An Interview with Horizon3: Why You Can’t Afford Not To Pen Test
Vandis’ CEO, Andy Segal, sat down with Snehal Antani, CEO & Founder of Horizon3.ai, to discuss its fully autonomous SaaS-based solution, NodeZero, and how it empowers security teams to assess their organization’s security readiness.
Andy Segal: Thank you for joining me today, Snehal. Can you tell us about Horizon3.ai?
Snehal Antani: Horizon3.ai is a fusion of former U.S. Special Ops cyber operators, startup engineers, and frustrated cybersecurity practitioners. We’re committed to helping solve our common security problems: ineffective security tools, false positives resulting in alert fatigue, blind spots, “checkbox” security culture, cybersecurity skills shortage, and the long lead time and expense of hiring consultants for security assessments and manual pentesting.
Prior to the formation of Horizon3.ai, I worked with my co-founder Anthony Pillitiere in United States Special Operations Command (USSOCOM). We realized we needed to assess the security of our own IT infrastructure, so we hired third-party penetration testers to test our environments, and the pentesters found some issues. Our teams went on to remediate the discovered security issues, yet we had to wait months to have the same pentesters return to validate our issues were resolved.
We knew there had to be a better way, and as a result, Anthony and I joined forces and started Horizon3.ai, and named our solution NodeZero.
Andy Segal: Can you tell us more about algorithmic cyber warfare?
Snehal Antani: Algorithmic cyber warfare will come down to “maneuver decisions per minute” – how many decisions can an attack algorithm make, and how quickly can defensive algorithms anticipate & react to stifle the compromise. Beyond algorithmic cyber warfare, we have entered a new era of cyber-enabled economic warfare, where nation-states are able to achieve national objectives through cyberattacks with minimal risk of kinetic response (e.g. boots on the ground). Attackers don’t need to compromise organizations directly; rather, disrupting the supply chain can achieve the objective. Companies that embraced just-in-time logistics and lean manufacturing are especially susceptible.
Andy Segal: Why have you introduced Autonomous Pentesting to the market?
Snehal Antani: Today, organizations of all sizes must reduce their cybersecurity risk by finding the exploitable weaknesses in their network. These weaknesses are the primary enablers of the human-operated, ransom-based attacks (e.g., ransomware) that are plaguing organizations worldwide. To defeat these attacks, organizations need a solution that goes beyond finding known and patchable vulnerabilities, such as easily compromised credentials, exposed data, misconfigurations, poor security controls, and weak policies. We developed NodeZero to uncover the truly exploitable weakness in any organization’s internal, external, and cloud infrastructures.
Andy Segal: What sets Horizon3.ai apart from other vendors in the market?
Snehal Antani: Unlike other penetration testing solutions on the market, NodeZero is a fully autonomous SaaS-based solution. It discovers and exploits weaknesses just as an attacker would. It freely moves laterally in any environment by compromising credentials through credential attacks, mines exposed data, bypasses security controls, and exploits key vulnerabilities and misconfigurations. NodeZero orchestrates hundreds of offensive security tools and chains weaknesses together. Our customers use NodeZero to discover their truly exploitable weaknesses and fix them before attackers take advantage of them.
NodeZero lets security teams conduct pentests from different perspectives so they can fully assess the organization’s security readiness. NodeZero helps teams “threat model” any environment. Teams can test the impact of breaches in each network segment or in data centers and they can simulate what would happen if a specific user’s credentials were compromised. The use cases for NodeZero are very numerous.
Andy Segal: Can you share your insights on the impact of phishing and talk about how to combat it?
Snehal Antani: Every day, IT and security teams leverage sophisticated, state-of-the-art security training and in-house phishing tests to raise security awareness and identify susceptible human targets, yet every day, new attacks succeed because humans are naturally responsive, and attacks are increasingly sophisticated.
Our Phishing Impact test is first-to-market and gives security teams the ammunition required to drive meaningful improvements to reduce the credential attack surface of their organization. Business leaders often dismiss the threat of entry-level employees who click on malicious links, leading to frustration by IT and security organizations. Our Phishing Impact test can help security teams accurately convey the “blast radius” of those phished credentials, proving that sensitive data could indeed be at risk.
Andy Segal: Can you share with us the economic benefits of utilizing your solution?
Snehal Antani: In a recent study we commissioned called “The Total Economic Impact™ of the NodeZero Platform, October 2023” performed by Forrester Consulting, it shows how a composite organization received vulnerability and risk intelligence that exceeds traditional approaches through use of the NodeZero platform and achieved a 63% return on investment (ROI). In addition, operations time savings freed up the equivalent of one member of their four-member security team to focus on other security activities.
Key findings for the cost savings over a three-year period were improvement in security operations productivity by 30% worth $348,000, savings of $255,000 in eliminating third-party penetration test costs, and savings of $206,000 from reduced vulnerability scanner costs. This resulted in a financial benefit of $809,000 for this composite midsize organization. These results alone offer a compelling argument for autonomous pentesting. But the study also highlights many additional security and business benefits that will provide significant value.
To learn more about the value of autonomous pentesting and to see the solution in action, watch the recorded webinar and demo.