
NetSPI Launches New Vulnerability Management and Orchestration Platform

Minneapolis, Minnesota  –  NetSPI LLC, the leader in orchestrated vulnerability management and security testing, has announced the launch of NetSPI Resolve™, an end-to-end solution for vulnerability management and orchestration.

Companies face a growing number of vulnerabilities, leaving them at risk for data breaches that are expensive and damaging to their reputation. Resolve™ enables the orchestration of cyber security efforts across an entire organization, so businesses can shorten the vulnerability management life cycle and improve their security posture.

“Businesses are flooded by vulnerability data from scanners and pentesters, but all that information doesn’t add up to a coherent picture. Data piles up from multiple security testing sources, and there is no consistent way to track or prioritize vulnerabilities. It’s a manual and time-consuming process to try to make sense of your risk exposure, let alone track and report on it,” said Deke George, NetSPI CEO. “Resolve™ essentially brings order to this chaos. Not only does it help customers fix vulnerabilities faster – but it also gives them the insight they need to triage and prioritize remediation efforts, so they can focus their resources on the most critical issues and continuously reduce their risk.”

The number of disclosed vulnerabilities has increased each year. In an attempt to find them all, many organizations use multiple scanners along with in-house or third-party manual penetration testing, generating a large amount of overlapping data. Resolve™ automatically correlates this disparate data into a single system of record, allowing organizations to coordinate security teams’ efforts, track remediation progress, and report on vulnerabilities across teams and departments. The result is improved visibility of vulnerabilities, faster time to remediation, and reduced exposure to risk.

“There aren’t enough cyber security professionals – the unemployment rate for cyber security professionals is about zero,” George said. “The only way organizations can close critical security gaps is by automating and orchestrating security tasks to reduce manual overhead, so they can get more done without more employees or longer hours. We’re excited to offer customers a solution to some of their biggest cyber security challenges.”

NetSPI, which also offers pentesting and vulnerability management services, initially developed the platform to support execution and delivery of services to its customers. The platform was designed to ingest and correlate vulnerabilities from disparate sources, standardize the vulnerability knowledge base and remediation recommendations, ensure consistency in pentest execution and resulting outcomes, and track and report progress with actionable information to prioritize resources. NetSPI Resolve™ offers the same capabilities to customers’ internal security teams, as a cloud-based solution that can scale to handle tens of millions of vulnerabilities.

NetSPI Resolve™ will be showcased at a series of happy hour events during the last two weeks of March in Minneapolis, New York City, Atlanta, Seattle, Dallas, and Toronto. To register or learn more, visit Resolve™.

About NetSPI

NetSPI LLC is the leading provider of application and network security testing solutions that supports organizations in scaling and operationalizing their threat and vulnerability management programs. The solution portfolio includes security testing services, a vulnerability orchestration software platform, and advisory services. Trusted by seven of the top 10 United States banks, the largest global cloud providers, and many of the Fortune® 500, NetSPI has deep expertise in financial institutions, healthcare providers, retailers, and technology companies. To learn why the world’s top brands trust NetSPI, visit netspi.com or follow us on Facebook, Twitter, and LinkedIn.


NetSPI Partners with University of Minnesota Masonic Children’s Hospital as Part of New Philanthropic Program

Minneapolis, Minnesota  –  NetSPI LLC, the leading provider of threat and vulnerability orchestration and security testing, announced today it will partner with University of Minnesota Masonic Children’s Hospital as part of a new philanthropic program called “NetSPI Gives.”

“While NetSPI continues to see business growth both nationally and globally, we haven’t forgotten about giving back to our local community,” said Vice President of People Operations, Meghan Hermann.

As a leading high-tech, research-focused cybersecurity company, NetSPI could immediately relate to the groundbreaking research going on at University of Minnesota Masonic Children’s Hospital. In particular, the hospital’s pediatric cancer advancements struck a chord.

“We were so excited to connect with the team at the hospital and knew immediately that we needed to make a big contribution,” said Hermann. “All 110 of our employees from across the country will be together in Minneapolis this week where we will kick-off the partnership with the hospital.”

To manage all of the company’s philanthropic activities so they can make the biggest impact possible, it decided to create a program called NetSPI Gives. As part of the new program, the company plans to donate time and money as part of a charitable initiative each quarter.

“Our physician-scientists are pursuing new avenues of research to develop powerful alternatives that are even safer and more effective treatments for childhood cancers,” said Nick Engbloom, Director of Community Partnerships for University of Minnesota Masonic Children’s Hospital. “We are excited to partner with NetSPI’s volunteer and philanthropic efforts, which will play an essential role in elevating the impact on pediatric cancer research here.”

