Skip to main content
Right of Boom
January 30, 2025

July 27th, 2020

In this video, Wes and Kyle discuss the importance of ethical hacking and building a culture of security within organizations. They highlight the significance of understanding core IT concepts and adopting an ethical hacking mindset to better protect networks from vulnerabilities. The conversation also touches on how MSPs can effectively communicate value to clients and transition from focusing solely on technology to addressing business needs and security concerns.<ul><li>The webinar discussed the importance of ethical hacking, emphasizing that it's not just a technical skill but a psychological mindset that helps in understanding potential vulnerabilities from a hacker's perspective.</li><li>Building a security culture within an organization is crucial. It starts from the top-down, with executives needing to care about security to effectively implement changes.</li><li>MSPs should focus on understanding and owning their security processes, as they are ultimately responsible for any breaches or compromises, not the vendors.</li></ul>

Guests

Andrew Morgan

Video Transcript

All right. Going live, and we are live. Welcome everybody for week 12. Wes, can you believe it? Week 12 already. I can't believe it. When you first told me we were gonna do this, I'm like, I think he's crazy Every single week. Uh, it's been awesome. Yeah. And look at the numbers. 1890. Wow. Yeah, yeah, yeah. It keeps creeping up. Kyle, thanks again for all the support. Week 12. I know you, uh, you, you were great in, you know, in, in kindly grilling me about, Hey, how is this all gonna work?

And, and everything. And so I appreciate your guys, your continued, uh, um, uh, support of the, uh, project. So, For sure, man, and if you see the community right now, they're asking questions about, you know, who's rocking a mask at this moment? I can't tell if they're talking about like from Covid or if they were thinking something a little bit more shady. So, uh, Uh, alright, well, we, we've got a bunch of people coming in still.

Um, we're gonna kick things off today with, um, just one or two quick things in terms of announcements. I put it way up in chat, I'm gonna put it again. But, um, we, um, are doing a, um, actually, I thought I had cut and paste it. Let me, let me go copy and paste it one more time. But we are doing a, um, cyber event with, uh, the folks from Perch Huntress, and ID agent, I put it in there again, August 11th through 13th. That's awesome. We now, um, you, you, you may be all webinars out.

It's completely understandable, and we are paying attention to that. That's why each day there's only one session. It's, that's it. But simultaneously going on for your technical folks is a three day capture the flag competition. We're gonna be talking a little bit about capture the flag today, because it lends itself in today's, into today's conversation.

We're gonna talk today about, if you've never done capture the flag, but what I would ask, um, of all of you, if you could spread the word, um, because we've got three excellent thought leadership sessions, as well as a great collaborative effort between the PERT soc, the Hunter soc, and the ID Agent Threat team. So this is gonna be a lot of fun, and, um, and you're gonna learn a ton. So let me get into the wood here today.

And first off, introduce, uh, my good friend, uh, SVP of Global for EC Council, Steve Graham. Steve, thanks for joining us today. Yeah, Thanks for having me, Andrew. Happy to be here. Yeah. Yeah. How, so Steve, um, I'm just gonna give just a real brief background.

You could do it probably far better than I could on the history of ethical hacking, but kind of just to set the stage for everybody, um, it was interesting doing the research, and, you know, I've seen a lot through your eyes in the past three and a half years that, you know, we've been talking and looking how to bring training, uh, and certifications to the MSP and MSSP community.

But it's really interesting that the term ethical hacking it, uh, from my understanding, came around in 1995 by a guy named John Patrick from IBM. But even before then, it, its origins come from the 1960s when ha the term hacking, which is misuse, or, you know, rather the seen as a really bad thing today. It was actually a good thing in the sixties by a group of MIT, um, engineers who were looking to optimize systems. Um, so just, uh, in terms of the, of the, uh, lineages.

And then, um, and I kind of remember this, it was in the seventies where it flipped from, you know, the white hat meaning a good thing to kind of a bad thing when people, I don't know if you guys, you're probably too young, but there was all this buzz out there about people, um, basically getting phone lines, uh, hacking into phone lines to make international calls because they were so expensive back then. Right. Kyle, what was, what were you reading all about?

Freaking, freaking, yeah, it was this term freaking, and, and I remember these things, like party lines growing up and all this crazy stuff. But, um, that's, that was the genesis for it to flip to kind of this, you know, bad if you will, um, uh, uh, uh, view. So, um, you know, uh, what I was gonna just kind of in, in, in segueing over to you, Steve, for the first, you know, uh, kind of question. You know, we hear about all these, you know, I don't have to bring up the horrific stats.

Everybody knows them about hacking today, but, you know, the intent of white hacking and, uh, a white hackers to do the, the bad things, right? That a black hat hacker would do a bad, and we'll talk about those terms with the intent to protect an organization. So, Steve, could you share with us a little bit of background, maybe just starting off with EC council and a little bit of just, I think it would be helpful for people to understand how this all came about Certified Ethical Hacker.

Um, and you've been part of the MSPs. I've kind of brought you into the foray of a lot of these, uh, several peer groups and talking to these, these folks. And, um, why do you feel MSPs should care today? So that's probably a lot at you, but I hope that's okay. Yeah. We'll see if I can remember the question. Yeah, I can, I can give them to you one at a time if you'd like. Yeah.

I've got, uh, you know, over the last, I don't know, I, I started with EC council back in 2004, um, and really started the North American division, um, of the company then. And, and I've got, I've got horror stories and jokes I can tell, you know, all along the way. Um, but I'll tell you, you, you know, you, you kind of referenced the history of ethical hacking and how some of these things evolved.

What's, what I think has been most interesting is having, you know, the purview that I think we've had at EC council, you know, our background is in really building education and certification programs, and there's a lot of, I I think there's mixed opinions on, you know, what does certification brings as far as does that really make me a professional? Um, and you know, it, it, it certainly gives you a bump up in the right direction when you're, when you're, when you're moving that way.

But if you look at how ethical hacking in the industry has evolved, you know, Wes, I think accurately noted the Captain Crunch whistles, right? So the idea there was, you know, those phone systems originally worked with, uh, you know, worked with tone signals, they would listen for certain tones, and then that's how they would perform their call routing. So Captain Crunch whistles just hit those tones perfectly, and you could start to bill your long distance calls to somebody else.

Um, that was just an example of using a system in a way that, you know, it, it's taking an input that it expects, but you're using it to get some kind of a different result, right? Um, so I remember kind of going back to, you know, 2003, 2004, um, when, you know, I took this crazy job, um, with a program that was, you know, it was a, a international group that was doing this hacking program, and they said, we're gonna change.

