Cyver Core launched in early 2020 as a startup. We’ve come a long way since then, despite navigating early growth during the height of the pandemic. Now, 2 years later, Cyver Core is still a bootstrapped startup and still growing. We’re proud of that growth. But, we’d like to look back on where Cyver Core came from, with an interview with our founders Luis Abreu and Mike Terhaar.
Luis is an experienced technical founder and entrepreneur behind several successful companies including Amsterdam-based Nmbrs. Mike Terhaar is a veteran pentester and cybersecurity consultant with 20+ years of experience.
An Outdated Delivery Model
Luis: “I was always responsible for cybersecurity in my old role as CTO at Nmbrs. While I didn’t do pentesting, I was responsible for implementing tooling like DAST, SAST, and pentesting. Early on, that process made me painfully aware of how bad some pentest processes can be from a customer perspective. With DAST and SAST, findings were flagged, individually listed as tickets, and easy to share directly to developers.
With pentesters, that was never the case. For example, I found several great pentest companies. But, the process was always manual and always relied on a single person, in this case, me. So, pentesters would interview me about the project and scope and, even in instances where I thought my teams would be able to give better insight and more details, I was the only point of contact.
From there, I always had to wait a few weeks. Then, my pentesters would send a PDF report. I’d often have to go through that alone with the pentesters – despite the fact that it would have made more sense for the pentesters to talk directly to my teams, who would actually be doing the remediation.”
Mike: “I looked at it from a different perspective. I was working with a large bank. There, we had something like 400 pentests that our small team of pentesters would have to complete throughout the year and then repeat every year. Every one of those pentests needed a report. This led to a significant amount of manual work in scoping, building libraries, building reports, etc.
“So, I was very interested in how a pentest management platform could automate those repetitive tasks. For example, by using templates and storing information in a secure cloud portal. In addition, delivering that work directly to the developers, so pentesters could stop wasting their time building the large report, would save the organization time and money as well.”
Luis decided to look for the solutions he needed.
Luis: “I started looking for digitization options. I found pentest-as-a-service and started up with a company. It was everything I wanted. There was a cloud portal, teams were onboarded and part of the process, developers could discuss remediation with the pentesters, they could also request pentests themselves. It was also extremely easy to show auditors that pentests were happening and findings were being remediated.
Then I started asking why so few pentest companies were using this model. It dawned on me that pentesters wanted to focus on their core business, pentesting, not building a technology platform. Only major companies with the funding to develop a platform could have one.
I started asking around, trying to figure out if there were pentesters who felt like they could use a portal but didn’t have the opportunity to build one. That’s how I first found Mike, who was working as a freelancer in Amsterdam with his business, Counterhack.”
Mike: “I was very enthusiastic about Luis’ idea. I’d been looking into a solution for managing pentests and delivering findings directly to developers for some time, but no one was building one. My idea was that a portal could allow pentests to shift away from the trend of making them as big and as expensive as possible and move towards Agile pentesting, where you do smaller tests more frequently.”
Luis: “Our prototype was drawn up on paper, and I showed it to our lead developer, Rodrigo, in a coffee shop. I asked him if he could start building, and we did. Mike started using Cyver Core from day one, and his feedback and insight allowed us to build it to the point where we could start onboarding clients.”
Mike: “I was the first Cyver Core user. It started out basic, you had to do a lot more manual work than now because a lot of the connections weren’t there. Now, we have integrated compliance frameworks for DigiD or ISO27001, you can easily connect findings to the scope of the test or to a compliance framework, you can easily generate tables, etc.
Once I started using Cyver Core, it proved my point. If I were to run those same pentests with Cyver Core, I’d probably spend an average of four hours less per pentest, because the report is always there, the template is there, the findings are there, and I don’t have to check and review for manual error from copy-pasting between Qualys and Nessus and Word – even without considering that Word always breaks or messes up the fonts and formatting when you paste between them.
The templates save me a lot of time; you only have to import scope information once. If the customer comes back later, you just have to verify it hasn’t changed and everything is right there. And, of course, in the last year, features like Merge Findings, vulnerability library support, etc., really save time as well.”
Luis: “Pentesting was a completely new industry for me. I knew what the customer side of the process looked like and what the end-result was, but not how pentesting was done. That’s where Mike came in. He really offered insight into workflows and processes that we built into the platform.”
Mike: “From day one, our push has been for more automation, automatically filling finding data, generating reports, etc. The more manual work we can automate, the more value we can add by reducing time spent on overhead, management, and delivering pentests and the more time we can spend on manual pentesting.”
Luis: “We also had some changes to how we deliver services. For example, I thought pentesters would be happy to deliver findings in a portal. But, everyone is still concerned about delivering a PDF report. We developed our pentest report generation tooling after we built the platform, simply because so many customers wanted it. Today, we still help most new customers import their old PDF into our portal to keep the same look and feel. I still believe that findings as tickets will eventually fully replace PDF reports, but the market still has to adapt to that.”
Mike: “A large part of my role was helping to set up processes, designing them, and figuring out what should be included. I’ve tested and offered feedback on every feature, even when those features were based on customer requests and feedback.”
Luis: “Cyver Core is a fully bootstrapped company. I believe that in the long run that’s better for the company because we can grow stably. In the short term, it’s a lot more challenging because you have budgets and timelines that wouldn’t be a concern with funding.”
Off to a Great Start
Two years in, Cyver Core has clients on almost every continent, with tens of thousands of findings uploaded to the portal each year. In 2022, we grew by 240% and hired new team members to support our growing customer base. We’re proud of that growth and we look forward to continuing to expand, add new features, and onboard new customers.
Mike: “It’s important that we keep growing, and that growth has to be based on customer feedback and insight. We already have competitors with more funding because they aren’t bootstrapping, which creates risk for us, so we have to ensure that we can keep up with the market.”
Luis: “A lot of the experience I brought from Nmbrs on building SaaS for service providers really helped me with Cyver Core. I already understood how to set up the company, build the platform, and how to leverage platforms and open source technology – so I didn’t have to build everything from scratch like 15 years ago. We were also able to leverage Azure cloud, which allowed us to build very rapidly.”
Luis: “It’s also interesting that we launched during the pandemic because it means we work fully remote, and we always have. It was challenging at first, but now we’re remote from the core, which means we can leverage talent wherever it is, without having to worry about office locations. That allows Cyver a certain amount of flexibility when we need new people or skills.”
Mike: “One thing I’ve really loved about working with Cyver Core is how much we bring great ideas together. Originally, we started out with mostly my pentest processes. Over time, we’ve adapted the platform to include best practices from customers around the world by listening to feedback, taking feature requests, and working to make a pentester-first product.”