Patrick Gray
And welcome to this special soapbox edition of the Risky Business podcast. My name's Patrick Gray. For those who don't know, these soapbox editions of the show are wholly sponsored. And that means everyone you hear in one of these podcasts paid to be here. And today we are going to be chatting to the team at Push Security. Now, I need to disclose right off the bat, I am an advisor to Push Security. So it's a product I spend a lot of time with. And yeah, I really like it for reasons that will become clear. So what is Push? Push is an identity security product that is essentially... I mean, the core thing in this product is a browser extension that allows you to monitor the use of identities in an environment. Right. So instead of just looking at SSO logs and saying that is the complete picture, Push can monitor the browser for all accounts that a user in your environment might be using. You know, the browser is the ingress point for identity information these days. That's just how it is. Right. And the fact we don't have visibility there is kind of nuts. So why would you want visibility in the browser? Okay, so it can do things like protect your SSO password. So if your user tries to enter an SSO password in anything that isn't your SSO, it will stop that. That is becoming a commodity feature. And it's also becoming less relevant because Microsoft, through Entra, is doing things like mandatory passkeys, like, that's all coming, but that's not why you'd get Push. The reason you would get Push is for all of the other identities that are spun up by users in things like, you know, automation platforms, code repos, services like Snowflake, external SaaS, all sorts of external SaaS that your users are using. You might even find that you have some SaaS that you've procured through official channels, and your users aren't actually signing into it with SSO. 
Push even identified an example where users were spinning up Google accounts so they could SSO into external SaaS using personal Google accounts that use their corporate email address. So there's just a lot there that you're not gonna see unless you're using something like this. And, yeah, it gets messy real quick. There's a part in this interview where Adam points out that when people run Push for the first time, it's sort of like doing a vuln scan for the first time. You know, back 10 years ago when people would do that and freak out at the results. Because, yeah, there are accounts absolutely everywhere. People using all sorts of unsanctioned stuff, people using the wrong authentication methods, not using MFA. Push can help you with all of that. So it's no surprise that, you know, this company is doing pretty well at the moment. So yeah, let's kick into it now. We're joined by Adam Bateman, who is a co-founder of Push and he's the chief executive, and also by Luke Jennings, who is the head of research at Push. And I'll drop you in here as Adam Bateman kicks things off. Enjoy.
Adam Bateman
You've been in the industry a ton of time, just like we have. And you see all the time attackers go for the primary target and then, as that gets more and more secure, they'll go off to wherever the lowest friction is. So attackers have been going after and phishing IdP creds. Obviously it's the star prize because once you get access to that, you can then get access to every other application behind it. But as you're starting to see the introduction of passkeys and better MFA and kind of MFA by default and all these other things, attackers are starting to move out to other applications on the side. So we're starting to see people directly phish things like Postman and then use that to get access to loads of API tokens and use those to go and access other applications. We've had some pretty interesting attacks recently, like different phishing attacks that we've seen. Luke can probably talk through some of the things we detected there that are not against IdP accounts.
Patrick Gray
Yeah, Luke Jennings joining us now as well. You're getting eyes on stuff that other tooling just doesn't see. So, yeah, walk us through some nice examples, Luke, if you would.
Luke Jennings
Sure, yeah. So I think, yeah, we see a huge amount of that sandbox evasion stuff now. That's pretty default. Precision-validated phishing is a new term that's been used for some of this too, where it's actually targeted specifically at the email and it verifies the email address before going through, so that if you don't supply the correct email address, it won't turn into a phishing attack. But we've also seen some sort of interesting hybrid attacks where email is technically the delivery vector, but there'll be other legitimate services involved. That can be as simple as just sharing a legitimate Google Doc with an account that can only be accessed with their account, but the phishing then takes place once they're directed in there. But we've seen other services involved recently. Like Jotform is a really good example. I've seen a few instances of that recently and quite clever email sort of trickery around that. So we saw a case recently where someone had filled out a contact request form on a website, and that obviously engages the sales process, and they set up fictional sort of people behind that. Then the salesperson ends up reaching out to the phisher and they then share a Jotform with them, and within Jotform you can then redirect to another URL. So that eventually then leads to an attacker-in-the-middle phishing server. But you've kind of gone through this convoluted route that got them there, which meant they reached out to you. And some of it happened over email. But for sort of an email gateway looking at that, it's very difficult to go through all those phases and realize that the phishing happened at the end.
