9 Quotes that Capture the State of Offensive Security

We hosted the crew from Hacker Valley Media on LinkedIn Live for a conversation on the top takeaways gained from our 2023 Offensive Security Vision Report. The report analyzed over 300,000 anonymized findings from thousands of pentest engagements to shed light on the state of offensive security and provide insights into how security teams can tangibly approach the evolving threat landscape.  

NetSPI Head of Product Cody Chamberlain and guests Ron Eddings and Chris Cochran from Hacker Valley Media explored the highlights including the importance of prioritizing vulnerabilities, a constant reminder to focus on the basics, and how we can show empathy by asking for help while staying committed to the larger mission that keeps us connected: security.  

Watch the LinkedIn Live conversation here or download the original Offensive Security Vision Report for all the details.

Offensive Security Captured in 9 Quotes 

These quotes come directly from Cody Chamberlain, Ron Eddings and Chris Cochran while participating in our LinkedIn Live webinar, “An Inside Look at NetSPI’s Offensive Security Vision Report.” We pulled these soundbites because they capture the state of offensive security in today’s landscape.  

We’d love to hear what you’d add to this list! Share your two cents on the state of offensive security by tweeting us @ NetSPI. 

Prioritizing Remediation Efforts is the Key to Success 

  1. “You have to find the needle in the haystack on which vulnerability to focus on. Unfortunately, it’s like finding the needle inside the needle stack. When the needle looks like all the other needles, how do you really find it?” 
  2. “Prioritization is one of those beasts that’s just hard to wrangle.” 
  3. “If you don’t have a mechanism to prioritize, you’ll be lost. You’ll prioritize the wrong things, and ultimately, waste time.” 

Prioritizing vulnerabilities is crucial in breaking the cycle of vulnerability management challenges. Security teams simply can’t fix every vulnerability. Rather, they must focus on which vulnerabilities pose the greatest risk if exploited based on where they exist, the business priorities, the likelihood of exploitation, and the threat landscape. 

Without effective prioritization, security teams are faced with a constant influx of alerts and information, leading to analysis paralysis and misused time. Prioritization allows teams to allocate their precious time and resources to fix critical and high-risk vulnerabilities, ensuring that the most impactful security issues are addressed first. However, establishing a prioritization mechanism requires initial effort and a willingness to ask and answer difficult questions upfront.  

Go Back to the Basics 

  1. “You want to play but you’ve got to clean your room before you play, right? You have to make sure you don’t have any public facing s3 buckets before you start playing with ChatGPT.”  
  2. “It’s just another reminder that we really need to focus on the basics.” 
  3. “Going back to those fundamentals is what’s going to lead to success.” 

While the allure of new technologies is enticing, focusing on the basics and maintaining foundational security measures is essential to prevent breaches. Time and time again we find breaches happen because of simple mistakes that get overlooked.  

Security teams must strike a balance between addressing business-as-usual security tasks and exploring new technologies that keep teams engaged and motivated, while also ensuring that the necessary groundwork is laid before diving into the latest trends. By achieving a mature security posture through focusing on fundamentals, organizations gain the freedom to explore new technologies and initiatives with a solid foundation in place. 

Compliance Does Not Equal Security 

  1. “In our hearts, compliance does not equal security. But compliance gets a lot of budget, which helps us do security.” 

NetSPI’s Vision Report explored high-level industry data on vulnerabilities and security, showing the government, non-profit, and healthcare industries had the largest volume of critical and high severity vulnerabilities. On the other hand, the insurance and financial services industries had the lowest volume.  

This indicates a stark contrast between two highly regulated industries: healthcare and financial services.  

Healthcare security leaders have expressed challenges in keeping up with privacy regulations, while the financial services industry has leaned into evaluating and penalizing risk management deficiencies. Perhaps the healthcare industry will follow suit toward stricter enforcement. 

Plan for Hiring Early On 

  1. “A lot of times when you build your hiring plan, you don’t necessarily think, ‘okay, I’m going to need to articulate the value of someone entry level to my stakeholders.’” 

This situation can result in a harder sell for an entry-level hire when the need arises. Results from the Offensive Security Vision Report reveal a pressing need for increased investment in entry-level cybersecurity roles. A significant majority of security leaders (55 percent) reported having five or fewer roles budgeted for in 2023.  

