An often-cited best practice to help enable proper security is to test security by attempting to exploit it. That's the goal of security startup vThreat, which is gearing up to take its place in the cyber-security market with a new CEO and a plan to grow market share in 2016.
vThreat is the brainchild of founder and CTO Marcus Carey, a seasoned security professional whose experience includes time served in the U.S. Navy, CSC (Computer Sciences Corporation) and Rapid7, among others. The company was started inside the Mach37 cyber-security accelerator program in the fall of 2014. Now vThreat is naming Eric Whittleton as the company's CEO, to help grow vThreat's commercial aspirations. Whittleton's resume includes a decade spent as COO and CEO of defense contractor Information System Support (ISS).
"For years I sat at the C-level, worrying about enterprise cyber-risk," Whittleton told eWEEK.
Whittleton himself was the lead investor in the initial seed round of funding for vThreat as he sees a real need for the technology platform that vThreat provides. He explained that at his previous employers, there was always a concern about the efficacy of the defensive technologies in place and, if a full cyber-attack occurred, how the organization would respond.
Whittleton first met Carey at the Mach37 program in 2014 and quickly realized that the vThreat idea was a potential answer to a security challenge that he had been anxious about for years. The promise of vThreat is that it will provide a security attack tool as a service that can help an organization determine risk and areas of weakness.
A popular platform for penetration testing is the open-source Metasploit project, with which Carey has a high degree of familiarity, having worked at Rapid7, the lead commercial sponsor of Metasploit. Metasploit requires a researcher to actually exploit a system, according to Carey.
"I wanted to be able to do security simulations without actually exploiting boxes," Carey told eWEEK. "Nobody in a real enterprise really wants to exploit a live production network."
The big difference between Metasploit and vThreat is that vThreat is 100 percent cloud-based and is enabled by a user via a Web browser, he said. Going a step further, Carey explained that vThreat has created its own botnet that enables the company to emulate the actions of a hostile attacker.
"We have an automated network that enables enterprises to test security," he said. "We test every level of a defense in-depth profile and provide forensic data on what occurred."
By doing the automated simulations, vThreat is able to show enterprises areas that need to be improved and hardened to reduce security risk.
From a technology perspective, vThreat's tools are not based on open source, but rather have been built in-house, although Carey said that in the future vThreat might look to include open-source tools.
Penetration testing is a key requirement in a number of compliance regimens, including the Payment Card Industry Data Security Standard (PCI-DSS). The ability to help organizations meet and exceed compliance requirements is an area of opportunity for vThreat.
"At vThreat we offer the ability to do continuous assessments," Carey said. "So we see a PCI-DSS play and [are] able to help [with] compliance."
Another key trend for security in 2016 is the ability to integrate security testing into a DevOps methodology for establishing and maintaining security best practices. Carey explained that vThreat has an API that can be used in DevOps workflows.
The vThreat go-to-market plan is also about helping security consultants benefit from the platform to help their own end customers.
"Consultants don't have to install any software on their clients' system and can still perform vThreat attack simulations," Carey said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.