Silent Break Security

BACKGROUND

Please describe your company and your position there.

I am the Vice President of Information Technology for a company of 1,000 employees.

OPPORTUNITY / CHALLENGE

For what projects/services did your company hire Silent Break Security?

We needed to have our annual 3rd party assessment done on any vulnerabilities in our externally exposed services.

What were your goals for this project?

Discovery of potential vulnerabilities and the risk any discovered represent.

SOLUTION

How did you select this vendor?

They were recommended to us 6 years ago. We've been working with them for 5 years.

Describe the project in detail.

We obtained a SOW for the project. Once we signed and returned it, their project manager scheduled a kickoff call on which we discussed anything in particular we wanted to focus on and what information they would need from us to proceed. We also agreed upon a date to begin the project.

After the call we provided information to them through a secure portal. The tester contacted us during the engagement with any issues he was having, which we promptly addressed. The technician wrote a report after the call, which we discussed in detail in a follow up call. The project was then closed.

What was the team composition?

Project manager and the technician doing the assessment.

RESULTS & FEEDBACK

Can you share any outcomes from the project that demonstrate progress or success?

Their testing identified some vulnerabilities to which they assigned risk levels. As a result we took steps to remediate the most serious ones.

How effective was the workflow between your team and theirs?

We've worked with them for several years so we're familiar with how they do business. It worked well as that's the way it always does.

What did you find most impressive about this company?

They have always demonstrated a high level of skill and professionalism. Working with them has helped us to improve our security considerably and is the best money we've spent in our security budget.

Are there any areas for improvement?

They do a great job and it's always a pleasure to work with them. They know their stuff.

BACKGROUND

Introduce your business and what you do there.

I’m a system engineer for a healthcare provider that caters to the employees of Union Pacific Railroad. I oversee server administration and network security.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with Silent Break Security?

We wanted someone to perform a cybersecurity audit so that we could identify security concerns and verify where we could improve.

SOLUTION

What was the scope of their involvement?

Silent Break Security performed an external penetration test where they scanned all of our outward-facing websites to check if they could gain access to our applications. They were also given access to our internal applications so they could pinpoint issues that could potentially compromise our systems. They reported back to us with the results of these two different scans.

How did you come to work with Silent Break Security?

We had an existing partner that we’d originally consulted, but they didn’t offer security scanning. They recommended and referred us to Silent Break.

How much have you invested with them?

We spent around $40,000.

What is the status of this engagement?

We engaged them in October 2019 and the project wrapped up in January 2020.

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement? 

We were impressed by the information they were able to gather about our security systems. We were grateful for the data we received from the reports they provided.

How did Silent Break Security perform from a project management standpoint?

They did an excellent job from start to finish. They were quick to respond whenever we had questions for follow-ups.

What did you find most impressive about them?

While I don’t really have a basis for comparison, I was impressed by Silent Break’s initial gathering of information. They ensured that when they performed the scans, they were examining exactly what we wanted them to examine.

Are there any areas they could improve?

No, I don’t think so.

Do you have any advice for potential customers?

The information that they’re able to provide is high-quality and thorough. It’s not a gloss-over kind of test that they provide. The results they gave us were well worth the time and money we put into the project.

BACKGROUND

Introduce your business and what you do there.

We are a global manufacturer of commercial vehicles. I’m the chief information security officer.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with Silent Break Security?

We were looking for a firm to do penetration testing across our global environment, at a reasonable price that could also help train us along the way, with the overall goal of enhancing our security.

SOLUTION

What was the scope of their involvement?

They were to look at our entire corporate network and identify potential entry points through the use of tools and manual activities. They were to stop short of anything that could disrupt our manufacturing facilities or normal day-to-day operations. They used custom tooling along with tools readily available on the web. They worked hard to meet our needs.

For us, they have done mainly informed penetration testing. We provided them IP ranges they could go after, and ones they needed to avoid, to ensure we didn’t have any business disruptions. We provided them some basic account credentials for onsite and remote access. They also focused heavily on phishing for their initial point of entry. We were more concerned about what they could do once they were on the network then whether they could actually gain access. 

At the end of their tests, they provide a final report with recommendations for changes. We have typically implemented most of their suggestions relatively quickly. We have them return about a year later to validate work done and look for new potential exploits. They have been impressed by how much we were able to achieve between their visits.

