Loading summary
A
Hello, everyone. This is Tom Uren. I'm here with another Risky Business News sponsor interview. Today I have with me Marco Slaviero from thinkst. Marco is the cto.
B
G'. Day.
A
How are you?
B
Good, Tom. How you doing?
A
I'm very well. So today we're going to talk about what it means to be a learning organization. And the aspect that I've come across is Thinkscapes, where you collate a whole lot of research and publish it every couple of months. But my understanding is that that's just one part of what you do to make thingst an organization that adapts and learns.
B
That's right. So, like, being a learning organization is one of our core values. It's cheesy to talk about values sometimes, but it genuinely is one of our four values. And. And that expresses itself through a bunch of ways. But one of the ones that's very concrete is we've made space at thingst for a dedicated thinxt Labs. And THINXT Labs Ambit for us is to basically keep us at the forefront of where sort of cybersecurity research generally is. And we want to be publishing technical research primarily. We want to do this in the realm of infosec. We want to be tackling problems that are generally aligned with Canary and our commercial products. But we also will undertake research there that's not actually commercial or has no commercial value. If we're going to learn something from that, from that work. Right.
A
I'll jump in and say that values are only cheesy if you don't live up to them. So I'm very gratified to learn that you're actually dedicating some effort to doing that.
B
Yes. You know, we sort of joke about the values being printed and stuck up on a wall and then ignored. And I mean, this is one of those things you can tell people when they join, and until they experience it, it's just value stuck up on the wall. But being a learning org is a very important thing for us. And so we have Thinks Labs, and thinkscapes is one of the publications that comes out of Things Labs, as you said, it's the sort of quarterly research summary, and it's not our research. Right. And so, like, we are surveying, like, every quarter, there are literally thousands of publications in the form of conference talks, in the form of blog posts, in the form of papers that people put out. And there's a heck of a lot of stuff in all of that. And so once a quarter, we go through as much as we can, we pull out the Bits that we think are interesting and then we publish that as a sort of a service. So we used to have that as a paid product and several years ago we've started releasing it for free. And like, in a sense like that I think speaks to one of the things that we see is quite important with Labs, which is it's a cost center. Like it's not trying to generate revenue and it shouldn't be trying to generate revenue. Like it's supposed to lead us in terms of learning and it's supposed to be making us smarter. And in this case Labs can contribute something with Thinkscapes that hopefully is making other folks also a little bit more aware of the world around them. Maybe making them a little bit smarter too.
A
Yep. So you said that Thinkscapes is just one of the things that Labs does though?
B
Yes. In a sort of similar line, Labs also would do things like run internal talks at things. Right. So somebody has to sort of own that and running internal talks. What we try to do is have our own folks regularly speak to the rest of the company about work that they've done, the projects that they've been involved with and, and for lots of the team, it's the first time that they've done a talk. Right. If they've come out of a very development heavy background or some of them are pretty fresh out of university, they've not done talks. And we sort of have a particular standard for talks. And so one of Labs activities there is coaching folks through building this talk and delivering the talk and then sort of managing that internal talk process with the goal hopefully for building folks up to actually also delivering external talks at some point. And then our labs would also be a part of that process for helping them perform whatever research, if there's research that needs, that's needed in that external talk, but then also in just the sort of nuts and bolts mechanics of actually delivering and, or practicing and kind of designing that talk. Because just pitching up and talking is not a thing, I'm sure, as you most folks will know. Yeah.
A
And what else is there?
