YourStory in conversation with Bikash Barai, CEO of iViZ on cloud-based penetration testing and raising Series A funding from IDG Ventures
Friday May 06, 2011
If someone asked you to tell them about iViZ in about three sentences, what would you say?
iViZ is the industry’s first cloud-based penetration testing company. Unlike our competition, we provide consultant-grade quality of penetration testing for applications with an on-demand SaaS experience. We guarantee zero false positives with business logic testing and expert validation in an easy and cost-effective manner.
How did the idea for iViZ come about? How did you end up choosing the SaaS model?
While conducting one conventional penetration testing exercise, it dawned on us that even as security experts, we cannot comprehensively detect all multi-stage attack path possibilities. Especially, once a network is successfully broken into, we tend to become complacent and the mental incentive to find each and every way to penetrate diminishes.
To overcome this barrier related to basic human instinct, we explored the usage of Artificial Intelligence to simulate all multi-stage attack possibilities. A prototype was built & refined over the next 9 months and stabilized after testing it in several environments. Thus, the automated penetration testing product was born. This technology is currently under "patent pending" with USPTO (United States Patents & Trademark Office).
After successful installation of the product in a few client organizations, we realized that it is extremely difficult for an organization to hire good security persons and it is more difficult to retain them and hence they don’t have enough people to run the tool.
We felt that a penetration testing which can be done anytime, anywhere and anyhow is the need of the day. We decided to leave the software approach and adopted the emerging Software as a Service (SaaS) business model. Thus, the world’s first On Demand Penetration Testing was born!
How is iViZ different from other information security/network security companies?
What Salesforce did to CRM, iViZ did to penetration testing. To use another analogy, it is like Ernst and Young quality reports with a Qualys experience.
As you know, the usual products like Qualys, Appscan or any other tools generate a huge report with lots of false positives. So, you need to have consultants checking them and removing the false positives. They also need to do in-depth business logic testing for discovering the false negatives. This would mean a lot of man-power cost or consultant cost. iViZ would guarantee that the report would match consultant grade quality.
However, with consultants, the problem is that they would only work regular hours. You cannot get a test done anytime you want. For example, your business may need testing on a Saturday night either due to some immediate need or because that’s the period when your system is used the least.
If you have to get a test done during that time by consultants or in-house people, it would mean paying them a higher fee. Now, if you need 100 such tests to be done, it surely gets difficult since a consultant-driven approach cannot scale. Also, imagine having hundreds of PDF reports. It becomes very difficult to manage them, get an overall picture, understand the trends or track the issues not fixed.
iViZ being on-demand and cloud-based eliminates all these problems and you can get the tests done anytime. You can also use the on-demand portal and use the dashboard for better vulnerability management.
Tell us about your background, Bikash.
I have done a double B.Tech from Indian Institute of Technology (IIT), Kharagpur in 'Computer Science' (Hons) and 'Architecture' and also a Masters in 'Computer Science and Information Technology'. I worked in areas like simulation of a hacker's mind using Artificial Intelligence, Cognitive Hacking, Social Engineering, Attack Simulation etc.
Is there acceptance for your concept? We understand that you’ve discovered a number of security flaws in software products worldwide. Can you throw some light on that? Also, who are your customers?
iViZ has won numerous awards for its technology from organizations globally. For example, iViZ was selected among the Top 6 Security companies by US Navy, US Department of Homeland Security and London Business School. iViZ also won awards from Red Herring, Business Today, NASSCOM and several others.
At iViZ, we believe in cutting edge security research and we have broken several products. You may be aware that a few years ago, the hard disc encryption tools like Microsoft BitLocker, McAfee SafeBoot and a host of other products got broken. In fact, iViZ was the company which discovered this and presented it at Defcon in Las Vegas. We’ve also broken the BIOS security of Intel, HP and Lenovo.
You may also have heard that there was news on how anti-virus could be used as a door for a hacker. Again, iViZ is the organization which discovered this. We broke products like AVG, Sophos and many others. In fact, we have broken products of Computer Associates, Symantec and probably at least one product of most good security companies.
iViZ works with more than 250 customers and 30 partners across the world. Several organizations like TCS, NetMagic, nRuns Germany, UBM Netherlands, Denyall France etc. have partnered with iViZ. We work with major banks, telcos, online companies and large enterprises like HSBC, ING, Vodafone, Oracle, Fiat, Deutsche Post (German Post) etc.
