InRed Labs: Nepali Startup Strengthening Security by Simulating Cyber Attacks
Bhadau 4, 2082 12:2
Kathmandu: Cyber attacks are on the rise globally. In some countries, they emerge internally, while in others their impact is tied to conflicts between nations. Such attacks have become common in disputes like Russia–Ukraine, India–Pakistan, and Israel–Palestine.
Nepal, too, faces high cyber risk. As the digital landscape expands rapidly, the debate around cybersecurity has grown equally complex. Every year, banks, financial institutions, government agencies, and private companies spend millions on audits and security testing. Yet, incidents of data theft and hacking continue.
In response to this reality, a company called InRed Labs has entered the Nepali market with a new idea, challenging the traditional concept of security. With the motto “Defense by Offense”, it aims to establish its own identity.

The company’s co-founder and CEO, Sushil Phuyal, calls the traditional approach to security “reactive.” “When something is stolen and you search CCTV footage and investigate, that is reactive security, it’s only a response after the incident,” he explained. “We believe in proactive security. That means identifying all possible ways an item could be stolen and closing those weaknesses in advance. InRed Labs is a ‘proactive defense’ company built on this principle.”
In cybersecurity, the word “red” refers to red teaming, the offensive side of security. Phuyal says the company was named InRed Labs to reflect its focus on this approach in Nepal.
How was InRed Labs born?
Many companies are already active in Nepal’s cybersecurity market, mostly offering Vulnerability Assessment and Penetration Testing (VAPT) and IS Audits. But despite these services, frequent hacking incidents persist. According to Phuyal, InRed Labs was born while searching for an answer to this gap.
“We saw a big gap in the market. Everyone was auditing only technology and process,” he recalled. “But the weakest and most common entry point for hackers is people and that was being ignored.”
He added, “No matter how strong your technology is, if an employee clicks on a phishing email, the whole system is at risk. We started InRed Labs to integrate testing of people, processes, and technology together.”
A real hacker doesn’t follow rules or limited scopes. Attacks don’t always come through software; they can involve deceiving employees, using social engineering, or even physically entering an office.
“Imagine if I walked into a bank branch and took away a computer by simply saying, ‘I came from the head office to repair it.’ Isn’t that a hack?” Phuyal asked. “Traditional testing never evaluates such risks. Our Red Team service simulates these real-life scenarios, which very few firms in Nepal currently do.”
Challenging the traditional process
According to Phuyal, InRed Labs has not only changed the security approach but also the working process. Traditionally, after a test, firms prepare a detailed report and submit it to the client. The client then spends months fixing vulnerabilities before re-testing, making it a long and costly cycle.
“We don’t believe in this old reporting concept,” said Phuyal. “If we find a vulnerability today, we report it today through a platform like GitLab. That way, the client’s development team can start fixing the problem even before our testing is complete. This streamlined process saves clients up to 50 percent of their time and costs.”
Desire to build a culture of cybersecurity
Phuyal says InRed Labs is not just a service provider; it is also campaigning to build a culture of cybersecurity in Nepal. “Cybersecurity is often made to seem scary and complicated, which makes people avoid it,” he explained. “We want to break that perception. From our website to the podcasts we produce, we’ve made everything simple and engaging, so even non-technical people can understand its importance.”
The company recently launched Nepal’s first cybersecurity-focused podcast, bringing together government officials, police, researchers, hackers, and bankers to discuss problems and solutions. “When a system is hacked, the hacker’s perspective is rarely considered,” Phuyal said. “We want to uncover why the hack happened, what the goal was, and share that side too.”
InRed Labs also plans to use short, creative videos to explain technical topics like VPNs and public WiFi in simple, everyday language featuring ordinary people rather than experts. “This helps common people see their own problems reflected and find solutions,” he added.
What services does InRed Labs provide?
InRed Labs provides a range of services to secure the digital assets of private companies, government agencies, and other organizations.
