Company:Pentest-Tools

From HandWiki
Revision as of 17:46, 26 October 2024 by Importwiki (talk | contribs) (import)
Pentest-Tools
Type: Privately held company
Industry: Cybersecurity
Founded: May 23, 2017
Founder: Adrian Furtună
Headquarters: Bucharest, Romania
Area served: Worldwide
Key people: Adrian Furtună (CEO), Andrei Pitiș (chairman)
Products: Cybersecurity software
Services: Computer security, penetration testing
Owner: Adrian Furtună
Number of employees: 61 (2024)
Website: https://pentest-tools.com/

Pentest-Tools is a technology company based in Bucharest, Romania, that specializes in cybersecurity products and services, including software tools for penetration testing, vulnerability assessment, attack surface mapping and monitoring, vulnerability management, and other white hat hacking activities.

Its main product is Pentest-Tools.com, a security testing toolkit that incorporates over 20 penetration testing tools, including a port scanner, a subdomain finder, a network vulnerability scanner, a web application scanner for dynamic application security testing, a URL fuzzing tool, a web application firewall detector, vulnerability scanners for content management systems such as WordPress, Drupal, SharePoint and Joomla, and many more.

The product also has features aimed at scaling offensive security workflows, including automation options for multiple stages of an information technology security assessment such as vulnerability scanning, vulnerability management, and reporting.

The company, founded and led by Adrian Furtună,[1][2] serves over 2000 B2B customers in more than 119 countries.[3] As of 2024, the company employs more than 60 people.[4]

History

PentestTools SA was established in May 2017 by Adrian Furtună.

In April 2016, Furtună, who had worked as an IT security engineer since 2007 and as a security consultant and technical manager for security services at KPMG Romania,[5] started his first company, VirtualStorm. Later that year, at DevTalks Bucharest 2016, Furtună gave the first live demo of what would later become Pentest-Tools.[6]

In February 2017, the first two employees joined the company and the initial team was accepted into the mentorship program Innovation Labs,[7] where they won the Grand Prize.[8]

In the same year, at the cybersecurity conference DefCamp, Adrian Furtună gave a presentation titled “Pentest-Tools: The first online penetration testing framework”,[9][10] officially launching the product.

In May 2018, Andrei Pitiș, co-founder of Innovation Labs,[11] founder of VectorWatch (acquired by Fitbit),[12] former VP Product at Fitbit, and founder and CEO of Simple Capital, joined Pentest-Tools; in April 2022 he became chairman of the board.[13]

From 2017 to 2024, PentestTools SA expanded from 3 to 61 employees. It now serves customers in the small and medium business and enterprise segments, including Orange S.A., Assicurazioni Generali, Thales Group, the SETI Institute, the University of Southern California, and dozens more.[14]

Products

Pentest-Tools was the first product that made it possible for security practitioners to use previously disconnected penetration testing tools as a single, cloud-based solution delivered as software-as-a-service. This allowed security and IT specialists to carry out their security testing activities in the browser instead of installing tools locally on their own devices, a manual, time-consuming, and resource-intensive process that also involved updating and maintaining them.

Additionally, Pentest-Tools provided the ability to see the tools' unified output in the browser and generate a report that included findings from multiple tools, along with IT risk descriptions and remediation recommendations. This enabled the penetration test report to present the reader with a comprehensive overview of the tested target (network asset or web application).

Initially, the team used specific open-source technology, such as Nmap, OpenVAS, and WPScan, as the foundation of their tools, but soon switched to creating proprietary software as their main product.

For instance, on December 10, 2020, at the height of the Covid-19 pandemic, Pentest-Tools launched pentest robots at BlackHat Europe 2020.[15] This proprietary robotic process automation (RPA) solution helps penetration testers and other security specialists automate time-consuming work by providing a visual studio where they can build custom testing flows for specific stages of a penetration test, such as reconnaissance or exploitation.

