Cybersecurity-as-a-Service firm Chaleit didn’t want to compromise on their exacting standards. Fortunately, thanks to collaboration with the Runn team, they didn’t have to.
It has never been so vital for companies to detect vulnerabilities in their systems - it’s practically a race to get there before bad actors do.
Ten years ago, the average cost of a data breach was $5.4 million. In today’s world, that figure has almost doubled. US-based companies can now expect to lose an average of nearly $10 million as a result of a data breach.
For a business to operate in confidence, it’s essential that they anticipate the next threat and get familiar with the tactics that cybercriminals deploy. And Chaleit’s founding team knows this better than anyone.
Established in 2021 with decades of experience under their belt, Chaleit’s team has lived and breathed the changes in the cybersecurity landscape as it has evolved. They understand that staying out in front requires agility and constant vigilance.
And one of the best ways you can prepare for an attack? Simulate an attack yourself.
Penetration testing - so-called because it involves attempting to hack into a system - is a tried-and-true method of finding vulnerabilities in your code. In the context of SaaS, this usually involves bringing in an outside agency of ‘ethical hackers’ to try to break in - as if they were malicious actors intent on causing mayhem.
They conduct a hacking test, observe what they can discover, and report back to the client’s information security team.
But, as Dan Haagman, co-founder and CEO of Chaleit, explains, this conventional penetration testing model as it stands can stir up feelings of negativity:
“From the perspective of the client, it can feel like a slightly adversarial type of relationship. But it doesn’t have to be like that,” reflects Dan. “After all, the nature of SaaS is that there will always be bugs and issues. And it’s okay for issues to come up - so long as there are processes in place to find them and address them.”
Even though it’s undoubtedly useful to have a team of hacking experts throw the kitchen sink at your code, where do you go from there? Conventional pen-testing services don’t help their clients remediate the issues or create much-needed processes to stop problems from arising. It’s just not part of their offering:
“Usually, pen-testers just deliver hacking tests for their clients and then follow up with a report. But clients often struggle with what to do after this point - particularly because pen-testing often surfaces some pretty obscure vulnerabilities. For the client, there’s no guidance or context on how to solve the issues found.”
As Dan sensed, this model was clearly not the best path to quality outcomes for clients. Revealing security vulnerabilities is only step one in a process that requires a wealth of specialist input and knowledge - knowledge that seasoned cybersecurity professionals are best placed to deliver.
There was a clear opportunity to push the envelope and build something more comprehensive. Rather than ending their engagement with a client once the pen-test report was issued, they could remain in partnership with their clients - offering expert guidance on how to fix vulnerabilities and future-proof their infosec processes.
“We decided that this was the best way to bring value to clients. We could journey with them through the complex repairing or remediation phase.”
As Dan describes this norm-challenging model, his enthusiasm is infectious:
“This was about moving beyond project-based pen-testing into service-based, collaborative cybersecurity transformation.”
And thus, the concept of Chaleit was formed.
Dan and his team realized that they had a chance to carve out something truly new, so long as they built from the ground up - putting the right infrastructure in place from the very beginning.
“We asked ourselves, how do we avoid taking the legacy assumptions about this sector and rethink the use-case? How can we become a company that’s thinking into the future, rather than one that is nestled in the past?”
Rigorously planning and researching the decisions that would shape their organization, they naturally set the bar high for security and compliance from day one. They also wanted to be fully international right from the word go - equipped to serve clients the world over and to be completely remote and location-agnostic in their hiring.
“Before we even started building the company, we put a lot of time into researching how to be a truly remote organization, truly international - both for our clients and for our people.”
To achieve this, they would need to curate a unique tech stack that suited their needs. Not only would any tools have to meet their stringent requirements for security and compliance - they would also need to do it without bogging the team down with unnecessary complexity. To support a work-from-anywhere culture, enabling seamless collaboration was a must.
“The client might be in one timezone, and the team working on their project might be spread across several other timezones. To manage this with the flexibility and agility we wanted, we had to build an infrastructure that was collaboration-orientated, workflow-orientated - and super fast.”
Building a stack to support these standards was going to be no mean feat - and Runn was one of the final pieces of this puzzle. But it took nearly two years of searching, trialing, and testing to find the platforms that met the team’s needs.
A well-designed UI and pleasant user experience might win over a general audience. But, as Dan explains, if you work in security, the appearance of good design alone isn’t enough: you have to take a look at what’s happening under the hood.
“There are certain questions you have to ask: Where is the data residency? Under what privacy laws is it built? Has it been pen-tested? How are they looking after their code?”
As a result, Dan and his team often ended up having to explore more established, enterprise products. And though these came with a hefty price tag, they were frequently the best bet from a reliability and security standpoint.
“We ended up with a lot of platforms that most startups wouldn’t even think of buying!” laughs Dan. “Which was fine for some functions.”
But when it came to project and resource management, it was a problem.
“The enterprise project management products out there almost do too much - and to make them lean, to get them to integrate neatly with the other specialist platforms we’re using, is almost impossible.”