Moreover, when asked about the number of entry-level positions, 71 percent of respondents indicated that less than one-fourth of the budgeted roles were allocated for entry-level candidates, and 46 percent had no plans for entry-level hiring in 2023. These findings underscore the urgency for the industry to prioritize investment in cultivating new talent. To address the global skills gap, it is crucial to provide hands-on training and support for individuals entering the cybersecurity field. By investing in entry-level professionals, the industry can move toward bridging the gap and fostering a robust pipeline of skilled cybersecurity experts. 

Consider the Interconnected Nature of Your Role 

  1. “The work we do is in the weeds. It’s asset management. It’s vulnerability management. It’s thankless, it’s frustrating. So anything that we as an industry can do to remind each other that there is a mission — there’s a bigger mission than all of us — is appreciated because security is interconnected.” 

While it’s easy to get lost in the details on which vulnerabilities deserve the bulk of our attention, we need to stay grounded in the bigger picture: it’s not just about checking the box on a single task, but seeing how your effort fits into the larger picture of creating a secure end state for a business. 

Ready to Dig into the Data?

Download NetSPI’s Offensive Security Vision Report!


Anti-Scraping Part 1: Core Principles to Deter Scraping 

Introduction and Motivations for Scraping 

Scraping usually refers to the practice of utilizing automation to extract data from web applications. There are a multitude of motivations for scraping which range from hackers trying to amass a large amount of phone numbers and email addresses which they can sell, to law enforcement extracting pictures and user data from social media sites to assist in solving missing persons cases. Although there is a wide range of both well-intentioned and malicious reasons to scrape web applications, allowing vast amounts of user data to be extracted by third parties can result in regulatory fines, reputational damage, and harm to the individuals who had their data scraped.  

Anti-Scraping refers to the set of tactics, techniques, and procedures intended to make scraping as difficult as possible. Although completely preventing scraping is probably not possible, requiring scrapers to spend an inordinate amount of time trying to bypass an application’s protections will most likely deter the average scraper. 

Anti-Scraping Core Principles 

In our view there are 5 core principles in Anti-Scraping: 

  1. Require Authentication 
  2. Enforce Rate Limits 
  3. Lock Down Account Creation 
  4. Enforce Data Limits 
  5. Return Generic Error Messages 

These principles may look simple in theory but in practice are increasingly difficult with scale. Protecting an application on a single server with hundreds of users and a dozen endpoints is an approachable problem. However, dealing with multiple applications spread across global data centers with millions of concurrent users is an entirely different beast. Additionally, any of these principles taken too far can result in a hindrance to the user experience.  

For example, enforcing rate limits sounds great on paper but exactly how many requests should the user be able to send per minute? If it’s too strict then it can result in a normal user being unable to use the application, which may be entirely unacceptable from a business perspective. Hopefully further diving into these topics can help illuminate both what solutions organizations can try to implement and what hurdles to expect along the way. 

Fake Message Board 

In this series of blogs, a fake message board site we developed will be utilized to demonstrate the back and forth between defenders hardening their application, and scrapers bypassing those protections. All the users and data shown in the application were randomly generated. The application has typical login, account creation, and forgotten password workflows.

Screenshot of login screen on a fake message board.

Once signed into the application the user is shown 8 recommended posts. There is a search bar in the top right which can be used to find specific users.

Additionally, each user has a profile page which returns information about the user (name, email, bio, birthday, email, phone number) and their posts (date, content, comments).

No attempts were made to restrict scraping. Let’s see how complicated it is to scrape all 500,000 fake users on the platform. 

The Scraper’s Perspective 

One of a scraper’s first steps will be to proxy the traffic for the web application by using a tool like Burp Suite. The goal is to find endpoints that return or leak user data. In this case there a few different areas of the application to look at: 

  1. Recommended Posts Functionality 
  2. Search Bar 
  3. User Profile Pages 
  4. Account Creation 
  5. Forgot Password 

Recommended Posts Functionality 

The recommended posts functionality returns 8 different posts every time the home page is refreshed. As shown below, the user data is embedded in the HTML.  

Example of a recommended post for reading on a fake message board.

