The offensive cybersecurity industry — trends and updates
35 min read · Jun 20, 2023
Introduction
In 2019, I had the opportunity to talk at BlackHat USA¹ — where I tried to answer the question “How can researchers interact with the offensive cybersecurity industry?”.
Four years later, the offensive cybersecurity industry went through significant changes that reshaped the industry. I think it’s about time to talk about the trends and events that led us to where we are today.
In this article, I will analyze the changing business case for the offensive cybersecurity industry over time.
If you are less interested in learning about the history of the offensive cybersecurity industry and would like to know the current trends and events, feel free to skip to The adjust (2022+) — The rise of the “Clearing houses” and the reshaping of the industry supply chain.
*It’s worth mentioning that this article reflects my own experience in the industry. Based on conversations with fellow industry colleagues and people who are part of the industry, they had similar experiences.
**If you are a government agent, researcher, or part of a government organization, please pay special attention to the “Call for action” section.
About me
I’ve been part of the offensive cyber industry for more than 7 years now (side note, the offensive cyber industry is ~20 years old). My roles have included helping researchers, companies, research groups, brokers, and governments to navigate the offensive cyber industry from a supply-chain (vulnerabilities/researchers) standpoint.
Twitter: https://twitter.com/malltos92
Table of contents
- Framework
- The vendors
- The transition from community to industry
- The boom (2017–2019) — ‘Everyone is a genius in a bull market’
- The bust (2020–2021) — “It’s only when the tide goes out that you learn who’s been swimming naked.”
- The adjust (2022+) — The rise of the “Clearing houses” and the reshaping of the industry supply chain
- Call for action
- Conclusion
- Footnotes
Framework
We can divide the timeline of the offensive cybersecurity industry into three main phases, based on the events and trends that the industry experienced:
[Image: timeline of the three phases]
In each phase, I will analyze how each one of the following entities influenced the others:
- Supply chain: researchers, research groups, and vulnerabilities.
- End-to-end companies: companies that provide the ability to infect a target (i.e. vulnerabilities) and install an agent (i.e. malware) to collect data from selected devices.
- Brokers: intermediaries between buyers, end-to-end companies, governments, clearing houses, and sellers.
- Clearing houses: explained later in this article.
- Governments: any government organization that operates offensive cyber capability.
But before we dive into the different phases, there is one major force that drove the changes: the vendors.
The vendors
Over the years, vendors (i.e. Apple, Google, Microsoft, etc.) have spent significant resources on making their products more secure: introducing new mitigations and chipsets, patching vulnerabilities, hiring best-in-class security researchers, creating bug bounty programs, and more.
For people who are not familiar with the offensive cybersecurity industry, it is worth mentioning that the favorite infection vector of governments and end-to-end companies is the browser: a Remote Code Execution (RCE) vulnerability in the browser, combined with a Local Privilege Escalation (LPE) vulnerability to take control of the device itself. This pattern was particularly prevalent before 2017.
One of the main reasons that the favorite infection vector is from the browser is that it’s easier to get approval to access data on the target device than to illicitly access a server that belongs to a third party that is not directly the target.
One good example of how vendors invest in their security is Apple. Apple implemented a "defense in depth" strategy, starting from the understanding that vulnerabilities will be present in the product/software as long as there is code.
As a result, Apple decided to create layers (i.e. "defense in depth") of mitigations and defense measures to make the exploitation phase harder. This forces the attacker to find multiple vulnerabilities and chain them together, while Apple constantly changes the code, which makes individual vulnerabilities irrelevant.
Apple introduces new mitigations over time, narrowing the attack surface reachable from the browser. They created a strong sandbox environment, moved functionality onto new chipsets, and more².
At first, those new mitigations were not considered a significant barrier for vulnerability researchers. But over time, as the technology matured and the security teams learned and improved those mitigations and technology, things started to get more complicated on the vulnerability research side.
Here we can see a rough timeline of the new mitigations that Apple (iOS) introduced and when each became an issue (filled shape), i.e. when researchers had to find new vulnerabilities or techniques to overcome it.
[Image: timeline of iOS mitigations]
In addition to the new mitigations, it is getting harder and harder to chain (glue) the different vulnerabilities together into a "full chain" (i.e. a complete vector that allows the attacker to infect a targeted machine with elevated privileges).
The end result of these efforts is that, where two vulnerabilities used to be enough to gain control over the target device, a vector now requires many vulnerabilities and exploit techniques chained together.
