Ethiack Blog

From Compliance to Continuous Security: Ethiack's Vision For Financial Cybersecurity

Written by Ethiack | 03/06/25 23:00
"We will soon launch the next generation of Continuous Automatic Pentesting technology, using highly effective hackbots to detect and report critical vulnerabilities 24 hours a day, 7 days a week. This technology will be able to understand attack surfaces and how assets are related to each other, as well as exploit complex attack vectors," revealed Jorge Monteiro, CEO of Ethiack.

Cybersecurity is one of the biggest challenges facing the financial sector today. With the entry into force of the European DORA (Digital Operational Resilience Act) regulation, strengthening digital operational resilience is no longer an option but a legal requirement, putting increased pressure on financial institutions and entities in their value chain.

This new legal framework requires organizations to be prepared to identify, mitigate, and report vulnerabilities on an ongoing basis, under penalty of facing serious legal, financial, and reputational implications.

In this new regulatory context, Ethiack positions itself as a strategic ally for companies in the financial sector seeking to comply with DORA requirements without compromising operational efficiency. Currently, the Coimbra-based start-up specializing in cybersecurity and ethical hacking has more than 70 customers in nine countries. Ifthenpay, Lusitânia, and Coverflex were the most recent additions to the company's portfolio.

In an interview with Link to Leaders, Jorge Monteiro, CEO of Ethiack, talks about the impacts of the new legislation, the role that innovation and artificial intelligence play in building a more robust and effective cyber defense, and plans for the future.

With the entry into force of the European DORA regulation, how have cybersecurity requirements for the financial sector changed, and what specific challenges does this new reality pose for companies?

The entry into force of the European DORA (Digital Operational Resilience Act) regulation marked a turning point in how companies operating in the financial ecosystem have to approach cybersecurity. In an industry that deals with massive volumes of sensitive data daily, resilience against cyber threats is no longer just a concern but a regulatory requirement.


How does your solution meet the requirements of the new European DORA directive?

Ethiack's solution supports companies in the financial sector in achieving DORA compliance, particularly in identifying and continuously managing vulnerabilities in their digital perimeter, including their supply chain, i.e., their suppliers, which is a very important element in the new DORA legislation.

At the same time, it enables them to strengthen their defenses without compromising operational efficiency. This approach consists of autonomous ethical hacking that is powered by a combination of AI pentesting agents and human intelligence to ensure continuous and comprehensive testing for exploitable vulnerabilities across the entire attack surface. The 24/7 testing, validation, and reporting capabilities serve compliance objectives while reducing the risks associated with the financial and reputational damage that can result from successful attacks.


The entry into force of DORA has also raised concerns among companies. Do you feel that financial institutions are prepared?

Yes, institutions are prepared because the compliance requirements in the sector are very high. Perhaps a change in mindset is needed, to move from annual tests, required by DORA, to continuous testing. However, I believe that this evolution will be rapid, thanks to autonomous hacking solutions. It is an effective way for financial companies to increase their level of digital security and gain the trust of their stakeholders.


What impact has this expansion had on your turnover, and how are you preparing to reach the €3 million target?

An important part of Ethiack's strategy is to grow in Europe and position itself as a “Made in Europe” solution and innovation. We will soon launch the next generation of Continuous Automatic Pentesting technology, using highly effective hackbots to detect and report critical vulnerabilities 24 hours a day, 7 days a week. This technology will be able to understand attack surfaces and how assets are related to each other, as well as exploit complex attack vectors.

In practice, it is a technology that simulates the approach of an Ethical Hacker who will test digital assets, capable of protecting the Internet on a large scale. These hackbots are the result of intense R&D work that we have been developing.


Ethiack is committed to an approach that combines Ethical Hacking with AI. What technically distinguishes your platform from other solutions on the market?

Ethiack has a number of distinctive features, three of which I would highlight. The first distinctive feature is continuity, as our platform offers users a comprehensive, real-time view of their entire digital infrastructure, including suppliers (supply chain) and associated risks. In addition, the Ethiack platform continuously learns thanks to contributions from Ethiack's ethical hackers and discoveries made by AI hackbots, which makes the platform increasingly powerful and capable of offering more robust security.

Secondly, the Ethiack platform stands out for its speed and scale in terms of prevention capabilities. We can test thousands of digital assets in seconds, and at the same time, we can reduce the detection time of a new vulnerability to a minimum. We must always be one step ahead of the attacker.

Thirdly, we are highly accurate and impactful in identifying risk and providing mitigation guides that enable customers to optimize resources, prioritize risk, and, of course, reduce costs because they can act quickly to correct the risk.


How does the continuous vulnerability detection process work in practice? Can you give us an example?

