April 14th, 2023

Horizon3.ai, a leading cybersecurity firm specialising in autonomous penetration testing, today launched a major product refresh, doubling down on its commitment to help organisations continuously verify their security posture.

“Our product investments focused on 3 key areas: first, to increase our attack surface coverage, which spans on-prem, multi-cloud, and perimeter, but now also includes advanced capabilities to ‘live off the land’ just as attackers do; second, to improve our AI explainability so that defenders (aka ‘Blue Teams’) can quickly understand how we successfully compromised their organisation and focus their remediation efforts on security weaknesses that are actually exploitable; and finally, an API interface that allows users to integrate pentest results into existing security processes and workflows, including integration with their defensive tools to quickly identify potential blind spots in their detection and response,” said Snehal Antani, CEO and co-founder of Horizon3.ai.

Foundational to Horizon3.ai’s philosophy is to use offense to inform defense, a derivative of the military principle to “train like you fight” in order to be prepared for a real cyber attack. NodeZero, Horizon3.ai’s continuous penetration testing platform, enables organizations to test their infrastructure at scale by chaining together harvested credentials, misconfigurations, dangerous product defaults, and exploitable vulnerabilities to achieve critical impacts like domain compromise and sensitive data exposure.

“NodeZero was able to compromise a financial services organization in 7 minutes and 19 seconds. This customer purchased best-in-class security tools, yet few alerts were triggered, and defenders were unable to react fast enough to stop the attack. Security effectiveness is the critical initiative every enterprise should undertake to ensure they are getting the most impact out of their security investments, and the best way to verify that effectiveness is through continuous penetration testing. The alternative is to wait for a real breach to find out that you forgot to enable OS Credential Dumping in your EDR,” said Antani.

The updated user experience puts powerful new insights into security teams’ hands to make autonomous pentesting a force multiplier. At the heart of the refresh are detailed attack paths with proof of exploitation, prioritized fix actions, and 1-click verification that the remediation was successful.

“There are fewer than 5,000 OSCP-certified ethical hackers in the United States, and it takes 10 years of hands-on experience to become a senior penetration tester. Meanwhile, demand for security testing has increased exponentially, so we have a fundamental supply versus demand problem – a spike in demand for security testing but an extreme shortage in the supply of experienced ethical hackers. This is where NodeZero fits in. Defenders have the power of self-service pentesting to harden their networks proactively, and red teams can use NodeZero to conduct reconnaissance and exploitation at scale so that they can focus on attack paths that humans are uniquely gifted to uncover,” said Tony Pillitiere, founding engineer at Horizon3.ai.

“NodeZero sets the conditions for a purple team culture,” said Monti Knode, VP of Customer Success at Horizon3.ai. “The new product refresh enables red and blue teams to quickly understand how an attacker could compromise the network while also showing where the defensive tools detected, logged, and stopped the attack. Or more likely, how the defensive tools failed to stifle the attack and what must be done to improve detection & response,” said Knode.

Leading by example: During a recent autonomous pentest of a large enterprise, NodeZero successfully elevated privileges to become a domain administrator while also compromising the organization’s business email system. The autonomous attack took 30 minutes to execute, with no humans involved, and chained together a variety of techniques including:

  1. User enumeration combined with password spraying to compromise a domain user
  2. Dumping the SAM database by exploiting local admin privileges assigned to the domain user
  3. Reusing local admin credentials across multiple machines
  4. Discovering a domain administrator credential by dumping credentials in LSA on a neighboring machine
  5. Pivoting from domain admin to the Microsoft Azure Active Directory infrastructure (AzureAD)
  6. Gaining access to the domain administrator’s email, which did not have multi-factor authentication (MFA) enabled
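The first step of the attack path above, user enumeration followed by password spraying, is also the step defenders have the best chance of catching before the chain reaches domain admin. The following is an added illustration, not NodeZero code and not part of the original announcement: a small detector that runs over a constructed sample of Windows Security logon events and flags a source that fails logons against many distinct accounts in a short window (the spraying signature), as opposed to many failures against one account (classic brute force). Event IDs 4625 (failed logon) and 4624 (successful logon) are real Windows identifiers; the timestamps, accounts, and IP addresses are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events: (timestamp, event_id, target account, source IP).
# 4625 = "An account failed to log on", 4624 = "An account was successfully logged on".
SAMPLE_EVENTS = [
    ("2023-04-14T09:00:01", 4625, "alice", "10.0.0.50"),
    ("2023-04-14T09:00:03", 4625, "bob",   "10.0.0.50"),
    ("2023-04-14T09:00:05", 4625, "carol", "10.0.0.50"),
    ("2023-04-14T09:00:07", 4625, "dave",  "10.0.0.50"),
    ("2023-04-14T09:00:09", 4625, "erin",  "10.0.0.50"),
    ("2023-04-14T09:00:11", 4625, "frank", "10.0.0.50"),
    ("2023-04-14T09:00:13", 4624, "frank", "10.0.0.50"),   # one success after the spray: the compromised user
    ("2023-04-14T09:05:00", 4625, "alice", "10.0.0.77"),   # a user mistyping their own password twice
    ("2023-04-14T09:05:30", 4625, "alice", "10.0.0.77"),
    ("2023-04-14T09:06:00", 4624, "alice", "10.0.0.77"),
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: max distinct accounts with a failed logon inside any `window`},
    keeping only sources at or above `min_accounts`. A sliding window over each source's
    failures keeps a live count per account so the distinct-account total is exact."""
    failures = defaultdict(list)
    for ts, event_id, user, src in events:
        if event_id == 4625:
            failures[src].append((_parse(ts), user))

    flagged = {}
    for src, items in failures.items():
        items.sort()
        recent = deque()              # failures currently inside the window
        in_window = defaultdict(int)  # account -> number of its failures inside the window
        best = 0
        for t, user in items:
            recent.append((t, user))
            in_window[user] += 1
            while recent and t - recent[0][0] > window:
                old_t, old_user = recent.popleft()
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
            best = max(best, len(in_window))
        if best >= min_accounts:
            flagged[src] = best
    return flagged


def sprayed_accounts_that_then_succeeded(events, flagged):
    """Accounts that saw a failed logon from a flagged source and later a successful one from it.
    These are the credentials to reset first, since the spray evidently guessed them."""
    first_failure = {}
    hits = set()
    for ts, event_id, user, src in sorted(events, key=lambda e: e[0]):
        if src not in flagged:
            continue
        key = (src, user)
        if event_id == 4625:
            first_failure.setdefault(key, _parse(ts))
        elif event_id == 4624 and key in first_failure and _parse(ts) >= first_failure[key]:
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    sprayers = detect_password_spray(SAMPLE_EVENTS)
    print("spraying sources:", sprayers)
    print("accounts to reset first:", sprayed_accounts_that_then_succeeded(SAMPLE_EVENTS, sprayers))
```

On the constructed sample, 10.0.0.50 is flagged with six distinct accounts inside the window while 10.0.0.77 (two failures against a single account) is not, and frank is reported as the account whose password the spray guessed. The same two functions work unchanged on a real export of 4625/4624 events once the four fields are extracted.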

“The sequence of events in this attack path is typical of APTs and ransomware organizations,” said Naveen Sunkavally, chief architect at Horizon3.ai. “What’s incredible is that this attack path isn’t hard-coded as a runbook or predefined scripts anywhere in the product. Our machine learning techniques were able to figure out how to combine these different steps into an exploitable attack sequence safely in a production environment,” said Sunkavally. “Honestly, the hardest part of this problem is conveying these complex attacks in a way that allows an overwhelmed IT admin with no ethical hacking experience to understand exactly what to fix, and that was our focus in this product refresh.”

KEY FEATURES OF NodeZero:

  1. Attack paths that clearly explain the exact sequence of events that lead to a critical impact, with proof of exploitation and detailed descriptions for exactly what to fix.
  2. Leverage scoring that helps organizations prioritize fix actions based on risk to the organization as well as return on effort. For example, leverage scoring can help an IT admin determine that fixing a single issue will eliminate 70% of all exploitable attack paths discovered in the pentest.
  3. Automatically generating compliance reports required for SOC2, HIPAA, GDPR, and other common compliance requirements.
  4. Surfacing systemic issues and policy recommendations to help organizations identify the true root cause for their exploitable attack surface. For example, poor credential policies can lead to systemically weak passwords that can be easily cracked by attackers. Compare Pentest Feature helps teams easily complete the Find-Fix-Verify Cycle by confirming that weaknesses and vulnerabilities identified in previous tests have been fixed.
  5. Self-service user experience that makes pentesting conveniently accessible to all types of users, from early career IT professionals to 20-year pentesting experts.
  6. Features specifically valuable for MSSPs and MSPs, including white-labeled reporting, multi-client management, and auto-generating statements of work for remediation services.
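To make the "leverage scoring" idea in feature 2 concrete, here is an added worked example that is not Horizon3.ai's code and does not claim to be the scoring NodeZero actually uses. It assumes the simplest useful model: each discovered attack path is the set of weaknesses an attacker had to chain to reach a critical impact, a weakness's leverage is the fraction of paths it appears in, and the fix plan is built greedily by repeatedly removing the weakness that breaks the most paths still standing. The attack paths and weakness names are constructed; they are arranged so that one systemic issue (a weak credential policy) sits on 7 of 10 paths, matching the 70% figure quoted above.

```python
from collections import Counter

# Constructed attack paths: path id -> the weaknesses that had to be chained to reach critical impact.
SAMPLE_PATHS = {
    "path-01": frozenset({"weak-password-policy", "local-admin-reuse", "lsa-creds-dumpable"}),
    "path-02": frozenset({"weak-password-policy", "local-admin-reuse"}),
    "path-03": frozenset({"weak-password-policy", "lsa-creds-dumpable"}),
    "path-04": frozenset({"weak-password-policy", "mailbox-without-mfa"}),
    "path-05": frozenset({"weak-password-policy", "mailbox-without-mfa", "local-admin-reuse"}),
    "path-06": frozenset({"weak-password-policy", "smb-signing-disabled"}),
    "path-07": frozenset({"weak-password-policy", "default-credentials"}),
    "path-08": frozenset({"default-credentials", "smb-signing-disabled"}),
    "path-09": frozenset({"smb-signing-disabled", "local-admin-reuse"}),
    "path-10": frozenset({"mailbox-without-mfa", "smb-signing-disabled"}),
}


def leverage_scores(paths):
    """Fraction of all attack paths each weakness participates in, highest first.
    Fixing a weakness breaks every path that depends on it, so this is the
    'return on effort' of a single fix taken in isolation."""
    counts = Counter(w for weaknesses in paths.values() for w in weaknesses)
    total = len(paths)
    return dict(sorted(((w, c / total) for w, c in counts.items()),
                       key=lambda item: (-item[1], item[0])))


def prioritized_fixes(paths):
    """Greedy fix plan: at each step pick the weakness that breaks the most paths that
    are still open, until no path remains. Returns [(weakness, fraction_of_all_paths_broken)].
    Ties are broken alphabetically so the plan is deterministic."""
    remaining = dict(paths)
    total = len(paths)
    plan = []
    while remaining:
        counts = Counter(w for weaknesses in remaining.values() for w in weaknesses)
        best = max(sorted(counts), key=counts.get)
        plan.append((best, counts[best] / total))
        remaining = {p: ws for p, ws in remaining.items() if best not in ws}
    return plan


def paths_broken_by(paths, weakness):
    """Which paths a single fix would eliminate: the 'proof' behind a leverage score."""
    return sorted(p for p, ws in paths.items() if weakness in ws)


if __name__ == "__main__":
    for weakness, score in leverage_scores(SAMPLE_PATHS).items():
        print(f"{weakness:24s} {score:5.0%}  breaks {paths_broken_by(SAMPLE_PATHS, weakness)}")
    print("fix plan:", prioritized_fixes(SAMPLE_PATHS))
```

On the constructed data, fixing the credential policy alone closes 7 of the 10 paths, and the greedy plan shows that a second fix (SMB signing) closes the rest, which is the kind of "two fixes, zero remaining attack paths" statement an IT admin can act on. Greedy selection is not guaranteed optimal in general (this is the set cover problem), but for the small path counts of a single pentest it is exact enough and easy to explain.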

“While our results speak for themselves, our customers and partners do the talking for us,” said Knode. “We’ve cultivated a user and partner community of radical champions, some of whom probably now have Horizon3.ai tattoos, I’m not kidding. These radical champions operated as design partners and helped shape our investments in explainability, integrations, and attack content.”

“I’m incredibly proud of the team, the product, and our community of radical champions,” said Antani. “Our customers will be inspired by the new self-service product experience, and our competitors should be terrified.”

About NodeZero

NodeZero™ provides continuous autonomous penetration testing delivered as a self-service SaaS offering. With NodeZero, cybersecurity teams proactively find and fix exploitable vulnerabilities before attackers can exploit them. Like APTs, ransomware, and other threat actors, NodeZero discovers and fingerprints your internal, cloud, and external attack surfaces, identifying the ways exploitable vulnerabilities, misconfigurations, harvested credentials, and dangerous product defaults can be chained together to compromise your enterprise. NodeZero is safe to execute against production systems and is designed to enable a purple team culture by helping red and blue teams work together to fix problems that truly matter.

About Horizon3.ai

Horizon3.ai was founded in 2019 by former industry and U.S. National Security veterans with the mission of helping organizations see their networks through the eyes of the attacker and proactively fix problems that truly matter, improve the effectiveness of their security initiatives, and ensure they are prepared to respond to real attacks.