In 2014, Guy Bejerano and Itzik Kotler set out to fundamentally change the way enterprises understand and manage cyber risk. Their journey began when they were introduced over a shared interest in addressing a frustrating—yet seemingly accepted—issue in the security industry: that security leaders could spend a fortune on security controls, yet still be unable to confidently assess their level of preparedness against specific threats.
Guy and Itzik met and, within minutes, knew they were onto something. And, as they say, the rest is history. Over the next 10 years, their vision for a powerful breach and attack simulation (BAS) platform that could help organizations take a more proactive approach to security came to life with the help of a talented team, dedicated customers, and supportive partners.
Over the last month, SafeBreach has had the honor of celebrating this 10-year journey. We kicked off the month with highlights of the standout milestones and memories from our 10-year history and had the opportunity to toast with our teams in both virtual and in-person celebrations across the globe.
To sweeten the celebration, we were also recognized this month on both the Forbes list of America’s Best Startup Employers and as a 2024 Gold Globee® Award Winner for Company of the Year in the Security Software category.
Finally, to close out our month-long celebration, we spent some time with Guy and Itzik as they reflected on the last 10 years of SafeBreach. Read on to hear some of the personal and professional highlights, challenges, and lessons learned from their decade-long journey as pioneers in the BAS industry.
Guy: Before founding SafeBreach, I was a very non-traditional CISO. Instead of trying to chase the downside in security and look only at risk, I tried to see how security could actually help the business move faster. But one of my biggest challenges as a CISO for a cloud-based company was being able to show the level of efficacy of our security program—how well we were protecting our customers’ data. At the time, there was nothing to really help me do that. So, I was inspired to change that to help the industry think differently about security and provide a non-traditional solution that could help CISOs, like myself, better understand the efficacy of their security program and make data-driven decisions—no more guessing what to do.
Itzik: Based on my background as an ethical hacker, I was developing offensive content to help organizations overcome what Guy and I framed as “asymmetrical warfare”: the idea that in cybersecurity, an attacker only needs to be successful once, but a defender needs to successfully defend 100% of the time. I wanted a way to turn my knowledge into a tool that anybody could operate. Traditionally, offensive security has been considered a bit of a mystery—there’s no “hacker” university. People often gain this knowledge through technical experience and personal curiosity and, as a result, it often remains confined to certain circles. But I don’t believe it should be a kind of magic that only a few people know—it should be commercialized and commoditized and accessible to everybody. That is what inspired me and that was the goal of SafeBreach: to help organizations break this cycle of asymmetrical warfare by utilizing offensive security for defense.
Guy: When we started, there was no BAS category, and we really had to fight to convince the market that BAS was not only needed, but was necessary. So, I’m really proud of the success we’ve seen in changing the way the market thinks about offensive security, which is evidenced by the industry giants that we call customers today. These huge enterprises see the value in our technology and have adopted it as part of their core security strategy. That’s an amazing feat—something I would never have imagined we could achieve. The other thing I’m really proud of is how we have managed to build a culture that is truly unique and special—every day, I am impressed by the caliber of individuals we have on our team, by the resilience we display in the face of constant change, and by the way we continue to operate as one unit, regardless of the challenges we experience.
Itzik: There are a lot of moments I can think of, but one of my proudest moments for me is actually something that has happened recently around our original research. A lot of the content in our Hacker’s Playbook comes from known threats and hackers that have already made the news. But a key part of the value of our SafeBreach Labs team is their ability to try to predict the future by developing new threats that are unknown. Often, we’re invited to present this research at events like Black Hat, DEFCON, and RSA. But we’ve also started adding this groundbreaking research—like our Pool Party research—to our platform. Now, we’re seeing our customers using our platform and our original content. I’m very proud of this level of adoption because it means that customers not only recognize the need for BAS, but they also recognize the need for the exclusive, original content only the SafeBreach Labs team is able to offer. The intersection of our technology and thought leadership is amazing to see.
Guy: Well, we’ve encountered many challenges over the years. But one of the most consistent challenges has been trying to change the mindset of the security industry, which is a highly saturated market. It was an uphill battle in the beginning and there was a lot of skepticism about whether we could actually build this technology—which was so unique—at scale to serve large enterprises. It’s a challenge we faced head on and, again, I think our customer base proves how we’ve managed to shift that mindset in some of the largest organizations in the world.
Itzik: I think the biggest challenge has been understanding that there is a difference between innovation and actually making that innovation mainstream. As a company that pioneered a new category, it was an uphill battle early on. People really liked our technology, but there were lengthy approval processes at the large enterprises we were going after and it took time for them to adopt it. 10 years in, that can still be a challenge sometimes, but we’ve obviously had great success evidenced by the fact that we get to call some of the largest financial services, healthcare, manufacturing, and transportation organizations in the world our customers.
Guy: I’ve learned to embrace the fact that this is going to be a rollercoaster ride and to try not to get too excited by the highs or the lows along the way. I’ve also learned to force myself to stop every once in a while to appreciate what we’ve accomplished. That’s something that you don’t always allow yourself to do—it can feel like an endless race as we are constantly trying to achieve the next big thing. And this year, like every other in the past 10 years, we have some big goals to accomplish. But we need to take a moment to celebrate what we’ve done so far and this is a good opportunity to do just that.
Itzik: For me, I think I’ve learned a lot about patience. I think this is an interesting quality for entrepreneurs, and especially for people like myself who are technologists. My background as a builder means I write code and, if things compile and execute correctly, I get to see the outcome of my work quickly. But being an entrepreneur, I’ve had to learn that things take time. While this can often feel like a sprint—we need to be moving fast and making things happen—it really is a marathon in the grand scheme of things. In a marathon, you need to manage your resources and have patience. And over the years, I’ve really worked on developing that ability.
Guy: We’re on a path to build the platform that CISOs will use to not only understand their residual risk, but to make data-driven decisions around their risk. It will help them develop the right strategy by helping them understand things like the set of tools they need to invest in, the way they need to build their operation, the way they need to measure their efficacy, etc. The platform will inform everything around risk, eventually helping CISOs reduce risk to a point where the business can live with it. That’s the way we see the market going and we are working to converge our capabilities with adjacent capabilities to build that entire platform. Stay tuned!
Itzik: SafeBreach technology was always designed to help companies prevent a breach. But we believe balancing between the offensive (red) component and the defensive (blue) component is going to become a very important thing. There is a huge amount of value in showing companies the vulnerabilities that exist that could lead to a breach, but it’s also equally important to try to automate the processes to prevent a breach as much as we can. The benefit of our platform, and of attack simulation, is to have the ability to predict whether a specific threat, like ransomware, will be successful. So, I think we will continue to build capabilities that will empower customers around predictive prevention—not only to understand vulnerabilities but to prevent the use of them in advance, rather than in real time.