Home  »  News 2025  »  Venky on Cybernews: Zero-Day Threats and the Dev Gap
Cyber News Indusface

Venky on Cybernews: Zero-Day Threats and the Dev Gap

Keeping sensitive data safe is tougher than ever, especially with businesses jumping into the digital world so quickly. Lots of companies find it hard to keep up with the latest threats and don’t always have the right people on hand to respond fast and effectively.

Automated security tools alone can’t address today’s complex risks. Companies need a mix of advanced tech and real expert help to keep their web apps, APIs, and cloud assets safe.

Today, we speak with Venkatesh Sundar, Founder & President, Americas at Indusface. He shares his perspective on the latest cybersecurity challenges and how businesses can stay ahead of emerging threats.

How did Indusface get started? What motivated you to build a cybersecurity company?

Indusface began with a dynamic application security testing (DAST) scanner that was later acquired by Trend Micro. While using that scanner, we kept finding application vulnerabilities such as SQL injection and cross-site scripting even after traffic had passed through a Web Application Firewall. The tools were sound; the workflow was broken. Scanner findings seldom became virtual patches, and many WAFs were set to “log only” to avoid false positives, so the same vulnerabilities stayed open.

Another major hurdle was the lack of in-house security talent. Many organizations simply didn’t have the expertise to tune WAFs, enable block mode safely, or create virtual patches without disrupting production traffic. Best practices existed, but teams struggled to implement them.

This gap led us to launch AppTrana in 2016 with a simple but powerful vision: enable risk-based protection without burdening internal teams. Every application goes into full block mode from day one. We layer continuous scanning, virtual patching, and origin-server protection guidance – backed by a fully managed service to handle all tuning and triage.

Several vendors have started offering parts of this model in recent years, yet most still make block mode optional, limiting real-world security. Our focus is unchanged – detect the risk, patch it at once, and prove the protection.

Can you explain, in simple terms, what Indusface does and who it helps?

Indusface is an application security company that protects critical web, mobile, and API applications for over 5,000 customers worldwide. We offer an AI-powered, fully managed application security platform called AppTrana that brings together attack surface management, vulnerability scanning, Web Application and API Protection, bot mitigation, DDoS protection, and real-time monitoring in one solution. What sets us apart is how we address the growing gap between rapid digital adoption and the ability to secure those assets.

Most organizations today are shipping code faster than ever before, integrating third-party APIs, and going cloud-first. However, security often struggles to keep up, as all of these create vulnerabilities from which hackers can break in. In our AppSec platform, we help our customers map the attack surface, scan for vulnerabilities, remediate vulnerabilities, and protect against DDoS & bot attacks in a single platform. As per our 2025 State of Application Security, we analyzed ~8 billion attacks on web and API apps globally. On average, each site in the sample saw nearly 7 million attacks. APIs face

d 30% more attacks than websites, and bot attacks surged by 48%. We help our customers respond to this complexity with a model that combines AI-powered insights with human verified accuracy.

Why do hackers target websites and apps, and how can Indusface help stop them?

Websites and applications are the most exposed parts of any business today. They are where customers log in, make transactions, and interact with digital services. That also makes them a prime target for attackers who want to steal data, disrupt services, commit fraud, or even just make a statement.

What makes this more complex is that the nature of attacks is constantly evolving. They go after misconfigured APIs, attempt credential stuffing with stolen passwords, use bots to bypass traditional defenses, and exploit vulnerabilities including zero-days. In fact, studies found that 60% breaches happen through vulnerabilities for which patches exist.

At Indusface, we help businesses stay ahead of these threats by providing 24/7 protection. Our platform constantly scans for vulnerabilities, applies instant virtual patches, monitors traffic patterns, and blocks suspicious activity in real time. And because we combine machine intelligence with expert human oversight, our customers get protection that is accurate, adaptive, and always on.

Have you seen any new types of cyber threats recently that people should know about?

Yes, absolutely. One of the most significant shifts we have seen is the dramatic rise in attacks on APIs. As businesses rely more on APIs to power their apps and services, attackers are following suit. In fact, APIs are now facing more attacks than traditional websites in many cases.

Another trend is the rise of highly sophisticated bots. These bots are no longer basic scripts. They can mimic human behavior, bypass CAPTCHA, and operate across distributed networks to avoid detection. We’ve seen them being used for credential stuffing, scraping, and other brute-force attacks.

And, of course, zero-day vulnerabilities continue to be a major concern. Threat actors are exploiting them faster than ever before. In fact, for a zero-day vulnerability disclosed late May 2025, we saw and blocked 46,000+ exploit attempts just in June on our platform. This makes virtual patching and real-time threat detection critical because waiting for a fix from the development team could take days or even weeks.