- Penetration Testing (VAPT)
  This is the process of simulating an attack by a real hacker on a company's system, network, or application to identify vulnerabilities, misconfigurations, and security flaws. After this test, a detailed report is provided along with suggestions on how to fix the vulnerabilities. This includes the following services:
  - Web Application VAPT: Testing the client's website or web app according to criteria such as OWASP Top 10 to identify vulnerabilities.
  - Mobile Application VAPT: Testing potential attacks on Android and iOS applications.
  - Network and System VAPT: Testing the security of servers, computers, firewalls, and other network devices.
  - CMS Security Testing: Assessing the security of plugins, themes, and core files of websites running on CMS platforms such as WordPress or Joomla.
  - Cloud Security Assessment: Evaluating how secure the client’s data and systems are on cloud platforms such as AWS, Azure, and GCP.
- Red Teaming
  The purpose of Red Teaming is to go a step beyond traditional testing and challenge the company’s overall security system without any rules, simulating the approach of a real hacker. Rather than testing only technology, multi-pronged attacks are executed, such as sending phishing emails to employees, employing social engineering tactics, or physically entering the company to gain access. This exposes hidden weaknesses across the company’s people, processes, and technology.
- Cyber Security Awareness Training
  InRed Labs provides employees, considered the weakest link in any organization, with the knowledge and skills required to withstand cyber attacks. This training includes practical sessions on recognizing phishing emails, understanding the importance of strong passwords, and safe Internet usage. These measures help minimize risks caused by human error, Phuyal says.
- Source Code Review
  Source code review involves identifying hidden security vulnerabilities in the programming code behind any software or application. By examining the code before the software is deployed, major attacks can be prevented in the future. This is one of the key services provided by InRed Labs.
- Dark Web Monitoring
  Dark Web Monitoring is a service that continuously scans the dark web to check if any confidential information, employee or customer data, or passwords of the client company are being sold. If anything is detected, InRed Labs immediately notifies the client and helps prevent potential threats, says CEO Phuyal.
- Incident Response
  ‘Incident Response’ is another service offered by InRed Labs. If a cyber attack occurs at a client’s company, the team immediately takes action to minimize damage, stop the attack, and restore the system to a secure state. This service also includes analyzing the incident and providing recommendations to prevent similar attacks in the future.
- IS Audit
  An IS audit examines whether a company’s information technology systems, policies, and procedures comply with national and international standards, such as ISO. This protects clients from regulatory issues while ensuring that systems are secure and manageable.
- Attack Surface Management
  Attack Surface Management involves continuous monitoring of websites, servers, and online devices to identify potential attack surfaces that hackers could exploit. This process also helps detect risks in systems that the company may be unaware of or may have overlooked.
- ISO 27001 Ready Assessment
  An ISO Ready Assessment helps companies prepare for certification to ISO 27001, the global standard for information security. It evaluates the company’s current situation and provides a detailed roadmap outlining the improvements required to meet the standard.
- Cyber Security Consulting
  InRed Labs provides expert guidance and services to develop cybersecurity strategies, conduct risk assessments, and build robust security frameworks tailored to the needs of any business.
All these services collectively help strengthen the overall security of any organization.
Challenges, future plans, and national goals
Currently operating with a team of 15, InRed Labs has already collaborated with platforms like Karobar App, Digital Edge Nepal, and Locomotive. “Manpower shortage is always a challenge, but once people join us, they stay long-term,” said Phuyal. “The bigger challenge is winning customer trust.”
In Nepal, cybersecurity is often seen as an expense rather than an investment. This mindset, Phuyal says, makes awareness crucial. “We’re trying to change that perception through our awareness campaign. Trust takes time to build, but it is growing systematically,” he added.
With its services and campaigns, InRed Labs aims to raise Nepal’s position in the Global Cybersecurity Index. “Strong national cybersecurity is essential for attracting foreign investment and opportunities,” Phuyal emphasized. “Every step we take indirectly contributes to the country’s progress.”
To build trust, the company is even offering free trial services for new customers. “First see our work, understand its effectiveness, then decide,” said Phuyal. Interested companies or individuals can contact 9709191900 to collaborate.
Last updated: Bhadau 4, 2082 12:2
