Imran Parray (Founder and CEO at Snapsec) is an application security expert, with a focus on testing and holistic security that enables organisations to defend their critical networks. In 2019, he founded his own cybersecurity startup – and over the last five years that startup has provided reports on over 800 security vulnerabilities to more than 60 companies.
We asked Parray why he decided to launch his own business in the cybersecurity sector, and what he’s learnt from the journey so far. Here’s what he told us.
“I have over seven years of experience in application security, and for the past five years, I've been deeply involved in bug bounty programs, industry reporting, and identifying hundreds of vulnerabilities for various companies. During this time, I got to explore almost all the OffSec SaaS solutions in the industry – and I noticed that while there are many SaaS solutions available, they tend to be fragmented and focused on specific use cases.
“For companies, fragmented solutions create inefficiencies by requiring them to manage multiple tools separately, which increases complexity and consumes more time. Additionally, these fragmented systems prevent effective data correlation, making it challenging to gain a comprehensive view of security threats. So I felt a strong need for the centralisation of security products.
“Additionally, there wasn't a single company offering centralised cybersecurity solutions that integrated all the essential tools like attack surface management, vulnerability management, phishing simulators, secret scanners, and more – all under one dashboard. I saw a great opportunity to build such a suite, which would not only provide these tools in one place, but also allow for better correlation of the data collected by them. The idea fascinated me then and continues to excite me, so I decided to build a company around this vision.”
“Being a startup founder has been a challenging yet rewarding experience, especially for someone like me who comes from a technical background and has a strong passion for technical work.
“As a founder, I had to explore other fields in the industry, such as marketing and sales; and I had to deal directly with customers. Initially, this brought a lot of chaos to my life because it pushed me out of my comfort zone into areas I wasn't ready to explore. However, I'm glad I did it because it allowed me to gain a broader perspective on the business.
“If I were to start over, I would focus more on the business side from the beginning. Tech founders often underestimate the importance of the business aspects of running a company, concentrating too much on the technical side. Even if you have the best product, if you don't have the ability to market it effectively and bring it to the market, no one will use it. Balancing technical excellence with strong business strategies is crucial for success.”
“Penetration testing is a security exercise that allows companies to simulate different attacks on their critical systems to see if they can withstand these attacks. It's like a controlled, strategic way to find and fix vulnerabilities before real attackers can exploit them.
“Continuous security, on the other hand, involves performing various security operations on an ongoing basis. It takes a more holistic approach, addressing all aspects of your company's security, including exposed infrastructure, personnel, and critical applications.
“Both are essential and complement each other. Pen testing provides a snapshot of your security posture at a given time, identifying specific weaknesses. Continuous security ensures that you maintain a strong security posture over time, addressing new vulnerabilities as they arise and adapting to changing threats. While pen testing alone can highlight vulnerabilities, without continuous security measures, those vulnerabilities can quickly reappear or new ones can emerge, leaving the company at risk.”
“The first thing I hacked was a well-known cloud communication company. While searching for bugs on their platform, I discovered that their audio recordings and customer support chat logs were somehow archived by the Wayback Machine and were freely accessible.
“By simply visiting these URLs, I gained access to hundreds of thousands of their customer chat logs. Some of these logs contained very sensitive information, including credit card details. I later found that I could iterate through the chat IDs and access all of their customers' chat logs, revealing a significant security vulnerability. I immediately reported this issue to the company and helped them verify the fix.”
“One of the most memorable experiences at Black Hat MEA 2023 was the opportunity to connect with our significant customer base in Saudi Arabia. Around 80 to 90% of the companies we work with are based there, so attending the event was a fantastic chance to meet our clients in person and strengthen our relationships with them on a personal level.
“Physically meeting people who have been our customers for several years was incredibly exciting. It allowed us to deepen our connections and foster trust, which is essential in our line of work.”
Thanks to Imran Parray at Snapsec. Immerse yourself in the global cybersecurity – register now to attend Black Hat MEA 2024.