The objective then was, we're gonna change the world and we're gonna teach 'em the standards in ethical hacking and what that means. I remember my first, probably, honestly, my first seven years, uh, with EC council was getting hung up on, um, having people yell at me like, how are you calling me as a hacker? Don't ever say hacker over my phone line. And I mean, people were just allergic to the word hacker to begin with as soon as you said hacker.

Um, we started business a long time ago with the government that I think was, uh, very forward thinking in the way they would approach information security. And quite honestly, the procurement officers hated the word hacking so much that we had to come out with a different brand name just to allow it to go through procurement.

Um, so we actually created a certified network defense architect, um, and that was the certified ethical hacker, just the different names so that we could get it through procurement. But what we've seen evolve over that time is people started to harness what ethical hacking really means. So, you know, one of the taglines that we have is to be a hacker, you have to think like a hacker.

And that kind of plays into where I think a lot of the value, you know, the MSP conversations that I've been in, um, and just seeing what, you know, kind of the, what the marketing messages around MSPs, um, or just around technology in general. Uh, so many vendors will, you know, they spin up a marketing document and that marketing document says, you know, this solution is gonna make you absolutely secure. Um, that's how it's intended.

But we all know that once you deploy something on a network, the, the thing that really gets you are the configurations and the exceptions. So you've got your, you know, your shrink wrap box that says, this product is gonna do X for me, and then once you actually install it, and there's one other application that you've gotta open one additional port for that thing to call home and get its software updates, you know, you're ultimately opening a hole in the network.

And there may be some unintended consequences that aren't there in your instruction manual. And that's where ethical hacking really starts to play in. So when you've got a technical manual that says, this is how you're supposed to configure something, and not naming any specific vendors, but let's, let's just say one of the big operating system vendors that tends to release a lot of security updates after a product goes out.

Um, those, those are indications of, you know, not everything's perfect when we first roll it out. And we learn along the way as the world kind of tests our products, right? That there are certain configuration changes we have to make to stay secure. Um, but when you deploy a methodology for ethical hacking internally, you're throwing all that marketing aside. And it's not a technical acumen per se.

There are a lot of technical, technical acumens that are there, but the shift happens when you realize that ethical hacking is a psychological mindset, right? It is. I'm now looking at my network and I'm saying, if a hacker's gonna come in, they're gonna find the weakest link. It doesn't matter where the weakest link is.

If they need to use a tool like social engineering, and they need to try to get people to admit information that lets me in, if it's running a network scan and finding, you know, vulnerabilities that have already been classified, and then running an exploit against those things, it's this idea of I'm gonna come at an organization from any angle possible. And what we ultimately did was we built it into a methodology.

So there's these five phases of ethical hacking, and instead of just throwing something at the wall and hoping it sticks, we teach people to follow that methodology every time and thoroughly, right? So it starts with reconnaissance. That reconnaissance is where you spend almost all of your time.

You're planning out, you know, what your avenue of attack is, and the difference from, you know, you, Andrew, you had mentioned, you know, the, the kind of, the evolution of white hat hacking and, and how those things work. So the difference of, you know, a white head hacker versus a black hat, or, you know, a hacker versus an ethical hacker is if, if you're an ethical hacker, you're doing it under contract, right? You don't have nefarious intent.

If you find something that's, you know, absolutely horrible when you dive in, you're not gonna go release that to the market and sell it on the black market. You know, you're gonna, you're gonna let the people in the organization know, listen, you've got a hole in your network, and this is what it means to you. This is the risk that it, that it poses. Let's work together to find out some countermeasures ways that we can plug that hole.

But they're gonna use the same methods that, you know, any hacker would. Um, so the idea there is they're not locked into one specific, uh, one specific approach. They're gonna try social engineering, they're gonna try anything they can find that's open source. They're gonna do network scanning, they're gonna find application vulnerabilities, whatever it is. But in that methodology, it's kind of these five steps, right?

So it's, you know, it's reconnaissance, scanning, gaining access, maintaining access, and then covering your tracks. And as they go through that process in every system in the organization, just imagine if you can successfully set up a backdoor to an organization, completely delete all the log files and hide the fact that you were ever there, but you're still maintaining access and the IT team doesn't know you're there, other people can have that same level of access to your network.

So when you show an organization that this is a hole that you have, it allows them to take those actions. And it's not around a specific technology or a specific solution or a specific vendor. It's when all those things come together and all those exceptions have been made. What, what's the actual, you know, deployed architecture look like, and where do those vulnerabilities exist? And where the real problem comes in is new vulnerabilities crop up every day.

So if you tested yesterday, that doesn't necessarily make your network secure today, because new things do crop up all the time. And that's where, you know, having things like threat intelligence and you know, other things that can help configure and secure that network really, really come into play. But it's a, it's a continuous evolution.

We've seen companies, you know, all over the world over the last 15 years start to adopt that process and understand that, hey, you know, just because I say hacking, it's not necessarily a bad word. This is just a different way that we approach security with a whole different mindset. That, that, that was great. I really appreciate that background, and I think everybody out there probably does. Also, Kyle, this is where I wanted to bring in you. This is your profession.

You get, you know, the duress calls from MSPs, uh, on a regular basis, unfortunately. Um, but you've also, there's been good things with MSPs that have come to you and said, Hey, Kyle, I think, you know, I don't want to take words outta your mouth, but I think you've said, Hey, I think I found something here, Kyle. So why do you feel this skill is critical to MSPs? And can you share some of those stories? Yeah, I'll, I'll try to keep it short here real quick, but directly to the point.

Um, let me, uh, I gotta get more hacker for this conversation. You don't have to keep, by the way, I won't. This is what we're here for. I'll Join you, Kyle. So now that we've got, there we go. We're, we're all hacked up. We're, we're ready to have the conversation.

Um, where I'm going with all this nonsense at the end of the day is like the most beautiful part of what was just shared was, at the end of the day, some of these things, whether it's EC counselor or any of these, it's a lot about being able to determine, like, just because I wear a hoodie and I've got the shady background, I even got like, you know, the cool anonymous flag, right? I'm waving, like, is there anything that makes me good at security? Right?

And those points that we made before about, you know, uh, it's about the way that you think a problem, the way that you approach a problem, the way that you're going to try to say just because the documentation says I can do this. Is there anything that's truly, like, are you doing more than just trusting? Are you actually validating? That whole mindset is a lot what you get? I'm also, like, a lot of people will come to me and say, Kyle, well, what certifications do you hold?

