The money will fuel Bishop Fox’s visibility and continued testing for all services
Michael Novinson (MichaelNovinson)
July 15, 2022
An emerging offensive security player closed an eight-figure funding round to boost visibility and continuous testing capabilities across its service offerings.
Bishop Fox says the $75 million funding will allow the Phoenix-based company to scale from offering only attack surface testing on its Cosmos platform to offering all of its services, including Application Penetration Testing, Network and External Penetration Testing, and Red Team. The Series B round was led by Carrick Capital Partners and brings Bishop Fox’s total funding to $100 million since its founding in 2005.
“We have enormous stability in a very fragile economic environment,” co-founder and CEO Vinnie Liu told Information Security Media Group. “So we hope that will then serve as a source of strength for us.”
Bishop Fox tapped Carrick to lead the Series B because of the investment firm’s experience helping portfolio companies expand their go-to-market motion and move from traditional managed services to technology- and platform-based offerings, according to Liu. He says Bishop Fox plans to grow from just under 400 employees today to over 500 workers a year from now.
“The transition from services to platform is very unique to Carrick,” says Liu. “The thing that we’re really pivoting on is that they’ve successfully helped companies make this transition.”
Ditch the pinpoint tests
The traditional approach to penetration testing that organizations have taken over the past 15 years involves customers telling a third-party vendor like Bishop Fox what and where to test for a two-week period. But for the remaining 50 weeks of the year, Liu says, the customer’s defenses go untested and the third-party vendor has no visibility into its customer’s security posture.
Bishop Fox’s launch of the Cosmos platform aims to help organizations move from one-time assessments to ongoing assessments of their IT environment, Liu said. The launch of Continuous Attack Surface Testing on Cosmos means that customers have a much better view of what their attack surface really is, because they can see when assets move within the cloud or in and out of cloud environments.
With attack surface testing now on Cosmos, Liu says, customers know throughout the year whether there are serious or commonly exploited vulnerabilities on their external attack surface. Migrating External Pen Tests, Application Pen Tests, and Red Team to Cosmos will require a decent amount of engineering work, since each service was developed separately and has its own complexities.
External Penetration Testing and Application Penetration Testing are currently in the early stages of beta testing and are expected to be available within the next three months and in the first quarter of 2023, respectively. The shift to continuous pen testing for applications means that customers will learn more quickly where vulnerabilities lie in their custom applications so that weaknesses can be patched before they are exploited.
“We do it against custom apps, which is incredibly hard to do,” Liu says.
The red team that never stops
Continuous red teaming on Cosmos will allow Bishop Fox to emulate a wide variety of ransomware attacks in a nearly fully automated fashion so that customers can determine how susceptible they are to different strains of ransomware. This means customers can determine the most likely attack paths without having to allocate many internal resources, since the work is almost entirely automated, Liu says.
As a result, Liu says, customers’ vulnerability management and security personnel have more time for strategic conversations about other areas of security testing they want to focus on and for more ad-hoc assessments.
From a metrics perspective, Liu hopes the Series B funding and subsequent Cosmos expansion will increase the rate at which Bishop Fox discovers new assets or changes in the attack surface. He also anticipates that the money will increase the speed at which highly exploitable vulnerabilities are identified as well as the speed at which those vulnerabilities are patched by working in partnership with customers.
“There’s actually an opportunity for us to enable technology for our platform, for all of our services,” Liu said. “And that’s really going to be a game-changer for us, because we can really strengthen the whole business, all of the services that we offer.”