The company also replaced its Website Vulnerability Scanner on April 5, 2021, with a new one built from scratch. A public benchmark[16] puts its performance almost on par with top industry competitors such as Acunetix and Burp Scanner, part of Burp Suite. The scanner can identify and automatically validate cross-site scripting, SQL injection, command injection, XML external entity attacks, and other critical security issues specific to web applications.

On September 9, 2021, Pentest-Tools launched a new ethical exploitation tool, Sniper: Auto-Exploiter, which automatically detects and exploits critical vulnerabilities using real attack methods to extract proof, without disrupting the target.[17] The company also creates custom exploits for high-risk vulnerabilities in widely used software such as Cisco, Apache, Magento, SolarWinds, PHP, Ivanti, and many more. Sniper: Auto-Exploiter uses these manually crafted exploits to simulate a cyberattack and validate that the technology is vulnerable to that particular security issue.

In December 2021, Pentest-Tools was one of the first companies to develop detection for Log4Shell, the zero-day vulnerability in Log4j that allowed arbitrary code execution and had a wide-ranging impact on technology used across the world. Detection was possible with two of the product's main tools, the Website Vulnerability Scanner and the Network Vulnerability Scanner. Log4Shell continued to be one of the most exploited vulnerabilities of 2022 and a persisting problem for the IT industry.

On October 24, 2022, the company published a Vulnerability & Exploit Database that provides public access to the security vulnerabilities and exploits customers can detect with the tools on Pentest-Tools and confirm as a realistic risk to their organizations. The database includes vulnerabilities well known in the cybersecurity community, such as MOVEit, Spring4Shell, Shellshock, Heartbleed, POODLE, Dirty COW, EternalBlue, Zerologon, SIGRed, Logjam, and more. Many of these vulnerabilities are also part of the catalog maintained by the Cybersecurity and Infrastructure Security Agency, which many organizations and specialists use as a key reference for their information security risk assessment activities.

A new API Vulnerability Scanner was added to the toolkit on Pentest-Tools in April 2023. The tool is designed to identify API-specific vulnerabilities, including SQL injection, server-side request forgery, local file inclusion, code injection, request URL override, and others, using custom detectors. To execute tests that match the evaluated API's behavior, this vulnerability scanning tool parses the API specification file before checking for security issues.[18]

A Cloud Vulnerability Scanner became part of the company's product in June 2023, further expanding Pentest-Tools' vulnerability assessment capabilities. The technology behind this tool was showcased in a presentation at the cybersecurity conference DefCamp 2023.[19]

The organization continued to expand its range of tools by launching a Kubernetes Vulnerability Scanner in July 2024, matching the increased use of this open-source container orchestration system by IT infrastructure specialists. Designed to find security vulnerabilities in Kubelet API endpoints, cluster components, pods, logs, etcd instances, and other critical components, this vulnerability scanner also enables security practitioners to simulate an authenticated attack, provided they have a service account token.[20]

Awards and accolades

Pentest-Tools won the Grand Prize at Innovation Labs 2017 and the "Best Innovation" prize at the Startup Spotlight Awards 2018.[21] In 2021, Pentest-Tools was the only company representing Romania at the Black Hat Europe 2021 event.[22]

It was also awarded Best Vulnerability Management Solution (highly commended) at the SC Awards 2022.[23] In the same year, it was selected in Companies to Watch in the Deloitte Technology Fast 50 CE 2022.[24] The Employers' Association of the Software and Services Industry of Romania (ANIS) awarded Pentest-Tools the Software of the Year Award in 2021.[25]

In July 2024, Deloitte selected Pentest-Tools as one of the 500 fastest growing tech companies in EMEA, placing it at number 309.[26] The selection process was based on an analysis of the financial performance of the companies included in this report.

