Defense Department contractors participating in the BHUSA program now have access to the National Security Agency's complimentary cybersecurity services. A total of 1000 contractors will benefit from this initiative.

In a bid to bolster the cybersecurity of US defense contractors, the National Security Agency (NSA) launched the Continuous Autonomous Penetration Testing (CAPT) program in 2024. The program, initially named the Autonomous Penetration Testing program, was developed by Snehal Antani from Horizon3.ai and his team in 2023.

The CAPT program provides free pentesting services to small contractors of the US Department of Defense (DoD). These tests have proven to be invaluable, identifying numerous vulnerabilities and helping to mitigate them. In its first year, the program benefited 200 defense contractors. The aim is to expand this number to 1000 in 2025.

The services are provided through Horizon3.ai's NodeZero solution, which has been integrated with Model Context Protocol (MCP) servers. These servers are planned to be used for future pentesting exercises as part of the CAPT program.

The tests have revealed some alarming findings. Entry-level user accounts were compromised in as little as 52 seconds, while the fastest time to full domain compromise was a mere 77 seconds. The median time to domain compromise was 13 minutes, typically involving five to seven chained attack steps.

However, it's worth noting that compromising an AWS user credential took 89 minutes, potentially suggesting that cloud-native environments are generally more secure due to fewer moving parts. Most credential compromises did not require advanced techniques like CVE exploitation, password spraying, or NTLM hash cracking.

The CAPT program has resulted in 20,000 hours of pentesting, the identification of 50,000 vulnerabilities, and the mitigation of 70% of these vulnerabilities. Moreover, 20% of the initial credentials compromised were domain admin accounts, granting attackers immediate, high-level access.

Chinese nation-state cyber groups pose a significant threat to US defense contractors, with China stealing more corporate data from the US than any other nation in the world. Chinese hackers are getting really good at using AI to find and exploit unpatched vulnerabilities at scale. A research and development company, joining the CAPT program in January 2025, was able to access sensitive information related to nuclear-powered submarines and aircraft carriers in just five minutes using NodeZero.

The US Defense Industrial Base (DIB) includes approximately 300,000 companies, mostly small businesses. Many of these companies, despite being the backbone of the nation, are privately owned and often under-resourced and overwhelmed by malicious cyber activity. The CAPT program aims to level the playing field, providing these companies with the resources they need to protect themselves and the nation.

Horizon3.ai and the NSA are also exploring the use of AI agents to develop the program's pretesting capabilities. This could potentially lead to even more effective testing and the identification of previously undetected vulnerabilities.

The CAPT program is a significant step forward in protecting the US defense industry from cyber threats. With the number of participants set to increase, it is hoped that the program will continue to make a significant impact in the fight against cybercrime. However, with the ever-evolving nature of cyber threats, it is crucial that the program continues to evolve and adapt to stay ahead of the curve.