In our last test, we had to reduce some of our controls to allow them access for their tools to run, as we blocked most of their initial penetration techniques. As noted, we are more interested in what a hacker could do after breaking through our barriers, than can get through. A determined hacker can always find a way in.

What is the team composition?

For each of the collaborative tests, they sent two people to our site. We worked with those individuals directly.  At times, they would coordinate with some of their remote colleagues for assistance.

How did you come to work with Silent Break Security?

I first engaged them for a project about three years ago and we have continued to approach them for their services. We initially selected them as penetration specialists and since then have used their collaborative pen test offering to help train our employees. Their prices were competitive, and we feel they have provided value to us.

What is the status of this engagement?

We began working together in 2016, and the partnership is ongoing.

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement?

We’ve had many quick wins, that were relatively easy changes, that helped enhance our security.

How did Silent Break Security perform from a project management standpoint?

They coordinated with us well upfront to ensure they could hit the ground running. They provided solid technical leaders, who could also manage each engagement and ensure the time spent was where it provided the most value. They also did a good job of balancing the attacks with the training to ensure the team learned.

Their management summary reports didn’t always hit the mark for our company. We needed to work with them on verbiage to ensure the message was at the appropriate level for our senior management teams and that it was clear on some of the actionable things we could do, but without going to deep technically. They worked well with us on this, but it did take a few go-rounds to get there. Probably would have been the same with any company we worked with.

What did you find most impressive about them?

Their collaborative penetration tests really stand out. They brought people onsite to explain their process, and our team learned a lot from them. They helped us look at things differently and showed us how a potential hacker thinks.

Are there any areas they could improve?

I can’t think of any improvements off the top of my head.

Do you have any advice for potential customers?

Provide as much clarity as you can on your objectives. We were very clear about what they could and could not test, which ensured minimum to no disruption to daily operations.

BACKGROUND

Introduce your business and what you do there.

I’m the manager of the security operations center of a fixed annuities company. I’m in charge of vulnerability analysis, incident response, and security patching.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with Silent Break Security?

We run both internal and external penetration tests on an annual basis, and we’ve always ascribed to the notion of changing external penetration testing companies on a semi-regular basis. This can be 2–3 years, depending on what we’re doing. Bringing in new partners introduces us to new methodologies for finding vulnerabilities and attacking systems.

SOLUTION

What was the scope of their involvement?

We spoke briefly to discuss our needs and determine the targets they’d be attacking. Then, after agreeing on a statement of work including a timeframe, expected outputs, and warranty period length (not many vendors provide this), we articulated rules of engagement.

They started with black-box tests to test our current security and response to their intrusions. I was largely out of the loop as to when the tests would occur, so as not to be biased, but I knew a general period (within two months). We caught their attacks multiple times and asked them to pivot to a gray-box approach. In this situation, we gave them access to our environment to understand what would happen if someone did break in. We logged what we saw during that process and confirmed our findings with them. They let us know what we did and didn’t spot and what they actually did, so we could remedy our weaknesses.

What is the team composition?

I worked with their account manager on any issues, but I’m not sure how many people worked for us. Two Silent Break resources handled the attack phase, and we communicated with them via an internet portal. The tool let us upload details of the engagement and made communication easy.

How did you come to work with Silent Break Security?

My boss recommended them after speaking with them at a conference. We considered several other companies, including one we’d used in our last round of testing, but Silent Break’s caliber of reporting won me over. I appreciated their recommendations for fixes, as well as their data’s readability.

How much have you invested with them?

We spent $50,000–$100,000.

What is the status of this engagement?

We worked together from November 2017 until January 2018. We did a second test in February 2019, and we plan to work with them again later this year.

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement?

Silent Break’s findings were always easy to follow, and we made the changes they recommended. While they had a huge impact, it's difficult to pinpoint because we're measuring it against what might have happened had we not plugged those holes.

During the actual tests, we were able to execute our internet response plan and investigate how my team would respond to a real attack. We’d spent a lot of time revamping our internet response time over the past 18 months, and it was beneficial to see the effectiveness of those efforts. 

How did Silent Break Security perform from a project management standpoint?

Silent Break was very responsive to emails, and they kept us on target. We were running multiple projects, making it easy to get sidetracked, but it was refreshing to be pushed to meet our goals. Once the tests began, it was easy to get a hold of Silent Break and ask if they were behind the suspicious activity we were observing.

