Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Artificial Intelligence

Horizon3.ai Introduces AI-Assisted Service to Prioritize and Patch Vulnerabilities Faster

SaaS-based, AI-assisted penetration service allows proactive defensive action against exploitation of new vulnerabilities.

Combining elements of both human-assisted and autonomous artificial intelligence (AI), Horizon3.ai has added a Rapid Response service to its NodeZero SaaS-based penetration testing platform. The idea is to react so fast to new vulnerabilities that the process becomes proactive in preventing malicious attacks by highlighting the areas that must be fixed fast.

The basis for this service is the impossibility for security teams to adequately triage the volume of new vulnerabilities against the complexity of their IT environments.

Verizon’s 2024 DBIR found that it can take 55 days for organizations to address 50% of critical vulnerabilities after patches become available, and urged defenders to respond faster.

At the time of writing, NVD has received 12,296 new CVEs this year (more than 3,000 per month). For the most part, triaging these vulnerabilities is normally a manual task: which are the most critical vulnerabilities, and is my configuration susceptible?

There are multiple problems with this approach – not the least being the amount of manual labor and human skill required. Criticality is often measured by two scores: the common vulnerability scoring system (CVSS) and FIRST’s exploit prediction scoring system (EPSS). These are neither always accurate nor available (see CVE and NVD – A Weak and Fractured Source of Vulnerability Truth). And, of course, there are further known vulnerabilities unknown to the CVE system.

The Horizon3 Rapid Response service determines critical vulnerabilities, not merely those listed by NVD, and then allows customers to automatically check whether they are exposed to exploitation via those vulnerabilities. This is done at speed, so that customers can determine what needs mitigating or patching before an adversary is able to launch an attack. 

A combination of AI and human expertise is used in this service: AI for its ability to perform analysis at speed; and human expertise for its ability to reason. Human expertise knows what is likely to be important. AI can uplift the same process used by adversaries in developing exploits: comparing the new patched code with the old vulnerable code to find the vulnerability being fixed. Snehal Antani, Horizon3’s CEO and co-founder, explains the concepts.

“Imagine a very complicated product, like VMware vCenter,” he explains. “You have millions of lines of code in version one [the vulnerable version], and you have millions of lines of code in version two [the fixed version]’. You want to compare them to see what changed. You’ll do a binary diff to see these changes, but you’ll find way too much for a human to quickly understand.”

Advertisement. Scroll to continue reading.

Enter LLMs. “So, you pass those clusters to an LLM, and it will say, ‘there appears to be a sequel injection error here, or a cross site scripting error there’.” This same process can, of course, also highlight any new errors introduced with the new version. “You end up using AI like a source of unlimited interns to find which blocks of code are likely to have a security problem within them. It’s a great way to reduce a very complex problem to a very manageable problem.”

Re-enter the human expertise and knowledge to develop the safe exploits that are used to test whether a customer is not merely vulnerable but specifically exploitable. Fundamentally, there is little difference in this process to that used by adversaries – it’s just that Horizon3’s platform is geared to do it faster. It is this speed that allows the firm to claim proactive defense by being one step ahead of the attacker.

Once the exploit is developed, it is used autonomously. “In many ways,” continued Antani, “we’ve built an autonomous agent that can discover an environment, execute self-directed actions with no human involvement and achieve an objective like steal your data or compromise your environment. And the more attacks we run, the smarter the underlying algorithms become, because of reinforcement learning and feedback loops. And that is the novel kind of innovation of Horizon3 that no one else has built yet.”

Horizon3 creates safe exploits. But its investigations are not limited to the new vulnerability descriptions. It checks for misconfigurations and credential weaknesses. These may have been noted and fingerprinted in an earlier test but were not at the time specifically exploitable. Now a new vulnerability appears – Horizon3 immediately knows the customer is exploitable and should be warned urgently without the customer being limited by internal triaging constraints.

“In the swiftly evolving arena of cybersecurity, where threats emerge and proliferate with alarming speed, the essence of a robust defensive posture lies in responding rapidly. We enable organizations to move faster by prioritizing critical vulnerabilities that have the most potential impact on their organization,” says Antani. “Our Rapid Response service is engineered to provide a preemptive shield, arming cybersecurity teams with the necessary knowledge, insights, and tools they need to protect their vital infrastructure.”

Founded in 2019 by Antani and Anthony Pillitiere, San Francisco-based Horizon3 raised $40 million in August 2023 through a Series C funding round led by Craft Ventures with participation from Signal Fire, bringing the total raised to date to $78.5 million.

Related: NCC Group Releases Open Source Tools for Developers, Pentesters

Related: Death of the Manual Pen-Test: Blind Spots, Limited Visibility

Related: After Nation-State Hackers, Cybercriminals Also Add Sliver Pentest Tool to Arsenal

Related: Investors Pump $90 Million Into Pentesting Firm NetSPI

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.