And once upon a time in my life, I held, you know, security plus C-E-H-C-I-S-S-P, et cetera. But I'm at the point in my life now where, for me, personally, the certification doesn't set me apart. It's my accolades and what I do above and beyond.

But for organizations that are getting started and looking for something measurable, to me, when I'm looking at hiring folks, professionals, even outside of just huntress, it's literally, are you the type of person who's thinking the right way about doing this? Even if it's in defense? Can you think offensively to be able to plug these holes? And I'm seeing the huge difference already amongst MSPs who are actually leveraging this.

The last three major vulnerabilities in our own, like P-S-A-R-M-M related tools, all three of them brought to me by three different MSPs. That's a great indication of where our community's going. These are some of the things that you're gonna have to figure out. Um, just the same way painters or electricians will come and say, look, we are compliant with these standards, and we have these insurances, and they're able to truly differentiate themselves.

And if somebody still wants to go with the janky guy down the road that once played with, you know, the electrician box, they can make that differentiation. But for you, you're gonna have to have somebody's external credibility saying, yes, my staff does think this way, and they're at least this high, but it's just one part of it. So, um, yes, I get a lot of calls from MSPs under distress, uh, this weekend, sharing a little bit of threat intel.

I had, uh, somebody whose con, uh, screen connect, uh, set up where they had an old API user with a weak default password. Got in there, you know, over 5,000 computers targeted that way. Another one was through Kaspersky Security Control Center. This is an antivirus product that allows you to push products. Well, it also allows you to push ransomware. But what was beautiful about this is both of these companies had employees that thought with a hacker mindset, they still missed it.

So they're not perfect. But what's cool about it is when they came to me, they said, look, I've already identified the source. I know this is here, here's the actions I've taken. And I think all of these will help you better align, not just from a technical and measurable standpoint, but hopefully it starts going into your sales, your marketing piece.

And I won't steal any of Gary's thunder, but to me, what this means the most is you're thinking in the right way that's gonna allow you to differentiate somebody who never makes this investment. So you're gonna get two thumbs up from me. Thanks, Kyle. Wes. Um, so let me ask you from kind of the practitioner side, if you will, you've been through a ton of audits, had pen testers in, but you also personally, you do ethical hacking.

You're very familiar with these tech type of techno, you know, skills. What are your thoughts? What, what would you like to share? Um, yeah, I, you know, I wanna make sure we capture all areas of the audience today on this call when we're talking about this, right? So what I mean by that is, you may be a small MSP and you're hearing this, and you're like, okay, so how do I get in? Are you telling me that I need to start, like, start doing penetration testing?

You telling me I gotta start doing like red team kind of stuff internally? Like, what are you telling me here? And what I would tell you is it's commensurate with who you are. It's commensurate with your maturity. You're just building your security stack. You need to focus, like I was saying in the chat just a minute ago to Jeremy, focus on building a security culture first. And then once you get that culture going, you'll understand how to operationalize this, right?

And so, like, why do we get involved in this? So I, you know, I've worked with a lot of other banks in my banking days that had enormously large red teams. And now the hot thing is purple teams. It's sort of like this conglomeration between the defense guys and the offensive guys that are sort of meshing together, like DevOps, everyone loves to, you know, I'm sure eventually it'll be like pink team and so on and so forth.

But, you know, the, the reason that big orgs do things like that is so that they can test their control. So they have a leg up and thinking through, Hey, how would an adversary do something? And I wanna operate with full knowledge of my network. You know, a lot of times I bring in a third party penetration test. I just wanna say, how would they handle this from a blank slate?

But red team, how would they handle this from knowing the infrastructure internally, if, you know, how could we bypass certain controls? When can those controls be bypassed? How do we make sure we report and have knowledge of those things?

I'm not saying every MSP has to do those things, but the advantage of like even the certified hack hacker pathway is it gives you this knowledge, it gives you this understanding, it gives you this level of comfort of what security and security testing is all about. And then guess what happens? That then bleeds into the understanding and comfort of talking about security concepts in a rela in, in a relatable way with your clients, which is really, really important.

That's something I think we, we miss as a gap. And so, you know, I guess I just wanted to say that that's the, the, the goal is there's an internal goal that you get out of this, but there's also an external function that you get outta building security expertise as well. And something I think we could all, uh, leverage as well. Yeah, it's a good point. I like the, the, again, coming back to the, keeping it simple, starting with security culture, this question's kind of to all of you.

I'm gonna start with Steve. Um, where do you, where do you begin, Steve? Like Wes said, the, you know, and you've seen Steve, there's varying levels of maturity with MSPs. Um, that's not a bad thing. It just, it is. And, and, and so there's some simple steps that you'd recommend people taking. Uh, I'll start with you and then kind of just go around the one. Yeah. You know, to be honest, I think this is, this is a really tough battle to fight from the bottom up.

So when you look at, you know, where do I start? You, you start by, I think getting the executives to care, right? That's, that's a really good place to start so that you have their backup. Um, but you know, when you look at, you know, from a security professional standpoint trying to get into this, there's tons of resources out there. There, um, there's, there's lots of places that you can go learn, you know, individual fundamentals. There's, there's tools where you can start to get into it.

But I think, you know, I think for the long haul, it's, it's always best to learn the math before you learn how to use a calculator. Um, and it comes down to your core IT concepts. And that's one of the things I think a lot of people are afraid of is, you know, I've had this career in IT and I've heard about this cyber thing, but I haven't really made the leap. Um, we talked to a lot of people that are like that, and we told 'em, you have the core set.

If you've been working it, you're doing network admin work, you're doing configurations. It's not really that much different. We're just going to use a lot of those similar tools in a different way. Um, and then it's a matter of changing your mindset, but a lot of it is the same type of work. It's the same, you know, you're going through logs and you're, you're going through configurations and you're working with a couple of frameworks to figure out, you know, what does a vulnerability mean?

Um, and then you can start playing around with some of the exploit tools. Um, but I think, you know, where, where you start to play, um, and I think it plays into the rest of this conversation, is find a playground. And that's what some of these competitions do, right? When you look at these CTF events and red versus blue, um, the last thing you want to go is go deploy a big attack on your live network.

You don't know what it's gonna do because you might unintendedly actually take that company out. Um, so do that in a safe environment and, you know, learn how powerful the tools really are. Um, learn how powerful a single configuration change can be and what it means to the organization. Um, and once you start to establish those boundaries, you'll know you have to learn where your own limits are. I think before you do this in any kind of a live environment.

