TL;DR: IOActive, a research-driven provider of specialized information security solutions, provides a range of full-stack penetration testing, program efficacy assessments, and hardware hacking services. The trusted partner helps Global 1000 enterprises safeguard their entire development process through a unique attacker’s perspective, maximizing security investments and improving business resiliency. Now, more than two decades after its inception, IOActive is looking to leverage its experience to protect entire industries from an ever-evolving threat landscape.
As any good medical practitioner will tell you, treating a symptom may help in the short term, but if you don’t uncover the underlying disease, you’ll never find a cure.
The same logic applies to computer systems: Protecting your business from sophisticated security threats requires the knowledge of specialists who can assess your operations holistically, then develop an action plan to improve your overall security posture.
Since 1998, IOActive has been that specialist, helping companies across the globe diagnose and treat systemic problems through a range of research-driven security solutions.
“At its heart, IOActive is a research company, and through that research, we find vulnerabilities that we build our methodologies around,” said Matt Rahman, COO at IOActive. “We’ve built a strong company with smart people at our core, and our methodologies are our secret sauce.”
And, because security is an evolving profession, the company’s goal is to remain vigilant as new risks emerge. “We’re trying to stay ahead of what we call the threatscape, consistently paying attention to threat actors and developing services to combat the biggest threats,” said Jennifer Steffens, CEO at IOActive.
Today, IOActive is a trusted partner for Global 1000 enterprises that depend on the company to take on their most challenging security issues. The forward-thinking group researches every layer of the technology stack to safeguard the entire development process from a unique hacker’s perspective. With plans to leverage its extensive experience to protect entire industries from an ever-evolving threat landscape, IOActive is continuing to stake its claim as a leader in online security.
Safeguard Your Entire Development Process
IOActive was founded more than two decades ago by Josh Pennel, a security entrepreneur, strategist, and developer. Before that, Josh played a significant role in the ethical hacking community, where he helped his team win DEF CON’s Capture the Flag, a now-infamous hacking competition. They won the event three years in a row until staff politely asked them to stop playing so others could win.
For the next three years, Josh and his team took the competition from a pen-and-paper scoring system to a high-quality electronic contest. “In doing so, they caught the eye of folks like Microsoft and the state of Washington who wanted to bring them in to help with the security of their products and infrastructure.”
Thus, IOActive was officially born. Since then, the company has established a long track record of providing comprehensive security solutions to customers in a range of industries.
“For 21 years, our mission has been to make the world a safer, more secure place,” Jennifer said. “We will come in and assess the security from an attacker’s point of view, see where vulnerabilities lie, and suggest how they can improve their security posture and business resiliency.”
IOActive considers an organization’s overall business mission before making strategic decisions centered on security. “Security in a vacuum is never going to be as effective as it is if you can understand the organization’s goals, competitive landscape, and industry assets,” Jennifer said. “It’s critical to translate the security mission into business speak so the entire executive team and board can understand its importance.”
Efficacy Assessments, Penetration Testing, and Hardware Hacking
The IOActive team has seen its share of evolving trends over its 21 years in the online security industry. Most recently, Matt has observed a host of problems surrounding the digital transformation process, in which companies are using innovative technical solutions to improve their operations.
“We’ve seen this vast adoption of technology intended to increase efficiency, but what’s missing is a focus on security from a holistic perspective,” he said. “For the most part, businesses aren’t doing enough to protect themselves from online criminals and nation-states.”
To determine a baseline for security management within an enterprise, IOActive’s service begins with an in-depth assessment of the organization’s risk posture, potential threat actors, and current defensive capabilities before crafting a plan for the future. The idea is to create an actionable security program that can be used by everyone in the company to successfully reduce risk.
The company also provides full-stack penetration testing across a spectrum of technologies, including mobile applications, embedded devices, IT infrastructure, and cloud environments. Because every industry faces different security challenges and threat actors, IOActive incorporates unique risk factors into the methodologies it uses for each customer.
This approach ensures the company can leverage the most effective testing metrics and provide sound remediation advice. “It’s critical to tailor our services to each client’s needs,” Matt said. “We help them understand their unique business risks, identify security gaps from an attacker’s perspective, and provide actionable recommendations.”
A Trusted Partner for Global 1000 Enterprises
Matt said IOActive serves a number of large enterprises within various verticals, including energy, financial services, healthcare, retail, and telecommunications. At the same time, he said hackers frequently target midmarket organizations, which they consider the low-hanging fruit in terms of security.
“They often go after medium enterprises because they don’t have the resources or the budgets to acquire the security technology they need,” he said. “We serve a lot of large enterprises, but from our perspective, we’re available for anyone who needs our help, and we have different pricing and strategies for that midmarket approach as well.”
IOActive also serves a variety of tech companies, from hardware manufacturers and software developers to security vendors, who Matt said often seek an unbiased opinion. Boards overseeing tech companies have brought IOActive in to audit their people, processes, and infrastructure, and technical buyers have leaned on the company as an extension of their internal workforce.
“They come to us for validation and attestation of their software and hardware technology,” he said. “What we’re doing is pretty unique, and a lot of customers in both the public and private sector want to be able to leverage our expertise.”
To that end, Matt said IOActive is open to forming partnerships with some tech and security companies.
“We’ve already helped a lot of organizations be secure,” he said. “Now, we want to work with the security and tech community using our capabilities and our attributes to solve problems together, which would create a more harmonious world.”
Working to Better Protect Industries as a Whole
Beyond future partnerships, Jennifer said IOActive is focused on driving the company forward through additional research and collaboration.
“We’ve got a number of upcoming bodies of research that we’ve worked to enhance over the last two years,” she said. “And, since we have been advocates of responsible disclosure from the start, we have come up with a more collaborative disclosure policy that has enabled us to get more information so that industries can be better protected as a whole.”
Matt said IOActive will also focus on extending security in the transportation and gaming industries. “We have our ears to the ground, which helps us foresee future impacts to organizations and enterprises and determine how we can help defend and protect against them.”