HTTP Request:

GET /home HTTP/1.1
Cookie: session_cookie=60[TRUNCATED]

HTTP Response:

HTTP/1.0 200 OK 

<div class="w3-row w3-row-padding"><div class="w3-col l3 m6 w3-margin-bottom" style="padding-bottom:30px"> 
	<img src="/images/fake_profile_pictures/158.jpg" alt="Profile Picture" style="width:100%;height:300px"> 
	<h3>Kamden Marin</h3> 
	<p class="w3-opacity">kmarin590</p> 
	<p>You'll see the rainbow bridge after it rains cats and dogs.</p>
	<p><a class="w3-button w3-light-grey w3-block" href="/81165/profile/">Profile</a></p>

As a scraper trying to figure out which endpoint to target, here are a few key questions we may ask ourselves: 

  1. Is authentication required: Yes 
  2. How much data is returned: 8 users/response 
  3. What data is returned: User ID, name, username, bio 
  4. Is the data easy to parse: Pretty easy, it’s just in the HTML 

Search Bar 

The search bar by default returns 8 users related to the provided search term. As shown below, there are multiple interesting aspects to the /search endpoint.

HTTP Request:

POST /search?limit=8 HTTP/1.1


HTTP Response:

HTTP/1.0 200 OK 

    "0": [ 
    "4": [ 

One of the first features to check is whether authentication is required. In this case the server still returns data even after removing the user’s session cookie. Additionally, any time there is a parameter which tells the server how much data to return that is potentially a great target for a scraper.  

What happens if we increase the limit parameter from 8 to some higher value? Is there a maximum limit? As shown in the screenshot below, changing the limit parameter to 500,000 and searching for the value “t” results in 121,069 users being returned in a single response. 

Example of adjusting the limit parameter from 8 to 500,000 to return 121,069 matches.
  1. Is authentication required: No 
  2. How much data is returned: No max limit 
  3. What data is returned: User ID, name, username, birthday, email, phone number 
  4. Is the data easy to parse: Very easy, it’s just JSON 

User Profile Pages 

Visiting a user’s profile page returns information about the user, posts they have made, and comments on those posts. 

HTTP Request:

GET /419101/profile/ HTTP/1.1
Cookie: session_cookie=60[TRUNCATED] 

HTTP Response:

HTTP/1.0 200 OK 

<div class="w3-margin-bottom" style="padding-bottom:30px;width:25%"> 
	<img src="/images/fake_profile_pictures/153.jpg" alt="Profile Picture" style="width:100%;height:300px"> 
	<h3>Ashton Weeks</h3> 
	<p class="w3-opacity">aweeks950</p> 
	<p><b>BIO: </b>People keep telling me "orange" but I still prefer "pink".</p> 
	<p>Birthday: 3/25/1980</p> 
	<p>Phone Num: 381801397</p> 

Since the user IDs are sequentially generated we can just start at user ID “1” and increment up until 500,000. 

  1. Is authentication required: Yes 
  2. How much data is returned: 1 targeted user and 3 commentors per post 
  3. What data is returned: User ID, name, username, bio, birthday, email, phone num 
  4. Is the data easy to parse: Pretty easy, it’s just in the HTML 

Account Creation 

The account creation functionality requires a username, email, password, and optionally a phone number.

HTTP Request:

POST /createAccount HTTP/1.1 


HTTP Response:

HTTP/1.0 200 OK 


The server responds with a “success” message when given a new username/email/phone. What happens if a username/email/phone number is provided that is already in use by a user? 

HTTP Request:

POST /createAccount HTTP/1.1 


HTTP Response:

HTTP/1.0 200 OK 

{"response":"phone number taken"}

In this case an account is already using the phone number “893183164” and the server leaks that information. Although this endpoint doesn’t return user data, it still leaks information. This can be utilized by a scraper to, for example brute force all possible phone numbers and collect a list of all numbers used by users on the platform. 

Additionally, since there appears to be no protections on the account creation workflow, we can create a ton of fake accounts which can then be used for future scrapes.

Forgot Password 

The forgot password functionality requires a username and sends a recovery email/sms if the account exists.

Screenshot of forgot password screen on a fake message board.

HTTP Request Valid User:

POST /forgotPassword HTTP/1.1 


HTTP Response Valid User:

HTTP/1.0 200 OK 

{"success":"email sent to"}

Observe that if a valid username is provided then the server returns the email address of the account. This can be utilized by scrapers to collect email addresses by either brute forcing usernames or collecting usernames from elsewhere in the application. For reference, if an invalid username is provided then the server returns an error message as shown below. 