Patrick Gray
Well, I mean, an email gateway is not looking for outbound mail going to people doing the phishing. Right. If anything, that's a signal that address is clean and can be trusted if the contact was initiated from inside the company. So yeah, woof.
Luke Jennings
Yeah, that's true. I mean, and obviously we also see things that completely, you know, avoid email entirely too. Like malvertising has always been a thing, but we've definitely seen instances of that on our estates recently. Like I spoke publicly recently about one that was targeting Onfido, which is like a digital identity verification company, and they'd spun up an Evilginx server emulating their dashboard and just advertised it on Google and were taking people there. And in our case we saw someone that normally accesses it via Okta just Google for it, click on it, get taken to the malicious server. And in that case actually some of the aspects of it, combined with what's been in the news recently, makes me think it might have even been Scattered Spider that were behind it. But I spoke about it. So once it was public it got taken down fairly quickly. But I think, yeah, there's targeting of the sort of non-IdP accounts and sort of various trickery around sandbox evasion and kind of getting around email filters is just becoming almost a default now through various different means.
Patrick Gray
Yeah, I mean, I suppose some of the good news here though, like you spoke about, what is it? Evilgenics? Is that how you actually pronounce it?
Luke Jennings
Evilginx.
Patrick Gray
Yeah, Evilginx. Okay, right. So Evilginx. This is one of the phish kits that's, you know, probably the most popular at the moment. And it allows for one-time passcode pass-through, you know, it will successfully log in a user, but also copy over the authentication token to the attacker. I guess the reason I wanted to talk about that is because the good news here is once you are actually in the browser, that stuff is reasonably easy to spot.
Luke Jennings
Yes. Yeah, we're in a pretty unique position there. We get to the point where everything's been decoded, the DOM has been decoded, all those things, and we can look at the interactions with the user as well. So we can see when they're interacting with different components of the page, such as entering their password as well. So being in the browser puts you in a pretty unique position to inspect things at various different levels, which is just very difficult for other controls to do. So I think it's a sort of... it's the difference of, like, to some extent, static analysis versus dynamic analysis and what we saw with evasion techniques in the malware world before.
Patrick Gray
So, Adam, back to you for a moment. Obviously you're the chief executive. You've got your eye on the numbers and the sales and all of that. Where's the market at right now with regard to even understanding this? Because I've spoken to you just recently, actually, about, you know, enterprise browsers popping up everywhere, right? And people are like, oh, yeah, rah, rah, rah. Lots of buzz around enterprise browsers, but enterprise... And I... Look, I think enterprise browsers are good, but they don't do this. Right? So it seems like there's a lot of buzz around enterprise browsers, particularly around some of the features which you can kind of get elsewhere, like access control and whatever, which you can do through identity-aware proxies and whatnot. I guess I'm curious, like, when you're going out there and talking to CISOs, you know, are they coming to you already knowing that they've got a problem here, or is it more a sort of sales process where people gradually figure it out as you're talking to them?
Adam Bateman
Yeah, there's a couple of parts to that. I'd say identity attacks are front of mind for people now. When we first started this, people were very much focused on endpoint infrastructure, but I think there's just been more and more attacks like the Snowflake one, there's been a ton of different phishing attacks and, you know, groups like Scattered Spider have been bringing this front of mind. So people are definitely out there looking for solutions to solve identity security. I'd say the other thing is that when we first started, being in the browser was just really weird to people. They were like, you know, we had comments like, really, a browser extension? Hadn't even considered that as being a security control. We're actually really grateful to the enterprise browsers because I'd say over time they've really normalized that and it's now a really accepted way, and it just makes a ton of sense to people to move into the browser and put security controls in there. But yeah, we're very different. We don't see ourselves competing with enterprise browsers at all. I think with moving into, or being in, the browser, people are over-indexing on the browser component of this at the moment, if you see what I mean. But once you actually get past being in the browser, there's a ton of different problems you can solve. Right. You could solve insider threat, you could solve access control, you can solve detection and response and stopping phishing. We happen to be solving identity attacks because it's a big problem hitting the industry right now, with a big, big focus on phishing just because of the amount of attacks that we've seen there at the moment. So yeah, so for us we see enterprise browsers as, like, another operating system we support, and we work inside every browser, including enterprise browsers. We very much complement them and add on top of them, I'd say.
