
Ankur Chowdhary to Present at DEF CON 28 Red Team Village

Date: Past Event

Location: Virtual Conference

We are proud to announce that Bishop Fox security consultant Ankur Chowdhary will be presenting Autonomous Security Analysis and Penetration Testing (ASAP) at the DEF CON 28 Safe Mode Red Team Village.

Autonomous Security Analysis and Penetration Testing (ASAP)

Abstract

Penetration testing (pentesting) involves skilled cybersecurity professionals generating a plan of attack for finding and exploiting vulnerabilities in networks and applications. The current procedure used in pentesting is semi-automated at best and requires significant human effort. Moreover, the plan of attack followed by pentesters may not yield the best outcomes in terms of exploiting vulnerabilities in the provided time.

Autonomous Security Analysis and Penetration Testing (ASAP) utilizes software vulnerabilities and network topology information to provide an artificial intelligence-based automated attack plan. The ASAP framework utilizes the reachability information between different network hosts and software vulnerabilities to generate a state transition graph known as an attack graph. Each state in the attack graph represents the current privilege of the attacker. The attack graph also encodes information about the possible next state transitions in the network. In effect, the attack graph maps all possible exploits and privilege escalations in a network. This information is provided to an artificial intelligence (AI) module. The AI module utilizes a popular framework known as a Partially Observable Markov Decision Process (POMDP) to encode uncertainty over different state transitions and the reward obtained by attackers on achieving different privilege levels. The output generated by the AI module, the attack policy, provides the best course of action for a penetration tester or red team member in the current network setup.

The attack policy generated by the ASAP framework can be deployed on target enterprise networks using automated exploitation tools such as Metasploit. Based on our experimental evaluation in a cloud network setup, the attack policy generated by our framework does significantly better than human penetration testers in terms of finding and exploiting vulnerabilities in a network.
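The attack graph described in the abstract can be sketched on a toy network. The following Python is an added example, not code from ASAP or from the talk: it builds the state transition graph from reachability and vulnerability data, then reports which single fixes cut off a given privilege state. The hosts, services, tuple layout and `VULN-*` ids are constructed placeholders, and the POMDP policy step is not modelled.

```python
from collections import deque

# Constructed sample network: hypothetical hosts, placeholder vulnerability ids.
REACH = {  # source host -> set of (destination host, service) it can connect to
    "internet": {("web", "http")},
    "web": {("app", "rpc"), ("db", "sql")},
    "app": {("db", "sql")},
}
VULNS = [  # (id, host, service or None if local, privilege required, privilege gained)
    ("VULN-A", "web", "http", None, "user"),
    ("VULN-B", "web", None, "user", "root"),   # local privilege escalation
    ("VULN-C", "app", "rpc", None, "root"),
    ("VULN-D", "db", "sql", None, "user"),
]

def build_attack_graph(reach, vulns, start):
    """Return {state: [(vuln_id, next_state)]}; a state is (host, privilege)."""
    graph, queue = {start: []}, deque([start])
    while queue:
        state = queue.popleft()
        host, priv = state
        for vid, vhost, svc, need, gain in vulns:
            # Remote transition: the current host can reach the vulnerable service.
            remote = svc is not None and (vhost, svc) in reach.get(host, set())
            # Local transition: same host, and the required privilege is held.
            local = svc is None and vhost == host and need == priv
            if remote or local:
                nxt = (vhost, gain)
                graph[state].append((vid, nxt))
                if nxt not in graph:
                    graph[nxt] = []
                    queue.append(nxt)
    return graph

def blocking_fixes(reach, vulns, start, target):
    """Ids of vulnerabilities whose removal alone makes `target` unreachable."""
    fixes = []
    for vuln in vulns:
        remaining = [v for v in vulns if v is not vuln]
        if target not in build_attack_graph(reach, remaining, start):
            fixes.append(vuln[0])
    return fixes

if __name__ == "__main__":
    start = ("internet", "none")
    for state, edges in build_attack_graph(REACH, VULNS, start).items():
        print(state, "->", edges)
    print("fixes that protect db:", blocking_fixes(REACH, VULNS, start, ("db", "user")))
```

Because the graph is built by breadth-first expansion from the starting state, its keys are exactly the privilege states reachable from that starting point, which is what makes the remediation check a simple membership test.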


About the speaker, Ankur Chowdhary

Security Consultant

Ankur is a Bishop Fox alumnus who was a Security Consultant at Bishop Fox and a PhD candidate at Arizona State University (ASU). His research interests include cloud security, software-defined networks, and the application of artificial intelligence and machine learning in the field of cybersecurity. Ankur has co-authored over 25 research papers and one textbook in the field of cybersecurity. He has been quite active in cybersecurity education. Ankur co-founded the hacking club DevilSec in 2019 to teach offensive and defensive security to students at ASU. More details on Ankur's research, work and current activities can be found on his website https://ankurchowdhary.com
