Securitybulls is a penetration testing and infrastructure security service provider that analyses threats to a company’s digital assets from a hacker's point of view.Sindhu Kashyap
Securing data is a key requirement for any company, especially with the rising need to digitise data. While there are several security startups in Tier I cities, Geet Vaishnav and Prateek Sharma decided to start one in their hometown - Indore.
The duo founded Securitybulls - a penetration testing and infrastructure security service provider - in 2016. The platform analyses a company’s digital assets from a hacker's point of view to provide a blueprint for remediation to help build or enhance a protection strategy.
“We decided to start up here because no one in central India is providing this sort of service. We wanted to become the first penetration testing and infrastructure security service provider in central India,” says Prateek.
Geet and Prateek saw a lack of understanding when it came to security, and felt the need for organisations to be more focussed on it.
During his engineering days in Indore, Geet had decided to become an Offensive Security Certified Professional (OSCP). This gave him the exposure to work on different projects while still in college .He thought to do something his own and help secure data of different organisations. He decided to drop the college and began freelancing on the same. He says he has worked on different projects with data companies and financial institutions. As an OSCP security freelancer, he has also worked and taught other college students.
Prateek began working with different organisations during his engineering days in coding and security, and worked in business development at Infograins Software Solutions, Code Decode Labs and Teleperformance India. After he finished his engineering in Mumbai, Prateek moved back to Indore to pursue a certification course in International business from IIM Indore.
It is here that the two met. They decided to build a company that looked at security. Soon, they roped in Rohit Asoliya, Rishabh Dogra, Thrivikram Gujrathi, and Medha Singh.
As the focus is on analysing threats from a hacker’s point of view, the team needs to be updated with the latest attack vectors. Prateek says the team is trained in advance exploitation techniques that malicious users can use to compromise networks, systems, and applications to gain access to sensitive data and critical resources.
One of the biggest differentiators for Securitybulls is its location. However, starting up in a Tier II city has its own challenges. Prateek says they faced a lot of barriers while making new connections with like-minded people as there are no meetups, conferences or events there. To overcome this, the team has to travel around the country or even abroad, which can be quite expensive for a startup with a limited budget.
“It is also tough to sell such services in a city like Indore as companies here are looking to buy a Benz at the price of a Nano. Also, people are not aware about information security and its importance, so it's hard for us to sell in Indore. But then, there also are no security startups in central India and Indore is our hometown,” says Prateek.
The team is currently working on building an AI-based web vulnerability scanner, which would be based upon their own research of various vulnerabilities. “It will be helpful to spot out business logic flaws as well. Since Blockchain is an emerging technology, we’re interested to create an AI-based smart contract code review platform,” says Prateek.
Securitybulls started with several packages. Its clients include Angel Broking, Arihant Capital and US-based Agfirst Farm Cred, Amar Ujjala in Noida, and Zerodha in Bengaluru.
Depending on client needs, the company charges $200 - $1500 per day, per engineer. At present, the team works with different engineers and hackers on a part-time basis.
“We've completed two years successfully and our monthly revenue is now around Rs 5 lakh. In 2017, our revenue was Rs 35 lakh,” says Prateek. The company has also been recognised at the Data Centre Summit in Mumbai in 2017 under the ‘Data Security’ category.
Prateek explains, “We perform various attacks on the given set of scope and provide a detailed report containing the PoCs. We use our own scripts to breach the security of our clients and help them mitigate the issues in their infrastructure.”
First, the team works with a client to understand the company’s business goals. Then, it identifies the different threats that can affect these goals and helps it plug them. The bootstrapped startup tests across different vulnerabilities including Open Web Application Security Project (OWASP) Top 10 and SANS 25. “We run on-going audits of applications and networks for vulnerabilities we derive from a prioritised researched list,” adds Prateek.
At present, the team uses penetration testing, which is a way to replicate real-world attacks by using the same techniques used by malicious hackers.
“We provide network penetration testing to identify and mitigate risks in your network, which cannot be easily detected by vulnerability scanners. This is done for both internal and external networks to ensure that your network is as secure as possible,” says Prateek.
The startup works on external network penetration testing for web servers, email servers, entry points, HTTP/HTTPS, firewalls and IDS/IPS. It has internal network security services that focusses on exploiting private or internally accessible infrastructure and services. It also offers web app penetration testing, mobile app penetration testing and Blockchain security.
The co-founder explains, “A large part of Blockchain hacks take place because of a lack of security around web applications selling tokens, and social engineering attacks. We help organisations dispatch their ICOs safely and enable them to assemble secure stages.”
The Government of India has allocated 10 percent of its IT budget towards cybersecurity. In July 2018, it notified a Preferred Market Access order to support Made-in-India cybersecurity products.
According to Gartner, by 2023, more than 30 percent of public-facing web applications will be protected by cloud web application and API protection (WAAP) services that combine distributed denial of service (DDoS) protection, bot mitigation, API protection, and WAFs. At present, this stands at less than 10 percent, leaving a huge market to be tapped into.
India has several security startups. While cybersecurity startups are fast growing in India, few have been able to gain the needed traction. Lucideus Tech, based out of Delhi, is harnessing the potential of Blockchain and emerging technology, Mumbai-based Block Armour, launched in 2016, aims to disrupt cybersecurity. There also is Noida-based HaltDos which is an AI-driven website protection service that secures websites against cyber threats.