Today we’re chatting with Santiago Rosenblatt, CEO and founder of Strike, a platform that’s shaking up penetration testing (pentesting) and transforming how companies detect and fix security vulnerabilities. Santiago’s curiosity for hacking started when he was just six, as he discovered vulnerabilities in video games and online platforms. At fourteen, he made a discovery that made him think deeply: a glitch in a marketplace allowed him to purchase electronic devices by only paying the shipping cost. Finding this glitch was a turning point that led Santiago to pursue ethical cybersecurity, and since then he has built ways to protect rather than exploit.
He moved into professional cybersecurity, working with big companies across Europe and Latin America before becoming the first cybersecurity specialist at PedidosYa, South America’s largest delivery platform. At PedidosYa, Santiago was essential in building a cybersecurity culture from scratch, safeguarding the data of 30 million users across 15 countries. With this experience and vision, he now leads Strike, a platform revolutionizing pentesting (penetration testing, which assesses potential cybersecurity vulnerabilities in a system and determines the extent of those vulnerabilities) so companies can detect and fix vulnerabilities faster and more efficiently.
How did you come up with the idea for Strike, and what specific cybersecurity problems were you trying to solve?
When I returned to Uruguay in the middle of the pandemic after getting offers from Amazon and Facebook, I noticed a major problem in Silicon Valley, European, and Latin American companies: they were investing in offensive cybersecurity but not achieving the expected protection. Attack speeds were outpacing company response times, and cybercriminals were exploiting vulnerabilities before companies even knew they existed.
This pushed me to find a better solution. Between 2020 and 2021, I met weekly with CISOs and CTOs to understand their challenges. I confirmed that traditional pentesting was costly, slow, and inefficient: a single analysis could cost $30,000 USD and take up to three months to report vulnerabilities, leaving companies exposed. We created Strike to change that, accelerating vulnerability detection, making it continuous, delivering faster results, and providing clear, real-time communication.
Why is cybersecurity so crucial today, and what’s the state of the industry in Latin America? What challenges and opportunities do you see in the region?
The pandemic accelerated the digitalization of many companies, exposing them to cybersecurity risks they weren’t always ready to handle. Today, any company, large or small, can be a target for cyberattacks—60% of SMBs in the US had incidents last year—and security incidents have increased by up to 600% since the pandemic. Cybersecurity isn’t just for big corporations anymore; any business operating online needs to secure its systems to protect its continuity and build user trust.
In regulated sectors like finance and healthcare, security requirements are even stricter and require constant audits, like PCI in finance and HIPAA in health, as well as certifications like SOC 2 or ISO 27001 in the US and European markets.
Companies that handle sensitive data or constantly roll out new features and products also need protection to prevent breaches. A cybersecurity incident can lead to not only legal penalties but also a loss of user trust, and customers will often move to safer platforms after an incident. In Latin America, while cybersecurity is growing, the sector still faces challenges like lack of awareness and talent shortages. However, these challenges present a big opportunity for solutions like Strike to raise security standards and help companies reduce vulnerabilities.
What’s the market size for cybersecurity, and who are your ideal clients?
We estimate a $25 billion market that could quadruple by the end of the decade, reaching $94 billion. While Strike is industry-agnostic, we focus on highly regulated sectors—tech, finance, and healthcare companies that employ between 500 and 5,000 people. In the United States alone, at least 132,000 companies could benefit from our solution, and that’s just within our “sweet spot.” We also work with companies outside this profile, like Telefónica and Johnstone Supply, who’ve had excellent results with our solution.
Our clients include companies like Mercado Libre, Delivery Hero, and OLX in tech; Banco Santander, Clip, and AstroPay in finance; and Planned Parenthood and Thirty Madison in healthcare. About 70% of our clients come from the financial sector. The main users of our platform are Heads of Application Security, Offensive Security Leads, Principal/Senior Security Engineers, and CISOs, the security team leaders within these financial institutions. With Strike, we speed up pentesting, reducing detection time for vulnerabilities from weeks to seconds, with three times more critical findings, providing a robust and effective solution at a fraction of the traditional cost.
