Development of the First Automated Pentesting Platform

As VP of Product for Pcysys, I wanted to take this exciting opportunity to share with you a few tips and tales of our product evolution in the past 4 years, bringing us to this point, when Blackstone elected to invest in our growth.

We know there is an imbalance in the cyber security space; on one hand, we see significant spending on security stacks, while on the other hand, the rate of devastating breaches continues to rise. It all comes down to the absent  ability to measure the effectiveness of our security controls. In the current state of affairs, there is one unfortunate assumption, a breach is not a question of IF, but more a question of WHEN. The inability to validate all security controls in a continuous manner makes it impossible to answer the daunting questions; “Am I prepared?” and “Where are my true vulnerabilities?”.

Nov 2015 – The Concept Product 

This was the basis of the inception of the PenTera product – enterprises cannot afford to have ‘flimsy’ security hygiene with a great deal of variance. They must maintain a consistently high level of security hygiene at all times. 

This is not very different from  Quality Assurance (QA) in software. You build a machine – it has to be tested to ‘deliver the goods’ before you can announce it operational. In fact, Statista report that “26% of their organization’s annual IT budget was allocated towards quality assurance and testing”. I dare say that in cyber security the rate is a low single-digit investment vs. the overall IT data security budget.

So coding began with the following 7 principles:

1. Agentless – IT professionals will not install and maintain agents to test their network. This is an operational burden that we avoided from day one. “No agents for you!”. This also allows the product to emulate a real attack, including the exploits (an attacker will not have agents pre-installed in the network)
2. Test Everything, emulate a full and realistic attack flow – our product exploits vulnerabilities, controls, credentials, privileges, and critical data access; the full attack surface. We emulate the full attack flow from an attacker’s perspective, providing real visibility of the breachable vulnerabilities and the most cost-effective way to remediate. Once remediation is in place we allow to re-run the attack scenario to validate the effectiveness of the fix
3. No simulation – the product should hack for real – inject (ethical) malware, LoTL, fileless attacks. There’s no real validation without challenging the security controls for real, with real attack behavior 
4. Safety – Safety as a first priority, PenTera was designed to ensure this from day one. Although we do really attack the network, we would never cause any harm or downtime. The system runs a full sanitation cleanup when done, leaving no trace or impact on the network or end points. 
5. Stealthy Harmless Attacks – like a hacker who tries to stay under the radar, we allow customized stealth levels to test multiple scenarios that will challenge and validate detection in order to train and improve the SOC response 
6. No False Positives – report on remediation only for proven breachable vulnerabilities
7. Instant reporting – the report is ready when the test ends for immediate consumption. It provides both an executive view as well as detailed attack data; complete “kill-chain” vectors and a list of top vulnerabilities, prioritized based on business impact

Nov 2017 – The Product Beta  

First, beta customers, knew very well the shortcomings of manual pentesting – a snapshot in time, expensive, partial in coverage and talent dependent. On the other hand, we were facing doubt about the ability to deliver on the “fully automated” promise. 

All beginnings are modest – initially, our library of attacks included only a dozen common Window attacks that we experienced frequently as commonly used threats. But on the robustness and safety aspects of the product, we wouldn’t compromise, even on day 1. 

Our first customer was a large retailer – we had a meeting of the minds with their experienced CISO and his IT staff was amazed by the results. We helped them focus on the 1% of truely-breachable weaknesses and they had their first-ever posture benchmark with a click of a button. 

June 2018 – Early Majority

Following the first five customers, we named the product PenTera (in short for Penetration Testing Terra-Land). Then we pulled out all the stops and the customers began flowing in. 

Security-aware companies craved for the economic means to conduct continuous validation of controls. We allowed for free Proof-of-Concept (PoC), single-day, exercises for qualified prospects to perform a ‘test drive’ in their own environment. The agentless nature of the tool enabled that. 

We increased the inventory of attacks at a rapid pace: Linux, network equipment, OSX and many attacks were added and written in parallel to tapering off the user interface as well as the auditability and traceability of the product. Our team made sure it participated in the PoCs to get as much user input and impressions as possible. 

June 2019 – Enterprise Ready

Winning large enterprises we moved forward on the enterprise readiness axis and hardened the non-functional aspects of the product to fit large, company-wide deployments. As part of this effort, we’ve also completed the native alignment of the product with the MITRE ATT&CK matrix to provide visibility and full coverage mapped to the industry standards . 

In parallel to the product readiness, we’ve also technically-trained our channel partners to be self-sufficient and able to manage the product installation, PoCs, deployment and upgrades without our help. Our virtual sales force today counts dozens of certified IT professionals.

The Hereafter

A wise man once said, “it takes many years of hard work to become an overnight success”. I believe that is the case. We iterate the product every two weeks and work very closely with our customers and partners. The product proved itself with Blackstone’s IT and drew the attention of the VC folks who decided to invest and partner with us for the future. Approaching 100 customers – the journey continues!