Bug Bounty Hunting and Penetration Testing have evolved dramatically, with security landscapes constantly shifting as attackers and defenders adapt to new technologies and strategies. What once worked in traditional security assessments is no longer enough, as organizations implement stronger defenses, patch vulnerabilities faster, and expand their infrastructure to cloud-based and AI-driven systems. As a result, modern ethical hackers or hunters must go beyond conventional techniques, sharpening their expertise and adopting innovative methods to stay ahead of the game.

To maximize their effectiveness, hunters need to refine their skills, automate reconnaissance and exploitation processes, and leverage cutting-edge technologies like AI and cloud security testing. By continuously learning and evolving, hunters can uncover vulnerabilities that others might overlook, giving them a competitive edge in the bug bounty space.

In this blog, we’ll dive into some of the most advanced techniques in bug bounty hunting—straight from Secuna’s in-house hunters. These insights, gained through real-world experience, cover OSINT for historical data analysis, custom exploit development, cloud and container exploitation, AI-assisted pentesting, and automated reconnaissance. By adopting these proven techniques, hunters can significantly enhance their approach to security testing and discover high-impact vulnerabilities more effectively.

Weaponizing Old Information Through OSINT

One of the most overlooked yet powerful techniques in bug hunting is Open-Source Intelligence (OSINT). Many organizations have decade-old systems that still contain publicly accessible sensitive information, often due to poor security practices in the past.

Where to Look for Old Exposed Data:

• Wayback Machine & Archive.org – Older versions of websites may expose forgotten endpoints, sensitive files, or internal documents.
• Google Dorks – Advanced search operators can reveal exposed credentials, configurations, and private documents that shouldn’t be indexed.
• Old Forums & Developer Repositories – Public forums and code repositories may contain hardcoded API keys, internal documentation, or vulnerabilities that were never patched.

By combining historical reconnaissance with modern enumeration techniques, hunters can uncover security flaws that organizations may have long forgotten.

Mastering Scripting & Exploit Development

Many hunters rely solely on publicly available exploits, but those who can write their own scripts and develop custom exploits gain a significant advantage. Writing your own tools:

• Helps you understand vulnerabilities on a deeper level.
• Allows you to bypass common security patches where public exploits may fail.
• Gives you the flexibility to craft tailored exploits for unique environments.

How to Start Developing Exploits:

• Learn Python & Bash for automating reconnaissance and simple exploits.
• Study existing exploits and try to modify them to work in different scenarios.
• Explore buffer overflows, SQL injections, and RCE techniques to gain a strong foundation.
• Build your own enumeration tools to automate scanning and data extraction.

Being able to modify or create your own exploits will set you apart from other hunters and make you more effective in targeting real-world applications.

Cloud & Container Exploitation

With cloud computing dominating the tech landscape, cloud security misconfigurations have become one of the biggest attack surfaces. A majority of companies now use AWS, Azure, or GCP, meaning cloud exploitation skills are crucial for modern bug hunters.

Common Cloud Exploits:

• AWS & Azure Enumeration – Exploiting overly permissive IAM roles and misconfigured cloud storage.
• Container Breakouts – Taking advantage of misconfigured Docker, Kubernetes, or LXC environments to escape containerized restrictions.
• SSRF to Cloud Metadata Service – Exploiting Server-Side Request Forgery (SSRF) vulnerabilities to extract sensitive cloud credentials via 169.254.169.254.
• CI/CD Pipeline Attacks – Injecting malicious code into automated deployments to gain access to sensitive infrastructure.

Cloud security is a growing attack surface, and understanding how cloud services work will make your bug hunting skills far more valuable.

Leveraging AI & Machine Learning for Pentesting

Artificial Intelligence is reshaping cybersecurity, and ethical hackers can now use AI-powered tools to enhance reconnaissance, automate exploit development, and perform large-scale code analysis.

How AI Can Assist in Pentesting:

• Automated Exploitation with AI – Using Large Language Models (LLMs) to generate payloads for fuzzing or SQL injection attacks.
• AI-Assisted Code Audits – Tools like GPT-based analyzers can review codebases to identify security flaws, logic bugs, and vulnerabilities faster than traditional methods.
• Malware Generation & Evasion – AI can assist in understanding and simulating real-world attack techniques used by threat actors.

AI isn’t replacing security researchers—it’s amplifying their capabilities. Ethical hackers who integrate AI into their workflow will be far more efficient in identifying and exploiting vulnerabilities.

Automating Reconnaissance for Faster Bug Discovery

Reconnaissance is the foundation of every successful bug hunt. The more efficiently you can gather intelligence on a target, the faster you’ll find vulnerabilities. Automating recon can significantly boost productivity and help you identify attack surfaces more quickly.

Essential Tools for Recon Automation:

• Asset Discovery: amass, naabu, subfinder
• JS Enumeration: lazyeggs, JSLinkFinder, LinkFinder
• Web Crawling & Archive Analysis: wayback, GAU, Katana
• Service & Device Scanning: Shodan, Censys

Why Recon Automation Matters:

• Helps identify outdated frameworks and backend technologies used by the target.
• Quickly maps out API endpoints and web services.
• Saves countless hours manually searching for attack surfaces.

The more efficiently you can gather information about a target, the better prepared you’ll be to find vulnerabilities before anyone else.

FINAL THOUGHTS

Bug hunting and ethical hacking are an ever-evolving field, and those who stay ahead of the curve will always have an advantage. By expanding your skillset in OSINT, scripting, cloud security, AI-assisted pentesting, and automated recon, you’ll become a far more effective hunter.

If you want to stand out in the ethical hacking community, focus on:
✅ Uncovering old security flaws using OSINT
✅ Developing your own exploits instead of relying on public ones
✅ Mastering cloud & container security as cloud adoption grows
✅ Leveraging AI to automate vulnerability research
✅ Speeding up your recon process to gain an edge over competitors

By adopting these advanced techniques, you’ll increase your chances of finding high-impact vulnerabilities and elevating your bug bounty career to the next level.

Join our in-house hunters on their journey of expanding skillsets and widening collaborations! Register as Secuna Hunter here: https://platform.secuna.io/signup/hunter

Just as trust strengthens relationships, robust security is essential for a thriving business. With cyber threats continuously advancing, companies of all sizes must stay vigilant to protect their assets. A single cyberattack can lead to financial losses, reputational damage, and even legal consequences. That’s why understanding the basics of cybersecurity is crucial for protecting your business, your clients, and your future.

Check out the Cybersecurity & Infrastructure Security Agency (CISA) website for an overview of the current cyber threat landscape.

Common Cyber Threats That Put Businesses at Risk

As businesses become more reliant on digital systems, cybercriminals are constantly evolving their tactics to exploit vulnerabilities. Whether targeting small startups or large enterprises, hackers use a variety of sophisticated and deceptive techniques to compromise business security.

Understanding these common cyber threats is the first step in defending against them. Here are some of the most dangerous threats businesses face today:

Phishing Attacks

Phishing is a deceptive tactic where attackers impersonate legitimate organizations through emails, messages, or websites to trick employees into revealing confidential information. These attacks often use urgency and fear to manipulate victims.

Ransomware Attacks

This type of malware encrypts an organization’s files, rendering them inaccessible until a ransom is paid. Ransomware can cripple business operations, cause severe financial loss, and even lead to permanent data loss if backups are unavailable.

Insider Threats

These threats originate from within the organization—whether from employees, contractors, or business partners—who may accidentally or intentionally compromise security. Insider threats can result from negligence, lack of cybersecurity awareness, or malicious intent.