HTTP Request Invalid User:

POST /forgotPassword HTTP/1.1 


HTTP Response Invalid User:

HTTP/1.0 200 OK 

{"error":"Invalid Username"} 


Let’s review how the Fake Message Board application is performing with respect to our 5 core anti-scraping principles. 

  • Require Authentication 
    • The /search endpoint is accessible logged-out 
  • Enforce Rate Limits 
    • Rate limiting is nonexistent throughout the application 
  • Lock Down Account Creation 
    • There are no protections in place 
  • Enforce Data Limits 
    • The /search endpoint accepts a “limit” parameter with no maximum enforced value 
  • Return Generic Error Messages 
    • The /createAccount and /forgotPassword endpoints both leak information through error messages 

With no protections in place, scraping all 500,000 fake users of the application can be trivially done in minutes with only a few requests. In part two we’ll begin implementing anti-scraping protections into the application and examine how scrapers can adapt to those changes. 


NetSPI Offensive Security Solutions Updates: June 2023 

NetSPI is the global leader in offensive security, delivering the most comprehensive suite of penetration testing, attack surface management, and breach and attack simulation solutions. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities.  

We maintain a leadership position in the industry by listening to client feedback, analyzing industry trends, and investing in breakthrough technology developments. Over the last few months, our development teams have been busy, and are excited to introduce a variety of new features and capabilities across our Breach and Attack Simulation, Attack Surface Management, and Penetration Testing as a Service (PTaaS) solutions.

Breach and Attack Simulation (BAS)

Companies often spend thousands, even millions, of dollars on detective controls. However, very few validate the effectiveness of these solutions. After initial testing, NetSPI Breach and Attack Simulation (BAS) data shows that on average 80 percent of common attack behaviors are missed by traditional EDR, SIEM and MSSP out-of-the-box solutions… YIKES! 

NetSPI’s BAS is designed specifically with this use case in mind, evaluating the effectiveness of detective controls and equipping security professionals with easily digestible and actionable KPIs. The latest updates to our BAS platform include: 

  • 185 new Living Off the Land Binaries and Scripts (LOLBAS) plays designed to validate detective controls and measure KPIs with more detail than ever before.  
  • 8 new Advanced Plays, which deliver extreme playbook customization and allow teams to create and simulate almost any scenario they can come up with. 

In summary, we have added more common and customizable plays to Evaluate detective controls, Educate on attack behaviors, and Enable SOC teams with actionable information to make fact-based decisions and improve resilience where it is needed most. 

If you would like to learn more about these updates, or other recent releases within our Breach and Attack Simulation platform, we encourage you to read our release notes, or contact us for a demo.

Attack Surface Management (ASM)

NetSPI’s Attack Surface Management (ASM) helps security teams manage risk by providing an ongoing external view and personalized risk assessment of an organization’s attack surface, assets, and risk profile in between security tests.  

A recent example demonstrating the need for companies to invest in an ongoing attack surface management solution can be found in the Fortigate CVE announced on June 13. This announcement disclosed a critical pre-authentication remote code execution (RCE) vulnerability in SSL VPN devices that affected all versions of Fortigate SSL-VPN devices and allowed unauthenticated access for RCE. The NetSPI ASM Operations team heard of this and immediately created an automatic detection to push vulnerability alerts for this CVE to our customers, expediting the discovery and remediation process.  

Also, we recently upgraded our World Map view within Attack Surface Management. Many companies host assets in different countries or regions around the globe. We’ve added a “zoom in” capability which allows users to see exactly which assets are hosted in which locations. This provides an easy way for users to locate both know and unknown assets, as well as exploitable assets infringing on their attack surface. 

To learn more about these updates, or other recent releases within our Attack Surface Management platform, check out our release notes, or contact us for a demo.

Penetration Testing as a Service (Resolve™)

NetSPI’s Resolve, our penetration testing as a service (PTaaS) platform, has been an industry leader for years, allowing users to visualize their test results and streamline remediation by up to 40 percent. This product remains the leader due to continued updates from our product development teams.  

Our latest updates focus on tracking and trending vulnerability data, and making that data easily digestible for yourself, your team, and your executives. Our new Vulnerability Trend Dashboard allows users to build customized views to display vulnerability data however is most impactful for each audience. Filter the customized views on whatever specific time, assets, projects, or findings are most relevant for each individual, and save them to review whenever is needed.  

