Skip to main content
Right of Boom
January 30, 2025

How AI and ChatGPT Will Change how Threat Actors Exploit Vulnerabilities

In this video, the speakers discuss vulnerability management and the evolving landscape of cyber threats. They delve into how AI and tools like ChatGPT are transforming both defensive and offensive cyber capabilities, highlighting the increasing role of vulnerability exploitation. Additionally, the conversation explores the challenges and opportunities MSPs face in improving their security processes and adapting to new cyber insurance requirements.<ul><li>Vulnerability management becomes increasingly complex as businesses grow, requiring more sophisticated tools and strategies to identify and address vulnerabilities in various systems such as custom code, cloud infrastructure, and IoT devices.</li><li>The webinar emphasizes the importance of having a well-documented vulnerability management plan, which includes defining roles and responsibilities, decision-making processes, and continuous adaptation to changing security landscapes.</li><li>Automation and AI are becoming critical in vulnerability management, enabling both vendors and threat actors to efficiently scan and identify vulnerabilities at scale, which leads to a faster discovery process that can potentially reduce the lifespan of vulnerabilities.</li></ul>

Guests

Andrew Morgan

Video Transcript

Welcome everybody. Monday episode 1 29 here on the cyber call. We have a great one today. I, I, you know, we were talking backstage, we almost got carried away, Gary, uh, all of a sudden we realized we're having this great conversation. At least we thought it was great. Yeah. I'm Like, let's just have this conversation live. We did bring up a great question. We're gonna bring it up and maybe we'll do, I think we do a poll on it too, Gary. It's probably a great one, uh, when we get to it.

But, um, okay. Just a few quick things. There's, um, uh, one of your favorites, uh, Gary, we've got, um, a webinar with, uh, Jim Lippes company coming up on the 28th. It's, um, actually what's really cool about this is it's the former director, like the guy that ran identity and access management for hp, um, with, uh, SAS alerts, uh, CTO chip Buck. And, um, if you guys haven't heard, first of all, if you haven't heard Chip Buck, that guy is brilliant.

Um, but this is gonna be a really interesting one as we look about, look at obviously one of the most, uh, uh, uh, initial access ways in which, um, uh, uh, threat actors are, are compromising networks. Um, so I don't think we could get somebody better. Well, I'm sure we could get somebody better, but someone that certainly knows there's stuff that ran HP's identity and access is gonna be pretty good. Um, Yeah, absolutely. They're doing SaaS alerts.

I mean, look, I feel like their success right now in the marketplace really is more of a outcome of what we're, of where the landscape is. Yeah. Right. It's really where the landscape, it's what it tells us. Yeah, it does. It does. Um, okay, so that's, that's just one announcement too, if you're coming to write a boom. Um, and we'll look for, I'm coming. I think all you guys are coming. Um, and, uh, we'll see you all very soon. Can't wait to see everybody.

Um, we've got a big, pretty big crowd, uh, descending, uh, at the Gaylord in, um, in Dallas. Okay. Andrew, it's so great that I, I upstaged you by doing the cyber call live at sch nifa. I know. Kind your Own event, which was the coolest thing ever. That Was, that was, that was a lot of Fun. Yeah, I beat you to the punch. Um, okay, so lemme just set the stage here and I will put a poll question.

I forgot to do that, but, um, uh, it actually is around vulnerability management, Gary, and you were kind of like, uh, talking about the nebulousness of this, but, you know, we, we had rich stru on last week, which was, or I, you know, again, if you weren't here, I highly recommend you watch. And it's really interesting, man, that obviously he was the creator of MIT's threatened form defense.

Um, but, um, in speaking with Steve, uh, over the past week, it was kind of, you know, serendipitous that, you know, we were talking about vulnerability, exploitation, and, you know, certainly if you're gonna have a threat informed defense, um, that's a, that's a pretty big piece, right, Steve?

Um, and, um, I, I was noticed that he had done a podcast on chat GPT and AI that was very different from what we know typically think about with AI and chat GPT, which would immediately go to phishing, which would make sense. Um, so, um, I wanted to have Steve on and really grateful for, uh, for his friendship. He's been on multiple times. Um, he knows a thing or two about this space, uh, um, was worked in the DOD on this way up. And, and so Steve, welcome back.

Tell us a little about yourself, nucleus, and we'll get on into it. Awesome. Awesome. Thanks for having me back, guys. Happy to be here. Looking forward to ride a boom flying out tomorrow. So, so, yeah, I'm, uh, I'm the CEO and Co-founder and the co-founder at, at nucleus Security. And if you're not familiar with Nucleus, we're, uh, what we call risk-based vulnerability management platform, which is basically software just to aggregate any source of vulnerability information you might have.

So, scanning tools, vulnerability scanning tools primarily, but also results from, you know, third party pen tests from bug bounties, um, attack service management tools, things like that. And then, so we bring all that data into one place and help you automize, uh, sorry, automize. Automize. It's fine. Alright. Yeah, automate, I like that word. Automate all of the, the really dozens of workflows that are associated with vulnerability management.

So everything from just the, the vulnerability analysis, right? Of all the, all the data that you're scanning, tools and other tools of producing, uh, the triage, the prioritization of vulnerabilities, the ticketing and instant response and so on. So we're primarily, primarily popular, I guess, with, uh, in the enterprise space, but we also operate, uh, and work a lot with MSPs and MSPs as well. Yeah, yeah, yeah. Some that have been on this show many times.

So, uh, um, and we're starting to see you guys come down market in, in that area, Steve, so it's gonna be really interesting as you know, more and more, um, you know, cri, CRI, or I shouldn't say criticality, but more scrutiny, right? From things, whether it's regulation or cyber insurance, get put on vulnerability management, internal external scanning, et cetera. So Wes, you know, a thing or two about that, Gary, I'm gonna let the floor go to you.

And, and Gary, if maybe when you get towards, you know, the latter part of your questions, bring those in, because again, we had Phyllis, um, we'll have to give her a little bit of grief. I, I, I already did offline that it's a, it's a federal holiday. I don't know about you guys, but I'm working. Um, I, I'm off today. This is a paid holiday for me. Oh, okay. You'll get an overtime bill from me. Alright, well I appreciate you. What's, what's one and a half times zero? That's the problem.

That's always the problem. That's The problem we have in here. Yeah. Yeah. Mr. Blue car Denominator Too funny. Know the feeling. So Mr. Pika, you are on up. Cool. Awesome. Well, it's great to have you, Steve. Yeah, great to be here. Um, so let, let me start at kind of a high level, um, like maybe set the stage around this vulnerability management tends to be something that's very challenging for companies of all sizes.

