25 Years of SySS – We Are Celebrating Our Anniversary!

13.06.2023 – News Building SySS

A look back at the company's history, challenges, changes and constants

From innovator to market leader

It has been a quarter of a century since Managing Director Sebastian Schreiber founded SySS GmbH in Tübingen in June 1998 – it is definitely worth looking back at an eventful 25 years!

But first back to the beginning: In the midst of studying computer science at Eberhard Karls University Tübingen, Sebastian Schreiber had already laid the foundations for his company. As an independent IT consultant, he worked for HP, IBM and Wüstenrot-Bausparkasse and, in addition to other IT activities, carried out the first penetration tests (in short: pentests) in the company's history on his own – but not for long. Even before successfully completing his studies as a computer scientist, he hired the first SySS employees: among others support for invoice management and, in 2002, one of the first IT security experts – Senior Expert IT Security Consultant Micha Borrmann, who still works at SySS today and carries out pentests.

In addition to penetration tests, for which there was hardly any demand at first, SySS primarily offered system administrator services in its first years. While the IT landscape had not yet been familiar with this form of security checks back then, there was a high demand for the transfer of IT expertise. Sebastian Schreiber recognized this early on and created hacking training courses, which have been very popular ever since. Even at this time, the workshops were characterized by the practice-oriented transfer of inside knowledge to employees of various companies. However, the initial reluctance of the market with regard to penetration testing should change significantly over time and penetration testing became increasingly established as an independent service, by 2002 at the latest. Simulated cyberattacks grew – and are growing – together with pentest market leader SySS. “I hope that we can continue to create value with our employees and our customers, prevent threats and make the world a bit more secure”, says Sebastian Schreiber.

While many things in the (IT) world have changed – sometimes rapidly – since 1998, SySS is constantly adapting, keeping its finger on the pulse of the time and yet always true to itself. Even today, SySS, as its main business, still primarily performs pentests of the highest quality. Moreover, penetration tests are probably more existentially important today than ever before! In addition to simulated hacker attacks and training, SySS also offers other security-related services, such as red teaming, digital forensics and incident response, technical consulting and live hacking. It thus covers the largest possible area of cybersecurity for its customers and offers professional advice in all IT security situations where IT security experts have had the opportunity to draw on an enormous wealth of experience for at least 25 years.

As of June 2023, SySS currently employs over 160 people. The company's headquarters have always been located in Tübingen. They have already been at various locations there, and since 2017 SySS is situated at Schaffhausenstraße 77. However, it is not only the liver that grows according to her challenges, but also SySS: Sebastian Schreiber founded the subsidiary SySS Cyber Security in Vienna in 2018 and opened the first of the two branches in Frankfurt on the Main. A year later, he founded the Munich SySS branch, just in time for the beginning of Oktoberfest, which is traditionally a festive time in the Bavarian state capital.

Further details on the spatial and personnel development of SySS can be found in our blog article on the 20^th anniversary; and for those who love numbers, here are some hard but no less exciting facts and statistics in compact form.

SySS in numbers

Oct. 2017: 100 SySS employees
Sept. 2022: 150 SySS employees
7 SySS focus teams: SAP, Windows, Digital Forensics and Incident Response, Hardware, Cloud, Red Teaming, and Mobile
Number of projects carried out:
- Pentests: > 8.500
- Digital forensics and incident response: > 600
- Red teaming: > 200
- Technical consulting: > 150
Published advisories: > 250
Events/fairs/conferences: > 70 appearances
Media appearances: countless interviews, articles and expert surveys in print, radio and television

Challenges and SySS solutions

SySS is always “right in the center, not just on the outskirts” – even in the turbulent last few years when there has been a constantly growing threat to the IT security situation. On the one hand, SySS provides timely information about relevant events in the IT world, and on the other hand, it provides advice, expert opinions and suggestions for mitigating vulnerabilities that are regularly and (too often) successfully exploited by malicious hackers. In the following, you will both get an insight into specific incidents that happened in the recent past and into the way SySS has implemented many dynamic ideas to somewhat improve the IT world as well as the non-IT world.

In 2020, among other things, there were a number of attacks on the healthcare sector and data leaks (disclosure of sensitive intimate data) with ransom demands. In addition to more frequent cyberattacks on large tech companies, the annual losses from hacker attacks would exceed the 220 billion Euro mark by 2021 at the latest. In the same year, the two critical security vulnerabilities “Hafnium” and “Log4Shell” also occurred. SySS responded promptly to the former, a critical security vulnerability in Microsoft's Exchange Server, with a detailed situation report and recommendations for mitigation. In its context tens of thousands of systems worldwide were hacked. In addition, the IT security experts offered a Hafnium consultation where customers could have their individual questions answered. Log4Shell has affected the widely used Java library “Log4j”, whereupon SySS offered concerned users a free Q&A via Zoom with several consultants who had worked through the most important technical details and provided specific recommendations to offer direct assistance.