Cybersecurity Mistakes Businesses Must Avoid

Even well-meaning businesses can fall into cybersecurity traps that leave them vulnerable to attacks. Cybercriminals are constantly evolving their tactics and small missteps—whether due to oversight, lack of awareness, or resource constraints—can lead to devastating breaches, financial losses, and reputational damage. To build a resilient security posture, businesses must be proactive in addressing common pitfalls. Here are some of the most frequent and costly cybersecurity mistakes to avoid:

• Ignoring Software Updates and Patches: Every software update comes with security fixes designed to close vulnerabilities that hackers can exploit. Businesses that delay or ignore these updates are essentially leaving their digital doors unlocked, inviting cybercriminals to exploit known weaknesses. Ransomware attacks, data breaches, and system takeovers often stem from outdated software.
• Using Weak or Reused Passwords: Weak passwords remain one of the easiest ways for hackers to gain unauthorized access. Many cyberattacks exploit stolen or guessed credentials, often obtained through past data breaches. Reusing passwords across multiple accounts further amplifies this risk.
• No Multi-Factor Authentication (MFA): A single password is no longer enough to protect sensitive data. Without MFA, a compromised password can give attackers full access to business systems, customer data, and financial records. Multi-factor authentication adds an extra layer of security by requiring a second form of verification, such as a fingerprint scan, a one-time passcode, or a security key.
• Lack of Cybersecurity Training for Employees: Employees are the first—and often the last—line of defense against cyber threats. However, without proper training, they can inadvertently become an organization's weakest link. Phishing emails, social engineering tactics, and malicious links are common entry points for cyberattacks.
• No Incident Response Plan: Cyberattacks are no longer a question of if but when. Without a well-defined incident response plan, even a minor security breach can escalate into a full-scale crisis. A lack of preparation can lead to delayed responses, increased data loss, prolonged system downtime, and regulatory penalties. Businesses should establish a structured response strategy that includes threat identification, containment, mitigation, and recovery protocols.
• Not Investing in Proactive Cybersecurity: Many businesses take a reactive approach to cybersecurity, only addressing threats after an attack has occurred. This can lead to significant financial and operational damage. Proactive security measures—such as continuous monitoring, penetration testing, threat intelligence, and security automation—help businesses identify and mitigate risks before they become full-blown attacks.

First Steps to Strengthen Your Business Security

Taking proactive steps toward cybersecurity can make a significant difference. While no system is 100% immune to attacks, implementing strong cybersecurity measures early on can significantly reduce risks. By prioritizing security from the start, businesses can build a resilient foundation that protects sensitive data, customers, and long-term success. Here are the key first steps every business should take to strengthen its cybersecurity posture:

• Back-Up Important Data Regularly: Regularly back up critical data to ensure that you can quickly recover in the event of an attack or system failure. Use a combination of cloud-based and offline backups, follow the 3-2-1 backup rule (three copies of data, two on different storage media, one offsite), and test backups frequently to verify their integrity.
• Enforce Strong Password Policies: Require employees to use strong, unique passwords for each account and encourage the use of password managers to store and generate complex credentials. Implementing password policies, such as mandatory password rotation and length requirements, further strengthens account security.
• Implement Multi-Factor Authentication (MFA): MFA adds an essential extra layer of protection by requiring a second form of verification, such as a one-time code, biometric authentication, or a security key. This reduces the likelihood of unauthorized access, even if passwords are compromised.
• Educate Employees on Cybersecurity Best Practices: Regular cybersecurity training ensures employees can recognize threats, follow best practices, and respond appropriately to suspicious activity. Implementing security awareness programs, phishing simulations, and clear security policies can greatly reduce the risk of insider-related breaches.
• Limit Access to Sensitive Data: Not every employee needs access to all business data. Implementing role-based access controls (RBAC) ensures that employees only have access to the information necessary for their roles. Regularly review access permissions and revoke credentials for former employees to minimize insider threats.
• Develop an Incident Response Plan: Having an incident response plan ensures that your team knows how to react quickly and effectively in the event of a breach. A well-defined plan should outline roles, communication protocols, containment strategies, and recovery procedures. Conducting regular incident response drills prepares employees to act decisively when security incidents occur.
• Work with Security Professionals to Identify Vulnerabilities: Conducting vulnerability assessments, penetration testing, and security audits can help detect weaknesses before attackers exploit them. Partnering with cybersecurity experts ensures that risks are identified and mitigated before they escalate. At Secuna, we specialize in helping businesses enhance their security posture through proactive security testing and expert guidance. Identifying vulnerabilities early can mean the difference between staying secure and suffering a costly breach.

Secure Your Business Before It’s Too Late

Cybersecurity isn’t just an IT concern—it’s a critical business priority that affects every aspect of your organization, from operations to reputation, and ultimately your bottom line. In today’s interconnected world, cyber threats are no longer something that only large corporations need to worry about—small and medium-sized businesses are increasingly targeted as well.

All businesses must keep in mind that cybersecurity isn’t a one-time fix; it’s an ongoing process that requires constant vigilance and adaptation. As cybercriminals become more sophisticated, your security measures must keep pace. Regular audits, updates, and employee education are crucial to staying one step ahead of potential threats.

Evaluate your current security measures, train your employees to recognize potential threats, and partner with cybersecurity professionals to identify and address vulnerabilities before they are exploited. Don’t wait for a breach to prompt change—by acting now, you’ll prevent future headaches and safeguard your business.

If you need expert guidance, Secuna is here to provide proactive, tailored security solutions that fit your unique needs. Contact us at sales@secuna.io today!

Stay tuned for this week’s deep dive into Committing to Cybersecurity! Follow us on Facebook, LinkedIn, Instagram, and X for more insights and updates.

Reflecting on the cybersecurity landscape of 2024, ethical hackers emerge as pivotal figures in the fight against ever-evolving digital threats. Often referred to as “white hats” or “hunters,” these professionals have risen to prominence, using their expertise to anticipate and counteract malicious cyber activity. In a year marked by groundbreaking technological advancements and increasingly sophisticated attack vectors, ethical hackers have been at the forefront of defending businesses, individuals, and critical infrastructures. From combating AI-driven cyberattacks to addressing the growing threats of hacking-as-a-service platforms and deepfake technologies, 2024 underscored their essential role in navigating a complex and dynamic digital environment.

Notable Developments in 2024

Surging Demand for Ethical Hackers

There has been a significant global surge in the demand for ethical hackers, driven by the urgent need to counteract cybercriminals who use similar techniques for malicious purposes, with regions like India seeing a notable increase in this demand. Ethical hackers, often referred to as white hats, leverage their expertise to protect and strengthen digital infrastructures against evolving threats.

Hacking-as-a-Service and Deepfake Threats

Ethical hackers are increasingly focused on combating the growing threats posed by hacking-as-a-service platforms and the misuse of deepfake technology. These services, often paid for with untraceable cryptocurrency, allow cybercriminals to conduct sophisticated attacks, such as identity theft and fraud, challenging ethical hackers to develop new defense strategies.

AI-Driven Cyberattacks

A significant 83% of ethical hackers reported encountering AI-enhanced cyberattacks in 2024, signaling a shift in attack tactics. This evolution highlights the need for ethical hackers to adapt, as AI not only serves as a tool to improve defense systems but also enhances the complexity of malicious threats.

Ethical Hacking’s Role in Protecting Businesses in 2024

The rise of ethical hacking has been pivotal in safeguarding businesses against cyber threats. Ethical hackers are crucial in identifying vulnerabilities, securing digital assets, and supporting organizations in fortifying their security strategies, underscoring their essential role in modern cybersecurity.

Expansion of Bug Bounty Programs

As organizations recognize the power of crowdsourced security, bug bounty programs saw significant growth in 2024. For example, Microsoft paid $16.6 million to over 340 ethical hackers through its bug bounty programs, reflecting the increasing value placed on their contributions to identifying and addressing security flaws.