Professional certifications

Members of the Pentest-Tools team hold cybersecurity certifications such as:

  • GSE - GIAC Security Expert
  • CISSP - Certified Information Systems Security Professional
  • OSCP - Offensive Security Certified Professional
  • GCIH - GIAC Certified Incident Handler
  • GCIA - GIAC Certified Intrusion Analyst
  • GPEN - GIAC Penetration Tester
  • CRTP - Certified Red Team Professional
  • OSWP - OffSec Wireless Professional by Offensive Security
  • OSWE - Advanced Web Attacks and Exploitation by Offensive Security
  • OSEP - Advanced Evasion Techniques and Breaching Defenses by Offensive Security
  • CEH - Certified Ethical Hacker
  • eJPT - Junior Penetration Tester by INE Security

Based on this particular focus, the company's engagements include manual breach and attack simulations, in-depth network security evaluations that uncover vulnerabilities which can lead to a supply chain attack, identification of business logic vulnerabilities that attackers can manipulate for financial gain and cyber extortion, and the discovery and ranking of application security issues based on their real business impact. These professional offensive security services rely on manual testing and exploitation and a deep knowledge of the client environment.

Community contribution

Pentest-Tools offers free versions of most of its tools, which anyone can use provided they have the legal right to scan a particular target (web application or network host). These free penetration testing tools run passive tests that do not endanger the confidentiality, integrity, and availability (the CIA triad) of the tested system.[27]

The company also provides a target that exposes deliberately vulnerable services[28] related to both web applications and network hosts, which cybersecurity students and beginners can use to develop their skills and knowledge.

Pentest-Tools sponsors community events such as BlackHat Europe, OffensiveCon,[29] NahamCon,[30] Hexacon,[31] and DefCamp, which provide access to specialized knowledge and research through presentations, training, and live hacking activities.

The organization also contributes educational resources such as vulnerability research articles on issues including the XZ Utils backdoor,[32] RegreSSHion,[33] SMBGhost,[34] security problems in Roundcube (which was used in cyberwarfare), Magento, and other widely used technologies.

