I was thrilled to catch up with ForAllSecure during Black Hat USA 2024. ForAllSecure
is an organization of hackers, developers, and security professionals dedicated to research and innovation in the cybersecurity industry. ForAllSecure is also a cybersecurity company founded in 2012 by a team of researchers from Carnegie Mellon University. The company’s mission is to revolutionize the way organizations approach cybersecurity by automating the process of finding and fixing software vulnerabilities. Mayhem, by ForAllSecure, is an AI-driven application security platform that pinponts reachable, exploitable vulnerabilities in your code and APIs.
In my PANCCD™ cybersecurity model, code is only second to data, our most treasured assets and apps are closest to our people, the highest risk:
Yet application security and secure code has been overlooked for far too long. What Is PANCCD? This acronym represents a model for understanding Cybersecurity at every level:
- P – People
- A – Applications
- N – Networking
- C – Computing Devices
- C – Code
- D – Data
Each of these areas represent potential security risks and opportunities to improve the strength and resiliency of your Cybersecurity efforts. When an attack threatens your system or data or a successful breach occurs, it is usually associated with one of these elements.
Application security is noisy and inaccurate. Only 55% of security risks reported by current developer tools are real. So, it’s no wonder two-thirds of development teams spend more time triaging application security results than fixing actual issues. Mayhem eliminates noise so you can fix what matters.
With Mayhem, every result is real. Unlike traditional approaches to application security that rely on static scans or curated dynamic tests, Mayhem starts with your application or API and uses runtime intelligence to pinpoint reachable and exploitable vulnerabilities.
First, Mayhem’s Dynamic SBOM builds a profile of every component that’s invoked as your application runs. This delivers a clear picture of software supply chain risk – showing you the third party dependencies, open source libraries, and more – that are actually being used by your code. Observed CVEs are highlighted and prioritized for development teams to fix, so you can skip triage and move straight to remediation.
Mayhem’s Behavioral Testing identifies exploitable vulnerabilities in your applications and APIs. It combines multiple analysis techniques – symbolic execution, fuzz testing, binary analysis, and more, pairing them with an AI engine that creates tailored test suites for your application or API. By combining analysis techniques and sharing data between them, Mayhem is able to maximize coverage of your application. Mayhem tests have one goal – find exploitable vulnerabilities, known or unknown.
Together, the Mayhem platform gives you a continuously updating picture of application risk, while eliminating the noise of traditional application security and freeing your developers from time wasted on triage and reproduction.
“After the dust settled from DevSecOps, it was clear that all we’d done was shift a bunch of noise into the development workflow. Mayhem was built to cut through that noise.”
“Integrating Mayhem into our development process was a breeze, only taking a few minutes to configure and deploy… Mayhem allowed us to easily expand automated testing that would have taken significantly more effort with other solutions.”
Alessandro Ghedini – Systems Engineer, Cloudflare
Mayhem cuts through the noise and delivers only actionable results. By focusing on reachable, exploitable vulnerabilities, Mayhem enables your team to concentrate on what truly matters—securing your applications without being bogged down by false positives. Get a demo by visiting https://mayhem.security/demo and find them on Twitter (X): @MayhemSec #ApplicationSecurity #APISecurity #DevSecOps
About the Author
Gary Miliefsky is the publisher of Cyber Defense Magazine and a renowned cybersecurity expert, entrepreneur, and keynote speaker. As the founder and CEO of Cyber Defense Media Group, he has significantly influenced the cybersecurity landscape. With decades of experience, Gary is a founding member of the U.S. Department of Homeland Security, a National Information Security Group member, and an active adviser to government and private sector organizations. His insights have been featured in Forbes, CNBC, and The Wall Street Journal, as well as on CNN, Fox News, ABC, NBC, and international media outlets, making him a trusted authority on advanced cyber threats and innovative defense strategies. Gary’s dedication to cybersecurity extends to educating the public, operating a scholarship program for young women in cybersecurity, and investing in and developing cutting-edge technologies to protect against evolving cyber risks.