BLACK HAT USA — Las Vegas – Wednesday, Aug. 9 — Vulnerability remediation startup Mobb won the Startup Spotlight competition at Black Hat USA 2023, beating out startups focused on firmware security, cloud infrastructure security, and software security.
The four finalists — Binarly, Endor Labs, Gomboc.ai, and Mobb — were selected after a video pitch competition in June. Each one received booth space in the Black Hat Business Hall, a consultation with an Omdia analyst, and the opportunity to make a 10-minute presentation during the conference at the Startup City theater in front of the judges. To be considered for the competition, companies had to be less than 2 years told and have fewer than 50 employees.
After the 10-minute presentation, the panel of judges asked three to four questions to clarify some points they felt had not been addressed in the pitch. The judges were Ketaki Borade, senior analyst in Omdia’s Infrastructure Security research practice; Trey Ford, deputy CISO at Vista Consulting Group; Hollie Hennessy, senior analyst in Omdia’s IoT cybersecurity practice; Lucas Nelson, founding partner at Lytical Ventures; and Robert J. Stratton III, principal & strategist at Polymathics and venture partner at Nextgen Venture Partners.
“In the startup market, sometimes companies are trying to do too much, but Mobb was confident about its capabilities,” says Omdia’s Hennessy, one of the judges. “One of the real challenges of cybersecurity is to bring together different parts of the business — in this case, developers and security. Mobb’s product bridges that gap, improves security, and increases productivity.”
AI was a common thread to all the presentations. Some were very upfront about their use of AI (“Gomboc.ai — the AI is in our name,” CEO Ian Amit told the judges), while others touched upon their AI use when explaining their technology capabilities. “In reality, most cybersecurity companies are using AI to some extent, [but] now we’re hearing about the intricacies of it more given the current hype,” says Omdia’s Hennessy, one of the judges. “I think it showcases the value of AI in the latest cybersecurity solutions, and I’m interested to see how we continue to see innovation in this space.”
Finalists Pitch the Judges
Alex Matrosov, CEO and founder of Binarly, laid out his case for firmware security, noting that if the firmware is broken, “everything else is compromised.” Firmware issues require an ecosystem approach because the vulnerability doesn’t just exist in one device — but in every device that uses that vulnerable component. Binarly created a binary analysis tool that finds known and unknown vulnerabilities in firmware and works with device manufacturers such as Dell, vendors making the components, and enterprises looking for transparency in their environment. According to Matrosov, it can take 171 days for firmware vulnerabilities to be fixed.
“Focusing on firmware security as a first point of call is a necessary approach for device protection, and it’s promising that Binarly is seeing interest from across the ecosystems of operators, makers, and firmware developers,” says Hennessy.
Varun Badhwar, CEO and co-founder of Endor Labs, focused on open source code security, around helping developers make better choices with code and fix vulnerabilities in open source components. Badhwar referred to the “developer productivity tax” — the amount of time developers spend investigating vulnerability reports to identify which ones actually need to get fixed. While 80% to 90% of modern software development may consist of open source components, Badhwar claims just 12% of the code is actually used in the code. So a vulnerability in a function in the open source library that is not being used in the application may not be as high of a priority to fix. Endor Labs also has a recommendation engine to help developers make better decisions about what libraries and components to use — since there will be fewer issues to fix if the package itself has been vetted to not already have vulnerable code.
Endor Labs — also an Innovation Sandbox finalist at this year’s RSA Conference — was voted the audience favorite.
“What I liked was they are paying attention to the open source code security,” says Omdia’s Borade, another one of the judges. “I see them getting acquired by the big fishes who struggle to grow organically in this domain.”
Amit, CEO and co-founder of Gomboc.ai, focused on remediating cloud infrastructure issues, noting that it was not possible for security engineers to learn every possible configuration or across every cloud environment.
Gomboc.ai was founded by cloud infrastructure veterans — Amit and his co-founder are both former Amazon Web engineers. Gomboc.ai has human analysts define security policies and uses AI to apply those policies. Security teams use regular language to define policy, such as “Public-facing assets can’t be written to.” The AI engine identifies the code required to turn that policy into the proper cloud configuration. “Humans are good at saying what they want,” Amit said. “AI is good at finding solutions.”
Gomboc.ai relies on deterministic AI, not generative AI. Generative AI can give different answers each time, while deterministic AI will always give the same answer every time for the same set of inputs, which is important when trying to address vulnerabilities and apply policy.
The Winning Pitch
Eitan Worcel, CEO and co-founder of Mobb, focused on how to save organizations money using the following illustration: A vulnerability report may list four issues, but three of them may not be exploitable. It may take a developer 30 minutes to investigate the report to identify which of the issues need attention and 15 minutes to open a ticket with all the relevant information. It may take four hours to actually fix the issue. If the organization spends $200 (USD) an hour for the developer’s time, that is about $1,000 being spent — and organizations have thousands of issues.
Mobb accepts vulnerability scanning reports from a range of static application security testing (SAST) tools and assigns a confidence score to various parts of the code. Mobb provides recommendations based on best practices on how to fix those issues. When the developer accepts the recommendation, Mobb then applies the fix, Worcel says. The company currently supports Java and Node.js, and .NET support is on the way.
Mobb “made a good case of how they will save money for the organizations,” Borade says, noting that one of the findings from the Omdia Decision Maker Survey 2023 was that high costs were among the top three cloud security challenges for enterprises. “Mobb had a very straightforward answer about how it will solve part of the vulnerability remediation issue and save time for developers.”
Three of the finalists — Endor Labs, Gomboc.ai, and Mobb — touched upon vulnerability prioritization, and their approaches for helping security teams understand which issues were the most pressing. Software security is obviously an area of high interest in the startup ecosystem — last year’s winner, Phylum, was also a software security startup.