What are some basic things companies can do right now to stay safer online?

Here are a few essential steps that every business, regardless of size, should consider:

  • Gain full visibility into your attack surfaceStart by identifying all the web applications, APIs, cloud services, and third-party integrations that are exposed to the internet. You can’t secure what you don’t know exists.
  • Make vulnerability scanning a continuous processWith fast-paced development cycles, annual or quarterly security assessments are no longer enough. Integrate scanning into your DevOps workflow to catch vulnerabilities early.
  • Use virtual patching for immediate protectionIf a vulnerability is discovered, don’t wait for development cycles to fix it. Virtual patching can shield the application instantly until a permanent patch is deployed.
  • Implement bot mitigation and DDoS protectionThese are some of the most common attack types today. Without proper defenses, your applications could be overwhelmed or exploited by malicious automation.
  • Partner with a managed security service providerPerhaps most importantly, don’t try to do everything in-house. A trusted security partner can bring the expertise, monitoring, and rapid response that internal teams may lack, especially during an active threat.

Many businesses are moving to the cloud. What security risks come with that move?

The move to the cloud brings a lot of flexibility and scalability, but it also introduces new risks. One common issue is misconfigured cloud services, which can leave sensitive data exposed to the internet without anyone realizing it. Another one we recently found is that developers hardcode secrets such as API keys and tokens. These provide a red-carpet welcome for hackers to infiltrate into the whole network.

There’s also a tendency to assume that the cloud provider is taking care of security, which isn’t always the case. While providers secure the infrastructure, application-level security is still the responsibility of the business.

At Indusface, we help by providing protection at the application layer, regardless of where it is hosted. Our platform monitors and protects cloud-native applications and APIs continuously, applying security policies, blocking malicious traffic, and giving customers a clear view of what’s happening in real time.

What common mistakes do companies make when trying to protect customer data?

One of the biggest mistakes is treating compliance as a checkbox rather than a security baseline. Just being compliant doesn’t mean you’re secure. Another common issue is delayed patching. We see that almost one-third of critical CVSS vulnerabilities remain unpatched for 6+ months, creating an open door for attackers.

Companies also tend to underestimate the complexity of their digital environments. With so many APIs, integrations, and third-party tools in use, it becomes difficult to track what’s exposed and what needs protection.

At Indusface, we help customers avoid these pitfalls by offering automated discovery of exposed assets, continuous vulnerability scanning and PTaaS, virtual patching, and a 24/7 AppSec SOC. We also work closely with their internal teams right from onboarding, where we tweak policies as per their app configuration to false positive testing and removal during ongoing maintenance.

How important are API and third-party security, and how does Indusface help with that?

API security is critical today. APIs power modern applications, but they are also often the least understood and least protected. Many organizations don’t even have a complete inventory of their APIs, let alone the visibility to monitor them in real time.

Third-party services, whether they’re embedded widgets, analytics tools, or SaaS integrations, also introduce risks. If one of those gets compromised, it could become a backdoor into your system.

Indusface addresses this in several ways. For JavaScript libraries that are included in the code base, we offer client-side protection to ensure that only trusted JS files run in the browser. Any malicious tampering to the JavaScript files is blocked automatically by preventing them from running. For third-party components such as open-source modules, our DAST scanners look for vulnerabilities. Coming to APIs, we offer the full range from discovery to scanning to protection in one platform. All of this is backed by 24/7 monitoring from our security experts.

And finally, what’s next for Indusface? Are you working on anything exciting for the future?

Our focus is on scaling responsibly without losing the agility or depth that customers value. We are expanding our global footprint, particularly in North America and the Middle East, where demand for managed security is rising sharply. We are also investing heavily in improving and extending AI across the platform, enhancing capabilities such as vulnerability scanning, crawling, threat intelligence, zero-day research, behavioral and anomaly modeling, and false-positive monitoring.

We already collaborate with more than 200 partners worldwide, including systems integrators (SIs), value-added resellers (VARs), managed security service providers (MSSPs), and managed service providers (MSPs). We continue to invest in growing this network. This allows us to deliver support locally, while maintaining centralized efficiency. Our managed-first model also scales well. The more we automate intelligently, the more customers we can support without compromising quality.

Read More…

Indusface
Indusface

Indusface is a leading application security SaaS company that secures critical Web, Mobile, and API applications of 5000+ global customers using its award-winning fully managed platform that integrates web application scanner, web application firewall, DDoS & BOT Mitigation, CDN, and threat intelligence engine.

Join 47000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.