In this recent SafetyDetectives interview, Kennedy Torkura, Co-Founder and CTO of Mitigant, shares his journey from academic research to creating a cutting-edge cloud security company. With a strong background in cloud security, Kennedy and his team are pushing the boundaries of what’s possible in the industry by incorporating innovative practices like security chaos engineering and adversary emulation. In this discussion, he highlights the unique aspects that set Mitigant apart from other cloud security solutions, including their focus on automating penetration testing and addressing the emerging challenges of generative AI. Kennedy also provides valuable advice for businesses looking to enhance their cloud security posture, making this a must-read for anyone interested in staying ahead of the ever-evolving cybersecurity landscape.
Can you tell us a bit about your background and what inspired you to co-found Mitigant?
I met my co-founders, Dr. Muhammad Ihsan Sukmana and Nils Karn, at the Hasso Plattner Institute in Germany. We were both pursuing our doctorates and were part of the same research team focused on cloud security. We also had the opportunity to work on a research project at Bundesdruckerei, Germany’s federal printing press, on a secure cloud storage project. We then met our fourth founder, Dr. Thomas Fricke, a renowned cloud and Kubernetes expert in Germany.
After my academic work, I moved into the industry and realized that some of the research we had done could be applied practically to address real-world issues. I saw gaps in how companies were managing their cloud security posture. My experience as a cloud security engineer convinced me that our research could be turned into a company that helps organizations secure their cloud infrastructures better than ever before.
What sets Mitigant apart from other cloud security solutions on the market?
There are a few things that set Mitigant apart. The cloud security space is competitive, especially in Cloud Security Posture Management (CSPM). While many companies offer basic security checks, we go further by incorporating security chaos engineering. This approach ensures that security mechanisms in the cloud are validated and resilient because even these can be compromised.
Another key differentiator is our use of adversary emulation, which involves emulating attacks on a company’s cloud infrastructure to identify real vulnerabilities before actual attackers can exploit them. We’re also applying our solutions to generative AI, an emerging area with its own security challenges. We’ve published several academic papers and blog articles on these topics, and these combined efforts make Mitigant unique in the market.
What are some common security blind spots in cloud infrastructures that Mitigant helps to identify and mitigate?
We help companies maintain good security hygiene by identifying misconfigurations and ensuring alignment with best practices recommended by cloud service providers and regulatory bodies. For example, AWS has specific security recommendations, and we automate checks to ensure our clients adhere to these.
We also prepare companies for security incidents, whether detecting them in real time or practicing incident response. Our system allows customers to simulate incident response scenarios, helping them identify gaps in their threat detection and response processes. Additionally, we highlight attack paths—potential routes that attackers could exploit—allowing companies to validate their assumptions and strengthen their defenses.
What are the primary benefits of employing automated cloud penetration testing for businesses?
There are several benefits, starting with cost. Many companies don’t have in-house penetration testing capabilities and must hire external consultants, which can be expensive and infrequent. With automated penetration testing, companies can run tests whenever needed, reducing dependency on external resources and ensuring they have an up-to-date understanding of their security posture.
Another advantage is security ownership. For example, a Chief Information Security Officer (CISO) can confidently report on the current security state without relying upon outdated reports. Automated testing also supports more advanced security testing, like red teaming or purple teaming, without requiring specialized in-house skills.
For business owners new to cloud security, what are the first steps they should take to secure their cloud infrastructure?
The first step is to establish good cyber hygiene. This means starting with the basics and ensuring that your infrastructure aligns with the best practices recommended by cloud providers. Next, align with relevant compliance regulations. For instance, if you’re in the healthcare industry, make sure you comply with HIPAA requirements. This alignment forms the foundation of a strong security posture.
What trends do you foresee in the future of cloud security, and how is Mitigant preparing to address them?
The threat landscape is constantly evolving, influencing trends in cloud security. Currently, generative AI is shaking up the industry, with many companies rushing to adopt it. However, the security aspect is often overlooked, even though it should be a fundamental consideration from the start.
At Mitigant, we’re integrating security testing into cloud security to help companies assess the security of their generative AI infrastructure and large language models, whether they’re private or provided by cloud services. We just released a new feature called Attack Emulation for GenAI Cloud Workloads, which allows companies to emulate various cloud attacks that can happen to the Cloud GenAI workloads to ensure the workloads are secure and aligned with best practices, minimizing the risk of exploitation. The feature also allows companies to implement AI red teaming exercises to test security attributes and ensure the GenAI does not produce harmful output.