AI type/manual type security diagnosis service “RayAegis”
About RayAegis
RayAegis is a group of over 250 highly skilled white-hat hackers and security engineers around the world who work as security consultants for systems such as government agencies, financial institutions, major manufacturers, and transportation systems.
RayAegis' technical team includes master's and doctoral degrees in computer and information security from Carnegie Mellon University, Purdue University, and National Taiwan University in the United States, as well as various information security qualifications such as CISSP / CISM / CEH. It is made up of excellent security engineers, including experts who have acquired the following certifications.
With years of experience, we have a deep knowledge of hacker techniques and how techniques and management methods combine to protect sensitive corporate information, including preventing unauthorized access by hackers and employees.
Combining the world's most advanced security and AI technologies, RayScanner and RayInvader, developed by RayAegis, use a database containing proprietary information synchronized with the U.S. government to detect whether a website or application has been hacked. We also efficiently check for unknown vulnerabilities such as zero-days and provide security services that meet the strictest international standards.
| RayAegis Service Details | RayAegis |
|---|
RayAegis service features
As technology advances, malicious hackers are using sophisticated programs and attack tools to attack corporate systems and steal data. As for attack methods as a whole, we focus on effective methods, such as using multiple vulnerabilities in combination depending on the effect and situation, rather than attacks that exploit a single vulnerability. Multi-vector attacks have become mainstream.
In response to these various security issues, RayAegis utilizes industry-leading technologies such as AI along with deep security knowledge to provide solutions that are easier, faster, cheaper, and more effective. We offer plans for advanced security diagnostic services.
| Diagnosis target | ・Web applications ・Software ・Hosts ・OS/platforms ・Mobile devices ・IoT devices ・Network devices |
| Diagnosis details | ・Web security ・System denial of service (DoS) ・Data leakage ・Authentication management ・DB security ・Other customized diagnostic items |
| diagnostic tools | ・Use different tools for each stage from over 50 tools ・Ownly developed automation plug-ins for various general-purpose tools ・Manual diagnostic tests by security engineers ・Ownly developed AI tools “RayScanner” and “RayInvader” |
| international standards | ・NIST SP800-115 ・OWASP TOP10 ・OWASP IoT TOP10 ・OSSTMM ・PCI DSS Compliance |
Security diagnosis service plan
Each service is provided as a highly cost-effective service, with a simple pricing system based on "subdomain units (FQDN units)" that is not related to the number of pages or requests.
| AI Quick Tool Vulnerability Diagnosis | AI remote vulnerability diagnosis | penetration test | mobile app diagnostics | |
| Features | Advanced automatic vulnerability diagnosis using various proprietary tools | Advanced and comprehensive vulnerability diagnosis using various proprietary tools | Advanced penetration testing (including vulnerability diagnosis) that utilizes AI tools that can automatically generate exploits and combines zero-day attacks. | High-speed tool diagnosis of a single mobile app package (server side authentication/authorization system is supported by API diagnosis option) |
| Diagnosis target | Platform + Web application | Web applications, intranets, etc. | Mobile app/App connection destination API | |
| Diagnostic items | 45 items | 68 items to 99 items | 100 items | OWASP TOP10 Mobile Risk Standard |
| Diagnostic method | Remote diagnostics including AI tools | AI tools + manual remote diagnosis by security engineers | Package diagnosis using AI tools (API diagnosis includes manual diagnosis) | |
| Diagnosis period | 1 business day | 3-5 business days | 1-3 weeks | App alone: 1 business day API: 3-5 business days |
| Fee structure | Flat fee per subdomain/FQDN (for penetration testing, charges are charged per IP/host for everything other than the web server) | Application package/Flat rate fee per API server | ||
| Report format | Reviewed report by security engineer | Reviewed report by security engineer + report meeting | Reviewed report by security engineer | |
| After-sales support | With re-diagnosis (within 1 month after initial diagnosis) |
With re-diagnosis (within 3 months after initial diagnosis) |
・Q&A regarding detailed repair procedures ・Re-diagnosis included (within 1 year after initial diagnosis) |
・App single re-diagnosis: Optional ・API re-diagnosis: Included in option |
Security diagnosis service inspection items
Each security diagnosis service conducts a diagnosis based on test items that comply with standards such as OWASP. The main diagnostic tests to be performed are as follows.
| Main inspection items | Overview of inspection items |
| Information gathering | Gather platform information such as each server application in the target environment |
| Inspect settings and configuration management | Vulnerabilities related to allowed methods and network and application configurations |
| Inspecting identity management | Vulnerabilities related to account management such as user registration and role settings |
| Certification inspection | Vulnerabilities related to authentication, such as secure transfer methods of authentication information and password policies |
| Approval inspection | Vulnerabilities related to authorization bypass, etc. |
| Inspect session management | Vulnerabilities such as bypassing session management schemes |
| Data validation checks | Vulnerabilities related to data validation such as SQL injection and cross-site scripting |
| Verifying error control | Vulnerabilities related to error control such as returned error codes |
| Encryption check | Vulnerabilities such as insufficient encryption and padding oracle attacks |
| Inspecting business logic | Vulnerabilities related to business logic such as application processes |
| Client-side inspection | Client-side vulnerabilities such as HTML, CSS injection, and JavaScript exceptions |