Why is this, based on your experience spending all your time on this, why is it so cha and am I correct that it's challenging? I, You know, I don't, I'm not sure that all companies would agree with that, you know, and I think that it really depends on like how big of a challenge it is, is might be correlated just to the size of the business, right?

Because yeah, this is kind of the conversation we're having a little bit, a little bit earlier backstage, but I think that a, for a lot of smaller companies, and maybe the customers have Ms. MSPs, right? That again, they still think of vulnerability management as just patch management. And the truth is, if you're a tiny company and you're doing a good job of, of keeping your end points updated, right?

And just doing, just doing the basics, then that might be all that that you need to do to protect yourself as a small company. And then, you know, I think, um, so, so maybe those companies wouldn't find it very challenging, but I think as, as the companies grow, it just becomes more and more challenging.

So as a business gets bigger, as they start to deploy cloud infrastructure, deploy custom code and software that they're writing for the business, now suddenly things suddenly have a lot more problems to deal with, right? How am I gonna identify vulnerabilities in my code? How am I going to identify cloud security vulnerabilities, right? So the challenges kind of keep piling up and it does become just more and more difficult as the business grows.

That's at least been, you know, my observation on things. Can I say one thing though, Gar here to, and Steve, what's really interesting though is, um, yeah, in theory I can, I can see why you'd say that, but when you talk to the IR firms, man, MSPs and SMBs on the aggregate got clobbered with the Fortinet Pulse secure and SonicWall vulnerabilities, Like all the stuff where the RMM doesn't live. Yes. Yeah.

And here, here comes one of the big problems that people feel safe and secure when it comes to vulnerability management because they run whatever scanner Azure is, and they go after the typical policy of high mediums, lows. We're gonna fix highs, mediums may be lows, who cares? And, and, and who knows what you're not seeing. Mm-Hmm.

There's so often you're in, in fact, we all know when a new MSP comes in to supplant you, they first thing they do is run some scan to find all this stuff that you haven't found just to scare the client. Right? This is a big problem. Yeah, that's Right. Yeah. And, and you know, that's honestly, I mean, you guys probably are paying way more attention to that than I am, but, but it sounds, I'm curious, you know, when you in the MSP space, what does the, what does the tooling look like, right?

Are there good, um, I know attack service management tools, for instance, uh, very popular in enterprise space. Almost every, every mid large size enterprise has one. But, but is there a good attack service management option for MSPs that can identify all that externally exposed attack service and, right, right. So that's a big, that's a big gap, right? But, but, but, but Wes, isn't it harder With 50 customers, Five 50. 500, 500 Customers? Yeah. I mean, I had 180 customers at my first MSP.

Yeah. And Gary get Wes hit on it too. I mean, again, the, the fud, right? fud, Hey, I'm gonna supplant your old MSP because they're not doing this. I'm gonna need, here's this ream of CDEs that they're not addressing. First of all, as we all know, you can have a ream of CDEs if they're not being actively exploited, who cares? Second of all, um, on the, it's really the, a lot of the external and, you know, the iot stuff that the MS like, again, we're missing.

Um, and again, a lot of it, Wes, I'd love your take on this real quick. The, you know, from a cyber insurance side, well, we're not getting paid for it. And, and, and lastly, you know, I would, you know, challenge MSPs especially, um, what about what your website, like I've seen so many websites, we do network security, their MS a say we need network security. Like are they setting themselves up here? Potentially, Wes You mean the MSP or, or cyber insurance?

Uh, well, first the MSP, if they're, if they're saying they do it in their MSAs in their website literature, because the first thing a breach attorney, by the way does, is goes and looks at a website Yeah. If MSP is involved. Yeah, no, that's, yeah. I mean, obviously that, that's a huge deal for sure. Um, and I'm not gonna play the lawyer hat, but we all know just how dangerous and egregiously bad a lot of MSAs are by default.

'cause we've swapped 'em around for years and don't really put an eye on it in today's modern cyber landscape. And that's why you go bring Eric Tills on and he'll be like, oh yeah, wow. Yeah, I see so much bad stuff there. And that's a big piece of it, right? If you have this assumption in your agreement, you're taking care of all the patching and vulnerability management, then something slips in. Absolutely. I'm no lawyer, but I think that's grounds for, uh, some kind of negligence, right?

I think that's reasonable to assume that. And I think from the insurance side of the house, they are starting to get into this. And, and Steve, that's what I was gonna mention to you. So here's an example on this is coalition, and I'm not endorsing coalition, but go check that link out because they'll actually do, in this part of their underwriting process, they do, they partner with somebody like a security scorecard, somebody like that. And they'll do a scan of your environment.

They'll even do one for free for you. That gives you a high level piece of information. The problem with this is that it's not the right answer for underwriting because it's only giving you the front of the door, everything behind the business, which for a small business is it, is what is everything. It doesn't have any insights into that at all. And so it typically ends up being a very poor, uh, process for underwriting. Yeah.

So I've heard of coalition, I haven't explored, explored the website, so I'll have to check, check them out more. But yeah, I mean the, I mean the attack service management stuff, I, I will say it. I, I think there's value to it for sure. I think that MSPs like that, if, if they're not offering it today, because when you think about it, right?

I mean endpoint like good endpoint or good RMM, it might, it might take care of the majority, the vast majority of the vulnerabilities that you have, especially if you don't have a lot of infrastructure and custom code and stuff. And so that, that external attack surface is where I am guessing, uh, back to the, the reports about, uh, from incident response teams, I'm guessing it's, it's through something that was externally facing in a lot of mm-Hmm.

Obviously you still have the phishing stuff and everything as well, but, um, yeah, the, the attack surface piece I think is really important. But to your point, yeah. My biggest complaint about those, one of the biggest complaints is that while it can identify things, there's only so much you can learn from the outside as well.

And so for, for instance, if you do have something that, that, um, is publicly facing, there's a hole in your firewall through to it, um, a attack service could maybe find that, but can't really glean a lot of information all the time. You, what you need is an authenticated scan. In a lot of cases. You need that visibility that like an endpoint agent or something would have to really know, uh, what the vulnerabilities are. So yeah.

Kind of limited value, I think I agree with you there, for sure. Yeah. Alright, Senator. I mean, uh, Andrew, how often do we talk to people, whether it's, you know, Jim from SaaS alerts or John Murchison from Black Point, or I'm friends with, you know, Billy and Carl from Rocket Cyber. And the one consistent thing is how often they get a new customer and that MSP, um, if not their environment, they start to um, you know, they start to roll these tools out.

