Preactive Security Exchange Rules of Engagement
AttackIQ’s Preactive Security Exchange (PSE) is founded on AttackIQ’s mission to make the world safe for compute by providing the critical missing ingredient: feedback on security control effectiveness. The term “Preactive Security” refers to the practice of being proactive about preventable failure. The Preactive Security Exchange (PSE) is a platform for both customers and partners to do precisely that.
For us, the mission is the most important thing. We accomplish this mission not just by working with customers of our software but by working collaboratively with providers to improve their products and services and to improve the quality of AttackIQ’s solutions, in service of our joint customers.
In order to do this effectively, AttackIQ must operate in the service of our mission with independence, discretion, and openness:
- Data-Driven Independence: We present our customers with data that is based upon our independent and objective assessment of the way that threat actors and emulated attacks exercise security controls. We are transparent in the way that we present the performance of every single security control.
- Neutral & Discreet: We do not publicly or privately endorse or criticize any particular partner’s products or services. While it is true that customers sometimes use AttackIQ’s products to benchmark competitors, we do not influence the customers’ evaluation, nor do we disclose anything that we have learned about our partners, either publicly or to another partner.
- Open & Adaptive: Subject to the limitations on independence and discretion, we operate openly, honestly, and responsively. We do not assume that we are right but welcome feedback on the effectiveness of our own testing. In turn, we seek to work with partners on the same basis.
We recognize that the cybersecurity industry is historically very competitive and adversarial and that some vendors may be confused about our mission and motivations at first. That’s fine. Different vendors may understand and appreciate the PSE mission quickly, while others may take more time to appreciate its advantages for them. Regardless, we are ready to engage and collaborate.
We also recognize that the principles above are fairly general. With time we expect to get feedback on these commitments and to run into situations that will require that we improve their clarity. We pledge to enhance these rules of engagement with transparency and to strive for consistency with our general principles of independence, discretion, and openness.
Frequently Asked Questions (FAQs) about the PSE:
In line with our principle of openness, here are some FAQs about how these principles play out:
Q: What sorts of options are available for different PSE members that want to join the PSE at different levels?
A: Flexible ways to engage AttackIQ: We offer multiple options for potential partners considering working with us as PSE members. We are happy to provide a path for collaboration with AttackIQ at whatever level of collaboration is comfortable. The different tiers of our program (Affiliate, Certified, Certified Plus, Preferred, and Premier) allow for that. We reserve the right to accept or deny any potential partner to the PSE Program, as well as any tier, depending upon what makes the most sense for customers. Further information on the requirements and benefits of each of the PSE Program tiers is outlined on our website, and we’re happy to further discuss their details with potential PSE partners.
Q: Will the PSE provide customers with recommendations against certain vendors that have weak efficacy results?
A: Non-disparagement of ANY security controls vendors: No, we simply will not disparage vendors. We’ll let our customers draw their own conclusions from the data that our platform provides about each vendor’s efficacy.
Q: Is PSE member information exchanged with the PSE, on efficacy and other sensitive topics, confidential?
A: Discretion and confidentiality: We’ll always exercise professional discretion when working with PSE member companies and will never publish the results of our ongoing work with them externally. That exchange of information remains between AttackIQ and each respective PSE member company, with each company’s intellectual property and strengths and weaknesses fully protected under the MNDA agreed between our two companies.
Q: What options are available to PSE members to engage with AttackIQ on an ongoing basis?
A: Open communication channels: We’ll provide PSE members with multiple modes of communication so that they can always feel comfortable reaching AttackIQ and the PSE management team. In addition to email and phone access, we also offer PSE members an opportunity to sync with our team on a regular basis, upon the mutual agreement of a schedule between the PSE member and AttackIQ staff, resources permitting.
Q: Will the PSE benchmark the efficacy of one particular PSE member over another or run its own vendor “bake-offs”?
