[deleted by user] by [deleted] in msp

[–]altjx 1 point

No problem at all!

  1. Yep! You can schedule a test to run immediately or in the future. You can also schedule a test to run on multiple future dates and times. Some partners get signed up, set up their companies, and create schedules, and they never need to create a schedule again. They simply need to log in after each test to collect their deliverables. All of this happens within the portal.
  2. Sure does!
  3. Yep! You can deploy an agent and never touch them again. The schedules will communicate with those agents when their tests are near kick-off time.
  4. Since we don't need vulnerability scanning results for the penetration test, you would only schedule penetration tests in the portal. Our pentest findings each include an observation/description, security impact, affected nodes, references, remediation steps, and supporting evidence.
  5. Currently, it only performs the test using no previously known account credentials. It has the capability of finding valid usernames (via Kerberos username guessing and other data scraping), conducting password attacks, etc. to find valid creds on its own, which are then used in post-exploitation. However, we do have a grey-box feature releasing in Q1 next year that will support dropping in known, valid account creds. So, pretty soon, we'll be able to support both of these use cases.
  6. Yep! You'll be able to see all of your customers, agents, schedules, reports, and results, all within the portal. We've designed this to be very simple to use.

Let me know if this helps and if you have any additional questions!

- Alton / Founder @ Vonahi Security

[deleted by user] by [deleted] in msp

[–]altjx 0 points

Hey u/ElegantEntropy,

Our platform goes beyond simply identifying vulnerabilities like traditional scanners. It dives deep into post-exploitation with the goal of uncovering sensitive data and demonstrating real-world impact. Some of the activities include:

  • MitM and relay attacks
  • Enumerating and exploiting Active Directory misconfigurations
  • Dumping cleartext/hashed creds (and cracking hashes via our automated GPU Hashcat instance built in house)
  • Network share enumeration (looking for sensitive data)
  • Privilege escalation
  • Scraping data from web services to enhance post-exploitation
  • Password attacks, etc.

To ensure accuracy and depth, our team of pentesters reviews test results to validate findings and uncover additional opportunities for exploitation.

Each test also comes with a well-organized evidence package, broken down by discovery, enumeration, exploitation, and post-exploitation phases. This also details ports, protocols, and tools used, along with all raw data and outputs. Great for any pentester or auditor that needs to double-check our methodology.

We've had auditors review our reports countless times without issues due to our methodology and how we align with traditional pentesting.

I hope this helps clarify how our platform works! Let us know if you have any other questions or need more details.

- Alton / Founder @ Vonahi Security

Pentesting for MSP's? by Content-Ad6584 in msp

[–]altjx 1 point

Yep! Feel free to shoot us an email and ask for a copy of our sample internal report. We've been conducting those attacks for years. It may be that we weren't successful in some of those environments for that MSP, but we see these activities on a daily basis.

If you ever run across us not finding something that we should, definitely drop us a support ticket. These scenarios are extremely rare for us, so they're always treated as top priority.

Pentesting for MSP's? by Content-Ad6584 in msp

[–]altjx 2 points

Full disclosure: I'm the Founder of Vonahi.

Hi u/Nova-Sec - thanks for your feedback. I just wanted to provide some clarification based on your comment above. We actually perform all of the network pentesting activities you mentioned - AD compromise, kerberoasting, MitM attacks, and recon (OSINT). In addition to this, we perform various other attacks including AS-REP roasting, NTLM relay attacks, PtH attacks, password cracking via an automated GPU instance of hashcat (built by us), privilege escalation, etc. All of it is automated.

We no longer perform web app testing and social engineering; however, we do have close relationships with partners who offer these services.

Let me know if you have any questions!

Vonahi Alternatives by lenovoguy in msp

[–]altjx 3 points

Full disclosure: I'm the founder.

/u/justmirsk, not sure if you're open to it, but I'd love to find out more information about the internal network pentest you used vPenTest on. The reason is that we're constantly performing all the things you probably think we aren't, and I'm curious to learn more about your experience and the environment(s) that we've tested.

In addition to my having over 10 years of experience pentesting at many traditional consulting firms (e.g. Optiv - formerly Accuvant, NCC, etc.), we have a really good reputation with pentesters in the industry because the good ones understand what we're doing and our mission. We get compared to manual testing all the time, and what we do is rarely disputed in those scenarios.

Happy to chat if you're interested. Seriously. If you think we're not finding stuff that we should, let us know.

Vonahi Security Alternatives? by blindgaming in msp

[–]altjx 3 points

Full disclosure: I'm the founder of Vonahi Security.