[Image: from a two-vulnerability chain to a many-vulnerability chain]
Android has implemented security measures similar to the ones in iOS. There are some differences between the two that are worth mentioning. The main one is that Android is a fragmented market (OEMs) and is therefore harder to control on the kernel side of the device (i.e. upstream LPEs or chip-specific LPEs).
As a result, Google understands that it mainly needs to focus on OEM relationships (making vendors such as Samsung implement and release security updates as soon as possible) and on securing Chrome.
The transition from community to industry
In this section, I would like to give some background on how the transition from community to industry happened and what challenges the community had to face.
Regulation and Media (news) coverage
Regulation: There were little to no regulations on exporting vulnerabilities. Some countries, like Israel, included vulnerabilities under the export control laws on "exporting knowledge", but most countries had only just started the discussion on "intrusion software"⁵ (i.e. malware), not on vulnerabilities.
Media (news) coverage: there were few to no news articles on offensive cybersecurity, what it is, what it can do, etc.
Supply chain
In the previous article I posted⁴, talking about events and trends in the industry, I mentioned that generally speaking, there are four types of researchers in the offensive cyber industry:
- Tier 1: Researchers that are capable of finding and exploiting 0-day vulnerabilities.
- Tier 2: Researchers that can either find 0-day vulnerabilities or exploit a bug.
- Tier 3: Researchers that can do maintenance work on existing exploits.
- Tier 4: A gamble. All researchers are born equal(?)
The supply chain had a major role as the industry started to develop. In the beginning, vulnerability researchers were considered a scarce commodity, and any researcher with experience in this field was considered a Tier 1 researcher.
The industry simply didn't know how to rank those researchers, because the industry didn't know better. It was a new industry, and just a handful of people knew what it meant to be a vulnerability researcher.
Although in the early stages of the industry (i.e. 2008–2009) there were researchers who focused on specific targets and were considered "browser folks" or "kernel folks" etc., the demand for researchers was high and it didn't matter whether a person had experience in web, OS, or browsers.
It was believed that if you had experience in one domain, you could pivot to other targets easily. In reality, it was possible to pivot, but it took quite a lot of time (from 6 months to years) to ramp up research capabilities, and during that period the researcher was not productive in the sense of finding vulnerabilities or exploiting bugs.
Another reason was “street credit”. Which translated to something along the lines of “I served in unit X”, “I found vulnerabilities here and there”, “I played CTFs here and there”, and “I know this person and that person, we used to hack XYZ”.
Selling vulnerabilities
One of the many problems researchers had to face was finding how and to whom they could sell the vulnerabilities they found. Neither the client side (i.e. governments and end-to-end companies) nor the supply side (i.e. researchers) wanted to be known for doing such business. Questions like "How do I know that I can trust you?" or "How can I know that you are who you say you are?" were common.
The majority of vulnerabilities and exploits that have been sold (to this day) are in Proof of Concept (PoC) form. The researcher provides code that triggers the bug; usually the PoC exploit has questionable reliability and targets a particular OS version/device.
The client for such items needs to spend a significant amount of time and resources to develop the PoC into a production-ready exploit. In some cases, the vulnerability being sold gives you only certain types of primitives, and from there the client needs to continue the research in order to achieve the end goal (i.e. code execution).
What does it mean to have a production ready exploit?
I will quote Mark Dowd from Vigilant Labs during the BlueHat 2023 event:
- It has to work, and work reliably
- Should work in the face of adverse conditions
- No noticeable side effects (Locking up device, visual artifacts, etc)¹⁹
- Execution needs to continue as if nothing happened
In addition, capabilities (i.e. vulnerabilities, techniques, primitives, etc.) often get patched during the time of development due to the vendor being made aware of them (either internally or publicly).
Another problem researchers had to face was evaluating the fair market price of their findings and structuring payment agreements (things I covered in the 2019 BlackHat USA talk).
The brokers
The brokers had an important role in the developing industry as facilitators of deals (transactions). Brokers knew the client side (or at least were actively looking for one) and they had a network of researchers that wanted to sell their vulnerabilities.
The brokers had to build close and personal relationships based on trust with both the client and the researchers. This relationship was (and still is) critical because of the nature of how transactions are made.
Simply put, after agreeing to the terms and conditions, and signing a contract the researcher needs to send the vulnerability to the broker, which in turn sends it to the client for validation. Only after the validation process does the researcher get paid.
So as you can imagine, you need to trust the broker when you send him a vulnerability worth hundreds of thousands of dollars.
From the brokers' side, they enjoyed being gatekeepers: they could take a cut of the transaction without having to find the vulnerability themselves, while keeping the client and the researchers isolated from each other. The client didn't know the source of the vulnerability and the researcher didn't know the identity of the client.
