We test security, not sell it: Pentera CEO

Amitai Ratzon, Chief Executive Officer, Pentera. Image courtesy of Pentera.

The gap between what enterprises believe is secure and what actually is secure defines Pentera’s mission. Rather than adding another layer of defence, the company tests whether the existing ones hold up under real attack conditions.

In this interview with Frontier Enterprise, CEO Amitai Ratzon explains how Pentera’s approach to security validation challenges traditional cybersecurity models and forces organisations to confront the reality of their defences.

How do you define security validation?

Basically, Pentera coined the term “security validation” back in 2019. At the time, Gartner had no such acronym or category in security. We came out of stealth in 2018-2019, when the market was full of breach-and-attack-simulation players, and we made it clear that we weren’t one of them. Our approach has always been to operate like real attackers, dynamically exploiting infrastructure in live environments. If attackers use no agents, Pentera uses none either. If attackers deploy malware in production against a server, we do the same, but in a safe, controlled manner by design.

After years of discussions and briefings with Gartner, the term “security validation” was formally recognised in 2023. It is now part of Gartner’s Continuous Threat Exposure Management (CTEM) framework, which consists of three components: asset management, vulnerability management, and validation.

To elaborate, asset management helps CISOs identify all digital assets that need protection, both known and unknown. Vulnerability management, handled by traditional players like Tenable, Qualys, and Rapid7, maps and ranks vulnerabilities across Windows and Linux systems, typically categorising them as critical, high, medium, or low.

The third component, validation, is where we come in. Once a CISO knows there are, say, 10,000 assets and 17,000 related vulnerabilities, the question becomes: So what? Can all those vulnerabilities be exploited or just some? Which ones can attackers realistically use to compromise the environment? Validation answers these questions. It identifies the vulnerabilities that truly matter from an attacker’s perspective, narrowing thousands of potential issues down to a manageable 10 to 15 that a security team can effectively address.

How does Pentera narrow thousands of vulnerabilities to a few critical ones?

Our approach focuses on what real attackers could actually do within a specific environment, based on our technology and research. Instead of showing every possible issue, we highlight what can truly be exploited. For instance, if a company like Tenable identifies 200 vulnerabilities in a network segment, Pentera might find that only about 7% of those are exploitable. That’s a statistical distinction.

We also factor in misconfigurations and human errors that traditional vulnerability assessment tools from companies like Microsoft or those using CVEs don’t capture. Human mistakes and misconfigurations are subjective; one person’s configuration error might differ from another’s. Pentera combines exploitable vulnerabilities from the Tenable, Qualys, and Rapid7 ecosystem with these human and configuration issues to produce a focused list. This helps narrow down thousands of potential problems from 10,000 to about 10 to 15 critical issues that matter most from an attacker’s perspective. These usually represent the root causes behind the vast majority of possible compromises. If desired, we can still display the remaining vulnerabilities, but we recommend addressing the exploitable ones first.

We know which vulnerabilities matter because we actively exploit them in the environment. It’s similar to comparing a bystander to a burglar: A bystander might see 30 windows, 10 doors, and three chimneys and assume they’re all entry points, while a burglar tests each one to find which is real. You only know which door is usable when you touch it, and that’s what we do, as opposed to simply observing from afar.
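The narrowing described in the two answers above (thousands of scanner findings reduced to a short list of root causes that validated attack paths actually depend on) can be expressed as a small prioritisation routine. The following is an added illustration, not Pentera's code or data: the finding ids, assets and attack paths are constructed placeholders that stand in for a scanner's inventory and a validation tool's output, and the greedy selection is a standard approximation of the minimum hitting set, not a description of any vendor's algorithm.

```python
"""Rank findings by the validated attack paths they sit on (constructed example)."""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed scanner inventory: finding id -> (scanner severity, asset).
# Ids are placeholders, not real CVEs. Misconfigurations carry no scanner
# severity (None) because CVE-based scanners do not rate them.
SCANNER_FINDINGS: Dict[str, Tuple[Optional[str], str]] = {
    "VULN-01": ("critical", "web-01"),
    "VULN-02": ("critical", "db-01"),
    "VULN-03": ("high", "file-01"),
    "VULN-04": ("high", "web-02"),
    "VULN-05": ("medium", "hr-01"),
    "VULN-06": ("low", "printer-01"),
    "MISCONFIG-01": (None, "ad-01"),     # e.g. a shared local admin password
    "MISCONFIG-02": (None, "share-01"),  # e.g. credentials in a readable share
}

# Constructed validation output: each path lists the findings that were
# chained end to end in the test environment to reach a high-value target.
VALIDATED_PATHS: List[List[str]] = [
    ["VULN-04", "MISCONFIG-01"],
    ["VULN-04", "MISCONFIG-02", "VULN-02"],
    ["VULN-05", "MISCONFIG-01"],
    ["MISCONFIG-02", "VULN-02"],
    ["VULN-03", "MISCONFIG-01"],
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, None: 4}


def severity_only_order(findings: Dict[str, Tuple[Optional[str], str]]) -> List[str]:
    """The traditional view: rank purely by scanner severity (ties by id)."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[findings[f][0]], f))


def exploitable_findings(paths: List[List[str]]) -> Set[str]:
    """Findings that appear on at least one validated path."""
    return {f for path in paths for f in path}


def prioritize(paths: List[List[str]]) -> List[Tuple[str, int]]:
    """Greedy hitting set: repeatedly fix the finding that breaks the most
    still-open paths. Returns (finding id, paths broken by that fix) in order."""
    remaining = [set(p) for p in paths]
    plan: List[Tuple[str, int]] = []
    while remaining:
        counts = Counter(f for path in remaining for f in path)
        # Most paths first; deterministic tie-break on id.
        best_id, broken = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[0]
        plan.append((best_id, broken))
        remaining = [p for p in remaining if best_id not in p]
    return plan


def coverage(paths: List[List[str]], fixes: List[str]) -> float:
    """Fraction of validated paths that a set of fixes interrupts."""
    if not paths:
        return 1.0
    fixed = set(fixes)
    return sum(1 for p in paths if fixed & set(p)) / len(paths)


def report() -> None:
    """Print the contrast between severity ranking and validated priority."""
    exploitable = exploitable_findings(VALIDATED_PATHS)
    print("Scanner order:", severity_only_order(SCANNER_FINDINGS))
    print(f"Exploitable: {len(exploitable)} of {len(SCANNER_FINDINGS)} findings")
    for finding, broken in prioritize(VALIDATED_PATHS):
        print(f"fix {finding} ({SCANNER_FINDINGS[finding][1]}): breaks {broken} paths")


if __name__ == "__main__":
    report()
```

On this constructed data the scanner puts VULN-01 (critical) at the top, yet it sits on no validated path, while two unrated misconfigurations break every path between them. The greedy choice is an approximation, so on real data it is worth re-running validation after each remediation round rather than trusting the initial plan.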

You mentioned an outside-in approach. Why is it so difficult to execute?

It’s not that others didn’t think of it; it’s just very difficult, and I’d say dangerous, to execute. This isn’t a commodity technology. Many assume that AI can make anything possible, but that’s not the case. Even if something is technically feasible, organisations like DBS would never approve a solution that could compromise their infrastructure or leave residual issues after testing.

To make such an approach safe by design, researchers must develop malware that never causes damage or leaves any footprint once the test concludes, and it’s just not easy.

For example, an attack surface management vendor might identify which databases are exposed under a domain such as DBS’s, but it may not be able to run an SQL injection. Pentera can perform the injection safely, interact with the database without harm, and show that the exploit could actually occur.

How do you establish that trust with your customers?

We’re now a 400-person company serving 1,200 customers across 65 countries. When Pentera began, we had no customers. I went out with Arik Liberzon, my co-founder and CTO, trying to convince people that we’d developed a way to challenge infrastructure safely by design. At the time, most said no; even Gartner thought we were crazy.

We had to work hard to land our first few customers. Once the first 20 to 50 enterprises saw that we could operate safely by design, and after we secured Series A funding from Blackstone, those milestones gave us legitimacy. Today, Pentera’s customer base includes major financial institutions, Fortune 500 companies, a large supermarket in Singapore, a major retail chain in Spain, and firms such as BlackRock and Blackstone.

Are you replicating what asset management companies like Armis do?

No, not at all. We’re actually good friends with Armis, and in fact, we’re partners. Armis is the leader in asset management. In the vulnerability space, Wiz is probably the leader in cloud configuration, while Tenable, Rapid7, and Qualys are the biggest players in visibility for on-premises environments.

The third pillar of CTEM, validation, is where Pentera operates. Just as CrowdStrike focuses on endpoint detection and response, Wiz on cloud security, and Recorded Future on threat intelligence, Pentera focuses on security validation.

What’s next for Pentera and the cybersecurity industry?

First of all, we recognise the ongoing debate between platforms and best-of-breed solutions. In many cases, a platform that delivers around 80% of what multiple specialised tools offer can still be preferable, since it comes from a single vendor with unified support. Companies like Check Point, Palo Alto, CrowdStrike, and Zscaler provide broad platforms covering most prevention and detection needs, from basic firewalls and antivirus to endpoint and network detection and response.

Pentera, however, remains agnostic to this platform approach, because our role is to challenge those very platforms. We’re not an extension of CrowdStrike or Palo Alto; we test them. Our customers don’t say they can get Pentera from Palo Alto, because they can’t.

By design, we don’t complement these solutions, we test them. It’s a constructive relationship, but we’re not another point solution that integrates into a prevention-focused suite. If prevention tools are the walls around the castle, Pentera is the one testing those walls. Our uniqueness lies in that distinction: We’re not another layer of protection, but a way to verify whether all the defences you’ve invested in actually work.