Where do you see information security and iViZ five years from now?
The information security market would obviously grow. It is something which the industry cannot live without. Application testing market is at the nascent stage and is growing rapidly at 17.9 CAGR.
As an organization, we would like to build a business that’s worth 40 to 50 million USD in the next 5 years.
However, the bigger dream is to change the way penetration testing is done. Today's approach of conducting penetration testing either lacks in quality or is non-scalable. We need a different approach to solve the problem. We believe that hybrid penetration testing on the cloud can solve the problem of quality and scalability. Our dream is to make this happen!
What is iViZ’s revenue model? Also, you’ve been funded about two years ago. How was that fund infusion utilized?
iViZ provides subscription-based penetration testing for applications via the cloud. Organizations can subscribe for penetration testing and get it done whenever they want. They don't need to buy any software or hardware or hire consultants.
iViZ also works with partners to launch their own branded cloud-based penetration testing so that they can scale their revenue while maintaining zero operational cost. We work with security consulting organizations, data centers, managed service providers and resellers on a revenue sharing model.
In 2008, IDG Ventures invested 2.5 million USD. After raising the Series A fund, we used it to build the SaaS infrastructure so that we can start offering the cloud-based penetration testing business. We used the capital to build the senior management team, build global presence and strengthen our technology.
As an entrepreneur, what are your joys? What are the challenges?
As an entrepreneur, the joys are in overcoming challenges, solving problems and bringing in success for customer, team and shareholders. I find the journey as important as reaching the goal.
Every day, I get to learn something new from the people around me irrespective of their positions or backgrounds. The joy of learning something, building something unique and path breaking keeps me moving. For me, it's not just business success but the way I achieve it is also very important.
Our dream is to change the way penetration testing is done so that we can solve this challenge of false positives and lower quality automated reports. I find joy in challenging the status quo and making things possible which are seemingly impossible.
There are several challenges as an entrepreneur. Right now, scaling is an interesting challenge and I believe we’ve got the fundamentals in place and that we’re demonstrating good progress.
At times as an entrepreneur, it becomes lonely. I am very passionate about people and I love my team and people around me. However, I have faced situations where I’ve needed to take decisions which go against individuals and that's when you start losing them from being near to you. This is an interesting challenge where probably one needs to learn how to balance and accept this hard reality. One can probably not keep everybody happy every time and being comfortable about it is something which I need to learn gradually.
How big is the iViZ team? Are you looking at hiring?
We are around 55 in terms of team size. Our American operations are headed by Scott Bradley, who holds a Masters in AI and robotics from an Ivy League school with more than 20 years of experience in heading business in USA with companies like Oracle, Sun, Network Intelligence etc.
Our Europe operations are headed by Kevin with more than 25 years of experience in building business from scratch with companies like BrightMail, WebRoot etc. Our engineering is headed by Arnab Chattopadhyay, who has more than 15 years of experience with BT in building their SaaS platform.
We are aggressively hiring people in sales, online marketing, engineering and application security testing.
How has the journey been so far? Also, let us know about your expansion plans.
We already have offices in Boston, London and Bangalore. We have presence in more than 20 countries through our partners. Our goal is currently to focus on USA and Europe and make the business successful. We are aggressively building our sales team and are expecting to grow more than 200 percent in terms of team size this year.
We have more than 250 customers and 30 partners across the globe. Our offering of on-demand application testing is quite popular with our customers as well as partners. Our partners can now scale their security testing business at zero operational cost. They simply love us since we make their life simple and help in increasing revenue and decreasing cost. Last year, due to recession, organizations were signing more of one-time deals. However, there is a reverse trend now where most of our customers are going for multi-year deals.
We at YourStory wish Bikash and iViZ all the very best. To know more, check out www.ivizsecurity.com. Also, do let us know what you think of this story. You can write to us at [email protected].
Sriram Mohan | YourStory | 5th May 2011 | Bangalore