Patrick Gray
Yeah. But I guess the thing is people, yeah, as you say, they're sort of over-indexing on that side because it's the shiny new thing. And you know, you can still get phished if you're an enterprise browser customer.
Adam Bateman
Yeah. And well, it's also the ability to do investigations. Right. Like we can dive a lot deeper. We can see what actually happened. You can see a timeline leading up to the event. There's lots of other information you can get. You can also see things like the entire identity attack surface. You can see every identity that passes through the browser. We can, like, diff logins with stuff that's up for sale on the dark web, for example, or we just go a lot, lot deeper into that particular problem. I think ultimately enterprise browsers are there to protect the company from the employees. It's like who should access what, what kind of access control, DLP, should you be screenshotting and that kind of stuff. We're much more focused on how do we stop the company, or how do we protect the company, from attackers, specifically around identity attacks.
Patrick Gray
Now you just mentioned investigations, right. So this is, you know, you've kind of got some detection and response use cases. One thing that you've told me prospects really like is when you call it, it's like EDR, but for the browser. But what does that actually mean? Like, what does that mean when you're doing, you know, an investigation into the sort of data that you collect? Like, what are you going to be investigating?
Adam Bateman
Yeah, so we built the product to be super easy to use. So you deploy it and it blocks. That's the main thing. Like, just like, you know, again, the EDR example, you can get loads of raw telemetry out and you can feed it into your SIEM and your SOAR and you can do lots and lots of clever rules and you can augment that with other logs in the environment, but 99% of the planet will deploy it and it just does the blocking. Right. So we've very much followed that same approach where you deploy it, we can inspect the page and we can see how a user's interacting with it. If they're entering a critical password, it'll just block it. So a lot of people use that as set and forget. But the power of being inside the browser is we can see things like, you can see network traffic, you can see libraries like JavaScript libraries that are loading externally or inside the page. You can see what local storage looks like, you can see what cookies are being set and tons of different things. What that means is that you can effectively hunt across the browsers in such a way that you could say, show me whoever's visited this particular domain that's behind Cloudflare Turnstile, which is a common technique we see for doing bot protection, to do evasion, where local storage is empty, meaning that no one's ever visited this before and it's just been done for the first time. You can also see things like whether it all came from a single tab, which might sound trivial, but actually if you think about doing that at the network level, it's quite difficult to sort of tie the same, like, multiple requests together, because they could be coming out of multiple different websites and different tabs. When you can see them as one, you know it's one visit actually behaving in a particular way, if that makes sense. So you can actually see a timeline, you could see, you know, you can get screenshots, you can see who actually clicked on a particular link on LinkedIn. 
You can see then what that opened, what people did after that event, and whether or not they typed a password into it or not. They could have just visited the site, for example, but you can actually see they've actually gone further on what they typed into the username password box as well.
Patrick Gray
So are people actually doing, like, what you just described, too? Like, some of it is like some searches and there's some logic around that that would make great SIEM alerts. Are people actually doing that yet? Or is this just more like, you know, the vision of the future and how people might use it? Because, I mean, honestly, Adam, I get the impression people just are mostly buying this because it's a phishing control that works, that just... You install it and it does stuff. So that's why I'm asking, are people actually doing that or is that just something you want them to do in the future?
Adam Bateman
Yeah, like, it's something we're building towards in the future, but it's... The reason that we are doing it this way is because, as I said, the majority of people like the fact that we can hunt across the browsers and write detections quickly.
Patrick Gray
Yeah.
Adam Bateman
Then later on, towards the end of the year, we're actually going to be putting that at the hands.
Patrick Gray
They might want to do that themselves, right?
