- Cybersecurity is a white-hot investment space, with over $7.8 billion invested globally in 2020.
- One startup, Cobalt, has drawn millions in funding for its penetration testing-as-a-service.
- While cybersecurity is moving towards automation, Cobalt bets human pentesters will always have a job.
The $150 billion cybersecurity industry is moving rapidly towards automation, with companies racing to develop AI-powered tools to detect and patch security vulnerabilities. But one startup is betting that hackers can never be replaced by machine learning — and investors are pouring millions into its vision.
Cobalt, a cybersecurity startup founded in 2013, is one of the first startups to build its business around the notion of “penetration testing as a service,” allowing companies to hire these so-called pentesters on demand.
Pentesters are “white hat” hackers hired to experiment with companies’ cyber defenses. In exchange for a fee, they try their best to break into a company’s systems, prodding its software for weak points and testing its employees to try to gain access. They then counsel the company on how to fix the vulnerabilities they found.
So far, investors are buying Cobalt’s vision that artisanal white hat hackers will always have a job. In the past five years, Cobalt grew from ten employees to over 180, and has raised over $37 million — most recently including a $29 million series B round in August led by Highland Europe and executives from firms including Google and Adobe.
Penetration testing itself isn’t a new practice, but Cobalt pitches itself as faster and less expensive than traditional tests carried out by in-house IT teams or security contractors. The San Francisco-based startup offers access to a network of pre-vetted white hat hackers who test companies’ defenses on a freelance basis, as well as a platform to guide clients through patching vulnerabilities the testers find.
While security software increasingly promises to automate the routine manual tasks involved in sniffing out and patching vulnerabilities, Cobalt believes humans will always be able to find gaps that AI cannot, chief strategy officer Caroline Wong told Insider.
“The most impactful types of security vulnerabilities are not found by using a tool to scan; they’re not found by going through a checklist,” Wong said. “It actually has to do with the creativity of the hacker mindset.”
Greg Nicastro, an executive VP of product at the security firm Veracode, is an angel investor in Cobalt. Nicastro told Insider he expects penetration testing as a service to grow as a category in the booming cybersecurity industry.
“Manual penetration testing is a necessary evil. And I like investing in things that are necessary evils because you don’t have to convince anyone — it’s obviously a problem,” Nicastro said.
How Cobalt’s white hat hackers try to break into clients’ software
Cobalt’s white hat hackers work in teams of three to try to breach clients’ software. According to Wong, they typically focus on three types of vulnerabilities that automated tools can’t spot on their own.
One category is business logic flaws, or ways that hackers can use software in a seemingly legitimate way for malicious ends. For instance, hackers might abuse a company’s “I forgot my password” feature to gain information about a user’s email address, which can be used to trick them into handing over more credentials or crack into their account.
“That would be a big, bad security flaw. There’s no tool that’s going to find that,” Wong said.
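The password-reset flaw described above is the kind of account-enumeration issue a tester reports and a scanner rarely flags. The following is an added illustration, not code from the article or from Cobalt: a minimal reset endpoint that answers differently for registered and unknown addresses, next to a hardened version that returns the same response either way and delivers the link only out of band. The user store and the `send_email` helper are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo user store (email -> profile); not real data.
USERS = {"alice@example.com": {"name": "Alice"}}

# Server-side state: hashed reset tokens and a stand-in for an outbound mail queue.
RESET_TOKEN_HASHES: dict[str, str] = {}
OUTBOX: list[tuple[str, str]] = []


def send_email(address: str, token: str) -> None:
    """Hypothetical mail helper: in this demo it only records what would be sent."""
    OUTBOX.append((address, token))


def reset_password_vulnerable(email: str) -> dict:
    """The flaw a pentester would flag: registered and unknown addresses get
    different status codes and messages, so the endpoint doubles as an
    account-enumeration oracle."""
    if email not in USERS:
        return {"status": 404, "message": "No account found for that email."}
    token = secrets.token_urlsafe(32)
    RESET_TOKEN_HASHES[email] = hashlib.sha256(token.encode()).hexdigest()
    send_email(email, token)
    return {"status": 200, "message": f"Reset link sent to {email}."}


def reset_password_hardened(email: str) -> dict:
    """Uniform response for every input: same status, same wording, no echo of
    the address. The reset link travels only by email. The token is generated
    on both paths so the two branches do comparable work."""
    token = secrets.token_urlsafe(32)
    if email in USERS:
        RESET_TOKEN_HASHES[email] = hashlib.sha256(token.encode()).hexdigest()
        send_email(email, token)
    return {
        "status": 200,
        "message": "If that address is registered, a reset link has been sent.",
    }


def verify_reset_token(email: str, token: str) -> bool:
    """Consume a reset token: compare hashes in constant time and allow one use."""
    stored = RESET_TOKEN_HASHES.get(email)
    if stored is None:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(stored, presented):
        return False
    del RESET_TOKEN_HASHES[email]
    return True


def response_is_enumerable(handler) -> bool:
    """Self-check a reviewer can run: does the handler answer a registered
    and an unregistered address differently?"""
    known = handler("alice@example.com")
    unknown = handler("nobody@example.com")
    return known != unknown


if __name__ == "__main__":
    print("vulnerable handler leaks account existence:",
          response_is_enumerable(reset_password_vulnerable))
    print("hardened handler leaks account existence:",
          response_is_enumerable(reset_password_hardened))
```

The check in `response_is_enumerable` compares only the response body; a real review would also compare status codes, headers and response time, since a branch that skips the token generation or the mail call can leak the same fact through latency.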
The white hat hackers also look for race conditions, where a program’s behavior depends on the timing of events it doesn’t control, which are notoriously easy to exploit. Finally, they try out chained exploits, which combine other known vulnerabilities and are therefore hard for automated tools to sniff out.
With the rise of cloud services, companies increasingly rely on software developed by other firms in order to operate. Wong thinks this trend will only build the need for penetration testing, which builds trust in the security of a company’s code before other companies adopt it.
“Because of this interconnectedness, every time there’s a new connection, people want to do a pen test,” Wong said. “If my company is going to use your company’s software, then your company’s security posture becomes my company’s security posture.”