AI-based and manual security diagnosis service “RayAegis”

About RayAegis
RayAegis is a group of over 250 highly skilled white hat hackers and security engineers worldwide who provide security consulting services to government agencies, financial institutions, major manufacturers, transportation systems, and other organizations.
RayAegis' technical team is made up of highly skilled security engineers, including holders of master's and doctoral degrees in computer and information security from Carnegie Mellon University and Purdue University in the United States and from the Department of Electrical and Information Science at National Taiwan University, as well as experts holding information security qualifications such as CISSP, CISM, and CEH.
With years of experience, we have in-depth knowledge of hacker methods and techniques, and of the management practices that, combined with them, protect your company's confidential information from being illegally obtained by outside hackers or by employees.
Combining the world's most advanced security and AI technologies, RayAegis' proprietary tools "RayScanner" and "RayInvader" draw on a database of proprietary information synchronized with the US government to efficiently check whether websites and applications have already been compromised and to search for unknown vulnerabilities such as zero-day exploits, providing security services that meet the strictest international standards.
RayAegis service features
As technology advances, malicious hackers now use more advanced programs and attack tools to break into corporate systems and steal data. Overall, attack methods are shifting away from exploiting a single vulnerability toward multi-vector attacks, which chain multiple vulnerabilities chosen according to the intended effect and the situation and target the weak points of the system as a whole.
To address these various security challenges, RayAegis utilizes industry-leading technologies, including AI, combined with deep security knowledge to offer security assessment service plans that are "easier, shorter, cheaper, and more advanced."
| Item | Details |
| --- | --- |
| Diagnosis targets | Web applications; software; hosts; OS/platforms; mobile devices; IoT devices; network devices |
| Diagnosis areas | Web security; system denial of service (DoS); data leakage; authentication management; DB security; other customized diagnostic items |
| Diagnostic tools | Different tools for each stage, selected from over 50 tools; proprietary automation plug-ins for various general-purpose tools; manual diagnostic tests by security engineers; proprietary AI tools "RayScanner" and "RayInvader" |
| International standards | NIST SP 800-115; OWASP Top 10; OWASP IoT Top 10; OSSTMM; PCI DSS compliance |
Security diagnostic service plan
Unlike other companies, we provide each of these services with a simple pricing structure based on subdomains (FQDNs), regardless of the number of pages or requests, which makes them highly cost-effective.
| | AI Quick Tool Vulnerability Assessment | AI Remote Vulnerability Diagnosis | Penetration Test | Mobile App Diagnostics |
| --- | --- | --- | --- | --- |
| Features | Advanced automated vulnerability assessment using various proprietary tools | Advanced and comprehensive vulnerability assessment using various proprietary tools | Advanced penetration testing (including vulnerability assessment) that uses AI tools capable of automatically generating exploits, combined with zero-day attacks | High-speed tool diagnostics for individual mobile app packages (server-side authentication and authorization systems are covered by the API diagnostics option) |
| Diagnosis target | Platform + web application | Web applications, intranets, etc. | Web applications, intranets, etc. | Mobile apps and the APIs they connect to |
| Diagnostic items | 45 items | 68 to 99 items | 100 items | OWASP Top 10 Mobile Risks standard |
| Diagnostic methods | Remote diagnostics including AI tools | AI tools + manual remote diagnosis by security engineers | AI tools + manual remote diagnosis by security engineers | Package diagnosis using AI tools (API diagnosis includes manual diagnosis) |
| Diagnosis period | 1 business day | 3 to 5 business days | 1 to 3 weeks | App only: 1 business day; API: 3 to 5 business days |
| Pricing | Flat rate per subdomain/FQDN | Flat rate per subdomain/FQDN | Flat rate per subdomain/FQDN (charged per IP/host except for web servers) | Flat rate per application package/API server |
| Report format | Report reviewed by security engineers | Report reviewed by security engineers + debriefing session | Report reviewed by security engineers + debriefing session | Report reviewed by security engineers |
| After-sales support | Re-diagnosis included (within one month of the initial diagnosis) | Re-diagnosis included (within 3 months of the initial diagnosis) | Q&A regarding detailed repair procedures; re-diagnosis included (within one year of the initial diagnosis) | App re-assessment: optional; API re-assessment: included in the API option |
Security diagnostic service inspection items
Each security assessment service performs assessments based on test items that comply with standards such as OWASP. The main diagnostic test items are as follows:
| Main inspection items | Overview of test items |
| --- | --- |
| Information gathering | Collecting platform information, such as details of each server application in the target environment |
| Settings and configuration management inspection | Vulnerabilities related to allowed methods and to network and application configuration |
| Identity management inspection | Vulnerabilities related to account management, such as user registration and role settings |
| Authentication inspection | Vulnerabilities related to authentication, such as secure transmission of authentication information and password policies |
| Authorization inspection | Vulnerabilities related to authorization bypass, etc. |
| Session management inspection | Vulnerabilities such as bypassing the session management scheme |
| Data validation inspection | Data validation vulnerabilities such as SQL injection and cross-site scripting |
| Error handling inspection | Vulnerabilities related to error handling, such as returned error codes |
| Encryption inspection | Vulnerabilities such as weak encryption and padding oracle attacks |
| Business logic inspection | Vulnerabilities related to business logic, such as application processes |
| Client-side inspection | Client-side vulnerabilities such as HTML and CSS injection and JavaScript exceptions |
