I usually just read and never post, but I felt like I had to on this one, about this scam/poser of a company called Redbot Security.

I'm fairly new to my company, and my boss recently had a pentest performed. He searched for a pentesting company on Google, and one of the first results that came up was "Redbot Security." I'd never really heard of them, and at the time I didn't have a say in his choice or even know he was choosing a company for a pentest. I guess at first glance Redbot Security seemed to my boss like a legitimate pentesting company, but what I found out was quite concerning. So the first page on Google had this company, but the site was just a blog post about the best/top-rated pentest companies, and of course it was Redbot Security's own blog post. (Red flag.)

How original. Looking at this post, I realized it was just a blog post stuffed with every imaginable keyword related to penetration testing, etc., etc. For example, "Important Penetration Testing Checklist when searching for the Best Penetration Testing Company for your Project."

I also realized, after now getting various Statement of Work (SOW) documents and quotes from other companies, that Redbot uses a lot of wording from other companies. For example, when they describe their toolsets in their "Redbot Security Featured Penetration Testing Services: Internal Penetration Testing," it was a word-for-word copy of Rapid7's wording about what tools they use. Weird? OK, so looking further, their blog post is about their certifications? Looks like they just listed every type they could find, and some aren't even certs. What about their LinkedIn? Well, come to find out, just a few real profiles, and for pentesters, ALL FAKE. For example:

Security Solutions Architect at Redbot Security

Sr. Cyber Security Consultant at Redbot Security

Engineering Group - Private-Redbot Security

Pentester Group at Redbot Security

All of the above are "private," but with a little magic with LinkedIn and Google I can see what their profiles are... bogus.

Yeah, these are fake profiles. So then I started using LinkedIn more and found some odd/interesting facts when doing reverse image searches and other searches about these people, including ones that did work for them. Well, for one, the only pentester I saw wasn't even an employee of Redbot; he works elsewhere and seems to only be a contractor for Redbot Security. There is a woman who works at a different company and only seems to be a contractor with them. Odd, because on the phone they made it sound like they had 20 or 30 people on their pentesting team.

Then there's a person called "Amy Speer," their salesperson, whose name isn't even real. Why in the world would you hide your real last name? Oh, I see, it's because her last name is "Stearns," which is the same last name as the owner my boss was on the phone with. So who is Amy Speer? https://www.zoominfo.com/pic/redbot-security/449851128. Come to find out, her last name is currently Stearns.

Seems they wanted to hide how small they are. Then, as if that wasn't enough, I thought, "Hey, maybe we'll still get a good pentest." NOPE. Nothing. They did a web app test for us after charging top dollar, and guess what they found. N-O-T-H-I-N-G. Well, just a few things you would find if you ran an automated scanner. Apparently our homemade app using a non-standard framework had no flaws. Who knew? Well, I wasn't impressed, and none of this looked right or added up, so I told my boss let's use someone else, because there is just no way.

Well, thank God we did. We went with a reputable company, and it was night and day. They found all sorts of stuff: deserialization attacks, CSRF issues, DOM-based XSS, multiple different injection issues, upload vulnerabilities, and a few more major things. Then it hit me: these issues are things that vuln scanners typically don't find. Crap. And we were charged top dollar by these clowns.

What a bunch of scammers. I'm itching to just call them up and ask for a copy of all the certs they listed, just to watch them spin in circles over it. And think about this: they say they "specialize" in OT/SCADA networks for energy companies. No wonder those are getting hacked.

[Update from the CEO Messaging Me]

Apparently the owner reached out to me with a personal message:

Philly - We are not going to respond online to you as you blatantly attempt to slander, discredit, and defame our company and breach our contracts over a project that is over 2 years old. We have identified your company and will be speaking with your CEO soon. If you'd like to verify our engineering team credentials and certifications, please contact us offline and we will look at this as no harm, no foul. Like we said in response to your post, we would be willing to provide a new test with a new engineer at no cost, as our company has grown and our services are recognized as industry leading. The engineer on your company's original, old project is no longer with the company. He did have the ICS and certs you inquire about, as did his team that he managed. The only miss on our end is that we never got around to updating our website. It's been resolved. That free offer is nearing expiration as our legal team begins its diligence. The LinkedIn profiles were groups, and Amy goes by her maiden name for professional reasons. What else? Listing our company on our own SEO - of course.

What a load of ****. The Wayback Machine shows his website updated multiple times, even recently, and yet those same certs were copied and pasted on each update. The "Amy" excuse is also bull. For "professional reasons"? What reason is that, to trick people into thinking this is a bigger company than it is? And the gall of this person to try to threaten me with talking to my CEO while saying his lawyer is involved is absolutely hilarious. Good luck showing slander when everything I said is correct and can be proven. He's lucky we don't sue him into the dirt for fraud after we got compromised. The pentest report they gave me is FULL of false positives, and they didn't find anything that mattered, which is why we were compromised. Literally EVERY SINGLE ONE of the findings was not true.