And that's one of the things, having that, you know, a competition network or a sandbox to play in, you know, something that just allows you to test the actual skills. You've gotta get beyond the theory and the reading, and, you know, you've gotta go out and fly that plane for the first time. Um, but do it in a way that you're not gonna kill yourself, right? Do it, do it in a safe sandbox, deploy some tools, crash some stuff, and just see how it behaves.

That's, that's a good, a good way to start. Yeah, absolutely. I think it's, what is the book? Uh, uh, I have it over here, but they talk about the link. You'd mentioned a crash, a plane, it's some something called the link, the link trainer. It, it, it was when, uh, believe it or not, in World War, right around between World War ii, these pilots were asked to deliver mail in the winter. They took 'em from the Army and they kept crashing. Um, hold on. It's, it's an awesome book.

The talent code, it, it talks literally about that. Wes, you're shaking your head. I'll turn it, turn the question to you. Can you believe And, and go to you then Kyle, 50 50, I asked, um, do you practice ethical hacking in your organization? We got, you know, of the votes. I'm really, really interested, really cool to see at least we got a 50 50 split here. What are your where? Talk to me. Yeah.

You know, I I actually would've guessed it would be lower, it'd be more trending towards No, but I promise you, if you were to poll those that say yes, it's different, varying degrees of it. Yeah. Okay. And that's, that should be celebrated. Yeah. The way that my organization practices testing of internal security should be and is different than every other organization, it's called. And that is okay, that is a good thing. We should have it in a way that's nimble and flexible for all of us.

And what I mean by that, again, is you're gonna have some very capable organizations that do a lot, some that are not. And a great example of this, and the CTF that we did with Huntress, uh, a few months ago at, uh, Peric Con, we got the same feedback. We had people that said, I don't really know a lot about security. I just wanna do the CTF to like learn. And then you had others that like within, you know, minutes were solving, uh, solving some of the flags. I mean, that's a good thing.

We're all learning here. We're all practicing that trade craft. We're all getting better, and we all have a different starting point. We all have a different point where we're at today. And, and again, that's okay. There's nothing wrong with that. It's better to start now to not do anything at all. Right. And I think that's a, that's something we should celebrate, Andrew. Yeah, Very true. Kyle, there are internships at Huntress for the msp. Is that, what would you say, Kyle?

Where's your people? Well, I mean, I, the internship starts with the, uh, CTF we're hosting, right? The between US Perch and ID agent. Um, I have read the talent code. Oh, cool. Um, so their tagline in that book is something like, you know, greatness isn't Born. It's Grown. Yeah. Um, that's a pretty cool way that, that, you know, reiterates the same point that we started the episode with, with Steve saying like, look, it's about building from the ground up.

So I would also, you know, maybe if you don't even read that one that's like an audible, you know, use one of those credits that you've, uh, you know, said you were gonna use forever and go look it up. Yeah, very true. Um, Steve, uh, maybe just briefly, um, I'm keeping an eye on time here. Um, I always say we're gonna go a half hour, we always go about an hour, but, um, we're gonna be doing this CAP competition.

Um, can you share a little bit about, you know, uh, jeopardy style versus Red Team Blue Teams? For those who don't know, this is ours is gonna be a Jeopardy style type event Fair West from what we, we typically run. And, and, but Steve, can you share a little bit about the differences there? Yeah, I think, uh, a lot of that is how, how well you can can plan, attack and adjust, right?

Um, so we see in the, in the Jeopardy style competitions, you know, typically you're going up after kind of a, it, it's a predefined target. You may or may not know all the details about that target. Um, but you know, your job is to capture a flag in, in kind of a controlled environment. Um, the nice thing about those, they work really, they lend themselves very well to learning because it's a fairly static environment when you're in them.

Um, whereas when you've got an active, you know, red versus blue or a red and blue exercise, those sands are shifting under your feet the whole time. Um, so you definitely need to have a better grasp on, you know, what's really going on down range. Um, because in, you know, red and blue, you're, you know, you've got a defending team and, and an offensive team and, you know, the defensive team has a set of assets they have to protect, and the red team is doing everything they can to break in.

Um, so you're gonna see a lot of change on the network, a lot more, you know, active network traffic, people coming at you from different angles. Um, whereas, you know, in that, in that Jeopardy style, what we typically see is you're going up against, there's a vulnerability that's been configured, um, that you know, is gonna be exploitable, but you've gotta figure out how to classify that, um, you know, identify what the vulnerability is.

That's, you know, usually figuring out what target you're looking at, how you're gonna go after it, what tools you're gonna use, what, what are the, the kind of, the scope of limitations in that environment. Um, but it's a great way to learn. 'cause you can nail down, you know, different core techniques if it's, you know, if it's hacking into a, a web server, maybe it's a SQL injection, you know, it's a, a SQL vulnerability that that site has.

Um, you'll have those kind of specific vulnerabilities sitting there. But, um, yeah, there, there are fun competitions to attend. Well, we had a, we had a, a, a great one the last time, and I expect this one to be the same. So, um, Steve, just talk to us in closing about, oh, by the way, I put up a poll. Would you like to learn more about this skill of those answered 41 yeses, one? No.

Um, we don't do any quote unquote pitching and selling here, Steve, but, um, I will email people on the side if it's okay with, with everybody, just maybe gimme a yes or no. Um, you created, um, something called Code Red, which is allows people to take, like, like I think there's like a hundred courses in there now. There's ethical hacking, capture the flag courses, identity and access management, all this stuff.

I think, um, there's gonna be even a promo for $99 a year per per person for a short period of time. It'll eventually go to 1 99, but it's still ridiculously even at your full price. So I just wanted you to, it was cool to see the, uh, um, the, um, yeses. Um, so I will put that out there if it's okay with everybody in a follow up email. Um, but Steve, talk to us about, in closing in, in a few minutes here about what Cyber Queue is.

I think it's a really interesting concept that hopefully we're gonna be able to bring to everybody. And I'd love Kyle's and Wes' comments on what Cyber queue is, and then we'll move on and bring a, a real live MSP on here with Gary and we'll talk business. So go ahead, Steve. So, so Andrew, do you want cyber queue or do you want code Red? No, talk to us about Cyber Queue. Um, what, what you got going on there?

We'll, we'll I'll, I'll make sure that I talk to them about Code Red and those types of things. So, but go ahead talk, because cyber queue's really interesting. I think, you know, where it'd be you analogize and IQ to it, so, Okay. Um, yeah, so real fast background, and I'll just take a minute on this. Um, one of the, I I had kind of talked about, you know, the value of getting started is you gotta have a sand, a sandbox to play in.