The team was at a crossroads. Legacy systems did meet Chaleit’s security and compliance requirements. But they were also slow and unwieldy, with almost more functionality than needed - and much of it hidden in infinite dropdowns and unintuitive UIs that are stuck in the early 2000s.
Ultimately - and understandably - Dan didn’t want to compromise on something that would have such a fundamental impact on the way Chaleit worked and managed projects.
“We wanted something that was powerful, highly visual, and simple. I kept coming back to the manufacturing concept of the ‘visual factory’ - we needed a visual factory for our time, so we can clearly see what all our resources are doing.”
Enterprise project management systems weren’t cutting it - so it was time to cast the net wider.
Dan started looking into younger SaaS products, which put many more options on the table. But, though many platforms performed well functionally, their dashboards and visualizations often left a lot to be desired.
By the time Dan discovered Runn, he’d already trialed two different SaaS project resource management platforms - and been let down in crucial ways that meant he could not progress with them.
After this disappointment, finding Runn was like a breath of fresh air.
“Runn’s visual UX really stood out to us - and we’d been looking at a lot of different project management systems. Honestly, it’s one of the best UXs I’ve seen for this use case.”
Not only did Runn promise the agile ‘visual factory’ that Dan had been looking for: he could also immediately see how Runn was built to work with a fully remote, internationally-distributed team - just like Chaleit’s team.
“Even on some really big SaaS platforms, you’re only just starting to see international holidays truly reflected. But Runn is already on top of that - international holidays are already there in the system.”
Did this mean their search was complete? Well, not so fast. These features made Runn an appealing contender - but this alone wouldn’t be enough.
If Chaleit was going to adopt Runn, Runn would have to be robustly secure, up to the standard that Dan would expect. And the best way to check if Runn made the cut? Chaleit was going to try to hack Runn themselves.
“I wanted my team to take it on,” says Dan. “We wanted to see if anything could be improved. So, I asked if I could talk directly to Tim [Copeland, Runn CEO] to see what we could hash out, founder to founder.”
This wouldn’t be the first time that Runn had been pen-tested. But it would be the first time it was pen-tested by a potential customer.
As is always the way with pen-testing, openness, transparency, and trust are key to a good outcome. The team whose code is being tested has to buy into the process and see the value in this kind of preemptive preparation for the worst-case scenario. And for the Runn team, this test was high-stakes in more than one way. But they embraced the opportunity.
By giving Chaleit access to everything they needed, such as prior test reports, Runn made it possible for Dan and his team to investigate rigorously and ensure that the platform met their expectations.
“The Runn team was really easy to work with. Really open, and authentic. They formed a real security trust relationship with us. And as a result, we really got what we needed in terms of our supplier due diligence.”
Thanks to this openness and collaboration, a mutually beneficial relationship was hatched. The pen-test process was valuable in more ways than one. Not only was Chaleit able to satisfy their stringent security requirements, but they also helped the Runn team find something in their code that could be tightened up.
“And once we flagged it, it was repaired super fast,” says Dan. “Fixed very cleanly, and validated very well.”
And with these fixes complete, Runn and Chaleit were ready to rock and roll.
Now the hard part was over, it was plain sailing for implementation. Chaleit’s team found Runn easy to adopt, simple to learn - and a great fit for their agile development process.
As Chaleit engages with a broad, diverse base of clients across the globe - from Silicon Valley tech companies to energy and utility providers - the team has to move fast and flexibly to fit in with often very different cadences and schedules. But, with Runn, this is made significantly simpler.
“Often it’s less about when we are available to do something for our client than it is about when the client needs us to do certain things. This means we need the ability to move things around really quickly - to bring real elasticity and flexibility within our sprints. Runn helps us do this.”
Runn has come to take a vital place at the heart of Chaleit’s project and resource management operations. In a fully-remote team, it is essential to have a unified, bird’s-eye view of the work that is ongoing, to keep track of what everyone is working on. This helps Dan understand the team’s capacity - both at present, and in the future.
“I find myself using Runn all day, every day. It’s a source of truth for our live projects, and it’s also very helpful as a scenario planning tool.”
Runn’s collaboration with Chaleit has been a real success story, with great benefits on both sides. Chaleit got the highly-visual and agile project and resource management platform that they were searching for, and we got to put our security through its paces - getting our most rigorous test yet, and making some incredibly valuable improvements along the way.
Chaleit is a business that puts sky-high standards front and center. Their entire service model is predicated on the belief that people can learn and improve, iterating continually to meet new cybersecurity threats head-on.
For this reason, Runn’s partnership with Chaleit just made sense. We also aspire always to raise the bar - to keep improving and pushing ourselves.
We are proud to be a trusted partner of Chaleit, and we look forward to continued collaboration with them - delivering security standards that stand head-and-shoulders above what users may expect from a platform as young as Runn:
“It’s clear that Runn has a busy development roadmap, but the team is still making time to do things right. They clearly take cybersecurity very seriously.”