
Not Just Another Rubber Stamp
Back in 2016, when I did my very first vulnerability assessment, I was very nervous. It surprised me, because with extensive training and almost 20 years' experience as an IT consultant there was nothing to be nervous about. I should have been ready. I kept thinking "what if I don't find any vulnerabilities? That will be really embarrassing". I knew I could do it, but I just wasn't 100% sure I could deliver the same value as my competitors. It didn't help that in this case my competitor was the biggest cyber security firm in North America (let's call them X). Their brand was intimidating.
To limit the possible damage to my reputation I told my client: "Go ahead and hire X to do the vulnerability assessment. I will do mine independently for free. We will compare results at the end". To cut a long story short: as a rookie, I blew my competitor out of the water. I found many more severe vulnerabilities and included proof-of-concept source code as a bonus. I kept track of my time spent during all this. In the end, my client would have spent a fraction with me for a superior outcome. Needless to say, the client awarded the subsequent vulnerability assessment contracts to me.
This experience made me feel proud but angry at the same time. If a "rookie" like me could deliver better value than a "top" information security company, then it means that what X was handing out was nothing more than a rubber stamp. Their assessment had little meaning and no real impact on security. It was just another example of the snake oil sold by the cyber security industry. Since I was now going to be part of the same industry, it put me in the same bad light. And I was not going to allow that to happen. ArmorEye does not sell rubber stamps. ArmorEye vulnerability assessments have meaning.