Penetration Testing: Offense Is The New Defense
BreachLock founder & CEO Seemant Sehgal on Penetration Testing as a Service (PTaaS)
Melbourne, Australia – Oct. 23, 2022
If two decades working as a corporate security practitioner taught Seemant Sehgal anything, it was that businesses were paying consulting firms a whole lot of money to do the regular security testing that has become even more important amidst the surge of cybercrime over the past five years.
As head of cybersecurity assessment with one of Europe’s largest banks, Sehgal told Cybercrime Magazine, he came to realize that the whole process of penetration testing was fundamentally flawed.
“I had access to a lot of Big 4 firms, boutique firms, and talented hackers in general,” he explained, “and I was paying all of them to get the job of penetration testing done.”
“It gave me a lot of experience on the buyer side of the table, but it also told me what were the problems with the pen-testing industry at the time.”
Businesses were, for example, making the process of pen testing “overly complex.”
“In real life the hacker is not on-premises,” Sehgal explained. “They are either in a different country and, in most cases, on a different continent — so why do you want to bring hackers onsite and make your life complex?”
Another common issue was wasted time: hackers were being brought onsite to do “fairly repetitive tasks that are better done by a machine,” he said.
Also problematic: remediation was typically treated as a different process to pen testing.
“You are doing a pen test to [resolve] the findings,” he said, “so why make remediation a different silo that is not integrated into your pen-testing process?”
Solving these three key issues became the impetus for BreachLock, a New York City and Amsterdam-based startup that Sehgal founded in 2019 with a remit to turn the pen-testing industry on its head.
But the world had other plans. Even as his small team breathed life into what would become the company’s pen testing as a service (PTaaS) platform, the COVID-19 pandemic hit, both hobbling his growth plans and, ironically, validating the very premise behind the business.
Reach out and pen test someone
The premise of BreachLock is simple enough: rather than treating pen testing as a human-led endeavor that does not scale well, it leverages automation, AI, and “the creativity of human hackers” to offer similar capabilities on an as-a-service basis, so customers can run automated pen testing at any time.
By using BreachLock to launch a full-stack probe of the company’s complete attack surface, security teams can get a baseline evaluation of their current security status and, as Sehgal put it, free up specialist time to “focus on more complex problems so they can really upgrade their security postures.”
In a time when cybersecurity practitioners are more pressured than ever, freeing up their time for anything is a boon. Yet as COVID became entrenched just months after BreachLock was established, Sehgal said having remote access to specialist expertise became a life-or-death issue for the company.
As he worked to build up a team of remotely available specialists from around the world, it became clear that the distributed team of specialists would be crucial to complement the automated pen-testing capabilities that he had developed.
“Just when we started to accelerate, we were hit by COVID,” he explained. “I couldn’t travel to different countries to meet people and talk to them eye to eye — but we still had to get on with the job.”
The remote recruitment proved successful, with the business growing 100 percent year on year and the team rapidly expanding to the point where it now employs nearly 50 pentesters and staff in three countries to deliver its penetration testing services.
Over the course of less than four years, the company has secured over 700 customers and obtained quality certifications including CREST, ISO 27001 and SOC 2.
Its ability to rapidly cycle up pen-testing exercises, and to deliver reports 50 percent faster, helped it earn a mention on the Gartner Hype Cycle for Security Operations this year — for the second time.
“That was an important testimony for a four-year-old company that is working on an innovative concept to change the industry forever,” Sehgal said.
“There is a ton of investment that has gone into defense — but offense is the new defense, and that’s the space BreachLock wants to dominate in the next five years.”
– David Braue is an award-winning technology writer based in Melbourne, Australia.
Sponsored by BreachLock
Affordable, Smarter and Scalable Cyber Security Testing
BreachLock™ offers a SaaS platform that enables our clients to request and receive a comprehensive penetration test with a few clicks.
Our unique approach makes use of manual as well as automated vulnerability discovery methods aligned with industry best practices.
We execute in-depth manual penetration testing and provide you with both offline and online reports. We retest your fixes and certify you for executing a Penetration Test. This is followed up with monthly automated scanning delivered via the BreachLock platform. Throughout this process, you have access to the platform and our security experts who will help you find, fix, and prevent the next cyber breach.
Find out why penetration testing with BreachLock™ is the leading choice for startups, SMBs, and enterprises around the world.
BreachLock has offices in The Netherlands, London, New York City, and Wilmington, Del.