Lessons Learned from 2024

1. The Rise of AI in Cybersecurity: AI has become both a powerful attack vector and a critical defense tool in cybersecurity. Ethical hackers face the challenge of countering increasingly sophisticated AI-driven threats, while simultaneously using AI to enhance their capabilities, such as faster threat detection and predictive analysis. This dual role of AI calls for ethical hackers to stay adaptive, balancing defense strategies with evolving attack tactics.
2. Collaboration Matters: Collaboration has become a crucial element in building stronger defenses. Ethical hackers bring a fresh, hands-on perspective to identifying vulnerabilities, while cybersecurity providers offer advanced tools and frameworks to help secure systems. Synergy accelerates response times, improves security measures, and ultimately strengthens the defense against ever-more sophisticated threats. As cyber risks continue to grow, collaboration will be key to staying ahead of cybercriminals.
3. Emerging Threats Require Vigilance: Hacking-as-a-service platforms and the misuse of deepfake technology highlight the increasing accessibility and sophistication of cyber threats. Ethical hackers are on the frontlines of combating these emerging challenges, working to identify and neutralize these threats before they escalate. Adapting quickly to these new risks is vital as malicious actors continue to exploit advanced technologies.
4. Sector-Specific Vulnerabilities: Sectors like automotive and IoT are becoming major targets due to their growing reliance on interconnected systems. Ethical hackers are focusing on identifying vulnerabilities in these areas, from securing autonomous vehicles to protecting smart devices. As these sectors expand, ethical hackers must continue refining their methods to safeguard new technologies and ensure secure integration into everyday life.

Gearing Up for 2025

1. Strengthen Collaboration with Cybersecurity Platforms: Partnerships with cybersecurity platforms like Secuna will be essential for ethical hackers. These platforms offer collaborative environments for identifying vulnerabilities in real-world settings, allowing hackers to sharpen their skills while contributing to the security of organizations.
2. Embrace AI for Enhanced Defense: As AI-driven cyberattacks continue to evolve, ethical hackers must familiarize themselves with AI technologies to enhance their own defense mechanisms. Leveraging AI tools for faster threat detection, anomaly identification, and automating repetitive tasks will be crucial for staying ahead of increasingly sophisticated attackers.
3. Adapt to Emerging Technologies: With the rapid growth of blockchain, quantum computing, and 5G, ethical hackers should focus on understanding the unique vulnerabilities these technologies present. By gaining expertise in these areas, ethical hackers will be better equipped to secure systems and anticipate future threats associated with these innovations.
4. Counter Hacking-as-a-Service Threats: The growing availability of hacking-as-a-service platforms means ethical hackers must develop strategies to identify and neutralize these services. Staying updated on new tactics and learning how to detect these services will be vital to protect organizations from cybercriminals using them for attacks.
5. Focus on Critical Infrastructure Security: As sectors like automotive, IoT, and healthcare become more interconnected, the need for specialized security assessments in these areas will rise. Ethical hackers should focus on these critical industries, honing their expertise to address specific vulnerabilities and provide robust protection for increasingly complex systems.

Conclusion

Looking ahead to 2025, the lessons of 2024 serve as a vital roadmap for ethical hackers and the cybersecurity community. The past year has underscored the importance of adaptability, innovation, and collaboration in the face of increasingly complex and sophisticated cyber threats. The battle against these threats is relentless, and the ethical hacking community stands as a beacon of hope in an increasingly interconnected and vulnerable world.

By embracing cutting-edge tools, refining their skills, and focusing on protecting critical infrastructures, ethical hackers are not just defenders of the digital realm—they are architects of a safer future. Their role in mitigating risks tied to emerging technologies such as AI, blockchain, and quantum computing will be crucial as these innovations continue to reshape the digital landscape. Moreover, their efforts in fostering global partnerships and enhancing cybersecurity awareness will serve as a cornerstone for building a resilient and secure digital ecosystem for all.

Are you ready to join the ranks of ethical hackers shaping the future of cybersecurity? Register and get verified on Secuna’s platform now!

As we move further into 2025, it’s essential to look back at the cybersecurity landscape of 2024. This past year was marked by high-profile breaches, rapid technological advancements, and evolving threats—each serving as a crucial reminder of the ever-changing nature of cyber risks. By analyzing these events, we can draw valuable lessons to fortify defenses and avoid repeating mistakes in the year ahead. In this blog, we’ll review the most significant cybersecurity moments of 2024, the key takeaways, and how businesses can build on these insights to prepare for a more secure and resilient 2025.

2024’s Notable Cybersecurity Highlights

High-Profile Cyberattacks

• Cybersecurity Threats to Government Infrastructure: In May 2024, the hacker group “DeathNote” launched a highly destructive cyberattack that compromised sensitive data from 31 government and private entities across the Philippines. The breach exposed a range of personal, financial, and government-related information, sparking widespread concern over the vulnerability of critical infrastructure. This incident underlines the importance of comprehensive cybersecurity frameworks to prevent such large-scale breaches in the future.

• Financial Systems at Risk: In 2024, fintech giant Finastra, which supports many of the world’s largest banks, disclosed a significant cyberattack. This breach impacted financial operations and exposed critical data, underscoring the growing risks faced by financial institutions. The incident highlights the need for enhanced cybersecurity frameworks to safeguard sensitive financial systems and prevent future disruptions in the fintech space.

• The Healthcare Sector Under Siege: In 2024, the United Nations highlighted the growing threat of cyberattacks targeting healthcare systems globally. These attacks not only disrupted patient care and compromised sensitive medical data but also led to significant financial losses for healthcare organizations. The rising impact underscores the urgent need for robust cybersecurity measures to protect critical health infrastructure.

• Cybersecurity Crisis Hits Education: In 2024, a cybersecurity breach within the Philippine Education Ministry exposed over 210,000 records, including sensitive personal and tax information of students. The incident serves as a stark reminder that educational institutions remain prime targets for cyberattacks. It underscores the urgent need for stronger cybersecurity posture to protect students and sensitive information from increasing digital threats in an ever-expanding online environment.

Patch Management and Update Challenges

• Zero-Day Vulnerabilities on the Rise: Zero-day vulnerabilities saw significant exploitation in 2024, becoming a favored tool for cybercriminals targeting enterprise systems. These vulnerabilities, often exploited before patches are available, were used in sophisticated attacks across various sectors. The rise in zero-day exploitation prompted increased efforts in vulnerability management and rapid patch deployment.

• Widespread IT Outage from CrowdStrike Update: In July 2024, a routine update from CrowdStrike caused a significant IT outage, impacting multiple organizations and leading to disruptions across Windows-based systems. The issue stemmed from a logic error in a CrowdStrike Falcon sensor configuration, which affected millions of devices. The incident highlighted the critical need for thorough testing of updates and strong contingency planning to avoid operational downtime and mitigate potential risks to cybersecurity.

Emerging Trends

• AI in Cyberattacks and Defense: 2024 witnessed AI being leveraged for both offense and defense in cybersecurity. Attackers used AI to craft sophisticated deepfakes and manipulate narratives in fake news campaigns, while financial fraud surged with AI-powered scams. On the defense side, AI played a critical role in real-time anomaly detection and phishing prevention.

• Critical Infrastructure Attacks: In 2024, critical infrastructure became an increasingly popular target for cyberattacks. High-profile incidents like the American Water cyberattack and the BianLian ransomware attack on Boston Children’s Hospital highlight vulnerabilities in essential sectors. These attacks serve as a reminder that as industries become more interconnected, the risks to public safety and national security grow. The trend shows that securing operational technology (OT) and strengthening defense measures in these sectors must be a top priority to prevent widespread disruption.

Lessons Learned from 2024

1. Proactive Measures Are Essential: Organizations with robust threat intelligence programs identified risks faster and reduced recovery times. By implementing proactive strategies such as threat monitoring and incident response planning, businesses significantly minimized disruptions and stayed ahead of emerging threats.
2. Employee Awareness Is a Strong Defense: Phishing attacks often exploit human error, making continuous security training vital. Tailored education programs that evolve with emerging threats empower employees to serve as the first line of defense against social engineering tactics and cyber threats.
3. Critical Infrastructure Requires Immediate Attention: Attacks on healthcare and essential services in 2024 exposed the vulnerabilities in critical infrastructure. Strengthening cybersecurity in these sectors is no longer optional—it is a vital step in protecting public health, safety, and national security.
4. Swift Action on Zero-Day Threats Is Crucial: The increasing number of zero-day vulnerabilities in 2024 demonstrated the urgent need for rapid patch deployment and vigilant vulnerability management. Any delay in addressing these weaknesses leaves systems exposed to fast-moving and sophisticated cyberattacks.

