Making penetration testing accessible to all

Penetration testing is a key element of most cyber defence strategies. Having a red team, external or internal, test your applications and defences for vulnerabilities makes sense. Unfortunately, for many small and even mid-sized businesses (SMBs), the cost is excessive. That presents them with a problem. Not only are they missing out on a defence, but larger organisations may well require evidence of such testing when onboarding them as suppliers.

ThreatSpike has decided to offer a solution to this problem. It recently announced ThreatSpike Red, an unlimited offensive cybersecurity service. It will continuously scan websites and applications for vulnerabilities. Importantly, it does this at a fixed price which the company says is affordable.

Adam Blake, CEO and co-founder of ThreatSpike, explains, “In today’s challenging digital environment, offensive cybersecurity shouldn’t be just a point-in-time activity, but the high cost of traditional pentesting services means most organisations can only afford to test infrequently, if at all. This creates a high-risk cybersecurity gap where adversaries have a large window of opportunity to attack quickly. The results can be devastating, from loss of revenue and reputation to compliance failures and enterprise collapse.

“ThreatSpike Red disrupts the traditional pentesting and cybersecurity services market by democratising access to offensive cybersecurity services through our transparent, fixed-price service. It means not only that more organisations can benefit from offensive cybersecurity, but also that they can protect their business on a continuous basis. In a difficult economic climate, our solution resolves the tension between security and cost at a time when managing both is critical to business success.”

What does affordable mean?

That’s a really good question. According to the announcement of ThreatSpike Red, the costs will be:

  • Companies up to 250 employees: £5k per year
  • Companies up to 1000 employees: £10k per year
  • Companies up to 2000 employees: £15k per year
  • For larger enterprises, ThreatSpike is offering bespoke pricing.

It is an interesting price range and one that should fit into the budget of a lot of SMBs. It is also low enough that large enterprises who work with a wide range of SMBs could consider adding it to their list of services they offer to key suppliers. That would also relieve the SMB of the burden of testing and provide the enterprise with a fuller picture of the risk from its suppliers.

What does Adam Blake say?

To get a better picture of ThreatSpike and what it is offering, Enterprise Times talked with Adam Blake. Blake has been involved in cybersecurity since 2005 and previously worked at Accenture and Deloitte before setting up ThreatSpike. One of the problems that Blake found himself dealing with was an industry that was focused on tools and infrastructure rather than on helping customers get the value out of their data.

The problem today is that many security companies are still selling bits of a solution rather than a single, cohesive solution. Blake says, “the security industry is just like buying a car in parts. You buy the exhaust, you buy the motor, you buy the doors and you plug it all together.”

The problem is, most organisations don’t know how to plug it all together. It results in them having to pay consultants when they extend their security tools suite. What they want is either a Managed Security Service that takes it all away or a fully integrated platform that they can use. The latter, a security platform, is what ThreatSpike offers.

But what about penetration testing?

Penetration testing is not part of the usual security platform offering. There are good reasons for it, not least the complexity and skills requirements. So how did ThreatSpike get to penetration testing?

Blake replied, “Two years ago, we hired an analyst from Darktrace. At the time, he said, ‘one of the things that I would be quite interested in doing is penetration testing or red teams’. It wasn’t something that we did at all. I said to him, ‘Well, you’re at the right place if you want to try this out. We can go to our customers and sell this to them as an additional service, and we would do a red team exercise for them.’ We did that, and we got about 15 or 20 or so customers to sign up to it over the first couple of years.

“We would go to their offices, scan their perimeter, try and get into that VPN, send them phishing emails, malware docs, all this kind of stuff. It was genuinely really interesting, and it gave us a lot more information about our customers. That’s because, in a detection role, you’re just sitting there waiting for the bad guy to come along. In these cases, we’re going out there and exploring and learning more about our customer, their presence online, what they look like, how they are, and their staff.

“Interestingly, it taught our guys more about what a bad actor would do. They know better how to detect things. We could do some purple team testing, where we see how good our staff was at picking things up. It was a win-win experience.”

Turning it into a customer offering

Blake commented, “This year, we’ve actually decided to turn this into a proper offering at a fixed price. We will offer a whole year of offensive security, pentesting, red teaming, and vulnerability scanning, and do it at a ridiculously low price. It would be amazing in terms of its comparison to that 1000 pounds a day business model that a pen test industry runs.”

It is not just breaking the business model of pen testers. “We ourselves have penetration testing done because we have PCI compliance, ISO, and Cyber Essentials. So we need to have pentesting done. What we noticed is that we pay about £15,000 a year to have penetration testing done on us. And people just turn up and use off-the-shelf tools and give us the output of the report.”

Showcasing new capabilities

Blake sees this as an opportunity to use the pentesting as a showcase for ThreatSpike. It’s not just about a fixed-price offering. It’s about making offensive security a game-changer for his customers.

“Offensive security is a game changer that we found for our customers. You don’t want to wait until the bad guy, the ransomware guy, comes along and tries to break into your network to find out that your controls or your staff are not working at the optimal level in terms of the security. By getting them ahead of an attacker, we can improve their security over time, and put them in a much better position.

“But it’s just not accessible today. We’ve now got hotel chains signing up who are always incredibly resource constrained and would never ever sign up to this. Some of them have got 40-odd hotels, and you’re talking about huge amounts of money. A fixed price test we can do in a year and improve over time is going to be a huge game changer for them. So our 2023 ambition is to do what we’ve done in the managed security space, but to apply it to the offensive side and actually bring pentesting out to the market in a way which is much more affordable and results oriented than what exists.”

Getting away from the run book challenge

One of the problems with a lot of offensive and defensive security is reliance on runbooks. Teams are given a script and told what they are attacking and what to do. Too many end up sticking only to the script, and therefore the testing is very predictable. Additionally, runbooks often fail to evolve, and even those that do rarely evolve quickly. The malicious attacker has a different agenda and a different approach. We asked Blake how ThreatSpike will avoid that runbook point of failure.

Blake believes there are two parts to doing this properly. He replied, “You should always cover off a standard methodology to make sure that you’re picking up the standard framework and benchmark. You’ve got the same results, and you’re testing everybody to the same standard. Then the more experienced people in our team will look at how well those exercises have performed. If they haven’t performed very well, then those more experienced people will then step in, be creative and come up with a new way of doing things.”

Blake talked about an attack called device code phishing. The attacker starts the OAuth device authorisation flow against Microsoft's identity platform and receives a short user code. The attacker then persuades a user to enter that code at Microsoft's device sign-in page and approve the request. The victim signs in legitimately, including any MFA prompt, and the attacker never touches the password; but the access and refresh tokens that result are issued to the attacker's session, giving them full access to the victim's OneDrive, email and everything else the token is scoped to. It is this type of adaptation to new attacks that Blake wants to focus on. He sees following scripts as the platform on which you develop new attacks against systems that you then add to your pentesting.
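Because the victim authenticates normally, device code phishing leaves no failed logins or password resets to alert on; the trace is a successful sign-in whose protocol is the device-code flow, usually from an IP and location the user has never used. The detector below is an added example written for this article, not ThreatSpike's code or tooling. It assumes sign-in records shaped like the Microsoft Graph signIn resource (fields such as authenticationProtocol, ipAddress, location and appDisplayName; check the field names against your own export), the log lines are constructed sample data, and the list of apps for which the device-code flow is expected is a hypothetical per-tenant setting.

```python
"""Flag OAuth device-code sign-ins that look like device code phishing.

Added example, not part of the original article or ThreatSpike's product.
Assumes one JSON object per line, shaped like the Microsoft Graph signIn
resource (assumption: verify field names against your tenant's export).
"""
import json
from collections import defaultdict

# Constructed sample sign-in events, not real tenant data.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2023-05-02T08:01:12Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "GB", "city": "London"}}
{"createdDateTime": "2023-05-02T08:40:55Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "NL", "city": "Amsterdam"}}
{"createdDateTime": "2023-05-02T09:15:00Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.40", "location": {"countryOrRegion": "GB", "city": "London"}}
{"createdDateTime": "2023-05-02T09:16:30Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.40", "location": {"countryOrRegion": "GB", "city": "London"}}
{"createdDateTime": "2023-05-02T10:02:11Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "GB", "city": "Bristol"}}
"""

# Hypothetical per-tenant setting: apps whose users routinely sign in with
# the device-code flow (CLI tools on headless boxes). Tune for your estate.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI", "Azure PowerShell"}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def baseline_by_user(events):
    """IPs and countries each user has used in ordinary (non device-code) sign-ins.

    In production, build this from a trailing window of earlier events; here
    the whole batch is used so the example runs stand-alone.
    """
    seen = defaultdict(lambda: {"ips": set(), "countries": set()})
    for e in events:
        if e.get("authenticationProtocol") == "deviceCode":
            continue
        b = seen[e["userPrincipalName"]]
        b["ips"].add(e.get("ipAddress"))
        b["countries"].add((e.get("location") or {}).get("countryOrRegion"))
    return seen


def find_device_code_signins(events):
    """Return one finding per device-code sign-in, scored by how unusual it is."""
    baseline = baseline_by_user(events)
    findings = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        user = e["userPrincipalName"]
        country = (e.get("location") or {}).get("countryOrRegion")
        reasons = []
        if e.get("appDisplayName") not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("app is not one that normally uses the device-code flow")
        b = baseline.get(user)
        if b is None:
            reasons.append("no ordinary sign-ins from this user to compare against")
        else:
            if e.get("ipAddress") not in b["ips"]:
                reasons.append("IP never seen in this user's ordinary sign-ins")
            if country not in b["countries"]:
                reasons.append("country never seen in this user's ordinary sign-ins")
        severity = "high" if len(reasons) >= 2 else ("medium" if reasons else "low")
        findings.append({
            "time": e["createdDateTime"], "user": user,
            "app": e.get("appDisplayName"), "ip": e.get("ipAddress"),
            "country": country, "severity": severity, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(parse_signins(SAMPLE_SIGNINS)):
        print(f["severity"].upper(), f["time"], f["user"], f["app"], f["ip"], f["country"])
        for r in f["reasons"]:
            print("   -", r)
```

On the sample data, alice's device-code sign-in from a Dutch IP through a mail-and-documents client is scored high, while bob's Azure CLI sign-in from his usual address is scored low. A low score is not a clean bill of health: an attacker running this flow chooses which client application the token is issued to, so a familiar app name on its own proves nothing, and the location checks carry most of the weight. Where the flow is not needed at all, the stronger control is to block it with a Conditional Access policy rather than to detect it after the fact.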

Enterprise Times: What does this mean?

As organisations expand their digital footprint, they need to change how they defend themselves. Pentesting and offensive security are often seen as a major cost for SMBs, leaving many of them unable to afford either. Even larger organisations make limited use of them because of the cost.

Blake believes that ThreatSpike can lower the cost and, in doing so, improve cybersecurity for SMBs. Importantly, it is not just SMBs that gain here. The enterprises in whose supply chains these SMBs are embedded, also gain. It raises an interesting question. Will we see large enterprises consider factoring in the cost of this model to help their suppliers protect themselves?
