Core Security CEO to step down

Paul Paget, CEO of penetration testing software vendor Core Security Technologies, is leaving the company. Paget said the move is the result of a series of discussions with the board of directors and was a mutual decision.

Paget has been at the helm of Core Security for more than five years, but said that he sees himself as best-suited for start-ups and early stage companies. With more than 500 customers and several key product and strategy decisions on the horizon, Paget said he and the board both agreed that the time was right to look for a CEO ready to guide Core in its next growth stage.

"The kind of testing we're doing is becoming understood as a critical component for any organisation," Paget said. "When we first started, it was considered a bit over the edge. Right now we have one product that's essentially delivered at one price point. You can imagine in the future delivering it in a number of different ways. We're in a space without a lot of competition and we want to take advantage of that opening."

Paul Paget

There is no set timeline for finding a new CEO, and Paget said he plans to stay on until the board fills his position. Paget will also resign from Core's board once the new CEO joins the company. The company has yet to hire a search firm.

Paget joined Core in 2002 after stints at several other security and technology companies. He had served as a senior vice president at Baltimore Technologies and a vice president at CyberTrust, which acquired Baltimore in 2000. He also worked at Lotus and IBM earlier in his career.

The penetration testing market is still quite small. In addition to Core, Immunity Inc., of New York, is essentially the only other software-based commercial penetration-testing player, with its Canvas tool. HD Moore's Metasploit framework , which is free, is also in the mix, as is Saint Corp.'s Exploit product. And a new appliance on the way from BreakingPoint Systems performs some of the same testing functions as penetration-testing tools. But a lot of penetration tests are still performed by consultants, in large part because most of the tools require a high level of skill and even many large enterprises don't have someone on staff who can do the tests.

Paget believes that it's simply a matter of time before penetration tests become standard procedure in the enterprise. To take advantage of that potential opportunity, however, Paget said Core needs to continue its growth and perhaps give customers more options for how they buy the company's product, Core Impact.

"The business is growing at a very fast rate and I believe we can take it to a whole different place," he said. "We have a huge open marketplace in front of us and we want to address it properly in the next few years. There are some areas that go far beyond our comfort zone as a team. We've talked about this as a group for a long time."

Paget said that he wouldn't rule out a software-as-a-service model for a future Core product. "Everything is on the table. There's not anything we wouldn't look at or that we'd rule out right now," he said.