The information shown in each view automatically updates with new vulnerability data throughout each test, ensuring the latest and greatest information is shown to streamline communication and empower teams. Users can also add additional viewers to each saved view or export the charts to streamline reporting. 

If you would like to learn more, we encourage you to read our release notes, or contact us for a demo

This blog post is a part of our offensive security solutions update series. Stay tuned for additional innovations within Resolve (PTaaS), ASM (Attack Surface Management), and BAS (Breach and Attack Simulation). 

Read past solutions update blogs: 


ITSP Magazine: Building A Better Defense With Attack Surface Management | A Company Briefing From Infosecurity Europe 2023

During Infosecurity Europe 2023, NetSPI Field CISO Nabil Hannan caught up with Sean Martin of ITSP Magazine to discuss API security, attack surface management, and more. Listen to the podcast here.


Live on-location from Infosecurity Europe 2023, Sean Martin connects with Nabil Hannan, the field CISO at NetSPI, to discuss Attack Surface Management (ASM) and how it has evolved in recent years to become the minimum cybersecurity benchmark that organizations need. ASM provides a more targeted approach to vulnerability management, allowing testers to focus on building a platform with automation that identifies areas that need attention and validates them.

Sean and Nabil also cover API security, the challenges of authentication and authorization, and the need for organizations to prioritize building secure-by-design frameworks. Nabil stresses the importance of understanding an organization’s external perimeter and what exposures might exist, as well as the need for good cybersecurity hygiene that starts with good cybersecurity basics before bringing others in to help with the problem.

ASM is an important element in modern cybersecurity with its role as the first line of defense reinforces the critical need to have a continuous view of an organization’s external-facing perimeter.

Listen to the full podcast episode below or online here.


#Realtalk with Aaron Bregg [Ep 88]: Rethinking Pentesting and Moving Towards Attack Surface Management

NetSPI Field CISO Nabil Hannan joins the #Realtalk with Aaron Bregg podcast to discuss attack surface management. Listen to the full episode here:


In this episode I had a chance to talk with Nabil Hannan about rethinking your penetration testing strategy and moving towards Attack Surface Management. Nabil is the Field Chief Information Security Officer for NetSPI and has a ton of useful information to share about starting this journey.

Talking points include:

  • What are the biggest misconceptions with pentesting?
  • The problem with buying security ‘things’
  • Understanding your Attack Surface using Breach and Attack Simulations
  • Targeting your ransomware readiness

8th Layer Insights [Ep 34]: Something Wicked This Way Comes: Pentesting Your Environment w/Chad Peterson of NetSPI

On this episode of the 8th Layer Insights podcast, Perry sits down with Chad Peterson, Managing Director at NetSPI, to discuss the importance of penetration testing. We touch on aspects of social engineering, discussing complex security issues with Boards of Directors, the prevalence of ransomware, and some of the unique challenges facing the healthcare industry.

Listen to the full podcast episode below or online here.


Harnessing Exposure Management with Continuous Attack Surface Testing 

As cyber risks grow, evolve, and become more sophisticated, traditional approaches to cybersecurity are no longer effective. According to research from Gartner, enterprises must move beyond vulnerability management to focus on threat exposure management as remote work, cloud storage adoption, and other factors expand organizations’ attack surfaces and potential vulnerabilities faster than threat detection and response controls can mature.  

While attack surface management (ASM) doesn’t replace pentesting, a combination of external network penetration testing and ASM can help organizations enable continuous attack surface testing and more effectively focus cybersecurity resources on the most valuable remediation efforts.

What is Exposure Management?

From a broad perspective, exposure management is the practice of identifying and analyzing possible exposures and taking steps to minimize the impact of associated risks. While the term exposure management is used broadly in other industries, for the purpose of this article, we’re focusing on exposure management from a cybersecurity lens — also referred to as threat exposure management (TEM) or continuous threat exposure management (CTEM).   

Exposure management in cybersecurity involves seeing the complete, accurate picture of an organization’s attack surface and being prepared to make the right decisions to prioritize remediation and effectively reduce overall cyber risk. The full attack surface includes all points of entry and external-facing assets that a cybercriminal could exploit to gain access to your company data—such as hardware, software, web applications, certificates, unsecured APIs, cloud assets, and much more. 