Securing the Future in 2025

Invest in Proactive Cybersecurity

• Partner with top-tier cybersecurity providers like Secuna to gain access to advanced technologies and specialized expertise.
• Regularly review and upgrade security infrastructure to proactively address emerging threats and vulnerabilities.

Train and Educate Employees

• Implement ongoing training to ensure employees can recognize phishing attempts and other social engineering tactics.
• Establish clear reporting protocols so employees can quickly escalate suspicious activity, minimizing potential damage.

Back Up Critical Data Frequently

• Automate data backups to ensure consistency and reduce the risk of human error during manual processes.
• Store backups securely offsite to protect data from both cyber incidents and physical disasters.

Regularly Update and Patch Software

• Maintain a routine patch management schedule to address vulnerabilities and reduce exposure to cyber threats.
• Prioritize critical patches to quickly mitigate risks from newly discovered exploits.

Create and Test an Incident Response Plan

• Define clear roles and responsibilities within the plan to ensure a coordinated response during a crisis.
• Regularly test the plan through drills to ensure readiness and identify areas for improvement.

Conclusion

2024 reinforced the ever-present truth that cybersecurity is not just an IT issue but a business imperative. The key takeaways for organizations are clear: prioritize proactive security measures, address vulnerabilities swiftly, and foster a culture of awareness. Businesses that embrace proactive cybersecurity strategies, like regular threat assessments and comprehensive employee training, position themselves to stay ahead of evolving threats.

As we navigate into 2025, the commitment to “Security First” will differentiate resilient businesses from vulnerable ones. By learning from the past and investing in robust strategies, businesses can not only protect their assets but also build trust with their stakeholders.

Want to make sure you have a safe, more secure year ahead? Collaborate with us now!

Launched just two years ago, CodeChum has made significant strides in bridging the gap between academia and tech industry. With partnerships across 70 schools and a growing user base of 15,000 students, CodeChum connects learners with both local and international companies, empowering students to transition from education to employment. As their platform expanded, so did their need for robust cybersecurity to protect sensitive student and institutional data. They recognized that securing their platform was paramount in maintaining trust with their users, schools, and corporate partners.

CodeChum’s increasing responsibility to safeguard sensitive personal information, student performance metrics, and other confidential data brought them to a critical juncture: securing their platform was no longer optional—it was essential.

The Intersection of Education and Cybersecurity

In recent years, the education sector has faced a sharp rise in malware and ransomware attacks globally. According to SonicWall’s 2023 Cyber Threat Report, malware attacks in the education sector surged by 157% in 2022. Similarly, Malwarebytes’ 2024 report labeled 2023 as the “worst year on record” for ransomware in education, with a staggering 70% increase in such attacks.

While digitalization in the education sector remains important and continues to rise amidst these cyber threats, it has become equally essential for Educational Technology (EdTech) platforms like CodeChum to pay important attention to cybersecurity.  As these platforms handle sensitive information, including students’ personal details and performance records, it is crucial to protect these data to preserve user trust and credibility while continuously providing innovative solutions to improve their users’ learning experiences.

By partnering with Secuna, CodeChum has reinforced its commitment to safeguarding the personal information and performance metrics of thousands of students, ensuring that their platform remains secure and trustworthy in an increasingly vulnerable digital world.

CODE to Cybersecurity Commitment

CodeChum’s dedication to cybersecurity and preserving the trust of their clients are reflected in the code of their core principles:

Credibility: CodeChum ensures that their platform remains a trusted resource by implementing rigorous security measures. Their focus on maintaining credibility strengthens relationships with partners and users, proving their commitment to data protection.

Heightened Trust: By partnering with Secuna, CodeChum was able to deliver a Certificate of Cybersecurity Compliance along with other relevant documents to their partners, providing a formal assurance that the platform has been thoroughly tested and secured by a reputable cybersecurity company.

User Protection: Securing their users’ sensitive information is an important priority for CodeChum. By finding and reducing vulnerabilities in their assets, they lessen the risk of exposing their users to data breaches, securing their long-term success and the integrity of their platform.

Mitigating Risks: CodeChum’s approach to cybersecurity is strategic, ensuring that security is not an afterthought but a critical business value, protecting both their platform and their community.

Why Secuna?

Selecting the right cybersecurity partner is pivotal to a platform's security. For CodeChum, this decision was crucial, driven by the urgent need for robust protection and rapid response.

From the outset, CodeChum needed a cybersecurity partner that could deliver quick results while providing extensive asset protection. With their growing user base and sensitive student data, it is imperative to mitigate risks as quickly as possible. Time was of the essence, and the security of their platform was paramount to maintaining their partnerships and user trust.

Secuna quickly stood out as the top choice for several compelling reasons. As the first cybersecurity company recognized by the Department of Information and Communications Technology (DICT) to reach out, Secuna immediately demonstrated its credibility as a proactive and reliable partner in securing organizations. Additionally, Secuna’s deliverables—including a Certificate of Cybersecurity Compliance and a comprehensive, well-documented pentest report—offered significant value to CodeChum, providing the tangible proof of platform security needed to reassure both their partners and users.

The Engagement

The collaboration between CodeChum and Secuna was marked by an efficient and thorough approach to identifying and addressing security vulnerabilities. Here’s a detailed look into the engagement:

• The penetration testing for CodeChum’s programming education platform was done based on frameworks like OWASP WSTG, the Top 10 Web Application Vulnerabilities, and the Top 10 API Weaknesses.
• Secuna’s own methodologies for penetration testing were also applied to CodeChum’s platform.
• Detailed reports were provided in real-time in the Secuna platform, allowing CodeChum to immediately address high-priority items even while the testing was still ongoing.
• Secuna provided unlimited retesting to properly verify the effectiveness of the fixes applied by CodeChum on the discovered vulnerabilities.
• Secuna and CodeChum maintained agile and highly collaborative communication between teams through the Secuna Platform, making remediation and verification of fixes highly efficient.

And these actions yielded the following outcomes:

• The Secuna team submitted the first detailed report within the first 5 hours of the engagement, with reports consistently delivered promptly.
• Among the identified vulnerabilities, two (2) were rated with Critical severity by the Secuna team, one of which had the highest possible severity score on the CVSS.
• The two (2) critical issues were reopened multiple times during the retesting phase, highlighting Secuna’s meticulous fix verification process and CodeChum’s eagerness and diligence in implementing robust fixes for these key vulnerabilities.
• The CodeChum team fixed a total of five (5) vulnerabilities identified by the Secuna team.
• The CodeChum team demonstrated impressive efficiency by resolving the first valid report submission within just 3 days, showcasing their dedication and speed in applying fixes.
• The CodeChum team showed a commendable average remediation time of 2.6 days.
• The CodeChum team met their engagement deadline by swiftly addressing and resolving issues, showcasing the effectiveness of Secuna’s real-time reporting and agile pentesting approach through Secuna’s platform.

Moving Forward

By partnering with Secuna, CodeChum was able to significantly bolster the security of their platform. The vulnerabilities identified during the penetration test were promptly resolved, allowing CodeChum to maintain the trust of their students, schools, and corporate partners. Not only did they fix the immediate issues, but the engagement also led to long-term improvements in CodeChum’s development workflow.

According to CodeChum, while their security practices were already in place, the collaboration with Secuna pushed them to adopt more robust measures, such as conducting regular code security reviews and incorporating additional security tools into their development pipeline. Their successful partnership with Secuna has laid the groundwork for a more secure and reliable platform, which they will continue to build upon.