End to end companies
In the beginning, there were just a few known companies, and most of them interacted with the market to hire researchers and to learn what vulnerabilities were out there. Only a small subset of the companies bought vulnerabilities from the market.
One of the reasons companies didn’t buy vulnerabilities from the market was that it wasn’t extremely hard for the internal research team to find and maintain a full chain. When an internal research team came up short on a particular target, the company would interact with the market and try to fill the gap in the chain.
Some companies started to buy vulnerabilities and exploits from the market only in a later stage and they had to catch up with the market players, procedures, and prices.
Governments
In ~2017, only a handful of governments were active in the market as buyers, usually through shell companies, for the purpose of monitoring the market for trends and for the vulnerabilities and exploits on offer.
Conferences
Conferences were one of the accelerators of the transition from community to industry. Conferences were the place where researchers, brokers, end-to-end companies, and government representatives met and created relationships.
The boom (2017–2019) — ‘Everyone is a genius in a bull market’
The main characteristic of this phase is growth: from an extremely secretive community to a multi-billion-dollar industry.
End to end companies
The main force behind the growth was the end-to-end companies. The end-to-end companies did a great job educating governments on offensive cybersecurity capabilities and why it's so important to have such tools at their disposal. In addition, end-to-end companies expanded the total addressable market by including countries that previously had no access to such technology.
As the concept of offensive cybersecurity became common knowledge, governments were interested in such products and services, especially governments that couldn’t develop such capabilities in-house. As a result, end-to-end companies started to pop up everywhere.
“Ten years ago, there were just a few companies. Now there are 20 or more, aggressively pitching their stuff at trade shows around the world.” Eric Kind, director of AWO, a London-based data rights law firm and consulting agency
There was a wide range of new companies offering different vectors to infect the targeted device — from servers, PC, IoT, Mobile, browsers only, and more.
As more companies stepped into the industry, high sums of money flowed in as well (from investments, loans, etc). From the companies perspective, the core of any end-to-end company is the vulnerabilities that enable the business — and as a result, the researchers.
Competition for researchers (a scarce commodity) heated up, and companies tried to hire researchers for internal research teams, buy vulnerabilities and exploits from the market, and work with the supply chain (i.e. researchers and research groups) in a paid R&D or exclusivity format.
Hiring researchers to the internal research team: Companies offered high compensation in base salary, bonuses, and basically whatever the researchers wanted (including renting an office closer to their homes, vacations, concerts, etc.), just to get them to work for them.
Companies hired researchers with a wide range of proficiency (Tier 1–4) and assumed the more researchers they hired the more likely they are to strike gold.
Supply chain: Interacting with the industry, especially buying vulnerabilities from the market, became easier as companies, researchers, and brokers started to work in the open (unlike in the “The transition from community to industry” phase).
End-to-end companies allocated an "unlimited" budget to buy vulnerabilities from the market and hire researchers. Another characteristic of the boom phase was that it was relatively easy for companies to fulfill their Service Level Agreements (SLAs).
Service Level Agreement (SLA)-side note
An SLA sets out the terms and conditions for the delivery of the service period, including among other things: quality of service, availability of the service, response times for support requests, and other relevant factors.
[Image: see footnote ¹³]
In the offensive cyber industry, the SLA means that the company has the ability to infect and install the agent on the target device.
In case one of the capabilities (i.e. a chain of vulnerabilities that allows infecting the target and installing the agent) goes offline (i.e. the vulnerability got patched, the vendor changed the code in a way that broke the exploit, or the vendor released a new version and the company needs to adapt the exploit to it), the SLA grants the company a certain permissible amount of time to restore the capability (usually a few months).
[Image: see footnote ¹³]
To my knowledge, end-to-end companies had high-profit margins as there were barely any regulations on exporting offensive cyber, and in some cases end to end companies were used as a strategic tool in the geo-political arena.
Traditional sub-contractors (i.e. weapons manufacturers) were offering offensive cybersecurity capabilities as early as the mid-2000s, with varying degrees of success, and only focused on their 1–2 most important customers, to which they sold this technology exclusively.
At some point in time, traditional sub-contractors understood that they needed to step into this industry as well (i.e. compete with end-to-end companies) and offer similar capabilities on a commercial scale, for two main reasons:
- Offensive cyber was the next big thing: demand from the client side.
- Sub-contractors were not part of the growing industry and had let the competition (i.e. end-to-end companies) dominate the market (which is government and intelligence related, the main business for some of those sub-contractors).