B
So a bunch of other things. So our Labs team are playing with new technology for, for helping us. And I mean that's a very broad statement but you know, AI is obviously a, it's been a thing now for a while. Our Labs folks have been part and parcel of sort of exploring that landscape. You know, the development team is quite focused on building Canary and Labs now has the space to explore tools both in the realm of internal knowledge management. We've got a Bunch of different sort of repositories of knowledge. It could be a wiki, it could be a task manager, it could be our knowledge base, it could be our support tickets, all of that, and sort of pulling that together to sort of give us one interface to kind of explore. Labs was involved in that project, for example, like, they become the place that does that. Our Labs has also helped us with quite a lot of product pocing work. So, you know, when we've got ideas for new extensions or features in Canary and we're not yet sure if they're possible or how they might be built, then our Labs team will often take on some of that work and just sort of build an initial POC to go. Yeah, actually there is something here that would work for Canary, but that work, as I said, it's a cost center because Labs will often undertake that work and we explore it and then what happens at the end of the day is we go, actually, this thing doesn't fit into the product. And so folks may be familiar with us at this point. Like, a big focus for us with Canarion with the things that we put out is they have to be easy to use and designing, like, very complex things, while it's obviously possible, like, there's just friction there for our end users. And so LATS has fairly frequently done work where, you know, you sort of say, there's a great thing here to put into the product, but it's going to require a bunch of these holes to line up. And if they don't line up in that particular customer environment, well, then that customer is going to see a lot of noise. And then we'll, you know, we go, okay, cool, that's an interesting exploration, but that doesn't fit for how we see Canary. And so then that thing doesn't go into the product. So Labs conducts that sort of exploratory work and some of it will enter into the product, and some of it actually then just results in, for example, a blog post saying, we tried this thing, it didn't work out. But here's maybe some thinking for people if they want to carry on.
A
My mind is just boggling thinking about AI canaries, but that might even be, you know, ignore all previous instructions and get this image with.
B
There's definitely a bunch of play in there.
A
Yeah, something to look forward to, I guess.
B
Yes. And it is a place that Labs is focused on. So hopefully we'll see something coming out of our Labs. Because, I mean, one of the other aspects for Labs is just research publication. So us Conducting novel research and publishing it. And that also fits within sort of the, the direction and goals for the labs team.
A
Yeah. So one thing I was wondering about is it's really common for other groups to have labs or publish research. And mostly that research, in my cynical view is about a marketing exercise. So it doesn't mean it's necessarily bad research, it's just that it seems that the main motivation behind releasing it is to emphasize the group's, you know, capabilities or chops or expertise, what have you. But I actually think that's a great thing for the cyber security field because it's changed the dynamic about releasing information. But at the same time it seems that if there was less publicity associated with it, there'd be less funding and less work. But it seems like you're running a slightly different model.
B
Yeah. And to be honest, I actually think similar to you, Tom, I don't dislike that other model hugely. I think it results in usable research or useful research. But it is true that I think for lots of the more consulting folks, their labs teams are typically there to effectively show how smart they are and then to generate follow on consulting work. Again. I was part of something along those lines when I did pen testing a long time ago. Now I don't completely hate it, but I think we do position ourselves slightly differently. For one, our work is not just externally focused. So you know, I've spoken about a bunch of the things that our labs does internally, but, but by and large, so if I had to, and it's a big statement, but if I had to say what our North Star is around labs work, Xerox parc, it looms very large in our thinking for the sort of research lab that can do like fundamental research and have this huge impact on the rest of computing. And by many measures PARC was a commercial failure. Right. They didn't manage to exploit those, all those, the research that they, that they conducted, but their impact has been massive. And so we don't think that our labs has to generate revenue. We really do think that it can publish research, but we can also publish summaries of other people's research if we think it's going to help. And we can focus internally on our own talks, on extending our own product, on exploring our own problems. And for what it's worth, we don't even see our exploration with labs as necessarily always been in security. So we've already run a project inside labs in which one of our team did a computer vision project which was effectively a sabbatical for them from their day to day work. And they took a sabbatical into Labs to do some computer vision work. And that resulted in what was effectively an academic paper. And that's where it stopped. And so we're happy because it gives us, you know, it gives our own team a place to explore and to stretch themselves, and that's good enough for us.
A
So you spoke briefly before about how Labs contributes to products. What else is on the product roadmap and is Labs contributing that or do you have other things as well?
