‘We dream to be Nepal’s first billion-dollar IT company’
How a group of like-minded people came together to start the cyber security firm Nassec, and how they’re now developing their most important project to date: ReconwithMe, a vulnerability assessment tool.
Prajesh SJB Rana
In the spring of 2019, in a small apartment in Lazimpat, four bright-eyed, hopeful college students came together: two Development Finance students from National College, on the cusp of graduating and itching for their next business project, and two Information Technology students from Islington College with a penchant for ethical hacking and software development.
Back then, Subash Gautam, 25, and Nischal Narsingh Rana, 25, were planning to open a management consulting firm with a focus on IT. At the same time, Subash was also working with Ajay Gautam and Shishir Shrestha on AbroadSanjal, a digital information platform that connected prospective students with representatives of international educational institutions. Ajay Gautam, 22, was hunting bug bounties for security vulnerabilities in many international services, having already found and reported security flaws in web services like Facebook, Microsoft, Sony, and Etsy. Ajay was supported by his high-school friend, Shishir Shrestha, 21, a front-end developer.
Living in the same hostel, the four had been in close contact with each other and would occasionally discuss their projects. Subash, Ajay and Shishir were struggling to get AbroadSanjal off the ground, and as the hurdles and hassles mounted and confidence in the product dwindled, the trio was looking to branch out of the business. Nischal, at this time, was working as a field supervisor at a local NGO. It was at one of these informal meetings that the friends decided to work together to form a company. They figured that the business acumen and technical expertise they shared between them would go hand in hand. Subash and Nischal would look after the business and operations, with Subash as co-founder/CEO and Nischal as chief financial officer, and Ajay and Shishir would look after the technical side, with Ajay as co-founder/CTO and Shishir as developer. Capitalising on Ajay’s reputation in cyber security circles, they decided to form a company together focusing on cyber security.
With the team together, the quartet registered National Agency Security System Pvt Ltd (Nassec) as a cyber security company and rented a small office space in Lazimpat. While the company was still trying to find a local market in April of 2019, Ajay, for his efforts in identifying and reporting potential security flaws in Facebook, was invited to the social media company’s BountyCon 2019 in Singapore. Subash joined him on the trip, hoping to find potential business partners for Nassec, and it was here that the company found one of its first cyber security contracts. Subash met representatives from AntiHack, a Singapore-based cyber security firm, who agreed to outsource some of their projects to Nassec.
After building ties with AntiHack, Nassec had a major international client, but to scale up the business, Subash and Nischal started looking to expand into local markets. While they worked with a few clients like XcelTrip, a travel and tourism website, and the local ecommerce site Gyapu, the local market proved to be too immature.
“Nepali businesses and startups still don’t understand the need for cyber security. Instead of treating VAPT (Vulnerability Assessment and Penetration Testing) as a necessity, many local businesses still consider cyber security as an added cost. This lack of awareness made it extremely difficult for us to find local clients,” says Subash. “We’ve built tools that show Nepali business owners the vulnerabilities in their system security and even though they know that the problem exists, they’re hesitant to even pay Rs 50,000 to get it fixed. But regardless, we were still getting offshore clients like blockchain technology companies iBriz.ai and Bitsbeat.”
Regardless of the immaturity of the local market, the people at Nassec continued their efforts to educate and spread awareness about cyber security through blog posts and their YouTube channel ‘Infosec Daily’. Slowly, the quartet at Nassec grew into a business with multiple departments and 18 employees in the span of two years. The pandemic lockdowns marked the point of greatest growth for the company, with a drastic change in direction from a service-based to a product-based business.
“It was a drastic change for sure, but I always wondered how long we’d keep functioning as a service-based business, working for others,” says Ajay. “I wanted to build something for myself and that was when I suggested creating a tool that automated parts of the identification process during vulnerability assessment, and that is how ReconwithMe was born.”
Vulnerability assessment tools are automated scanners that help cyber security professionals identify potential security risks in a target asset, be it a web application, a network or a database. These tools work off a database of known vulnerabilities and probe the target system with checks for each of them, to determine whether a breach could occur via any of those means. Ajay had already built a command-line version of the tool that he used personally during his own security assessment tasks, and all cyber security personnel use some form of assessment tool to aid them during the identification phase.
“Many cyber security professionals in Nepal use expensive tools like Acunetix, Rapid7, and Nessus for security audits in Nepal,” says Subash. “While these tools are widely used across the cyber security industry, they’re also very expensive which drives up security audits costs. Ajay already had a prototype of the product, all we needed to do was build on it.”
The move to the development of ReconwithMe was when Nassec experienced the most growth. Front-End Developer Srijan Katuwal, 21; Product Designer Siddhartha Neupane, 20; and Business Development Executive Yash Rana, 25, reinforced the Nassec team, and work on ReconwithMe started in August 2020.
Nassec’s vulnerability assessment tool is far from perfect: it currently only scans web applications, although it has a host of features like OWASP vulnerability checks and Common Vulnerabilities and Exposures (CVE) checks. The team at Nassec is confident that ReconwithMe can outperform tools like Rapid7, which in their view only performs CVE scans; ReconwithMe, in comparison, offers more features, can detect 6000+ vulnerabilities as of now, and will scan for all publicly available vulnerabilities in the future. While the tool still can’t compete with more robust tools like Acunetix, Subash assures us that it is just in its early adoption phase and, while it is a minimum viable product right now, the team has already planned a roadmap for features like network scans, app scanning, blockchain security, and code-checking to be implemented in the near future.
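To make the "database of known vulnerabilities" mechanism and the CVE-style checks described above concrete, here is a small added illustration of one scanner step: fingerprint the software a web server advertises in its response headers, then look the versions up in a database of advisories with affected-version ranges. This is example code written for this article, not ReconwithMe's or Nassec's code, and the advisories, their EXAMPLE-* identifiers and the response headers are all constructed.

```python
"""Passive, version-based lookup of the kind a web vulnerability scanner runs
against its database of known vulnerabilities.  Added illustration only: the
advisories, their EXAMPLE-* ids and the response headers are all constructed."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed placeholder, not a real CVE number
    product: str          # lower-cased product name as it appears in headers
    affected_from: tuple  # first affected version (inclusive)
    fixed_in: tuple       # first version carrying the fix (exclusive)

# Constructed database. Real fixes land per release branch, so one range per
# branch (7.4.x and 8.0.x here) avoids false negatives on newer branches.
KNOWN_VULNS = (
    Advisory("EXAMPLE-0001", "nginx", (1, 0, 0), (1, 20, 1)),
    Advisory("EXAMPLE-0002", "php", (7, 4, 0), (7, 4, 21)),
    Advisory("EXAMPLE-0003", "php", (8, 0, 0), (8, 0, 8)),
)

_PRODUCT_RE = re.compile(r"([A-Za-z-]+)/(\d+(?:\.\d+)*)")

def parse_version(text: str) -> tuple:
    """'1.18.0' -> (1, 18, 0); tuples compare element-wise, as versions should."""
    return tuple(int(part) for part in text.split("."))

def fingerprint(headers: dict) -> dict:
    """Map product name -> version tuple from Server and X-Powered-By headers."""
    found = {}
    for name in ("Server", "X-Powered-By"):
        for product, version in _PRODUCT_RE.findall(headers.get(name, "")):
            found[product.lower()] = parse_version(version)
    return found

def match(fingerprints: dict, db=KNOWN_VULNS) -> list:
    """Ids of advisories whose affected range contains a fingerprinted version."""
    hits = []
    for adv in db:
        version = fingerprints.get(adv.product)
        if version is not None and adv.affected_from <= version < adv.fixed_in:
            hits.append(adv.advisory_id)
    return hits

def scan(headers: dict) -> list:
    return match(fingerprint(headers))

if __name__ == "__main__":
    # Constructed response headers from a hypothetical target.
    print(scan({"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3"}))
```

A banner-based match like this is only a lead, since backported fixes and suppressed version strings make it both noisy and incomplete; a production scanner follows it up with active checks for each candidate finding.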
“Our tool is quite comprehensive. You can schedule scans, prepare reports and even request help from cyber security professionals at Nassec directly from the tool,” says Subash. “There are still many hurdles to overcome for us to properly market this product. We see a market for this more in the international sphere than locally. But due to the current financial state of Nepal, accessing international payment gateways can be very difficult.”
“But we are very confident in our product and we’re going to make it work. We want to make cyber security accessible to everyone, especially to the many budding startups all across the world. By offering a reliable vulnerability assessment tool at an affordable price, we believe, businesses, organisations and institutions will be able to access and monitor their security at a reasonable cost,” says Subash.
Rapid7’s Security Information and Event Management tool costs USD 52 per asset per year; Nessus is USD 2,990 for an annual subscription; Acunetix costs USD 4,500 for the standard tier and USD 7,000 for the premium tier for use on one website. ReconwithMe hopes to challenge all of these international players through cutthroat pricing at USD 225 per year for the Basic plan (2 targets) and USD 360 per year for the Startup plan (5 targets).
“ReconwithMe is a very viable product, but finding a market internationally and competing with international competitors is not going to be easy,” says Subash. “We hope that through ReconwithMe, we will be able to inspire the next generation of youth to develop, market and compete in the international market while working from Nepal. But for now, we dream to be Nepal’s first billion-dollar IT company.”