Detectify Year in Review 2018

December 20, 2018

It’s been a great year for Detectify and there’s a lot that’s happened for us as we continue to grow our teams and business. Join us for a proverbial toast to the year as we share a recap of our highlights:

Successfully raised 5 million EUR in March 2018

In March, we were pleased to announce a successful series A funding round that raised €5 million led by New York-based venture capital and private equity firm, Insight Venture Partners. Our existing investors, Paua Ventures and Inventure, also participated in the funding round. The investment supports Detectify’s international expansion and continued R&D.

Over 50,000 vulnerability findings from Detectify Crowdsource submissions

In its second year, the Detectify Crowdsource white hat hacker platform has welcomed several high-profile hackers to our community. This year we created 185+ new security tests from our Crowdsource vulnerability submissions and these have generated over 50,000 unique findings in our client scan profiles. Want to meet a couple of our hackers? Check out our Meet the Hacker interviews with Gerben and Fredrik on the Detectify YouTube channel.

4 Hacker Schools

Knowledge sharing is a key part of the Detectify culture and part of our strategy on how to help our clients improve their own security skills and stay updated on our company happenings. For this reason, we started hosting Hacker Schools in our Stockholm office and invited our valuable customers to show our appreciation for our partnerships. This year our events featured hacker talks from our Detectify Crowdsource members, Gerben Janssen van Doorn, Carl Svensson, Frans Rosén (Detectify Security Advisor) and Fredrik N. Almroth (Detectify Co-founder). We also invited Spotify, Pipedrive and SBAB to speak about how they work with Detectify in their teams. We noticed that the concept took off this year and we started to see our office become a meeting point for Stockholm security professionals to network and exchange best practices on how to make their own organizations more secure. We look forward to more in our new office in 2019!

Image: Detectify co-founder Fredrik Nordberg Almroth speaking at Hacker School

Image: Collage of Hacker Dinner Events in MEATMission in London, Stack in Las Vegas and REM Eiland in Amsterdam

Internationally hosted Hacker Dinners

We now have customers in 50+ countries and, to build upon this presence, we hosted exclusive Hacker Dinner events in some of our up-and-coming country markets including London, Las Vegas and Amsterdam. We brought some of our Detectify Crowdsource white hat hackers together with security professionals to dispel some myths of the hacker profile, talk about cool hacks and show how powerful crowdsourced security can be. These dinners also featured live lightning talks from Detectify’s own co-founder and security researchers, Fredrik N. Almroth, Linus Särud and Frans Rosén.

We attended 31 events with speaker or panel spots at 27 of these.

Highlights for the year include Frans Rosén’s keynote talk at AppSec EU and our debut at Black Hat. These events included app- and info-security conferences, client-side inspirational sessions and developer knowledge events. We gained a lot of security knowledge and shared our company swag with new friends to tag them with #gohackyourself. Martina, Detectify software engineer, has continued to show other security-interested developers how she previously hacked her own code to strengthen her coding skills at Code Night and two events dedicated to women who code – Technigo and PyLadies Stockholm. We look to continue supporting the security community and security-interested folks, share our product and research with everyone and keep pushing automation forward. We’ve created an events page where you can follow us on the road! Our CMO, Yasmin Tilles, has also shared the marketing secrets of Detectify with keynote presentations at various conferences including Conversion Jam and Business Model Summit.


Detectify achieves advanced technology partner status with AWS

We are now recognized as an advanced technology partner at Amazon Web Services and we were granted pre-authorization for application vulnerability scanning of AWS hosted applications.

Implementing Practical web cache poisoning module

In August, PortSwigger Security Researcher James Kettle published research that got a lot of attention from the security and developer world. Web cache poisoning had long been thought of as a theoretical threat that a developer ought to think about, but it was never really taken seriously. However, Kettle proved how the vulnerabilities could be realized, and our security researcher team implemented tests to detect this, including adding several authentication bypasses.

API v2

Security should be easy to integrate into the development process and to make it easier for our customers we updated the API to version 2.0. This allows you to easily trigger scans and get Detectify data, all while supporting the standard REST format. Integrating it is easy as you can generate the API keys directly in the Detectify tool. This option is available for our professional and enterprise plans, and you can read the API v2 documentation here.

Added Domain monitoring service and 6 SAML integrations

We added Domain Monitoring Service (DMS) as a regular feature in the Detectify tool. It started with a customer request to monitor security issues on abandoned or forgotten domains. We realized the potential and need for this and rolled it out as a regular feature in our tool. We also made it even easier for some teams to access the Detectify tool by building six different Security Assertion Markup Language (SAML) integrations including G Suite and OneLogin.

Rebuilding of the dashboard & account completion

This year we took in a lot of helpful customer feedback to rebuild the tool into a more intuitive interface and continue to drive transparency while encouraging continuous monitoring. On the dashboard, users now see the Latest Scanner Updates and features posts from our Detectify Blog and Detectify Labs.

Image: new widgets showing new security tests added and new content

We also added the “Account Completion” guide at the top menu to show you whether your Detectify account has been fully set up yet, to ensure you are not missing out on the best bits of our tool.

Image: account completion feature

Let’s Encrypt SSL-certificates, GraphQL, Upload Policies and bypassing HTTPS

Our top story on Detectify Labs from 2018 was from Detectify Security Advisor and top-ranked white hat hacker, Frans Rosén. His research showed us all how he exploited ACME TLS-SNI-01 by issuing Let’s Encrypt SSL certificates for any domain using shared hosting. Additional popular research included GraphQL Abuse, Bypassing Upload Policies and Signed URLs, and MITM regardless of HTTPS.

CORS misconfigurations

Our top article from 2018 on Detectify Blog was an explanation of CORS misconfigurations by Detectify Security Researcher and Technical Content Writer, Linus Särud. CORS is configured through headers set by the web server, and this article shares the most common ways to misconfigure it. View the article here.

20+ new employees and 18 different nationalities

It’s been a year of adding (a lot) more new faces to the team. In fact, we’ve welcomed 22 new colleagues so far in 2018 with many added to our tech teams. Diversity is a key part of our company as we are made up of 18 different nationalities at Detectify, and 40% of us are female! Want to join us? Check our job openings here.

A new and bigger office!

We were operating at capacity in our office, bribing one another for meeting rooms and getting creative with the spaces to squeeze in more people. In December, our new and larger office was finally ready and we have a lot more space for more.


Jury’s choice of Most Promising Cybersecurity Solution and Hottest Nordic Startups List

Our CCO Carl Svantesson was invited to pitch our company at PwC’s Cybersecurity Week in Luxembourg and won the prize of Most Promising Cybersecurity Solution – Jury Award! Thank you, Luxembourg! We were also listed as one of the hottest Nordic startups to look for in 2018 by Business Insider Nordic and Dagens Industri (in Swedish).

What a great year it’s been and we are looking forward to even bigger and better things next year! Will you join us on this journey in 2019?