Detectify is a vulnerability scanning system available in two formats: one for internal scanning, suitable for applications under development, and one that performs external vulnerability scanning that IT operations teams should use.
While most vulnerability scanners look for well-known exploits, such as SQL injection, Detectify has a different approach. The company has created an agency to reap the research of “white hat hackers” and discover new weaknesses that could secretly allow hackers to damage systems.
Detectify AB is a Swedish company that started operations in 2013. The company’s founders included a white hat hacker and builds on an established open-source cybersecurity research method – the bug bounty.
Behind Detectify is an organization called Detectify Crowdsource. This is a system in which anyone can register and then report a security weakness. Suppose that weakness isn’t already covered in the Detectify library. In that case, it gets added, and the contributor earns a fee every time that weakness is discovered in a client system during a vulnerability scan.
The open-source security research mechanism behind Detectify is the company’s unique selling point. It is constantly adding to its list of known vulnerabilities, and it doesn’t share these with the wide cybersecurity industry. Better yet, Detectify has no upfront costs in running a research team. Penetration testers only get paid if they discover a new exploit.
Discovering product-specific weaknesses can be a waste of money for cybersecurity companies because as soon as that producer learns about the problem, it issues a patch and that weakness no longer exists. Essentially, all software producers get free system testing services from the cybersecurity companies operating research labs. By turning itself into a middleman, Detectify has eradicated the high cost of research and passed the risk of never recovering research costs to individual technicians.
About bug bounties
The cybersecurity industry has been deploying bug bounties for some time. This offers a prize for anyone that can find a weakness in a specific system. In short, this can work out cheaper than contracting a penetration testing team because the commissioner only has to pay one fee and potentially gets the services of a vast number of white hat hackers.
Anyone attempting to break into a system to claim a bug bounty is essentially accepting a bet. The work of those who do not fail. Only the few that manage to find an exploit get any money for their efforts.
Naturally, companies that issue bug bounties are already aware of all the exploits, such as the OWASP Top 10. These are the security flaws that every vulnerability scanner searches for. Therefore, a company that offers a bug bounty will have already closed off all of its vulnerability scans revealed exploits. Thus, only those hackers that discover new weaknesses that cybersecurity firms don’t already know about will stand a chance of making money from the challenge.
A bug bounty is usually an ongoing offer, so the company offering it gets constant confirmation that its security systems are working. They don’t have to pay anything for that verification, so the cost of paying out when security is finally compromised is a small price to pay.
By setting up Detectify Crowdsource, Detectify has a permanent bug bounty system operating. Thus, it will always have a more extensive library of exploits than regular vulnerability scanning services. As the company doesn’t pay a lump sum, but a commission, a rarely encountered exploit doesn’t cost them anything.
Detectify’s agency model means that it can list an infinite number of potential weaknesses that could be exceptionally, very rare, and would otherwise be uneconomical to bother with. Even if a software producer closes off an exploit, that error is still worth searching for because there might be many installations in the world that haven’t applied the patch that fixes the problem.
Detectify offers three plans. The first two of these are Deep Scan, which applies to scan within an organization, and Asset Monitoring, an external vulnerability scanner. The third plan is Get It All, a combination of Deep Scan and Asset Monitoring, plus a range of bespoke system security advice.
It is possible to take out a subscription to both Deep Scan and Asset Monitoring. However, this still won’t fully model the Get It All plan because that top system is a customized proposal and includes added consultancy services.
The Deep Scan system is suited to DevOps environments. It offers on-demand, scheduled, and continuous scanning, ideal for integration into a CI/CD pipeline.
The scanner can be invoked either for an on-demand run or through an autodiscovery process. Identifying all assets and scanning is also possible to get the system running by loading up a list or getting a feed from a platform like AWS Route 53 or Google Analytics.
However the system is run, the scan results give you a list of assets identified (which could be just one) and an assessment of the security of each. Any weaknesses can be fixed using the guidance that accompanies the results report.
The Deep Scan knowledge base is constantly updated by discoveries contributed by the Detectify Crowdsource system. The service also deploys the concept of fuzzing to test a range of input options and test the application’s reactions.
The main benefit of the Deep Scan system is its ability to work as part of a DevOps project system. Integrations with Jira, Slack, Trello, OpsGenie, Webhooks, and Splunk make it possible to automate test launches and feedback paths. This makes the automated launch of application security testing possible.
Detectify Asset Monitoring is an external scanning service that doesn’t rely on dynamic testing strategies; in fact, that system advertises itself as a service that catches vulnerabilities that a DAST method would miss.
This service is run from the dashboard of the Detectify SaaS platform. The user inserts a URL into a field in the dashboard and then turns on automatic scanning. The vulnerability manager will start a discovery service that chains through all pages in a given website and identifies all components. It then looks for the location of those services and scans them for lower layers of supporting functions. This recursive process continues until all supporting infrastructure has been traced.
