by andrei 2669 days ago
Thanks for the heads up! I haven't heard of Security Innovation, so definitely going to look more into what happened there.

I think the key difference, though, is that we don't do any consulting/training/manual pentesting. We're more of a dev tool company than a security company in that we don't aim to replace security engineers but to make their lives easier.

1 comments

The training and pentesting came later, saving the company.

The company was created starting from early fuzzing research at Florida Institute of Technology. The whole point of the company was to fuzz things for software companies. That mostly didn't work out.

That all might not be your fate, but consider it a warning. You could do a better job of making things accessible, or you could offer a more acceptable price point, or you could advertise better, or maybe 2019 is different enough from 2002 that such a business is more viable.

Yes, software security in 2019 is markedly different from software security 17 years ago. 2002 predates the "Summer of Worms" and the Microsoft SDLC (for what it's worth, from 2004-2006, many of the world's software security firms were basically parked almost full-time in Redmond). It would be weird today to see an established company with a "shipping" product or SaaS service that couldn't provide a pentest attestation; back in 2002, it would be weird to see one that could.

For some perspective: the first published "integer overflow" attacks were from 2002 (the attack pattern was known but not published as such before then).