Their reports were thorough and came on time. A proper penetration test can yield a lot of results, and it can take a while to go through them. Silent Break was easy to work with after the testing was done, confirming some of their findings and validating that we fixed any issues.

What did you find most impressive about them?

Their attention to detail is great, but the true differentiating factor is the customer service. I’ve called Silent Break multiple times, and someone I know and who was aware of our project always answers it. Right before we started, we upgraded our app to a new platform, and Silent Break agreed to push the date multiple times. This stretched into a new calendar year, and they were well within their rights to back out. They stayed with us the entire time, however, and were right beside us when we got the new version ready.

They seem to be a tight-knit company where everyone knows what’s going on and can respond to clients. We’ve had multiple positive testing engagements with other vendors, and Silent Break is definitely at the top. We’ll likely use them again.

Are there any areas they could improve?

I don’t know if there’s much they could’ve done differently. We’ve run a couple of engagements with them, and I assume their knowledge goes past even what I’ve seen. Silent Break has services we haven’t utilized, but we’ve simply never needed them.

BACKGROUND

Introduce your business and what you do there.

I’m the chief information security officer of a medical manufacturing and distributing company.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with Silent Break Security?

We wanted to hire an independent firm to perform penetration testing on our organization.

SOLUTION

What was the scope of their involvement?

The test was as blank as we could make it. We only gave them our company name; they had no information about our architecture, infrastructure, or protection methodology. Our only other parameter was that they avoid our SAP system. Their goal was to attempt to get into our system and, if successful, to show us what they were capable of gaining access to by assembling a formal findings document for our senior leadership. Once the test was finished, they shared the results with us and discussed our positives and negatives, as well as potential action plans.

What is the team composition?

We had a point of contact in sales and a technical lead. I’m not sure how many additional tech staff worked on our test.

How did you come to work with Silent Break Security?

There were many options, so we narrowed it down by looking for firms that had presented at large conferences in our industry. Once we had a list of prospective choices, we examined their philosophies and the skill level of their testers.

How much have you invested with them?

We spent around $50,000.

What is the status of this engagement?

The project lasted from December 2018–January 2019.

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement?

Their results demonstrated that, although we had strong security overall, there were areas we could modify to optimize it further.

How did Silent Break Security perform from a project management standpoint?

They were responsive and documented everything well.

What did you find most impressive about them?

Their levels of knowledge and skill were very high, which is part of why we chose them in the first place.

Are there any areas they could improve?

Nothing that I can think of.

Do you have any advice for potential customers?

For this kind of testing, it’s important to find the right people and respect their professional capabilities. Once the test is finished, be prepared to implement any changes they suggest.

BACKGROUND

Introduce your business and what you do there.

I was the chief information security officer for a Fortune 500 retailer.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with Silent Break Security?

We were looking for penetration testing services to remediate or reduce our company’s risk and enhance our cybersecurity.

SOLUTION

What was the scope of their involvement?

We had a planning meeting with Silent Break Security so to discuss our challenges and where we saw risk within the company. They helped to define the scope for testing. As it would be impossible to test 100% of the environment in a single test, Silent Break would provide valuable expert input as we developed the scope of each test.

Following each test, they produced a well-organized report that went into detail on their approach and execution of the test, along with the results and recommendations. It was a thorough approach, which added value to the exercise.

What is the team composition?

My first point of contact was always their VP of global strategy. I had an established relationship with him, and he understood my needs. On the backend, we engaged with their founder/principal security consultant, who’s worked with the NSA. There are occasions when we work with other members of the Silent Break team, and we found them just as experienced and knowledgeable.

How did you come to work with Silent Break Security?

Historically, I did business with their VP of global strategy when he was at a previous company. When he moved to Silent Break Security, we had a conversation about the company, their services, and their skills and expertise. I was impressed with their pedigree of resources. They stood out to me because they had people who’d worked with the NSA, so I recognized that they could add value to the problem. 

How much have you invested with them?

We spent $150,000–$300,000 over 2–3 years.

What is the status of this engagement?

We began working with Silent Break Security at the end of 2014 or beginning of 2015. There were multiple penetration tests, sometimes as many as 2–3 per year. Silent Break continues to be a valued partner on an as-needed basis.

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement?

Their recommendations were actionable and absolutely valid.