How does the Strike platform work, and what makes it different from traditional pentesting?
Our pentesting platform is fully self-service, allowing companies to sign up and, on average, be ready to launch a pentest in about 8 hours. In some cases, it takes just 2 hours. The setup is very flexible: the customer chooses the type of pentest (white, gray, or black box; for web, mobile, infrastructure, etc.) and can add details like credentials or flow diagrams. Once ready, with one click, the pentest begins, and within less than 5 hours, our “Strikers”—ethical hackers worldwide—start reporting vulnerabilities.
The platform lets you manage multiple pentests simultaneously and monitor vulnerabilities, and we have options so you can compare against industry averages for resolution time. It can also centralize vulnerabilities from other sources, like internal teams or external tools, and offers custom PDF reports for compliance. This turns pentesting into a continuous, precise, and fast process, eliminating the delays and high costs of the traditional method.
For companies with between 1 and 100 employees, we offer an automated Scans product designed to scan for vulnerabilities in web, API, and cloud environments. This product is ideal for companies looking for continuous monitoring and compliance with standards like SOC 2, ISO 21001, or HIPAA, providing automated yet effective coverage. The Automated Scans run continuously and generate the necessary reports for compliance audits within just 24 hours, offering a fast and reliable solution to keep our clients’ security up to date.
You offer a 50% money-back guarantee if no vulnerabilities are found within a certain timeframe, right?
That’s right; our promise is simple: if, within the first three months, we don’t find any medium, high, or critical vulnerabilities, we’ll refund 50% of the cost. However, we’ve never had to issue that refund. We always find significant vulnerabilities, especially critical ones, in 98% of the companies we work with, from finance to cybersecurity firms, highlighting the effectiveness of our approach.
We also offer proof-of-concept trials for some strategic clients with a specific scope. The results have been outstanding: around 90% of companies that try our platform end up becoming clients, which speaks to the impact and trust we build in each collaboration.
Strike works with some of the best ethical hackers in the world. How do you recruit and vet these Strikers, and what criteria are essential to ensure service quality?
At Strike, we work with some of the best ethical hackers worldwide, and our selection process is rigorous. We start by verifying that candidates have been recognized in the Hall of Fame of Fortune 500 companies and hold advanced certifications like OSCP and OSCE. We also reach out to our industry contacts for references and conduct a practical cybersecurity skills test. After passing this process, candidates undergo a background check and sign an NDA to officially join the team.
To ensure quality, we use a data-driven monitoring system that evaluates key metrics, such as speed and accuracy in identifying vulnerabilities. This allows us to fine-tune and optimize each Striker’s project assignments, ensuring that our product maintains a high standard of effectiveness and security.
What is your main role as CEO, and which strategic areas do you focus on?
As CEO, my main responsibilities are to make sure the company’s vision is clear for everyone, both in the short and long term, and that the entire team understands where we’re headed. I also handle cash availability, either through sales or fundraising, to ensure we have the resources to keep moving forward. Another essential part is the team: without a committed, talented team, you can’t develop the product or drive the company’s vision.
On a personal level, I also make it a point to show the importance of balancing work with time for other meaningful activities. Even though work is demanding, I believe in setting aside time for personal interests, hobbies, or spending time with friends and family, which I usually do between 6 a.m. and 9 a.m. This balance is crucial for staying focused and performing at your best.
What’s next for Strike in the coming 12 months?
Over the next 12 months, we’ll keep evolving and expanding at Strike. We’re currently in the process of fundraising and collaborating with MIT to automate the entire pentesting process. This year, our focus is on automating vulnerability detection and verification, allowing clients to instantly confirm if their implemented fixes work without human intervention. We’re also integrating our system into CI/CD workflows, so any changes in a repository automatically trigger a pentest.
On the expansion side, we’re still committed to LATAM, but we’re betting on the United States as a key market in 2025, with our team establishing roots in New York. The next 12 months will be crucial for solidifying our presence in the US, continuing our growth in LATAM, and constantly innovating our product.