And how often do they find that there's already a breach? Oh, they're already right. A boom and didn't know it. Yeah. So if anybody came into a customer, there's a chance for any MSP, they're gonna find something. Yeah. Yeah, yeah. Right. Well, I mean, that's why onboarding is getting, so I, I would argue very different than it used to be. Right? Especially if they're, you know, you've signed a con a contract and they're in your backlog.

I mean, the good news, Gary, is still, a lot of MSPs are really busy, but you signed an agreement, they're in your backlog. And, you know, being able to, and Wes you went through this with, with Perch, why did you know some of the biggest of big hire you for m and a, right? Yeah, they Right. Lack of visibility. Yeah. At the end of the day, Right? Yeah. So, So when MSPs onboard, do most of them come in? I, I, I'm, I'm just putting myself in their shoes. Like, I would want that full inventory.

I mean, we can get into asset management and asset inventory and the importance of that, but like, that seems to be key. If you're taking ownership and responsibility for security of an organization. Like, I need to know everything that you have. And Here's the reality. Yeah. You get, you get this new customer, you may or may not have charged an upfront fee. It may, may or may not be enough to cover the work you have to do. You have to decide, am I gonna use, what team am I gonna use?

Some people will use their, you know, project team now it's really expensive 'cause they're backed up on projects and they gotta build those projects this month. Like, just the reality of getting to it, anything that is not responding to a ticket or billing an hour is really hard to do consistently. You know? And if you run an MSP that runs below 15 or 20% true net profit, like after owner salary, you're not doing it consistently. You can't, there's just no way I, I get to look at 300 of 'em.

Like, I get to see every quarter who's naughty and nice. Right? Right. But Steve, you bring up an awesome point. I mean, the first thing you said, you know, for you it's like inherent and intuitive that we're gonna go right to inventory. And obviously all the con frameworks, we always talk about inventory, but it, as Gary said, it's, it, it's, it's tough especially, you know, if, you know, you don't have a role assigned to it.

And, you know, makes me think knowing, write a booms right around the corner. Gary, I play, I I was watching the Robert and Eric, um, uh, uh, uh, back to Warren back that you moderated. And, and I'm gonna paraphrase you that it was something to the fact that if you don't have, if you, if you only have people assigned to projects, tickets, and you know something else, Gary, you're not secure.

Why you do, you know, do you remember that you're Not secure if you, if you don't have roles dedicated to these things? 'cause it's not just the onboarding, but it's the drift over time. And that's not gonna get caught by support. It's not going to get caught by A-V-C-I-O at that level. That's not what they do. It's not gonna get caught by the project people. Like, unless you have a truly proactive team, you're not your customers and you're, and you're not, you can't be secure by definition.

If there's one thing that we've learned over a hundred and was it 29, uh, episodes, is that this is a lot of a, a process. And that kind of maybe leads to the next question, Steve, and maybe this is where, like you're saying, not just scale, but maturity comes into, you know, comes into play. But let's start with some of the core things around vulnerability management and like, can you tell us some of the minimum policies? Like if I'm starting what step one through three?

Yeah, I mean, uh, starting as a MSP you mean like within Yeah, yeah. As in terms of if I'm gonna start to establish vulnerability management policies. And by the way, Steve, uh, even though again, only like a 3% of all attendees answer a poll.

I don't know why, but at least Gary, it's interesting if you look at the poll, um, Yeah, It, it, you know, if you look percentages wise, like this is, this is, and this is really important I think for of you to touch on Steve and for MSPs to take note, because Wes, this is where people get themselves into trouble without one. I feel like this is where we were with polls like a year and a half ago when we asked about the, you talked to your customers about cyber insurance, remember? Yeah.

That's what that poll looked like. We've moved it a long way. Yeah. It sounds like we have to start moving another poll, uh, uh, forward, uh, over the next year. Yeah. And, and I'd even like to know, like, where are you at on the journey? Do you have a, do you have a, a policy for yourself? Do you have it rolled out for some clients? Like, because a lot of the nos, I'd love to know what the breakout there is in that, that group of nos. And, and I'd like to know the why.

It's like, have I not done it because there aren't, there isn't good technology that's at the right price point to do this or that it's too hard or there aren't, you know, like what's the, what's the perceived why, Or is it capability too, right? Is it capability? Like this is again, we're, you know, one of the things, I'll talk about it, right?

A boom in the opening though, Gar and, and Wes, um, is look, we're again, we're con trying to, Steve, we're trying to condense 20 years of cybersecurity enterprise cybersecurity, right? Which is ubiquitous in the enterprise in the last five years, right? Yeah. A hundred percent Across 50 or 500 different customers, right? Not an enterprise where we control everything, including the budget. And anyway, you were starting, like from a policy Go back to your Yeah.

From a policy standpoint, like what's your logic on this and where people start and what the, what that maturation looks like? Yeah, I mean, let's see. Just, just getting started. I mean, I would say kind of what I was alluding to before that, I mean, just step one coming in the door if I'm an MSP, is I've got some kind of process in place to identify every asset. If I'm responsible for security, the organization, I want to know about everything.

I wanna know about the Fortinet devices, the, you know, everything that you've got that, uh, both internal and external. And so I need a way to do that. Um, and that's where I was asking, you know, is there a, is there a good way to do that today? And do it continuously to, to your point earlier, right? Because there is drift and things are always coming online. And then it's like, okay, well you've got that. Now.

What's, what's the plan to continuously keep these things patched and monitor them for vulnerabilities, right? If it's might mean monitoring, uh, vendor websites and security advisories. Hopefully not, but, but that's, uh, you know, that's a possibility and on a really small scale, but then how do we keep all of these devices up to date, right? So RMM is gonna do a lot of that for you, but it's not gonna do everything, I think, which was the point you guys were making earlier.

There are things that kind of fall outside, outside the bounds there. And so a so yeah, a plan to monitor for vulnerabilities and continuously patch vulnerabilities, but then to the policy point, I think you do want some, you know, basic SLAs to start with that say, when these conditions are met and these types of vulnerabilities are discovered, we're gonna take this response and, and then in, in this specific timeframe.

And so it's just a matter of defining what that criteria is, and it's really gonna be different for every organization, right? So at the, at the most basic level, the things you guys were talking about earlier, is this a vulnerability that impacts a public facing asset? Or is this a device or application publicly exposed? Okay, that might be one condition. And then, uh, yeah. Is it something that's remotely exploitable that there, that a public exploit exists for?

