Aaron Shilts, Author at NetSPI

Creating Moments of Magic across the Globe at NetSPI’s 2024 Employee Kickoff
https://www.netspi.com/blog/executive-blog/netspi-updates/employee-kickoff-2024/
Tue, 28 May 2024 17:09:16 +0000

Relive NetSPI’s 2024 Employee Kickoff that ignited inspiration for proactive security and a shared vision for the evolution of The NetSPI Platform.

The post Creating Moments of Magic across the Globe at NetSPI’s 2024 Employee Kickoff  appeared first on NetSPI.

Spring always marks a fresh start for NetSPI because we hold our Employee Kickoff, an in-person event that gives us a chance to get together in person, align on our direction for the year, and ignite inspiration for the challenges and successes ahead.

This year was especially memorable as we celebrated the launch of The NetSPI Platform, the proactive security solution used to discover, prioritize, and remediate security vulnerabilities of the highest importance. Plus, we revealed our new and improved brand and positioning which better articulates who we are today, while staying true to the NetSPI legacy. 

We had the opportunity to take our Employee Kickoff on the road, starting with the US and Canada teams, then to the UK, and lastly to India. Each stop on our 2024 tour presented unique moments — none of which would be possible without the people who power NetSPI.  

Our mission is to create moments of magic that result in game-changing outcomes for our customers.

To us, this means going beyond what is expected to deliver an experience that feels special, delightful, and memorable. Every employee at NetSPI, regardless of their role, asks themselves, “How can I turn this into a moment of magic for our customers?” 

This year more than ever before, we’re challenged with securing the most trusted brands on Earth. And I assure you, the team you see at NetSPI is ready to step up to the plate.

Proactive Security Allows Us to Walk Alongside Our Customers 

Defensive, offensive, proactive… all of these terms have meaning in the security industry, but one stood out to us as aligning with NetSPI’s purpose: proactive security.  

Security leaders deserve a partner who cares, who works collaboratively through the challenges they’re facing, and who walks alongside them to find a solution. Our Employee Kickoff helped us align on proactive security as a company and walk forward together with this shared vision.  

NetSPI is the proactive security solution used to discover, prioritize, and remediate security vulnerabilities of the highest importance, so you can protect what matters most to you and your customers. 

Continued Innovation Equips Us to Secure the Most Trusted Brands on Earth 

We simply cannot secure the most trusted brands on Earth without continued innovation and transformation. If there is one message I’d want each of our employees to take from the Employee Kickoff events, it’s this. 

To reiterate this, we welcomed Thorsten Stremlau, Systems Principal Architect at NVIDIA, to the stage. Thorsten spoke about the AI-driven innovations he’s supported to improve quality of life for those diagnosed with ALS. He drove home the security community’s role in enabling companies like NVIDIA to innovate with confidence and make meaningful impacts in people’s lives.  

One critical innovation that is moving the needle for NetSPI and our customers is the launch of The NetSPI Platform. Announced on May 1, 2024, the unified platform for proactive security is bringing together all NetSPI solutions – penetration testing as a service (PTaaS), attack surface management (ASM), and breach and attack simulation (BAS) – under one interface to bring efficiencies, data insights, and telemetry like no other firm in the industry can. 

The Employee Kickoff tour was our opportunity to celebrate all of the brilliant minds behind The NetSPI Platform just weeks before we revealed it to the world. 

Our Value Lies within the People behind Our Products 

You can build a top-notch product, but when it comes down to it, it’s people that will make or break a successful company. We hear time and time again that NetSPI’s people set the standard of service for engagement across the industry. Between deep expertise and tailored communication, our security experts set the bar high for what a customer experience should be.

Our team relies on innovation, collaboration, and delivery as shared values in any engagement we’re part of. Our Employee Kickoff helped us highlight a handful of key individuals and teams who’ve made a significant impact at NetSPI.

Kurtis Shelton, Director, AI/ML Pentesting 

Kurtis and his team led the charge to develop a cross-functional automation working group responsible for sketching out and prototyping technology focused on automation, AI and machine learning in products. 

Sam Beaumont, Director, Transportation, Mobility & Cyber-Physical Systems, and Larry (Patch) Trowell, Director, Hardware and Embedded Systems

These two are at the helm of innovation in securing critical infrastructure and integrated hardware systems. It goes without saying that a breach in these systems can have catastrophic consequences, and the work our team is doing in this area brought major advances to NetSPI’s methodology for protecting critical infrastructure.

Giles Inkson, Director, Services – EMEA

Giles was instrumental in earning NetSPI’s CBEST accreditation, which helped us become a true partner in the UK’s financial ecosystem. Our experience with TIBER and DORA frameworks already allowed us to perform Threat Intelligence-Based Ethical Red Teaming, and now our CBEST accreditation aligns us with cybersecurity standards across the globe.

Jake Karnes, Senior Technical Architect

Jake and his team are leading the charge with NetSPI’s technical enablement to upskill the security experts of today and tomorrow. His team’s approach to systematic training in NetSPI’s key solutions brings a tangible methodology to cross-train our team and help address the skills shortage plaguing the industry.

Naveen Ramesh, Security Consultant II

Naveen took home NetSPI’s Innovate Award because of his exceptional ability to navigate tricky challenges and guide his team through complex projects. He excels at helping his teammates overcome hurdles, deepening their understanding of the processes involved and fostering a collaborative work environment. His dedication to both client communication and team development defines him as a true innovator at NetSPI.

Melissa (Mel) Miller, Senior Technical Manager

Last but not least is Mel Miller, who earned NetSPI’s Founders Award, a well-deserved recognition of her relentless commitment to NetSPI as a whole, and specifically NetSPI University, a training program that equips security practitioners with cybersecurity skills as they enter the workforce or shift their careers. Mel is a shining example of the standard of service NetSPI sets in the industry. 

All This to Say, NetSPI’s Impact Matters 

The impact that NetSPI has on the world matters. It matters for business continuity, nation-state security, and people’s livelihood. 

The attacks NetSPI protects our customers from can be devastating for businesses and people alike. They can lead to massive financial losses and disruption in operations that can quite literally put companies out of business.  

In fact, the recent Change Healthcare breach hit me close to home when my sister wasn’t able to fill a prescription for my nephew because the system that brokers transactions from payer to provider was shut down. Events like this aren’t bound by industry or tech stack. Whether it’s healthcare, AI and machine learning, or critical infrastructure, securing these systems is paramount in light of the real and active risks facing organizations today. 

Our Employee Kickoff was a time for us to reignite our inspiration for securing the most trusted brands on Earth. The people, processes, and technology behind NetSPI are the reason we’re able to create moments of magic.  

Thank you to everyone on our team today, and to those who will join us in the future. You are what makes it possible for NetSPI to bring a proactive approach to cybersecurity with more clarity, speed, and scale than ever before.

A New Era of Proactive Security Begins: The Evolution of NetSPI
https://www.netspi.com/blog/executive-blog/netspi-updates/a-new-era-begins-evolution-of-netspi/
Wed, 01 May 2024 14:00:00 +0000

Introducing The NetSPI Platform, the proactive security solution used to discover, prioritize, and remediate the most important security vulnerabilities. Plus, get a first look at NetSPI’s updated brand!

The cybersecurity industry is at a pivotal moment. Organizations require visibility into assets that need to be protected, prioritization of issues to remediate first, and easy-to-understand reporting on proactive security measures. NetSPI has been tackling these issues head on and is prepared to lead the path forward with proactive security.  

With deep roots in penetration testing, plus consistent recognition for our people, process, and technology by global analyst firms, NetSPI is uniquely positioned to help security teams take a proactive approach to security with more clarity, speed, and scale than ever before. 

Last year brought strategic changes to NetSPI, allowing us to double down on meaningful innovation with Chief Product Officer Vinay Anand at the helm. Today we’re introducing The NetSPI Platform, the proactive security solution used to discover, prioritize, and remediate security vulnerabilities of the highest importance. Plus, a refreshed brand that stays true to our legacy and puts our customers and our team front and center. 

Take a look at how we arrived here and join us on this journey to secure the most trusted brands on Earth.  

Inspiration for the evolution 

The impact cybersecurity has on the world is exponential. The cyber attack on Change Healthcare served as a wake-up call, proving the point that cybersecurity can no longer be reactive; it must shift to proactive. 

The massive attack didn’t just take Change Healthcare offline, but it also threatened our economy and means of survival. It prevented small healthcare providers from getting compensated for their services, wiping some of them out of business. More importantly, it stopped patients from accessing vital medication and medical care, jeopardizing their well-being.  

For me, this cyber attack hit close to home, with my nephew unable to access his prescription needed for a medical condition. Situations like this fuel our mission to bring proactive security to the forefront of the C-suite’s agenda. 

The impact of a cyber attack today is unlike ever before — and the only way we can stand up to the challenge is through collaboration across the industry, innovation in processes, and delivery of improved technology to address today’s risks. 

With this challenge as our inspiration, NetSPI reinforced our true purpose and mission:  

  • Purpose: Secure the most trusted brands on Earth.  
  • Mission: Create moments of magic that result in game-changing outcomes for our customers. 

We’ve made massive advancements such as transitioning from traditional point-in-time testing to technology-enabled proactive security, and developing a new technology foundation that allows us to address the challenges today’s security leaders face: discovering, prioritizing, and remediating vulnerabilities of the highest importance.  

We shifted away from “offensive” security to “proactive” security to better align with our customers, who face insurmountable pressure in the never-ending battle to secure systems. The solutions we provide are intended to support defensive teams, not to discourage them. We are an ally to defensive teams, not an enemy. To us, proactive security means:

  1. Accurate and thorough discovery of known and unknown assets in the IT estate. 
  2. Prioritization of the vulnerabilities to fix first based on a thorough understanding of the environment and risks that truly impact the business. 
  3. Remediation advice that can be expedited by building integrations with customer systems, giving you guidance on what to fix, how to fix it faster, and how to ensure the effectiveness of the fix. 

In addition, to be truly proactive, this needs to happen in real time and continuously, an objective NetSPI is relentlessly committed to.  

Introducing: The NetSPI Platform 

With expertise across Penetration Testing as a Service (PTaaS), Attack Surface Management (ASM), and Breach and Attack Simulation (BAS), NetSPI is well-positioned to advance proactive security. The NetSPI Platform is a unified solution used to discover, prioritize, and remediate security vulnerabilities of the highest importance. We built The NetSPI Platform to help teams succeed at continuous threat and exposure management, while scaling solutions to enhance their security maturity over time.  

What can customers expect as they gain access to The NetSPI Platform? True activation of PTaaS in a way no other proactive security company can. This means all of the functionality our Resolve pentesting and vulnerability management platform had, in addition to:  

  • Asset inventory: Using our combination of commercial, open-source, and proprietary scanning tools, we discover known and unknown assets such as domains, IP addresses, cloud accounts, ASNs, and more. 
  • Attack paths and narratives: It can be difficult to see how all the pieces come together to lead to an exposure or asset. To help with this, The NetSPI Platform has attack paths and narratives with supporting visuals to highlight the exact user journey that was required to discover that item. 
  • Expanded integrations: The NetSPI Platform integrates with ticketing systems, asset management tools, vulnerability scanners, and more for easy, improved time to remediation. You can also use an API to instantly connect the tools you use with simple integration guides – no coding needed. 

In a world where point-in-time penetration testing is table stakes, we’re helping customers go beyond check-the-box security and shift from one-off projects to proactive security programs.  

Later this year, customers can expect to see new risk prioritization and exposure management capabilities in The NetSPI Platform and telemetry across PTaaS, ASM, and BAS. The NetSPI Platform will significantly improve our ability to build new products faster, deliver better outcomes, and secure and operationalize delivery. 

Elevating the credibility of The NetSPI Agents 

The NetSPI Platform needed the right branding to accurately depict what it’s like to work with NetSPI. Customers tell us time and time again that the quality of insights and seamless experiences they have with our security experts are what sets NetSPI apart. We know the people at NetSPI are the heart of our organization, and we felt it was the right time to give our team the recognition they deserve. 

We’re introducing The NetSPI Agents to authentically differentiate the level of expertise our people bring and reinforce NetSPI’s reputation as the best-in-class proactive security partner. This team sets the bar high and continues to raise it. 

Behind the scenes: NetSPI’s photoshoot 

To steer away from the dark hooded figures and stock photos commonly found in cybersecurity, we wanted to lean into our authenticity and show that we’re allies to our customers and partners. We held a photoshoot with our actual team members to put our people front and center. People are our number one differentiator, so our photography focuses on our approachable and team-oriented security experts, diligently safeguarding our customers’ networks. 

While the name is new, the actions behind it stay the same. The changes we’re introducing simply reflect what we’ve always seen from interactions with our security experts. The NetSPI Agents possess deep domain knowledge ranging from web applications to artificial intelligence and they’re committed to going above and beyond to deliver moments of magic for our customers.  

Unveiling The NetSPI Advantage 

We leaned into the current state of cybersecurity as inspiration to help us define The NetSPI Advantage. The goal was not to change NetSPI’s DNA, but clearly articulate what we do, why we do it, and how we can amplify it. From this workshop emerged “The NetSPI Advantage,” our brand narrative. 

The NetSPI Advantage 

In today’s world where all of our most important assets are online, business success depends on customer and employee trust.   

Revolutionary advancements in AI, increased demand for cloud computing, and a new age for digital identity are a few of the trends that make today’s technology landscape the most exciting we’ve seen in decades.   

But when security can’t keep up with the pace of innovation, your ability to deliver bottom-line results is at stake. And when you can’t deliver results with security and confidence, you risk losing the trust you’ve built with your team and your customers.   

At NetSPI, we are your allies in the battle for trust. We accelerate cybersecurity at scale so you can protect your priorities, perform better, and move faster.  

NetSPI is the proactive security solution used to discover, prioritize, and remediate security vulnerabilities of the highest importance, so you can protect what matters most to you and your customers.  

But The NetSPI Advantage goes beyond check-the-box security; it brings together dedicated security experts, intelligent process, and advanced technology to contextualize the priorities that will have the biggest impact on your business. Unlike other vendors, we go beyond the noise to deliver high impact results and recommendations based on your business needs and objectives.   

By pairing our unique combination of people, process, and technology with decades of insights and experience, NetSPI ensures you’re taking a proactive approach to cybersecurity with more clarity, speed, and scale than ever before.  

With the full force of NetSPI in your corner, you can navigate rapid innovation with confidence, while protecting the trust you’ve worked so hard to build. To put it simply, we go beyond for our customers, so you can go beyond for yours.   

Your team and your customers deserve peace of mind.  

They deserve to be secure.  

And you deserve a good night’s sleep.

The most trusted products, services, and brands are secured by NetSPI. 

A first look at the updated NetSPI brand 

In an industry where others prey on fear, uncertainty, and doubt, NetSPI is a breath of fresh air. We made the decision to update our look and feel with the goal of moving away from the industry stigma that offensive and defensive teams are at odds with one another. Our updated branding reflects the trust and optimism that NetSPI brings to cybersecurity with an evolution that accurately captures who we are today and who we’ll become in the future. 

“We want to take a conscious step away from fear, uncertainty, and doubt – and we want to stand out by evoking a feeling of trust through connection. NetSPI is an ally to the defenders, our customers, and their organizations – this new branding helped us nail that sentiment.”  

Heather Rubash
Chief Marketing Officer

Logo: A new era for NetSPI 

This is an evolution of our logo with a bold, legible, and simple “N” monogram to accurately tell the story of building trust through connection. The typography of the wordmark is seamlessly integrated with the headline font, which is consistently used throughout the brand. 

The new NetSPI logo

Color palette: Evoking modern sophistication 

Our revised color palette conveys a sense of professional poise and understated confidence by emphasizing blue with orange accents that nod to the vibrancy of technology. The palette achieves a layer of sophistication through its restrained selection, complemented by subtle hints of faded green and chestnut. 

The new NetSPI colors

Typeface: Friendly meets professional 

Our new font choice strikes a balance between a bold technological feel and a professional elegance. By combining modernity with sophistication, it contributes to a cohesive and dynamic brand identity.   

The new NetSPI font

Nodes: Reinforce trust through connection 

The node serves as a central visual motif, showing connection, transparency, and the intersection of people and technology. They reinforce the theme of trust, agility, and transparent communication as they intertwine photography and visual elements across the brand. 

The new NetSPI nodes

Website: Tying it all together  

All of these elements culminate in a cohesive brand representation on the new NetSPI website. With real photos of The NetSPI Agents, enhanced filtering of resources, and a dedicated page for The NetSPI Platform, our website reflects the connection between people, process, and technology that NetSPI is known for. 

Equipped with a strong brand reflective of NetSPI’s evolution while remaining true to our legacy, customers can walk confidently alongside us on the path to proactive security.  

Are you with us? 

At NetSPI, we believe:  

  • Industry-wide collaboration is key to standing up to today’s cyber threats. 
  • Innovation in intelligent processes will collectively push us further than ever before. 
  • Delivery of advanced technology will have the biggest impact on your team’s ability to discover, prioritize, and remediate security vulnerabilities of the highest importance. 

We are NetSPI. And we exist to secure the most trusted brands on Earth. Are you with us?

Celebrating a World of Opportunities with a World-Class Offensive Security Team
https://www.netspi.com/blog/executive-blog/security-industry-trends/world-of-opportunities-world-class-offensive-security/
Thu, 18 May 2023 14:00:00 +0000

Read about NetSPI’s 2023 employee kickoff event, where we brought our offensive security experts together to connect face-to-face, celebrate our accomplishments, and align on our vision for the future.

There’s a lot to celebrate when you’re the global leader in offensive security. 

Technology innovation, global expansion, responsible vulnerability disclosures, special shoutouts from clients. Plus, personal accomplishments like job promotions, buying your first home, welcoming a new life into the world, traveling to new places, the list goes on. 

All of this and more was the focal point of our 2023 NetSPI Employee Kickoff event. We brought nearly 500 of our offensive security experts together to Minneapolis to connect face-to-face, celebrate our accomplishments, and align the entire organization on our vision for the future. This year’s theme was “A World of Opportunities” which explored the opportunities we can uncover to make a real impact as the global leader in pentesting, attack surface management, breach and attack simulation – and beyond! 

The claim “global leader in offensive security” is a bold one to make. The proof is in our impressive growth year-over-year, the skillset of our team, the comprehensiveness of our solutions, and our clients’ decision to choose us over our competition.

The kickoff event presented a unique opportunity to reflect on what exactly got us to this point. Certainly, a lot of hard work and grit from the team, but these four core narratives were made evident throughout the course of the day. 

Collaboration and diverse thought 

“Individual commitment to a group effort – that is what makes a team work, a company work, a society work, a civilization work.”

Vince Lombardi

This quote articulates the importance of collaboration and the main reason we brought everyone together in one room (plus, I couldn’t let the day go by without at least one Green Bay Packers reference). Building relationships with one another and feeding that culture of collaboration was at the core of our 2023 kickoff. 

What we’ve built is special because of our people. But talented individuals alone are not enough. While it’s often an overused marketing term, collaboration is, and will always be, a core value of NetSPI. We pride ourselves on our ability to collaborate across boundaries and teams to uncover new offensive security solutions and solve seemingly impossible cybersecurity challenges.  

There is immense power in the diversity of thought that brings unique ideas and approaches to challenge the status quo. It was incredible to see members of the team spending time with people outside of their social circle or department, people with backgrounds and perspectives different to theirs. This is where the magic happens. 

Unwavering dedication to our clients 

Events like this are a great platform to reinforce the why behind everything we do. In our case the why is our clients, some of the world’s most prominent organizations. We are maniacally focused on customer delight, ensuring that everything we do brings value to programs and is not creating more work for security teams.  

At the end of the day, we are providing offensive security testing solutions so that businesses can innovate with confidence. 

Our keynote speaker, Brittany Hodak, spoke about how to create superfans, leaving us with the acronym SUPER (Start with your story, Understand your customer’s story, Personalize, Exceed expectations, Repeat). Her session was preceded by a panel of six NetSPI superfans, or soon to be. 

NetSPI Chief Revenue Officer Alex Jones moderated the panel, which centered around the key pain points cybersecurity leaders face today. Interacting with and speaking to customers to understand the challenges they are dealing with is invaluable, and something we make a conscious effort to do day in and day out. Key takeaways? 

  • Cyber is not the #1 risk for businesses, it is just one of the risks. 
  • Perimeter security is paramount. Understanding what is on your perimeter should be a priority. 
  • Those who follow foundational security best practices are going to succeed. Get the basics done right. 
  • Generative AI (e.g. ChatGPT) is a real concern for security leaders. Many are evaluating the risk and building policies. 
  • Security now has a seat at the table! The role of the CISO is becoming less technical and more strategic. 
  • Media headlines around breaches and other security incidents are helping cyber leaders get executive buy-in. 

NetSPI delivers real solutions to these mission critical challenges. We are a key player in the arms race against a sophisticated and well-funded adversary. Offensive security must be scaled and adopted globally, or our clients will fall short.  

This year, we made a strategic investment in a product leader, Vinay Anand, to help us rise to this challenge and create a strong technology platform that is scalable, continuous, easy to use, and leverages intelligent automation. Aligning on this vision as an organization was one of my top highlights of the day. I don’t want to give too much away, but a unified offensive security platform is on its way.  

Maintaining the NetSPI culture and staying true to our Purpose 

Innovation dies without a strong culture. While there may be amazing ideas brought to bear, they won’t flourish without a culture of collaboration, respect, motivation, and challenging our peers. Our culture is the foundation of our success.  

We spend a massive amount of our lives at work, so it’s truly meaningful when we say on top of all this, we’re having fun! We’re disciplined; we’re focused; we’re competitive. But at the end of the day, we enjoy each other’s company and the strong culture we’ve built together. 

Our clients feel this in their interactions with us. They tell us this regularly and it’s one of the many reasons they continue to work with us. They feel supported by a team that takes their offensive security goals as seriously as they do. Our culture at NetSPI is the formula for creating superfans that help us unlock opportunities.  

Someone who emulates the NetSPI culture is our very own Eric Gruber who was the recipient of the NetSPI Founders Award at this year’s kickoff event.  

Another component of our culture is our passion for giving back, whether that’s by way of security community involvement, donating our time to help others, or financially with our philanthropic partner, the Masonic Children’s Hospital.  

Last year, we raised $250,000 for Jersey, the newest facility dog at the University of Minnesota Masonic Institute for the Developing Brain. Jersey made her debut at the kickoff, and we heard first-hand how she is making an impact supporting the emotional and social needs of patients.

Jersey, the newest facility dog at the University of Minnesota Masonic Institute for the Developing Brain

Making an impact, globally 

In attendance were teams from across the US, UK, and Canada – then we took the show on the road to Pune, India where our team of 60+ came prepared with unbelievable energy. 

Most organizations have global aspirations, so who are we to think our global aspirations are so unique? Well when you have something so special, you want others to experience it. In a very short time, we’ve ramped up top-notch teams in Canada and the UK and continue to build our Pune team. There’s no doubt in my mind that we have the top offensive security teams in those regions today. There are many large multinational clients who need NetSPI to have global operations, and many regions where we can advance and accelerate their testing programs. 

Circling back to a point made earlier, innovation thrives in diversity of thought. Learning new cultures and ways of doing business is a once in a lifetime experience for our team and an opportunity to bring increasingly diverse viewpoints and approaches to support our clients.

I mentioned this in the written recap of last year’s kickoff, but it’s worth reiterating: To other business leaders considering an all-employee in-person event, I couldn’t recommend it more. There’s no replacement for human connection. 

We are at an inflection point as an organization and we cannot become complacent. We continue to find ways to ensure we attract top talent, refine our processes, and stay agile while driving innovation. 

I am both honored and privileged to be a part of the global leader in offensive security. Keep an eye on this team. You won’t want to miss the world of opportunities we uncover next. I’ll leave you with this recap video to keep the energy high until next year – cheers!

NetSPI Acquires nVisium – Q&A with the CEOs
https://www.netspi.com/blog/executive-blog/netspi-updates/nvisium/
Tue, 10 Jan 2023 15:00:00 +0000

Hear from NetSPI CEO Aaron Shilts and nVisium CEO Jack Mannino on why they are joining forces and what the acquisition means for the cybersecurity industry.

The post NetSPI Acquires nVisium – Q&A with the CEOs appeared first on NetSPI.

Today, we’re happy to announce that NetSPI has acquired nVisium to continue building upon our suite of offensive security testing solutions. We sat down with NetSPI CEO Aaron Shilts and nVisium CEO and Founder Jack Mannino to learn what this means for their mutual clients and the greater cybersecurity community.

Why nVisium/NetSPI?

Aaron Shilts: The nVisium team brings an impressive track record in cloud and application pentesting, and we’re incredibly excited to welcome them to NetSPI. Coming together, we will unlock great potential in meeting the increasing demand for quality pentesting solutions and reinforce our commitment to growth and innovation. It took months of research, discussions, and interactions to come to this decision, but one thing is for sure: we were always convinced the nVisium team would be the perfect complement to the DNA and culture we’ve built at NetSPI.

Jack Mannino: We’ve competed with NetSPI in the past, and I’ve always respected what Aaron and his team have built. Agreeing to an acquisition is not a small decision, but as soon as we started talking with the NetSPI team, it was clear that both organizations were extremely aligned from a culture, delivery, and people perspective. They care deeply about their people and maintaining a culture of collaboration, plus, we have the same high standards for security testing as they do. With this acquisition, nVisium employees and clients will be presented with a wide array of new opportunities. I’m eager to see what we can accomplish together.

How will this acquisition impact mutual clients and the greater security community?

Aaron: This news follows our recent announcement of KKR’s investment in NetSPI’s future and its promise to continue to bring positive impact to the security community. By joining forces with nVisium, we can move faster, offer clients access to an incredibly talented team of offensive security professionals, and double down on our promise for innovative, platform-driven, and human-delivered offensive security solutions.

Jack: By joining forces with NetSPI, nVisium has a massive opportunity to expand the breadth and depth of solutions we deliver, improve the client experience, and introduce new growth opportunities to our employees. We have built strong enterprise relationships and we are eager to support them in new ways and, at the same time, build on our capabilities within cloud and application security testing.

Notably, NetSPI’s penetration testing as a service (PTaaS) delivery model has made an incredible impact on its clients, enabling them to test continuously, digest results in a dynamic way, improve vulnerability management efforts, and increase manual testing and triaging. nVisium and NetSPI together will amplify the PTaaS model and allow us to increase our capacity to help more organizations.

What’s next for the combined companies?

Aaron: This acquisition is proof that we are committed to staying true to our mission, disrupting the penetration testing industry by attracting and retaining top talent, and setting the highest standards in the penetration testing market. Over the next few months, we will be focused on integrating the nVisium team to help deliver high-caliber pentesting solutions to more enterprises, globally.

Over the next year, you will see an emphasis on NetSPI’s R&D, particularly with our cloud, IoT, and blockchain solutions. We’ve recently formed an official NetSPI Labs team, who will lead the development and expansion of new offensive security solutions and tools.

Jack: The industry can expect continued growth, innovation, and quality pentesting from NetSPI and nVisium – with no signs of slowing. The power of our combined teams will certainly be a force to be reckoned with.

What KKR’s Growth Investment Means to NetSPI https://www.netspi.com/blog/executive-blog/netspi-updates/kkr-growth-investment/ Wed, 05 Oct 2022 13:00:00 +0000 https://www.netspi.com/kkr-growth-investment/ Learn what KKR’s growth investment in NetSPI means to the penetration testing company.

The post What KKR’s Growth Investment Means to NetSPI appeared first on NetSPI.

Today I’m thrilled to announce that the global investment firm KKR is to invest $410 million in NetSPI. This growth investment marks one of the largest private equity deals in cybersecurity this year – a massive accomplishment for Team NetSPI.

We didn’t become the leader in offensive security by checking boxes or sticking to the status quo. We got here by hiring the best talent in the business, innovating without limits, and creating a workplace culture of excellence. This is where our focus will remain as we double down on our investments to build strong teams, develop our technology stack, and expand our offensive security services globally.

In May 2021, KKR made a $90 million investment in NetSPI, with participation from Ten Eleven Ventures. Over the past 18 months, they’ve been a dedicated partner who believes deeply in this team. This growth investment is further proof that hard work pays off as we near the end of another record year of growth and celebrate our recent accomplishments, including the continued adoption of our PTaaS delivery model, our acquisition of Silent Break Security, the introduction of Attack Surface Management, our global expansion to EMEA, our NetSPI University training program, and more.

We are much more than a penetration testing company. We’re a group of incredibly talented ethical hackers, vulnerability researchers, project managers, and strategic partners who ultimately want to help our clients innovate with confidence. We’re a company that understands how to develop and leverage technologies to create efficiencies at a time where resources are limited, empowering people to focus on what matters most.

To ensure the security of today’s most prominent organizations and keep pace with the evolving attack surface, we must challenge the status quo in offensive security. With KKR’s support, we will continue doing just that. I, for one, am excited for this new chapter in NetSPI’s story of growth, disruption, innovation, and dedication.

Aaron Shilts, CEO at NetSPI

Technology Cannot Solve Our Greatest Cybersecurity Challenges, People Can https://www.netspi.com/blog/executive-blog/security-industry-trends/technology-cannot-solve-cybersecurity-challenges/ Tue, 24 May 2022 13:00:00 +0000 https://www.netspi.com/technology-cannot-solve-cybersecurity-challenges/ Read this article by NetSPI CEO Aaron Shilts on why people are the greatest asset to the cybersecurity industry.

The post Technology Cannot Solve Our Greatest Cybersecurity Challenges, People Can appeared first on NetSPI.

Technology cannot solve our greatest cybersecurity challenges. At least not on its own. 

Last month, NetSPI held its 2022 Employee Kickoff event in-person after a long two-year hiatus. Nearly 300 employees from across the globe came together in the North Loop neighborhood of Minneapolis, just steps from NetSPI headquarters.  

The day was buzzing with great energy from the get-go as we reunited with our friends and colleagues, met people in-person for the first time, and got to experience firsthand what an incredible workplace culture NetSPI has. 

Amidst the keynotes, build-your-own LEGO Scan Monster races, and live 90’s rock band, one thing became abundantly clear: the power that comes from bringing people together face-to-face to form relationships, share ideas, and collaborate is unmatched.

All too often in the high-growth cybersecurity industry, we view technology as the ‘silver bullet’ against today’s threat actors. But at the end of the day, it’s people who will solve the greatest challenges we face. 

Reflecting on the day, I wanted to share four takeaways that highlight the importance of the human impact in the tech industry.

The cyber arms race can only be won through the intersection of technology and talent 

We cannot rely solely on technology to win this cyber “arms race” we’re experiencing today. We often find ourselves myopically focused on technology to solve difficult problems. And while technology and automation are critical, our industry will not thrive on tech alone.  

The only way that the good guys will come out on top is through the intersection of technology and talent. 

Technology should enable humans to do their job in a more effective and efficient way, and we should remember to view it through this lens. For example, during the NetSPI Employee Kickoff Event, we revealed a couple of Resolve updates to our security consultants who use the vulnerability management and penetration testing platform. We updated notification settings to be more customizable and created a portal for all project kickoff documentation and tracking. These are fairly simple and administrative updates, but it nearly resulted in a standing ovation for our product and development teams. 

Again, technology enables humans to do what they do best. In this case, we found a way to limit notifications and streamline a mundane process to free up our pentesters’ time, enable them to do the work they enjoy, and ultimately find more business-critical vulnerabilities for our clients. 

As we’re all aware, recruiting and retaining a team with the right cyber talent is incredibly hard in a market where unemployment is 0%. But simply assembling a team with the right technical skills is far from enough. It is vital to tackle cybersecurity with empathy, curiosity, and creativity – all traits that only humans can possess. 

“Culture eats strategy for breakfast” 

Peter Drucker stated, “Culture eats strategy for breakfast.” And he was right. 

Culture and values define who you are. They drive innovation in technology, how teams collaborate, and the service clients receive and how they perceive you. 

NetSPI Chief Revenue Officer Alex Jones said it well in his keynote, “Values represent whatever is important to YOU.” Work is important… and so is everything else. Employees should get to spend time doing what they enjoy in and outside of the workplace. Once organizations recognize this, it becomes much easier to embrace a values-driven culture. 

A strong culture requires teams working authentically and in concert with each other, a task that became increasingly difficult during a global pandemic that sent most organizations, including NetSPI, fully remote.

I believe we have underestimated the power of in-person, human connection. Bringing 300 people together in-person certainly had its risks, but it was immediately evident how valuable the human connection was in driving collaboration and building relationships – and in turn improving the customer experience and the team’s performance. 

Collaboration and diverse perspectives are key to solving the most difficult challenges 

In cybersecurity and at NetSPI, we solve client challenges every day, often for the largest organizations in the world. We succeed at solving the most difficult of these challenges when collaboration and diverse thoughts reign. 

One thing I noticed at the event was that sales didn’t cling to their sales peers, services didn’t cling to their services peers, leadership didn’t cling to their fellow leaders. Although it can be difficult, breaking down departmental silos within an organization can cultivate idea sharing and welcome new perspectives across the organization. This event helped us make big strides toward that goal. 

Allowing everyone to have a seat at the table and feel comfortable speaking up and sharing their ideas is something that we value greatly at NetSPI. After all, diverse thought fuels innovation. 

In-person events can help you uncover the Purpose that your team will rally around 

After the event, I challenged myself to think hard about what my employees really care about. What can I do as a leader to deliver on that purpose and adhere to my employees’ values? Am I creating a workplace environment that allows them to adhere to their values?

These events tend to be a wakeup call around a greater mission. And a presentation from our philanthropic partner, the Masonic Children’s Hospital, did just that. 

The Director of Development at the Hospital, Nicholas Engbloom, shared a powerful story about Minnesota Gopher placeholder Casey O’Brien and his journey battling cancer. For those unfamiliar with Casey, I’d encourage everyone to listen to his story.  

It was clear how much the story and our partnership with the Masonic Children’s Hospital resonated with and empowered our employees. It showed me how powerful it is for our employees to rally around a greater sense of Purpose and give back to the community. I’m excited to ramp up our philanthropic activities with the hospital and other organizations this year. 

Investments that you make as an organization to bring your team members together have incredible Return on Investment (ROI) – and that’s just the ROI we can measure. To other cybersecurity business leaders considering an all-employee in-person event, I couldn’t recommend it more.  

People are the key to solving the world’s biggest cybersecurity challenges. And the organizations that are enabling employees through tech and creating a values-driven workplace culture will be the ones leading the charge. 

I’ll leave you with some incredible dance moves, courtesy of the NetSPI team. Check out this video recap for highlights from the NetSPI 2022 Employee Kickoff:

Want to join us next year? NetSPI is hiring!

Cyber Attacks on Ukraine Signal Need for Heightened Security https://www.netspi.com/blog/executive-blog/security-industry-trends/cyber-attacks-signal-need-for-heighted-security/ Tue, 22 Mar 2022 12:00:00 +0000 https://www.netspi.com/cyber-attacks-signal-need-for-heighted-security/ Protect the security of your organization with these four cybersecurity measures.

The post Cyber Attacks on Ukraine Signal Need for Heightened Security appeared first on NetSPI.

Four Tips to Proactively Improve Your Security Posture

Is cyber warfare in your crisis management plan? If not, it’s time to revisit your incident response plans and get proactive with your security as tensions rise in Eastern Europe. 

Recently, several Ukrainian government and bank websites were offline as a result of a massive distributed denial-of-service (DDoS) attack. Shortly following these attacks, a new “wiper” malware targeting Ukrainian organizations was discovered on hundreds of machines to erase data from targeted systems.  

Experts believe both security incidents were carried out by Russian cybercriminals or nation-state hackers, creating a new digital warfare environment that affects organizations worldwide.  

Now, on the heels of the Biden administration issuing new sanctions against Russian banks, the U.S. government is advising public and private organizations to heighten cybersecurity vigilance related to ransomware attacks carried out by the newly identified wiper malware. In fact, New York recently issued an “ultra high alert” as the state faces increased risk of nation-state sponsored cyber attacks.  

As cybercrime escalates and tensions mount, business leaders can take the following four steps to bolster security measures and remain better protected against potential risk: 

1. Evaluate Your Current Security Posture

Before implementing any new initiatives or overhauling existing measures, it’s important to evaluate the organization’s current security posture. This means taking a closer look at its attack surface, customer environments, vendor relationships, and other partnerships to understand an organization’s true exposure to malicious actors.  

Businesses that have proactively developed an incident response playbook are best prepared to evaluate their position, and large organizations likely have policies that cover geopolitical unrest. However, with the threats still unclear, even late adopters can allocate resources to strengthen their security posture in weeks or even days. 

2. Refer to CISA’s Shields Up Initiative  

The Cybersecurity and Infrastructure Security Agency (CISA) recently launched Shields Up, a free resource that features new services, the latest threat research, recommendations for business leaders, as well as actions to protect critical assets.  

Whether an IT security professional, or a top C-suite leader, all roles within an organization should familiarize themselves with Shields Up and the actionable advice recommended by CISA.  

Such advice includes reducing the likelihood of a damaging cyber intrusion; taking steps to quickly detect a potential intrusion; ensuring that the organization is prepared to respond if an intrusion occurs; and maximizing the organization’s resilience to a destructive cyber incident. 

3. Prioritize Proactive Offensive Security Measures

Proactive cybersecurity testing is oftentimes an afterthought for business leaders when evaluating breach preparedness. In reality, enterprise security testing tools and penetration testing services that boost an organization’s cybersecurity posture from the onset should be a top priority, now more than ever before.  

While many tend to focus on the physical disruption nation-state attacks can cause, popular cybercriminal tactics like distributed denial-of-service and ransomware can be mitigated through proactive offensive security activities like Penetration Testing as a Service (PTaaS), red team, breach and attack simulation, or attack surface management. 

4. Understand that Security is Everyone’s Responsibility

The weakest link within any organization is its employees. Everyone working for, or with, the business should understand that security is everyone’s business – from the CEO to the seasonal intern, and even the third-party contractor.  

For this reason, organizations should implement frequent, hands-on security training, and regularly test the effectiveness of such training with simulated attacks to determine if more work needs to be done. After all, it only takes one accidental click on a malicious link to cripple an entire organization and its assets. 

During times of unrest, cybercrime skyrockets as individuals become distracted and increasingly vulnerable. It’s important to remain vigilant while the current attacks continue, even if an organization does not directly work with Ukraine or Russia.

Connect with Team NetSPI to learn more about our testing capabilities. Contact us today.

Checklist: Getting the Most Value Out of Penetration Testing and Vulnerability Management https://www.netspi.com/blog/executive-blog/penetration-testing-as-a-service/checklist-getting-the-most-value-out-of-penetration-testing-and-vulnerability-management/ Tue, 22 Sep 2020 07:00:06 +0000 https://www.netspi.com/checklist-getting-the-most-value-out-of-penetration-testing-and-vulnerability-management/ You have leadership buy-in to invest in a proactive cybersecurity program to better protect your organization from security breaches that could put your organization at grave risk.

The post Checklist: Getting the Most Value Out of Penetration Testing and Vulnerability Management appeared first on NetSPI.

You have leadership buy-in to invest in a proactive cybersecurity program to better protect your organization from security breaches that could put your organization at grave risk. And you’ve committed to building an ongoing and continuous vulnerability management program to guard against the potential threats to your assets. Now what?

Putting a successful vulnerability management program in place needs careful consideration up-front to ensure your organization is set up for success to remediate vulnerabilities for each application and system you have. The following checklist breaks the best practices process down and provides you with a planning roadmap to getting the most value out of a penetration testing and vulnerability management program.

Penetration Testing Program Plan of Attack

For each step below, the checklist gives the deliverable, the elements of success, and the requirements to tick off.

Step One: The Plan

Develop a plan that puts structure and strength around cybersecurity to include continuous vulnerability testing and patching, incident response plans, and training and security awareness programs. The ultimate goal? Decrease time to remediation and to close security gaps in your network.

Clearly define the scope, objectives, identification of testing, and the order in which they are to be performed.

Build a vulnerability management team. This could include both in-house talent as well as industry analysts or consultants. When choosing a pentesting service provider, ask about the credentials of their pentesting team, beyond technical competencies. Will your team be comprised of a dedicated work group or an outsourced group who haven’t previously worked together, for example. Team structure has implications on streamlined communications and in knowing who is inside your network.

Augment with careful preliminary risk planning with contingency plans should any services be unintentionally disrupted.

Types of penetration testing:

□  Develop a high-level vulnerability management plan – be sure to include non-negotiables such as scalability and continuous testing

□  Present your case to business leadership; gain agreement on budget

□  Refine plan and define ownership and scope of your program to include personnel and their roles and responsibilities

□  Develop policies, standards, and procedures

□  Determine merchandising strategy – to bring visibility to the program’s successes

Step Two: Scanning and Assessment

Layer in automated scanning functions that deliver results that can be easily sorted and acted upon with human capital to find and fix vulnerabilities.

Create an enumeration (list and count) of suspected vulnerabilities, compiled from multiple automated tools run over time rather than from a single tool.

Build in further analysis of suspected vulnerabilities using specialized tools and manual techniques as required.

□  Identify all assets you want to scan

□  Define vulnerability landscape:

  • Common vulnerabilities and exposures (CVEs)
  • Common Configuration Enumeration (CCEs)
  • Architecture
  • Design

□  Define actionable reporting structure of vulnerabilities

□  Deploy automated vulnerability scanning, use authenticated mode to scan high-value resources

□  Prioritize pentesting cadence, beginning with an external network penetration test followed by internal network testing

□  Commence manual pentesting

Step Three: Preparing for Risk-Based Remediation

Develop a risk-based remediation plan commensurate with your program’s maturity level and appetite for business risk.

Employ a comprehensive verification of high-risk vulnerabilities including but not limited to safe exploitation of these vulnerabilities using both automated and manual processes, including the injection of malicious code when called for.

□  Rank vulnerabilities through an established remediation timeline. For example:

  • Critical = 7 days
  • High = 2 weeks
  • Medium = 1 month
  • Low = Patch driven updates

□  Assign application and system remediation owner

□  Build in business leadership approvals for long lead remediations

Step Four: Ongoing Reporting and Improvement

Automate your vulnerability management program as much as possible: spreadsheets, emails, and document sharing portals are insufficient for most organizations, large ones in particular. Automation enables 24/7 pentest report visibility with business leadership and continuous improvement.

Find a penetration testing reporting platform that is engaging and customizable to showcase what is most important to your business, one that can track and compare data over time.

Learn about the NetSPI Resolve™ platform.

□  Build a reporting framework – for the pentesting team and for business leadership

□  Identify continual improvement opportunities

□  Use comparison data to showcase progress over time and highlight successes

All organizations should aspire to have the people, processes, and tools necessary to effectively execute an ongoing vulnerability management program. Failure to do so may result in poor tool selections, testing mistakes, and faulty interpretation of vulnerability scanner and pentest results that often lead to a false sense of security and could put the enterprise at risk. By building out a vulnerability management plan, as depicted above, you can dramatically increase the security of your enterprise and can be better assured to reach your ultimate goal: to decrease time to remediation and close any security gaps in your network.
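As an added example (not NetSPI’s code and not the Resolve platform), the Python below applies the Step Three remediation timeline (Critical = 7 days, High = 2 weeks, Medium = 1 month, Low = patch driven) to a set of constructed findings, ranks the open ones, flags unowned and overdue items and long-lead fixes that need leadership approval, and produces the time-to-remediation numbers Step Four asks you to report. The finding records and the 30-day "long lead" threshold are assumptions made for the example.

```python
"""Remediation SLA tracker for a vulnerability management program.

Added example, not NetSPI's code or the Resolve platform. The severity
deadlines are the Step Three timeline from the checklist; the findings and
the LONG_LEAD_DAYS threshold are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Step Three timeline. Low has no fixed deadline (patch-driven), so it is
# tracked but never flagged as overdue.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": None}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Assumption: a planned fix more than this many days past the SLA due date is a
# "long lead" remediation that needs business leadership approval.
LONG_LEAD_DAYS = 30


@dataclass
class Finding:
    finding_id: str
    asset: str
    severity: str
    found_on: date
    owner: Optional[str] = None            # Step Three: assign a remediation owner
    remediated_on: Optional[date] = None
    planned_fix_on: Optional[date] = None  # set when the fix cannot meet the SLA

    def due_on(self) -> Optional[date]:
        """SLA due date derived from severity; None for patch-driven (Low)."""
        days = SLA_DAYS[self.severity.lower()]
        return None if days is None else self.found_on + timedelta(days=days)

    def is_overdue(self, today: date) -> bool:
        """Open, has a fixed deadline, and that deadline has passed."""
        due = self.due_on()
        if due is None or self.remediated_on is not None:
            return False
        return today > due

    def needs_leadership_approval(self) -> bool:
        """Planned fix date is more than LONG_LEAD_DAYS past the SLA due date."""
        due = self.due_on()
        if due is None or self.planned_fix_on is None:
            return False
        return (self.planned_fix_on - due).days > LONG_LEAD_DAYS


def prioritize(findings):
    """Rank open findings: highest severity first, then earliest due date."""
    open_findings = [f for f in findings if f.remediated_on is None]
    return sorted(
        open_findings,
        key=lambda f: (SEVERITY_RANK[f.severity.lower()], f.due_on() or date.max),
    )


def report(findings, today: date) -> dict:
    """Step Four: the figures to put in front of the pentest team and leadership."""
    closed = [f for f in findings if f.remediated_on is not None]
    days_to_fix = [(f.remediated_on - f.found_on).days for f in closed]
    within_sla = sum(
        1 for f in closed if f.due_on() is None or f.remediated_on <= f.due_on()
    )
    return {
        "open": len(findings) - len(closed),
        "unowned": [f.finding_id for f in findings
                    if f.owner is None and f.remediated_on is None],
        "overdue": [f.finding_id for f in findings if f.is_overdue(today)],
        "needs_approval": [f.finding_id for f in findings
                           if f.needs_leadership_approval()],
        "closed": len(closed),
        "closed_within_sla": within_sla,
        "mean_days_to_remediate": (sum(days_to_fix) / len(days_to_fix))
                                  if days_to_fix else None,
    }


# Constructed sample findings (not real scan or pentest data).
TODAY = date(2020, 9, 22)
SAMPLE = [
    Finding("F-1", "external web app", "Critical", date(2020, 9, 10), owner="app-team"),
    Finding("F-2", "VPN gateway", "High", date(2020, 9, 15)),                # no owner yet
    Finding("F-3", "legacy file server", "Medium", date(2020, 8, 1), owner="infra",
            planned_fix_on=date(2020, 10, 15)),                            # long lead
    Finding("F-4", "intranet wiki", "Low", date(2020, 7, 1), owner="infra"),
    Finding("F-5", "payments API", "High", date(2020, 8, 20), owner="app-team",
            remediated_on=date(2020, 8, 30)),                              # within SLA
    Finding("F-6", "domain controller", "Critical", date(2020, 8, 1), owner="infra",
            remediated_on=date(2020, 8, 12)),                              # missed SLA
    Finding("F-7", "customer portal", "Critical", date(2020, 9, 18), owner="app-team"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f.finding_id, f.severity, "due", f.due_on(), "owner", f.owner)
    print(report(SAMPLE, TODAY))
```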

Q&A with Nabil Hannan: An Inside Look at Red Teaming Culture https://www.netspi.com/blog/executive-blog/red-teaming/qa-nabil-hannan-inside-look-at-culture/ Tue, 08 Sep 2020 07:00:16 +0000 https://www.netspi.com/qa-nabil-hannan-inside-look-at-culture/ The term ‘red teaming’ is said to be overly used in the cyber security industry, which is why the concept is often misunderstood and unclear.

The post Q&A with Nabil Hannan: An Inside Look at Red Teaming Culture appeared first on NetSPI.

The term ‘red teaming’ is said to be overly used in the cyber security industry, which is why the concept is often misunderstood and unclear. But for the right cyber security pro, red teaming can be an exciting profession. Red teaming assessments are objective based assessments of an organization’s security posture. Assessors are allowed to use any technique that they deem appropriate to try and determine if the objectives, defined upfront, can be accomplished. Typically, a red team’s goal is to gain unauthorized access to an organization’s environment while avoiding detection and then maintaining access for a pre-determined period of time to test an incident response team’s ability to identify and respond to threats.

Red teaming is not a job for the faint of heart as it involves travel and many hours, even days, of thinking strategically and reacting quickly to the situation at hand. Nevertheless, it’s a critical component of every vulnerability testing strategy and can help organizations accurately assess threats to IT assets, benchmark current security capabilities, justify security investments, sharpen the skills of the team and improve detective controls. Given the importance of red teaming engagements, the industry should also understand the people behind the engagements and how they operate in order to get the most value out of the engagement. I talked with NetSPI Managing Director Nabil Hannan for an inside look at red teaming culture.

Aaron Shilts (AS): Who is drawn to red teaming work?

Nabil Hannan (NH): Although having solid technical skills to be able to circumvent security controls in the software, network or infrastructure may be an important skill to have, ultimately, the personalities who are most attracted to this type of work, and end up being most successful at red teaming engagements, are people who are clever and can think outside the box. Having the ability to think quickly on one’s feet and solve problems on the fly are important attributes for people who perform these assessments.

AS: Penetration tests and red teaming assignments can cause stress and anxiety, how does this affect professionals?

NH: Although red teaming engagements can be stressful, typically the personalities who do these engagements enjoy, and even thrive on, doing this type of work, and – from my experience – rarely consider this as true “stress.” Red teaming engagements really allow assessors to go above and beyond and truly think outside the box on how to circumvent security controls in creative ways to successfully complete objectives. These creative methods can range from being able to create phishing emails (that generate excitement and make victims fall for the attack and click/respond to the phishing attack) all the way to physical security attacks where you can use condensed air cans or even something as simple as a balloon to trigger motion sensors and get access to parts of a building which require special access or clearance.

AS: What kind of tools do red teams have at their disposal?

NH: Red Teaming assessments can leverage any existing information they have at their disposal regarding vulnerabilities and weaknesses in the systems and environments they are trying to compromise. This may include penetration testing reports, automated scan reports (e.g. static application security testing (SAST), dynamic analysis security testing (DAST), interactive application security testing (IAST), network scanning), video surveillance feeds, user guides, documentation around access controls, and more. There are also many tools and gadgets that can be purchased for fairly low cost to do reconnaissance and exploits with things like WiFi antennas with extended range, RFID sniffers, and USB mice with flash storage inside them.

AS: How can leaders help balance the demands of the job while creating a sense of camaraderie among their teams?

NH: Most red teaming engagements are performed in teams of two or more. It’s important for the team to work cohesively together and help complement each other’s strengths. Building a team with a good mix of both technical and non-technical skills is important for success. Successful leaders will assign specific roles for each team member focused on harnessing their strengths, and also ensure that the team works together to brainstorm and create plans and strategies on how to accomplish specific objectives outlined in the engagement.

AS: What background or qualifications are beneficial for a red team professional?

NH: Professionals with military and law enforcement backgrounds are a valuable addition to a team because they can help navigate the legal and physical security aspects of an engagement. And it’s critical to have professionals on the team who have the resources and technical expertise to be able to identify and exploit vulnerabilities in software systems to find ways to circumvent security controls and accomplish the objectives of the engagement.

AS: Is there risk for red teams to get in trouble with the law while participating in an engagement?

NH: There have been some incidents, but they are very rare. Typically, during Red Teaming assessments, the assessors are provided with a “get out of jail free” letter that they are required to carry throughout the engagement. These letters provide details regarding the engagement, who the sponsor is, and contact information for the client so that law enforcement can call and confirm the rules of engagement and scope of the assessment. The cyber security community typically isn’t worried about their assessors getting arrested and facing criminal charges, because they were performing the work on behalf of an organization, and they have contractual language that protects them.

Red teaming professionals certainly have their work cut out for them, as cyber security adversaries continue to evolve and find new ways to access sensitive systems and data. Let this article be a reminder to thank red team assessors next time you see them – and talk with them about how IT and security leaders can better enable them to work collaboratively, use all available resources, and use their creative, yet technical, minds to help organizations assess security threats and ultimately improve their security posture.

Our security experts are the authors of one of the industry’s leading blogs. Read our technical blog, Hack Responsibly.

The post Q&A with Nabil Hannan: An Inside Look at Red Teaming Culture appeared first on NetSPI.

Four Ways Pentesting is Shifting to an “Always On” Approach https://www.netspi.com/blog/executive-blog/penetration-testing-as-a-service/four-ways-pentesting-is-shifting-to-an-always-on-approach/ Tue, 18 Aug 2020 07:00:45 +0000 https://www.netspi.com/four-ways-pentesting-is-shifting-to-an-always-on-approach/

No industry is safe from a cyberattack and last year’s long list of breach victims is testament to that. Within the first six months of 2019, 3,800 breaches were reported, exposing 4.1 billion records. The impact of a breach continues to grow, and the wide-ranging threat landscape continues to shift – thus, our network security testing strategies should evolve in tandem.

Penetration testing has been around for decades and has remained at the foundation of vulnerability testing and management programs. But as the modern enterprise continues to evolve, and attack surfaces become much more complex, pentesting has remained relatively unchanged. Following a pentest, security and IT teams are typically left with an immense amount of vulnerability data that ends up in PDFs with limited context, making it challenging to process and collaborate with development teams for vulnerability remediation. In addition, many organizations struggle with the breadth of their security testing coverage and lack the time or financial resources to adequately pentest all of the applications and systems in their environment – and they can’t remediate all the vulnerabilities from each test. According to Gartner, once a company discloses a vulnerability and releases a patch, it takes 15 days before an exploit appears in the wild.

To ensure critical assets are secure and their entire attack surface has some level of pentesting coverage, today’s modern enterprise requires a more continuous and comprehensive penetration testing process.

Enter Penetration Testing as a Service, or PTaaS: a hybrid approach to security testing that combines manual and automated ethical hacking attempts with 24/7 scanning, consultation and streamlined communication and reporting delivered through a single platform. By delivering pentesting “as a service,” organizations receive a broader, more thorough vulnerability audit year-round instead of relying on point-in-time pentests, which are typically executed just once a year.

Point-in-Time Pentesting Versus PTaaS

While an important starting point, point-in-time penetration testing has its limitations. Once a test has been completed, how can one be sure that no new vulnerabilities arise during the remaining 364 days of the year? To better understand the impact of PTaaS, here are four core differences between point-in-time penetration testing and PTaaS. PTaaS gives organizations:

  1. Visibility and control. Through PTaaS, organizations are put in control of the pentest. Security teams gain the ability to request and scope new engagements, see the progress and status of all open engagements, easily parse the vulnerability trends, and work to understand and verify the effectiveness of remediations, all within a single online platform.
  2. Paths to quicker remediation. The penetration testing reports, often static PDFs, created after a standard pentest leave much to be desired when it comes to vulnerability remediation. On average, it takes 67 days to remediate critical vulnerabilities. PTaaS platforms allow findings to be actionable as they can be sorted, searched, filtered, and audited. As the vulnerability or exploit evolves over time, the data related to it will be updated, not remain unchanged in a document. Additionally, PTaaS provides development teams with the most up-to-date and relevant information for remediation, with assistance and consultation from the team of pentesters who found the vulnerability.
  3. More security testing possibilities. Due to both the cost savings of automation and the efficiency provided for remediating vulnerabilities, companies are able to do more with their budgets and internal resources. The faster vulnerabilities are found and remediated, the quicker the company can move on to protect itself from the next vulnerability.
  4. Prioritized, actionable results. PTaaS platforms, like NetSPI’s Resolve, will aggregate and correlate the findings, eliminating manual administrative tasks while providing a result set that drives the right set of actions in an efficient manner for all organizations. According to Gartner, one of the most common ways to fail at vulnerability management is by sending a report with thousands of vulnerabilities for the operations team to fix. Successful vulnerability management programs leverage advanced prioritization techniques and automated workflow tools to streamline the handover to the team responsible for remediation.

Whether it’s scoping a new engagement, parsing real-time vulnerability reports, assisting you with remediation, or keeping you compliant year-round, NetSPI PTaaS has you covered. Learn how NetSPI uses our full service portfolio to deliver world-class, continuous service testing for you.

What’s fueling the desire for an “as a Service” model for penetration testing?

Businesses, no matter the industry, are constantly changing and are on the lookout for technology that can scale with them. Because of the constant flux that businesses remain in today, whether from engaging in a merger or acquisition or integrating a new software program, there is a desire to uncover the most efficient way to maintain an always-on vulnerability testing strategy, while also ensuring capacity to remediate. PTaaS is scalable, so that organizations of all sizes and maturity can use it to maintain a small part of their security testing program – or the entire program.

Further, heavily regulated industries – such as financial services, healthcare, and government – benefit greatly from an “as a Service” model, given the level of sensitive data stored and pressures of maintaining compliance. With PTaaS, organizations can consume their data, on-demand, in many formats for their various regulatory bodies and gain the visibility to know what is happening in their security testing program, and what actions need to be taken.

PTaaS is the new standard for vulnerability testing and remediation as security teams recognize that annual testing does not enable a proactive security strategy. Pentesting engagements are no longer a once-a-year tool for compliance and have evolved into a critical part of day-to-day security efforts.

The post Four Ways Pentesting is Shifting to an “Always On” Approach appeared first on NetSPI.
