5:08 pm

Exploit Acquisition Program Shut Down

We've decided to terminate our Exploit Acquisition Program (again). Our motivation for termination revolves around ethics, politics, and our primary business focus. The HackingTeam breach proved that we could not sufficiently vet the ethics and intentions of new buyers. HackingTeam, unbeknownst to us until after their breach, was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations. While it is not a vendor's responsibility to control what a buyer does with the acquired product, HackingTeam's exposed customer list is unacceptable to us. The ethics of that are appalling and we want nothing to do with it. While EAP was an interesting and viable source of information for Netragard, it was not, nor has it ever been, Netragard's primary business focus. Netragard's primary focus has always been the delivery of genuine, realistic threat penetration testing services. While most penetration testing firms deliver vetted vulnerability scans, we deliver genuine tests that replicate real-world malicious actors. These tests are designed to identify vulnerabilities as well as paths to compromise, and help to facilitate solid protective plans for our customers. It is important to mention that we are [...]

8:36 pm

The HackingTeam breach & EAP

The Exploit Acquisition Program was founded in 1999 with ethics in mind. Our goal was to provide researchers with a safe and trusted place to sell their exploits with the comfort of knowing that their exploits wouldn't end up in questionable hands. To facilitate that we established a set of policies that we would use to regulate our distribution of exploits. One of those controls required our buyers to be US-based entities. In mid 2014 we modified those controls and made an exception when HackingTeam was introduced to us by a trusted US-based partner. It was our mutual understanding that this buyer maintained the same code of ethics as our own. Unfortunately we were very, very wrong. The breach of HackingTeam is a blessing in disguise. The breach exposed their customer list, which contained a variety of questionable countries known for human rights violations. Their customers are the very same customers that we've worked so hard to avoid. It goes without saying that our relationship with them is over and we've tightened our vendor vetting process. The breach also exposed the one exploit that we sold them (as is evidenced by their leaked emails). Interestingly enough, that exposure makes us quite [...]

4:46 pm

What real hackers know about the penetration testing industry that you don’t.

The information security industry has become politicized and almost entirely ineffective, as is evidenced by the continually increasing number of compromises. The vast majority of security vendors don't sell security; they sell political solutions designed to satisfy the political security needs of third parties. Those third parties often include regulatory bodies, financial partners, government agencies, etc. People are more concerned with satisfying the political aspects of security than they are with actually protecting themselves, their assets, or their customers from risk and harm. For example, the Payment Card Industry Data Security Standard (PCI-DSS) came into existence back on December 15th, 2004. When the standard was created it defined a set of requirements that businesses needed to satisfy in order to be compliant. One of those requirements is that merchants must undergo regular penetration testing. While that requirement sounds good, it completely fails to define any realistic measure against which tests should be performed. As a result the requirement is easily satisfied by the most basic vetted vulnerability scan, so long as the vendor calls it a penetration test (the same is still largely true for PCI 3.0). To put this into [...]

7:55 pm

0-Day Exploit Acquisition Program Update

We are writing this quick blog entry to let people know that we've made some significant changes to our Exploit Acquisition Program. Those changes include the creation of an online registration form, an online exploit submission form, the introduction of additional buyers to our program, and faster turnaround for each item submitted by registered developers. Another change is that we've created a referral program. If you refer someone to our program and their item is purchased by one of our buyers, then we will provide you with a percentage of the total sale value. If you are interested in registering for our program please click here: If you have general questions please contact us at:

6:33 pm

Penetration Testing Vendor Comparison. How To Select The Right Vendor.

Video Overview: Not all penetration testing services are equal. This video discusses what to watch out for when selecting a penetration testing vendor. Penetration Testing Vendor Comparison Video Below. Not all penetration testing companies are created equal. In this video we walk through the right way to conduct penetration testing versus the wrong way. Most testing firms are not performing genuine penetration tests; they are selling thinly disguised scans. This video will help you make sure you don't fall victim to such scan-based services.

6:58 pm

Not All Penetration Testing Services Are Created Equal

9:03 pm

How we breach retail networks…

We recently delivered an Advanced Persistent Threat (APT) Penetration Test to one of our customers. People who know us know that when we say APT we're not just using buzzwords. Our APT services maintain a 98% success rate at compromise, while our unrestricted methodology maintains a 100% success rate at compromise to date. (In fact we offer a challenge to back up our stats. If we don't penetrate with our unrestricted methodology then your test is free. If we do get in then you pay us an extra 10%.) Let's begin the story about a large retail customer that wanted our APT services. When we deliver covert engagements we don't use the everyday and largely ineffective low-and-slow methodology. Instead, we use a realistic offensive methodology that incorporates distributed scanning, the use of custom tools, and zero-day malware (RADON), among other things. We call this methodology Real Time Dynamic Testing™ because it's delivered in real time and is dynamic. At the core of our methodology are components normally reserved for vulnerability research and exploit development. Needless to say, our methodology has teeth. Our customer (the target) wanted a single /23 attacked during the [...]

5:15 pm

What you don’t know about compliance…

People are always mystified by how hackers break into major networks like Target, Hannaford, Sony (government networks included), etc. They always seem to be under the impression that hackers have some elite level of skill. The truth is that it doesn't take any skill to break into most networks because they aren't actually protected. Most network owners don't care about security because they don't perceive the threat as real. They suffer from the "it won't ever happen to me" syndrome. As a genuine penetration testing company we take on dozens of new opportunities per month. Amazingly, roughly 80% of businesses that request services don't want quality security testing; they want a simple check in the compliance box. They perceive quality security testing as an unnecessary and costly annoyance that stands in the way of new revenue. These businesses test because they are required to, not because they want to. These requirements stem from partners, customers, and regulations that include but are not limited to PCI-DSS, HIPAA, etc. Unfortunately these requirements make the problem worse rather than better. For example, while PCI requires merchants to receive penetration tests, it completely fails [...]

7:43 pm

Don’t become a Target

All of the recent news about Target, Neiman Marcus, and other businesses being hacked might be a surprise to many, but it's no surprise to us. The truth is that the practice of security has devolved into a political, image-focused exercise designed to satisfy technically inept regulatory requirements that do little or nothing to protect critical business assets. What's worse is that many security companies are capitalizing on this devolution rather than providing effective solutions in the spirit of good security. This is especially true with regards to the penetration testing industry. We all know that money is the lifeblood of business and that a failure to meet regulatory requirements threatens that lifeblood. After all, when a business is not in compliance it runs the risk of being fined or not being allowed to operate. In addition, the imaginary expenses associated with true security are often perceived as a financial burden (another lifeblood threat). This is usually because the RoI of good security is only apparent when a would-be compromise is prevented. Too many business managers are of the opinion that "it won't happen to us" until they become a target and it [...]

1:15 pm

How much should you spend on penetration testing services?

The right way versus the wrong way to price a penetration test

The most common question asked is "how much will it cost for you to deliver a penetration test to us?". Rather than responding to those questions each time with the same exact answer, we thought it might be best to write a detailed yet simple blog entry on the subject. We suspect that you'll have no trouble understanding the pricing methods described herein because they're common sense. The price for a genuine penetration test is based on the amount of human work required to successfully deliver the test. The amount of human work depends on the complexity of the infrastructure to be tested. The infrastructure's complexity depends on the configuration of each individual network-connected device. A network-connected device is anything, including but not limited to servers, switches, firewalls, telephones, etc. Each unique network-connected device provides different services that serve different purposes. Because each service is different, each service requires a different amount of time to test correctly. It is for this exact reason that a genuine penetration test cannot be priced based on the number of [...]