Latest news with #penetrationtesting
Forbes
3 days ago
- Forbes
The Rise—And Risk—Of AI In Offensive Security
Gunter Ollmann is a global cybersecurity innovator with decades of experience, patented tech and leadership across 80+ countries. Offensive security tools, which are designed to proactively identify threats and vulnerable attack vectors before they occur, have long been exploited by threat actors. AI is, unfortunately, perpetuating the issue and, in particular, is making social engineering easier since it empowers criminals with native language capabilities, supercharging their effectiveness. But AI is also working to the defender's advantage by shaking up the traditional penetration testing sector, which once centered on "breadth," e.g., identifying as many vulnerabilities as possible using scanners and automated tools, so that it has now evolved into full-scale attack and breach simulation. This capability effectively puts the defenders in the attacker's "shoes" so they replicate the tactics of threat actors to help organizations understand how far an attacker could infiltrate their systems. How AI Enhances Offensive Security While Introducing New Risks As with most things AI-related, innovation is a double-edged sword. As tools improve, they benefit not only defenders but also attackers. For defenders, tools that once required manual triage are now equipped with AI that can scan, correlate and validate vulnerabilities. For instance, when different scanners return conflicting information, AI can determine which findings are likely false positives, saving human analysts hours of triage. Now, instead of sifting through lengthy lists of potential issues, testers can focus on what truly matters: issues that are exploitable and impactful. For attackers who used to rely heavily on manual efforts to gather intelligence on targets, they can now use AI to mine the internet, analyze social networks, access data dumps and even build virtual personas that can infiltrate private online communities. These personas can be tailored to a specific user's interests—we have seen train hobbyists targeted and used to establish trust before delivering a targeted phishing link or malware payload. These AI-generated personas may join relevant forums, interact with the target over time and build credibility in a way that was previously too labor-intensive to execute. AI also plays a major role in passive reconnaissance. Oftentimes, attackers don't even need to touch a target system and can use AI to collect extensive intelligence about an organization from public and semi-private sources. For example, it can determine which individuals have administrative access, what systems are publicly exposed and what historical vulnerabilities exist. This reduces the need for noisy scans and increases the chances of a successful, undetected breach. But of course, defenders can use these capabilities too, hence an ongoing game of "cat and mouse" between red teamers and threat actors. Evaluating Offensive Security Vendors AI without human expertise generates "noise," particularly hallucinations, which throw false positives and negatives into the mix, so it needs highly skilled experts who know how to interpret the findings and use the tools effectively. This pool exists as the discipline has evolved from an "art" into a "science," where a global community of elite testers all perform to the same standardized methodologies and regulatory standards. This has helped streamline the logistics of launching high-quality tests quickly, enabling better remediation, retesting and translation of findings into business-relevant language for developers and executives. With organizations assured of consistency across processes, it's up to vendors to differentiate on their ability to simulate modern threats, collaborate closely with internal teams and provide testing agility. Features such as retesting, contextual reporting and access to global talent pools are also critical. Humans Versus AI Pentesting has evolved from a niche security function to a broad organizational priority. Reports no longer go just to security teams; they are reviewed by engineering leaders, product owners and other business stakeholders. Findings are now written in context for the end audience, and AI helps facilitate this translation, ensuring that vulnerabilities are understood and fixed by the right teams. This ensures not only a faster resolution but also that development teams remain focused on delivering secure code from the outset. The biggest question facing the industry is whether AI will replace pentesters. The answer is "yes" for traditional average pentesting and "no" at the top end. AI can excel at automating routine tasks, but skills like red teaming at the highest level are a human endeavor. Elite testers bring knowledge of the best tools to use and the experience that can't be replicated by algorithms. We're seeing that currently, the best results come from hybrid teams where AI handles repetitive, data-intensive tasks and human