Felons, Fraudsters Flog Offensive Cybersecurity Startup
Trust in security vendors demands rigorous due diligence, especially for offensive capabilities.
This story about a shady offensive security startup isn’t really about the startup. It’s about whether your vendor risk management program is more than just paperwork.
What happened
KrebsOnSecurity is reporting that a new offensive security company trying to buy zero-day exploits is run by convicted felons and fraudsters. The people involved have a history of using aliases, running shell companies, and pushing deceptive “intelligence” and AI ventures.
Basically, the kind of people you would never knowingly hire for sensitive security work are trying to get into the business of acquiring and potentially using powerful exploits.
What people will get wrong
The easy take is to read this, shake your head, and move on. It feels like a weird, one-off story. But that’s the mistake. This isn’t just news; it’s a perfect test case for a process that breaks all the time: third-party risk management (TPRM).
The headline is about the fraudsters, but the lesson is about the system that would—or wouldn’t—catch them. This is where security programs fail, not in a massive breach, but in the boring, everyday process of procurement and vetting.
A practitioner’s view
This is really an ownership problem. Most organizations have some kind of vendor security review process. It usually involves a questionnaire, a contract review, and maybe a look at a SOC 2 report. That sounds simple, but it’s where things fall apart.
What I’d want to know is, who on your team is responsible for doing more than just checking the box?
- Does your TPRM process include basic open-source intelligence on the company’s principals, especially for a vendor you’re about to trust with network access or exploit material?
- Who actually owns the decision to say “no”? Is it the security team? Procurement? Legal? If the business unit buying the service has the final say, risk management is just security theater.
- For a high-risk service like offensive security, are you doing the bare minimum or are you doing real due diligence? The dashboard that says “150 vendors reviewed” is not the control. The control is the quality of that review.
Engaging with a vendor is an extension of your own attack surface. If you onboard a company run by known criminals to test your defenses, you’ve fundamentally misunderstood the risk. That’s not a tooling problem; it’s a governance failure.
What to watch next
Forget watching the startup. Watch your own process. Use this story as a reason to ask some pointed questions internally.
Pull up the list of vendors you use for pentesting, red teaming, or any other offensive service. Can you prove you know who the key people are? Can you prove you did more than read their marketing slicks? The real failure mode is assuming someone else checked, and finding out nobody did.
Source: Felons, Fraudsters Flog Offensive Cybersecurity Startup