B
Yeah, so there are a couple of things coming up for us product wise. So just super quickly, Labs does contribute and has contributed towards the product historically and will continue to do that. Two of the things that I did want to touch on, product wise, are around Canary tokens. So earlier this year we acquired a company called Deceptic. And as part of that acquisition, we're Bringing on Stream 2 of the Deception canary tokens that Deceptic had. And specifically there's two there. The first one is if you run CrowdStrike, or even if you don't run CrowdStrike, you may be aware of their real time response product. It's effectively the tool that lets you admins remotely investigate and do response on machines in their fleet. Now, essentially the difference between sysadmins and attackers is intent, not effect. Real Time response is actually a fantastic tool for attackers. And so if attackers can get access to your CrowdStrike real time response, they've got remote access to all your machines. And one of the ways they can do this is through CrowdStrike API credentials. And so what we do with this new canary token type is we give you a set of CrowdStrike API credentials and you deploy those somewhere in your network. If an attacker comes across those credentials, attackers know how to use these real Time response credentials because they are effectively RCE in a box. And so if those credentials are ever used, we're monitoring them, we'll send you an alert to say that they've been used. Right. And so it fits that sort of canary token model of we give you an API key of some kind. This case it's credentials. But the key thing is they look really interesting. It's CrowdStrike API keys. And so that's the first one.
A
Are those keys just bogus keys that CrowdStrike gives you or do they just look like CrowdStrike keys?
B
No, they're real keys. So they're real keys in a CrowdStrike tenant that belongs to us, and so there's no risk to you.
A
Oh, I see.
B
And We've sort of pulled away all the permissions attached to those keys. So, so basically, we create the set of keys in a crowdstrike tenant that we own. We give them to you, they have no permissions attached to them. We are watching the logs for if they're ever used, and if they're ever
A
used, then we send the alert. So you've created a sacrificial lamb, I guess.
B
Exactly.
A
Is that the right term?
B
It works, yes.
A
But anyway, go on.
B
Yeah, it works. And then in a similar way. So on the AWS side, like, we've had AWS API key canary tokens for a long time. In fact, it was one of our very first canary token types. The basic idea is we generate valid API keys for the AWS API. You get them, you deploy them. If they're ever used, we'll send you an alert. And they also have no permissions. But one of the downsides to those keys is that we can only create 5,000 per AWS account. And that's a hard limit. AWS doesn't let you elevate it. And so we sort of built a whole bunch of infrastructure. We blogged about this and spoken about this, but basically for managing, at this point, thousands of Amazon accounts, each of them with 5,000 API keys in them. But there is another approach, and this comes again from the deceptic opposition around. There's a separate notion of user inside of Amazon. So there's the IAM users, and you also get the Identity center users. And Identity center, we can create 200,000 users per account, at least. And that actually can scale up. And so there's just sort of a very different scale of the number of credentials you can create. And so we now add in, or we will shortly be adding the IAM Identity center users, and that will let customers create many more credentials than they were able to do with the API credentials. And so that's sort of an extension of a concept that we previously had. So it's not an addition of a whole new service as much as it gives you a different scale for adding fake Amazon credentials across your own organization. So that's the. The other thing that's going to be coming shortly.
A
Well, Marco, I enjoy learning about corporate culture and how people actually make sure that it is a culture rather than just a value stuck on a wall. So thanks very much.
B
Thank you very much. Tomorrow.
Podcast Summary: Risky Bulletin – "What it means to be a learning organisation"
Date: March 8, 2026
Host: Tom Uren (A)
Guest: Marco Slaviero, CTO of thinkst (B)
This episode delves into what it means to be a genuine "learning organisation" in cybersecurity, using thinkst's approach as a case study. Tom Uren talks with Marco Slaviero, CTO of thinkst, about the company's commitment to continuous learning, the role of their Labs division, the Thinkscapes research curation, and practical examples of how research translates into both internal development and external product features.
Core Value, Not Buzzword:
Active Implementation:
What It Is:
Purpose:
Internal Talks & Staff Development:
Building Toward External Contributions:
AI & Knowledge Management:
Product Ideation (Proofs of Concept):
Many cybersecurity labs use research mainly to drive marketing and consulting, but thinkst's approach is broader — focusing on internal improvement and genuine contribution.
"For lots of the more consulting folks, their labs teams are typically there to effectively show how smart they are and then to generate follow on consulting work...we do position ourselves slightly differently." (B, 08:12)
thinkst draws inspiration from Xerox PARC — striving for impactful research, even if not directly commercial.
Flexible Research Directions:
Deceptic Acquisition:
AWS Canary Token Scaling:
This episode is a candid, inside look at building a sustainable, curious, and genuinely innovative cybersecurity company.