Our origin story.
The short version of how we got here.
OSec began in 2010. After years spent in security operations and offensive security, we’d come to believe a few things:
The world needed security that actually worked, and that actually reduced spend over time.
Security fights the way a business runs: every dollar cut from overhead lifts profit. But your attacker treats the damage they can do as their own investment. You’re incentivized to spend less; they’re incentivized to spend more. That asymmetry is the whole game.
The endless slicing of security solutions is really a bait and switch. Organizations think they’re getting multiple products at a decent price; what they end up doing is paying ever more for features that add little. Much of it can be combined into one solution.
Even back in the ’10s, we realized continuous testing was going to be needed.
So we built a company the old-fashioned way: bootstrapped, organic growth, really bad marketing. VC money would have meant doing things we didn’t want to do from day one. With an investment from a few friends, and an idea of how the world could be saved (at least in a cybersecurity sense), our company began.
It was tricky at first. Coming from big companies, and having friends inside them, didn’t translate to a startup. Getting past the procurement teams of large banks, as one person, was brutal.
But with perseverance, a few “hacks” (an mp3 of office sounds playing while we took calls, door closed to hide the one-man team), some good people, and a lot of excellent work, we grew.
As we grew, we built out the capabilities we knew assessment needed: threat intel to inform testing, and backend work around threat hunting, purple teaming, and more. Leaving a client with a list of problems and coming back a year later was never the way to go.
Then we built Incenter, our continuous testing platform, for everyone who needed a way to keep up with the endless onslaught of vulnerabilities and the threats who use them. It folds components usually sold as separate services into one.
Then AI showed up, which only proved the point we’d been making: more issues found, most of them irrelevant to any given organization, and without context anyone tasked with security was left drowning in noise. AI also gave us a way to make our own operators faster, so our expert services and consulting deliver clients more for the same price.
The pace of change isn’t slowing down. AI has brought benefits and risks alike, both financial and technical, to a lot of organizations. Our goal remains what it always was: secure the cyber world, so organizations can focus on doing what they do, without worry.