We received a request directly from Dave Aitel to review his company, Immunity. We thought that this request was a bit odd as Immunity appears to be a Software Provider and not a Consultancy. We normally only review Professional Security Service Providers. At any rate, we decided to make good on the request and as such reviewed the Immunity website and placed a call into Immunity and spoke with Dave's wife (very nice, polite woman). Here's how we feel about Immunity.
Immunity is for all intents and purposes a Security Software company. They sell a very powerful tool called CANVAS, which is an advanced framework for penetration testing. CANVAS is particularly useful for Professional Security Service Providers (consultants) who perform penetration testing services. Other companies like Core Security compete with CANVAS. Core Security has another very powerful tool called Core Impact.
Immunity does have a software research and development team, or at least that is what we were told. The team does not release any advisories for any of the issues that they discover, and they only add the issues to CANVAS if they are discovered by a third party first. If not, it is our understanding that the issues remain 0-day and held by Immunity (or potentially sold to legitimate exploit brokers, but we don't know that for a fact). We do know that Immunity will purchase vulnerability information from brokers. This information is mostly incorporated into CANVAS from what we understand.
One thing that we are fairly certain of is that Dave Aitel is a high talent individual. As a result we automagically assume that he surrounds himself with other high talent people. We couldn't picture Dave surrounded by idiots; it would drive him nuts. Anyway, we feel that it's safe to say that Immunity has a very capable team with very advanced skills that could be very useful for performing Professional Security Services. Having said that, they really don't offer much in the way of Professional Security Services on their website... and we think we know why.
While talking to Dave's wife we secretly realized that it would be a conflict of interest for Immunity to offer Professional Security Services in conjunction with selling software used by Professional Security Service Providers. In short, if they offer Professional Security Services then most providers wouldn't buy their Professional Security Service testing software (CANVAS). On the other hand, if they sell the software and do not fully flaunt their services, then they'll probably make a good buck.
We think that is why the Immunity website is so focused on CANVAS and not on the offering of Consulting Services. There is a tab on their website that talks about their service offerings, but it is very, very, very lame. The entire services page is literally one paragraph long. You can check it out here. With that said, we are certain that Dave has an A+ team that is very capable of offering seriously hardcore services... but we can't give them an A+.
One reason why we can't give them an A+ is because they are a software vendor and are not focused strictly on the offering of services. The other reason is the aforementioned conflict of interest: their technology is purchased by Service Providers. In conjunction with that, they do not release advisories to the public, and their core focus is not protecting their customer networks, but instead is building CANVAS.
So, our opinion is that while we have a great amount of respect for Dave Aitel and the folks at Immunity, we need to be honest and give them a B. We think that their software is totally kick ass, we love reading Daily Dave, and we know that Dave could probably crack anything... but we just can't give Immunity an A.
Oh and hey... GO BUY CANVAS!!! We did and we love it!!
Score Card