Content

Penetration testing: Core Security


If we had a model for an innovator, it probably would be Core Security. It is not so much what they do. It's how they do it. There are several penetration testers on the market and lots more available as open source. So what do you do if you want to sell a product into this space and do it for $30,000/ year a pop? You reinvent creativity and innovation or you go down in flames. Well, there have been no flames here, unless you want to include their perennially hot Core Impact Pro.

There is one thing that, in our view, characterizes Core's approach to the market and the technology: utility. The company has looked very closely at what professional penetration testers want beyond the ability to penetrate a network. In fact, today's pen testing professional has far more requirements than just penetrating the target.

Today's pen tester needs the ability to plan, execute and report on the vulnerabilities in a target network. The big challenge is that these tests must be repeatable, thorough and reliable. Core also recognizes that penetration testing is a profession and needs to be supported that way. That means integration with other tools and Core has an impressive ecosystem of partners. It also means developing test routines, penetration scripts and addressing individual vulnerabilities with custom scripts or modifications to existing ones.

Core Security goes to market by getting and staying close to the penetration testing community. Their innovation does not stop anywhere near existing products. I have watched Core Impact evolve through nine major releases, and while the desktop has not changed materially, the capabilities have grown by light years. That means that users have a familiar venue on which to work without sacrificing the growth in capability that comes with each new release.

Along the way, over the past four years that we have been following Core, we've seen an evolution from an automated script tool to today's mature, enterprise-centric test and analysis suite. The tool addresses both the enterprise directly and the clients of the enterprise with client-side web attacks. What is next? A major goal of Core Security is advancing the profession of professional penetration testing, becoming more scalable for use on huge enterprises while providing more ways for testers to automate. If they do all of that, we'll probably see them again next year.

AT A GLANCE

Flagship product: Core Impact Pro

Vendor: Core Security Technologies

Cost: $30,000/year/seat

Innovation: Professionalizing penetration testing and then providing an appropriate tool

Greatest strength: Unquestionably vision is key in this very hard market that could well be dominated by free open source tools and relative amateurs


Product title
Penetration testing: Core Security
Product info
Name: Core Impact Pro Description: Price: $30,000/year/seat

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.