How BAS KILLED the pen test
Apr 23, 2019 / Cymulate
Cymulate’s Breach and Attack Simulation (BAS) as-a-Service has forever changed pen tests as we know them. From months to minutes, cloud-based BAS has revolutionized how fast organizations can get security assessment results, and how much they must pay to know how secure they are at any given point in time.
Predicting the Present
In February 2018, Mr. Augusto Barros, Research VP at Gartner, predicted that breach and attack simulation technology (BAS), combined with vulnerability assessments, would kill traditional penetration testing.
A year later, we can safely say that Barros’ prediction was in fact spot on, at least as far as network penetration testing is concerned. We are currently witnessing the very final days of the outdated service paradigm that security service and consulting firms—including the Big Four—offer their clients. Meanwhile, one can easily find new cyber security companies that have long been developing the automated answer to application pentesting, and in this fashion are decisively eliminating the old ways of performing pen tests.
A Pen Test Paradigm Shift
A good analogy to describe what is happening in the pentesting world today is to think of consulting firms as the equivalent of Nokia, who did not read where the market was going, nor the changing needs of their customers—all while BAS companies are the iPhone (and later, Android) of the pentesting world. They are fast, agile and provide organizations with immediate results. You can use them on a daily basis, at any given moment, to get a clear picture of your organization’s security posture.
Twenty years ago, I worked as the CISO of a large national telco, during which time I consumed consulting services that included risk assessments and penetration tests.
Today—two decades later—consulting firms’ work methodologies have not changed an iota. As the manager of an organization’s security operations or IT security department, you are still expected to select one or more consulting firms to work with. The consulting firms send over their teams of cyber security experts and pen testers to conduct audits or pen tests, gather information and return to the office to write up the report. On average, this entire process—from the first day of testing until the report is submitted—takes no less than 30 days. I believe that most security professionals would agree that the report, on the day of submission, is no longer relevant, as the internet is an ever-changing place, where cyber threats continuously morph and evolve. A report covering tests that were performed 30 days earlier is at that moment largely irrelevant.
Why I founded Cymulate
Driven by the idea of changing this ‘old world’ methodology, my colleagues and I decided to found Cymulate. Prior to starting up the company, I served as VP of Business Development at a large information security consulting firm. I particularly recall an extensive project that we carried out for a client in Asia, for which we deployed our teams to perform the very same tests I mentioned earlier. Our experts flew to the client’s premises numerous times, ran the tests and wrote up their reports. All told, the project took half a year to complete.
On one of those flights, I started thinking to myself, “What if we could let our clients perform those very same tests by themselves? What if we could simply impart our knowledge to them? Couldn’t they have performed those very same pen tests themselves, had they been given the knowhow and tools?”
The BAS Revolution
And that is how Cymulate’s breach and attack simulation as-a-service was born. One should consider that the very same project in Asia could have been performed today by the client’s own team within a single working day using Cymulate’s technology, including the generation of two reports, an executive brief and a technical brief, listing every gap the platform identified together with practical, detailed recommendations for remediating those security holes. No one would have to fly in. No manual pen tests would have to be performed. No hardware would have to be installed.
Cymulate crowned “Cool”
Last year, Cymulate was named a "Cool Vendor" in Gartner’s May 2018 “Cool Vendors in Application and Data Security” report for its BAS platform, which tests an organization’s security posture from an attacker's point of view, and uniquely does so 100% from the cloud.
Today, we serve customers large and small across the globe—delivering multi-vector security assessments that leverage a team of top-notch security researchers combined with publicly available threat intelligence. Cymulate takes just a few minutes to set up, and only a few more to get test results.
Admittedly, some good ideas can come from suffering on long flights… Don’t take my word for it, though. See for yourself why Cymulate is not only cool, but also revolutionary.