Um, we built a lab product, it's, you know, education technology to go along with our learning back in about 2008. And, you know, we, we give people access to a remote data center, and you know, in that you can spin up, you know, five virtual machines, 10 virtual machines, um, and practice different attacks and stuff across the wire. It's pretty, you know, a pretty simple just asynchronous lab platform.

But what we realized over time was, you know, as cloud computing started to, to really develop, um, what were the ways that we could build a platform that would bring, you know, DOD grade cyber competition capability to everybody, um, you know, without having a million dollar price tag. Um, so ultimately what we set out to do was build a technology that, the best way to describe this thing in a very short form, and I apologize for the analogy, but it's kind of like the AWS of cyber ranges.

Um, so we built in, you know, software defined networking, you can spin up pretty much any exercise you want. You can build full, you know, jeopardy style CTFs, you can build red versus blue. Um, it's got all the team coordination events, all that kind of stuff in it. And you can do all that in a matter of a couple of minutes because the whole thing runs on a templating system.

Um, but the part of it that's unique that we're really looking forward to is, we've linked this up with a partner we have called yet analytics, um, where we extract all of the information of how they interact with this cloud environment. And we do full packet capture. We analyze the entire stack, um, as anybody's in interacting with a vm.

So anything they send across the network, anything they do with an individual machine or a file, you name it, we capture all that out into a thing called a learning record store. And we're able to run these, you know, analytical assessments on everything they do in the system, and then we can benchmark them against others.

So if there's a specific vulnerability and it has an attack, if they deploy the attack, their method of deploying that attack, is it gonna be compared to a thousand other people who did the same thing? And instead of saying, this is right or wrong, we can say, well, you did this in a very skillful, stealthy fashion versus you took out all of the critical network services as you were trying to log into this website, right?

And being able to pull that kind of analytics back, it shows people broken down to an individual skill level. You know, you're doing this in a very skilled fashion or, um, you know, this is something that you really need to work on. And we can break that down to individual knowledge elements to help them start, start building, you know, ultimately that core assembly of knowledge and skills that they need.

Um, it gives 'em the insight a little bit more than you earned X number of points in this competition is, yeah, you got some points and you won the competition, but we're actually assessing every skill you deployed along the way and how skillfully you use those things.

And giving that kind of, of, you know, a level of feedback, you can start to see where your weaknesses exist and you know, where you can invest for your employees or where you invest your time as an individual to start just, just getting better at the job. Yeah, that's, that's really cool. Les comments on that. And I got Kyle, I'm gonna ask Kyle a question here, and Yeah, The one thing I do want to say very quickly is cyber ranges that are prebuilt for you are a godsend.

I mean, it's, you'll spend, I remember the early days of, you know, having to download, you can't even remember ice and some of those like exploit, uh, like it damn, damn vulnerable Linux, like all of those that are out there. It's like, it's an enormous amount of work just to build something that you can test on and play with and learn from.

And then even then it was like super, super scaled down on exactly what it could do and it couldn't do, having entire labs built out to give you training opportunity, sort of like a greenfield for you. It's, it's really, really, really valuable. And I, we've been chatting about O-S-C-P-A lot here.

I mean, they take very similar approach and not to just, you know, I know there's several certifications we're talking about here, but you know, it's the same approach of like, let's give someone a lab and let them actually play on that and have the, the closest to a real world environment we can. I mean, that's what we're talking about here. This is different than like a CI ISSP where, you know, it's, it's academic and head knowledge.

It's a, you know, everyone says inch deep, mile wide when you're talking about ethical hacking, we're talking about doing things right, and that requires a lot of practical experience. And so getting your hands in a lab like that, that Steve is talking about, super, super, super valuable. So, um, I can't say enough about that it, that that is the way to learn, for sure. Cool. Kyle, I'm gonna transition, uh, with a question.

We'll, and, you know, we'll thank afterwards, I'll thank Steven West and move them, but this is kind of a perfect question coming from Joe k Clap, which will transition bringing on Carl and Gary. He said, Joe says, why would MSPs redirect their people's focus to other skills like ethical hacking rather than focusing on core competencies and bring in experts as needed? So I thought that was a good question.

Yeah, I, I think I've heard this question also asked at times of, you know, where is the line between IT and security? And usually my answer back, right, if it's a technician, I'll get techie, but if it's somebody in business, I usually respond. That line is usually where you could stop showing value and stop making money.

Uh, and that's, uh, you know, that hurts to have somebody get you right back in the, you know, the chops when they say like, everything is an opportunity to make money if you can actually make it. You and I all know that, you know, MSPs as a whole, you know, are good at delivering, you know, solutions, good at delivering technology, not the greatest at selling.

So I think I would say for some MSPs, you know, massively investing in something as extreme as like an OSCP, uh, which is a solid, solid, you know, uh, one of the many different options you can get certified. Yeah, it might be too much, but at the end of the day, I would argue, you know, these are two, you know, two Ps in a pod security and it go hand in hand whatever track you decide to, to, you know, secure yourself with, right?

And where I'm going, uh, you know, very specifically with this is, you know, that line could actually be the thing that opens you up for maybe your total addressable market with your clients right now is, I'm gonna be able to make $3 million, but I'm hyper competition and I can't get over that chasm.

If you can now open yourself to other opportunity, a larger total addressable market for the business folks in here, to me, those are things that you're saying, why wouldn't you make that investment? So I, I've taken the notes, I've seen Robin, uh, gave some feedback that they're also having a hard time being able to justify why, uh, you know, why to give me the money and I'll make sure that I come back next week with a better answer. So I hope that gave you a good segue. Yeah, Yeah.

And, and I wanna say super quickly, in 30 seconds, I think one key to that is sometimes we bite off more than we can chew. And so what I mean by that is, if your M ms P is not already engaged in, uh, like offering and selling security services, you're not security enabled and you're not, you don't have a culture of security, start with building the culture first.

Oftentimes a key indicator that your senior management doesn't have the buy-in and doesn't have that culture of security is that they question things like that. They say, I don't see the value in that, right? And that no is not, don't interpret that no as a no, never interpret that, no as a no, not now until I can get them to understand and I can get them to buy into that culture of security.

Maybe we can talk about that more on a future episode of how we build a culture of security inside our MSP. But that is the key entryway to getting that done. And I learned that even the bank I came from is building the culture first will then secure the resources you need second. And so that's probably a good thought for all of us to, to keep in mind.