Adam Bateman
Yeah, yeah, yeah, exactly. So more advanced teams are working with us in that way. But the way we're thinking about this at the moment is we have... Luke is VP of research and he has his research team, and they're constantly looking into new phishing kits, either across our customer base or ones that are just coming out of the wild from live attacks. And we're taking those things apart, and we were in a position where, in order for us to get those detections out very, very quickly so we can block those for our customers, we need to go through a process of, you know, actually building any indicators into the browser extension and then shipping it across the customer base. The thing is with detections, right, there's two sides of the coin. You can test that your kit will detect a phish kit within a lab, but then you also need to make sure it doesn't detect legitimate stuff out in the wild. So you have to go through a process here where, once you've written the detection, you deploy it out across the customer base, you monitor for a while to make sure that it's just picking up the true positives, and then you get into production. And that length of time can be fairly long. So what we've been working on is effectively what's much more like, you can consider it like osquery in the browser. So the browser is effectively recording lots of different activities, like JavaScript that's being loaded, like network requests that are coming out of the browser, like the state of the DOM and cookies that are being set and those kinds of things, which effectively allows us to build those detections out in a no-code way. And it just basically means that once we detect something we want to build a detection in, it could be done really, really, really fast. So at the moment we're using that to actually go look back retrospectively to find indicators of attack, to ship detections much, much faster. 
And then later on, towards the end of the year, we're going to be starting to ship that and putting it in the hands of more advanced teams so they can actually write their own detections as well.
Patrick Gray
Yeah, it makes a lot of sense. Now, Luke, I got a question for you, which is, we're talking about, okay, you found something new. You want to write a detection for that new phish kit or whatever, roll it out to all of your customers. You know, how are you alerting on new phish kits? Like, is this the case that you might see some external research, or one of your buddies who's like in some underground marketplace managed to get their hands on some new phish kit that's being shopped around? Or is it the case that you are actually doing sort of, you know, forward hunting through your users' telemetry and actually just looking for these things? And how do you begin to actually search for phish kits, like novel phish kits, new phish kits, in those sort of data sets? How does that whole process work?
Luke Jennings
Sure, I mean, it's a range of methods really. Some phish kits are widely spread out there and we see new examples of them, even from simple sources like urlscan, coming online. So we're constantly evaluating changes and looking for increasingly better ways of finding things, especially if they adapt and change. So we've got that sample set to go by, but also we have a control called SSO password protection where we can tell if someone enters their SSO password into any website and we can stop it.
Patrick Gray
Right, so this is... I'll just interrupt you there and explain to the listeners and viewers who, you know, because I don't think we mentioned that previously, but like, once you're a Push user, you cannot enter your SSO password into a website that is not your IdP. It just won't let you. So that makes so much sense, that you basically wait for the phishing attempt to succeed. When they're doing SSO-based phishing, they try to drop their password at that domain and then that gives you a red-hot signal that that's a phishing site.
Luke Jennings
Yeah, so we find new things that we don't have any other detections for that way too. I mean, like 99% of the time it's a legit website. Someone's just using their password in it, right? Yeah, but then 1% of the time it's a phishing server. I mean, just the other day I saw a Postman phishing server that I hadn't seen before and someone entering their SSO password into that. So yeah, like, that's a great way of finding zero-day threats for us as well, to then help build new, better pre-auth detections to put back in the funnel as well. So that's a great source for us.
Patrick Gray
I mean, you could also do that with... It wouldn't just need to be SSO passwords. You could also alert when they're trying to, you know, use their legitimate passwords from various... Which of course you're not storing, like, before anyone writes in and says why are they storing passwords, they're not. They're not. Because they're not dummies. Okay. But you know, you could take, you know, a secure hash of, like, a selection of the accounts, you know, across a user base and then just see where they're popping up where they shouldn't. And you're right, it's going to be mostly people misremembering their passwords and entering the wrong one into the... But you know, you could write some exclusions for that pretty easily, for, you know, you could sort of just block-list the legitimate services from the alerting logic there and you'd be pretty good to go. Sorry, my mind's just spinning with, like, how easy, you know, it's easy fishing. Fish in a barrel. There you go. That's what you need to call that feature. Adam, you wanted to jump in there.
Adam Bateman
I was just going to say, keep in mind that we are observing logins to, and like, app usage for the entire company. So we can kind of tell and build up an inventory of all the apps that are being used inside that company. So if we see someone entering their SSO password outside of that group of applications, then that's different to it being used inside that group of applications.
Luke Jennings
Right.
Adam Bateman
So we can distinguish.
Patrick Gray
That's kind of what I meant with the block list there. But, you know, I guess the question is, like, if you see a user trying to put their LinkedIn password into some weird Russian domain that was registered three days ago, like, you know, that would be a fairly solid indication as well. That's where I was going with that.
