NetSPI Doubles Down on Pen Testing With nVisium AcquisitionBuying nVisium Will Give NetSPI More Personnel to Conduct Pen Tests on AWS, Azure
Rising offensive security star NetSPI bought boutique penetration testing firm nVisium to help customers assess cloud defenses.
The Minneapolis-based attack surface management vendor says Washington, D.C.-area nVisium's deep understanding of the niceties of different cloud platforms will come in handy since Azure penetration testing differs from AWS pen testing, says CEO Aaron Shilts. Hacking - with permission - into cloud-based apps requires different skill sets than testing the security of traditional web applications or networks.
The terms of the acquisition, which closed Dec. 22 and was announced Jan. 3, aren't being disclosed. All 50 of nVisium's employees will join NetSPI, including founder and CEO Jack Mannino, who will focus on R&D and building next-generation technologies for clients and testers as part of the NetSPI labs organization (see: Pen Test Firm NetSPI Gets $410M Boost From KKR to Fuel M&A).
Why Customers Need Cloud Pen Testing
An ongoing mass migration to cloud environments from on-premises data is driving demand for cloud penetration testing, according to Shilts. He says NetSPI is already one of the leaders in the cloud pen testing space but will benefit from nVisium's capabilities. The Washington firm excels at working with businesses with mature security programs in highly regulated industries such as energy and financial services, Shilts says. Financial services has long been one of NetSPI's largest markets, but the CEO says little overlap exists between the NetSPI and nVisium clients' bases.
Shilts plans to fully integrate nVisium into the NetSPI organization by Feb. 1, with a focus on training, onboarding and familiarizing nVisium's staff with NetSPI's platform and programs. According to Shilts, nVisium customers should be able to more easily meet developer and testing timelines thanks to the size of the NetSPI organization.
NetSPI's automation tools focus primarily on the tester experience, report automation and report generation, and Shilts says these tools will be integrated and brought into NetSPI's mainline code base. NetSPI today has both employee-facing automation tools similar to what nVisium offers as well as client-facing automation tools that are unlike anything nVisium provides today.
The nVisium deal comes just three months after NetSPI received a $410 million growth investment from private equity giant KKR to pursue acquisitions and expand its technological and geographic footprint - money that helped move the nVisium acquisition across the finish line.
More Acquisitions on the Way?
nVisium is only the second acquisition during NetSPI's 22-year history but comes just two years after the company bought Utah-based Silent Break Security to strengthen its network and application testing, red-teaming and adversary simulation skills. Shilts says NetSPI would consider additional acquisitions that allow NetSPI to expand in Europe and build on the organic business it has developed in the United Kingdom.
Although nVisium's customers are almost exclusively headquartered in North America, Shilts says their client base includes large multinational organizations with offices around the world. NetSPI's rivals range from fellow cybersecurity companies such as NCC Group to large accounting firms to boutique firms with between $5 million and $20 million on revenue that do penetration testing in a specific geography.
From a metrics standpoint, Shilts says NetSPI plans to closely track retention figures for both nVisium's employees as well as its customers. Beyond that, Shilts hopes the nVisium acquisition will accelerate NetSPI's revenue and profitability growth. NetSPI expects to grow its organic business between 50% and 60% in 2023, and Shilts says M&A will become a more prevalent part of its strategy going forward.
"With organic growth being the foundation, bringing the right M&A on top of it at the right time will continue to be an important part of our strategy," Shilts says. "But if the right opportunities aren't there that check all the boxes - most importantly, the box of fitting our culture - we're not going to jam anything in unnaturally."