“Our employees are always motivated by opportunities to give back to our community and are thrilled to be making a significant and lasting impact on children at the hospital,” said Hermann. “We’re excited about this important step in NetSPI’s growth and look forward to continuing to make a difference in the local community.”

Currently, plans are underway for a number of fundraising and charitable events at the hospital involving NetSPI staff. For more information and announcements, follow NetSPI on Facebook, Twitter, and LinkedIn.

About University of Minnesota Masonic Children’s Hospital

University of Minnesota Masonic Children’s Hospital brings hope and healing to children and families by caring for one child at a time, while advancing education, research, and innovation on behalf of all children. By working as one health care team centered on its youngest patients, University of Minnesota Masonic Children’s Hospital and pediatric clinics create exceptional care experiences for children and their families in Minnesota and around the world.

Media Contacts
Krystle Barbour
Media and Public Relations Specialist
M Health
+1.612.626.2767


NetSPI Releases Vulnerability Management Integration Framework

Minneapolis, Minnesota  –  NetSPI LLC, the leader in vulnerability management tools and penetration testing services, has released the NetSPI Resolve™ vulnerability management integration framework. The data integration tool allows financial, healthcare, retail, technology, and other businesses to automate time-consuming manual processes and improve vulnerability management.

More than 20,000 new software vulnerabilities are identified annually. Cyber-attackers use these vulnerabilities to breach networks, websites, and applications – and steal sensitive data. Many companies run multiple vulnerability scanners in an effort to find and fix vulnerabilities before attackers exploit them. Unfortunately, each vulnerability scanner uses its own data format and definitions. Making sense of the scanner data, manual penetration testing reports and remediation status from across a global enterprise is a massive manual effort.

The NetSPI Resolve™ vulnerability management and orchestration platform makes sense of the data from all these sources and makes a risk-based assessment to identify the most critical vulnerabilities to prioritize for remediation. With data integration, Resolve™ can also show the remediation status of identified vulnerabilities – whether their status is open, in remediation, or risk-accepted. The result is a vulnerability management process that scales for global organizations.

The NetSPI Resolve™ vulnerability management integration framework enables companies to:

Save time with automated data flows. The visual integration framework lets users automate the bidirectional flow and mapping of disparate data – quickly and easily – while maintaining the performance of existing vulnerability management workflows.

Connect popular tools with out-of-the-box integrations. The integration framework supports the most popular application scanners, network scanners, ticketing, remediation, and governance tools, including AppScan, Qualys, Jira, Archer, and more.

Build custom data integrations. Users can build their own integrations for other tools using Java, JavaScript, Ruby, Python, or Jython.

Get data from structured and unstructured sources. The integration framework can connect Resolve™ to enterprise data sources, such as corporate databases and Active Directory. In addition, Resolve™ can ingest data from semi-structured and unstructured data sources, such as penetration testing reports.

Push data out to other systems. Users can send notifications when vulnerabilities reach a threshold and push vulnerability data to remediation ticketing systems and governance, risk, and compliance (GRC) systems.

Join NetSPI at the Gartner Security & Risk Management Summit
The Resolve™ integration framework will be demonstrated publicly for the first time in Booth 1017 at the Gartner Security & Risk Management Summit, June 17-20 in National Harbor, MD. Attendees can request a private demo, or attend the vulnerability management panel, Best practices for updating your vulnerability management program, on Tuesday, June 18 at 1:15 p.m.

Learn more about Resolve™ here.

About the Gartner Security & Risk Management Summit 2019

The Gartner Security & Risk Management Summit 2019 features programs focusing on key topics such as business continuity management, cloud security, privacy, securing the Internet of Things (IoT), and the chief information security officer (CISO) role. Gartner analysts will explain the latest information on new threats to enable digital business in a world of escalating risk.



Make it Easy on the Development Team

Software development teams are often at odds with application security teams, specifically pentesting teams. In this post we explore why this happens and what five steps you can take to improve participation in security testing by the development team in your organization.

Conflicting Objectives

At a macro view, the objectives of software development and application security align. Organizations need software and security to operate. But at the micro level, each team has very different objectives that don’t align.

Development teams are measured on delivering functional code on time and on budget, yet development teams regularly struggle to meet release deadlines. There are various reasons as to why, some avoidable and some not. Common reasons include scope creep, scope underestimation, unforeseen roadblocks, and bad planning.