And so you can start stringing together some of this logic and then just have basic, some basic SLAs to respond to those things and, and, you know, realistic timeframes. Um, but so it's not, I, I guess I look at, I say, you know, it's not very complicated, it's just, I'm not sure all the, all the tooling is is there today. I know that, you know, for a long time, Andrew, you were telling me about, um, you know, the lack of like vulnerability scanning capabilities in the MSP space.

And, and so maybe, maybe there are some gaps there that, that are part of the reason, but I really am Inexpensive and complex, right? Right. And not really multi-tenant. Right? Right. So that, that makes sense. Um, but then, you know, beyond that, right? So, so it seems like a, a great opportunity for MSPs, uh, you know, to offer something new. And maybe, maybe it's not there yet, right?

With the, with the tech, but, um, but if I'm an MSP, like I am, I'm also thinking about just how do you continuously assess, uh, your customers and how are you able to identify as they grow, what else they need to do? Because I think that's really what we're talking about is this spectrum where the smallest companies in the world don't have to do much, right? Again, they don't have infrastructure, maybe they don't even have cloud, they just have some end points.

They don't really have to do much. But as they grow and become more complex, the vulnerability management challenges just begin to pile on because there's more and more they have to start thinking about and doing. So as a MSP, how am I tracking with my customer's growth and helping them to implement those things that they need so they don't get, get breached.

So also just what you just kind of described, um, uh, of just thinking things through, and you just, in your head, you just kind of list it. This is, uh, something that's customer facing, like this is something that's public facing. What would we do? How did I, I'm gonna guess that very, very few MSPs have had that simple high level conversation around expectations, um, with their customers. Like is even a step one, Wes, would you agree?

Uh, I've gotta be, I mean, I don't have the data for that. You probably, but a hundred percent it's gotta be. Yep. And one thing I was gonna come back to, um, David mentioned this in chat a little bit further up, I'll see if I can quickly find it. He was, he said, this is the problem that everybody has there it is. I've not found a good way to get all assets reliably into one place and updated. There are pieces out there, RMM to documentation platforms get you started, but misses plenty.

Exactly. And I think one encouragement for everyone is I'll just channel my inner or Ryan Weeks for a minute. If you've done good inventory, that will go a really long way to go to what Steve was saying about establishing critical assets and knowing them and then putting your attention and resources into those things to say, I don't know that we're scanning everything.

I don't know that we're able to see everything that's here and that, that, I know it's hard to do, but that takes you a really long way down the direction to go back to the e we can always learn from previous breaches. Look at Equifax, I think it was, no, it was F-I-S-F-I-S had a massive breach like way back in 20 13, 14, something like that. And they had, the reason for it was they had networks like, like class C networks, hundreds of class C networks that had never been scanned.

The security team did not know about, there was never security controls patching anything applied to them. And it's just like, what? And the, and the security team is the one that took all the heat, but the security team came back and said, look, how is this supposed to be our fault? And we had no access to this and didn't even know they exist. They, this is the problem that we have. And so going back to controls one and two can really help address that. Yeah. Yeah.

Steve, so I wanna just, I wanna touch on the conversation, um, that we were having in the green room, which is trying to figure out, like we're starting to talk about what kind of conversations maybe MSPs need to start having with their customers, but how do they go to market? Like what, like what, this is more of kind of an approach and a concept, right?

Like, we're good at tools, we're good at projects, like we like everything with a really tight box around it, and then just kind of hand it to a, a customer and then discount it, uh, and go from there. And so, yeah. I was just gonna say, Karen, and too, to your point is like, you know, let's use EDR, it's per endpoint, right? And we put margin on it, and then we could have maybe a third party soc, like a Sentinel one or CrowdStrike, let's just say here.

It's like, okay, are we doing it per endpoint? How do we have the Brian Blakely conversation around how do you make money? Like, so we find out what those most critical things are that drive business Roles process. Like how, what do we have to do and how do we match up those costs, however, we're billing, whether it's, you know, per whatever or monthly or, or non-recurring, like, I don't know, it's a big ball of, I'm, I'm dropping a big ball Yeah. In your lap. Big ball of wax.

But I'm glad you brought it up. Steve. Can may, maybe an idea though, Steve, 'cause you know, to put that on you. Hey, tell us as an MSP what we should do. But can you maybe give us a sense of if you're a mid-market or enterprise, like who are the roles there? Pretend there is no budget issue, you gotta take care of this problem. What are the roles there just, and how do they approach it? Yeah, so the roles in a, in an enterprise, right?

It's gonna obviously be, be totally different, but like for example, usually the first people that we speak with in an organization are security architects and security engineers who have been tasked with figuring out how to modernize and rethink the way the organization's doing vulnerability management, right? So it's a project for them. And, and a lot of cases it's, um, it's a project that was created as a result of a breach, right? Mm-Hmm.

'cause to some of the statistics and stuff we were talking about where some incident happened, uh, they went through IR and they look back, um, and Mandiant or whoever says, you know, the root cause of this was, you know, this specific, you know, the entry point was this specific, the exploitation of this specific vulnerability and yeah. That was sitting on your network for so long. And, uh, as we looked at your processes for managing vulnerabilities, like this is where the weakness is.

You have to be able to respond to these things faster. So, so we kind of start there, but I mean, it, it goes, you know, the CISO's involved, uh, for sure. And where we see the most success is actually where the ciso, um, really is the one kind of, you know, driving the re-imagining of the whole vulnerability management program. But, um, but yeah, it's, it's, it's ciso, it's your IT directors and IT security folks, uh, that are involved.

Um, we spend a lot of time with product security because in pretty much all of these enterprises, they have lots and lots of different product teams that are building custom, you know, custom business apps for the organization. And so everyone in the product security team has to be bought in. And so, so yeah, we see this governance, uh, layer kind of coming from the top and, and lots and lots of different roles and stakeholders.

So I'm trying to kind of think through, you know, how how you might do things in, uh, you know, in MSP, in the MSP context, MSP environment where you don't have all of those roles and the MSP is really serving as the one driving all of this, right? That's, that's the, that's the challenge, I think.

But I think you brought up a good point, and where I've seen like Carl Bickmore do this pretty, pretty well, Gary and Wes from an MSP's perspective, and, and Steve just said the word project, like Carl literally will articulate to them, look, if, if we're not gonna bake in this new role, right? And we are gonna manage all of this for you, and these are upfront conversations he has, you know, like he's got a pretty thorough assessment process, it's projects.

