INDUSTRY
Technology
PRODUCTS
SaaS cyber security testing platform
LOCATION
Santa Clara, CA
ANNUAL REVENUE
$36.4M
ASSIGNMENT
Apply a security assessment against the AICPA SOC 2 Trust Services Criteria (TSC) to identify where the client could more clearly demonstrate the evidence needed to meet SOC 2 requirements. Map the TSC to NIST SP 800-53 and create baseline controls that will carry forward to future compliance frameworks such as HIPAA and FedRAMP.
Project Challenges
As the largest independent vendor in the breach and attack simulation (BAS) market, AttackIQ supports customers across a variety of industries including government, FSI, technology, manufacturing, and healthcare. These customers increasingly asked for details about how AttackIQ addresses its own security as part of their supply-chain due diligence. The company needed a streamlined, more efficient way to communicate those details than clunky spreadsheets and questionnaires.
Overview
AttackIQ offers a SaaS-based solution that continuously evaluates the effectiveness of its customers' security controls. The platform offers dozens of solutions for real-world security scenarios including automated testing, control auditing, and software supply chain security.
Insight
AttackIQ enlisted RKON to review and validate AttackIQ's business and platform security program, drawing on RKON's track record of helping clients reach SOC 2 compliance through deep AWS security expertise.
AttackIQ sought expert-to-expert consulting, and understood that a third-party audit against a recognized framework would build trust with enterprise procurement teams and so accelerate sales. AttackIQ selected the SOC 2 framework to communicate how it manages the security, confidentiality, and availability of its platform.
Services Provided
First, the RKON team examined the entire security posture of AttackIQ's cloud business ecosystem. Together the teams identified minor modifications that would deliver a more secure environment without extensive retooling or long lead times. Next, RKON applied its security assessment against the AICPA SOC 2 Trust Services Criteria (TSC) to identify where the AttackIQ team could more clearly demonstrate the evidence needed to meet SOC 2 requirements. Finally, RKON mapped the TSC to NIST SP 800-53 and created a solid baseline of controls that positions AttackIQ to meet future compliance frameworks such as HIPAA and FedRAMP.
RKON delivered the CloudSec Kickstart – SOC 2 engagement, which included an interactive SOC 2 bootcamp, a platform security architecture review, and a SOC 2 compliance readiness assessment (the preparation step ahead of the formal attestation, which is performed by a licensed CPA firm). The written report provided tailored analysis and recommendations for using AWS services and security features to reduce friction for developers and lower operating costs.
Results / Impact / Highlights
AttackIQ ended the engagement with discrete and specific outcomes: a list of prioritized recommendations for optimizing its containerized workloads on AWS; a line-by-line list of executable directions for demonstrating SOC 2 compliance; and a new set of NIST-sourced controls that will scale into the more comprehensive frameworks required as the company pursues additional markets.