Pentera expands in APAC, taps AI to outsmart attackers

Pentera is expanding its Asia-Pacific operations from its Singapore hub and leveraging artificial intelligence (AI) to automate and enhance its attack simulation platform.

The Israeli company, which has progressed from automating penetration testing to leading what Gartner calls exposure validation, helps organisations continuously test their security defences by simulating real-world cyber attacks.

Speaking in an interview with Computer Weekly in Singapore, Pentera CEO Amitai Ratzon said the company is seeing strong growth momentum, with 1,200 customers across 65 countries and a global team of 400 employees.

“Just like CrowdStrike is the leader in EDR [endpoint detection and response], and Recorded Future is the leader in threat intelligence, Pentera is the leader in security validation,” Ratzon said.

The company has been driving its next phase of growth by incorporating AI into its platform to improve everything from user experience to the speed and sophistication of its simulated attacks. In reporting, for example, the platform now employs AI to translate complex technical findings into actionable business insights.

“If you’re a CEO, you don’t care about all the small details,” Ratzon said. “Thanks to AI, we can tailor a report for a board member or CEO who doesn’t know the language of cyber security.”

In addition, Pentera is embedding AI into its core attack engine to speed up research and develop new attack techniques, slashing the time to create a new simulated ransomware campaign from a month to just a few days. It is also developing AI red teaming capabilities to help organisations test the security of their AI chatbots and large language models.

Despite the standardisation of Pentera’s core technology, organisations have the flexibility to tailor their security tests in various ways. For instance, using natural language prompts, security managers could instruct the platform to run tests against a specific network segment within a given time frame or direct the platform to target their most critical assets.

They can also configure the stealthiness level of attacks based on the threats that apply most to them. A government body fearing nation-state actors could opt for a highly evasive test, while a retailer might simulate a less sophisticated attack from a script kiddie.

Amid mounting fears of an AI arms race, where defenders use AI to counter AI-mediated attacks, Ratzon said Pentera will remain a “responsible adult” by providing human oversight over AI-driven decisions and actions.

“We’re literally attacking your company, so you don’t want us to do that just based on AI recommendations,” Ratzon said. “There will be a named person at Pentera who clicks a button to approve it, because there are ramifications of being wrong.”

With growing concerns over nation-state attacks on critical infrastructure in the region, Ratzon touched on Pentera’s role in securing operational technology (OT) systems that control everything from power grids to train lines.

The company does not directly test the defences of OT systems because of the risks involved, but it plays a role in securing the wider IT environment they connect to.

“We would go against the servers on which OT systems sit, but we won’t touch the actual interface of the OT machine,” Ratzon said. By testing the IT servers and networks that are increasingly converged with OT environments, the platform can mitigate the risk of attackers gaining a foothold in the IT domain and moving laterally to disrupt physical operations, he added.

Pentera’s growth has been particularly strong in the Asia-Pacific region. The company has established an independent entity in Singapore to drive its regional business and expand its footprint beyond Japan and Australia to markets such as Taiwan and India.

“The biggest banks, retailers and governments in most countries in the region have been using Pentera because they are seeing threats,” said Ratzon. He expects the company’s regional customer base to grow from just under 70 a few years ago to over 150 by next year.

Following a $60m funding round earlier this year, Pentera is now eyeing some bold acquisitions, Ratzon said, without revealing details. “We’re building a platform for security validation, and when you build a platform, you are the one consolidating, not the one being consolidated,” he added.

While an initial public offering (IPO) is on the cards, Ratzon said “it is a 2027 decision” as the firm focuses on cementing its leadership position in the market and expanding its platform through internal product development and acquisitions.