If we had a model for an innovator, it probably would be Core Security. It is not so much what they do. It's how they do it. There are several penetration testers on the market and lots more available as open source. So what do you do if you want to sell a product into this space and do it for $30,000/ year a pop? You reinvent creativity and innovation or you go down in flames. Well, there have been no flames here, unless you want to include their perennially hot Core Impact Pro.
There is one thing that, in our view, characterizes Core's approach to the market and the technology: utility. The company has looked very closely at what professional penetration testers want beyond the ability to penetrate a network. In fact, today's pen testing professional has far more requirements than just penetrating the target.
Today's pen tester needs the ability to plan, execute and report on the vulnerabilities in a target network. The big challenge is that these tests must be repeatable, thorough and reliable. Core also recognizes that penetration testing is a profession and needs to be supported that way. That means integration with other tools and Core has an impressive ecosystem of partners. It also means developing test routines, penetration scripts and addressing individual vulnerabilities with custom scripts or modifications to existing ones.
Core Security goes to market by getting and staying close to the penetration testing community. Their innovation does not stop anywhere near existing products. I have watched Core Impact evolve through nine major releases, and while the desktop has not changed materially, the capabilities have grown by light years. That means that users have a familiar venue on which to work without sacrificing the growth in capability that comes with each new release.
Along the way, over the past four years that we have been following Core, we've seen an evolution from an automated script tool to today's mature, enterprise-centric test and analysis suite. The tool addresses both the enterprise directly and the clients of the enterprise with client-side web attacks. What is next? A major goal of Core Security is advancing the profession of professional penetration testing, becoming more scalable for use on huge enterprises while providing more ways for testers to automate. If they do all of that, we'll probably see them again next year.
AT A GLANCE
Flagship product: Core Impact Pro
Vendor: Core Security Technologies
Cost: $30,000/year/seat
Innovation: Professionalizing penetration testing and then providing an appropriate tool
Greatest strength: Unquestionably vision is key in this very hard market that could well be dominated by free open source tools and relative amateurs