Detectify, a security platform that employs ethical hackers to conduct attacks designed to highlight vulnerabilities in corporate systems, today announced that it raised $10 million in follow-on funding led by Insight Partners. CEO Richard Carlsson says that the new cash, which brings Detectify’s total raised to $42 million, will be put toward product development and improving the overall user experience.
Detectify was founded by four ethical hackers from Stockholm, including Carlsson, who realized the business potential in combining security research with automation. In an interview with TechCrunch, Carlsson pointed out that product development workflows have changed dramatically over the past few years, with new teams within organizations spinning up internet-facing apps and adding potentially vulnerable assets to their employer’s environment. The trend toward low- and no-code tools has lowered the app development barrier to entry, but it’s also made the jobs of security specialists that much harder.
Illustrating the challenges, a recent Dark Reading survey found that 26% of IT and security experts don’t trust the platforms used to create low- and no-code apps. Roughly as many — 25% — said that they don’t even know which apps within their companies are being created by these tools.
“While companies should integrate security best practices earlier in their development cycle and try to catch vulnerabilities in development, production is what truly matters,” Carlsson added via email. “Unless you have a completely linear development process, which no company actually has, you will never catch everything. And this legacy mindset and over-reliance on ‘shifting left’ instills a sense of false confidence in organizations that actually increases their risk level.”
Detectify’s approach crowdsources real payloads — pieces of code that execute when a hacker exploits a vulnerability — from a private community of ethical hackers and uses these contributions for payload-based tests. Carlsson claims that Detectify tests customers’ entire attack surfaces, exposing how malicious attackers might exploit internet-facing apps in production.
In the near future, Detectify plans to roll out new functionality that’ll give security teams the ability to create custom alert policies. Teams will be notified if attacks on vectors like hosts, domains or DNS records are detected, Carlsson says.
“With Detectify, organizations can maintain an external point-of-view of exactly how attackers would exploit their attack surface, manage exposure and prioritize their remediation efforts,” Carlsson said.
Detectify currently has 2,000 customers, including “large government digital services” in Europe, and a user base exceeding 10,000. Carlsson asserts that demand remains robust in the face of competition like Cycognito, Crowdstrike’s Reposify, IBM’s Randori, Google’s Mandiant and Microsoft’s RiskIQ, driven by digital transformation efforts around the pandemic.
“To put it simply, the external attack surface has never been more complicated and harder to defend. This insulates Detectify against market headwinds,” he added. “While no company is immune to market trends, in cybersecurity, the pressure to reduce spend is pitted against cybersecurity teams’ need for best-of-breed solutions to protect the business against nation-state-level attacks.”