Since he was 11 years old, growing up in New Orleans, Alton Johnson (pictured above) has loved to hack. So pen testing would seem like a perfect career path, right? Except that Johnson, the founder of Vonahi Security, hated the tedious, manual, and repetitive tasks involved with creating the documentation and the reports that accompanied his pen testing engagements.
Johnson wanted to make himself a more efficient pen tester. He started writing code to automate some of those repetitive tasks.
Turns out, he was onto something when he founded Vonahi Security in 2018. But it wasn’t the market he expected.
Managed service providers (MSPs), who traditionally haven’t offered their clients penetration testing because of the expense and skilled resources required, caught wind of Johnson’s automated solution. As a result, Vonahi Security, now a Kaseya company, took off with a simple-to-use platform that makes internal and external network penetration testing more affordable and accessible for MSPs and their small and medium business customers.
Providing Network Pen Testing For MSPs Without Breaking The Bank
Johnson founded Vonahi with $6,000 from his savings, continuing to take on contract work as a pen tester as he built the company. “I was very laser focused on solving the problem and making the product as good as I can make it,” he says.
In 2019, he hired a developer to help add more functionality to the foundational product. Johnson also hired a marketing professional and contracted with a sales rep.
When he posted his journey to automated pen testing on LinkedIn in 2019, he got a call from an MSP asking for a demo. Then he got another call. He learned someone had posted about his solution on Reddit.
“I think the idea of automating pen testing, especially to the MSP subreddit, was extremely attractive, and it still is today. People just started calling in. So I never advertised it. It was just a LinkedIn article. It just went on Reddit.”
As Vonahi got more and more calls, “I realized that there’s a demand here,” Johnson recalls, adding that he had little experience with MSPs up until that point.
His team sprang into action. “We were trying to put together pricing models and trying to understand how MSPs work,” he explains. Traditional enterprise pen testing services, Johnson’s background, are expensive. He knew that was out of range for MSPs.
The results of those efforts, vPenTest, is a full-scale penetration testing platform. It incorporates the latest knowledge, methodologies, techniques, and commonly used tools of multiple consultants into a single platform—all at an affordable price.
Putting vPenTest To Work To Protect Customers – And MSPs Themselves
Pen testing prices have typically been based on the size of the environment, he explains. To meet MSPs’ needs, however, Johnson knew he needed a different model. So with Vonahi, MSPs can buy a pool of IP addresses and scan multiple customer companies.
He also wanted to simplify and speed the process of a pen testing engagement. An automated form on the platform enables MSPs to answer standard questions about the engagement. It includes what hours they want the test to run, what alerts they want to get, etc.
The entire pen testing process is automated, but Vonahi also has a team of QA pen testers who look for vulnerabilities that the solution may have missed. “And if they can find anything, they document that and then we study how they were able to find it. Then we try to automate that the next time. So, it’s a good loop,” Johnson notes.
MSPs also get access to detailed reporting. “We have an executive summary which is very high level, and a technical report which is way more in depth. It has a narrative which paints the picture of every single thing we were able to do and how each thing related to each other, and then it has the actual findings which talk about each specific issue, what it means, how to fix it. So they have all the steps that they need to understand what the issue is and how to fix it.”
Because of the affordability, Johnson says MSPs can conduct pen testing more often, rather than once a year. He recommends quarterly testing to stay on top of any new vulnerabilities that may arise after a pen test.
He also encourages MSPs to pen test themselves regularly too. “With the introduction of things like ChatGPT and more AI tools, I think one of the biggest things that MSPs are definitely going to have to be aware of is the ability for a lot more malicious attackers to execute a lot more attacks.”
Making Pen Testing For MSPs A No Brainer
When Kaseya acquired Vonahi in April of 2023, Johnson had grown the company to 25 employees and about 300 MSP partners. He adds, “We were highly profitable, and we’ve been that way since the beginning.”
Since the acquisition, Vonahi has grown to 1,600 MSP partners with over 10,000 of their customers tested through the platform. Vonahi has also doubled its development team.
Johnson has more to do, too. While he does like to shoot pool and modify and race cars in his free time, “I do work a lot because I’m doing what I love. So it’s hard to not think about something new that I can implement into the platform to make it better for MSPs.”
The accessibility and affordability of the vPenTest platform have been driving the adoption among MSPs, Johnson says. Another driver is cyber liability insurance, with some policies adding pen testing to the requirements checklist, he notes.
“We’re seeing a lot more like acceptance,” Johnson says. Once they see vPenTest, it is kind of a no brainer because it just makes the perfect amount of sense for MSPs.”
