B
And welcome to another Soapbox edition of the Risky Business podcast. My name's Patrick Gray. These Soapbox podcasts are wholly sponsored, and that means everyone you hear in one of them paid to be here. And today we are chatting with HD Moore, who runs runZero. He's the chief executive and founder of runZero, which started off as an asset discovery platform. But as you're about to hear, they've done a huge push into vulnerability management, which is going to shake things up, in my opinion, pretty substantially. Many of you may know HD as the creator of the Metasploit framework, which was first released all the way back in 2003, so 22 years ago, which is... it's making me feel a little bit old, I'm going to be honest, because I remember writing about the release at the time. But yeah, HD, thanks for joining us. And let's get into it. Right, so runZero was always an asset discovery platform. Now it's a vulnerability management platform, basically. I don't think I'm overstating it to say that it is now a vulnerability management platform. This has gradually been coming together over the last couple of years, though, this transformation. Why don't you walk us through it?
A
Sure. Going back to the reason that we have the company in the first place: I was doing pen test work and we kept breaking in through things that our customers didn't know about. So we'd find a device in the corner, a subnet, didn't realize they had a domain, a device, something. And that led to the demand to build runZero, which is something to help find all your assets, whether they were the things that were on your map or not. What we've seen over the last few years, though, is that the assets that folks aren't aware of, that aren't part of the vuln management, are the ones that are getting breached the most. So we're seeing lots and lots of compromises based on edge-facing equipment, all your Fortinets, all your Palo Altos, all your Ivantis, things like that. And existing tools that do vulnerability management are really bad at telling you whether those devices exist or are patched. That's really been it. Our customers have been pulling us towards vulnerability management specifically and exposure management in general for a couple of years now. And we decided just to go whole hog into it and do our best to help folks not just identify what they have, but identify when it's exposed and fix it as quick as they can.
B
I mean, to a degree it almost feels like you shouldn't have needed to do this. Because the whole idea with runZero is it's going to show you all of these assets that are out there, probably unmanaged, stuff you didn't know about. Obviously, runZero has done its job at that point, right? But no, it feels like a case of you can lead a horse to water, but you can't make it drink. And in this case you needed to go that extra step, right? And really draw people a picture and say, well, we found this host, but now we're going to go that extra step and tell you what's wrong with it.
A
If you look at how the vuln management industry works today, it's very much like scan, patch, wait, scan, patch, wait. When a new vulnerability comes out, you have to wait for the vendor to get a detection together, then you have to apply the update, then wait for a scan window, run the scan, look at the results, and then you can triage it. In the meantime, you've already been backdoored, so that just doesn't work. So where runZero came into the picture is that within a couple seconds of knowing that there's a new Palo Alto bug or something else, we can say, here's exactly where there's devices on your network. Here's, you know, it doesn't matter whether they're patched or not. On day zero, of course they're unpatched. So now we're taking a step further and saying not just here are the devices that are currently vulnerable to the current emerging zero day, but here's actually all of your unpatched devices and, you know, prioritized by highest exposure.
B
Yeah. Now I should mention too that, you know, Decibel is one of the investors in your company, obviously. Decibel is an investor in Risky Business as well. And I'm a founder advisor with Decibel and I'm an advisor to you as well. So, you know, I just want to make it clear to the listeners that I do work with you on this stuff and I do hold some share options in the company. But one thing I sort of wanted to zero in on too is the changes in the vulnerability management market, right? There's some pretty big shift going on right now that I think a lot of people haven't quite caught up on, right? So the big three vulnerability management, you know, or scanning companies have been Tenable, you know, Rapid7 with Nexpose, and Qualys, right? But over the last, you know, I guess, half a decade, the EDR companies have realized, hey, we've already got a presence on people's endpoints. So why aren't we doing that part of the vulnerability management? As in, you know, doing a full inventory of software that's on these endpoints that we're already on, so that we can cover off that part of vulnerability management. Which is obviously very bad news for those incumbent three, particularly because they seem to have neglected the other part of vuln scanning, which is doing it over the network, right? So what I think is interesting about what you've done here is you've gone, well, obviously that ground, you know, of the on-host scanning is going to be ceded to the EDR companies, but the network side's wide open because they have not done a good job of it. I mean, that's basically what's happening here, right?
A
Yeah, that's the quick version. The existing vendors have done a terrible job of unauthenticated scanning between, like, the BeyondCorp stuff, the BYOD stuff, kind of the work-from-home. They've just kind of ignored that whole part of the business and instead focused on things like agent-based discovery, cloud, CSPM, CNAPP, that kind of stuff. So what's happened is that if you're a customer of one of these large three legacy vendors, you're effectively only getting authenticated and agent-based scanning anyway. Less than 10% of the checks in most of these products actually work if you don't have credentials. So the result is, well, if you're really just doing agent-based scanning anyway, why wouldn't you use the other agents already on the device, right? Take your CrowdStrike, take your SentinelOne, something else that's already there. And the challenge is it's kind of a race to the bottom. As soon as folks say okay, well, authenticated, sorry, unauthenticated scanning is no longer relevant, let's do agent-based, then anybody with an agent can claim they're a vulnerability scanner now. And we've seen that where the vulner, sorry, the EDR vendors have come in and say, here's a list of unpatched software on your endpoint, we're a vulnerability manager too. It's like, yes, but you're not catching exposed services such as open ports, things that aren't installed as normal software packages. Like, you're not looking for the stuff that a vulnerability scanner would find, you're just looking for outdated software. And so for the longest time we've had folks pretending to be vulnerability management in the EDR space where all they're really doing is saying, here's an outdated software package. And of course, even if they're correct, even if they're correct that that's a vulnerability, you don't know whether it's reachable because you're not checking the network. It could be a totally vulnerable service, but it's unreachable because of the firewall.
So the great thing about doing unauthenticated scanning first and uncredentialed scanning first is that if you can reach it from your discovery tool, you know it's exploitable by an attacker.
B
Yeah, I mean, there's a little bit of nuance there around client-side vulns, though, I would say, because obviously you're still going to need to know if someone's running a vulnerable browser, for example. But look, one more point on the authenticated versus unauthenticated scan part. What's the point of trying to do an authenticated scan against an unmanaged host where the authentication is going to fail? There's so much dumb stuff here.
A
The great thing is the authentication won't just fail, it'll give the attacker on that machine your password. Like, we still have not solved authenticated scanning.
B
Yeah, because you're spraying creds around on the network. Yeah, yeah, yeah. Heaps of fun.
A
Yeah, I mean, that's still my favorite way to do anything. Even if you go into, you know, a currently well-configured network today and you run Responder, Flamingo, an SMB server, whatever you want, on a local segment and you just wait, you're going to collect credentials all day long. And especially if you start doing scanning, you'll collect credentials even faster. Things like WatchGuard, Palo Alto, they've got these User-ID agents where anytime you trigger or, you know, tickle the firewall, it tries to determine who's logged into the PC that's doing the attack. And so they just authenticate to you, giving you the credential that's stored in the PAN, which is not what you want to happen, where your attacker machines are being given credentials on demand. And yet that's currently the state of these networks. So typically if you're in one of these networks and they have an authenticated scanner, even if you are locking it to an IP address, somebody can still do ARP man-in-the-middle, v6 rerouting, whatever have you, and be able to steal those credentials and use them for everything else. And as we've seen with just about every major attack in the Windows ecosystem, all it takes is a single unauthenticated, sorry, low-privilege AD user to then topple the rest of the forest.
B
Yeah. Now I guess the idea here, though, is, and the reason I was mentioning the EDR stuff, it's not like you're saying, oh, okay, well, the EDR is covering off that side of it, so we're not even going to do anything there. But what you've figured out is that if you do one of your network-based scans and API scans, like, you're ingesting a lot of data these days into runZero. It's not just network scans, right? You can give it API keys and it can go and, like, pull down information out of your cloud environment. But crucially it can also pull in information from your EDR. So you can capture that vulnerability sort of state information from EDR, pull it into runZero, and then correlate that against scan information and information from elsewhere. I mean, that's about right, right? So I guess at that point you're approaching something close to being a comprehensive vulnerability management platform by just using data that people are already collecting.
A
Yeah, I mean, obviously you have to go a little further. You have to do your own unauthenticated scanning. Like, the reason why the CAASM-only products didn't succeed is there wasn't enough data to be able to answer those questions with the products already in place. Like, your vuln scanner didn't know about your unmanaged assets because they weren't part of the scan scope. A lot of your other tools just didn't know about parts of your network. So unless you have a native scan source, passive directory, passive discovery source, you're going to have a hard time filling in the gaps using a CAASM-only approach. So we've always been native data source first, through active scanning, passive detection. When you start looking in APIs, now you can bring in the cloud side, the mobile side, EDR, MDM, et cetera. And now we can say, like, here's all your external IPs across your entire infrastructure, even devices that are not going through your normal firewall. And then we're really good at the network side. So you can still use your existing vuln management, either agent-based through your Tenable, Qualys, Rapid7, or you can use agent-based vuln management through your EDR. But then combine that with runZero scanning and you can find the rest of it.
B
Yeah, yeah, no, that makes a lot of sense. Now one thing to note, though, is you're not actually trying to bite off all of the compliance scanning related stuff, right? So your focus is find the bugs, you know, find the vulnerabilities that are present in an environment that are reachable and likely to be exploited, so that they can actually be properly prioritized, not we can give you a checkbox against the PCI scanning requirements. Why don't you talk to us a bit about why it is that you're not trying to take on that part? Because that's actually a decent chunk of the market, right? That you're just like, no, not interested. Walk me through that.
A
That's what killed the industry. That's why we got here. We got here because folks kept putting more and more compliance requirements in the vulnerability scanning. You got to the point where every single host had to do authenticated scanning or agent to do a full SCAP, do a full policy profile assessment as part of your GRC. And as the trade-off, you gave up all your unauthenticated scanning, discovery, exploitability. So now you have customers spending all this time and all this money patching vulnerabilities that are showing up in these vuln management platforms and not moving the needle at all on exploitability. And that's kind of the point. We're going to tell you the exploitable view of your environment. We don't care whether it's a patch or not, we don't care if there's a CVE or not, and we don't care whether there's coverage from a vulnerability management product. We're going to do it ourselves. So we feel like when it comes to what's being exploited every day, the way that we tackle it is really three ways. We already have enough information about your environment that when a new vulnerability comes out for, say, Palo Alto, we already know where those devices are. So we can just tell you immediately, that second, here's the devices that are exposed, and of course they're unpatched because the patch just went out 10 seconds ago. So that's the kind of first step of it. You don't have to wait for a rescan, you don't have to wait for a product update. The next step is then going the next step further and actually doing an active scan to determine: is it patched, is it unpatched, is it misconfigured? And if you look at the coverage that we've added to the product, they're not that focused on CVEs. Like, less than half of the stuff we've been adding to the product actually has a CVE associated.
We're really looking at things like default logins, misconfigurations, broken configuration, broken authentication on different daemons, things that'll actually get you compromised, not things you can apply a patch to fix. So we assume that if you're already spending a lot of money in your security program, you already apply patches to the machines you're going to patch. Like, you don't need us to tell you about your patching program. You need us to tell you about what's actually reachable by an attacker today that's going to get you in the news tomorrow.
B
I mean, it's kind of bizarre that there's been such a lack of innovation in vulnerability management, considering it's such a big part of security and security spending, right? And I think that's partially because we've just had these three large incumbents in the space and people have sort of thought, well, that's a mature market, there's no opportunity to disrupt. I mean, there's been exceptions. Like, there's a company that advertises or sponsors Risky Business called Nucleus. And I think their product's interesting because they make a, like, a vulnerability management platform that ingests data from all sorts of vulnerability scanners, including runZero, mind you. But it's for really, really big companies, right? So they take in all of this data and help you do the triage and slice and dice it and give you visibility top down, like which parts of the business are doing a good job, which parts aren't, and whatnot. But, you know, that's a product that exists because most of the tech in the space is bad at doing that, right? So, oddly enough, it's like, it's a solution that had to be conjured into existence because of deficiencies in this wider vulnerability management software market. Why do you think it's atrophied like this? Like, I saw your talk. The reason I mentioned Decibel before as well is because Decibel has an event at RSA every year. Last year, I watched your talk about vulnerability scanners and how little they've changed, and there was one slide. I still remember it, even though this is like a year and a half ago. You showed a slide which was a screen cap from one of the vulnerability scanners from like 25 years ago, and then a screen cap from, like, the week prior to you doing the talk. And it was just like all that had changed is it had been reskinned, right? How do we explain the lack of movement in this space?
Is it just that they were chasing the next shiny red balloon across the room, like you mentioned, like with the CNAPP and the this and the that? Is that kind of how we got here?
A
Yeah. When I was working for Rapid7, we really thought of it, anytime we lost a customer, we'd see them again in a couple of years, because where are you going to go? There's really three vendors in this space. And we thought that, you know, at the time the bar to getting into the industry was very high because you have to have 200,000 vulnerability checks or cover 90,000 CVEs. So the idea was like, well, no one's going to join this, or no one's going to be a new competitor here, because the bar to getting in is so high, to build all this backlog. Then we realized it doesn't matter. Like, what we realized at runZero is it doesn't matter at all. That backlog is not what you need to worry about. It's the new emerging threats. It's the new stuff people are exploiting day to day. It's the non-CVE exposures. That's what actually matters to people's security. Not catching up on 20 years of vulnerability coverage, that's not super relevant. Same thing goes with the GRC, the audit, all the compliance stuff. Yeah, it's really useful for your audit, but it's not particularly helpful for you not getting owned tomorrow. Where we've seen the innovation happen in this space has really been the ASM side. The continuous pen testing firms, they call themselves continuous pen testing, but effectively they're just doing vuln management. They're just calling it something different, and they're doing vuln management on a much smaller sector of vulnerabilities, which are dynamic web applications, or a smaller set of the surface. We use Nuclei, the open source scanner, in runZero. And we do it a really interesting way. We don't just take the scanner and run it. We actually add unique logic to every single check, so that we already use the runZero fingerprinting engine to say we know exactly what this device and this service is. And then we'll run a particular check against it, but only if it meets that criteria ahead of time.
B
Yeah, I mean, you're like spinning up per-check templates for this thing, right? So that it's like not going to...
A
Per-check engines, actually.
B
Yeah, it's not going to brick anything. It's going to be nice and efficient. Like, that's the play, right?
A
Yeah. Every single service gets its own configuration and engine launch configuration. So if we run into a web service that's running IIS, for example, we're not going to run anything that's not relevant to Microsoft's web server on that target, just by definition. The cool thing about that is, because so few of the templates actually run when we do it that way, we can do thousands of vulnerability checks at almost no additional cost. It doesn't slow you down at all. It's just the same as it was before. So the neat thing that we did recently when we launched, we added about 1400 new checks to the product. They're enabled by default. And they went out and no one noticed. There was no cry from the customer base. Nobody said, this thing's broken. No one said, we're knocking a device over. That's just how carefully it was built, that we can literally ship all that and it just starts working magically in the background without having a serious impact to scan times or to false positive rates. So we feel really good about our approach there. But then you look at what everyone else is doing and it's basically race to the bottom still. It's, oh, we need coverage for X, so let's report when there's a missing patch, or let's say you're missing compliance on X. Again, that stuff doesn't matter to preventing a breach. Like, we're here to prevent you from being breached. We're not here to help you checkbox your policy and compliance statements, although we're helpful for that. That's not the primary goal.
B
Now, you sort of mentioned this earlier, but I want to talk about it a bit more because you've got to educate me here. You've got to tell me whether or not the incumbents actually have this as well. Because if they don't, it's absolutely insane. And that's that sort of rapid response emergency notifications around bugs that are being actively exploited. So, you know, you could be in your runZero console and it will throw it up front and center: hey, you know, you've got this Fortinet device that's being exploited right now. Like, everybody with this device is getting burned. You got to go patch it immediately. So that's great to have that in the console, but it will also email you, right, or notify you via whatever means you select. So you can actually set up runZero to let you know, hey, you know, really sound the alarm on a bug that is being actively exploited, that's trivially exploitable, that there's a path to get it on your network and you're going to get done. Is that something that the incumbents actually do? Because I remember, like, talking to you and Chris like two years ago about, you know, bringing that feature in because it was something that people really wanted. Do the others do that?
A
Not very well. So the way we do it, we officially launched it to everybody last week. And the idea is the second we put a rapid response out, which is, hey, there's a new serious vulnerability that affects a product, I'll pick Palo Alto again, we actually kick off a query across every single customer instance on every install. And if we find an applicable device that matches that query, like you've got a Palo Alto or VMware Horizon exposed to the Internet or something else that matches that, you'll get an email within 15 minutes now, out of the box. And you don't have to do anything at all to do it. So the idea is that you don't have to go look at the advisory, search your environment, run some queries. You're going to get a notification in your inbox the second that we know about it, telling you what you need to do to avoid getting compromised. The way that other vendors do that, they typically will have an alert mechanism. They'll have an alert saying, hey, there's a new vulnerability in Palo Alto. And you say, okay, great, what are you guys going to do about it? And like, well, we're working on a check. It's like, great. So you wait two days, then you get the check, then you wait till Saturday for your scan window, then you run your scan, and then you are doing incident response because you waited too long. So that's the problem with that approach, is that while these other firms are good at alerting you about new threats, they're not particularly good at telling you where those threats apply in your environment. And we're seeing some folks play with that a little bit. Like, some of the CAASM vendors are pretty good at doing the more real-time response, but the legacy vendors definitely have not excelled at responding quickly to new events when it requires coverage changes on the product side to cover.
B
So I got to ask, like, what's the response? Well, you know, how long has this stuff actually been in the product and actually out there in the marketplace? Because I understand it's pretty new. It's funny that I remember that emergency response stuff. Like, we were kicking that around like a couple of years ago, right? So I didn't realize it was that new in the actual platform. That's cool. But what's the response been? How long has this been out there? How long have you been doing the vuln checking stuff? And yeah, who's into it? What sort of organizations are into this?
A
Yeah, if you go back about a year or so, we started doing vulnerability reporting in the product based on queries. So we'd say you've got a thing that we know is exploitable. You've got a database without a password, you've got this misconfigured device. We'll create a vulnerability record automatically, not just a third-party import. We'll create a native vulnerability in runZero attached to the asset. Beginning of this year, we rolled all this up into findings. So instead of getting a giant list of vulns, you now get like three findings. Here's three categories of things that are problematic in your environment: default credentials, misconfigured device in this particular way, missing ACLs over here. And so you're not getting this gigantic list of remediations, you're getting a list of categories to go focus on. And then more recently we've been adding more direct vulnerability coverage. So first we added default login checks, so default credential checks for a couple thousand platforms. Then we rolled out exposed administrative panels. So looking at things like your admin panel, if it's exposed to the Internet, we can now flag that really easily. So not necessarily the most critical vulnerability, but something that you should know about for sure. And then more recently, we added as many of the CISA KEV and critical remotes that we could in the first round. So that went out. That's about 700 new critical remote checks. And I just eyeballed the stats this morning to see how many folks are actually getting alerted by this stuff. And I think last night we sent out three critical alerts. All three of them got a click. Two of them turned into a support ticket where the customer asked for help, and they're like, yeah, this is great, thank you. So people are seeing it, they're reacting to it, they're responding. We are really slow at rolling this out because the last thing you want to do is annoy your customer base into turning it off.
We don't want our default mode to be so obnoxious people just turn it off and they don't get the value. So you only really get one chance to not burn that trust with customers. If you start spamming people on day one of the product, the very first thing they do is turn off the notifications. Then you're no longer providing that value unless they go turn it on again. And defaults really are the most critical thing in security. If they're not on by default, then you have to do a lot of education to get people to go try the feature. So just like the new vulnerability checks are on by default, we don't ask permission, we just say here they are and you can turn them off if you want to, but they're there by default. Same thing goes for notifications. We want you to know immediately, ahead of time, for these types of things. But again, if we get that wrong and we annoy everybody, they turn it off, and that's why we wait as long as we do to get it right.
B
So you've been slow-burning this, right? At what point do you come out and say we should be your vulnerability management platform? Because it sounds like you haven't been doing that until now, right? Because you've been, like, slowly, slowly changing the product, right? And turning things on and waiting to see what the reaction's like. At what point do you just come out and say we should be that center console for your vulnerability management? Hook in your SentinelOne or your Defender or your CrowdStrike into us and we're going to cover off that function for you. When do you pull the trigger on that?
A
I think we're there. I mean, this one's just user education, it's customer education. It's getting, like, more coverage in the background, but depending on your use case, we're already there today. If what you care about is avoiding breaches and your external-facing stuff, we do that all day long. You can turn off your Tenable today if you want to and use us. And we're great. If you have a massive internal environment, you've got a compliance requirement, you may have to scope it down. So you may still have to use Qualys for your PCI environment and then keep us for everything else, including PCI. But we're not going to go after the PCI certification or ASV or anything like that anytime soon. We're really going after the real-time exploitable stuff. So for a lot of customers today, the product will already do more than the value you're getting out of your vuln scanner. And kind of the reason we got here is that we've been importing third-party vuln data for four or five years now. So we've been pulling in the Tenable data, the Qualys data, even the CrowdStrike vulnerability data. And that's why we got here. We realized that the data we're getting from these products is useless. Like, we will spend five hours importing 180 gigs of stuff from Qualys and the customer gets absolutely no value out of it. They look at this giant list of vulns and be like, well, what does that mean? I guess I should apply some patches? Like, yes, but. And then you'll actually try to figure out, well, where's my SonicWall zero day? Oh yeah, they don't even have a check for it yet. So we're getting this ton of data into the platform. We're trying to help people prioritize it, kind of like the Nucleus Security side, where you bring it all to one place you do triage on. And then we realize we're missing the vulnerabilities that matter. Folks are working off a list of vulns that doesn't even include the ones that are going to get them owned tomorrow. And that's been the focus.
So we've said, based on what we've seen in the product with our actual customer data, what's missing right now is actually better coverage. Like, vulnerability detection is not a commodity. Bad detection quality is how we got in this mess. And it's also what's kind of leading to this EDR eating vuln management, is because the bar has been dropped so low. We kind of go the other way. We say that unauthenticated remote detection needs to be high quality, needs to be reliable, needs to be fast. And if you can do that, you don't necessarily need the rest of it quite as much.
B
Now, as you sort of alluded to earlier, there's these attack surface management companies which are almost doing sort of, like, bulk pen-testy sort of behavior, like doing remote scanning using similar tricks to what's in runZero. And now you've got a situation where you're starting to see these, like, AI-enabled pen test firms pop up. There's a few of them. Horizon3, who I think we've booked into a Snake Oilers slot coming up soon. So I'm going to get to that because I'm interested, I want to know what they're doing. So you got companies like Horizon3. I think there's Crossbow as well. So at what point do vulnerability scanning technologies like what we're talking about, that's in runZero, and services like those, at what point are they all AI-ified and start to converge? This is something I'm curious about. Like, what, you know, I know you, man. You've been playing around with models. There is no way you have not been playing around with AI. What's on the roadmap there, and what does that do to this platform, and how does it look in a few years? I'm dying to know what your plans are there.
A
We found a couple use cases for the AI so far. We use it for some of the threat intelligence, for getting a head start on new vulnerabilities. We use a service that scrapes all the social media, flags stuff that's trending before it hits the news. And that way we can stay ahead of things and get customers, you know, notified well before it becomes widespread exploitation. We also use AI for things like doing enrichment of vulnerability data, but we haven't found a use case where having an AI model inline actually makes any sense.
B
Yeah, so what you've just described is very much like a content use case for AI. That's where everybody starts, right? It's like companies like Corelight, who first started using AI to do things like explain alerts. Right. Like, here is a really poorly written, you know, 10 words to try and explain an alert. But, you know, it can actually have a detailed write-up, you click on it, whatever. So that's the content use case. You know, I guess I was wondering what the agentic, and I'm sorry to sound like such a VC guy at the moment, but I was wondering what the agentic use case is, because there's got to be one there eventually.
A
Yeah, that's a good question. I mean, we have to find a model or find a scenario where it makes more sense and works better. And so far, you know, we've kind of got old school ML, old school AI in the platform, with a bunch of rules, and they get weighted, and they do stuff like that. And we've got decision trees and things like that. And the great thing about it is it's deterministic. We know exactly what check is going to fire in what direction. We know exactly how we can safely enumerate an OT device because it's always going to work a certain way. As soon as you start bringing agentic stuff into it, you've got temperature to twiddle, you've got all this stuff. That means that when you run the same test three or four times in a row, you don't get the same result. So do you really want your critical vulnerability scanning and exposure detection working only 1/10 of the time, or missing every fourth time? That's the problem with the agentic stuff right now: it's not reliable, it's not consistent enough. Where a lot of folks have been taking that is to have one model come up with a recommendation, a bunch of other models self-check it, then do some validation, but at that point, just start off and build it better in the first place. So we're just being a little practical about it, trying to figure out where does it make sense to bring in a model, and we're not quite there yet.
B
Yeah, I mean, I would have thought, just off the top of my head, that where AI would make the most sense here is other agents actually just using Run Zero. Instead of baking the agentic stuff into Run Zero, just treat it as something that a model can use via some sort of Model Context Protocol server or something. I mean, I'm guessing you will bring in, you're going to do an MCP server for this, right?
A
Yep, it's actually shipped. We have an MCP server baked into Run Zero. The great thing is you don't have to run, like, a local stdio server. It's actually all part of the remote install, whether it's self-hosted or in the cloud. So you just point it at your current console URL, give it an API key, and you've got a full MCP server built into the product, as opposed to having yet another thing to manage on the side. So the funny thing about the MCP is we have a lot of folks saying, "We want an MCP server." Like, great, what do you want to do with it? "We don't know." But when do you want it? "Now." It's like, okay, but what do you want to do with it? So we're still, the first version is out so far, we're getting feedback on it. We're trying to figure out what do folks actually want to query. Obviously you can say, show me devices that have an external IP, tell me devices that have the highest risk, show me systems where this user has logged in recently or this type of user has logged in recently. So you can do a lot of interesting stuff there. But almost any one of these use cases you can do better through the console, specifically without using AI.
B
Yeah, but do you need to know how to structure a Run Zero-specific query? That's the point, right? And everybody's really sick of learning everybody's query language and syntax, right?
A
Yeah, that's a good point. We're working on natural language queries right now, so that'll be one of the things we do inline, at least for the cloud side. But of course we need to be really careful about that. We need to make sure that the customer's query never leaves our environment. We're about as paranoid as it gets. We do not let you leak out of our platform anywhere, and we sell to a lot of folks that are on-prem and air-gapped, and we need to make sure that it works just as well in those environments as it does in the cloud. So we're really careful where we deploy technology. Our entire technology stack is a Go binary and a Postgres database. We are not experimental or brave when it comes to using pub/subs or Kafka or any of that kind of silly stuff. We're old school and boring because we need to be able to deploy anywhere.
B
Yeah. So just going back to a question I asked earlier, which is: who's showing interest in this? It sounds like you haven't really started marketing it yet as a vulnerability management platform. So it's maybe a little bit early for that question of, like, who in the market is buying? I mean, is that about right?
A
Yeah, it's starting to turn. Until about a month ago, most of the inbound that we received was folks interested in hearing about the product, asking about CAASM use cases, asset inventory, attack surface management. In the last month or so, especially after Black Hat, where we had this amazing experiential booth thing and all kinds of cool stuff and marketing around it, we really started pitching, like, hey, you can actually use this to do full-blown vuln management without another vuln management tool. And that's where folks started saying, wow, I can actually just kick out product A, product B, product C. So we've displaced the legacy vulnerability management platforms in three or four cases in the last month, and we feel like that's going to be our future. These are customers that need a vulnerability management platform, but they also need everything we do in CAASM. And they don't want to buy two products, and they want to have a product that doesn't write in the first time. So having a product that has a native data source through high quality scanning, does passive detection, can do OT, does the vulnerability scanning, and also does the CAASM integrations and reporting, that's been a really good sell so far. So we're really excited about providing that more comprehensive product to our customers.
B
It's funny, man. I've got a friend around here who recently took a job as a security person at a local government, right? So, like, a council. And the stuff he's found in that environment is just bizarre. So he's not traditionally been a security guy; he's a security-minded computer guy, right? Like, perfectly qualified for the job. But he's gone in there, and the vuln scanning stuff they're using in there is something that I have never heard of in my life. And what's really funny is when he rang the software distributor that they license this package from, they had never heard of it either, even though they were the ones charging money for the licenses. Right.
A
Wow.
B
So he's obviously looking to shake up the vuln management stuff. And when he's seen what you're doing, because this is like perfect timing, he's like, oh man, like, that's going to work. They'll probably have to keep some other stuff for the PCI, because they do handle credit cards for, like, you know, local council tax payments and fine payments and things like that. But, you know, for operational vuln scanning, he's just like, well, we've already got that E5 or G5 Microsoft license. We're just going to get all of that sweet information from Defender from the endpoints, pump it into Run Zero, and he's going to save so much money doing that.
A
Yeah, absolutely. Even for PCI, we can help save folks quite a lot of money, because we can help you scope it down. So if you're buying a given product right now because you need PCI support, we can actually help you figure out which part of your network is actually fully isolated and which parts are actually breaching your CDE or otherwise combining your PCI with non-PCI. So you can get really tight scopes using Run Zero. And that means you can carve down the existing license you have for these third-party products to a much smaller piece. And since you're often paying by IP address for these products, we save a lot of money that way.
B
So I've got to ask a final question, right? Where do you see this sitting in the market? Because, you know, this local government use case that I'm just talking about, like, they've probably got a few hundred, you know, it's a small organization, and for them it's an absolute no-brainer. For a larger organization, I can still see the unauthenticated scan stuff. Like, even if you're a mega corporation, I can see using Run Zero because it's very efficient, very performant, like, it works really well, you know, 100%, you could use it for that as well. But would you then also use it as your primary vulnerability management tool in a very large organization? Like, how do you see this, you know, slotting in at orgs of different sizes?
A
Yeah, sure thing. Long story short is, in the early days, the pen test assessment and vulnerability scanning tools were all really the red team part of the house. In the last 10 years or so they really all moved to the blue team. So the person running your vulnerability management program is really more of your SOC team, it's not necessarily your red team; they're just basically getting a list of alerts, figuring out what to do with it, mitigating it, triaging, et cetera. So that kind of runs your vuln management program, they run your compliance program, but it's not really there to save your bacon from the next vulnerability, the next zero day coming in; it's not fast enough, it's not agile enough to save you. So instead you have security operations teams turning to things like Run Zero and other CAASM products to say, do we have this new thing that we've never heard of until today being exposed to the Internet, how is this network connected to this other network in this strange way, and basically kind of the bleeding edge of exposure and compromise is what those teams care about. So we feel like we've done a really good job of serving that security operations team for a while in terms of preventing exposure, finding all your stuff, being that kind of second set of eyes for the entire organization. But we also feel like the vuln management teams have probably been underserved, and if we can give them a tool that works better, it's faster, it takes less time, it's more accurate, it cuts down the amount of work that they're doing and the triage they're doing, even better. So for us, the future really is doing everything right: exposure management, everything from external attack surface management, your internal discovery, internal networks, network segmentation, compliance, you name it, while still kind of being true to our character, which is not throwing your password around the Internet, not requiring each and every machine.
B
So I guess your position here is: that's a nice market, we'll have all of it, thank you.
A
Pretty much. I mean, we have customers, especially if you're a smaller customer, that can't afford 20 tools. So we have to do a much, much broader portion of functionality than, you know, let's say, if we wanted to stare at our feet and work on cool protocol stuff all day, we'd love to do that. But that's not going to move the needle. You need to provide a much wider product these days, especially with smaller orgs. If you're a 100-person organization, you can't buy five security products; you may be able to get away with one, and that one's probably Defender. So if you can afford something more than your EDR, we recommend Run Zero being that tool. You can't really get rid of your EDR, but you can typically replace everything else with Run Zero from the exposure management side.
B
Yeah, well, as I mentioned, you know, that friend, I sent him a bunch of stuff to investigate. Run Zero was one of them. And that's actually his first item. First spend is going to be that. So cool beans. All right, HD, thank you so much for joining us to chat through all of that. I think there's a real future for this as a very useful tool for all manner of organizations. It's great to see it, and it's always great to see you, my friend. And we'll chat again soon.
A
Appreciate it. My pleasure.
Podcast: Risky Business
Host: Patrick Gray
Guest: HD Moore, CEO/Founder of RunZero
Date: September 15, 2025
In this Soap Box edition of Risky Business, Patrick Gray speaks with HD Moore, renowned for creating Metasploit and now CEO of RunZero. The conversation delves into RunZero’s transformation from an asset discovery tool into a next-generation vulnerability management platform—one that challenges industry incumbents by focusing on unauthenticated network scanning, rapid response, and real-world exposure over compliance checklists. The discussion covers industry stagnation, the rise of EDR vendors, practical shifts in vulnerability management, and how RunZero is positioned to shake up the entire market.
Origins and Motivation
Gradual Shift to Exposure and Vulnerability Management
Compliance Became the Focus, Security Was Sidelined
Authenticated vs Unauthenticated Scanning
EDR Vendor Encroachment and Market Shifts
Comprehensive Data Ingestion
Focus on Exposure, Not Just Vulnerabilities
Rapid Response Features
Market atrophy due to lack of competition and innovation:
Why Nucleus and Similar Products Exist:
Custom Per-Check Engines and Efficiency
Safe Default Practices
"Assets that folks aren't aware of, that aren't part of vuln management, are the ones that are getting breached the most."
— HD Moore, [01:17]
"The authentication won't just fail, it'll give the attacker on that machine your password."
— HD Moore, [06:35]
"We're not here to help you checkbox your policy and compliance statements...We're here to prevent you from being breached."
— HD Moore, [15:51]
"It's the new emerging threats...the non CVE exposures...that's what actually matters to people's security."
— HD Moore, [13:45]
"If what you care about is avoiding breaches and your external facing stuff, we do that all day long. You can turn off your Tenable today...and use us."
— HD Moore, [21:24]
"Defaults really are the most critical thing in security. If they're not on by default, then you have to do a lot of education to get people to go try the feature."
— HD Moore, [19:44]
[01:15] — History and Origin of RunZero:
Asset discovery stemming from pentesting pains, and the road to vulnerability management.
[04:48] — Failure of Incumbent Vendors on Unauthenticated Scanning:
Why authenticated/agent-based scanning leaves gaps.
[06:35] — Dangers of Credentialed Scanning:
Attackers can harvest credentials from "secure" vulnerability scans.
[10:10] — Why RunZero Rejects Compliance-Driven Scanning:
Focusing on real exploitable issues, not just compliance checklists.
[16:09] — Rapid Response Notifications:
RunZero's unique ability to alert users almost instantly to trending, exploited bugs.
[18:53] — Findings, Not Fatigue:
Rollup reporting by exposure category to focus remediation.
[23:10] — Philosophy of Modern Vulnerability Management:
"Vulnerability detection is not a commodity...bad detection quality is how we got in this mess."
[26:28] — AI/Natural Language Interfaces:
Integration of an MCP server; plans for natural language queries; practical AI uses.
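The [06:35] entry above ("Dangers of Credentialed Scanning") is worth seeing in code. What follows is an added example, not code from the podcast or from Run Zero: a minimal HTTP listener standing in for an already-compromised target, plus a client that behaves like a credentialed scanner (challenge with 401, retry with the configured credentials). The hostnames, ports and the `svc-vulnscan` credentials are constructed sample values. It shows why "the authentication won't just fail, it'll give the attacker on that machine your password": the scanner hands over the scan account's password to whichever host answers the challenge, so a single owned box collects a credential that is usually valid across the whole scan scope.

```python
"""Added example (not from the podcast or from Run Zero): a host that records
whatever credentials a credentialed scanner presents to it, to show why
authenticated scanning hands your scan account's password to a compromised
target. All hostnames, ports and sample credentials are assumptions."""
import base64
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_basic_auth(header_value):
    """Decode an HTTP Basic Authorization header into (user, password).

    Returns None if the header is absent or not Basic. A host that answers
    401 once receives exactly this header from any client configured to
    authenticate to it, in clear text after the base64 is stripped.
    """
    if not header_value or not header_value.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header_value.split(None, 1)[1], validate=True)
    except (ValueError, IndexError):
        return None
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    return (user, password) if sep else None


class HarvestingHandler(BaseHTTPRequestHandler):
    """Plays the compromised target: challenge first, then log what arrives."""
    captured = []  # shared across requests; fine for a demo

    def do_GET(self):
        creds = parse_basic_auth(self.headers.get("Authorization"))
        if creds is None:
            # No credentials yet: issue a challenge, exactly like a real service.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="scan"')
            self.end_headers()
            return
        # Credentials arrived: an attacker on this box now holds them.
        type(self).captured.append(creds)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # silence default stderr logging
        pass


def simulate_credentialed_scan(user, password):
    """Run the 'compromised' host on localhost, act as the scanner, return what leaked.

    urllib's HTTPBasicAuthHandler behaves like a typical credentialed scanner:
    it answers the 401 with the configured credentials without asking whether
    this particular host deserves them.
    """
    HarvestingHandler.captured = []
    server = HTTPServer(("127.0.0.1", 0), HarvestingHandler)  # ephemeral port
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        url = "http://127.0.0.1:%d/status" % server.server_address[1]
        mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
        mgr.add_password(None, url, user, password)
        opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(mgr))
        with opener.open(url, timeout=5) as resp:
            resp.read()
    finally:
        server.shutdown()
        server.server_close()
    return list(HarvestingHandler.captured)


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    print(simulate_credentialed_scan("svc-vulnscan", "Winter2025!"))
```

The practitioner's takeaways match the episode's thesis rather than a configuration tweak: credentials you spray at every host in scope are only as safe as the least trustworthy host in that scope, so either scan unauthenticated from the network side, or confine any scan account to the smallest privilege and the smallest set of hosts that the scan genuinely needs, and treat a scan account logging in from an unexpected place as an incident signal.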
RunZero’s Target Users
Pragmatic Approach
Vision
Final Thoughts
For security teams weary of slow, compliance-first, patch-centric vulnerability management, RunZero offers a refreshing, agile, and operationally-focused alternative.