
The profile is currently unclaimed by the seller. All information is provided by CB Insights.

safebreach.com

Founded Year

2014

Stage

Series D | Alive

Total Raised

$106.5M

Last Raised

$53.5M | 9 mos ago

Mosaic Score

+10 points in the past 30 days

What is a Mosaic Score?
The Mosaic Score is an algorithm that measures the overall financial health and market potential of private companies.

About SafeBreach

SafeBreach provides a platform that simulates hacker breach methods across the entire kill chain to identify breach scenarios in environments before an attacker does.

SafeBreach Headquarters Location

111 W. Evelyn Avenue, Suite 119
Sunnyvale, California 94086
United States

408-743-5279


Research containing SafeBreach

Get data-driven expert analysis from the CB Insights Intelligence Unit.

CB Insights Intelligence Analysts have mentioned SafeBreach in 2 CB Insights research briefs, most recently on Jun 6, 2022.

Expert Collections containing SafeBreach

Expert Collections are analyst-curated lists that highlight the companies you need to know in the most important technology spaces.

SafeBreach is included in 1 Expert Collection: Cybersecurity (4,937 items).

SafeBreach Patents

SafeBreach has filed 3 patents.

The 3 most popular patent topics include:

  • Trees (data structures)
  • Binary trees
  • Computer memory
Application Date: 12/28/2017
Grant Date: 5/25/2021
Title: (not listed)
Related Topics: Computer network security, Computer security exploits, Computer security, Trees (data structures), Operating system security
Status: Grant

Latest SafeBreach News

5 ways to unite security and compliance

Aug 1, 2022

Which comes first, security or compliance? In an ideal world, they work together seamlessly. Here's how to achieve that.

As data compliance laws proliferate across the globe, security professionals have become too focused on checking their requirements boxes when they should be focused on reducing risk. Can the two work harmoniously together? The answer depends on how effectively IT security leaders can work with their auditors and speak to their boards, say experts. These are their top five recommendations:

1. Focus on data protection

It's well-known that compliance is about protecting regulated data, while cybersecurity is focused on keeping bad guys out. From a data protection perspective, the key security measure then is to avoid processing or storing regulated data that isn't needed. If regulated data must be stored, make sure you're using stronger-than-recommended encryption, says James Morrison, national cybersecurity specialist for Intelisys, the infrastructure support division of payment systems company ScanSource.

"In my career, I've seen small healthcare providers sending patient data in cleartext. So, to create compliant policies, ask how regulated data is handled from cradle to grave," explains Morrison, formerly a computer scientist with the FBI. "You should be mindful of where your data exists, where it's stored, how it's stored, and for how long. That's the right way to start the conversation around compliance and security."

2. Make security auditors your friends

As important as learning the perspective of auditors is helping them understand the basics of cybersecurity. As CISO at a previous company, Morrison held weekly meetings with his auditor to maintain a "two-way" conversation inclusive of compliance and security. By the time the company conducted its ISO 27001 infosec management update, the audit team was able to articulate clearly what they needed from the security team. Then Morrison himself gathered the information the auditors requested. "Auditors are more appreciative if you take a team approach like this. And so are the CEOs and boards of directors," he adds.

However, teaching cybersecurity basics to auditors is difficult, adds Ian Poynter, a virtual CISO based on the U.S. east coast. This is especially problematic among auditors who come from the big consulting firms, whom he likens to "people with clipboards who ask questions but don't understand the security and risk context." In case after case, Poynter describes past experiences in which his clients passed their "clipboard" audits while fundamentally failing at security. For example, in one instance the auditor asked if the company had a firewall and the IT manager checked the "yes" box because they had a firewall, even though it was still in the package and hadn't been installed yet. "The auditors didn't understand that the firewall is not actually doing anything, although you still have a firewall," Poynter says sardonically. "So, to audit properly, you need to know the context around the questions and how to ask the questions."

As a consultant to smaller companies, Poynter says it's important to engage with auditors who have those relationships to security and who understand the security and compliance aspects in tandem. For example, he points to a company preparing to spend $3 million on a SOC 2 provider. Going into the SOC 2 audit with the provider, Poynter provided both sides with security and vulnerability reports that were correlated against audit requirements. This, he says, greatly narrowed the audit team's field of focus, adding that it was a good example of how compliance and security mesh together to further the IT leader's business skills and improve security posture.

3. Use compliance as a base to build better security

Poynter also cautions that audit checklists go out of date regularly, so just passing an audit does not protect IT assets. Take, for example, passwords, which NIST used to require changing every 90 days. NIST has rescinded that rule because people can't remember their passwords, and instead recommends using passphrases with numbers and symbols that users can remember.

Avishai Avivi, CISO at security control validation company SafeBreach, agrees with Poynter. Avivi believes that compliance frameworks provide a basis for thinking about security programs, but compliance mandates are not prescriptive, nor do they rate the efficacy of controls. For example, he says, "A compliance checklist tells you that you need to have a firewall. It doesn't tell you what type of firewall is suitable for your business, or what firewall rules to implement." He also points to requirements for annual penetration tests, even though threats evolve much more frequently than that. This gap leaves "compliant" companies at risk of new vulnerabilities they don't know they have. Also open to interpretation is how to conduct the pen-test and against what computing resources, he continues.