For organizations that prioritize the safety of their clients, CodeChum’s advice is simple:

“Choose Secuna for your VAPT needs. They align with your business goals and consistently go above and beyond to meet deadlines.”

Secuna remains committed to providing top-tier cybersecurity solutions, helping clients like CodeChum secure their platforms, protect their data, and stay ahead of potential threats.

Want to experience it first-hand? Collaborate with us now!

Introducing LISTA PH
Empowering a thriving community of over 1 million users to achieve their financial aspirations, Lista has transformed the Filipino landscape of financial management since its grand debut in November 2021. With its easy-to-use financial tools, Lista has streamlined the process of managing money, making it effortlessly accessible and seamless for individuals to navigate their financial journeys.

As Lista continues to expand their community and introduce loads of fun features to bring more practical and positive benefits to their users' daily lives, the commitment to protecting their users' data and privacy from digital threats also become their top priority. Recognizing the importance of the trust placed in them by their user base, Lista has teamed up with Secuna. This collaboration involves routine checks and comprehensive testing to ensure that their application, from the main products down to their backend services, is safe and secure.

Changing the Game of Managing Finances
In an era marked by digital transformation, a shift further accelerated by the COVID-19 pandemic, consumers have significantly gravitated towards online channels. In response, companies and industries have swiftly adapted to this changing landscape.

Notably in the Philippines, a prominent shift has been observed in digital payments, with Filipinos increasingly embracing cashless transactions through mobile wallets or card-based payments. Concurrently, organizations, spanning from SMEs to large enterprises, are continuously and proactively seeking ways to align with and adapt to this ongoing digital transformation.

This shift in both individual and organizational behavior presented a great opportunity for Lista to pursue its mission of helping Filipinos keep their finances in check through their handy mobile application. From budgeting and expense tracking to setting and reaching your own financial goals, Lista has become one of the leading apps on financial management in the Philippines.

Listing Cybersecurity Promises
Lista, being committed to guaranteeing the protection and privacy of their users’ data, seeks to deliver this promise by overcoming the following challenges:

• Let users’ data be constantly protected from security vulnerabilities
• Introduce new features consistently while keeping the app also consistently secured
• Secure their infrastructure as they continue to scale, preventing any hiccups that could cause any trouble
• Test API resources thoroughly to ensure that there are no broken authentication or security vulnerabilities introduced to their system
• Achieve regulatory compliance with partners by presenting security testing results

Why Secuna?
Secuna, as a community-powered cybersecurity testing platform, is well known for their collaborative approach in conducting security testing.

From the initial engagement, Lista expected that Secuna’s team of skilled and seasoned penetration testers would provide high-quality and detailed reports — and they successfully delivered. In addition, being able to directly communicate with the penetration testers and discuss remediation recommendations made the process of fixing vulnerabilities on their end more seamless. This level of expertise and professionalism has not only drawn Lista back for not just one or two, but three successful collaborations in 2023 alone — and they are looking forward to teaming up again in future engagements.

Continuously Elevating Cybersecurity Standards
Lista engaged in several collaborative efforts with Secuna, initiating a comprehensive penetration testing for the entire system of their Android and iOS mobile applications during their first engagement. Subsequently, upon the introduction of new features such as Budget Buddy, OCR, and the KYC process, a targeted round of testing was conducted to assess the security of these specific modules. Lastly, Lista took a proactive stance in enhancing its security posture by extending the assessment to include the security evaluation of their AWS cloud infrastructure in their latest engagement in 2023.

The collaboration highlights the following actions:

• The penetration testing for Lista’s mobile applications was done based on frameworks like OWASP MSTG/MASVS and OWASP Top 10 API Vulnerabilities.
• Secuna’s own penetration testing methodologies along with other cloud exploitation frameworks were applied for Lista’s cloud asset.
• Detailed reports were provided in real-time in the Secuna platform, prompting immediate action on the most important items, over the course of each engagement.
• Agile and highly collaborative remediation approach was utilized through the Secuna platform.
• Secuna provided unlimited retesting for 1 month for each engagement to properly verify the effectiveness of the fixes applied by Lista on the discovered vulnerabilities.

And these actions yielded the following outcomes:

• The Secuna team, on average, submitted the first vulnerability report within 4.5 days from the start of engagement.
• The Lista team successfully fixed a total of 24 security vulnerabilities identified by the Secuna team.
• Among the identified vulnerabilities, six (6) were rated from High to Critical by the Secuna team based on the industry-standard scoring system CVSS 3.1.
• The Lista team demonstrated a commendable response time, averaging 34.5 days to remediate the first valid report submission.
• The Lista team showcased an impressive average remediation time of 34.5 days.
• During the retesting phase, only 25% of the applied fixes were reopened, highlighting Lista team’s ability to deliver immediate and effective remediation.

Making a Difference
As Secuna and Lista continue to work together, the latter has now adopted multiple security practices to enhance the protection of their assets and users’ data.

Lista indicated that they have incorporated and followed Secuna’s recommendations to boost their security — this includes readying tools for automating code scans to check for vulnerabilities and improve code quality.

Moreover, along with applying specific practices on their own, Lista also stated the importance of having the security of their products and services regularly tested by an organization that they trust, which has been Secuna for over a year and counting.

As a company that extends their commitment to cybersecurity to everyone, here’s a piece of advice Lista has for other organizations that are considering getting penetration testing services,

“Don’t compromise on cybersecurity, as even minor vulnerabilities can significantly impact your organization. Collaborate with seasoned partners like Secuna to assess the security of your products, services, and infrastructure.”

Are you ready to secure your platform? Collaborate with Secuna now!

In today's tech-filled world, the surge of cyber threats poses significant risks to individuals, organizations, and even entire nations. As our dependence on wireless networks expand, so does the playground for malicious actors, resulting in frequent date breaches, ransomware attacks, and cybercriminal activities. In this digital landscape that brings unparalleled convenience and efficiency, prioritizing cybersecurity through services like Vulnerability Assessment and Penetration Testing (VAPT) stands as a critical proactive measure to secure our digital assets and protect both our valued users and organization.

Vulnerability Assessment and Penetration Testing (VAPT): The Crucial First Step Toward Safeguarding Your Assets

VAPT stands as an essential pillar for an organization's digital security. It allows organizations to proactively identify, analyze, and fix weaknesses within their digital infrastructure before they become exploitable targets for malicious actors.

Vulnerability Assessment involves a systematic review of software, networks, and systems, usually through the use of automated scanning tools, to uncover potential weaknesses. Penetration Testing goes a step further by allowing a team of security researchers (hunters) to simulate real-world cyber attacks to identify vulnerabilities, assess the resilience of defenses, and uncover potential security gaps. These combined approaches empower individuals and organizations to reinforce their digital defenses, stay ahead of evolving threats, and guarantee the confidentiality, integrity, and availability of sensitive information. In a time where cyber vulnerabilities wield unprecedented impact and consequences, VAPT becomes a crucial first step towards safeguarding an organization's assets and developing a more secured digital environment for everyone.

What Weakens Your Defense From Digital Threats?

Various factors contribute to the vulnerability of digital platforms. These vulnerabilities can range from flaws in software and hardware design to human errors and malicious intent. Unraveling these causes is vital in crafting  an effective and robust cybersecurity strategies to safeguard your digital assets and preserve the integrity of the interconnected world we navigate today. Let's explore some of the multifaceted origins of vulnerabilities, according to a report released by National Security Agency (NSA) way back in 2020, and shed light on the intricacies of the challenges faced in the field of digital security:

• Poorly configured system
• Poor access control management
• Shared tenancy between multiple software and hardware systems
• Vulnerabilities introduced by supply chains

Why is VAPT Important?

VAPT, as a proactive and strategic methodology, plays a pivotal role in identifying, evaluating, and mitigating potential security risks in our systems. Understanding the importance of VAPT involves recognizing the dynamic nature of cyber threats and the potential vulnerabilities that lurk within digital assets.