The Growing Need for Exposure Management 

Attack surfaces continue to expand in today’s connected environment, even overnight. The broader the scope of an attack surface and an organization’s digital footprint, the higher the risk of external assets facing vulnerabilities and exposures.  

Another challenge with exposure management is that organizations often have unknown attack surfaces or assets. As highlighted by Forrester in its report, The External Attack Surface Management Landscape, Q1 2023, “You can’t secure what you can’t see.”

With a proactive approach to exposure management and the right attack surface management tools, organizations can identify previously unknown assets and attack vectors—before attackers do—to avoid exposures.

Top reasons exposure management is important include:  

  1. Attack surface sprawl is increasing
  2. Unknown assets pose greater risks
  3. Threat actors are becoming more sophisticated  
ASM In Action: NetSPI’s Attack Surface Management Demo

Why Companies are Prioritizing Continuous Attack Surface Testing 

As both known and unknown attack surfaces expand, companies are increasingly using attack surface management tools to bridge the gap between vulnerability management solutions and manual penetration testing.

Traditionally, a common approach has been for organizations to perform penetration testing annually or a few times a year to meet compliance regulations. Following standard pentesting, at times little to no action is taken on the findings for months because security teams lack research-backed prioritization of which vulnerabilities to fix first. This trend is backed with research in NetSPI’s Offensive Security Vision Report, which concluded a lack of resources, aka people, is the number one barrier to timely and effective remediation. 

Attack surfaces and threats can expand and change overnight. Completing only one pentest per year isn’t enough to secure your attack surfaces and protect against new exposures that emerge over the course of a year.  

Instead of relying on periodic pentesting, leverage a combination of external network penetration testing and attack surface management tools to enable continuous, always-on pentesting. Keep pace with expanding attack surfaces and find vulnerabilities as they arise. As a result, organizations are better prepared to prioritize and focus their cybersecurity efforts.

How Continuous Attack Surface Testing Works 

Here’s a step-by-step overview of NetSPI’s process: 

  1. NetSPI’s attack surface management platform identifies known and unknown assets to provide visibility of attack surfaces. 
  2. Our human pentesters combined with our advanced scanning capabilities triage and prioritize exposures. 
  3. For each vulnerability, our ASM operations team provides descriptions, remediation steps and verification steps. 
  4. This prioritization reduces the number of false positives reported and creates actionable results for your security team. 

How to Achieve Always-On Security with Continuous Pentesting  

An always-on approach to pentesting is the gold standard for cybersecurity today. Attack surface management doesn’t replace external network penetration testing, but rather pairing the two together works in harmony to enable continuous coverage. This helps organizations achieve higher levels of security in today’s evolving threat landscape.  

As an added benefit, from an operational standpoint, this approach also helps organizations with vendor consolidation. Providers such as NetSPI offer both attack surface management tools and external network penetration testing in-house. Businesses that partner with NetSPI have access to an expert team of manual pentesters who complete more than 250,000 hours of pentesting each year. 

Enable Continuous Attack Surface Testing with NetSPI 

Rather than replacing pentesting, attack surface management paired with manual external penetration testing is an advanced method for continuous attack surface testing. We created our attack surface management platform based on three key pillars of ASM—human expertise, always-on, continuous pentesting, and risk prioritization.  

Leverage NetSPI’s attack surface management tool for expert human analysis to prioritize the most important exposures, bring alignment between security and IT teams, and focus vulnerability remediation efforts to create a better overall security posture. Try NetSPI’s ASM tool for free!

Try our Free ASM Scan Tool

NetSPI Named a 2023 Top 200 Workplace in Minnesota, Honored for Cultural Excellence 

Minneapolis, MN – June 16, 2023 — NetSPI, the global leader in offensive security, has been named one of the Top 200 Workplaces in Minnesota by the Star Tribune. The company was selected as one of the best places to work in the state for a third consecutive year, based on an employee survey measuring engagement, organizational health, and satisfaction. 

NetSPI ranks #12 on the midsize companies list, and was honored for its cultural excellence, with special recognition for its innovation, employee appreciation, work-life flexibility, compensation and benefits, leadership, and purpose and values. These recognitions exemplify NetSPI’s values and are a core driver for its continuous growth and positive impact on the cybersecurity industry. 