Adam Bateman
Yeah, totally. And we've been careful not to go too far ahead of the market. So we focused on protecting SSO passwords being re-entered into other sites initially, because that's where attackers were going. Now we're seeing increasingly, as you know, like you said, Entra adding passkeys by default soon and people getting better at enabling MFA by default on their accounts, we're starting to see attackers move off of SSO and targeting things outside of that. So we're just now adding more and more and more support into protecting password reuse for those other applications as well.
Patrick Gray
Yeah. So what are the most commonly targeted sort of applications that you're seeing at the moment? Like, what are attackers really loving? What are they going after that's not their Entra or their Okta creds?
Adam Bateman
I think the big ones recently have been like Jira, because there's just lots of interesting information. With Hellcat, we saw a huge increase of attacks there, and we caught an attack recently against Postman. I think you saw. Well, there's some other ones you can think of, Luke.
Luke Jennings
Yeah, I mean, the Onfido one was an interesting one because they're a digital identity verification company, and that I think would have been after their customers. That would be fairly interesting sort of fintech customers and so forth. I saw an automation platform being spoofed just the other day. I forget which one it was now. But obviously workflow automation systems often have very privileged access via OAuth to other systems. So they're a great target for lateral movement to other sensitive systems. So that's one I saw.
Patrick Gray
Yeah, all of that makes sense. And obviously we're seeing certain classes of attacker really focus on supply chain. You know, I just published a podcast with a couple of the SentinelOne people talking about attackers going after their suppliers, for example, and also, you know, North Korea trying to get workers hired in there and whatever. Mostly they think because they have a fairly decent customer base within the sort of crypto ecosystem. But it's certainly where we see those sort of attacks, like targeting the crypto exchanges and, you know, DeFis and whatever. I'd imagine that... Well, I'm curious, Adam, like, are you finding you're getting traction in that space? Because it seems like the crypto world is one that really sort of understands the risks that can be posed from these sort of external services, external SaaS.
Adam Bateman
We do have some crypto customers, but I mean, honestly, at this point we have customers across pretty much every sector. And that actually surprised us, because initially when we started to build the company, we felt like the place we were going to target were like completely SaaS-native type companies. Right. Like startups that were all SaaS-orientated, that were much more like modern tech companies, because we're like the primary control for that sort of company. If you think of, probably, MacBooks that do all their work in the browser, it makes sense. We do have a lot of those sorts of customers and crypto exchanges would fit into that profile. But we even have, like, charities and, you know, like local tourist centers, and, you know, we have a regional US airport, for example, that just signed up for this stuff as well. I think ultimately, just because everyone gets that phishing is a problem, everyone gets that you can click on phishing links in multiple places and you're starting to see that expand out. And even so, like, people want to understand what SaaS applications people are using. They want to understand what accounts are out there, which ones are vulnerable. I think inherently people just understand that it's an easy attack to execute. You basically just log into the account and you do your thing. There's no trying to bypass some MDR service and having to persist on an endpoint and move out to the network. You just log into an account. So it's something that people just get, which is why we're just seeing such a, I guess, wide customer base from different sectors.
Patrick Gray
Yeah. So I just want to go back to something you mentioned, Luke, which is people were going after this... Was it like an automation platform or something? And the reason they were doing that is because they could then use that access to OAuth-authorize entry into a bunch of other different services. But that brings up the topic of, like, OAuth grants in the browser. So we've been just focusing this conversation on phishing. But another thing that is really taking off in terms of popularity is, like, OAuth phishing, because that gets you an awful lot. Right. If you could put an OAuth grant to a malicious application in front of a user and they approve it, that is a compromise. Right. So what are you guys doing currently around OAuth? Because I know that you've been thinking about it, you've been talking, but I'm not actually clear on what it is that you're actually doing to prevent malicious, like, OAuth grants.
Luke Jennings
Yeah, so we're not covering that in the browser for detection right now. We have backend integrations with Google, Microsoft, where we analyze that and we get all of the integrations that we see, and new ones, and we analyze the permissions and we highlight ones that are risky. So we've got that from a backend integration perspective. But I think we'll probably do more in the browser as well with that in future.
