vulnerability scans

I have a friend who manages a large financial investment company based in NJ and each year, sometimes twice a year, he brings in a team of pen testers to run a test and check the box for security regulations.When I told him that my company automated pen testing (PT) in software for corporations to run at will, he said, “We already do regular vulnerability assessment (VA) scans; why would I need to do the same with PT? And it’s so expensive!”

Firstly, I told him, when you receive the list of vulnerabilities from the VA report, what do you do with it? VA identifies thousands of vulnerabilities. It does not tell you the potential impact of those in terms of breaches in your particular environment, and does not show you the hacker’s “attack vector” that weaves vulnerability exploits like beads on a fuze string to create a disastrous attack vector.

And when it comes to cost, I added, when PT is done by software and doesn’t require expense expert hour billing, you’re in a completely different ball game of economics. The cost of another pentest run is marginal.

My friend’s eyes widened and he confessed to the reality that vulnerabilities are discovered at a pace much higher than the pace of remediation and that even maintaining the critical updates of the primary components in their network does not make his sleep sound at night.

“You got my attention, so how does your software work?” he asked.

I explained that pentesting in its essence is a multi-step approach in which each vulnerability is attempted until you get to the achievement — stealing info, encrypting info or disrupting applications/services. Pen testing takes the vulnerability (CVSS) scoring system to the next level by determining the most critical attack vectors. This leads to threat-based prioritization that is contextualized to the tested environment. At the end of the day in order to protect your company’s “crown jewels” and focus your cybersecurity resources on remediation, it’s crucial to know the cyber-path of the potential “burglars”.

My friend said, “To tell you the truth, you had me at ‘automated’ in your automated pentesting pitch. I’ll go for a quick test run to see if my team likes the solution.”

If you’d like to try automated PT for your own company, click here to start your journey cyber resilience yellow brick road.


By Arik Liberzon, Founder of Pcysys,  The Automated Pentesting Platform Startup

Written by: Arik Liberzon
Show all articles by Arik Liberzon
Learn more about automated security validation
Resource center
Get blog updates via email
Trending
Four steps the financial industry can take to cope with their growing attack surface
Four steps the financial industry can take to cope with their growing attack surface

The financial services industry has always been at the forefront of technology adoption, but the 2020 pandemic accelerated the widespread use of mobile banking apps, chat-based customer service, and other digital tools. Adobe’s 2022 FIS Trends Report, for instance, found that more than half of financial services and insurance firms surveyed experienced a notable increase […]

The elephant 🐘 in the cloud
The elephant 🐘 in the cloud

As much as we love the cloud, we fear it as well. We love it because cloud computing services of Amazon, Azure, and Google have transformed operational efficiency and costs, saving us money, time, and alleviating much of the IT burden. We also fear it because as companies moved to the cloud, they found that […]

A new era of tested Cloud Security is here
A new era of tested Cloud Security is here

Cloud computing has fundamentally changed how we operate. It’s efficient and scalable, but it’s not without some problems. Security is the biggest. As we’ve shifted to the cloud, we’ve exposed ourselves to new risks that can’t be ignored. The IBM Cost of a Data Breach 2023 Report points out that 11% of breaches are due […]

Learn more about our platform
Platform