[Image: see footnote ⁶]
As more companies entered the offensive cybersecurity industry and stories of an untapped market with high profit margins circulated, it attracted people who tried to take part with little to no resources at their disposal: the "one-time companies" (one chain).
The "one-time companies" were companies that had a chain, let's say for Android, and bootstrapped a company around that chain. There are a few characteristics of those companies:
- A very small team: there was no internal research team, or only a very small one.
- The founders could have been a few researchers, a broker, or someone who wanted to get into the market and managed to secure a chain.
- They offered a minimal agent to be installed, limited targets, and no long-term support.
The "one-time companies" offered their product cheaply compared to the more established companies.
Sale cycle of the end to end companies
The sales cycle for end-to-end companies is long and can take a couple of years from the first meeting. The process involves, among other things, meetings, regulatory approval, demos, PoCs, negotiations, deployment, Q&A, contracts, and a Request for Approval (RFA).
The first really valuable step in the sales process, for end-to-end companies, is the contract execution and the RFA. Once the client (a government) signs the contract, it executes the contract by making a down payment in the range of 20–40% of the total price. The rest of the payments are made at defined milestones over the contract lifespan (including the RFA).
RFAs typically involve the client reviewing and verifying the product or service delivered by the vendor to ensure that it meets the agreed-upon specifications and requirements. Once the client is satisfied and approves the product, they give the go-ahead or provide their acceptance, allowing additional payments to the end-to-end company.
In most cases, the deal goes through with the help of a local agent (usually an ex-general), and their compensation is based on percentages out of the deal.
It is not uncommon that a contract will be signed with one set of people (procurement) and the RFA will be handled by a different group (technical people) within the organization — leading to delays and long periods of time to “finish” the deal.
During the boom phase, I would hear of new companies on a daily basis. The majority were focused on Mobile.
As mentioned earlier, vulnerabilities are the core of any end-to-end company. Each company's chains were in a different state: some companies had a gap in RCEs, some in LPEs, etc.
This difference between the companies’ chain states led them to buy their missing links from the market. By doing so, they provided liquidity to the market. The demand was high and if you had found a vulnerability it was relatively easy to sell it.
The brokers
Facilitators of deals (transactions) had enjoyed being the gatekeepers by keeping both the client and the researchers isolated. As demand for vulnerabilities surged and stories about how much each vulnerability could be sold for spread, it attracted many people who saw an opportunity in this new developing market as brokers.
Brokers don’t need to understand the technical aspects of the vulnerabilities, they don’t need to take responsibility, nor do they need funds to start the business. As a result, a wave of new brokers started to operate in the market (similar to the number of end-to-end companies).
The new brokers came from a wide range of backgrounds:
- Ex-researchers / researchers.
- People with connections to potential buyers.
- People without any prior background in the offensive cyber market, or in cyber at all.
As more brokers started to operate in the market, the competition for researchers got intense, and brokers did anything they could to make sure that researchers would work with them and not with the competitors, from taking them to dinners and parties to whatnot.
Brokers tried to "secure" researchers (i.e. to make sure researchers came to them first whenever they found a new vulnerability) across a wide range of capabilities, as demand in the boom phase was high (OS, Virtualization, Email, Hosting, Mobile, IoT, Websites, etc.).
One of the benefits brokers had was access to vulnerabilities and exploits from the market. Some of them opened end-to-end companies themselves, the "one-time companies" mentioned earlier.
Supply side
Researchers were the focal point. Researchers could choose either to be hired by end-to-end companies or to stay independent and take the risk (and reward) of searching for vulnerabilities by themselves.
Researchers were wooed by brokers, other researchers, and end-to-end companies.
Individual researchers were able to find and sell their vulnerabilities or exploits with relative ease; only a small percentage of researchers grouped together. In short, it was relatively easy to find and sell vulnerabilities for high sums of money.
The researchers offered vulnerabilities in a wide range of products and services, such as OS, Virtualization, Email, Hosting, Mobile, IoT, Websites, etc — and there was a demand for such vulnerabilities and exploits.
Low-tier researchers (in retrospect) were hired by end-to-end companies based on "street credit", and researchers with experience in vulnerability research but not in the company's focus area were hired as well, because of the belief that they could pivot quickly to the company's needs.
Governments
Governments were interacting with the market, mostly through shell companies, end-to-end companies (as they were the regulator), and brokers. High-profile countries with a lot of money stepped into the market as well.
[Image: see footnote ⁶]
The governments' main activity in the industry was focused on three main things:
- Purchasing end-to-end solutions: when dealing with end-to-end companies, governments started to realize that, on the surface of things, companies had very similar offerings. As a result, price was the main motivator for governments to move forward with one company rather than another.