Patrick Gray
Well, I mean, but that is one case where you don't strictly need that. You don't strictly need to be in the browser. If everybody's using an enrolled device, if everybody's using Edge or whatever and it's through their 365 account, you could just pull an API and get that list, that's fine. But I guess one area where it might be handy to see it in the browser is the context through which that user wound up having that grant put in front of them in the first place. I mean, is that sort of the thinking there?
Luke Jennings
Yeah, so I think in the browser we would definitely see more context around it. So that's one reason. I think also, until now, probably 99% of OAuth-related grants are something connecting into Microsoft or Google. But over time we're getting more and more SaaS apps that are offering OAuth in the other direction. So we're seeing OAuth connections between apps that don't involve the major IdP. So I think that sort of sprawl of the OAuth side is increasing too, and we'll get visibility there through the browser.
Patrick Gray
Why are they doing that? That sounds just. I mean, I get it. I mean, I'm sure there's a reason, but what you just described sounds like it's not going to be a fun time.
Adam Bateman
What can go wrong?
Patrick Gray
Unless you're... exactly right. But like, so, okay, so you know, how do you even begin to tackle that? Because Adam, previously we've talked and you're like, look, OAuth grants are easy to see in the browser because it's all going through your major IdP. Right? Like it's a, you know, an OAuth grant. If you're a Google shop, it is actually going to be a Google thing that pops up in front of the user. It's not like a fake page. It's always a legit page from the actual, you know, authorizing, you know, from the point of trust. Right. But I suppose if every Tom, Dick and Harry starts offering, well, you have a valid session token for this, you know, Pat's Risky Business web application, and now you can OAuth grant access to that one over here. Like, I don't know, man, it's sort of hurting my brain. Like, is it going to be easy, I guess is the question, to come up with generic ways to understand when an OAuth grant is happening, when it's happening across multiple applications? Like when the user could be doing an OAuth grant across, like, 10 different apps.
Luke Jennings
Yeah, so like, because it's a standard or standard-ish protocol, what we see is that there's a very small variation in the way that it's implemented in terms of protocol requests. So yes, you can actually pretty generically track OAuth across anything in the browser. I've only seen a very small number of different types of it in terms of names of params and all that sort of stuff. So separately, I already do this inside of Push. I have my own research extension, I track the whole of Push. I found things that we didn't know were happening just via that.
Patrick Gray
What sort of things? I'm curious.
Luke Jennings
So this is not a malicious example, but it's just another case of the complexity of modern identity. But say we use Loom, for example, for sharing videos, right? And we log into everything ideally with SAML-based logins for Google, if not OIDC Google logins. And that's how we would access Loom normally. But we've got Slack integration for it, which we knew about. But what happens is, we realized if someone just posts any Loom video on Slack, which is how we normally share them, when someone clicks it to view it, it was auto-logging in with Slack rather than with Google.
Patrick Gray
So what I mean is that, like, Slack then is becoming like a pseudo-IdP for logging into Loom. And that's, I mean, that sounds like a relatively benign example, but it's just like with all of these developer tools and, you know, and cloud and SaaS. I keep saying it's kind of the same thing these days, right? Like what are those relationships going to look like five years from now? And that's why I've been sitting here, like, kind of, you know, with my brain on fire a little bit, because I just think, oh God, what are we doing?
Luke Jennings
Yeah, it's definitely increasing. And yeah, the ultimate target for these is automation platforms like the Makes, the Zapiers, all those kinds, because they are like full no-code platforms. When you see people doing that, it's not just having like data access, it's the ability to write code effectively that runs and does anything you want with that access in future. So like, you know, that's the really powerful target and it's an amazing persistence technique as well, if you compromise an account and you go and do the grants yourself as an attacker. So it's a huge attack surface.
Patrick Gray
Yeah. Yeah. Well, look, we're going to move towards wrapping this up, but I guess back to you, Adam, just for a couple more questions about, like, the adoption side of this. I mean, you mentioned, hey, we've got a charity, we've got a few people in crypto, We've got people sort of everywhere. You've also got the infosec bread and butter type customers, which are gigantic mega banks. I'm guessing you're probably seeing some pretty good adoption in banking and financial services. Would that be accurate to say that?