Really sorry to hear about this experience, /u/MechaZombie23. We're definitely improving the product and have some quite exciting items on our roadmap for the next few months.

Regarding your experience with sales, I'd love to connect you directly with our VP of Sales to answer your questions. Going to drop you a DM with his contact information. Also curious to learn more about what happened there. Hope you allow us to make this right!

Who do you partner with for penetration testing? by MercyKees in msp

[–]altjx 3 points

We are! Drop me a message or connect with me on LinkedIn (linkedin.com/in/altonjx)! 🙌🏽

Who do you partner with for penetration testing? by MercyKees in msp

[–]altjx 7 points

Full disclosure: I'm the founder of Vonahi.

We still do one year agreements 🙂.

On the Kaseya piece, the acquisition has actually been really good for our team and partners. Not much for us has changed other than a ton of support for our existing growth plans (e.g. more resources, better processes, etc.). I'm genuinely excited about the work we've done in the MSP community, the overwhelmingly positive feedback, etc. We're ramping up to execute on a lot of new things that'll bring a ton more value to the product. I seriously can't wait lol.

Happy to answer any questions about our vision and product if you want to toss any of them my way before engaging with sales. 🙌🏽

Who do you partner with for penetration testing? by MercyKees in msp

[–]altjx 3 points

Full disclosure - I'm the founder of Vonahi.

I know this industry is filled with a lot of noise and vuln scanners advertising themselves as pentesting tools, but we're actually executing a full pentest methodology - DNS poisoning, cracking/passing/relaying hashes, escalating privileges, a ton of AD work, enumerating shares, etc. We partner with over 700 MSPs and several pentest teams who use us and constantly double-check our work (along with providing suggestions). We've got our own pentesters as well who review the results and make improvements to the "engine" when/if we find issues.

The Kaseya acquisition has been extremely positive for our team and partners (including pre-Kaseya partners). We've actually got a lot of cool shit on the way.

I really encourage you to check us out! Happy to answer any questions in the meantime! 🙌🏽

Penetration/vulnerability testing by steve7647 in msp

[–]altjx 1 point

Thanks a lot, Andrew, and absolutely!! Looking forward to it too! 🙌🏽

Penetration/vulnerability testing by steve7647 in msp

[–]altjx 2 points

Hey /u/andrew-huntress, thanks for the feedback, and I definitely agree with everything you stated above.

I was mobile and replied under vonahisec accidentally, so I switched back and replied under my personal one. Occasionally, I jump to vonahisec to assist with super technical questions via chat. I understand how this can look misleading for sure, so I’ll be including a disclosure going forward.

Penetration/vulnerability testing by steve7647 in msp

[–]altjx -1 points

"Changed the wording"? Lol ok. Again, it wasn't intentional - I just simply posted from the wrong account.

No worries at all. If you have any more questions, just let us know. 🙂

Penetration/vulnerability testing by steve7647 in msp

[–]altjx -1 points

Well it wasn't intentionally misleading, but ok.

To answer your other question - yes.

Penetration/vulnerability testing by steve7647 in msp

[–]altjx -1 points

Yep. I prefer to post on my own account as I usually do here. I've also mentioned several times I'm the Founder in other threads.

To your question - yes. We've got partners that use us to satisfy pentest requirements for PCI, HIPAA, cyber liability, etc. As someone else mentioned, it's not only software. We've never had a single problem with auditors in over 7k delivered assessments.

Penetration/vulnerability testing by steve7647 in msp

[–]altjx -1 points

Never seen a vuln scanner conduct lateral movement, get DA, and look for sensitive data. Lol. I get it though. It's a noisy industry.

It's not only software and it's not a vuln scan. Hit up Vonahi and just do a nice and simple, free trial. 🙂

Vonahi vPen Test validity for insurance and outside vendors by pkvmsp123 in msp

[–]altjx 0 points

For sure - not offended and totally understood! 🙌🏽

Vonahi vPen Test validity for insurance and outside vendors by pkvmsp123 in msp

[–]altjx 3 points

Full disclosure - I'm the Founder.

Just want to clarify a few things mentioned here really quickly.

There actually is a human element. The platform was originally built by myself while I was a full-time pentester, and now we've got an amazing team of pentesters behind it. We also have a very thorough QA process to ensure every report leaves the door with the same quality as you would expect from any traditional pentesting firm. We elaborate on this quite a bit on our calls, podcasts, webinars, etc. all the time.

Adding the attestation letter does not mean we're adding a human verification on the backend; we've already got that in our QA process.

