AttackIQ Inc. is a seven-month-old Internet-security startup with offices in Sorrento Valley and  downtown San Diego. President and CEO Stephan Chenette and his business partner started AttackIQ after more than 15 years in Internet security, including positions at eEye Digital Security, SAICWebsense and IOActive. He took time from meetings with potential investors and customers to answer five questions for Times of San Diego.

What is AttackIQ?

AttackIQ is an Internet security start-up that finds security weaknesses in an organization’s inner network before attackers can exploit them. Our challenge is directed at large enterprises that have invested in defending against Internet attacks: “After spending millions of dollars on Internet security products, how are you measuring your security posture?” AttackIQ runs scenarios based on real attacks, which duplicate what an attacker would do once they have compromised a system on a company’s network. Unlike traditional cyber security products, such as firewalls, web filtering, and predictive analytics, AttackIQ’s FireDrill product proactively measures and validates a company’s layered defense, so that its weaknesses can be fixed before being exploited. Our goal is to help companies in all industries avoid costly cyber attacks, such as the data breaches at Target and eBay.

Stephan Chenette, president and CEO of Internet security startup AttackIQ.

Why focus on Internet security?

The Lloyd’s Risk Index — a survey of more than 500 of the world’s senior business leaders — noted that cyber security is firmly at the top of the agenda for global enterprises, third only to the risks posed by high taxation and the loss of customers. Data breaches have affected all industries and most companies are spending money on security products they either do not understand or do not know how to fit into their layered defense strategy. In many cases, security software is treated as a commodity, so companies buy one of everything: one firewall, one web filtering product, one desktop anti-virus product, and so on. Buying products that do not have an immediate and exact fit into an organization’s security architecture creates a false sense of security. Instead, companies need to first holistically understand their current security architecture, including the products, processes and polices already in place. They need to understand where their critical assets are, and how their security architecture measures up against real-world attacks.

What is FireDrill?

When a company is under a cyber attack, most attackers are able to stay inside a network undetected for months. We have built a product called FireDrill to help organizations measure their security posture and how well it would hold up if an attacker was able to get into their networks. We have assembled a team of security experts in research and development to accomplish this mission. Our patent-pending innovation enables us to measure a company’s holistic security posture. We can recreate attacks that have happened to other companies, such as the data breach at Target, and by recreating the attack in a controlled manner, test the actual security environment of an organization and find the gaps. If an organization knows its weaknesses, it can prioritize where to strengthen the internal network. By being proactive in fixing the holes in a network and making it more difficult for an attacker once they have gained access to a network, a company can limit the attacker’s ability to gain any further information and cause any further damage. This will keep companies out of the headlines, limit their liability and lessen their chances of confidential information and intellectual property being stolen. The ability for a company to react to an ongoing attack is now as important as a company’s ability to protect themselves from an initial breach.

Why San Diego?

San Diego has a great community for startups because of the prevailing attitude of helping others become successful. There is a large number of organizations, incubators and accelerators ready to help startups, including the MIT Enterprise ForumCONNECTEvoNexus, and CyberTECH. Once an individual or group enters into the startup world, they are inundated with support. Various other cities have their strengths, but San Diego also offers a work-life balance that cannot be found in other locations.

What’s the long-term potential for AttackIQ?

Last year organizations across the globe spent nearly $68 billion on security hardware and software, according to industry analyst Gartner, and that amount is increasing annually. At the same time, over 95 percent of U.S. corporations have had their networks compromised. Companies need to know how their people, processes and tools are matched against today’s attackers. AttackIQ can help companies defend themselves while ensuring a better return on their security defense investment.

For more information about AttackIQ, please visit or send an email to

Times of San Diego, a startup itself, regularly writes about startups in technology, biotech and other sectors of local business. If you are a startup in the San Diego area and want to tell your story, please contact

Show comments

Chris Jennewein

Chris Jennewein is Editor & Publisher of Times of San Diego.