SANTA CLARA, CALIF. — December 8, 2003 — Sanctum, Inc., the leader in automated Web application security firewall and testing solutions, today announced the general availability of AppScan� QA 4.0 for Mercury TestDirector 8.0 through a technology partnership with Mercury Interactive Corporation (Nasdaq: MERQ). AppScan QA for Mercury TestDirector delivers an integrated testing platform to QA organizations to make Web application security testing an easy part of the daily QA process. Integrating AppScan QA with TestDirector provides QA engineers the ability to centrally manage and run all aspects of Web application testing-functionality, load and security-from a single environment, providing customers with a lower total cost of operation, reduced business risk and accelerated delivery of secure applications.

"The most effective way for enterprises to become more secure is to buy and build software that is more secure. Integrating security testing into development, QA and testing needs to be considered standard due diligence to prevent identity theft, cyber crime and business system downtime," said John Pescatore, vice president and research fellow at Gartner, Inc.

"Integrating AppScan QA with the leading global test management solution follows through on Sanctum's ongoing commitment to building alliances that deliver comprehensive integrated security testing within familiar application development and testing environments," said Peggy Weigle, CEO of Sanctum, Inc. "AppScan QA for Mercury TestDirector enables c-level executives to mandate faster time-to-market of highly secure applications by making security a priority for QA teams. Through this partnership, Sanctum and Mercury Interactive are taking the initiative of arming their users with the tools needed to reduce the cost and time to fix security-related defects."

Features of AppScan QA for Mercury TestDirector include:

• Intelligent Testing—AppScan's intelligent testing engine provides automatic test creation, modification and maintenance processes needed to test and act on remediation of security defects including common Web vulnerabilities, application specific defects and any Web-based XML/SOAP application.
• Seamless Integration—Within the familiar testing hosts of the TestDirector environment, users can create and execute security tests for their Web application test plans, store and share configurations and sessions; keep information on past runs; and monitor progress along all as part of the normal QA run.
• Defect Management—Security defects are easily identified alongside typical feature, functionality and performance defects, within the TestDirector defect tracking and analysis system providing centralized control, distributed workload and low maintenance.
• Bug Fixes—Users are given comprehensive security advisories suitable for any audience, translating technical details into business terms and providing detailed fix recommendations and views of the test and response, empowering QA personnel to more efficiently communicate with developers for the resolution of defects.

About AppScan QA
Available as a standalone tool, or integrated with Mercury TestDirector, AppScan QA Edition is the only available tool for security testing during the QA phase. With its patented intelligent validation engine, AppScan QA covers the widest array of attack variants to test both new and existing infrastructures, including emerging Web services technologies containing XML and SOAP vulnerabilities. AppScan QA Edition delivers seamless integration into existing test systems, automation to deliver predictive, reproducible results and the ability to output detailed defect analysis results to all standard tracking and analysis systems. In compliance with the Capability Maturity Model (CMM) outlined by the Software Engineering Institute (SEI), AppScan supports software QA and quality management standards, a critical element of delivering quality software to the market.

About Sanctum, Inc.
Founded in 1997 and headquartered in Santa Clara, Calif., Sanctum, Inc. is the recognized leader for Web application security solutions. Sanctum software solutions provide automatic enforcement of intended business processes, ensuring the protection of core information and data. By detecting and defending against any unauthorized behavior, Sanctum protects customers against malicious cybercriminal activity—from theft of intellectual property and customer data, to e-commerce fraud and Web site defacement—even if a site has unknown security holes or flaws. Sanctum's solutions complete a company's security infrastructure, assure regulatory compliance and create sustainable ROI. Sanctum's customers include industry leaders in finance, retailing, healthcare, government and telecommunications. Privately held, Sanctum is funded by blue-chip venture capital firms and industry leaders including Sprout Group, Dell, Gemini Israel Funds, Fidelity Ventures, Wachovia Strategic Ventures Group, Mofet Israel Technology Fund and Walden Israel. For more information, visit www.SanctumInc.com or contact the Company directly at (408) 352-2000.

AppScan is a trademark of Sanctum, Inc. Mercury and Mercury Interactive are trademarks or registered trademarks of Mercury Interactive Corporation or its subsidiaries in the United States and/or other countries. All other product names referenced are the property of their respective owners and are hereby acknowledged.

For Immediate Release

Contact:

Diane Fraiman
Sanctum, Inc.
(408) 352-2000
[email protected]

Schwartz Communications, Inc.
Sarah Thornton or Tara Dugan
(415) 512-0770
[email protected]