"We had a client that was only testing its external attack surface. So, we did a simulation from an internal corporate office network and showed them that if just one of their end-user stations is compromised, it can access all their development and production networks," Avivi explains. "The client followed the compliance guidelines in terms of segmenting development from production networks, but there were no firewall controls to prevent someone from coming in from a corporate office to those environments."

In industrial control systems (ICS), NERC CIP and other standards are particularly bare-bones in their requirements, according to Jason D. Christopher, director of cyber risk at Dragos. "Due to the lack of OT-specific detection in industrial networks, it's more difficult to interpret compliance rules. It's a lot harder to have a compliance conversation because it's hard to distinguish on a plant floor if you had a security incident that requires reporting or if it is a maintenance incident." ICS operators like energy and power companies are already behind because their security controls are also at the low end of the maturity curve, Christopher continues.

He then describes the compliance maturity curve in three stages. Crawling is filling in the check boxes. Walking is building a program around audit findings and cross-checking findings with compensating controls. In the run stage, network operators have exceeded compliance rules with the proper workflow and chain of command to support security and audit duties. Christopher stresses that the more mature the compliance and security programs, the better the collaboration and communication between auditors, CISOs, and the board.

4. Fix the vulnerabilities you find

It's that middle stage of maturity, the walk stage, where organizations mostly get hung up, say experts who call out many instances where organizations failed to make basic repairs based on audit findings. "We had a company that did their pen-test as required by compliance. Then, a year later, the new pen-test came back with the exact same vulnerability finding because the client had not addressed the findings from the prior year's pen-test," Morrison says. "Ultimately, they suffered a second breach around the same vulnerability. This time, the company fell into trouble with regulatory bodies."

Morrison's story sounds like a famous case currently winding through the U.S. District Court of San Francisco. In it, Joe Sullivan, CISO of Uber, faces prison time under federal charges because he didn't report a second ransomware breach that took advantage of the same vulnerability the FTC had demanded they close after a prior breach. Recently, more charges of wire fraud were added in what the FBI is now calling a cover up.

5. Measure improvements in security and risk posture

More than just a driver for reducing risk, compliance can also be used to measure improvements in security and risk posture. Morrison suggests a compliance dashboard to measure your risk score and using those dashboard policies to keep ahead of changing risks, such as adding a new tech or supporting a remote workforce. The dashboards should also help IT managers report to upper management in the business language of risk and reward that they understand. As Avivi from SafeBreach explains, "If you do security right, you're probably compliant. But if all you care about is compliance, you're probably not going to be secure."


  • When was SafeBreach founded?

    SafeBreach was founded in 2014.

  • Where is SafeBreach's headquarters?

    SafeBreach's headquarters is located at 111 W. Evelyn Avenue, Sunnyvale.

  • What is SafeBreach's latest funding round?

    SafeBreach's latest funding round is Series D.

  • How much did SafeBreach raise?

    SafeBreach raised a total of $106.5M.

  • Who are the investors of SafeBreach?

    Investors of SafeBreach include Bright Pixel Capital, Israel Growth Partners, Leumi Partners, Sands Capital, ServiceNow Ventures and 11 more.

  • Who are SafeBreach's competitors?

    Competitors of SafeBreach include Veracode, PlexTrac, HackerOne, Pentera, XM Cyber, SCYTHE, Horizon3.ai, ForAllSecure, Snyk, Noetic Cyber and 23 more.

You May Also Like

Pentera

Pentera utilizes an automated penetration-testing platform that assesses and validates corporate cybersecurity risks. By applying the hacker's perspective and performing machine-based penetration testing, its software identifies, analyzes, and prioritizes remediation of cyber defense vulnerabilities and instrumentation.

Bugcrowd

Bugcrowd provides Crowdcontrol, which is used by companies to proactively uncover and resolve security bugs in their products - leveraging a vetted community of more than 27,000 security researchers. The company also provides a range of responsible disclosure and managed service options that allow companies to commission a customized security testing program that fits their specific requirements.

Cymulate

Cymulate is an Israeli cybersecurity startup that conducts penetration tests. The company has developed a platform enabling enterprises to simulate cyber attacks in real-time while testing the security system's resilience from the potential attacker's perspective. Among other things, Cymulate makes it possible to assess an enterprise's readiness for ransom and phishing attacks and for detecting more complicated breaches through which hackers can take over an enterprise's computers and apps.

Vulcan Cyber

Vulcan Cyber is a Continuous Vulnerability Remediation solution that integrates, automates and orchestrates existing tools and processes, eliminating the most critical risks caused by vulnerabilities while at the same time avoiding any unexpected impact to business operations.

HackerOne

HackerOne is a vulnerability management and bug bounty platform. HackerOne empowers companies to protect consumer data, trust, and loyalty by working with the global research community to surface the most relevant security issues.

Detectify

Detectify offers a website vulnerability scanner that is in part powered by the crowd.