Naturally, Ethiack's technology works end-to-end and behaves like an attacker without privileged access. To test an organization, all we need is authorization and knowledge of its web domain. The first step is to understand the attack surface, i.e., an in-depth analysis to discover the organization's entire exposed digital infrastructure, including subdomains, ports, technologies, products, etc. Next, we run a series of penetration tests to identify vulnerabilities. This process is repeated cyclically. Additionally, it is possible to observe changes in the organization's infrastructure and perform specific, in-depth tests, as well as run new tests based on new learnings.


Your accuracy rate is 99.5%. How did you achieve this level, and what role do your ethical hackers play in this process?

The 99.5% accuracy rate is only for the automatic component; it does not directly involve ethical hackers. This is one of Ethiack's most important secrets. We have developed a technology from scratch that allows us to exploit vulnerabilities in production environments without harming their development. We call it “Proof-of-Exploit.” Most scanners on the market can only identify a risk with a certain degree of probability that it exists, but cannot validate it.


You have been recognized in several international initiatives, including Google for Startups and the World Summit Awards. What impact have these distinctions had on your visibility and growth?

These national and international distinctions are very important because they serve as a demonstration of the robustness of our solution and our company. They are therefore an important tool for accelerating Ethiack's growth and an opportunity to increase the impact of our cybersecurity solution. On the other hand, it is a source of pride to be recognized for the quality of our work and for our pioneering use of AI to help companies, organizations, and individuals stay safe in an increasingly complex digital environment.


How can a start-up born in Coimbra compete globally in such a competitive sector?

If we look at the Coimbra ecosystem, we see that there have been other companies that have had tremendous success on a global scale, and that has served as inspiration and motivation. However, the secret lies in the quality of the solution we have developed. On the other hand, we have a fantastic team, led by André Baptista, CTO and co-founder of Ethiack, who has twice won the title of Most Valuable Hacker and is now part of a select group of five hackers in the world who can boast of having won this title twice. The first time was in 2018, which earned him the title of “Cristiano Ronaldo of cybersecurity.”


What are the next markets you are exploring? Are you considering new sectors beyond finance?

Ethiack is accelerating its expansion into new markets, starting with the UK and Europe, but always with an eye on the US and the Middle East. And yes, we are already working with several other sectors, because threats cut across the economy and society, and the work of strengthening cybersecurity is ongoing. Cybersecurity is like democracy. We have to fight hard every day to preserve it.


What role do you hope Ethiack will play in the European cybersecurity ecosystem in the coming years?

Cybersecurity is, first and foremost, a matter of political sovereignty, which Europe must address pragmatically, especially in the current geopolitical context, because threats are no longer just “economic.” They are increasingly threats to political and institutional integrity, and cybersecurity is a pillar for ensuring Europe's technological independence and regional integrity concerning other regional blocs.

Europe needs to take a step forward. We cannot leave innovative solutions solely to the whims of the market. Instead, we need a new public-private ecosystem that also includes universities. This ecosystem will enable us to build a strong European innovation capacity, helping us to develop real-time responses to growing threats. It will also ensure that these crucial solutions reach everyone in society efficiently and economically.

In practice, just as Europe was able to create a consortium for aviation, such as Airbus, a model that the European automotive industry has also recently suggested for itself, it should also create an industrial cluster for cybersecurity. This model is particularly relevant given the exponential development of Artificial Intelligence, which is advancing faster on the threat side than on the security side.

And it is in this European ecosystem that we see Ethiack progressing.


In a scenario of growing digital threats, what is the most urgent change organizations need to make to better protect themselves?

Cybersecurity depends on one thing: agility, because threats, attacks, and vulnerability exploitation are accelerating much faster than our defenses. The reality is stark: 4 out of 5 data breaches originate from new vulnerabilities, more than 80 new public vulnerabilities emerge daily, and 80% are exploitable even before public disclosure. Worse still, criminals can start exploiting these new flaws within 15 minutes of discovery. With automation and AI, the speed and scale of these attacks are increasing exponentially.

In this demanding environment, we must ensure that the vast majority of companies can implement robust security measures. More than 90% of companies in the EU are SMEs and, quite simply, do not have the resources necessary for large investments in cybersecurity. This creates a significant “digital divide,” leaving smaller companies with the greatest vulnerabilities. This is a high-risk problem, as many of these SMEs are digitally connected to the government and large companies, some of which manage critical infrastructure.


And finally, what advice would you give to other start-ups that are now trying to enter highly regulated sectors such as finance?

My best advice to start-ups entering regulated sectors such as finance is to abandon any notion of overnight success. It's a marathon, not a sprint. Cultivating meaningful relationships is key. Understand the market's weaknesses deeply and position yourself strategically within a specific need. It sounds simple, but consistent execution and accepting failure as a learning tool are what really drive progress.

 


The original article was published in Portuguese at Link to Leaders.