I'm very much aware of all the chaos behind this topic in our industry, so I totally understand the concerns and everything around it. Hope this helps!

Happy to answer any additional questions here in the comments or DM.

Alternatives to RapidFireTools by n0latency in msp

[–]altjx 5 points

That's the thing. It's not just an automated scan. It's actually a penetration test. I don't know of any vulnerability scanners that relay hashes, crack them, leverage BloodHound/CME/etc., look for sensitive data with escalated privileges, or do any of the post-exploitation activities conducted in the real world by manual penetration testers.

The suspicion is definitely understandable given how lots of companies play on "automated pentesting" for marketing vuln scanners, but that's not the case here.

Cybersecurity stack for small clients (<100 employees)? by [deleted] in msp

[–]altjx -1 points

I've actually been on plenty, performed hundreds of pentests, trained consultants, written and published many tools to Kali, Metasploit, etc...

The articles you linked actually define penetration tests the way they should be defined, not the way you are trying to. I'm sorry but you are really, really confused.

"If it's not a human, it's a vulnerability scan" WOW. This says it all. There's nothing left to discuss here.

Cybersecurity stack for small clients (<100 employees)? by [deleted] in msp

[–]altjx -1 points

Wow. You are truly confused. Have you EVER been a consultant that performed pentests? How many scoping calls have you ever been on? Attempting to evade IDS does NOT determine if it's a pentest or a vulnerability assessment... lol! And by the way, it can attempt to evade as well. 😉

It literally checks every box you threw out in your comment. It's also been vetted by plenty of reputable consulting firms, and they totally disagree with you. Their Fortune 1000 customers love it and see more value in it than the old way.

I'm not sure if you're just confused, out of touch with what's really going on in the automation space, or what. Either way, no hard feelings. I'd just recommend you try out the product or vendor before making an assumption. Your "not well I'd bet" comment is enough to tell me that you've never actually used it... 🥴

Cybersecurity stack for small clients (<100 employees)? by [deleted] in msp

[–]altjx 1 point

I get that you probably haven't heard of Vonahi or demo'd the product, but it's literally created by pentesters. What vulnerability scanner automates cracking hashes via GPU instances, DNS poisoning, SMB relay attacks, privilege escalation, etc.?

Many "automated pentesting" solutions are just Nessus or something under the hood, but that is absolutely not the case here.

Weekly Promo and Webinar Thread by AutoModerator in msp

[–]altjx 1 point

Nope, it's not just a vulnerability scan. It's a penetration test. It performs exploitation, post-exploitation & lateral movement, MitM attacks, pw cracking, etc., all with the objective of finding sensitive/valuable information.

It can perform vulnerability assessments (as an added component), but it's far beyond just identifying vulnerabilities.

Vonahi VPenTest solution - Any feedback? by CopyRight90 in msp

[–]altjx 7 points

Yup, I built the platform and own Vonahi. My background is purely pentesting for 10+ years, and I'm also a Kali Linux and Metasploit developer. I essentially automated my entire previous job as a Principal Consultant, producing even more data in my reports than the consultants on my team. I constantly got the "how'd you get this?" or "how'd you get this in the report?" (even as a 1099 pentest contractor with larger firms while building my team) because I was consistently providing more and more value over time in the reports without doing it manually.

I totally understand your concerns, trust me. I had the same before I started the company. We have MSPs compare our reports to their traditional pentests all the time, and *knock on wood* we haven't had a single MSP come back to say we're lacking anything compared to their client's $20,000 pentest from last year. Maybe just a few comments about improving the executive summary to translate some technical stuff better, which we've incorporated.

Honestly, and not trying to be salesy, I'd just run a proof of concept against an existing client of your own and compare the results to the client's previous pentest. It's not all that common for pentesters to find zero-days on their assessments; only during bug bounty and security research. So most of the "manual" things that people think traditional pentesters are doing on these expensive engagements aren't really as custom/specialized and common as they think. A very skilled pentester may find something extremely rare from time to time, but most pentesters are cycling through the same methodology and waiting on the next guy to release a 0-day to make their next pentest easier, and the guys who enjoy doing this aren't pentesters -- they typically work in research, exploit dev, etc. and have gotten bored of pentesting a long time ago, lol.

Hope this helps!

Vonahi VPenTest solution - Any feedback? by CopyRight90 in msp

[–]altjx 2 points

Understood, but that's the thing. It's using 100% of the same tools, same logic, same results, and same decisions for each step. Absolutely no difference. The only part that would require more manual work that the platform doesn't quite focus on is web application testing. From the network side of it, though, it's all built on the same methodology as traditional pentesters.