Let’s delve into the significance of VAPT and highlight why this proactive approach to cybersecurity is crucial in identifying and addressing vulnerabilities before they can be exploited by malicious actors:

• To identify security gaps in your organization's systems
• To strategically prioritize the mitigation of discovered risks
• To improve your product Software Development Life Cycle (SDLC) process

Secuna Pentest: Your Modern Approach to VAPT

Secuna Pentest is a proactive approach that simulates real-world attacks in order to conduct thorough manual assessments of digital assets. Combined with the utilization of the Secuna Platform, vulnerabilities are reported instantly to organizations, enabling prompt triaging and prioritization of the mitigation of critical risks. Our service aims to empower organizations to seamlessly integrate cybersecurity testing to their software development life cycle to elevate their defenses, proactively mitigate potential risks, and enhance the overall strength of their cybersecurity early on during the development to defend against evolving threats before they become an even more expensive problem.

Diversified Secuna Penetration Tests

• Web App Pentesting
  We provide an efficient manual and automated exploitation of your custom-developed or CMS web applications.
• Mobile App Pentesting
  We exploit vulnerabilities in both iOS and Android mobile applications, providing valuable insights into the potential risks that your applications may encounter.
• Network Pentesting
  We conduct thorough security assessments of both external and internal network infrastructures to identify and mitigate potential vulnerabilities that could put your servers at risk.
• Cloud Pentesting (AWS)
  Our Cloud Penetration Testing (AWS) service provides an intensive assessment of your cloud infrastructure’s to discover potential misconfigurations and other potential lapses in your security defense.
• API Pentesting
  Safeguard your digital assets and protect your organization’s data with our API Penetration Testing service, exclusively focused on GraphQL and REST APIs.

Benefits of Secuna Pentest

• Satisfy Security Compliances: Ensure adherence to compliance and regulatory requirements, including but not limited to PCI-DSS, HIPAA, ISO 27001, SOC 2 Type II, DPA of 2012, GDPR, and CCPA through the strong security measures provided by Secuna Pentest.
• Highly Experienced Hunters: Our certified hunters with certifications like OSCP, OSWE, CEH, CySA+, CISSP, CompTIA (Network+ and Security+), CCS-SCOR, and more  undergo a rigorous screening process, ensuring that you collaborate with the best experts in the security field, guaranteeing the highest standards of excellence, credibility, and trustworthiness.
• Extensive Vulnerability Identification: Mitigate and minimize risks within your digital assets through our efficient and comprehensive testing. We proactively identify and address weaknesses and vulnerabilities in your application, preventing potential exploitation by malicious attackers.
• Elevated Security Posture: Strengthens your overall security posture and reduces the likelihood of successful cyber attacks. Secuna Pentest ensures that potential weak points are protected, contributing to a more secure and resilient digital environment.

As we navigate through the ever-evolving digital landscape, the importance of protecting our digital assets, to protect both our organizations and valued users, cannot be overstated. VAPT serves as the first step in developing a proactive security measure, offering crucial insights into potential security risks and vulnerabilities. Secuna Pentest, with its diversified and modern approach in conducting penetration testing as well as its commitment to compliancestandards, stands as a beacon of cybersecurity commitment. Secuna’s highly experienced hunters and comprehensive vulnerability identification contribute to an elevated security posture, reducing the likelihood of successful cyber-attacks. In embracing Secuna Pentest, together, we strengthen our defenses, mitigate risks, and collectively shape a more secure and resilient digital future.

Don’t have second thoughts on protecting your assets.
Collaborate with us now!

Every organization, though sharing an industry, carries its own unique identity shaped by its vision, mission, and core values. This individuality is further defined by industry nuances and distinct assets that they use to run their organizations or businesses.

Secuna, powered by its community-powered platform, extends its commitment beyond securing your business. We value your distinctiveness and prioritize your specific security needs.

This is embodied in one of our products, Secuna Response (Vulnerability Disclosure Program), a security program designed to cater to your organization’s unique objectives. Here, you wield the power to customize your security program to employ the expertise of our experienced hunters in our community in securing your assets while keeping everything aligned precisely with your organization’s security requisites.

What is SECUNA RESPONSE?

Secuna Response stands as a steadfast security initiative, showcasing your unwavering commitment to cybersecurity. This program engages a community of trusted cybersecurity professionals (hunters) who responsibly report vulnerabilities in your digital assets. This welcomes a “See Something, Say Something” process that helps ensure that potential security vulnerability reports end up with your team for you to properly and swiftly respond to before threat actors exploit them.

To know more about how Secuna Response works, read here.

Fine-Tune Your Secuna Response Program to Perfection

Starting your own Secuna Response program is just a few clicks away. Simply select the plan (Basic, Standard, Enterprise) that aligns with your organizational needs and proceed with the payment for the chosen subscription. Our Basic plan is complimentary, yet requires the submission of supporting documents for verification and approval before you can st2art setting up your program.

Once you are all set, you will be guided to customize your program according to your specific requirements. Here are the essential steps to tailor your program:

1. Program Information: Provide essential details to present your security program in the best light.

• Program Name
  Create an engaging and memorable program name that intrigues hunters, encouraging them to explore your program further. Consider using your organization’s brand or product name for a simple yet effective choice.
• Program Description
  Provide a concise description of your organization’s brand or product, providing insight into what your platform offers. Capture the hunters’ passion to help by effectively communicating your vision with them.
• Program Visibility
  Select the program visibility that aligns with your organization’s comfort level to determine who can view and participate in your program, ensuring a suitable fit for your security measures.
  
  Public Visibility - everyone can view non-sensitive information of your program but only registered and logged in hunters can participate in your program.
  
  Protected Visibility - all registered and logged in hunters can view non-sensitive information of your program but only verified hunters can participate in your program.
  
  Private Visibility - only invited verified hunters can view and participate in your program.

Here is a good example of what you can put in your program information:

• Program Name: Secuna
• Program Description: Secuna is a community-powered SaaS platform that helps protect organizations by allowing researchers to submit quality vulnerability reports.
• Program Visibility: Protected

2. Program Policy: Craft a distinct disclosure policy, outlining guidelines for participating hunters.

Here is a template that follows industry-standard ISO/IEC 29147 and disclose.io that you can use as reference.

3. Assets: Define in-scope (the list of assets you want our hunters to test) and out-of-scope (list of assets that’s not included in the program scope) assets to guide hunters in their testing efforts, with limits based on your subscribed plan.

Here you will provide the type of asset/s (e.g. Custom Web App, iOS Mobile App, Cloud, etc.) you want our hunters to test, their description, and their identifiers (URL, App ID, IP Address).

4. Program Members: Add key team members from your organization to oversee program management, with limited seats based on your subscribed plan.

To add a team member from your organization to the program, simply choose a role and supply their email address.

5. Hunter Invitation (For Private Programs): Handpick specific hunters for exclusive participation through personalized invitations.

To help you choose the most suitable hunters for your program, you can view their profile to see their ranking, skills, certifications, total points, resolved reports, thanks received, and total bounties received.

6. Schedule: Plan the launch of your program strategically by scheduling its start date effectively. Opt for an immediate launch post-setup or set a specific date for a scheduled launch in the future.

7. Launch: Complete the program setup process and wait for your program to launch!

Once your program becomes active, you'll seamlessly transition to your program dashboard, providing a comprehensive overview of your program. Now, all you have to do is to wait for reports from our hunters to come in, and promptly address any identified issues. Additionally, the platform provides the option for you to pause the program while maintaining your subscription, allowing you to temporarily halt the submission of new reports as you address the other existing reports first. You can resume your program at any time right after.

Secuna Response values more than just your security initiative, it extends to the principles of your organization and what it upholds. With Secuna Response’s customization functionality, from choosing plans to crafting program details before activation, you now have more capability in fortifying your digital assets according to your business objectives while ensuring a safer cyber-environment.

Are you excited to align your objectives with our program? Connect with us now!