How did Silent Break Security perform from a project management standpoint?

I have no complaints. The thing that stands out to me is the upfront planning and the extent to which they tried to understand the business problem so they could add their expertise up front. Sometimes, we wanted a penetration test and we asked for specific items with no discussion. Other times, we wanted to figure out what we could test that we didn’t normally test and that added to our risk mitigation strategy. They allowed us to decide the extent to which we wanted to engage with them and benefit from their expertise, and that’s a huge plus in working with them.

What did you find most impressive about them?

The people I worked with directly at Silent Break Security understood what my job was, what my concerns were, and what I had to do on behalf of the company I worked for. They put themselves in my shoes. They fully appreciated that there’s a right way of doing things, but how it’s applied to business is different from one company to the next.

Are there any areas they could improve?

No, I can't name anything.

Do you have any advice for future clients of theirs?

Someone working with them should communicate the goals, objectives, and concerns, and listen to their expertise on how to approach and scope the engagement. Silent Break Security can absolutely add value if clients allow them to place themselves in their shoes.

BACKGROUND

Introduce your business and what you do there.

I’m a security architect for a health finance company. I’m responsible for all of the infrastructure security, including the network, penetration testing, and secure configuration analysis.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with Silent Break Security?

We needed a skilled partner to help with your annual assessments and penetration tests.

SOLUTION

What was the scope of their involvement?

Silent Break Security came on site and discussed the scope of what we wanted to test. We told them our goals and showed them the different types of systems we had, giving them specific target areas to test. They tested each one, including specific apps, code, and network components. They then wrote up reports highlighting security concerns and recommendations. Our team sat down with them to discuss the findings and determine what needed to be fixed.

What is the team composition? 

We mainly interacted with the project manager, but they provided testers for the internal network, our apps, and the external components.

How did you come to work with Silent Break Security?

We wanted a partner who’d be able to customize the tests and provide an in-depth evaluation of system vulnerabilities. We talked to a few partners and members of the security community, and many recommended Silent Break Security.

How much have you invested with them?

We spent around $40,000.

What is the status of this engagement?

We worked together from July–September 2018. 

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement?

They found several system risks that a traditional test wouldn’t have found. The results were specific, and so were their recommended solutions.

How did Silent Break Security perform from a project management standpoint?

In addition to daily updates, they came onsite to provide presentations about the project. We mainly communicated via email, and they were highly responsive.

What did you find most impressive about them?

The types of tests they ran were targeted and customized to our needs.

Are there any areas they could improve?

They could improve their documentation and be more proactive about it.
 

UPDATED REVIEW

This review was updated by a software security architect at the client's company on April 27, 2020. The original star ratings were: Overall - 4.5, Quality - 4, Schedule - 4, Cost - 5, NPS - 5. New content is below:

BACKGROUND

Introduce your business and what you do there.

I’m the software security architect at a financial services company that deals with benefits such as HSA. One of my roles is a penetration test coordinator.

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with Silent Break Security?

At regular intervals, we have security assessments in the form of penetration tests. Although they are routine procedures, we want to make sure that they are high quality and we get value out of them. Silent Break Security is one of the companies we’ve worked with before, so we reached out to them this time as well.

SOLUTION 

What was the scope of their involvement?

They provided the penetration test. This time around, the scope was a mobile security assessment for a mobile app, as well as a web application security assessment. Recently, they performed a retest. 

Last year, they found some vulnerabilities and we fixed them. Silent Break Security then came back and performed the exact same test again. The team updated the report for us to show that the vulnerabilities no longer existed.

What is the team composition?

We worked with a project manager, an individual tester, and an operations teammate. We also work with Brady (Founder) from time to time. 

How did you come to work with Silent Break Security?

We found out about them through a former employee of ours who got in touch with several vendors, including Silent Break Security. We then had a good first experience with them, which is why we hired them again. 

How much have you invested with them?

For this project, we spent about $30,000–$40,000.

What is the status of this engagement?

This project lasted from October 2019–April 2020.

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement? 

Their work allows us to show our partners that even when there are vulnerabilities, we fix them. Additionally, risk reduction is a great benefit. For every vulnerability that Silent Break Security finds and we fix, that’s one malicious attack that’s been prevented. 

It’s hard to prove the value of something that didn’t happen, but that’s the nature of the work. The vulnerabilities don’t come back to haunt us. For example, if an attack does happen, it takes lots of hours to rectify and requires lots of damage control. 

