Combining elements of both human-assisted and autonomous artificial intelligence (AI), Horizon3.ai has added a Rapid Response service to its NodeZero SaaS-based penetration testing platform. The idea is to react so fast to new vulnerabilities that the process becomes proactive in preventing malicious attacks by highlighting the areas that must be fixed fast.
The rationale for the service is that security teams cannot adequately triage the volume of new vulnerabilities against the complexity of their own IT environments.
Verizon’s 2024 DBIR found that it can take 55 days for organizations to address 50% of critical vulnerabilities after patches become available, and urged defenders to respond faster.
At the time of writing, NVD has received 12,296 new CVEs this year (more than 3,000 per month). Triaging these vulnerabilities remains largely a manual task: which are the most critical, and is my configuration susceptible?
There are multiple problems with this approach – not the least being the amount of manual labor and human skill required. Criticality is often measured by two scores: the common vulnerability scoring system (CVSS) and FIRST’s exploit prediction scoring system (EPSS). These are neither always accurate nor available (see CVE and NVD – A Weak and Fractured Source of Vulnerability Truth). And, of course, there are further known vulnerabilities unknown to the CVE system.
The Horizon3 Rapid Response service determines critical vulnerabilities, not merely those listed by NVD, and then allows customers to automatically check whether they are exposed to exploitation via those vulnerabilities. This is done at speed, so that customers can determine what needs mitigating or patching before an adversary is able to launch an attack.
A combination of AI and human expertise is used in this service: AI for its ability to perform analysis at speed, and human expertise for its ability to reason. Human expertise knows what is likely to be important. AI can accelerate the same process adversaries use when developing exploits: comparing the newly patched code with the old vulnerable code to locate the fix, and therefore the vulnerability. Snehal Antani, Horizon3’s CEO and co-founder, explains the concepts.
“Imagine a very complicated product, like VMware vCenter,” he explains. “You have millions of lines of code in version one [the vulnerable version], and you have millions of lines of code in version two [the fixed version]. You want to compare them to see what changed. You’ll do a binary diff to see these changes, but you’ll find way too much for a human to quickly understand.”
Enter LLMs. “So, you pass those clusters to an LLM, and it will say, ‘there appears to be a SQL injection error here, or a cross-site scripting error there’.” This same process can, of course, also highlight any new errors introduced with the new version. “You end up using AI like a source of unlimited interns to find which blocks of code are likely to have a security problem within them. It’s a great way to reduce a very complex problem to a very manageable problem.”
Re-enter the human expertise and knowledge to develop the safe exploits that are used to test whether a customer is not merely vulnerable but specifically exploitable. Fundamentally, there is little difference between this process and the one used by adversaries – it’s just that Horizon3’s platform is geared to do it faster. It is this speed that allows the firm to claim proactive defense by being one step ahead of the attacker.
Once the exploit is developed, it is used autonomously. “In many ways,” continued Antani, “we’ve built an autonomous agent that can discover an environment, execute self-directed actions with no human involvement and achieve an objective like steal your data or compromise your environment. And the more attacks we run, the smarter the underlying algorithms become, because of reinforcement learning and feedback loops. And that is the novel kind of innovation of Horizon3 that no one else has built yet.”
Horizon3 creates safe exploits. But its investigations are not limited to the new vulnerability descriptions. It also checks for misconfigurations and credential weaknesses. These may have been noted and fingerprinted in an earlier test without being specifically exploitable at the time. When a new vulnerability appears, Horizon3 can immediately correlate it with that earlier fingerprint, recognize that the customer is now exploitable, and warn them urgently, without the warning being delayed by the customer’s internal triaging constraints.
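As an added illustration of the triage problem described above and of the correlation step just mentioned (this is example code, not Horizon3’s or NodeZero’s, and the product names, CVE-style identifiers, versions and scores are all constructed placeholders), the routine below matches new advisories against assets fingerprinted in an earlier test. It weights CVSS and EPSS where they exist, adds exposure and previously noted weak credentials, and flags advisories that have no score yet for manual review instead of silently treating them as low risk, which is the failure mode when a triage process leans only on NVD scores.

```python
"""Toy vulnerability triage: correlate new advisories with a fingerprinted asset
inventory so that "is my configuration susceptible?" is answered by code rather
than by hand. All identifiers, products and scores below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    cve_id: str                   # placeholder id, not a real CVE
    product: str
    affected_versions: frozenset  # versions the advisory lists as affected
    cvss: Optional[float]         # None: not yet scored by NVD
    epss: Optional[float]         # None: no EPSS entry yet
    exploit_public: bool          # a public proof of concept is known


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_exposed: bool
    weak_creds_seen: bool         # noted and fingerprinted in an earlier test


# (minimum points, tier name), checked from most to least severe
TIERS = ((7, "urgent"), (5, "high"), (3, "medium"), (0, "low"))


def affected(advisory: Advisory, asset: Asset) -> bool:
    """Exact product and version match against the advisory's affected list."""
    return asset.product == advisory.product and asset.version in advisory.affected_versions


def priority(advisory: Advisory, asset: Asset) -> tuple[int, list[str]]:
    """Return (points, reasons). A missing CVSS is given a middle weight and a
    review flag, because 'unscored' is not the same as 'safe'."""
    points, reasons = 0, []
    if advisory.cvss is None:
        points += 2
        reasons.append("no CVSS yet: manual review")
    elif advisory.cvss >= 9.0:
        points += 3
        reasons.append(f"CVSS {advisory.cvss}")
    elif advisory.cvss >= 7.0:
        points += 2
        reasons.append(f"CVSS {advisory.cvss}")
    else:
        points += 1
    if advisory.epss is None:
        reasons.append("no EPSS entry")
    elif advisory.epss >= 0.5:
        points += 2
        reasons.append(f"EPSS {advisory.epss}")
    elif advisory.epss >= 0.1:
        points += 1
        reasons.append(f"EPSS {advisory.epss}")
    if advisory.exploit_public:
        points += 2
        reasons.append("public exploit")
    if asset.internet_exposed:
        points += 2
        reasons.append("internet exposed")
    if asset.weak_creds_seen:
        points += 1
        reasons.append("weak credentials noted in prior test")
    return points, reasons


def tier(points: int) -> str:
    for threshold, name in TIERS:
        if points >= threshold:
            return name
    return "low"


def triage(advisories: list[Advisory], assets: list[Asset]) -> list[dict]:
    """Every (advisory, asset) pair that actually matches, most urgent first."""
    findings = []
    for adv in advisories:
        for asset in assets:
            if affected(adv, asset):
                points, reasons = priority(adv, asset)
                findings.append({"host": asset.host, "cve": adv.cve_id,
                                 "tier": tier(points), "points": points,
                                 "reasons": reasons})
    findings.sort(key=lambda f: (-f["points"], f["host"]))
    return findings


# Constructed sample data: three advisories, four fingerprinted assets.
ADVISORIES = [
    Advisory("CVE-0000-0001", "example-vpn", frozenset({"4.1", "4.2"}), 9.8, 0.72, True),
    Advisory("CVE-0000-0002", "example-cms", frozenset({"2.0"}), None, None, False),
    Advisory("CVE-0000-0003", "example-db", frozenset({"11"}), 5.3, 0.02, False),
]
ASSETS = [
    Asset("vpn-gw-1", "example-vpn", "4.2", True, False),
    Asset("cms-1", "example-cms", "2.0", True, True),
    Asset("db-1", "example-db", "11", False, False),
    Asset("vpn-gw-2", "example-vpn", "4.3", True, False),  # already on a fixed version
]

if __name__ == "__main__":
    for f in triage(ADVISORIES, ASSETS):
        print(f"{f['tier']:8} {f['host']:10} {f['cve']}  {', '.join(f['reasons'])}")
```

The unscored CMS advisory still lands in the "high" tier because the host is internet-exposed and an earlier test recorded weak credentials on it; that is the correlation the text describes, where an old fingerprint plus a new advisory produces an urgent finding without waiting for NVD to assign scores.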
“In the swiftly evolving arena of cybersecurity, where threats emerge and proliferate with alarming speed, the essence of a robust defensive posture lies in responding rapidly. We enable organizations to move faster by prioritizing critical vulnerabilities that have the most potential impact on their organization,” says Antani. “Our Rapid Response service is engineered to provide a preemptive shield, arming cybersecurity teams with the necessary knowledge, insights, and tools they need to protect their vital infrastructure.”
Founded in 2019 by Antani and Anthony Pillitiere, San Francisco-based Horizon3 raised $40 million in August 2023 through a Series C funding round led by Craft Ventures with participation from Signal Fire, bringing the total raised to date to $78.5 million.