- Investing heavily in training: trying to reduce dependency on the end-to-end companies and develop the capability in-house.
- Purchasing a wide range of vulnerabilities and exploits: Web, Virtualization, Email, Hosting, Mobile, etc.
The bust (2020–2021) — “It’s only when the tide goes out that you learn who’s been swimming naked.”
This phase is characterized by downward pressure on the industry as a whole from the vendors, regulation, media coverage and more.
Regulations
As governments increasingly grasped the full potential of offensive cybersecurity, along with the potential for misuse, they began tightening the regulations on exporting such products and knowledge (i.e. vulnerabilities and exploits).
The new regulations limit end-to-end companies from marketing and selling their products in certain regions or countries without the regulator’s approval. Additionally, governments, for the first time, formulated policies and enacted laws around vulnerabilities and exploit export.
Governments identified both brokers and end-to-end companies as risks and subsequently included some of them on their sanctions list.
In addition, the vendors didn't remain on the sidelines and launched lawsuits against end-to-end companies that violated their terms and conditions, claiming that some end-to-end companies had to use the vendors' infrastructure in order to execute the exploit on the targeted device.
[Images: see footnotes ⁷ and ¹¹]
Media (news) coverage
Journalists did not remain indifferent as governments worldwide began to misuse offensive cybersecurity capabilities. As a result, journalists exposed end-to-end companies, their clients, operations and more.
We will see the consequences later in the article.
[Images: see footnotes ⁸, ⁹ and ¹⁰]
End to end companies
As end-to-end companies faced tightened regulation, journalists exposing companies and reporting about technology abuse/misuse, lawsuits, sanctions, vendors enhancing their products’ security — the end-to-end companies had to face a few more challenges:
- Bidding war
- Service Level Agreements (SLA)
- Internal research team
- Vulnerabilities getting caught in the wild
- Source of revenue and regulations
- COVID 19’s economic impact
- Increasing vulnerability prices
Those challenges led to financial struggles which eventually caused companies to go bankrupt or pivot away from offensive cybersecurity.
Bidding war
In the boom phase section, I noted that quite a lot of new companies entered the industry and that they struggled to differentiate themselves from one another, as they ultimately offered the same end goal. One of the main tools those companies had at their disposal to convince a client to move forward with them was price.
Instead of increasing the price of their services to ensure viability (later I will cover why their costs increased and their profit margins declined), end-to-end companies maintained prices, or even decreased them over time, just to lock in a client. One of the reasons companies could afford this strategy was the low interest-rate environment and the expectation that if they could lock in clients, then over time (while competitors went bankrupt or pivoted) they could increase prices.
Service Level Agreement (SLA)
To fulfil the SLA, end-to-end companies need the ability to infect the target on the latest version of the offered vector, for example an Android chain that works on the latest vanilla version (i.e. Chrome RCE, Chrome sandbox escape (SBX) and Android LPE).
Those chains of vulnerabilities should:
- Work, and work reliably
- Should work in the face of adverse conditions
- No noticeable side effects
- Execution needs to continue as if nothing happened
Remember this?
[Image: the SLA figure from the boom section]
During the bust phase, the technology and the level of mitigations implemented by vendors reached maturity, resulting in disruptions to the ability of end-to-end companies to uphold the SLA.
Companies struggling to maintain their SLAs led to three main issues:
- Revenue collection: End-to-end companies faced difficulties in collecting payments from clients as their services didn’t allow the clients to infect the most up to date targets.
- Losing clients to competitors: governments didn’t want to delay operations because their current provider didn’t have a working chain, while their competitors had such capability.
- Pressure on the internal research team for solutions: addressed next.
Internal research team
The majority of vulnerabilities and exploits that have been sold (to this day) are in Proof of Concept (PoC) form. Hence, internal research teams had to invest most of their time in developing the PoC into a "production ready" chain, which left them with a huge maintenance burden (i.e. adapting to different devices, versions, scenarios, etc.) instead of focusing on vulnerability research.
When the SLA is not fulfilled, the management of the end-to-end company puts a lot of pressure on the internal team and on the person/team responsible for purchasing vulnerabilities from the market. In short, if the internal team couldn't provide a solution, the company was not getting paid.
From talks I had with friends and colleagues who work as researchers in such companies, it is quite common that researchers hold a grudge against management: researchers try to warn that research takes time, and that if they are kept on maintenance work, then whenever the company needs new vulnerabilities it will take time to start a new research project, or for researchers to get up to speed on a research project the team is already running.
