AttackIQ is by no means alone in its business model. Reston, Virginia-based Verodin has attracted Series A funding from Blackstone, Rally Ventures, Crosslink Capital, and Cisco Investments for its platform designed to test, evaluate, and monitor a networks entire security infrastructure.

In a statement announcing a new round of funding, Blackstone Chief Information Security Officer (CISO) Jay Leek said, “CISOs shouldn't have to assume. They need to know how their people, processes and technology will perform when attacked, and Verodin’s platform makes that possible.”

SafeBreach, based in Sunnyvale, California and Tel Aviv, calls its approach “offensive security,” and it claims to simulate breaches across the entire cyber kill chain—from malicious entry to data exfiltration. Boston-based Cybric, meanwhile, claims that its “patent-pending technology platform rapidly orchestrates exact replicas of an application environment and aggressively scans for security vulnerabilities by containerizing and automating security solutions.” And vThreat, based in Austin, Texas and Northern Virginia, offers many of these same features and functionalities.

The idea of attack simulation is not new. I referenced white hat hackers and bounties before, and pen tests are common practice. And Microsoft and many others have used red teams for years to pick apart vulnerabilities. A quick search turned up a white paper on the topic from 2003.

The New Class

So what’s different about this new breed of start-ups?

Automated:
Find a skilled hacker who can pick apart your network looking for flaws. Now find several. Now find an army of hackers. You still probably don’t have enough eyeballs to comb through a complex network with layered security tools. A heavily-automated solution doesn’t run into problems on the manpower front, allowing for greater scope at a lower cost.

Continuous:
Pen tests and red teaming are spot checks. They may locate systemic issues, but there’s no guarantee a new vulnerability won’t show up immediately after the exercise wraps, free to linger unnoticed for months or years. The simulated attacks need to be as relentless as attackers are.

Lightweight:
The majority of these solutions are cloud-based, with on-premise deployments available only in special cases. They are generally compatible with any OS and don’t require hardware deployments or complicated software integration.

Easy to understand:
And pretty much every tool I’ve come across in this arena has robust visualization designed to convey information about vulnerabilities in a useful way to audiences from engineering to the C-suite.

These attributes all jibe with wider software trends, but there seems to be real momentum right this second for these solutions and the possibilities they represent. By vetting your own network rigorously and constantly, you can patch the holes before the vandals get through.

And between ransomware, malware, DDOS attacks, and data exfiltration, that’s an edge we could all use.