How did Silent Break Security perform from a project management standpoint?

When I work with them, everything goes smoothly. The team is willing to working with us and our timelines. Sometimes when I’m not able to get tasks done quickly enough, Silent Break Security is usually very good at accommodating that.

The technology they use is also great. The portal we use to share information is very secure. They upload the reports there and send me an email. Then, I can go into the portal and download the reports. I can also upload information securely onto the portal. 

What did you find most impressive about them?

I’m really grateful that they were willing to do the retest, even though I forgot to make sure that that was included in the contract. Silent Break Security was very much interested in our success, helping us to achieve our goals.

The quality of their work and, consequently, their reports is very good. Sometimes vendors run basic assessments that don’t provide as much value. This team’s work was of the highest quality. They found novel and interesting issues and explained them well in the reports. 

Are there any areas they could improve?

No, I have no suggestions, Everything has been smooth with them. I’ve worked with other companies where we’re not on the same page, but that’s not the case with Silent Break Security. They’re always willing to work with us where we’re at. 

Do you have any advice for potential customers?

Generally speaking, the more information you can give them and the more background you can provide them, the better. That’s especially important when they’re testing a custom solution. 

It’s not possible for them to have a comprehensive understanding of custom software, so it’s important to provide them with as much information as possible so that they can provide you great value.

BACKGROUND

Introduce your business and what you do there.

I work for a company that makes law enforcement technologies like body cameras, TASER electrical weapons, and cloud storage solutions for law enforcement. I'm the chief information and security officer. 

OPPORTUNITY / CHALLENGE

What challenge were you trying to address with Silent Break Security?

We needed a web application assessment for our large cloud solution. A few years ago, we first reached out to Silent Break Security for quarterly penetration testing. 

SOLUTION

What was the scope of their involvement?

Over the years, most of Silent Break Security services have been quarterly web application penetration tests against our cloud solution. A couple of times, they've provided more traditional black box penetration tests against the entire corporate infrastructure including things like phishing assessment. They present their findings to us in written reports. As needed, they follow up in person or over phone calls for clarifications on technical questions we might have. 

The reporting includes recommendations for remediation and how we might reduce the risk of any particular issue they found. We have never used them for services to implement the fixes before, but we certainly have leveraged their recommendations. 

What is the team composition? 

We always have a project or program manager assigned to us, although it’s not the same person every time. Behind them, the actual penetration testing team performs the work. It usually seems to be one or two people since we don’t have a terribly large scope. We have direct access to the actual testers and project manager and can reach out to any of them at any time. 

How did you come to work with Silent Break Security?

Through some personal relationships, we had known Brady (Founder and CEO, Silent Break Security) for a long time. 

How much have you invested with them?

We've spent between $200,000 and $1 million. 

What is the status of this engagement?

We've been working together since early 2016. 
 

RESULTS & FEEDBACK

What evidence can you share that demonstrates the impact of the engagement?

Silent Break Security has had a markedly positive impact on our company. All the penetration tests they've done have been conducted professionally. They've yielded solid, actionable results that help us remediate real issues we need to fix. We've been able to operationalize their insight to make our system more secure. 

They've taken care to ensure any findings they point out to us are impactful and worth fixing. The reports are never full of fluff just to look impressive. They only present concerns they know are definitely worth our attention and effort. 

How did Silent Break Security perform from a project management standpoint?

From a communications and documentation standpoint, Silent Break Security has performed very well. They've been very available to answer our questions, schedule meetings, and follow up to discuss the reports. We haven't had any problems at all. 

What did you find most impressive about them?

Silent Break Security's ability to focus on the most actionable issues differentiates them from other cybersecurity consultants we've partnered with in the past is. They keep our critical problems top of mind instead of trying to list every potential one holistically. Rather than reporting on countless theoretical concerns, they conduct their testing based on real-world scenarios and impacts to help us narrow our focus. 

Are there any areas they could improve?

To improve growth going forward, I would suggest having a larger variety of employees. Since we've used Silent Break Security so frequently, the same couple of few people have done most of the work each time. Once their company grows, they'll be able to hire more talent to assign to work on projects. 

Do you have any advice for potential customers?

I've never had to worry about getting productive work out of Silent Break Security. They take care of everything that needs to be done right off the bat.