We might even do, I, I just off the top of my head, Wes, as you and Kyle talk about this, segueing for next week, do that building, culture transitioning, but also maybe even bringing on, I, I, I had the good fortune of, uh, interacting with, uh, somebody that wrote an article on ethical hacking. And it actually, you know, there's not a lot of females in this, uh, expert. Um, her name is Ruit. I think I'm pronouncing it correct. I'm probably butchering it. She's in here watching us.

But it'd be cool to bring in some females into the mix, um, because, uh, I think it would be, uh, uh, important for others to know that, you know, there are experts in that area as well. So Steve, with that, um, thank you so much for coming on. It was great to have you. I hope you stay on with us. And um, Wes, I'll move you into the audience as well. You got it. Bring on Carl and Gary. Steve, we'll talk soon. Thanks again. Everything.

Alright, Kyle, if you can keep everybody entertained for me, I'm gonna go find Gary and Carl and we'll get on the business side of things. This has been good. It, it's been solid, obviously long episode today, but all valid points. Um, I think, you know, may maybe my favorite part of the, the tap dance here while we bring people on board is we are finally starting to blur from technology, right?

Cybersecurity is about technology, but from technology to businesses, which is where we all make the money at the end of the day. So, um, in, in 12 episodes, I would say we're really starting to elevate our conversations, especially because the people participating. There's a lot of technicians talking about business, talking about how do I get investment. Uh, we're really starting to have growth, I think both as presenters and the audience. So I'm pretty stoked. Yeah.

Well, hey, I don't wanna focus on me. Hold on a second. I'm focused. Carl. Um, we have your, your, um, can you hear us first off? I can hear you. Okay. We can't see you. Is that on purpose? Oh, we're waiting for Kyle. Hey There, he's Jerry. You know, it's a, it's a browser security thing. I can't just let anything access my camera. Oh, okay. You have one of those things you had to move to the side, Something like that. Alright, So Carl, thanks for coming on with us.

I'm gonna let Gary take over from the business side of things, but I'll kind of segue this, Carl. Um, you've been running a, you know, like a soc two M-S-P-M-S-S-P now for over five years. You've invest heavily in security, you've been on with us before. I thank you for coming on again. Um, so you take this pretty seriously. You have ethical hacking in your business. Um, so with that, Gary, I'm gonna let you kind of transition things and, and take over a bit here.

So Yeah, I enjoyed, uh, getting to listen to that first part. It was awesome. And, um, so this is a perfect segue, you know, uh, Carl, uh, I, I have here, Andrew gave me a, a quote from you and I wanted to maybe start with that. You said that MSPs need to own their security, uh, because if you get compromised, no vendor is gonna pay for your mistakes. Yeah. Look, it comes down to, in any business you should be thinking about as an owner, about profit and about risk, right?

And, uh, the reality of it is, is nobody's gonna come save you. You have to save yourself. You have to prevent it yourself. And so, yeah, it is just an offhand conversation I was having with Andrew. I said, yeah, you know, you have to remember, you know, when, when it all comes down to it, you can cry about your vendor making a mistake.

You can cry about following their best practice or whatever, but if that ultimate was the reason that some hack came into your environment and owned you and your customers, it's your problem not theirs, you know? Yeah. It just, it's how it is. Yeah. So I want to ask you a couple specific things, but you know, conceptually I think what people are struggling with is what their role is, right? As an MSP.

And if you heard me, I'm not saying that all MSPs should be MSPs, I think you should rely on vendors, but you, you can outsource capabilities, but you, you have to have a culture and some knowledge, you know, in order to be even able to manage vendors and, and, and be able to get the end result you want for your customers. So the first question I had for you, something like, um, ethical hacking, you know, how did you get it implemented?

Like, what was the process you used to be able to get that in as part of your culture? Well, it, it's something that's kind of happened somewhat organically, I would think, say that kind of the first thing is that we just became regularly concerned with our risk. And so, you know, it became a part of every conversation. It it's like there's no meeting that goes on in our organization that it's not talked about or thought about. And then we simply constantly iterate.

I mean, earlier they were talking about what's the line between it and security? And in my mind there's like, there is no line if I'm gonna do good it, I have to be doing it securely. That's just a period, right? And so it, it's just a matter of like, do we wanna be competent or do we wanna be one of the jokers out there slinging, you know, insecure stuff and causing all sorts of risk?

And so from our perspective, you know, I, I know at least in our organization as owners, we became convinced that there's significant risk. And because of that, we naturally wanted to find ways to remediate it. And, and so we found ourselves doing vulnerability scans that we didn't used to do. We found ourselves, uh, implementing change management in a very strict way, uh, that we used to not do when we were very early in this process.

We found ourselves vetting vendor vet vetting vendors much more stringently than we did before, and asking for a lot more things. And we've learned how to do that better as we went. So it's just as we've continued down the process of developing our company at some point in time we said, you know what? It's just not enough to trust the vendor. You have to go out and actually try to get at it yourself, think like the hacker and think, where are the things I have to close up?

Where are the problems I can resolve? Where are, are, are the opportunities? And, uh, the reality of it is that you never really complete the picture until you're actually actively trying to get into an environment or thinking how it could happen and how can I prevent that? Yep. So two things.

Um, one, so does that mean you have some people to kind of lead this in your organization or is this something that pretty much anybody who's involved in your company, regardless of role, needs to think in this way? So funny, put it that way. See, in our, um, we do a, a quarterly all hands state of the company meeting. And one of the things that we do is we talk about how everybody in our organization is a cyber warrior and we're at war and we must defend ourselves.

And that is our default position. And there's nobody that's exempt from that. And so yes, we have technical people that lead different areas of expertise in our organization, but there is nobody at any level in our organization that doesn't need to be trained aware and part of the process and part of defending our environment and our customers. Okay.

So how much compared to when you look back maybe three years ago, right, compared to being more mature now, how much more time and effort does this all take? Is the, is part one of the question number two, how were you able to go out and, you know, charge enough to your customers so you can put that time and effort, you know, into this compared to someone who doesn't? You know, it's funny you say that because uh, that's another one that's like really been interesting to work out.

I mean, because what we found ourselves doing is not only for ourselves is more audits, more checks, more configuration reviews than we used to do. And we've, we call it our compliancy process. And we do this on, we have weekly tasks, monthly tasks, quarterly tasks, annual tasks, that, and we've mapped that out. And, and so, you know, to be perfectly frank, there's a fair amount of things that we're regularly doing for ourselves and our customers. Yeah, that sounds Expensive.

