Pen Testing Platform Maker Ramps Up Partner Program

Core Security Technologies is ramping up its partner program, attempting to compete in the vulnerability assessment market by forging relationships with Microsoft, McAfee and others as well as adding channel VARs that specialize in security and vulnerability management.

The Boston-based company sells a platform that combines penetration testing and vulnerability scanning. Core sells two products: Core Impact, a full-fledged pen testing suite used by hardcore penetration testers, and Core Insight, an automated vulnerability testing platform introduced in 2010 for chief information security officers and other executives.

The company's new channel chief, Joe Schramm, said he joined Core last year to formalize the company's partner program. Core needs to make the case that businesses need ongoing penetration testing in their environment and compete against the likes of another Boston-based security firm, Rapid7, which integrates the commercial Metasploit pen testing tool into its Nexpose vulnerability scanning software. Meanwhile, Miami-based Immunity, Inc. sells the Canvas pen testing platform.

There is growing momentum around using penetration testing and vulnerability management data as part of risk management programs to influence decision making with non-IT executives, said Paul Proctor, chief of research for security and risk management at Gartner. If the data is presented well, executives can use it to make budgeting decisions for security and prioritize business units based on their security posture, Proctor said.

By 2014, Gartner predicts that 80 percent of the Global 2000 will be required to report the state of security to the board of directors on an annual basis, Proctor said.

"All of these tools are starting to go from being techie toys to being something that can produce information with a business context," Proctor said. "CISOs have a significant interest in being able to translate what is very technical stuff into something that can be understood by a decision making body like a board of directors."

Schramm said Core needed a plan to build up formal relationships with technology partners and add a cadre of channel resellers and solution providers. The new partner program, launched by Schramm last year, has signed on 23 partners and resellers, including nine resellers in the U.S.

"The company didn't have any formalized technology partnerships and few channel relationships," Schramm said. "Historically the company transacted a high volume through its channel, but it was more of a pass-through; none of it originated from the channel."

Core's Schramm points to vast improvements in its channel strategy as the reason for the early success. The company rolled out a new partner portal, making it easier to navigate while adding more relevant information. It built out a program guide and franchise kit, providing partners with white papers, data sheets and co-branded information materials, Schramm said. Cheat sheets and battle cards were designed to provide partners with compliance requirements and other information useful to the healthcare, government and financial services industries.

"Security has moved into the boardrooms," said Justin Kallhoff, CEO of Lincoln, Neb.-based channel provider Infogressive, which sells Core products. Kallhoff, a certified forensics analyst, said getting automated pen testing into small and midsized businesses is a challenge, but it is making the case for managed services.

"There's a lot more interest in analytics and reporting from the C-level people," Kallhoff said. "Before it was about letting those nerds do what they do, but there's a growing need to better understand what they're finding."

Schramm said an ideal reseller must be selling around the areas of vulnerability, risk management and attack simulation. Some partner organizations may be consultancies with a security practice, others will be smaller and highly specialized, he said.

The company is also trying to jump-start its technology partner relationships. It is currently going through certification to integrate with McAfee's ePolicy Orchestrator and expects to gain certification in the spring, Schramm said. It also has relationships with defense industry giant Raytheon and with IBM's security practice, where it is building integration with the IBM-Q1 Labs QRadar SIEM appliance.