Company Information

Mission Statement

Provide threat modeling tools and processes that allow organizations to

Corporate Overview

Amenaza Technologies is a privately held Canadian company. Incorporated in 2001, Amenaza Technologies Limited has developed the world's most advanced attack tree-based threat risk assessment tool, SecurITree®. When used with Amenaza's methodology and attack tree libraries, SecurITree allows enterprises to discover which weaknesses are most likely to be used against them by attackers. SecurITree is the solution used by Fortune 1000 companies, infrastructure providers and government agencies that have security concerns but finite resources. SecurITree provides the results needed to justify security choices to the CEO, the CFO and security practitioners. The product is equally applicable to information technology and physical security.

Executive

President - Terrance R. Ingoldsby.
VP Product Development - Christine McLellan.
VP Finance - Pat Woo.

Trustworthiness

Key Amenaza personnel have the appropriate credentials to work in many high security environments. Please contact Amenaza for more information if this is a requirement.

Amenaza: What does it mean?

"Amenaza" means "threat" or "menace" in Spanish.

History

Amenaza Technologies Limited is the result of a project to solve a problem. In 1997, an information security practitioner in Calgary, Canada had been called on to perform a threat risk assessment for a client. As with previous assignments, the analyst inspected the site, gathered information through interviews and used his experience to write a report detailing areas of concern and making recommendations for improvements. Also as in previous cases, the analyst realized that the reasoning process used to reach conclusions was not well defined and would be difficult to explain or defend. There had to be something better.

In late 1997, the security analyst, Terrance Ingoldsby, began to seriously research the methodologies and approaches used to evaluate risk. Terrance attended a presentation given by Bruce Schneier, the well known security expert, at the 1997 Computer Security Institute conference. Schneier described a novel approach for understanding threats to systems which he called "attack trees"†. It quickly became obvious that attack trees were a quantum leap ahead of traditional approaches. Unfortunately, there appeared to be no software tools available to support the modeling technique described by Schneier. Trying to build and manipulate the models manually would be a hopeless task. Disappointed, Ingoldsby returned from the conference determined to adopt the technique as soon as tools emerged.

In late 1998, Ingoldsby attended another security conference and again heard Schneier speak about attack trees. This time, Schneier also issued a plea for people to come forward and develop tools to support his idea. Not content to wait any longer, Ingoldsby organized a team of trusted specialists to do the necessary research and development to create an attack tree-based modeling tool. In late 1999, Christine McLellan joined the team and took charge of software development activities.

Although Schneier's presentations had provided a basic understanding of attack trees, many details and issues needed to be resolved. Much of the research about attack trees had taken place in classified environments (see Where did attack trees come from?). Resolving the myriad of details and issues required to build a practical attack tree analysis tool required a great deal of research on the part of the team. The first experimental version of the attack tree analysis software arrived in 2000.

Buoyed by support from a major Calgary-based energy company, in January 2001 the project members formed Amenaza Technologies Limited. Forged in the crucible of real world consulting engagements, Amenaza's product, SecurITree, is the most advanced attack tree-based risk modeling tool available today.

Amenaza Technologies Limited was incorporated in January, 2001


† Pioneering work on attack trees was done in the 1980s by the National Security Agency. One of the earliest unclassified references to attack trees is found in Edward Amoroso's 1994 book, Fundamentals of Computer Security Technology. The noted security researcher, Bruce Schneier, was involved in early attack tree research and was arguably the key player who publicized the concept and brought it out of its intelligence agency origins. One of Schneier's articles on the subject can be found at https://www.schneier.com/academic/archives/1999/12/attack_trees.html