A: No benchmarking or bake-off comparisons of controls vendors: We will not pit vendors against each other for benchmarking or bake-off purposes. Note that our customers do frequently use the AttackIQ platform to conduct their own bake-off comparisons of controls vendors; that is the decision of AttackIQ customers. AttackIQ will never initiate that activity ourselves, as we would view that as compromising our commitment to independence and discretion.
Q: Will the PSE be “pay to play” and allow certain partners to “stack the deck” in their favor, regarding efficacy measurement?
A: No Pay to Play: We will not charge PSE members a “favoritism” fee in order to present one vendor in a positive light versus another vendor. That’s not consistent with our mission as a company.
Q: Will the PSE “play favorites” when asked by customers which vendor is better?
A: Commercial responsiveness but no preferential treatment: We’ll follow PSE member companies into deals with customers where they bring in AttackIQ from a commercial standpoint, but will never recommend one particular vendor to a customer over another.
Q: What sort of commercial relationship can PSE members seek with AttackIQ?
A: Go-To-Market (GTM) Investments by the PSE will follow commercial lift, without compromising objectivity: AttackIQ will engage in joint GTM activities with those PSE members who provide commercial lift to AttackIQ in the form of net new customer leads or other commercial introductions or revenue. However, AttackIQ offers those same commercial opportunities to all PSE members via its tiered program. Examples of joint GTM activities include joint press, pre-sales and post-sales motions, joint webinars, and other coordinated GTM activities. The various tiers of our PSE program (Affiliate, Certified, Certified Plus, Preferred, and Premier) provide PSE members with a host of options for commercial partnership with AttackIQ, depending upon the PSE member’s appetite to invest in joint GTM with AttackIQ.
Q: Will PSE members be given the chance to highlight their respective strengths?
A: Help vendors showcase their strengths wherever possible: We recognize that our partners’ products have different strengths. We are happy to let our partners use our product to demonstrate those strengths.
Q: What perspective does the PSE take when testing PSE member products?
A: Efficacy first for customers: We’re committed to constantly tuning and enhancing our best-in-class diagnostic testing methodology to examine how partners perform when tested against the behavior and techniques of real threat actors.
Q: What is the AttackIQ SLA for turning around updated integrations for PSE Members with API updates for existing integrations?
A: Timely integration updates: We commit to update the integrations as expeditiously as possible. Practically, when PSE members publish material updates to their APIs, we commit to ensure that our AttackIQ integration with each vendor is current within no more than 30 days, at the very latest, of AttackIQ being notified by that PSE member of an updated release of its API.
Q: Will PSE members whose products do not initially perform as well as they would have liked upon integration have an opportunity for improved efficacy measurement via the PSE?
A: Ongoing path to improvement: We recognize that many products have robust features and capabilities that may require nuances to how a test is performed/enumerated. As an open system testing platform, AttackIQ routinely works with vendors and customers to best understand the various aspects of their prevention and detection logic. AttackIQ is committed to the quality of testing on our open system testing platform.
Q: When a customer uses AttackIQ and identifies a problem with a PSE member’s control, how can the member help to resolve that problem?
A: Equal opportunity for remediation: In recognition of the fact that so many customers face alert fatigue and confusion around prioritizing the next steps to resolution, we’re committed to providing actionable solutions. We work with each of our PSE members to help drive better closed-loop integrations that deliver customers actionable, tangible paths to resolution of issues that trigger testing failures. Whether those are due to misconfiguration of a particular security control or to another reason that can be solved by better exchange of information among the PSE member, the customer, and AttackIQ, we’re constantly seeking better remediation recommendations on behalf of our mutual customers.
Q: How will the PSE handle cases that are not yet addressed in these Rules of Engagement?
A: Err on the side of independence, discretion, and openness: We will seek to honor our principles of independence, discretion, and openness as we encounter corner cases and individual challenges in our collaboration with the partner ecosystem. In addition, the PSE Rules of Engagement will evolve over time based upon the collective feedback that AttackIQ receives from both our customers and PSE Member Partners.