Adam Bateman
Yeah, we're across all sectors, but financial has been a really big one for us. I think generally they just care a lot about security, they invest a lot in security, and there's a lot of attacks.
Patrick Gray
Well, that's why I called them the Infosec. They're everybody's favorite payday is like the big banks, right?
Adam Bateman
Yeah. So we have some more traditional banks, like up to 300,000 employees, all the way down to companies that are like 20 employees. And they've just signed up on their own free trial because we have like 10 free licenses. People will just sign up and they'll deploy a browser extension out to even just their VIPs or like their highly privileged users inside the company, and bang, they've got out-of-the-box phish kit protection. So we sometimes see smaller companies just signing up and deploying for that reason, and then they'll just gradually grow and add more licenses as well. So, yeah, we literally have all the way up from huge, huge enterprises right down to smaller companies.
Patrick Gray
So I guess the reason I was asking that is now that we've established that your tech is in some pretty important places, can you think of a really great save that a customer's come to you and said, my God, one of our users tried to enter X into. Yeah, and if they had have done that, Zed would have happened.
Adam Bateman
We see everything that evades absolutely everything else and then we catch it at the end. So we see a ton of stuff like the things we've been talking about in this podcast, right? It's like we see all the different things that have evaded all the other controls and they've got around different places. But we also see stuff like people have found things, like we've had people reporting bugs to us saying, hey, there's a bug in the platform right now. Because it's saying that there's 60 people missing MFA on our GitHub, for example. And we dug into this and we're like, actually this isn't a bug. This is real. Nope, can't be possible. Turned out to be a big configuration issue where someone has sort of dragged someone into a different OU. And then it disabled MFA for a ton of different accounts. So we've had, you know, missing MFA with stolen credentials on people's CMS that manage the entire website, which is really important to that particular company. Like, lots and lots of different things like this all the time. I think the way I think about this is it's very much like a new attack surface. And so how I'm feeling about it at the moment is, you know how when we used to have this external network perimeter, it's like you'd have a network diagram of how pretty things looked. And it looked like my firewall's configured like this, and it had three or four ports through. And then you do a vuln scan.
Patrick Gray
And then you actually do a bunch of Nmaps.
Adam Bateman
Yeah, exactly. And then it looks completely different. It's very similar to that right now. It's like people sort of have this view of what their identity attack surface looks like, and they sort of feel like they have Okta with everything behind that. And actually, the reality is that when you actually get the visibility, you realize that there's not just Okta as your IDP, but GitHub's an IDP. And, like, you know, Sage is an IDP. And just like, there's just IDPs hanging off of IDPs, hanging off of IDPs. We have different local accounts and there's people making mistakes and all those kinds of things in one go. So we just see so much stuff at this point. It's. Yeah, it's interesting.
Patrick Gray
All right, Adam Bateman, Luke Jennings, thank you so much for joining me to talk about, I guess, you know, how phishing, sadly, is still a problem even in the age of passkeys, and how the sprawling identities that your users generate and the relationships between them, I promise you, we all promise you, you do not understand. Yeah. Great to chat to you, Adam. Great to see you, Luke. Cheers.
Adam Bateman
Thanks, man.
Luke Jennings
Cheers. Bye.
Risky Business Podcast Summary
Episode: Risky Biz Soap Box: Push Security's Browser-First Twist on Identity Security
Host: Patrick Gray
Guests: Adam Bateman (Co-Founder and CEO, Push Security) and Luke Jennings (Head of Research, Push Security)
In this special soapbox edition of the Risky Business podcast, host Patrick Gray talks with Push Security, an identity security company that monitors and protects user identities from inside the browser. Sponsored entirely by Push Security, this episode features a conversation with Adam Bateman, Co-Founder and CEO, and Luke Jennings, Head of Research, on the complexities of modern identity threats and how Push approaches them.
Patrick Gray begins by outlining the core functionality of Push Security. Unlike traditional identity security solutions that primarily analyze Single Sign-On (SSO) logs, Push employs a browser extension to monitor all user accounts accessed through the browser, which is the primary ingress point for identity information today.
Patrick Gray emphasizes the necessity of browser visibility:
"Push can monitor the browser for all accounts that a user in your environment is using... the browser is the ingress point for identity information these days. The fact we don't have visibility there is kind of nuts." (00:00)
This comprehensive monitoring allows Push to detect not only SSO misuse but also unauthorized access to various SaaS applications, automation platforms, and more, providing a holistic view of an organization's identity landscape.