There are two interesting outcomes for such pressure:
Deliverables vs. technical-skills reputation (aka "street credit"): End-to-end companies used to hire a wide range of researchers (i.e. tier 3–4 researchers) in the belief that the more researchers there are, the greater the output will be (i.e. finding new vulnerabilities).
In reality, companies found out that only a small percentage of their research team was capable of finding new vulnerabilities and exploiting them. "Street credit" was no longer a factor, and researchers who struggled with maintenance work or couldn't find new vulnerabilities were fired.
Researchers leaving end-to-end companies: capable researchers who felt burdened with carrying the company on their shoulders, coupled with the added pressure from management, decided to leave the end-to-end companies.
During that period, the entire industry was open to them, with competitors, brokers, and others enticing them by offering opportunities to establish their own companies and leverage their valuable experience by focusing on finding vulnerabilities and selling them.
Another point worth mentioning is that end-to-end companies stopped hiring the new generation of researchers; the resources were allocated to bringing in senior researchers who were capable of finding vulnerabilities and fulfilling the SLA.
Vulnerabilities getting caught in the wild
In the bust phase, quite a lot of vulnerabilities got caught in the wild. There were two main consequences of such events:
- It was quite common that end-to-end companies were using (without knowing so) the same vulnerabilities, whether because they bought the same vulnerability or because of a duplicate (the same vulnerability found by two different teams). So if one company got caught, it affected the other companies as well.
- The vendors audited the attack surface and patched variants that other end-to-end companies were using, or invalidated an attack surface completely.
Source of revenue and regulations
New regulations limit end-to-end companies from marketing and selling their products in certain regions or countries without the regulator’s approval.
In my experience, there are a few different types of end-to-end companies:
- Companies that sell to the Five Eyes (Australia, Canada, New Zealand, the United Kingdom, and the US).
- Companies that sell to the Five Eyes and Schengen (23 EU countries).
- Companies who sell to “Western countries”.
- Companies who sell to countries that are not part of the US sanction list.
There are only a few companies that sell only to the Five Eyes; the majority of end-to-end companies fall under the last two categories above.
This means that the end-to-end companies’ core revenue stream is based on countries that are not part of the US sanction list (i.e. non-Western governments), governments that don’t have the ability to develop such capabilities in-house.
Western governments possess internal research capabilities while also procuring end-to-end solutions. The distinction between non-Western and Western governments lies in the perception that Western governments are considered the “good guys” and are aware that numerous companies would eagerly seek them as clients. Consequently, Western governments exploit this advantage to negotiate the terms, including the price, down to the bare minimum. Conversely, end-to-end companies can assert their collaboration with the “good guys”.
The point is, due to regulation, end-to-end companies lost revenue streams from non-Western countries, which were and still are their main source of revenue.
COVID-19’s economic impact
At the beginning of 2020, COVID-19 became an international concern. Governments held budgets and diverted resources to handle the outbreak which quickly spread worldwide.
Because of the uncertain times ahead, governments froze procurement of offensive cybersecurity capabilities and in some cases withheld payments to end-to-end companies.
In turn, end-to-end companies were uncertain about the situation as well; they held budgets and didn’t buy vulnerabilities from the market unless they had to in order to keep SLAs for existing clients.
Increasing vulnerability prices
The true cost of chains increased dramatically for two main reasons:
- The number of vulnerabilities needed to create a working chain increased (i.e. from RCE and LPE to a combination of multiple vulnerabilities and techniques).
- Finding vulnerabilities and exploiting them got harder and harder.
Another point of consideration was that due to regulations and vulnerability export control laws, end-to-end companies had to open entities in many countries to accommodate the transactions with researchers leading to additional costs on the end-to-end companies.
Bankruptcy and pivoting
End-to-end companies encountered numerous challenges, including escalating costs, declining revenue, increased regulations, and more. Unfortunately, some of them struggled to cope with these difficulties and were unable to effectively manage the financial strain.
This led to bankruptcy and to companies pivoting away from the offensive cybersecurity industry:
Footnote¹⁴, footnote¹⁵, footnote¹⁶ and footnote¹⁷ (screenshots)
The end-to-end market experienced a contraction for the first time. This will have a major market impact and we will cover it next.
Supply Chain
The supply chain had to face the general downward pressure (i.e. regulations and media coverage) and unique challenges as well.
Regulation
Tightened regulations around vulnerability/exploit export led some researchers to pivot away from the industry, as they don’t want to or can’t handle the export control license process. In some cases exporting became illegal altogether. Naturally, there are not a lot of researchers capable of finding vulnerabilities on targets in demand, so losing even a few due to regulation shook up the supply side quite a bit.