experts focus on strategy, interpretation and innovation. This is a continuation of a long-term trend whereby so-called "tier one" security analysts were automated some ten years ago. It means smaller teams can achieve more with routine tasks such as scanning, correlation and log analysis handled by AI, while expert humans focus on complex and strategic areas. Cybersecurity Is About People AI is revolutionizing offensive security, bringing with it both immense promise and considerable peril. The tools of the trade have evolved, and so too must the people and processes that govern them. As the attacker-defender arms race accelerates, the role of AI will only grow. But in the end, cybersecurity is still about people. Penetration testing and Red Teaming are driven by highly skilled individuals who understand how adversaries think, and they leverage AI as a tool to sharpen their edge. The adversaries are human—and so too must be the defenders. To truly stay ahead, organizations need to blend elite research talent with smart technology and never lose sight of the human element that defines success in security. Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
TechCrunch
28-05-2025
- Business
- TechCrunch
Security startup Horizon3.ai is raising $100M in new round
a cybersecurity startup that provides tools like autonomous penetration testing, is seeking to raise $100 million in a new funding round and has locked down at least $73 million, the company revealed in an SEC filing this week. NEA led the round, according to two people familiar with the deal. One person said that the startup is believed to be valued upward of $750 million, although TechCrunch couldn't verify whether that valuation is pre- or post-money. Another person believes the company did (or will) sell the whole $100 million, and added that the company is generating about $30 million in annual recurring revenue. Neither Horizon, nor NEA responded to TechCrunch's requests for comment. With this deal, becomes NEA's second major cybersecurity startup investment in less than a month, following Veza's $108 million funding round at an $800 million valuation announced in April. In August 2023, raised $40 million in a Series C round led by Craft Ventures with participation from SignalFire. That round brought the startup's total fundraising to $78.5 million and was aimed to expand its R&D, channel presence, and team of engineers, co-founder CEO Snehal Antani told TechCrunch at the time. Founded in 2019, comprises a team of former U.S. Special Operations cyber operators, entrepreneurs, and cybersecurity experts. Before launching the startup, Antani served as CTO at Splunk and led teams within the U.S. Military's Joint Special Operations Command. With all things AI being deployed across the tech world, AI-powered automated attacks are also on the rise. The San Francisco-based startup helps protect against such attacks with its autonomous threat detection tools. Earlier this month, received FedRAMP authorization, enabling it to sell its wares to federal agencies. It also announced in February that it saw 101% year-on-year revenue growth and exceeding 150% of its Q4 pipeline targets, without sharing specific numbers.
Forbes
23-05-2025
- Business
- Forbes
Having Clarity On Cyber Risk Is Power
Zach Fuller - Founding Partner of Silent Sector - an Expertise-Driven Cybersecurity services firm protecting companies across the U.S. getty "We don't know what we don't know." If you've ever said this when it comes to cybersecurity, you're not alone. That uncertainty is one of the biggest threats mid-market and smaller companies face today. Too many organizations operate without a clear cyber risk management strategy. It's not because they don't care but because they're unsure where to begin. Fortunately, organizations can discover and address most cyber risks with two complementary activities: • Cyber Risk Assessment: A structured, organization-wide review of the company's policies, procedures and technical controls. • Penetration Testing: A real-world exercise where ethical hackers simulate attacks to uncover technical vulnerabilities. The Blind Spot Crisis: The Greatest Security Threat The vast majority of breaches stem from vulnerabilities companies didn't know existed. Risk assessments provide a holistic overview of cyber risk across the organization. Penetration testing identifies technical gaps a cybercriminal can use while conducting an attack. Together, they provide unmatched clarity and a direct path to fortify defenses. However, many companies focus on shiny tools while overlooking the fundamentals like incident response planning or operational continuity after a breach. That's like buying a high-end alarm system while leaving the front door wide open. Organizations serious about resilience need a proactive, comprehensive strategy that protects not just their data but their ability to operate. Conducting Cyber Risk Assessments: The Proactive Method A well-run cyber risk assessment sets the stage for everything else. Measuring