And he is like, okay, for we're gonna remediate. So that to your point, Gary, this is something that we're going to put these resources on to handle these things because it's not part of, and we can't have it part of your agreement if you're not gonna Right. And you're hitting on now, I mean, Steve, you're hitting on why we are as MSE when I say we as MSPs, why we are where we are when you right from the starting point, you like your CISO's re-imagining, ah, I don't have a ciso, Right? Yeah.

And even if I do, there might not really be a ciso by your definition. Like if an enterprise ciso, so already step one, eh, okay, I haven't even gotten to step two now I have to also understand that that, 'cause that's the first step. Look, this, what you're talking about is a lot around roles and process. Mm-Hmm. So I have to know who do I need? How many customers can they manage with this? What will be the process they will use?

How do I put a firewall around them from all the other reactive stuff? Then how do I take that now that I start to understand my cost and how do I go to market? And you probably gotta go to market pretty aggressively, right?

Because you need to cover those costs once you start building out roles and process, which by the way, that's what I'm describing, the best MSPs that I know that are most secure and or most mature, uh, in terms of their, uh, security posture, that's exactly what they've done. They've had to, the only way to do it, they had to jump over that chasm where they just needed an extra 40, 50 bucks a seat in order to do this for all their customers.

And they had to be super aggressive or else they couldn't fund the roles without the roles. They can't deliver it. And you're stuck. Yeah. You guys are making me want to now go and interview some of my customers, right? Because I know we've got some, some MSPs, um, MSPs using Nucleus, and I'm, I'm curious what, what the, what the model looks like there. And I don't, I don't know. You know, just to be Honest. Yeah, if you do, you can come back on Yeah.

And bring and, and, and with some notes and bring one, because I'm gonna guess what you're gonna find is they probably came to solve a specific issue, and I don't think you're gonna find one similar box of go to market, but, um, I hope I'm wrong. Like, it would be good if I was wrong. Um, unfortunately, I'm not wrong that often, at least about Yeah. My wife would say I'm wrong about most everything. Yeah. Yeah.

But I could, I could see, uh, you know, I guess a pathway where there's, you know, some kind of very simple and affordable option for smaller companies. Um, and it just kind of evolves, you know, to to, to more advanced and more mature and more expensive, uh, offering as the companies grow.

And I think that's honestly where even a lot of the customers that find us get in a lot of trouble is that they, that what their, their program is basically the same as it was three years ago or five years ago. And, and any kind of company that's growing quickly, um, that falls over pretty quick, right? Because you do have all these additional things that you have to do. The, the challenges just continue to grow and grow as the business grows.

And so people like to think, oh, I've got vulnerability management covered. I did this thing, I hired this company. They stood up this tool or this process. But it is something you have to look at, uh, you know, at least once every six months or a year if you're a a, a fast growing business, if you're not growing that fast, I think, you know, it's probably, probably mostly pretty static. But, um, yeah. Yeah. So I can take that as an action, Gary. And, and, uh, that'll be my take back The show.

Definitely, definitely do that. And I guess Wes and I are announcing a new startup we're doing together right now, Wes, Right? Everyone's gonna buy it. It comes with your own trunk. You can slam. Yeah, That's good. And then I have one, one last question. Can you talk a little about maybe everyone's not familiar with the Center for Threatening Defense? Oh, that's my bad. We, uh, Gary, I apologize. That was from week, that was from the week you were off, and I forgot to cut it out. Okay.

My apologies. Um, We can talk about, we can talk about CT IDI mean, we, we, a lot of our customers, um, you know, are, are very familiar with IT and Mitre Tech and all that good stuff. So, um, Anyway, but I, but I do like the question in there about Wes, maybe you could take that one about, um, cyber insurance. Do you see it there? Um, yeah, it's changing because I That's an important one. That's an easy one. Steve, what are you seeing on the cyber insurance side?

What are your clients saying to you? Are they looking at Nucleus to solve some cyber insurance burdens? Any thoughts there? Um, I'm gonna be honest, I'm probably not the best person, uh, for this question 'cause I don't follow the cyber Yeah. Insurance requirements too closely. But what I can say is that from, at least everything I've seen, the bar was, and has historically been super low from a vulnerability management perspective.

And that's because when you look at the way they word things, it's just very kind of high level and, and 10,000 foot view, or do you have a vulnerability management program? Can you, can you patch things within a certain amount of time and, and stuff like that. And so because of that, I think it's been pretty easy, kind of like some compliance requirements and regulatory compliance stuff.

It's pretty easy to check some boxes and say, okay, well we're doing this thing over here, so Yeah, I'm gonna check that. Yes, yes, yes. Um, but I have heard that, that, um, insurance policy or cyber insurance companies are starting to ask for, this is just anecdotally starting to ask for more and more on the VUL management side. I just don't have like, specific examples of, of what that is. Right?

I know, uh, in one case, like we have some cyber insurance companies that are starting to, uh, that we're working with as prospects that are, um, thinking of rolling a vulnerability management service out to all of their customers, or at least offering it, uh, maybe in some cases mandating it depending on the type of business. But, um, but I do think, again, it's all anecdotal, but, but there's more scrutiny there.

So they're, they're now like, starting to put in more language around like, okay, if you have, uh, custom software and you have web applications that you've deployed, you all, you know, you have to have a, a plan and a program to make sure that you're monitoring those for vulnerabilities and, and patching code and things like that, that, that you're maintaining yourself.

So it sounds like it's, it's starting to maybe develop some teeth, but, you know, it's, I don't really have much more than that, I guess. No, you're, you're right. That that's what's happening. And Dustin even mentioned this in chat. He said vulnerability management is, it's a side, it's a light requirement. It's becoming more, um, that that's exactly right at fifth wall, like, here's the link. I'll just put it in chat for everybody.

Um, the five requirements that you could have, and there's really a six one that is really appeared, and it is vulnerability management. You're gonna have a hard time in 2023 if you're not doing at least what they call the basics of like scanning and remediating highs within 30 days. Like, that's the bare minimum. And I don't think anyone would argue that that's good, but they're finally at the stage where they're like, okay, we've seen enough data to know that could have stopped some claims.

So we're gonna at least mandate that. But yeah, I think that future age is coming where it's built into continuous underwriting where they're gonna come back and they're gonna say, look, you know, the next time a, you know, a log four J type of thing comes out, you're gonna, everyone's gonna share and prove to us what your stance is and where you're at with something like that, that that day's coming. I think that's reasonable, but Yeah. Yeah.

And I, I mean, I think about that and it's like, in my mind, it, it will be the, the SMBs that are impacted the most by this stuff. Because when you look at the larger enterprises, there's the ones that have, you know, just a, a another level of maturity and, and they've, they've been thinking through, they've been reimagining vulnerability management, so they'll probably pretty easily check most of these boxes.