Higher barrier to enter the field of vulnerability research
With vendors enhancing their security measures, such as implementing additional mitigation techniques and narrowing the potential attack surface, aspiring researchers now encounter a higher bar to enter the field of vulnerability research. For example:
- Cost of devices
- IDA (Interactive Disassembler, a popular disassembler and debugger used for reverse engineering binary executables)
- Emulation (Corellium, for example)
- Limited scope of research: without certain capabilities (i.e. vulnerabilities), researchers can’t search for the next part in the chain.
Demand
The main force buying vulnerabilities from the market was end-to-end companies. Now that fewer companies are competing, demand for vulnerabilities in general declined.
In addition, clients, in some cases, will not buy parts of the chain unless they have the rest of the pieces or they are confident enough that they can buy/find them in a short period. Modern chains are complicated and have many pieces that can break down. As a result, clients will not risk the capital if they are not sure they can utilize the pieces quickly.
The same goes for time to market: if one researcher finds a vulnerability that clients were looking for and that fills the customer need, another researcher who found a similar vulnerability will have a hard time selling their new finding, as companies do not hoard vulnerabilities.
Whereas in the boom phase researchers could sell a wide range of vulnerabilities and exploits (IoT, web, etc.), in the new environment, where companies spend budget cautiously, demand was prioritized to the main vectors, which are mobile; the rest of the demand is custom requests.
Media coverage
While journalists exposed end-to-end companies, their clients, operations and misuse — the image of the offensive cybersecurity industry became one along the lines of terrorists. This bad PR pushed researchers away from the industry, and some of them pivoted to other industries.
Another interesting trend I witnessed is that researchers tried to limit how companies could use their vulnerabilities and exploits. This alters the power dynamic between researchers and the companies that buy their output.
Deliverables VS technical skills reputation
Because demand for mobile vulnerabilities was high and everything else was in decline, some researchers tried to pivot to mobile without success and ended up leaving the industry.
Furthermore, as vendors made advancements in their technologies, some researchers who were previously adept at finding vulnerabilities found themselves unable to keep pace with the evolving landscape, and consequently left the industry.
Remember this?
Individual researchers are no longer able to achieve the same level of output as they did in the past. This circumstance has led them either to form collaborative teams with other researchers or to exit the industry altogether.
Brokers
Most brokers lost their advantage as gatekeepers once end-to-end companies and governments started to work openly in the industry. For example, end-to-end companies and governments participated in conferences and started to work directly with researchers, or it became relatively easy to get in touch with them to explore collaborations.
In the boom phase I mentioned that the industry attracted many people who had little to no connection to offensive cybersecurity and who tried to find a way to fit into the new emerging industry — being a broker was a relatively easy way in.
Over time, certain brokers succumbed to greed and excessively marked up the prices of vulnerabilities and exploits they successfully secured. Some other brokers misled researchers by claiming to have sold the item only once, when in reality, they sold it multiple times without informing the researchers. As a result, the brokers failed to compensate the researchers appropriately.
Moreover, clients raised objections to the vulnerabilities or exploits for various reasons, leaving the brokers unsure of how to proceed; in most cases the broker simply accepted the rejection of the item. Consequently, the researchers suffered a loss in revenue. Additionally, brokers convinced researchers to send the item before securing a client for it, under the pretext of conducting demonstrations or PoCs.
With an increasing number of researchers engaging directly with clients, brokers found themselves with a limited pool of vulnerabilities and exploits that circulated among a wide range of brokers. This repetitive cycle led to clients receiving identical specifications (i.e., information about the vulnerability being offered for sale) from multiple sources. Consequently, clients became hesitant to purchase these vulnerabilities and exploits, perceiving them to have a short lifespan, even though, in reality, no one had acquired the vulnerabilities or exploits.
An example of “spec”
Governments
Similar to the end-to-end companies, governments were also affected when vulnerabilities were caught in the wild, shared the same view on specs they received from multiple sources and more.
The unique issues that governments had to face in the bust phase were:
- The realization that you can train your people as much as you want, but it won’t turn them into vulnerability researchers capable of finding vulnerabilities in the core vectors.
- COVID-19 (as mentioned in the “end-to-end companies” part).
- Learning how to better leverage end-to-end companies and demand better terms and SLAs.
The adjust (2022+) — The rise of the “Clearing houses” and the reshaping of the industry supply chain
The adaptation to the new environment primarily originated from the supply side, focusing on how it engages with governments and end-to-end clients.
