Less than a year after an executive reshuffle prompted questions about its direction and viability, Core Security Technologies has hired a new chief executive to pilot its push beyond the niche penetration-testing market.
Core Security, which employs about 130 people in offices in Boston, Mass., and Buenos Aires, Argentina, has tapped former Sophos executive Mark Hatton as its new CEO amidst strong hints that new technology pieces could be added to position the company as more than a specialized vulnerability scanning outfit.
“We have a really good opportunity to rise above the niche pen-test market,” Hatton said in an interview with eWEEK. “We already provide very valuable insight as to where vulnerabilities lie and show [an enterprise] the extent of damage that can occur. We can add a few pieces and provide a much more unified view of how well the security infrastructure is working.”
Hatton declined to discuss future strategic moves, but a quick glance at his track record at Sophos, an enterprise-facing anti-virus vendor that successfully repositioned itself as a full-fledged endpoint security player, suggests that Core Security could be moving in that direction.
“We are in a position today where [Core’s] technology is good and the marketplace is generally opening up,” Hatton said. “If you look at the evolution of Sophos, it was a specialized anti-virus company in the beginning and then it redefined endpoint security and NAC-type offerings. I see Core taking a similar path. We’ll define and evolve this market beyond pen-testing.”
Core Security has taken in $9 million in two rounds of venture capital financing to build and market Core Impact as the most comprehensive product for assessing an organization’s ability to detect, prevent and respond to information security threats. Core Impact, which sells for about $25,000 per seat, includes exploits that can be used to simulate real-world hacker attacks against network servers and workstations, user systems, and Web applications, promising help to find and fix security issues before data incidents occur.
It is a specialized niche market that’s potentially lucrative, but the emergence of cheaper-and even free-alternatives has put Core Security under the microscope. In July, when news leaked out that CEO Paul Paget and Product Manager Max Caceres were leaving the company, analysts at The 451 Group immediately issued a report questioning whether Core Security’s bet on a turnkey approach to pen testing was paying off.
Cheaper alternatives are an obstacle
The report, written by analysts Nick Selby and Paul Roberts, argued that Core’s claim of 500 customers paying $25,000 per seat should put the company near profitability or at least cash-flow positive at this point. However, because the company was not profitable, The 451 Group suggested that the market was too small, specialized and crowded to justify the investments, but Core Security was quick to respond, arguing that it is rapidly growing its customer base and pushing towards profitability.
“We have about 625 customers today and that’s growing quarter over quarter,” said marketing director Mike Yaffe. “There’s no shortage of opportunity to raise capital, depending on the strategy we want to put in place.”
The company has seen players in the Web application and vulnerability management space-SPI Dynamics, Watchfire and ISS Security-feature in big-money acquisitions by the likes of Hewlett-Packard and IBM, and there’s a sense that Hatton’s priority is to prepare Core Security for an exit.
It won’t be easy, if Core Security sticks to its penetration-testing roots. The market is littered with cheaper alternatives-among them Immunity Canvas, SAINT, and the free, open-source Metasploit Framework-and a burgeoning vulnerability scanning market made up of companies like eEye Digital Security, NetClarity, NGS Software, StillSecure and Qualys.
For example, Immunity has branched out beyond pen testing, adding specialized training and consulting services, while companies like eEye have added endpoint security management and even anti-malware capabilities to its vulnerability scanning services.
Hatton is banking on the sophistication of Core Impact and the company’s well-respected research team to help provide enough differentiation from competitors. He said enterprise buyers are skeptical about the limitations of free or inexpensive offerings, arguing that Core Security has invested heavily in research and development to create a high-end security management product.
“I think, in places where security is a big issue, cost of this solution is negligible based on actionable insight they get out of it,” Hatton said. “We have a strong customer base that’s vocal about wanting to do more with our product. They want to see more development in areas beyond pen-testing. That’s where we’re focusing our efforts.”