But if I'm an SMB that's just starting to grow, uh, in a lot of cases, I just haven't reached that level of maturity yet where I'm even really thinking about some of this stuff. Mm-Hmm. Or, or haven't figured it out yet. So I could definitely see, again, it's it's opportunity for, for MSPs though, right? Mm-Hmm. Yeah. Yeah, yeah.

I, again, this is commercial insights to me one on one where, you know, if you can lead, you know, guys like Dustin out there that are, you know, knee deep in this, I, I think it's a great thing. Steve, I saw you on a, um, in an interview and that I, I, I have to ask you this. So, you know, when you look at the Microsoft, you know, their threat data, you know, it's always about, I, you know, identity based attacks, right? Number one by far, blah, blah, blah.

Now granted, they're looking at, you know, quite a few endpoints that they can, um, but you know, you, because you play up market and, you know, have a relationship with MANIAN and et cetera. You, one of the things you said was in 2021 was the first time vulnerability, exploitation, overtook credential and identity type attacks. So I, I'm scratching my head here. Can you help us with that? And is it possible it's based on size of organizations and, you know, type of thing? Yeah, yeah.

I mean, I think that, I think that that's accurate that any, any vendor that's doing research around this is gonna be, you know, looking at a different set of data. So in the case of Mandiant, I believe they're primarily looking at data from their incident response engagements where they were actively doing investigations. And so their findings are gonna be their findings from, from that set of data.

And then Microsoft, uh, and their findings are gonna be, you know, a lot from the, the findings from their endpoint and all their other sources and sensors and things like that.

And so it, it probably, I think it probably could be correlated to, to the, the business organization size, because I would expect that, you know, the smaller, the smaller organizations probably are, uh, more especially organizations that don't have that, that bigger footprint of infrastructure and custom services and applications than, than what you'll probably see is more of the phishing stuff and credential reuse and all that.

But I can say, at least for Mandy, and yeah, it's based on their, their investigations and they found vulnerability management was number one. And I think it, I think phishing was probably second and then credential, credential reuse, and, and the, the standard ones fell after that. But there also were at least three other reports, other research reports from different, different vendors last year that confirmed that that order with different percentages.

But it, it looks like, you know, there, there is some consensus around that. And, and yeah, my guess is it's probably you're Depressing me larger, you're depressing me right now. It's a change, right? But it, it really is, uh, it wasn't even mentioned. The funny thing is vulnerability, vulnerability exploitation wasn't even really mentioned as, as the initial, as as an initial access vector three or four years ago.

So there's like a pie chart, right, where it shows the percentages of each of these, uh, techniques. And it wasn't even on the chart four or five years ago, 3, 4, 5 years ago. And so it's gone from there to, to number one, right? And a lot of that has to do with supply chain and open source libraries, and there's a lot of reasons for it. But, uh, but it is, yeah, that the, the tax service and, and, uh, threat landscape has changed quite a bit.

You know, whenever we talk about these things, Andrew, it's like, it's almost in my mind I have this running reel of the hundreds and thousands of MSPs I've dealt with. You know what I mean? I can almost see their faces and I run through it, and I can just run through that reel when we talk about something and know kind of what percentage of them I, I know we're gonna, for business reasons are gonna find this tough. I had this crazy idea, right?

Is that like if I owned an MSP and I was struggling, like most are, they changed their relationship with their customer. And I think that's where it starts. You know, some of them, we try to push 'em to go out and get new customers with the right relationship in order to change their belief system to make it easier. But at some point that has to happen.

And I was thinking if I'm an MSP, I think I might just open up a competitive MSP to go after my own customer list and go in there and explain to 'em from a new perspective why the price had to be 40% higher. I would steal some of them from myself, or they would maybe make it easier for me to change the relationship. What do you think?

I, I mean, but it's, it's, it's interesting, Gary, um, again, we're at this point I, where I think there's never been greater opportunity and, and you're starting to see, you know, fortunately and unfortunately the separation of companies, these MSPs that really have been at it for 5, 6, 7, 8 years that are now doing the 2 75, 3 50 a seat to do what we're talking about. Um, yeah, I'm already at 400 bucks. I made the announcement, Right?

But, but, but did we ever think we would be talking those numbers? But based on, you know, when you start to think about collapsing what the historic MSP had to do on it than if they were quote unquote outsourcing security to an MS SP, let's just say an SMB said, no problem, we have to pay, we understand these are costs of doing business. It would be three 50 a seat for hundred a seat, And they would pay it and they are paying it. You, you, you know what I mean?

It's just like we just have to keep, um, we just have to keep this up. Yeah. And we gotta keep changing people's about the future. 'cause a lot of other things outside of security, right, are gonna to be changing right now in, in what we do support is changing. Projects are changing a lot of other things that are the core foundation of what we do, right?

And so, uh, yeah, we, we gotta stay at this, but these kind of conversations we're having with, with Steve, these are a big part of it kind of laying out. Like we always have to look and see, well, what other things have been done are being done differently in the enterprise? And why? And how do we bring that down? 'cause we have the same risks. Oh yeah, yeah, yeah. Yeah. Steve, I'm gonna ask you one more question.

I wanted to give it to Wes, but this is the part that I loved or just fascinated about, you know, AI and chat GPT where again, you know, people, his, you know, the, a lot of the buzz out there is, oh, what are threat actors going to, how would they use it for phishing? But you have a completely different thought process on this of how threat actors are gonna use this. Yeah, yeah. I mean, for starters, I'm the furthest thing from an AI expert. Uh, I do have a point of view the, there He is.

Don't worry about it. All right. Um, yeah, I mean, so in the context of vulnerability management especially, right? This has been a topic of conversation just internally, uh, we talk a lot about it, but so AI scanning vendors have been using AI for a long time to help help, you know, it's proprietary, but to help them detect vulnerabilities and custom code, for example. So you've got like static code analysis tools out there that will scan your code repo and find vulnerabilities.

And a lot of those vendors are, are already using technology kind of like chat GPT, right? Chat, GPT, you can literally paste code into, and it will tell you on line 17, you've got a SQL injection vulnerability or whatever, right? So vendors have been using this, uh, security vendors, vulnerability scanning vendors, and then, um, not, not just, uh, not just for that use case, but, um, let's see, where was I going with that?

Yeah, so, okay, so if you look at like threat actors, where my mind goes to is like, you know, when you think about, when you think about like static code analysis, for example, which is one area AI helps a lot and the fact that it's now available widely and, and it's pretty economical and, and, you know, now technically feasible to scan massive emo massive amounts of software of code at scale, right?

