VulnCheck, a vulnerability intelligence startup powered by former lead researchers at Tenable, Rapid7, Dragos, and Veracode, has raised a $3.2 million seed funding round led by In-Q-Tel, a non-profit venture capital firm funded by the Central Intelligence Agency to develop cutting-edge national security technologies for the intelligence and national security space, as well as Sorenson Ventures.
Founded in 2021 by Anthony Bettini, former head of Tenable research and former founder of FlawCheck and Appthority, VulnCheck aims to reshape how enterprises, government agencies, and cybersecurity vendors respond to and prioritize vulnerabilities.
The goal of offering newer methods for the vulnerability management process grew out of Bettini's time running the Tenable research team, where he led developers writing detection code for all Tenable products but faced prioritization challenges.
"There are almost 200,000 vulnerabilities, yet there is only so much time in a day. Which ones should we spend the time on, and which ones are we going to ask our customers to spend time remediating? None of the organizations I've worked for have a great handle on this problem," Bettini told SC Media in an interview.
While the National Vulnerability Database (NVD) and MITRE use CVSS scores to guide security teams on vulnerability management, these methods can only measure the severity of a bug, not risk. Critics frequently note that scoring systems like CVSS don't always capture essential elements of a vulnerability, in ways that can both overinflate and underestimate the dangers and exploitability of certain bugs.
"When we look at these databases, a majority are labeled with a 'high' or 'critical' score, yet only about 2.25% of vulnerabilities end up being associated with active attacks in the wild or having weaponized exploits," he said.
To address those gaps, VulnCheck researchers developed their own vulnerability intelligence platform that supports more modern ways to prioritize vulnerabilities based on exploit intelligence, CVSS temporal scores, FIRST EPSS scores, and CISA’s Known Exploited Vulnerabilities catalog. Additionally, the team monitors open-source git repositories for exploit code and associates them with known CVEs, while also correlating exploitation of CVEs to specific threat actors, botnets, and ransomware families. They also develop custom exploits and detection artifacts in-house for critical CVEs to help organizations get coverage out the door faster.
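The prioritization approach described above combines several signals (exploit availability, CVSS temporal scores, EPSS probabilities and CISA KEV membership) rather than sorting by CVSS alone. The following is an added example of that idea, not VulnCheck's product or scoring method: the tier rules, the EPSS threshold, the field names and the CVE identifiers are all constructed for illustration, and in practice the values would be pulled from the NVD, the FIRST EPSS feed and the KEV catalog.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VulnRecord:
    """One vulnerability with the signals a risk-based triage would consult."""
    cve_id: str
    cvss_base: float              # CVSS v3.x base score, 0.0 to 10.0
    cvss_temporal: Optional[float]  # temporal score if one was published, else None
    epss: float                   # FIRST EPSS probability (0.0 to 1.0)
    in_kev: bool                  # listed in CISA's Known Exploited Vulnerabilities catalog
    public_exploit: bool          # exploit code observed in a public repository


def effective_cvss(v: VulnRecord) -> float:
    """Prefer the temporal score (it reflects exploit maturity) when available."""
    return v.cvss_temporal if v.cvss_temporal is not None else v.cvss_base


def triage_tier(v: VulnRecord, epss_threshold: float = 0.10) -> str:
    """Assign a remediation tier from exploitation evidence first, severity second.

    Tier rules (constructed for this example, not an industry standard):
      immediate - confirmed exploitation (KEV) or public exploit plus elevated EPSS
      soon      - public exploit, elevated EPSS, or critical effective CVSS
      backlog   - everything else, regardless of how 'critical' the CVSS label is
    """
    if v.in_kev or (v.public_exploit and v.epss >= epss_threshold):
        return "immediate"
    if v.public_exploit or v.epss >= epss_threshold or effective_cvss(v) >= 9.0:
        return "soon"
    return "backlog"


TIER_RANK = {"immediate": 0, "soon": 1, "backlog": 2}


def prioritize(records: List[VulnRecord]) -> List[VulnRecord]:
    """Order records by tier, then by EPSS, then by effective CVSS (all descending risk)."""
    return sorted(
        records,
        key=lambda v: (TIER_RANK[triage_tier(v)], -v.epss, -effective_cvss(v)),
    )


def summarize(records: List[VulnRecord]) -> Dict[str, int]:
    """Count how many records a CVSS-only view calls high/critical versus how many
    actually need immediate attention under the evidence-based tiers."""
    counts = {"cvss_high_or_critical": 0, "immediate": 0, "soon": 0, "backlog": 0}
    for v in records:
        if v.cvss_base >= 7.0:
            counts["cvss_high_or_critical"] += 1
        counts[triage_tier(v)] += 1
    return counts


# Constructed sample records; the CVE identifiers are placeholders, not real entries.
SAMPLE: List[VulnRecord] = [
    VulnRecord("CVE-2099-0001", 9.8, 9.1, 0.020, in_kev=False, public_exploit=False),
    VulnRecord("CVE-2099-0002", 7.5, None, 0.930, in_kev=True, public_exploit=True),
    VulnRecord("CVE-2099-0003", 5.3, None, 0.001, in_kev=False, public_exploit=False),
    VulnRecord("CVE-2099-0004", 8.8, 8.2, 0.450, in_kev=False, public_exploit=True),
    VulnRecord("CVE-2099-0005", 9.8, None, 0.004, in_kev=False, public_exploit=False),
]


if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.cve_id}  tier={triage_tier(v):9s}  epss={v.epss:.3f}  cvss={effective_cvss(v):.1f}")
    print(summarize(SAMPLE))
```

Note how the CVSS 7.5 record with confirmed exploitation lands ahead of two 9.8 records that have no exploit evidence; that inversion is the practical point of adding EPSS and KEV to the ranking. The tier thresholds are deliberately simple so that an analyst can explain any given ordering back to the signals that produced it.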
Tony Spinelli, venture partner at Sorenson Ventures, told SC Media that their investment represents a belief that the startup is providing a truly unique synthesis of sources that can better guide organizations when prioritizing their patching needs or responding to particularly dangerous threats.
"VulnCheck is filling a massive gap in the threat intelligence market, enabling organizations to prioritize and patch the vulnerabilities that matter the most. When it comes to vulnerability and exploit intelligence, they have more intel and depth of data and publish faster than anyone else we've seen in the space," said Spinelli.
Katie Gray, senior partner at In-Q-Tel, echoed that belief, saying that compared to traditional solutions such as the NVD, VulnCheck's products provide more context to help organizations prioritize remediation efforts.
With the $3.2 million funding, the company plans to double its headcount in 2023 to enhance its capabilities in the field of vulnerability and exploit intelligence, Bettini said.
While Bettini acknowledged that the cybersecurity industry at large faces challenges amid the economic downturn when businesses are more careful with their security spending, he said VulnCheck is well-positioned to continue growing its customer base this year if it helps solve some of the fundamental problems that organizations have.
The company also secured funding from angel investors, including Dave Cole, co-founder of Open Raven and former CPO at CrowdStrike and Tenable, and Oliver Friedrichs, founder of Pangea and former chief executive at Phantom and Immunet.