How Shearwater's latest acquisition secured a deal valued at one third of its total turnover

Pentest MD reveals the key elements to building up a long-lasting client partnership and what to expect from it under its new owners

UK-based cybersecurity firm Pentest is celebrating one of the largest deals in its history, winning a one-year, £1m contract with a global technology company.

Pentest is a penetration testing firm that operates in a manner similar to the way hackers do, using the same techniques and tactics to attack businesses in order to discover their security vulnerabilities.

Shearwater Group purchased the company from testing firm Secarma for £7.4m in April this year, renaming its new addition as Pentest. Prior to its acquisition, Pentest had generated unaudited revenue of £3.7m for the 12 months ending 31 May 2018.

Paul Harris, Pentest MD, couldn't disclose the name of the customer, but said that the $1m (£803,550) contract will see Pentest perform an in-depth investigation into the organisation's resilience with the aim of uncovering any IT security vulnerabilities, as well as delivering a framework for the provision of vulnerability assessment and penetration testing services to the client.

We caught up with the MD to find out how its relationship with the customer grew from a small contract 10 years ago to its recent $1m win.

Where does this contract sit among your biggest deals?

It is one of our largest. Given what we do, the type of business that we operate with tends to be medium and very large organisations; they are the ones that are security mature, and have teams of security people and security budgets - they know they need us and have the budget to deal with us. Though we do have some very small clients who are also very security mature.

So we have a number of very large clients, of which this is one. We have others who are a similar size, but in terms of the amount of work we get off this client, it does make them one of our largest.

We do operate globally; we have to have teams of people in various countries, and our clients are all over the world and we do significant amounts in the US.

What will this contract entail?

Typically what we're testing for our clients is the infrastructure, and this one is no different. So as an attacker what you can see from outside of a business and other ways of exploiting it.

That will include things like web applications, cloud security services and then from there the products and services software, into the internal network and structure of the business to find out if we can find the vulnerability in a piece of software, and exploit that, can we get from there onto the network and start stealing data or doing other sorts of criminal activities. So it's testing a whole portfolio of applications and infrastructure services.

Can you talk us through how Pentest developed its relationship with the client?

It's a fairly common story for us to get one foot in the door with a very small project, which allows the company to sort of test you out and see whether you're any good.

Rather than trying to make a quick buck and sort of short-term financial gain, we've always been a business that has looked at the long-term and tried to do what's right for the client. That means being flexible and working around our clients, understanding their requirements and, if necessary, developing new ways of working that suit them and developing new service lines that fit with their challenges.

It's important to us to develop that sort of trust, discretion and integrity over that relationship, and that builds up over time - you can't do that quickly.

By focusing on these things over a very long period of time and making sure that we are meeting what the customer wants and being flexible and adapting, I think it's just built trust and confidence and the account has grown and grown as a result.

Was there a bidding process with this?

No, it wasn't competitive. This is an easy way for the client to work when they're giving such a significant amount of work out, as these large companies do. Our average order value is probably in the region of about £6,000.

If you're raising purchase orders for every single job, that's very bureaucratic on an organisation. This is basically a commitment from them to give us $1m worth of business going forward rather than having to raise lots and lots of small POs - again, it's us working in a way that the client wants to work.

What can we expect from Pentest under Shearwater?

We're fortunate enough to be in a booming industry - what's bad for the world, unfortunately, is good for us. Cybercrime is definitely increasing; the more that we put on the internet, the more things going to cloud, more IoT devices provide opportunity.

We're also a very niche part of that industry. There are very few people who are the elite hackers that we employ, who are a very scarce resource. So we have something that's very valuable in a market that's booming.

In joining the Shearwater group, we now have a number of partner companies within the group that offer services that are very much aligned to ours. It's very early days for us but there has already been really good evidence that the collaboration across the group is going to be really good for us.