Despite the reduced number of end-to-end companies, they continue to compete with each other in the market and have a hard time keeping their SLAs.
Supply chain
The supply chain had to face multiple challenges and as I mentioned in the bust phase, the main ones were:
- Declining number of potential clients (i.e. end-to-end companies that went bankrupt).
- Some brokers took advantage of researchers.
- Higher threshold to enter the field of vulnerability research.
- Researchers shifted their focus and pivoted from the field of vulnerability discovery due to factors such as regulations, extensive media coverage, and the inherent difficulty of finding vulnerabilities.
The significant technological and security advancements made by vendors had a profound impact on the supply side. Finding vulnerabilities became increasingly challenging, prompting several researchers to form collaborative groups to enhance their chances of success. Based on my experience, researchers who previously discovered vulnerabilities once every three months now require a team and six months to achieve the same outcome.
This led to two main things:
- Control over transaction: Due to the increasing difficulty of finding vulnerabilities in primary vectors like browsers and mobile operating systems, coupled with the shorter lifespan of vulnerabilities (caused by their detection in the wild or vendor code changes), researchers sought greater control over their transactions with end clients — forcing the brokers to pivot from the traditional role of gatekeepers to agents. The role of the agent is to represent the seller side (i.e. researchers) and negotiate the deal; eventually the contract is signed between the researchers and the end client. As compensation for their services, agents receive a commission, which can be either a fixed amount or a percentage of the transaction value.
- Paid R&D: The newly established research groups found themselves in need of self-sponsorship for an extended period before discovering a sellable vulnerability. In an industry already characterized by high risks and rewards, research teams sought to mitigate their risks by pursuing paid R&D projects. Under this arrangement, potential clients offer a base salary along with a success bonus. From the client’s perspective, they assume a relatively small capital risk throughout the project’s duration. In return, if the research team successfully identifies and exploits a vulnerability, the client gains exclusive access to it. This mutually beneficial arrangement allows the client to minimize financial exposure while potentially reaping the rewards of the team’s findings.
From my experience, only a small percentage of researchers today are still independent researchers. The majority of researchers work at research groups or are part of “Clearing houses” (which I will cover shortly).
What is the magnitude of such research groups?
Small research groups are usually in the magnitude of up to 8 researchers with a revenue of a few million USD a year.
Screenshot of an accounts statement for 2022 from one of the research groups (public information)
The rise of the “Clearing houses”
Clearing houses are a new type of entity focusing only on vulnerability research. Their unique characteristics enable them to expand quickly while the end-to-end companies are in decline.
So what are clearing houses?
- Clearing houses are companies with a strong brand name within the industry.
- They have their own internal research team where they hire high-end or capable researchers to work exclusively for them and exclusively on vulnerability research.
- They secure an exclusive supply-chain of researchers work and vulnerabilities or exploits by investing in paid R&D projects.
- The clearing houses buy vulnerabilities from the market exclusively and improve them to be “production ready”.
- They share infrastructure, vulnerabilities, exploitation techniques and more with the researchers within the company and researchers that work exclusively with the company (i.e. independent researchers or research groups).
- The clearing houses compensate researchers and their supply chain, mostly based on success bonuses which are significantly higher than market rates and relatively low base salary (compared to end-to-end companies).
- Similar to end-to-end companies, clearing houses don’t/can’t train a new generation of researchers.
- The main clients of such entities are government organizations (in some cases clearing houses will sell to end-to-end companies as well). These government clients typically compensate the clearing houses through transaction-based payments and paid R&D projects. Operating such businesses is capital intensive, therefore, clearing houses have to work with multiple governments.
- Unlike end-to-end companies, clearing houses don’t need to maintain SLAs, and they only provide vulnerabilities to their clients. In some cases, clearing houses sell the same vulnerabilities to multiple clients in order to cover the costs.
- Given the strong relationships between clearing houses and government clients, the clearing houses prioritize fulfilling the specific needs of these clients, which often revolve around mobile chains.
Clearing houses have caused disruption in the supply chain by operating within a complex network of collaborations and replacing some of the end-to-end liquidity in the market. Consequently, end-to-end companies face additional challenges, as clearing houses primarily serve governments, which are the main clients of the end-to-end companies as well. This dynamic adds a layer of complexity to the operations of end-to-end companies.
From here: (image)
To here: (image)
An intriguing aspect of clearing houses is their prioritization of capabilities (such as vulnerabilities or exploit chains) over maximizing profits. They recognize that selling to inexperienced clients who mishandle these capabilities can have detrimental effects not only on the specific client but also on their other c