Then there was corona ...
... and nothing was the same as before! Even beyond the field of IT security there were major changes and a rethinking of dynamics in the working and private environment. Creative ideas and solutions had to be sought and found! In this way, SySS adapted to the new circumstances after a very short time and introduced new processes to everyday pentesting. In the age of physical distancing, penetration tests were from then on carried out remotely using the so-called pentest box. The pentest box consists of a laptop sent by mail, thus allowing SySS consultants to cover the same scenarios as when performing an on-site test. In addition, video conferencing and home offices were expanded further in order to meet the new challenges. Besides, SySS also offered its customers pentests of their increasingly widespread home office solutions. SySS is also proud that it supported companies and volunteers sustaining public welfare with free pentests and that it offered vaccination appointments through pro-bono campaigns. In Winter 2021 alone, more than 1.500 corona vaccinations were given on the SySS site, where a magician sweetened the waiting time for the little ones and after the jab, following a good old tradition, grill master Sebastian Schreiber himself was at the barbecue.

But back to IT security: The severity of cyberincidents increased significantly in 2022: The district of Bitterfeld-Anhalt spoke about a case of cyberdisaster, and cyberwar is increasingly being discussed (especially in the context of the war against Ukraine). Private individuals were also attacked more frequently than ever before, for example via social engineering fraud attempts in which bank details are obtained, or via Trojans, which are still too often successful for attackers.

In order to even better counteract cybercrime via e-mail phishing, crypto ransomware, etc., SySS has significantly expanded its Red Teaming and Digital Forensics and Incident Response (DFIR) departments in recent years. The red teaming and DFIR specialists help customers not only to take technical security measures, but also to strengthen employee awareness. In addition, the red team simulates targeted attacks against corporate networks from an external perspective and checks the building security of companies. The DFIR team, on the other hand, spontaneously assists affected companies with acute IT security incidents by collecting data that can be used in court and by investigating and recovering these incidents.

At the end of 2022, however, a completely different technological milestone came to pass: Chatbots such as ChatGPT are revolutionizing everyone's perspective when it comes to artificial intelligence (AI). In addition to poetry and historical treatises, ChatGPT can also write program code. Is this new form of AI, with the ability for the first time to recognize and process complex issues and relationships, also able to carry out penetration tests in the future? Sebastian Schreiber is convinced that high-quality pentests will definitely remain in human hands even in the near future. In any case, as before, SySS keeps the ball rolling when it comes to future technical innovations – both in IT security and in other areas of the ever-growing digital world. Not only that, according to the award from the business magazine “brand eins” in collaboration with the statistics portal “statista”, SySS is one of the “Best IT Service Providers 2022" – because when you think of IT security, you think of SySS!

Research and knowledge transfer – SySSyphean work?!

A thirst for knowledge and the urge to explore new things have always been an intrinsic motivation at SySS. Starting with the hacking workshops already mentioned earlier, to today's comprehensive range of training courses, which include different topics, target groups and a wide range of IT security experts. Just as SySS takes on the perspective of a hacker during pentests, so can training participants. As a result, things having been learned in theory immediately become clear in practice. Thus, they do not end in classic Sisyphean work which only concentrates on the constant arms race between (digital) attackers and defenders. The choice of workshops ranges from basic hacking knowledge and tailor-made attacks on web applications or Windows networks to digital forensics, phishing awareness and IT law workshops. It is vitally important for SySS to cover a very wide range of topics, so that people with different backgrounds and levels of knowledge find courses meeting their interest!

In addition, SySS proudly supports young researchers (to be) in projects related to science and technology and is fully committed to the “Jugend forscht” project as a sponsoring company. SySS is also happy to support everybody thirsting for knowledge with the ambition to learn more about IT security. From internships for students via assistance in writing theses to dual studies, SySS is happy to share its many years of knowledge with anyone interested in IT security.

The IT security consultants at SySS are, of course, always on a research course themselves in the ocean of the rapidly developing digital world. Among other things, they regularly publish security advisories on security vulnerabilities in commercial products. In addition, SySS launched the SySS Tech Blog in June 2021 to share the latest findings in IT security and to present new, self-programmed tools to the international tech community. Further technical articles and talks, which were given at various IT security conferences, can be found in the SySS Pentest Library. Moreover, SySS also publishes descriptive videos on its YouTube channel “SySS Pentest TV” about identified vulnerabilities, hacking tools and – most recently – basic IT knowledge.

The internal research drive is supported and promoted by the SySS-internal Research & Development (R&D) department, which was established in 2013, now looking back at ten years of hands-on experience and over 250 projects. In this way, SySS invests in knowledge transfer and research in order to continually and actively contribute to progress in IT security. Thus, SySS is aware of all current topics and anticipates the future development of the industry. However, this is not only useful for increasing quality and efficiency within the company itself, but the expertise gained in this way is often beneficial to the general public. No wonder that Sebastian Schreiber and other SySS consultants are welcome guests on the radio and television as well as in print media when it comes to cybersecurity or IT news.

But now let us say cheers to the next 25 years of SySS!