On the Brinqa of Risk Intelligence

Eight years old, privately funded, and profitable, the Austin-based Brinqa has confidently managed to carve out a slice of the security analytics sector, thanks to their flagship product – the Brinqa Risk Platform.

Brinqa was founded in 2008 by Amad Fida and Hilda Perez. The founders have a track record of launching enterprise infosec products. Amad previously co-founded Vaau – an identity-compliance and role-management software service – which was acquired for an undisclosed sum in 2007 by Sun Microsystems. Hilda held leadership positions at identity management provider Waveset Technologies and later at Sun Microsystems, which acquired it in 2003.

At its core, Brinqa’s offering is a data modelling, computation and visualization platform. It can model risk, identify gaps and threats, create remediation workflows, issue alerts, and create reports. Its strength lies in the emphasis it places on system interoperability, and the way it represents threats.

The Brinqa Risk Platform can connect with a wealth of data sources. These include the usual IDS and IPS products, as well as most vulnerability management and threat intelligence services. It can also interact with Configuration Management Databases (CMDBs) like ServiceNow and Atrium, as well as Active Directory, Workday, Jira, ServiceNow, and Remedy.

If connectivity for a certain product isn’t available, it can be added through the built-in API.

This strategy means that the Brinqa Risk Platform can work with most enterprise-level security and management systems without the need for a significant amount of configuration. There’s no need to change or replace infrastructure just to use it.

The Brinqa Risk Platform is also highly adept at representing risk. One of the primary applications of the platform is the Brinqa Vulnerability Risk Rating Model, which gives each vulnerability its own risk score. The higher the score, the larger the threat to the organization.

This score is calculated through an algorithm which takes into account a number of factors, including the normalized CVSS score, public and private exploitability factors, business context factors, and more.

Resolving security vulnerabilities in organizations with large IT infrastructure is incredibly taxing on resources, and requires careful management. In addition to allowing organizations to better prioritize the remediation of vulnerabilities, the Brinqa Risk Platform also includes a number of security-oriented project management tools.

The system can consolidate information on the threat from public sources, augmenting vulnerability data with threat intelligence. The Brinqa Risk Platform then offers a path to remediation, by creating tickets and assigning ownership to internal IT assets, which are tracked through KPIs, KRIs, and other metrics.

Brinqa’s pricing model is hardly exotic. It’s based on the sale of annual licenses, with the cost scaling in accordance with the number of tiered assets that are deployed. This allows customers to scale it in accordance with their needs and their budget.

The licenses themselves are sold as annual subscriptions. Both on-site and SaaS deployments cost the same. According to Brinqa, 70% of sales are made directly, with the other 30% being made through channels.

Breaking The Fourth Wall

The Brinqa Risk Platform shows a lot of promise. As the company and the product go from strength to strength, you can guarantee their profile will grow in the increasingly competitive security monitoring market.

The biggest strength of the platform is the emphasis it places on business risk intelligence. Vulnerabilities and threats are related to organizational and business risks, and are presented in a way that’s clear and understandable to both technical and non-technical staff.

We also feel that there’s a potential for Brinqa to pivot and enter the wider security operations, analytics and reporting space. As previously mentioned, the Brinqa Risk Platform collects a wealth of information from other security monitoring systems. It can even interact with IBM’s z/OS mainframes.

With this amount of data being collected, there’s a potential for Brinqa to create products that provide monitoring and management of security systems and perform a number of remediation actions using automated processes.

As previously mentioned, Brinqa’s revenue model is based on the sale of licenses. This model can be hard to scale without significant investments in sales and marketing. We believe that the firm could benefit from embarking on partnerships with MSPs and consultancies.

An added bonus is that it would help the firm to differentiate the Brinqa Risk Platform from the other GRC (Governance, risk management, and compliance) and analytics vendors on the market.