Latest news with #penetrationtesting


TechCrunch
6 days ago
Security startup Horizon3.ai is raising $100M in new round
Horizon3.ai, a cybersecurity startup that provides tools like autonomous penetration testing, is seeking to raise $100 million in a new funding round and has locked down at least $73 million, the company revealed in an SEC filing this week.

NEA led the round, according to two people familiar with the deal. One person said that the startup is believed to be valued upward of $750 million, although TechCrunch couldn't verify whether that valuation is pre- or post-money. Another person believes the company did (or will) sell the whole $100 million, and added that the company is generating about $30 million in annual recurring revenue. Neither Horizon nor NEA responded to TechCrunch's requests for comment.

With this deal, Horizon3.ai becomes NEA's second major cybersecurity startup investment in less than a month, following Veza's $108 million funding round at an $800 million valuation announced in April.

In August 2023, Horizon3.ai raised $40 million in a Series C round led by Craft Ventures with participation from SignalFire. That round brought the startup's total fundraising to $78.5 million and was aimed at expanding its R&D, channel presence, and team of engineers, co-founder and CEO Snehal Antani told TechCrunch at the time.

Founded in 2019, Horizon3.ai comprises a team of former U.S. Special Operations cyber operators, entrepreneurs, and cybersecurity experts. Before launching the startup, Antani served as CTO at Splunk and led teams within the U.S. Military's Joint Special Operations Command.

With all things AI being deployed across the tech world, AI-powered automated attacks are also on the rise. The San Francisco-based startup helps protect against such attacks with its autonomous threat detection tools.

Earlier this month, Horizon3.ai received FedRAMP authorization, enabling it to sell its wares to federal agencies. It also announced in February that it saw 101% year-on-year revenue growth and exceeded 150% of its Q4 pipeline targets, without sharing specific numbers.


Forbes
23-05-2025
Having Clarity On Cyber Risk Is Power
Zach Fuller - Founding Partner of Silent Sector - an Expertise-Driven Cybersecurity services firm protecting companies across the U.S.

"We don't know what we don't know."

If you've ever said this when it comes to cybersecurity, you're not alone. That uncertainty is one of the biggest threats mid-market and smaller companies face today.

Too many organizations operate without a clear cyber risk management strategy. It's not because they don't care but because they're unsure where to begin.

Fortunately, organizations can discover and address most cyber risks with two complementary activities:

• Cyber Risk Assessment: A structured, organization-wide review of the company's policies, procedures and technical controls.
• Penetration Testing: A real-world exercise where ethical hackers simulate attacks to uncover technical vulnerabilities.

The Blind Spot Crisis: The Greatest Security Threat

The vast majority of breaches stem from vulnerabilities companies didn't know existed. Risk assessments provide a holistic overview of cyber risk across the organization. Penetration testing identifies technical gaps a cybercriminal can use while conducting an attack. Together, they provide unmatched clarity and a direct path to fortify defenses.

However, many companies focus on shiny tools while overlooking the fundamentals like incident response planning or operational continuity after a breach. That's like buying a high-end alarm system while leaving the front door wide open. Organizations serious about resilience need a proactive, comprehensive strategy that protects not just their data but their ability to operate.

Conducting Cyber Risk Assessments: The Proactive Method

A well-run cyber risk assessment sets the stage for everything else.

Measuring Against A Cybersecurity Framework

Cybersecurity isn't a "make it up as you go" type of matter. Organizations can't just throw tools at the problem and hope it works out.

It's critical to follow an industry-recognized cybersecurity framework. This is a structured set of controls that guides security posture in alignment with proven best practices. Industry-backed frameworks provide a reliable benchmark. A few of the most respected options include:

• NIST CSF 2.0: Widely adopted across industries, especially in the U.S.
• CIS Controls: Prioritized into "implementation groups" for different organizational sizes.
• ISO 27001: A global standard, particularly for international or compliance-heavy businesses.

These frameworks are starting points rather than rigid rules. Every company is different, and each must tailor its assessment to its business, industry and risk tolerance. A good cybersecurity partner can help prioritize the controls that matter most and cut through the noise.

The Three Pillars Of Security

Strong security isn't just about tech. It's about building strength across three areas that cybersecurity frameworks cover:

• People: The first line of defense—and often the weakest link.
• Processes: Defined, repeatable methods for doing things securely.
• Technologies: Important, but only as good as the strategy and configurations.

Companies love buying new security tools, but I find that most don't need more tech to strengthen security. They need better implementation of what they already own. They don't solve complexity by adding more complexity. They solve it with clarity, discipline and alignment across their people, processes and technologies.

Security Road Map: Getting Everyone On The Same Page

Once organizations have completed a cyber risk assessment, they'll see where the gaps are and what needs to happen next. That's the road map. This isn't about pie-in-the-sky "initiatives." It's about practical, prioritized actions:

• What reduces the most risk the fastest?
• What aligns with business priorities?
• What can be done within the team's capacity and budget?

Balance quick wins with longer-term projects. Show progress, build momentum and always tie every security initiative back to business goals. Security for the sake of security doesn't resonate. Security that supports growth, continuity and reputation does.

Penetration Testing: See What The Enemy Sees

Risk assessments show where security controls fall short across the organization. Penetration tests provide a technical vantage point, showing organizations where an attacker could get through.

Ethical hackers use the same tools and tactics as malicious actors to uncover weaknesses that organizations might not even know exist. A pen test isn't just a scan—it's a hands-on simulation of a breach attempt. A comprehensive test includes real cybersecurity experts (humans, not just automation) using the latest tools, technologies and methodologies to identify exploitable attack surfaces.

Pen Test Scope

Pen tests should focus on what matters most to the business. Depending on the environment, that could include the external network, internal network, cloud platforms, web applications, wireless networks, operational technology (OT) and even the people inside the organization through social engineering.

The Three "Boxes" Of Pen Testing

Pen tests come in a few flavors, each with a different perspective:

• White-Box: Full access and information. Thorough, but not as realistic.
• Black-Box: Simulates an outsider's view. Realistic but limited.
• Gray-Box: The sweet spot. Enough access to be efficient, enough realism to simulate an attacker's perspective.

Think of pen testing as an organization's chance to "fight the enemy before the enemy fights them." Just like risk assessments, it's not one-and-done. It should be a regular part of the cybersecurity strategy.

Gaining Clarity: Knowing And Understanding Risks

This is the goal. A proper cyber risk assessment, guided by an industry framework, tells organizations where their defenses are strong and where they're lacking. A penetration test shows how an attacker would exploit those weaknesses. Together, they provide full-spectrum clarity—technical and strategic.

That clarity is power. It allows companies to direct resources where they're needed most. It gives leadership teams real answers, not guesswork. It transforms cybersecurity from a cost center into a strategic enabler.

The Bottom Line

Organizational leaders don't need to be cybersecurity experts, but they do need to know where their risks are and what to do about them. Companies that thrive in this new threat landscape aren't the ones that buy the most tools or shout the loudest about compliance. They're the ones who understand their vulnerabilities, prioritize wisely and take consistent, confident action.

Start with visibility, build the road map, test defenses and move forward with clarity. "We don't know what we don't know" cannot be left unsolved in today's environment.