It's a lot of time. And so we ended up finding a way of monetizing by creating an offering for it. And basically that audit and review calendar is, is a charged labor event. And so it became a billing center, not a cost center for us. Yeah. So that's one way, right. To do it is a couple ways to skin the cat. Uh, I was just reviewing, uh, uh, a proposal. Someone, a friend is looking for a new, uh, you know, provider.

And, um, the funny thing was when I looked at 'em, there was like four vendors, the bottom two, I said, well, you can't use these two, they don't charge enough. And they said, well, what do you mean that's usually I'm looking? He goes, no. I said, no, it's the opposite with this. Let me tell you what happens when they charge that much. They're guaranteeing you can't be secure among other things. Security is only one symptom, right? You know of it.

And so I think, uh, that has to, I I'm assuming be part of your culture where you're va now that you've done it, you know what it takes, you value that, right? Your team. And when you're out talking to a customer, you're able to share that value. This is the classic thing, Gary, and you've been a a long time, uh, industry proponent of this, is learning how to sell based on value rather than, uh, getting into some type of, uh, you know, commoditized conversation.

The reality of it is, is when we come to market, there are clients that we end up not getting because they see us is too expensive because oftentimes our monthly is double the other people in the, on the list. And then it just is what it is. But the reality of it is, is we win more deals than we don't because we've learned how to express why.

And you know, any business owner that really cares about actually getting a vendor that's successful and effective is going to prefer the approach where you're more comprehensive, they will pay more if you can simply explain the value. And, and so there you go. It's just, it's that simple. So Andrew, over these weeks, anybody we bring on, we get to the same answer. I say it in my specific way to make a point, but everybody gets to that same thing.

What Carl is saying is, we've learned to weaponize low prices. Mm-Hmm. We've learned to weaponize the competitors low price. So I want that message to get through. People been asking like, how do we get budget? Well, think about the IT director that goes to get budget, what, what their board realizes or the person they report to that security. And it is a really small part of the total expenses in a thousand person company. The same way we're a really small cost right? To each of our customers.

And when you start to get that and take the approach that Carl is, which is more comprehensive compared to less comprehensive, um, that that changes. 'cause that keeps coming up now every week. How do we get budget? They're asking the same question. Like that's the roadblock. Well, what what's strange, Gary, is, you know, if we were to turn back the clock 15 years when, you know it was more insourced than it was outsourced, right? I was right. Tremendous shift.

But people would have an IT person, you know, on staff. And if you think about what the cost of an IT person is in today's dollars, right? Um, and, uh, you know, you, you think about like the, the overhead of that and then you say, well, I'm three, you know, you're a 30 user environment, let's just say and, and I'm, you know, 4,500 or 5,000 a month or whatever it is, 6,000 a month. Okay, it's 6,000 a month. And people and MSPs are like, but that's $200 a C, it's $72,000.

Tell me a IT person worth their salt that's gonna handle your IT and security for $72,000. I'm saying, who cares, right? Whether you could do it for 72 or a hundred, like it's all relative to all the costs and all the risk Carl, right? Yeah. Is, is out there to these companies, whether you charge 'em, whatever, like that, it's such a small, like they're saying, I'm gonna have a wet blanket moment here. That's my job to come on. But no, we're not. We never end on a wet blanket.

We always end on, uh, opportunity in hope, Carl. Right? So Here's the thing, I mean, uh, you have to have a certain confidence in your approach. And when somebody comes to you and says, Hey, this guy's gonna do it for half your price, your reaction shouldn't be, oh man, I overcharged your reactions should be, oh, good, that person is incompetent that tried to sell them, and now I just need to help 'em understand why.

Because they, if they, your point is so solid that in fact, sometimes I do this analogy for, uh, an opportunity where I'll set, I'll lay out the role, lay out the work, and give them what it costs for them to just do it in source. That number's astronomical compared to what it for an outsource organization. And it's a great way to kind of put it in the context of what the budget really is. And I guarantee it.

Anybody sitting around thinking that they're, uh, need to be competitive and bring their prices down, they're not even close to what that number is. Not even a little bit close. And so, you know, even if our number doubles, we're still a really small, we're like right there with electricity, you know? Right, right there with the janitorial services on cost, yet we're making their business secure and we're keeping them functional.

And so it, it's just not at all a, a stretch to just be proud of what you do know its value and express it. Right. I I always say sometimes they, they pay as much to the people that water the plants. Right? Right. And those people are also proactive. They water the plants before they die. No, I, I like this conversation a whole lot because there's a whole lot of belief here at the end of the day when you know you're doing it right, when your data shows you're doing it right.

When you know the, your value, it's really easy to tell somebody to pound sand, or maybe the more appropriate weight of this is actually why it's going to enable you to go above and beyond, and this is why it's worth investing in me more than your janitor or whatever widget that they're probably wasting money on too. So anyways, Carl, I I thought it was awesome. Yeah, Do, do, do. Carl, I was gonna say, do you know what I find, this is why it's great having you on today.

I find, and again, I I, I have a hundred, you know, MSPs that I work pretty closely with in my peer and a bunch of others. What I have found in every case, those people, if you listen to what we've been talking about the past 12 weeks, who get involved with this at the top down that build that culture of security, the pricing and the value, it just changes. Because once you're doing it, it's easy, right? To express it. Like all the questions people have are concerns, they just melt away, right?

As you build that and you build confidence in all the hard work you did to get where you are compared to where you were, Yeah. It's, uh, you know, it's a journey. It's something that it can feel uncomfortable if you don't have a lot of experience with it, but the reality of is you see this in your life all the time. Most of us buy based on value rather than a commoditized price when to anything of significance or service.

And the reality of it is, is the, the, the good companies know their value and they know how to express it. Yep. Absolutely. Awesome. This is really awesome stuff. Um, so Kyle, uh, you and I got to do, we did a webinar just, uh, recently together, so we're getting to spend, uh, more and more time together.

One of the questions that comes up and uh, Andrew and I were talking prior to this, is, um, kind of, there's some confusion, um, between vulnerability management and, and penetrate pen testing. How do you kind of look between those two and define it? What's awesome is there's some people on this call that do professional pen testing and vulnerability testing at the same time, like Joe Clap that's on here. And what's beautiful is you're really looking at the result.

If you talk to any of these professionals who do this full time, you're asking, what are you trying to accomplish? For instance, I can tell you, you know, most of the time somebody says, I'm looking for a penetration test. They're using the cool descriptive word that's got everybody excited. But what they're really trying to say is, I'm looking to slightly harden this process.