Against A Cybersecurity Framework Cybersecurity isn't a "make it up as you go" type of matter. Organizations can't just throw tools at the problem and hope it works out. It's critical to follow an industry-recognized cybersecurity framework. This is a structured set of controls that guides security posture in alignment with proven best practices. Industry-backed frameworks provide a reliable benchmark. A few of the most respected options include: • NIST CSF 2.0: Widely adopted across industries, especially in the U.S. • CIS Controls: Prioritized into "implementation groups" for different organizational sizes. • ISO 27001: A global standard, particularly for international or compliance-heavy businesses. These frameworks are starting points rather than rigid rules. Every company is different, and each must tailor its assessment to its business, industry and risk tolerance. A good cybersecurity partner can help prioritize the controls that matter most and cut through the noise. The Three Pillars Of Security Strong security isn't just about tech. It's about building strength across three areas that cybersecurity frameworks cover: • People: The first line of defense—and often the weakest link. • Processes: Defined, repeatable methods for doing things securely. • Technologies: Important, but only as good as the strategy and configurations. Companies love buying new security tools, but I find that most don't need more tech to strengthen security. They need better implementation of what they already own. They don't solve complexity by adding more complexity. They solve it with clarity, discipline and alignment across their people, processes and technologies. Security Road Map: Getting Everyone On The Same Page Once organizations have completed a cyber risk assessment, they'll see where the gaps are and what needs to happen next. That's the road map. This isn't about pie-in-the-sky "initiatives." It's about practical, prioritized actions: • What reduces the most risk the fastest? • What aligns with business priorities? • What can be done within the team's capacity and budget? Balance quick wins with longer-term projects. Show progress, build momentum and always tie every security initiative back to business goals. Security for the sake of security doesn't resonate. Security that supports growth, continuity and reputation does. Penetration Testing: See What The Enemy Sees Risk assessments show where security controls fall short across the organization. Penetration tests provide a technical vantage point, showing organizations where an attacker could get through. Ethical hackers use the same tools and tactics as malicious actors to uncover weaknesses that organizations might not even know exist. A pen test isn't just a scan—it's a hands-on simulation of a breach attempt. A comprehensive test includes real cybersecurity experts (humans, not just automation) using the latest tools, technologies and methodologies to identify exploitable attack surfaces. Pen Test Scope Pen tests should focus on what matters most to the business. Depending on the environment, that could include the external network, internal network, cloud platforms, web applications, wireless networks, operational technology (OT) and even the people inside the organization through social engineering. The Three "Boxes" Of Pen Testing Pen tests come in a few flavors, each with a different perspective: • White-Box: Full access and information. Thorough, but not as realistic. • Black-Box: Simulates an outsider's view. Realistic but limited. • Gray-Box: The sweet spot. Enough access to be efficient, enough realism to simulate an attacker's perspective. Think of pen testing as an organization's chance to "fight the enemy before the enemy fights them." Just like risk assessments, it's not one-and-done. It should be a regular part of the cybersecurity strategy. Gaining Clarity: Knowing And Understanding Risks This is the goal. A proper cyber risk assessment, guided by an industry framework, tells organizations where their defenses are strong and where they're lacking. A penetration test shows how an attacker would exploit those weaknesses. Together, they provide full-spectrum clarity—technical and strategic. That clarity is power. It allows companies to direct resources where they're needed most. It gives leadership teams real answers, not guesswork. It transforms cybersecurity from a cost center into a strategic enabler. The Bottom Line Organizational leaders don't need to be cybersecurity experts, but they do need to know where their risks are and what to do about them. Companies that thrive in this new threat landscape aren't the ones that buy the most tools or shout the loudest about compliance. They're the ones who understand their vulnerabilities, prioritize wisely and take consistent, confident action. Start with visibility, build the road map, test defenses and move forward with clarity. "We don't know what we don't know" cannot be left unsolved in today's environment. Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
