If you are familiar with any aspect of the cybersecurity industry, you know just how important it is to make sure your data is secure and information kept private. But what many people don’t know is just how susceptible their data is to malicious hackers or cybersecurity attacks, let alone just how frequent or successful those attacks can be. Penetration testing is one method used by businesses and agencies to test the durability of their digital defenses, but traditional methods and models of penetration testing are slow, costly, and often unreliable.
To help understand the importance of penetration testing, we sat down with Seemant Sehgal, founder and CEO of Breachlock, Inc. Sehgal is a seasoned cybersecurity professional with nearly 20 years of experience in the industry, and his company has made waves in the penetration testing market since being founded in 2018, winning dozens of awards and industry-recognized certifications for its innovative approach to penetration testing.
What inspired you to create a startup in the cybersecurity industry?
I have been working in cybersecurity for about two decades. I’ve worked with both the ‘offense’ side and the ‘defensive’ side of the industry, and it has been made clear to me that much more money goes into cybersecurity defenses than offenses. I never wrapped my head around that. The only reason you would build a defense is because you know that defense will face an offensive attack one day, but there is no point pumping money into a defense if you can’t be certain it will work when it needs to.
When I worked in the corporate field of cybersecurity, I watched companies funnel capital into their cybersecurity defenses. My job was to find out whether those investments in their defenses paid off or not. More often than not, the only question I got asked was “Is it working? Is it secure?” It made no sense to me at all. These companies were dumping money into their defenses, but had to keep asking the same people the same question over and over.
The problem wasn’t that they were investing this money into it. The problem was that they weren’t even sure whether or not it worked. That found me asking myself the question, “why aren’t we testing the defense enough to make sure it works?”
That led me to realize there are two similar, but separate, camps when it comes to testing cybersecurity defenses: automated testing, and penetration testing. Automated testing is a software tool, so it’s naturally less accurate and susceptible to cyber-attacks itself. Penetration testing uses human consultants on billable consulting hours to test your defenses but is completely human dependent. It’s time-consuming, cost-prohibitive, and there is a huge gap in the supply vs. demand of penetration testers, meaning we would never be able to test enough to remain efficient and relative.
In realizing this, I thought about solving the problem another way by using a blend human penetration testers who are guided by automated AI in a way that lets them do and find more in less time. That solution is what became Breachlock Inc.
How is AI changing penetration testing platforms and services?
Returning to the mention of penetration testing done using human capital, a lot of firms will routinely spend $200-300 per hour, per consultant, to perform penetration testing. Those consultants might spend three days researching your company and its cyber defense, two days penetration testing, three more days to draft and format a report, then two days to discuss their findings before they leave.
For us, all of that – except the penetration testing itself – is done using AI. What I’ve seen from experienced and certified testers is this: they love to hack, so that’s what we let them do. Instead of paying someone $200 or $300 an hour to do a $50-per-hour job, AI helps remove the discussion of hourly wages by moving away from the consulting-based model of testing towards a subscription-based penetration testing model.
We qualify the target via an application on our network, give you a single predictable price, and can repeat the testing process as many times as you want in as many days as you want, all within 24 hours of you signing the proposal. There’s no 3-week or 1-month lead time, which means CEOs and CIOs don’t have to worry about excess spending on billable consulting hours, and they know what is being tested, when it’s being tested, and how.
Why is penetration testing a vital SaaS for the coming decade?
In 2019, we recorded about 2,100 successful data breaches. For 2020, we’ve recorded 3,950. Successful data breaches have nearly doubled just in the last year. Nowadays, everything goes onto the cloud, and the number of cybersecurity professionals is being perpetually and exponentially overwhelmed by the number of malicious cyber-attacks. One factor we can’t separate in regard to these attacks is the speed of technological innovation. Our technology and data, and the ways we create, share, and store that data changes constantly, meaning we’re introducing more targets for hackers faster than ever.
In terms of cyberdefense, the U.S. alone spent $160B in securing ourselves online in 2020. Now compare that to the security testing market valued at $6.1B. It’s not that we’re spending enough money to defend, the problem is we don’t test to make sure the defenses we spend so much funding actually work.
It’s important to solve this problem because the current model is still consultant-based. A consultant will do his job, then leave, but we don’t have enough consultants to test as much data as we need, or as fast as we need them to. The current model isn’t agile, but penetration testing as a platform-based SaaS makes the model agile. Human capital can’t match the speed of a cloud-based data in this age of technology. Penetration testing in a SaaS model can start testing in 24 hours, giving you benefits of human expertise, but the mundane tasks get done via AI.
In what ways do you see penetration testing and/or “ethical” hacking evolving in the coming years?
To best answer this, we need to understand the three different types of companies in the market. There are fully automated scanners, penetration testing firms and the consultants they employ, and companies like us with penetration testing SaaS platforms. For other companies using SaaS platforms for testing, most of them crowd-source hackers from around the world. This isn’t a model CEOs and CIOs want to follow for cybersecurity, because there needs to be an element of trust before they open up their company’s network to someone else, regardless of who, where, or how experienced or talented they are.
The ‘traditional’ penetration testing market and model still operates by standards set decades ago. With COVID happening this past year, we’ve seen a significant increase both in the number of technological devices (e.g., smartphones) and the software applications for those devices. I think we will see more people look at cybersecurity from the perspective of a hacker, which will force them to ask questions about the integrity of their data and cyber defenses.
Over the next 5-10 years, I think we will see ‘traditional’ penetration testing firms using the consultancy model become almost – if not, entirely – extinct. I think we will still see some companies appear that use the crowd-sourcing model, but I firmly believe we will see even more platform-oriented companies like Breachlock popping up, especially if there are more CEOs or CIOs who want to solve their issues regarding penetration testing but don’t want to crowdsource anonymous talent or purely rely on AI for automated testing.
Seemant Sehgal is the Founder & CEO of BreachLock Inc. – the world’s first AI-powered full stack and SaaS-enabled Penetration Testing as a Service. Since 2019 BreachLock has quickly emerged as a market disrupter in the traditionally human dependent Penetration Testing market.