Hello guys,
I’d love your feedback on Gauntlet.io (https://gauntlet.io), a security product to identify and manage security vulnerabilities using multiple security scanners. There is a free account for one application, so you may use it to find security vulnerabilities in your product before attackers do.
If you could give me feedback of the website or of the user experience in the application itself, I’d love to hear.
Thank you,
Anderson Dadario
Hey @Anderson_Dadario I think the concept is good, but onboarding needs a big improvement.
I gave your site a try but I gave up after going through several steps that were mysterious to me as a new user, and still not even getting a preview of what I might see. After some minutes and feeling my way through, I finally stopped when I found out I need to fill in an AWS pen test form to continue. I understood the necessity, but I have no idea if after that step there are still going to be several more steps.
A big problem is making a new user have to make several decisions. A new user doesn’t really know how to decide nor what to expect. A new user has no information or experience to help make the decisions. At the very least you should have some one predefined scanner option.
The concept though, is excellent, and I’m certain that people WILL pay good money for this.
Hey @SteveMcLeod,
Thanks a lot for the feedback and sorry for the trouble you’ve been through. Actually your feedback was very informative and I’ll act upon it. It was first designed to solve my need as a security engineer and then I’ve been adapting for others, but as you said it wasn’t enough yet hehe.
And don’t worry, the AWS pen test form is the last step. Well, in some sense those authorizations are important for AWS for example mainly because of the bandwidth consumed from the server perspective, even though you pay for the bandwidth anyways. They explicitly deny it for micro instances. However running 1 scanner at a time, at a low speed for example, will result in a traffic similar to a single user, thus won’t affect the bandwidth in practice. In fact attackers run the very same tools without authorization, so defenders are clearly at disadvantage here.
Such authorization for providers unfortunately aren’t a standard and are hard to control on my end, but the main idea is to inform that scans should not be performed blindly and you should proceed only if you know the consequences of performing a scan.
It’s not explicit, but there are scanners that doesn’t require this form, for example Knock, to enumerate subdomains. It works by consulting the DNS server and trying to find “mysql.yoursite.com”, “admin.yoursite.com”, etc …
Nonetheless thank you Steve, and even the system not being that clear in terms of instructions, you seem to have reached the end of it. I’ll work on improvements for onboarding, thank you very much.