In today's interconnected world, the continuously evolving technology offers us convenience in our daily lives but it is significant to acknowledge that it also presents us with various threats in the cyberspace.

This year, the Philippines witnessed a string of breaches across  notable government agencies like PhilHealth, the Philippine Statistics Authority, and law enforcement institutions such as the Philippine National Police. Private institutions like De La Salle University also had their own fair share of security incidents.

Amidst this evolving virtual landscape and growing cyberthreats, Secuna emerges with solutions such as Secuna Response (Vulnerability Disclosure Program), designed to boost your confidence and reinforce your security measures.

What is SECUNA RESPONSE?

Secuna Response is a continuous security program that will show your constant commitment to cybersecurity by allowing a community of trusted cybersecurity professionals (hunters) to properly and responsibly report security vulnerabilities concerning your digital assets that can be addressed before threat actors exploit them.

How does SECUNA RESPONSE work?

Secuna Response stands as a powerful initiative to boost your organization's security initiatives. It is essential to have a deeper understanding  on how it works to ensure that you can tailor your security program to seamlessly align it with your organization's business goals and specific requirements.

Here is a quick guide to help you get up and running with your first Secuna Response program:

Step 1: PROGRAM POLICY TAILORING and LAUNCHING
Our platform will allow you to create a customized security program policy tailored to your organization's unique requirements before launching the program. This step enables you to set the necessary rules and guidelines for the hunters to follow as they conduct tests in your organization's assets.

For a deeper understanding of policy tailoring, read the Secuna Response Program Customization here.

Step 2: NOTIFYING HUNTERS and VULNERABILITY HUNTING
Once you launch your program on the Secuna Platform, our hunters will be notified and swing into action. They will meticulously gather information about your application and carefully map its external footprint to pinpoint potential source of breaches during testing.

Step 3: MANAGING REPORTS
After discovering vulnerabilities, hunters will submit a comprehensive report of their findings through your Secuna Response program that will be reviewed, validated, and addressed by your internal team.

As a token of gratitude for their invaluable contributions to your Secuna Response program, our hunters receive the following acknowledgement from your organization:

• Thanks - this recognition is granted for each program once a report submitted by a hunter has been successfully resolved, enabling them to track the number of programs they made impactful contributions on the Secuna Platform.
• Reputation Points - hunters receive points or demerits to their reputation depending on the status of their reports. These points reflect the quality of their reports and their collaborative efforts with programs, shaping their standing in the Secuna community.

Why do you need SECUNA RESPONSE?

A great way of showing the world your devotion to building a safer cyberspace for everyone is through Secuna Response. These are what’s in the bag for you, along with real-life practice of placing high significance to cybersecurity:

Ready to experience Secuna Response first-hand? Collaborate with us now!

Dragonpay is the pioneer in alternative online payments in the Philippines giving access to customers to purchase goods or services online and pay for them using cash at physical, brick-and-mortar payment counters, ATMs, mobile wallets, or through online bank debit. Today, Dragonpay has processed over 100 million online transactions for Filipinos globally.

Since its founding in 2010, Dragonpay’s mission is to provide a more secure yet easily available e-commerce payment channel for the broad market.

Currently, they want to:

• maintain their commitment to have a secure solution
• get tested and certified by DICT-recognized cybersecurity assessment company
• identify if they are vulnerable to cyber attacks and exploits

After searching around for a penetration testing service provider, Dragonpay reached out to Secuna after a friend recommended its services. They talked to other local and foreign vendors but they decided to move forward with Secuna because of its reputation in the startup community and its recognition from DICT.

Secuna, a DICT-recognized cybersecurity assessment provider, helps ensure that any organization has their assets protected from potential cybersecurity issues and data breaches with service rates that are very equitable.

Secuna provided a Web Application Penetration Testing service to thoroughly assess the security of Dragonpay’s website application.

After a month of thorough penetration testing, 17 unique security vulnerabilities were reported, validated, and resolved. Three of which were found that had a severity score of higher than 7.0 in reference to Common Vulnerability Scoring System (CVSS).

Dragonpay team is very happy with the results and they would engage with Secuna again for future cybersecurity needs.

"We're very happy with the results. The service was very friendly and helpful."
– Robertson “Dick” Chiang, Founder and COO/CTO of Dragonpay Corporation

To learn more about DragonPay, visit their website https://www.dragonpay.ph/

Ready to secure your platform? Get in touch with one of our cybersecurity experts today.

Dashlabs.ai is a Y Combinator-funded company that started out as a volunteer effort to help combat the pandemic. Its lab software now powers the Philippine Red Cross, helping to automate and process more than 5 million COVID-19 RT-PCR tests in the Philippines.

Being the tech provider for the largest healthcare institutions in the country, Dashlabs.ai deals with a lot of healthcare provider and patient transaction data that needs to be processed on a daily basis. Processing large volumes of information is not just time consuming, but can also be prone to a lot of errors and security issues. This led to their partnership with Secuna.

Challenges

Dashlabs.ai was facing challenges brought by the persistent threats on healthcare providers and patients data due to lack of time and resources to monitor its platform’s security.

They requested a continuous security assessment to help identify potential weakness and exposure of personal health information (PHI) in their platform. This included checking potential entry points that cybercriminals may utilize to compromise its platform and network infrastructure.

Raising the bar on security

Secuna, the Philippines' community-powered cybersecurity testing platform, is known to help ensure that SMEs have their assets protected from potential cybersecurity issues and data breaches with service rates that are very equitable.

Ethical hackers are not only trained to spot vulnerabilities but are capable of preventing further online crimes. Their understanding of the breakdown of a data breach, where the common vulnerabilities are, and how to potentially resolve these before they become a problem helps reduce a company's risk of being breached.

Secuna provided a Bug Bounty Program service that is vital for spotting any vulnerabilities on time. Bug bounty programs incentivize security researchers for reporting a valid and impactful security vulnerability. This kind of program is now considered as an industry standard or best practice in identifying and receiving vulnerabilities. It is currently leveraged by the different government agencies and organizations across the globe.

Learn more about Secuna’s Bug Bounty Program. Book a call with one of our cybersecurity experts today.

Creating an impact with ethical hackers

With the successful Bug Bounty Program, Dashlabs.ai has managed to analyze potential hazards and act promptly on existing conditions of vulnerability that together could potentially harm exposed data.

Currently, this collaboration garnered the following results:

• Dashlabs.ai received multiple reports from the community of vetted and trusted hackers in Secuna platform
• First valid report was received 2 hours after launching the bug bounty program
• More than $10,000 was awarded to all hackers who reported valid reports

As the Dashlabs.ai team continues to work with Secuna, they keep sharing insights and looking to further strengthen the security of its platform.

"Secuna has helped our team improve the efficiency and security of the platform. As our team iterates quickly, we've been working with Secuna to help add security to our platform. Through Secuna, our team is able to gain further insight on security flaws while being able to iterate quickly."
– Philly Tan, CIO and Co-Founder of Dashlabs.ai

Ready to secure your platform? Get in touch with one of our cybersecurity experts today.

Twala helps businesses to legally and securely sign, and manage tamper-proof documents online with its blockchain digital signature and ID verification services. Furthermore, their platform manages sensitive data and critical documents of businesses.

Twala is compliant with the Philippines' E-Commerce Act and Supreme Court's Rules on Electronic Evidence. They are also legally accepted in other jurisdictions such as the US, EU, ASEAN, and many more. However, to meet regulatory security requirements and fend off cyberattacks, Twala needed a security partner to go beyond the traditional penetration testing and provide a real-world simulation of threats.

Challenges

Twala had the following challenges about cybersecurity:

• Make sure their platform is secure from all possible data breaches
• Validate the security measures implemented against unauthorized logins
• Make sure that identities in the Twala system cannot be taken over by malicious actors
• Identify if there are sensitive data leakages in their platform
• They had to engage with a cybersecurity firm that is certified by the Department of Information and Communications Technology (DICT) that is reasonably priced

Why Secuna

Twala Management realized that only qualified and experienced penetration testers could effectively test their platform, to identify security vulnerabilities, and verify if security measures are correctly implemented; before cybercriminals could exploit them.