Most of the time penetration tests are done in a very specific way to say, I wanna harden this specific attack service, like a web application or this specific thing for this purpose. But you're really trying to accomplish a very specific goal. Vulnerability management might be your processes, the technical solutions, what goes in them.

And yes, it might be have you patched or have you tweaked and hardened and configured, but I would argue most of the time, Gary, most people are not truly looking for a pen test, although the same person on that end, you might have people like, as I mentioned, Joe here that's on the, in the chat, who services both those roles. So that, that might be a cool thing, Andrew, in the future of getting some folks that do professional pen testing Yeah.

And share kind of their horror stories of when businesses ask for one thing, probably usually super technical and misworded, but they actually mean something completely different on the business management side. Sure, Sure. We can, Carl, how do you look at that, The difference between pen test and vulnerability? Um, I, you know, biggest thing is, is, uh, I feel like one's more active and one's more passive.

But I think Kyle's answer is, is is dead on in the sense that what are you actually trying to accomplish? Because you can reduce your risk and your footprint and your attack, uh, by, by doing both activities. The reality of it is, is pen testing is not as crazy as scary as people think it is. And it, it's just a matter of having the right mindset and being active about it.

Vulnerability scanning can be more passive, but it is also very important, especially if you're scanning methodologies, can help you not only find, you know, CBEs, but also configuration errors. Is there one thing, Carl, I wanted to ask you, through this process, was there one or two things that happened or either you planned or happened to you that kind of really changed your trajectory in turn, in terms of really moving towards more of a security culture?

Well, you know, the reality of this is, if I be honest about the very first thing that happened to us is we got a large opportunity with a company that, that, uh, really required it. And I said, if you wanna be a part of this, this, uh, getting this this bid, you need to have these credentials and have this practice.

And so it was sales motivated initially, although I will say it's kind of in our DNA in the sense that I kind of grew up in the fi financial investment industry, worked for Charles Schwab, and we saw, I saw a lot of that going on there. So I had kind of a natural propensity towards it. But then, then I'll say the other thing is, is we started finding ourselves getting involved in instant response, uh, gigs and, uh, people would refer them to us and we would come and help clean up.

And, uh, you know, fortunately it wasn't on our own specific client, but we watched other managed service providers going through the chaos of becoming completely owned them and their customers and help them go through that and saw what that was like. And I've seen nothing more sobering for my entire team than to be able to sit there and do that, um, postmortem conversation with them and say, okay, here's what we saw. Here's what happened.

And so I love And like, Hey, that could have happened to us. Some of you probably said that could have happened to us. It just didn't. The reality of it is, is it caused us to go, we should go see if we have that vulnerability and oh my gosh, we do. And, and so, so it, it, it's, uh, it was sobering to see people I know, uh, and people that we're working with and the type of things that they were getting owned by. And the only thing I had to say back to my team was, we can't be these guys.

We've gotta do better than this. You know, You lost Gary and we lost Carl. What the heck did you, Hey, I'm, I, uh, I had to take the stage for all me, to be honest, Andrew, this is one of those moments that, uh, I needed to show hackers rule, um, the bookworms drool and, uh, that that is clearly what we're getting across here. Did you wipe 'em off? I mean, sometimes you gotta do what you gotta do, right?

Uh, you know, uh, we'll see, uh, you know, if they, they make it back with, with that said, I mean, we're right at the top of our hour. Yeah, we had some awesome points. Uh, to be honest, some of the chat, I don't know if you saw, I'd probably give my gold medal just recently to either, uh, Alan Miller, who threw some huge wisdom specifically, like how to, you know, challenge somebody who's asking you about cost.

But there was other comments actually above Gentleman George, uh, George CAPAs, uh, threw out some other stuff and I even asked him like, are you a technician? Are you in management? 'cause his points were so solid. It's a huge thanks. Yeah. Yeah. I could see all the, I, I wasn't able to capture all of the, the chat, but, um, I, I could see it was, you know, pervasive throughout the entire thing. And, and I appreciate you guys always keeping on top of it. Um, Just a great job today.

This was really good from like, from top to bottom, um, as well as what's going on in chat, right? And we see people exchanging ideas and, and what's happening. So people say, well, hi, we, how do we get started? Well, this was one good, and, and every week there's different things, right? We've, you know, you have captured a flag. We did the, the IR event. Like there's all these little things people can pick up.

And then, you know, also, again, and I don't say this because it's what we do, 'cause you can go other places too, but man, the ms you, you need to be in an MSP peer group right now because we see that together. They're more likely to, to go faster down this road and not necessarily a security base. You can do that too, but just MSPs that are working together, MSP leaders are more likely to be able to figure this out and, and move their cultures up, uh, you know, uh, as a team. So. Great. Yeah.

Well, thank you, Gary. I really appreciate you taking over there on the second part. It was, I, I had a blast today and, and we're gonna keep it going next week. Um, Wes uh, closing thoughts and comments? Yeah, I had to take the, uh, thug, the thug glasses off for that. So, uh, you know, what we're really talking about here is culture comes first, and I think that's something that we're hearing loud and clear, right? So we all are at different levels of maturity. Hey, there we go, Kyle.

I like it. Uh, different levels of maturity, different levels of capabilities, but you, you know, what it's really about is it's about building a culture, maintaining and establishing that culture and then using that to be able to accomplish and deepen your cybersecurity agenda. So hearing that loud and clear from Kyle, hearing that loud and clear from Gary, Kyle, uh, everyone else, Steve. So, uh, yeah, that's what I wanted to say. You're saying let's go people.

Kyle, before I let you say the final things, I just wanted to thank again Steve Graham for coming on from EC Council and Carl, um, thank you so much as well. Kyle, take us home, Comradery and community all day, every day is gonna save our butts. Um, the amount that we're learning, the points that we're going, even me as a speaker, I learn from you and then I get to learn from your chat and share it with others.

So just the same way that we brought, whether it's new vulnerabilities, how to start a conversation. I'm gonna go, I'm gonna team up with Wes, Gary, and Andrew, and we're gonna make sure that future episodes that we're going to, uh, have effectively address the questions that came up today. So please keep sharing the words, spreading the message. We're almost at 1900. Let's try to get the sucker closer to 2000 and build this community the right way. Tell Your friends. Awesome. Thanks everybody.

Have a great week. Look forward to seeing you next Monday. Thanks guys. Thanks, Gary. Kyle, Wes. Take care everyone. Bye.

Related Videos