“Our workplace culture is the foundation of our success. Recognition like this is a great reminder of how special the people at NetSPI are,” said Heather Crosley, VP of People Operations. “It’s no easy feat to maintain a strong culture while experiencing exponential growth. I’m proud of this team for maintaining a positive environment of innovation and collaboration not only in Minnesota, but across our global offices.” 

NetSPI is on a growth trajectory, most recently achieving 58 percent organic revenue growth in 2022. This advancement continues to be driven by an emphasis on evolving its powerful offensive security platforms for its Pentesting as a Service, Attack Surface Management, and Breach and Attack Simulation solutions, global expansion in the EMEA region, and a customer-first approach to cybersecurity. Last year, the company hired more than 230 employees and promoted over 170 staff members. In 2023 to date, NetSPI has welcomed 136 employees to the team to support the delivery and development of its award-winning offensive security solutions

“The companies in the Star Tribune Top 200 Workplaces deserve high praise for creating the very best work environments in the state of Minnesota,” said Star Tribune CEO and Publisher Steve Grove. “My congratulations to each of these exceptional companies.” 

A complete list is available at and will also be published in the Star Tribune Top Workplaces special section on Sunday, June 18. 

For a glimpse of what it’s like to work at NetSPI read the blog post recap of the company’s Employee Kickoff event, written by CEO Aaron Shilts. Visit to explore open job opportunities. 

About NetSPI 

NetSPI is the global leader in offensive security, delivering the most comprehensive suite of penetration testing, attack surface management, and breach and attack simulation solutions. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. Its global cybersecurity experts are committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and many of the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with offices across the U.S., Canada, the UK, and India. 


Evo Cyber Security [Ep 38]: Penetration Testing – The Art And Science Of Hacking Your Own Applications

In this episode of the Evo Cyber Security podcast, host James Price dives into the fascinating world of penetration testing, exploring the art and science of hacking your own applications. Joining him are esteemed guests Ron Kuriscak, Managing Director at NetSPI; Derek Fisher, Head of Product Security at Envestnet, Inc.; and Abhishek Ramchandran, Penetration Testing Team Lead at Siemens.

Together, they share their expertise and insights, shedding light on the critical importance of proactive security measures in an increasingly interconnected digital landscape. Don’t miss this enlightening discussion with top industry professionals.

Listen to the full podcast episode below or online here.


Enterprise Security Tech: US Government Agencies Amongst Victims of Global Cyberattack Exploiting Software Vulnerability

NetSPI EMEA Senior Security Consultant Tyler Sullivan comments on the MOVEit CVE in Enterprise Security Tech. Read the preview below or find the full article at


While the Russian hackers were the first to exploit the vulnerability, experts warn that other groups might now possess the necessary software code to conduct similar attacks. The CLOP group had initially set a deadline for victims to contact them regarding ransom payments. Afterward, they began listing additional alleged victims on their dark web extortion site. However, as of the latest update, no US federal agencies were listed. The hackers even reassured government entities by stating that they had erased all their data and had no intention of exposing such information.

The CLOP ransomware group is part of a larger collection of gangs primarily based in Eastern Europe and Russia, notorious for their focus on extracting significant sums of money from their victims.

This latest cyberattack highlights the extensive impact that a single software vulnerability can have when exploited by skilled criminals. The hackers, a well-known group that emerged in 2019, began exploiting a new flaw in MOVEit, a widely used file-transfer software, in late May. Their approach appeared opportunistic, targeting as many vulnerable organizations as possible and leaving them susceptible to extortion.

Progress, the US company that owns MOVEit software, has advised victims to update their software packages and has issued security recommendations to mitigate the risks.

Tyler Sullivan, Senior Security Consultant, NetSPI provided insights on how a shift in security strategy implementation could help thwart this type of threat in the future:

“To slow third-party software vendor-based attacks, a paradigm shift is required, from standard perimeter-based networks to a Zero Trust architecture. Additionally, it’s critical for organizations to minimize the attack surface and reliance on the supply chain – this means decreasing the amount of third parties used and regularly auditing them for any security gaps.

There is not a single responsible party for the supply chain, it’s down to the vendors, the repositories, the software consumers and the developers. The second half of 2023 should be when we see meaningful progress by all parties involved to control the supply chain and ensure it can be used in a secure way.”

You can read the full article here!

Discover how the NetSPI BAS solution helps organizations validate the efficacy of existing security controls and understand their Security Posture and Readiness.