Interview: Blacklock Security pioneers pentesting as a service in Asia Pacific
Blacklock Security is a New Zealand security firm with an offering that's the first of its kind in Asia Pacific. The company, led by founder and CEO Nilesh Kapoor, has pioneered penetration testing as a service (PTaaS). Within four weeks of its launch, the company was already listed on the AWS marketplace, had established an advisory board, secured funding, and much more.
Kapoor comes from technical and customer-centric roles in security consulting and penetration testing for startups and security consultancies. We chatted with him to find out more.
"While I was working for these companies, I experienced the complexities that both customers and consultants encounter in the security testing process. I soon realised that it becomes incredibly challenging because both parties have to continuously manage vulnerabilities and produce or consume penetration testing reports. This inevitably becomes unmanageable and more expensive over time."
In 2018 Kapoor set his mind to building a more transparent, scalable solution that was easy to use. In 2020 he had completed the business foundation. In July 2021, Blacklock Security was born, with positive feedback from industry leaders.
Kapoor explains, "Blacklock is an on-demand PTaaS that automates the discovery of security vulnerabilities in your internet-facing assets. It also manages them from a single dashboard with a click of a button. Customers can perform feature-specific scans or request a retest at a flat one-time fee to meet their agile penetration test requirements."
"The back-end testing processes are automated with a scan engine which uses custom scripts and wrappers that integrate with multiple tools for accuracy and cover a wider surface area. Our expert penetration testers then validate and verify the results before providing a clear and actionable report to our customers. From here, customers can download a management report or a developer report."
These reports classify the vulnerabilities in terms of type and severity to help customers understand their IT environment before moving on to patching and vulnerability mitigation.
"Blacklock is the first PTaaS solution in the APAC region that automates the phases in traditional penetration testing, including scoping, customer onboarding and invoicing, collecting target details, digital SoW signoff and report generation. The back-end testing processes are automated with a scan engine and use custom scripts that integrate with multiple tools for accuracy and covering a wider surface area."
- Reduced cost – a unique process automation and tool integration saves 30% on every pentest.
- Continuous testing – feature-specific scans and retests support security testing needs for agile development environments.
- Faster turnarounds – automation of pentest processes, reporting and scan engine helps deliver faster than traditional penetration test approaches.
- Greater control over customers' penetration tests – Blacklock transfers control to the customer with an on-demand capability.
- Single platform delivery – Clients can view or download all previous test reports from one place to gauge the overall security posture of each information asset.
It's an offering that will support and protect New Zealand's growing digital sector - the fintech sector alone has grown 33.2%. He adds that the COVID-19 pandemic has pushed companies over the tipping point, and that at the very least every business can now spin up a temporary solution to meet customer demands.
Kapoor says several key threats are affecting the New Zealand landscape. He cites CERT NZ, which names phishing, malware and unauthorised access as the biggest threats. He explains that unauthorised access has increased 18% from the previous quarter, resulting in a direct financial loss of close to $1 million.
"We are in an era where every business with an online presence needs security testing, whether it’s due to regulatory requirements, compliance checks, due diligence or evaluating their security posture."
"Most businesses have adopted agile software development approaches, indicating the shift in security testing requirements and the need for digitalisation in penetration testing. We have already seen the development and adaptation of other SaaS security solutions in SOC2 & ISO 27001 compliance, breach and attack simulation (BAS), offensive services such as Red Team and cloud security."
These concerns, along with rapid growth within the cybersecurity sector, are what spurred Kapoor to take action and explore the PTaaS space.
"With more businesses moving towards digitalisation, we are speeding with a 7.2% growth rate per year in the global cybersecurity industry. Consequently, traditional penetration tests aren’t scalable to meet these demands. The main reasons are skill shortages, cross-border data restrictions, large volumes of repetitive work and high management overheads."
On top of that, traditional penetration tests can take up to two weeks to complete, while Blacklock aims to complete tests within 24 hours to 5 days, depending on the complexity of the application.
The company has already added phenomenal achievements to its belt in just four weeks from its launch. Kapoor says the achievements are more than the company expected.
In that time, Blacklock has:
- Successfully listed its PTaaS service on the AWS marketplace;
- Secured an additional US$4,000 through the AWS start-up founders program;
- Established an advisory board with industry security leaders;
- Conducted 10+ demos across various industries, including software development businesses, startups and NZ government agencies.
But that's not all - the company continuously develops and enhances its product to make sure it meets clients' demands and offers both offensive and defensive security services.
The company's roadmap includes the development of additional features such as:
- Scan engine extension — Expanding scan engine capabilities to perform manual application-layer attacks, i.e. unauthenticated and authenticated test cases for web applications.
- Scan engine integration with reporting — Accelerates report automation directly from scan results.
- Basic shielding services — Integrate with existing platforms to offer vulnerability remediation or shielding services.
There's no doubt that the company has made a strong start in cybersecurity, so we asked what the future holds for Blacklock.
"Blacklock’s vision is to bridge the gap between automated and manual penetration testing – with automation. This involves optimising our scan engine to automate manual security testing cases and integrate existing products to provide defensive services.
"In parallel, we are working with investors for seed funding and aim to grow our presence in the APAC, US and UK regions," says Kapoor.
Customers can find Blacklock on the web at www.blacklock.io, on the AWS marketplace and on social platforms including LinkedIn, Twitter, and YouTube. The company also offers free trials and demos through its website.