References

  1. Zacks, Aviva (27 May 2021). "Interview With Adrian Furtuna – Pentest-Tools". https://www.safetydetectives.com/blog/interview-adrian-furtuna-pentest-tools/. 
  2. Zacks, Aviva (29 December 2021). "Interview With Adrian Furtuna – Pentest-Tools.com". https://www.privateinternetaccess.com/blog/interview-with-adrian-furtuna-pentest-tools-com/. 
  3. "About Pentest-Tools.com". https://pentest-tools.com/about. 
  4. "The People Behind the Tools - The Pentest-Tools.com team". https://pentest-tools.com/team. 
  5. Kovacs, Eduard (1 December 2022). "DefCamp 2012: Bypassing Security Tokens for Exploitation of Rounding Vulnerabilities". https://news.softpedia.com/news/DefCamp-2012-Bypassing-Security-Tokens-for-Exploitation-of-Rounding-Vulnerabilities-311258.shtml. 
  6. "Adrian Furtuna - Founder and Ethical Hacker at VirtualStorm Security, live at DevTalks Bucharest 2016". 4 August 2016. https://www.youtube.com/watch?v=8CpL4xOTyEY. 
  7. "Innovation Labs 2017 - Pentest-Tools.com". 2017. https://innovationlabs.ro/teams/Pentest-Tools.com. 
  8. Voinea, Oana (23 May 2017). "Innovation Labs 2017 și-a desemnat câștigătorii" (in Romanian). Revista Biz. https://www.revistabiz.ro/innovation-labs-2017-si-desemnat-castigatorii/. 
  9. "Adrian Furtuna". https://def.camp/speaker/adrian-furtuna-4/. 
  10. DefCamp (4 January 2018). "DefCamp 2017 - Pentest-Tools: The first online penetration testing framework". https://www.youtube.com/watch?v=CTztRKLpkjM. 
  11. "Andrei Pitis". https://www.linkedin.com/in/andreipitis/. 
  12. Butcher, Mike (10 January 2017). "Fitbit acquires the Vector smartwatch startup, as the wearable giant continues its roll-up". https://techcrunch.com/2017/01/10/vector-smart-watch-startup-acquired-by-fitbit-as-wearable-giant-expands-its-team/. 
  13. "About Softbinator Technologies". https://m.bvb.ro/info/Raportari/CODE/CODE_20220414104205_EN-CODE-2021-Annual-Report.pdf. 
  14. "Who's using Pentest-Tools.com". https://pentest-tools.com/customers. 
  15. "Meet Pentest Robots - launched at Black Hat Europe 2020". 3 December 2020. https://www.youtube.com/watch?v=RomYecXDJ5M. 
  16. "Website vulnerability scanners benchmark 2024". https://pentest-tools.com/benchmarks/website-vulnerability-scanners. 
  17. "Sniper – Automatic Exploiter from Pentest-Tools.com ("Best Emerging Technology" finalist at SC Europe Awards 2022)". https://def.camp/sniper-automatic-exploiter-from-pentest-tools/. 
  18. "API Vulnerability Scanner". https://pentest-tools.com/website-vulnerability-scanning/api-scanner. 
  19. "From bits to breaches: vulnerability detection in multi-cloud environments @DefCamp 2023". 19 January 2024. https://www.youtube.com/watch?v=wPvfWgZIwXk. 
  20. Bors, David (3 December 2020). "Kubernetes security simplified: Scan for critical vulns in minutes! (40+ tests)". https://www.youtube.com/watch?v=de_Md09bWNM. 
  21. "Un buzoian, în singura firmă românească prezentă la Black Hat Europe, cel mai important eveniment mondial de cybersecurity" (in Romanian). 11 December 2019. https://opiniabuzau.ro/un-buzoian-in-singura-firma-romaneasca-prezenta-la-black-hat-europe-cel-mai-important-eveniment-mondial-de-cybersecurity/. 
  22. "Start-up-ul local Pentest-Tools a dezvoltat un instrument ce poate simula în doar câteva minute un atac împotriva vulnerabilităţilor critice în software folosit de milioane de utilizatori". https://www.zf.ro/business-hi-tech/start-up-ul-local-pentest-tools-a-dezvoltat-un-instrument-ce-poate-20350945. 
  23. "Winners 2022 - Best Vulnerability Management Solution". https://www.scawardseurope.com/winners-2022. 
  24. "Deloitte Technology Fast 50 Central Europe 2022 Powerful Connections". https://www.deloitte.com/content/dam/Deloitte/ce/Documents/ce-technology-fast-50-report-2022.pdf. 
  25. "Câştigătorii premiilor industriei IT sunt: FintechOS, Medicai, Bittnet Systems, Pentest-Tools.com, Softech, Qubiz, DB Global Technology şi Endava" (in Romanian). https://www.bursa.ro/gala-anis-2021-castigatorii-premiilor-industriei-it-sunt-fintechos-medicai-bittnet-systems-pentest-toolscom-softech-qubiz-db-global-technology-si-endava-81179244. 
  26. "2023 EMEA Fast 500 Recognising growth and innovation". https://www2.deloitte.com/content/dam/Deloitte/ro/Documents/EMEA%20Fast%20500%202023.pdf?nc=42. 
  27. "Free pentesting tools you can use right now". https://pentest-tools.com/for/free. 
  28. "Vulnerable apps to benchmark your scanners and your skills". https://pentest-ground.com/. 
  29. "Offensivecon - 2023 Sponsors". https://www.offensivecon.org/sponsors/2023.html. 
  30. "Nahamcom". https://www.nahamcon.com/. 
  31. "Sponsors of Hexacon". https://www.hexacon.fr/sponsors/. 
  32. Bors, David (2 July 2024). "CVE-2024-3094 - The XZ Utils Backdoor, a critical SSH vulnerability in Linux". https://pentest-tools.com/blog/xz-utils-backdoor-cve-2024-3094. 
  33. "What is CVE-2024-6387? Understand RegreSSHion, the OpenSSH vulnerability". 11 July 2024. https://pentest-tools.com/blog/regresshion-cve-2024-6387. 
  34. Cornea, Cristian (1 April 2024). "How to chain SMBleed and SMBGhost to get RCE in Windows 10". https://pentest-tools.com/blog/smbleedingghost-exploit. 