Adam Bateman discusses the shifting tactics of attackers who, as defenses around primary SSO credentials strengthen, pivot to exploiting other applications with lower friction points.
"Attackers are starting to move out to other applications on the side. So we're seeing people directly phish things like Postman directly and then use that to get access to loads of API tokens..." (03:08)
Luke Jennings adds that modern phishing attacks have become more sophisticated, often circumventing traditional email gateways by leveraging legitimate services or hybrid attack vectors:
"We've seen some very interesting hybrid attacks where email is technically the delivery vector, but there's other legitimate services involved..." (04:19)
Patrick inquires about Push's capabilities in detecting and responding to sophisticated phishing attempts. Adam explains Push's dual approach:
Set-and-Forget Blocking: Most users deploy Push for automated blocking of malicious attempts without manual intervention.
"We can see network traffic, JavaScript libraries, local storage, cookies, and more to effectively hunt across the browsers..." (12:12)
Advanced Hunting and Detection: For security teams seeking deeper insights, Push offers tools akin to "EDR for the browser," enabling detailed investigations into user activities and potential breaches.
"We're building towards putting advanced hunting capabilities in the hands of more advanced teams towards the end of the year..." (14:36)
Adam Bateman highlights Push's broad and diverse customer base, spanning various sectors beyond the initially targeted SaaS-native companies. Financial services, known for their stringent security requirements, are significant adopters:
"Financial has been a really big one for us. They just care a lot about security, they invest a lot in security, and there's a lot of attacks." (30:32)
The conversation shifts to the emerging threat of OAuth phishing, where attackers exploit OAuth grants to gain extensive access across services. Patrick probes Push's current and future strategies to combat this:
Luke Jennings explains Push's backend integrations with major IDPs like Google and Microsoft, which help identify and flag risky OAuth permissions:
"We analyze the permissions and highlight ones that are risky... we'll probably do more in the browser as well with that in future." (25:06)
Adam Bateman elaborates on the need for visibility in diverse OAuth implementations, especially as more SaaS applications adopt OAuth beyond traditional IDPs:
"We're seeing OAuth connections between apps that don't involve the major IDP... so we're seeing OAuth sprawl increasing." (26:04)
Adam shares success stories where Push has preemptively identified and mitigated critical security threats:
"We've had people reporting bugs to us saying, hey, there's a bug in the platform... turned out to be a big configuration issue where someone had dragged someone into a different OU, disabling MFA for many accounts." (31:45)
Such instances show how browser-level visibility uncovers misconfigurations and credential exposures that other controls have missed.
The episode concludes with Patrick Gray and the Push Security team emphasizing the growing complexity of identity security. Push's browser-first approach is pitched as a way to see and block phishing and identity misuse that SSO logs alone do not reveal.
"It's like when we used to have an external network perimeter... Now, it's about understanding the sprawling identity attack surface." — Adam Bateman (33:06)
Adam and Luke express optimism about future developments, including advanced detection tools and broader OAuth protection, positioning Push Security at the forefront of identity security innovation.
Patrick Gray wraps up the discussion:
"We've established that your tech is in some pretty important places. Can you think of a really great save that a customer's come to you and said, my God, one of our users tried to enter X into Y..." (31:25)
Notable Quotes:
"Push can monitor the browser for all accounts that a user in your environment is using... the browser is the ingress point for identity information these days." — Patrick Gray (00:00)
"Attackers are starting to move out to other applications on the side... phish things like Postman directly." — Adam Bateman (03:08)
"We're in a pretty unique position there. We get to the point where everything's been decoded, the DOM has been decoded..." — Luke Jennings (07:44)
"We're much more focused on how do we stop the company or how do we protect the company from attackers, specifically around identity attacks." — Adam Bateman (11:49)
"OAuth is a huge attack surface... it's the ability to write code effectively that runs and does anything you want with that access in future." — Luke Jennings (28:24)
This episode gives a view of the evolving identity security landscape and of how Push Security's browser-first approach addresses it. Whether you are an information security professional or simply interested in digital identity protection, the discussion offers a broad picture of the current and future state of identity security.