The application security team is at least partially measured on how many vulnerabilities they find. If they don’t find vulnerabilities, that means the development team did a good job, but the security team has a hard time justifying the value they provide. Security teams scrutinize applications deeply because their reputation depends on what they can find. More often than not, they succeed in doing their jobs. The vulnerabilities they find have to be fixed.

The application security testing (AST) process further increases the deadline pressure experienced by development teams. Fixing vulnerabilities takes time and delays code pushes. The outcome is a double whammy. First, the development team’s ability to deliver on time is put in jeopardy. Second, the developers feel as though their own reputations have been tarnished if their code is found to have flaws.

It’s no wonder development teams often chafe, drag their feet, or otherwise hinder the application security testing process. They submit to testing because it’s required, but they are generally not willing participants.

Evaluating Possible Solutions

Rational arguments for application security are already well understood by developers. Training and explanations do nothing to align the conflicting objectives and outcome of application security testing. Reasoning and rationale can only increase willingness so much.

Some organizations try to bake security into the software development lifecycle (SDLC). Time is allocated for application security testing between the release date and the production target. As development projects slip, security is often the first thing to be pushed out so the deadline can be met. Development teams would rather get all the features in and risk an unknown number of security flaws, hoping none exist. This reasoning leads back to the conflicting objectives.

Automation built in during the SDLC to help catch problems early can reduce the findings during a pentest. There is a diminishing return, though. More scanners will not eliminate all of the vulnerabilities found during a pentest. And this does not solve the conflicting objectives.

Five Steps to Buy in

The best security solutions are also the most convenient. Security is often viewed as a necessary evil by those burdened by the requirements. Reducing the effort needed is the best way to improve buy-in and willingness.

Application security testing orchestration (ASTO) delivers on convenience in many ways:

Step 1

Test scheduling should be as simple as possible. Ideally it should be possible to allow self-service for development teams to view, filter, and schedule security testing slots based on the availability of application security testing resources. This approach reduces the human effort needed to coordinate and schedule tests.

Software delivery dates often slip. Rescheduling pentesting at the last minute can cause a great deal of disruption to the security team. In this case, a backlog of scheduled tests can provide a buffer. For the backlog to work, scoping information for scheduled tests must be ready well ahead of time.

Step 2

Make the process of scoping security testing as seamless and convenient as possible. Your application security testing orchestration tool should track the application scope information on an ongoing basis. Annual application security tests should allow for development stakeholders to carry over prior information. Stakeholders should review and revise it prior to testing, but it’s much easier to revise than to write the entire form again.

Passing a Word document back and forth with comments and track changes gets messy and is hard to manage. Scoping questionnaires should be collaborative web interfaces where security and development can both participate. After the development team has submitted revised scoping information, the security team should review it quickly and verify it from a queue.

If any errors or discrepancies are found, communication should be easy to follow and track. Comments and markup on the scoping form are an ideal way to enable the communication flow. The web form can be mapped into a database in a standardized way and used in automated processes, which is something a Word document cannot do.

Step 3

Vulnerabilities will be found during testing. Providing full context of how to fix the vulnerabilities with high-quality remediation instructions can save the developers much time. Avoid making the developers work to figure out how to fix the problem by providing a remediation instructions library with vetted content. Sure, pentesters can write instructions, but consistency and quality will come from a standard library.

Step 4

Developers work in their own tools. Giving them a laundry list .CSV file of vulnerabilities or a static report is not going to make it easy for them. Don’t make them load the list into their tool or force them to track on a spreadsheet. Manual processes risk losing track of vulnerabilities and increasing developers’ workloads.

Integrate directly with the development SCRUM tool. Push vulnerabilities into developers’ existing workflow with the included remediation instructions to save them time and effort. Having a bidirectional sync with the SCRUM tool also makes it much easier to track remediation.

Step 5

Retesting and verifying that vulnerabilities have been fixed should be expedient and as automated as possible. Waiting to retest for weeks or months after a developer has fixed the problem will only increase the frustration the developers feel. Some scanners can automatically verify a vulnerability has been fixed, which can be triggered based on an application security testing orchestration process. Adding retest tasks to a queue for the application security team and having a service level agreement (SLA) on the task will also ensure that the security team is following up on the fix in a timely fashion.

Conclusion

While it may not be possible to entirely remove the conflict between application security and software development, it’s certainly possible to ease the inconvenience. Development teams understand the need for security. The experience is generally the problem. Improve the user experience for your developers, just like you would for any customer, and you will have a much easier time getting buy-in for the application security testing process.