Like Deep Scan, Asset Monitoring can be linked to project management tools, such as Jira and Slack. The scan results can also be fed to crucial personnel, including recommendations for fixes to identified problems.
The Detectify Crowdsource research feeds into the vulnerability scanner used for the Asset Monitoring service. A scan covers peripheral supporting services, such as DNS records, containers, and container management systems. The system also identifies channels for unintentional information disclosure and carelessly hardcoded values.
How much does Detectify cost?
The two lower plans of Detectify have subscription pricing. The Enterprise package is more of a negotiated service that may incur one-time fees and ongoing subscriptions.
The base prices for Detectify services are:
- Deep Scan: $85 per month billed annually, $105 month-to-month
- Asset Monitoring: $420 per month billed annually, $570 month-to-month
Both plans can be experienced on a two-week trial.
Detectify deployment options
Detectify is only available as a SaaS platform. That means you access the service through a dashboard hosted on the Detectify server, and its processing functions are all run there.
A series of integrations make the service interact with other tools. This is particularly important in the CI/CD pipeline deployment options for Deep Scan. You can install free plug-ins for the system to interact with apps such as Jira, OpsGenie, and Splunk.
Detectify Pros and Cons
Here is a summary of the good and bad points of a Detectify subscription.
- A unique list of exploits culled from the hacker community
- A low price when compared to other CI/CD testing services or vulnerability scanner
- An easy-to-use service that just requires an asset address to be entered into the dashboard
- No need to host any software – all software maintenance on the cloud server is included in the price
- A choice of internal and external scanning strategies
- The distinctive strategy of exploit detection provided by Detectify Crowdsource might not be very effective
Alternatives to Detectify
Detectify’s unique method of gaining extra intel on system security through its Detectify Crowdsource system is hard to beat. This service means that the Detectify vulnerability scanner will always have access to information about security weaknesses that other research labs have not yet discovered. What’s more, the system finds new opportunities for damaging Web applications without any outlay on funding a research team, so the company can keep its costs low and undercut similarly thorough vulnerability scanner providers.
Other innovative methods available for discovering zero-day exploits and other security testing services could offer better strategies than those provided by Detectify.
Here is our list of the five best alternatives to Detectify:
- Invicti ACCESS FREE DEMO This service can be used as a vulnerability scanner for IT operations or as a continuity tester for CI/CD pipelines. Although the headline dynamic and interactive application security testing systems in this package are effective, Invicti’s edge comes from its Hawk detector system that plays through extended scenarios that spot out-of-band vulnerabilities that wouldn’t count as errors in competitor testing systems but could easily compromise a system. Available for installation on Windows or Windows Server or as a cloud service. You can get a free demo.
- Acunetix ACCESS FREE DEMO This service includes an external vulnerability that searches for 7,000 exploits and an internal network scanner that looks for 50,000 network-based exploits. This system can be used for IT operations or DevOps testing. The service prioritizes scanning of assets that are more likely to be exposed to attack. Acunetix is available in three plans that cater to different business sizes and types. The service is an on-premises software package for Windows, macOS, and Linux. Register for a free demo.
- GitLab Ultimate This is the top edition of GitLab, a highly respected DevOps project management environment. The lowest edition of GitLab is free, but the Ultimate version is the only plan that includes integrated security scanning with a DAST system. This tool competes with the Deep Scan option of Detectify and isn’t suitable for those specifically looking for a vulnerability scanner for IT operations. This system operates from a cloud platform, and you can either host it on your cloud account or take out a subscription to the SaaS version. Experience the hosted version on a free trial.
- Rapid7 InsightAppSec This system is offered by the sponsors of Metasploit. It can be utilized as a vulnerability scanner for established live assets or integrated into a development environment, so it models both critical editions of Detectify. The reports that this system delivers for discovered exploits include demonstrating the code, enabling developers to understand how to resolve the issue in a re-write. This cloud-based service is free for 30 days.
- HCL AppScan This service offers dynamic, static, and interactive security scanning for Web applications under development. The system can also be used for external vulnerability scanning for established Web systems, so it is a good competitor for Detectify’s Deep Scan and Asset Monitoring. This system can also be used to scan mobile apps for vulnerabilities. The package is available for installation on Windows and Windows Server, and it is also known as a SaaS platform. AppScan is available for a free trial.
There are potential flaws in the Detectify bug bounty strategy. The lack of an upfront prize means that the low reward offered by the service doesn’t necessarily attract all of the intel gathered by its registered researchers. A white-hat hacker might make money over time through Detectify through its commissions’ system, but that might not be as immediately satisfying as perhaps selling the new attack concept on the Dark Web for an upfront payment.
In short, while Detectify’s Crowdsource strategy looks good on paper, it could just be picking up the low-value exploits that the hackers of the world discover. Instead, it offers a bargain bin for hackers who work out that they can’t make much money for some of the exploits that they find out.
It is worth looking into the capabilities of Detectify, but it should also be benchmarked against alternative Web application security testers before you decide to buy.