Montri -

Pentera ups ante in penetration testing

The Israeli startup, which expanded to the APAC region last year, scans for vulnerabilities and emulates cyber attacks through its automated security validation platform

More organisations are doling out bug bounties and conducting penetration testing to uncover security loopholes and assess their cyber defences, but such efforts can at times be manual and expensive.

Pentera, an Israeli startup which raised $150m in a funding round last year which took its value to $1bn, is hoping to improve how penetration testing is done through what it calls “automated security validation”.

Unlike penetration testing, which Pentera claimed only covers 15% of IT assets and is typically conducted just once a year, automated security validation is touted to be more complete, accurate and current, giving organisations a better sense of their resilience against mounting cyber threats.

The Pentera platform offers both internal and external security validation capabilities, with the former focused on validating internal security controls by identifying an organisation’s assets and their vulnerabilities, before simulating attacks generated by an algorithmic attack engine.

For an organisation’s external attack surface, Pentera offers the same capabilities from the outside in, mapping an organisation’s internet-facing assets and potential exploits that can be leveraged in a simulated attack.

“By emulating the adversaries’ perspective, we can show you, for the first time, not how you see yourself, but how the attacker sees you,” Amitai Ratzon, CEO at Pentera, told Computer Weekly. “Security professionals think they know what preventive solutions they should buy and how they should protect the castle, but they know very little about how attackers see them in a vectorial way.

“And we try to do it as realistically as possible, so if attackers don’t deploy lots of agents or ask you for the APIs [application programming interfaces] to Amazon to show you the vulnerabilities you have on the cloud, we don’t do that as well,” he added.

Malware and script development

As much as the attacks are automated, Pentera employs a team of security researchers to develop malware and scripts that are tested on different target systems before they are deployed in production.

It also keeps track of vulnerabilities – such as the Log4j loophole – as they emerge, ensuring its scanning capabilities can look out for those vulnerabilities in customer systems within 24 to 48 hours after they have been disclosed.

Thereafter, it would take another two to three weeks to write malware and executables that leverage those vulnerabilities to simulate an attack, said Ratzon.

He stressed that even as Pentera simulates cyber attacks, safety remains a top priority. “We don’t take open-source scripts or use ChatGPT to write scripts and put them in our product,” said Ratzon. “We write them on our own because our number one priority is safety by design.”

On how enterprises are using Pentera, he said they have used the platform to see if password policies are being enforced on a regular basis, and in other cases, to discover misconfigurations that could lead to database exposures.

“People thought we were just showing them things they had neglected because they didn’t have the manpower, but we also showed them what was exposed,” said Ratzon. “It’s one thing to run a penetration test on 1,000 endpoints, but it’s another to have a watchdog running an X-ray scan of your body all the time to reveal problematic areas.”

Read more about cyber security in APAC

Pentera – which has almost 800 customers including some of the world’s largest companies, such as Toyota and BNP Paribas – expanded to Asia-Pacific (APAC) last October, with new offices in Australia, Japan and Singapore. It hopes to double the size of its APAC team in the next two years.

With an eye on the $100m revenue mark next year and an initial public offering in the next two to three years, Pentera is looking to offer more value-added services and build further automation capabilities into its platform from next year.

Meanwhile, some managed security service providers, some of which saw Pentera as a competitor in the beginning, have even started using the platform to speed up penetration testing for their clients, said Ratzon.

“But when it comes to the core of what we do, we don’t want to start playing in other areas like vulnerability management because we want to be the best in what we do – which is to safely emulate attackers’ perspective into features that users can use independently to protect themselves and improve their security over time. That’s going to remain the same.”

Read more on Hackers and cybercrime prevention

Data Center
Data Management