At a reasonable price where, you know, if I wanted to let's say scan every code repository that's public on, on GitHub, I would have, I would need to have, you know, hundreds of millions of dollars to pay like a Veracode or something, right? And now I, you know, tools like, like chat, GPT and, and, and other AI tech I think are just kind of democratizing that. And so they're making that all, you know, they're making things like that feasible.

And so to me, all that translates to we're gonna see just an accelerated vulnerability discovery process where in the past it, you know, it might have taken months. I mean, as you guys know, sometimes vulnerabilities exist for years in some products before they're discovered even open source. So you're saying not only can vendors use it, but bad guys can use it. Yes. The same kind of concept. Yeah, exactly.

And you can look over a lot more environments, a lot more code in ways that weren't financially feasible because of the level of detail involved, right? But now that you can provide some level of automation, they can be more efficient. Yes. And I think they'll be able to do it at scale. So I think you'll see more vulnerabilities discovered faster. I don't think, I think you'll see less and less of the, hey, this was a vulnerability in, uh, Apache HTBD that's been there for eight years.

I think you're gonna see more of this continuous scanning at scale to identify vulnerabilities both by security researchers and good guys, but also by bad guys. Wes, um, makes, as I turn it over to you, makes me think of what we did show at, uh, the live cyber call, the, um, in, out through where we, uh, had that image of the roles of threat actors. And you know, based on what Steve just said, I'm like, oh man, Gary, you talk about having roles and responsibilities.

I could see a, a new one coming in for threat actors, uh, monetizing this whole piece of the equation. Yeah. Yes, indeed. Because what is AI good at? It's good at iterating through millions and billions of processes to get something right, or to get something that looks good. It's how deep fakes work. That's how, uh, that's how platforms like SIT A one and CrowdStrike work.

Um, and so you'll see that same approach for malicious actors using the same thing, even though chat GT's language model is based on like 2021 or 2022, it won't take long for that to continue to be fed and updated and leveraged. And if it's not chat GT it'll be something else that you're exactly right. It's pretty scary to me to think you could throw something, some kind of AI model at a ton of open source GitHub projects and then have it iterate through and go find things like that.

That's a real outcome that could happen. And it's definitely scary stuff that's like state le you know, threat. It's like state threat actor level stuff, but it's in the realm of possibility right now. Right? Yeah. And I mean, I would say it probably was like, you know, state level before, and maybe it's bringing it down to, you know, even less sophisticated and less, uh, less funded groups, uh, and threat actors. So yeah, it's, it is, it's interesting. Yep.

So I want to change gears just a bit, Steve. I wanna talk about co-management. So we have a lot of MSPs that are getting into these co-managed opportunities where they're like taking a piece of the pie from a larger company that maybe struggles with something. So let's take vulnerability management.

How does an MSP go about making sure the lines of delineation have been drawn up, that the expectations are set between What I do is MA, is as a co-managed IT provider and what you do as the client with some amount of in-house, it, any thoughts and wisdom on that? Yeah, I mean, I'll give a a, uh, a very kind of basic standard answer, which is, um, you know, it's, it really goes back to having a vulnerability management, a well-documented vulnerability management plan.

You know, it's documentation and, and, uh, and it's not just the plan, obviously, but the buy-in with all of the stakeholders in the plan and, you know, some, some top level support if possible. But, but really, I mean, what, what we found is very few organizations get that part right, uh, in terms of really defining who owns what, who's responsible for what, and what their processes and decision making looks like. And the ones that do vulnerability management, the ve the best do that.

And so when I think about like a co-managed situation where you've got, you know, another organization coming in, it's gonna inject itself in these specific processes. Documenting documentation of that becomes like more important than ever. And then, and then, you know, and then it's a collaboration, right? It's a, it's not something obviously written in a vacuum, but, but a collaboration and, and buy-in from everyone. So that's, uh, that's, that's my 2 cents on that. I think you're right.

I think it does begin with level setting those expectations and making sure they're discussed, then making sure they are documented. We've talked for years, you know, about these shared responsibility matrix, you know, and using those kinds of things to explain and communicate. But ultimately, yeah, you've gotta have that well documented a policy, make sure the client has seen it, they've signed it, they're aware of it, that it's, you've had legal review it, you know, all of these things.

Because as awesome as co-management is, I think it really compounds that issue of vulnerability management and how that, that works. So you gave that example of like communicating, I suppose is a sign of like, doing it. Well, what other examples could you point to that you would say this company has really has a mature vulnerability management process? Anything else you would point to? Let's see.

So, so having a good, well-documented, well-defined plan, um, having, oh man, I mean it really all goes back to, um, really the details in those plans. And so when I say, when I say a vulnerability management plan, that's probably gonna mean something different.

To everyone, but like, we've got a template, uh, I think I've told you about before, Andrew probably meant to send it to you, but like we've got an example of like what a good vulnerability management plan is, and there's a lot of, of details and a plan like that about roles and responsibilities, about how decisions are made for triaging vulnerabilities and prioritizing vulnerabilities and things like that. Um, so I would say that that's, uh, a massive part of it.

Um, and then the best programs that we've seen really are, are driven by people that, that realize, uh, that, that have flexibility and are always optimizing and open to change because they realize that their business is changing and growing all the time. And so it's the ones where you come in and, and they say, okay, well this is kind of how we do things and this is what it is. Those that, that, those are the bad signs.

It's the ones that come in that are open-minded and have more of a collaborative attitude towards the whole thing because it is something that, that needs to be adaptable. Right?

I mean, going, going back to my point, that's the biggest risk is that you institute something today and, and your program looks the same in three years, that's usually a really, really bad sign if your business is doing well, it, you know, because you're, especially in the enterprise space, you're acquiring companies, you're creating business units, you're creating products and your, your program has to grow and evolve continuously.

And so that's kind of what I look for, uh, in a, in a good program. I, I think that's well said. And you know, you look at Take, we talked about Log four JA little bit. Use that as the example of what you just said. If you have a hard finite vulnerability management process that has a list of things you can do and a process that must be followed no matter what, then you get assaulted with, wait, what about all these libraries of these things that you're using that you had no idea even existed?

What are you gonna do about that? That's when people scramble and they're like, wait a second, we're not ready for this. We don't know what to do, Gary. It's going back and forth on my video fees. It just me. Yeah. I don't know what's going on. That's bizarre. But anyway, that's, sure.

