Why I founded CovertSwarm after annual pen tests failed me

Almost every business I worked for got breached. Our teams did the same thing each time: an occasional pen test, a thick report full of findings, then wait another year. Meanwhile, our attack surface changed daily. That false economy is exactly why CovertSwarm exists.

[Image: the wooden garden shed where CovertSwarm founder Anders Reeves conceived the idea for continuous penetration testing during the COVID-19 lockdown]

My team here at CovertSwarm asked me to write a piece this week reflecting on the foundational story of the business, and on whether I feel the cyber gap I spotted back in 2020 is still valid across the industry today.

It’s a story I’ve found myself retelling to our new starters and to members of my network curious as to how the business came to exist and scale as quickly as we have. 

It began almost 6 years ago, when I was sat in the wooden shed at the bottom of my garden. It was somewhere I increasingly retreated to escape the young-family mayhem in our house as the world locked down during the Covid-19 pandemic and homes became schools for young, energetic sons and daughters.

I was nearing my 40th birthday and had gained an insatiable and growing itch to found a business to solve three simple career goals: 

  • Fill a room with new jobs that no one else offers
  • Make £1 of revenue challenging an industry
  • See the resulting business pass its 10th birthday

I began mulling an issue that I was increasingly convinced needed to be addressed in the cyber market. 


The problem I couldn’t ignore 

I realised that almost every business I’d worked for had experienced some form of cyber breach, and that our talented teams had always done the same things to try and avoid being breached: an occasional penetration test or, where budget might allow, a one-off ‘big hitter’ red team engagement. 

  • ‘Value’ came in the form of a thick report, full of risk ratings and noisy cyber findings.
  • ‘Pain’ came in the form of me and my teams working out what to tackle first. What was a false positive. How to convince a product owner that the critical finding on page 245 needed fixing in their next release.
  • ‘False economy’ came from the lack of continuity between these ad-hoc cyber engagements, plus the spin-up and reporting time during which little actual cyber value could be derived in-test.

It struck me that I needed to found a business that would sell the cyber service that I wish I and my former teams could have purchased to genuinely outpace the cyber threats we faced over those first two decades of my career.

What had to change 

  • ‘Ad hoc’ cyber testing had to be replaced with a continuum of smart, contextualised, human-in-the-loop attacks.
  • ‘Scopes’ had to be scrapped and replaced with a new concept of ‘whole brand’ targeting.
  • ‘Hacking’ had to expand beyond what had been cornered into ‘keyboard-based’ pen testing, to a fully comprehensive spectrum of social, digital, and physical assaults.

Procurement red tape and delays were replaced with a simple ‘t-shirt’ sized subscription concept. Sign up once and co-exist, forever. 

And, of course, those delivering the service would need to be highly diverse, curious, and possess supernatural offsec abilities. 

I and a small, pre-revenue team set to work building a platform through which our service could be offered, again challenging the traditional ‘windowpane’ reporting and GRC systems offered by what we had started to (and still) refer to as ‘the legacy cyber vendors.’ 

You know who you are. 

And, as the French would say, ‘voila!’ The foundations of the CovertSwarm value proposition were established. 

Almost a year to that day in my shed, in April of 2021, CovertSwarm went to market and our first clients signed up on our very first day of trading.  

The pitch that still works today 

So what was, and remains, our pitch? 

I won’t leave you guessing. 

  • How often do you release code?
  • When did you last hire a member of your team?
  • Have you acquired any businesses lately?
  • Opened any new premises?
  • Changed the membership of your board?
  • Added any new technologies to your stack?
  • Gained profile in the press?

…and then the obvious one: 

How often do you cyber attack yourselves? 

The prospect’s lightbulb moment came again and again during those early pitches.  

And still to this day.  

Why it still matters 

One-off cyber testing is out of date the moment the report lands on your desk. The reports slow down your ability to innovate and remain competitive, effectively applying the brakes to what you most want to accelerate.

Limited scopes are for consultants, not genuine attackers. They don’t play by constrained rules. Neither do we. 

Lookalike pen testers deliver lookalike tests. Diverse attackers deliver realistic attacks. 

As I know you do, I took security seriously in all my previous roles. But we were failed by traditional cyber testing. It sold us a dream of false security, and in many cases we paid a heavy price as a result. 

So is the foundational story still relevant today? CovertSwarm continues to grow. Steeply. Eating the lunch of the legacy cyber vendors. 

And it continues to fill that proverbial room with new job after new job, for our amazing ethical hackers who deliver genuine value to clients that genuinely value modern cyber engagements.

Today, I count that we work with hundreds of brands, and with a team spanning more than a dozen time zones, it’s fair to say those first two career ambitions have been firmly ticked off the list. Six years in, the momentum only seems to be gaining pace. 

Just like your real attackers. 


If you’re still relying on annual pen tests, let’s talk about what you’re missing. 

The gap between how often you change and how often you test is where breaches happen. We can close that gap.