Secuna has a reputable background and is known to help SMEs ensure that their assets are protected from potential security issues and data breaches with reasonable service rates.

Solutions Provided

Twala worked with Secuna in May 2021 to conduct Vulnerability Assessment & Penetration Testing (VAPT). Some of the service highlights provided during the engagement:

• Thorough penetration testing of website app, mobile app, and API assets based on OWASP Web Security Testing Guide v4.1
• Targeted penetration testing for blockchain digital signature and ID verification services
• Agile and highly collaborative vulnerability remediation approach through Secuna’s secure platform
• Unlimited retesting period to ensure fixes deployed were effective

Learn more about Secuna’s VAPT Methodology. Book a call with one of our cybersecurity experts today.

Results

After a month of extensive testing, this collaboration garnered the following results:

• Twala Team fixed 47 security vulnerabilities identified by Secuna Penetration Testing team.
• Secuna Penetration Testing team rated eight security vulnerabilities from High to Critical using CVSS 3.1, an industry-standard scoring system.
• Detailed technical report with easy to follow steps to replicate each vulnerability.

"We had a superb experience working with Team Secuna. They are very attentive to details and highly collaborative. Apart from delivering the business side of things, we loved how Paulo and AJ were super hands on all the way through our engagement. Kudos guys!"
– Charlie, COO Twala

Ready to secure your platform?
Get in touch with one of our cybersecurity experts today.

Generally, the term hackers pertains to individuals or organizations that gain access to a target system using methodologies and tools designed to bypass security of computer systems. However, NOT ALL HACKERS ARE BAD. Some type of hackers are actually GOOD GUYS that can greatly help your company deter cybercriminals from compromising your system.

There are 3 types of hackers:

• Black Hat Hackers , they are the Cybercrminals;
• White Hat Hackers, also known as Ethical Hackers, they are The Good Guys; and
• Gray Hat Hackers, well... read on below to know what makes them 'gray'.

'Black Hat’ Hackers

A Black Hat hacker is an individual who gains unauthorized access into a system to exploit it for malicious reasons. They are the ones deemed as CYBERCRIMINALS.

The Black Hat hacker does not have any permission nor authority to compromise their targets. They try to inflict damage by compromising systems, altering functions of websites and networks, or shutting down systems. They often do so to steal or gain access to passwords, financial information, and other personal data.

‘White Hat’ Hackers

White Hat hackers, often referred to as Ethical Hackers, are deemed to be the good guys, working with organizations to strengthen the security of a system.

A White Hat has permission to engage the targets and to compromise them within the prescribed rules of engagement. They exploit security networks and look for backdoors when they are legally permitted to do so and always disclose every vulnerability they find so that it can be fixed before they are being exploited by malicious actors.

‘Gray Hat’ Hackers

Gray Hats exploit networks and computer systems in the way that black hats do, but do so without any malicious intent.

Usually, Gray Hat hackers go around the net looking for targets, hack into their computer systems, the notify the administrator or the owner that their system/network contains one or more vulnerabilities that must be fixed immediately.

The Global Hacker Community

YES, there is actually huge Global Hacker Community that congregates regularly to share knowledge and experiences in hacking. Events such as the Annual Defcon Event (International), and locally in the Philippines - the Annual Rootcon Event are well-attended by mostly Ethical and Gray Hat Hackers. Most of these events are even sponsored by big tech companies namely Google, Facebook, etc. (in addition to the hacker conferences these tech companies hold themselves).

How the Global Hacker Community can help your Company

At Secuna, we help companies hunt for security bugs or vulnerabilities in their websites and apps continuously with the help of the Secuna Global Community of Ethical Hackers. However, unlike the traditional one-time security audit commonly known as Vulnerability Assessment and Penetration Testing (VAPT) – usually a requirement of regulators here in the Philippines – Ethical Hackers participating in the Secuna Bug Bounty Program continuously hunt for vulnerabilities and report any discovery via the Secuna Discover Platform. This keeps you continuously updated on any vulnerability that may be present in your system, specially due to the frequent releases after the VAPT.

If you are serious in enhancing your cybersecurity measures, check out our how our Discover Platform can help you run your own Bug Bounty Program: https://secuna.io/discover

Or, you may send us an email at: hello@secuna.io

Cybercriminals have been hard at work in the past few months. It's not just small business and start-ups that are at risk, schools are in just as much risk, specially as Philippine Schools are transitioning to online education in the next couple of months.

The news of FEU, UP Visayas and San Beda's websites being hacked have been circulating in social media but there are actually more schools that have been breached in one month alone. This clearly shows schools are not exempt from cyber crimes, and this leads us to question: are Philippine Schools ready to go online?

Just this June 2020 the following schools that have been hacked:

1. ACCESS Computer College
2. San Beda University
3. University of the Philippines Visayas
4. Far Eastern University
5. Cebu Normal University
6. Tarlac Agricultural University
7. University of St. La Salle
8. ICCT Colleges
9. AMA University
10. Manuel S. Enverga University Foundation
11. Polytechnic University of the Philippines Sta. Mesa
12. University of Mindanao
13. Apayao State College
14. Mabalacat City College
15. Bulacan State University
16. DepEd Caraga
17. Lipa City Colleges
18. University of the East
19. Technological Institute of the Philippines
20. Angeles University Foundation
21. Camarines Sur Polytechnic Colleges
22. Trinity Christian School
23. Our Lady of Fatima University
24. Northwest Samar State University
25. Polytechnic University of the Philippines Taguig
26. De La Salle University
27. Samar State University
28. Rizal Technological University

‌‌See the details here: https://github.com/ajdumanhug/gothacked

Though a one-time Vulnerability Assessement and Penetration Testing (VAPT) for their online assets will help Philippine Schools to kick-off their Cybersecurity Program, they need something that will continuously help them discover security vulnerabilities in their systems, as cybercriminals are constantly on the prowl. Being open to a Coordinated Vulnerability Disclosure Assistance Program is a good step, but running a Bug Bounty Program will give them even more advantage.

One idea of a Cyber Security Program, if a school has IT-related courses, is to hone their students' ethical hacking skills and incentivize them to look for security vulnerabilities in their own school's digital assets – perhaps a School Bug Bounty Program. However, this may take some time to set-up and run. Schools need to be secured as soon as possible!

We at Secuna are always ready to help these schools quickly start their Cybersecurity Programs. With our robust platform built for Bug Bounty and Vulnerability Disclosure plus a community of 700+ registered cybersecurity professionals, schools can setup a program in a few days and start getting Vulnerability Reports after just a few hours.

If you know anyone who may benefit from this, please let them contact us. So we can help them secure their school's online assets.

Secuna has been striving to be at the forefront of cybersecurity in the Philippines. Since our inception in 2017, we have committed ourselves in helping companies, organizations and even the government secure their digital assets.

We have been constantly improving and innovating the way we help our clients discover, verify and remediate vulnerabilities in their digital assets to ultimately secure their organizations -- from offering comprehensive Vulnerability Assessment and Penetration Testing (VAPT) services, launching the first ever Coordinated Vulnerability Disclosure Assistance Program in the Philippines, and introducing Philippine Companies to the first and only Bug Bounty Platform in the Philippines, we are enabling businesses to run their Vulnerability Disclosure Programs efficiently and effectively enhances their Vulnerability Management.

We appreciate the Department of Information and Communications Technology (DICT) of the Philippines for maintaining us in their list of their recognized cybersecurity assessment providers in the Philippines: https://dict.gov.ph/recognition-scheme-cybersecurity-assessment-providers/

In 2021 and  onwards we are continuing our commitment to secure Philippine companies; may they be startups, enterprises or NGOs. With the guidance of the DICT, we are here to apply the highest level of cybersecurity standards.