My point is, that's really, really well said, Steven and I, I really think that is something we have to think about as like intentionally build, um, flexibility into this process and know it's gonna adapt, come back, revisit what's working well, what's not, what can we address to make things smoother. Um, it's really, really well Said. Yeah. And I think that, that, you know, I ideally, I think, wow, lemme turn my camera off. Um, okay.

That, like, that, that ultimately I think in a perfect world is, is the role maybe of MSPs, uh, in, you know, in the, in the MSP space and, and kind of taking ownership of the vulnerability management program from that perspective. Now, I don't know if that's realistic, uh, or possible anytime soon, but you know, that's kinda seems like an ideal world. Yeah, Yeah. Yes, indeed.

Well, in interest of time, um, I'm, let me, you wanna just give a quick high snippet, high level snippet of kind of what all you do at Nucleus, because I think there's a lot of interest. People kinda wanna know, well, are you a vulnerability scanner? Are you just like Nessus, but you're not? Can you kind of explain a little bit more what you guys do? Yeah, for sure. So we're not a scanner, uh, I'll start with that. So we don't compete, uh, in that space at all.

We're, we are actually partners with, uh, vulnerability scanning vendors. Um, I mentioned like bug bounty vendors, like Hacker One and Bugcrowd and stuff like that, uh, with pen testing platforms. And the idea is that all of those tools and technologies are discovering vulnerabilities for you, right? And various kinda layers of your, of your tech stack, right? Some in code, some in your cloud, some in containers, some in on your devices operating systems.

And so you don't want all that information in a bunch of different databases and silos because you have to, you have the idea, the goal is to perform repeatable processes with the output from all this data.

So, so the, the concept of Nucleus is to bring it all together and kind of normalize it in one place, and then, um, enrich it with things like threat intelligence and vulnerability intelligence so that you can make decisions on prioritization on, um, you know, who to route remediation to, right?

And especially in complex organizations, it's not always clear when a vulnerability is discovered who actually owns the asset that's impacted, who's responsible for remediating, uh, that specific vulnerability. Usually different people, especially in a large enterprise. And so, so Nucleus kind of helps with all of that by, by pulling the data into one place. And then Nucleus has the con it's context aware, right?

So it understands who owns what, who's responsible for what, and then can automate all of the, the remediation workflows to get those vulnerabilities remedied as quickly as possible. So that's what we do. Right on, Steve, and, and I know we were at the top of the hour just about, I, I'm just gonna put in your, uh, what, what you always call Kev. Yeah. But could you close us out with, you know, just a simple resource MSPs can use. I put it in here for you all to look at Steve.

Really, it comes down to, you know, we can have inordinate amount of vulnerabilities out there, but if it's not being exploited, who care And, and again, air quoting everybody, who cares? Why, why is exploitation so critical? And how do we, is there a better way for MSPs that wouldn't have threat feeds from Mandiant and, and others Yeah. To go about it, Right? Yeah, absolutely.

So in the last, I guess two or three years, there are finally some good open source free and open source options for vulnerability intelligence that really help in this area, right? To your point, not every organization can go out and buy like a, a recorded future or mandian or something. Uh, the three things that, that we, uh, really believe in or believe are very, are very useful and, and would be useful to MSPs. Uh, Kev, as, as you mentioned, Kev is the known exploited vulnerabilities list.

And it's just a, a list of all the CVEs that are actively exploited in the wild. And CSA updates it usually about once a week. Uh, so if you can, if you're scanning your environment, you've got a list of vulnerabilities, you can, you can kind of cross reference against the Csic Kev to see, okay, these are actively being exploited. I should probably fix these first. That's one. Um, something called EPSS is a really good one as well.

And the good news is that actually all of these, um, or at least EPSS and csic kev, they're starting to be integrated into the scanning tools and into your EDR tools and things like that. So when those tools are discovering vulnerabilities, now they're able to, to tag, Hey, this is actually an csic kev, so you could prioritize it higher. Um, I mentioned EPSS that stands for Exploit Prediction Scoring System.

This is actually, we recommend that people use csic Kev in this kind of, in conjunction because EPSS tells you the probability that the vulnerability will be exploited in the next 30 days. CS Kev is kind of like, Hey, exploitation's already happening. You should have done something yesterday. EPSS is probability's high, that vulnerability will be exploited in the next 30 days. And they actually use AI to do that, right?

So they look at ev you know, like 37 different attributes of the vulnerability, everything from the vendor, right? Is it Microsoft, is it Adobe? Is it one of these guys? It's probably, you know, higher probability of exploitation, but they look at that in addition to a bunch of, uh, a bunch of other data to, to form those lists. So those are two really good sources.

And if you're using tools to identify vulnerabilities today, I would encourage those vendors if they aren't already to surface EPSS scores and cic, kev, yes or no, it's just a Boolean along with the vulnerability information they're providing you.

Um, if they don't, if they're not doing it today, I mean, it's not a terribly difficult process in small organizations to just take your list of vulnerabilities and do a cross reference with some, you know, Excel macro, uh, magic, which always hate to steer people into Excel, but that's the, that's the reality. Yeah. Listen, We're gonna be doing all this. Once people come to write a boom, by the time they get back to their office Friday, all their dreams are gonna come true. I like it.

Really good stuff, Steve. Uh, first thanks a million for coming on. Thanks for closing things out with that because so many people focus on CBSS. And again, I'm not saying not to, but there are much better ways of looking at what's important out there. Yes, actually, and I just wanna post a link, uh, since you got me thinking about it. If you go to there, we actually list out all the vulnerabilities in CS kev, uh, as they're announced, they're announced.

Uh, if you have, you have to subscribe to CSA or you could just subscribe to this. Uh, but we, we've overlaid both EPSS and Gray Noise, which are two other sources of Tel, uh, EPSS had just described. So this might be something that it might be useful use or, uh, a useful resource for some of you guys. So I just wanted to, to share that as well. No, y you had great minds to alike. I put it up there, two, two posts above you. Um, Oh yeah, there, it's, sorry. No worries.

Alright, well awesome, Steve. We look forward to seeing you, Gary and Wes in just, uh, 24 hours or so. Can I wait and, uh, look forward to seeing, ready to go back next Monday and we'll give you guys an update and on what we did and what we talked about, uh Right. A boom. Yeah. Make That the show, Andrew. It's, it's, it's the show. Yep. It's gonna be good. We're gonna talk a lot about your recap, Gary, because it's gonna be awesome. Alright, thanks a lot guys for having me.

And uh, thanks Steve. Stay travels. See you there. Take care. Bye.

Related Videos

How AI and ChatGPT Will Change how Threat Actors Exploit Vulnerabilities | Right of Boom