Text4Shell Validation Text4Shell Validation-mask

Automated Penetration Testing – How BAS Killed the Pen Test

Cymulate’s Breach and Attack Simulation (BAS) as-a-Service has forever changed pen tests as we know them. From months to minutes, cloud-based BAS has revolutionized how fast organizations can get security assessment results, and how much they must pay to know how secure they are at any given point in time.

Predicting the Present

In February 2018, Mr. Augusto Barros, Research VP at Gartner, predicted that breach and attack simulation technology (BAS), combined with vulnerability assessments, would kill the traditional penetration testing.

A year later, we can safely say that Barros’ prediction was in fact spot on. At least as far as network penetration testing is concerned. We are currently witnessing the very final days of the outdated service paradigm that security service and consulting firms—including the Big Four—offer their clients. Meanwhile, one can easily find new cybersecurity companies that have long been developing tools and platforms for automated penetration testing, and in this fashion are decisively eliminating the old ways of performing pen tests.


A Pen Test Paradigm Shift

A good analogy to describe what is happening in the pen-testing world today is to think of consulting firms as the equivalent of Nokia, who did not read where the market was going, nor the changing needs of their customers—all while BAS companies are the iPhone (and later, Android) of the pen-testing world. They are fast, and agile and provide organizations with immediate results. You can use them on a daily basis, at any given moment, to get a clear picture of your organization’s security posture.

Twenty years ago, I worked as the CISO of a large national telco, during which time I consumed consulting services that included risk assessments and penetration tests.

Today—two decades later—consulting firms’ work methodologies have not changed an iota. As the manager of an organization’s security operations or IT security department, you are still expected to select one or more consulting firms to work with. The consulting firms send over their teams of cybersecurity experts and pen testers to conduct audits or pen tests, gather information, and return to the office to write up the report. On average, this entire process—from the first day of testing until the report is submitted—takes no less than 30 days. I believe that most security professionals would agree that the report, on the day of submission, is no longer relevant, as the internet is an ever-changing place, where cyber threats continuously morph and evolve. A report covering tests that were performed 30 days earlier is at that moment largely irrelevant.

Why I Founded Cymulate

Driven by the idea of changing this ‘old world’ methodology, my colleagues and I decided to found Cymulate. Prior to starting up the company, I served as VP of Business Development at a large information security consulting firm.  I recall a particularly extensive project that we carried out for a client in Asia. We deployed our teams there to perform the very same tests I mentioned earlier. Our experts flew to the client’s premises numerous times, ran the tests, and wrote up their reports. All told, the project took half a year to complete.

On one of those flights, I started thinking, “What if we could let our clients perform those very same tests by themselves? What if we could simply impart our knowledge to them? Couldn’t they have performed those very same pen tests themselves, had they been given the knowhow and tools?”


The BAS Revolution

And that is how Cymulate’s breach and attack simulation as-a-service was born. One should consider that the very same project in Asia could have been performed today by the client himself within a single working day using Cymulate’s technology, including the publishing of two types of reports—an executive brief and a technical brief, complete with all of the gaps identified by the platform along with practical recommendations on how to remediate those security holes in a detailed and comprehensive manner. No one would have to fly in. No hardware would have to be installed. No manual pen tests would have to be performed. All these activities would now be replaced by automated penetration testing.


Cymulate Crowned “Cool”

Last year, Cymulate was named a “Cool Vendor” in Gartner’s May 2018 “Cool Vendors in Application and Data Security” report for its BAS platform, which tests an organization’s security posture from an attacker’s point of view, and uniquely does so 100% from the cloud.

Today, we serve customers large and small across the globe—delivering multi-vector security assessments that leverage a team of top-notch security researchers combined with publicly available threat intelligence. Cymulate takes just a few minutes to set up, and only a few more to get test results.
Admittedly, some good ideas can come from suffering on long flights…

Don’t take my word for it, though. See for yourself why Cymulate is not only cool but also revolutionary.


Start a free 14-day trial of Cymulate, no credit card is required.

Start A Free Trial