
A long chat with Thinkst's founder Haroon Meer...
Patrick Gray
Hey everyone and welcome to this Soapbox edition of the Risky Business podcast. My name's Patrick Gray. These Soapbox editions are like long form discussions that we have with our sponsors. This means everyone you hear in one of these editions of the show paid to be here. Today's guest is Haroon Meer, who is of course the head honcho and founder of Thinkst Canary, which I guess you'd describe as a deception vendor, and not only that, you'd kind of describe them as the only major deception vendor. And it's been a decade now, so we're going to be talking about a decade of deception, and really we're going to have a bit of a history of Thinkst, a bit of a recap on what it is that they actually do. We'll be looking back on those 10 years of Thinkst Canary and why they're still the dominant player after so long, you know, and really, is that because this is such a simple technology that's quite low margin and the market size is kind of small, which sort of discourages VC backed players from trying to come in and do that sort of high margin, explosive growth thing? Like, we really just have a bit of a chat about why it is that Thinkst is where it is. It's sort of odd to just have one player that's so dominant when they're making a technology this useful. But we started off with Haroon just really recapping what it is that Thinkst actually does because, you know, he's been a guest on this show for 10 years and there's quite a few people out there who might not necessarily know exactly what it is that they do. So here is Haroon Meer to kick things off. Enjoy.
Haroon Meer
So fundamentally we make a honeypot. Like, in its original pitch our take was, we felt honeypots were useful but not enough people were using them. And our take was if we could make them simple enough for people to use, people would use them. So our pitch was to make the simplest honeypot that added value. And there's a few principles that we were really big on, but two of them were that they should be really quick and painless to deploy. And the second one was that they should never expose you to more risk than you already had on your network. And until today, like, we hold pretty firmly to these things and we've done some things quite unconventionally, like we're famous for even removing features, but fundamentally what we focused hard on is that a customer should be able to buy a Canary honeypot, deploy it in under two minutes, and it's useful on their network. And there's some things that we thought hard about and some things that we got really lucky with. But fundamentally what happens is customers buy Canaries, they drop them on their network. And typically attackers last on networks for months before they're discovered. Like, the numbers change, but like hundreds of days. And so what happens now is attackers land, they're trying to make themselves comfortable, they're doing reconnaissance, they see this Canary, they touch it because they don't know what's valid and what's not valid on the network. And the defender gets a really high quality signal that says there's badness on their network.
Patrick Gray
And you skipped a step there, which is that one of the key innovations in all of this is that prior to Canary, you know, we thought of honeypots as things that we exposed to the Internet and.
Haroon Meer
Exactly.
Patrick Gray
Your big, you know, big brain idea was, hey, why don't we put them on the inside and we can catch people who already have a presence on the network, which is what makes that such a high quality signal.
Haroon Meer
Exactly. And the honeypots outside networks really gave honeypots a bad name. Like, even today, we get calls from the local universities, and if someone wants to do an honors project, the easiest thing to do is put a honeypot up and draw graphs of how many attackers came from China and how many attackers were from Belarus. But honeypots on the internal network really shouldn't be touched. And so our thing was, take these honeypots, make them really trivial to deploy. And we spent a crazy amount of engineering early on to make sure that we can really keep that promise. So customers get them, they plug them in, they just work, and then we can up their sophistication. So just plug it in and it's a working Windows box. And by that I mean you can map to its SMB share, or you can RDP to it, or you can enroll it in Active Directory, or with two clicks you say, listen, actually I want this to be an IBM mainframe. And then you can 3270 to it, you can SSH to it, all of that stuff. And over time, one of the things we figured out is that you can do really complex things with Canaries, but even really simple Canaries catch attackers. And we kind of got lucky because, like, we didn't do lots of marketing. And early on, customers who bought us caught attackers and said nice things about us, and then other customers bought us. And that's pretty much been our trajectory till now. We also then did Canary Tokens. And if Canaries were honeypots reimagined, Canary Tokens were honey tokens finally made useful. And for years when we were attackers, when we were pen testers, we would throw out the idea of, oh, you should use honey tokens to let you know when your data is breached. But no one we knew ever did it, and we never did it, because you've got to have infrastructure around you to make that actually work. And so Canary Tokens become honey tokens in various different forms that you can sprinkle around, again to give you high quality signal.
And with Canary Tokens we do the slightly unusual thing of also giving them away completely free at canarytokens.org, and like, that's bloomed into an unusual thing. And if you go into your VC theory, in a few moments Canary Tokens will feature. Interestingly, because we treat Canary Tokens as a full blown hosted service and internally lots of the things we try to invent, we keep trying to invent new ways to detect attackers. And some of that stuff goes into Canary, but some of it goes into Canary Tokens. And then we give it away free so our customers get it. But it also joins this free Canary Tokens service. And some of it, like if you take in the last year, Jacob released the Entra one. So basically with CSS you can tell when people are running an adversary-in-the-middle attack against your Entra login on Microsoft Azure. And we released that earlier this year. Like, we've literally got thousands of users using the free service, something like 50 million logins a day get protected against that AITM phishing. And for us it's just free, lives on canarytokens.org and does its thing.
Patrick Gray
So it is pretty amazing to just give people access to very high quality alerting infrastructure that is reliable. It's scaled. Like, you know, it's doing some real work for the community there.
Haroon Meer
It's been interesting, and for us, like, in part, nobody told us we couldn't do it, and Canary pays our bills, and this gives us an interesting way to test new detections. And of course, like, people end up knowing us because of it. So it ends up working out all positive. But fundamentally as a company, that's what we do. So we build Canary and we build Canary Tokens, and like, internally our whole pitch is, can we use hackery to make defenders win? Like, our pitch as a company is make defenders win. And that's our pitch.
Patrick Gray
Okay, so now let's talk about why you're the only vendor, as far as I know, in this category. What explains that?
Haroon Meer
So I think fundamentally, when we used to pitch Canary, I think I did on the first segment I did with you on Canary, like, we used the line that said we're stupid but work. And internally our pitch was Canary should function like a brick. Like, Marco's saying was people should just be able to use it and know that it doesn't go wrong. And so we were pretty rare in that our stated aspiration was to be a brick. And it allows us to say dead simple, but works. And anyone who's trying to raise VC money has to say the opposite, right? They've got to say why they're this super complex thing and how they're this super clever thing. And even when people try to sell, they often end up trying to convince the customer how they're this super clever thing. And it forces a type of thinking that just goes for more and more complexity. And complexity, like, that's a bad idea for multiple reasons. But the two big ones are, historically, we know complexity is just a pain in the ear to secure, which is why so many vendors end up being the weak link on your network. And the other is you end up with all of these solutions that do everything or claim to do everything that nobody actually ever implements on their networks. Like, honestly, one of Canary's biggest challenges early on was fighting security folks' default intuition that says this can't be that easy, because you do the demo, you do the explanation and you say, trust me, just deploy it. And folks go, surely that's not gonna work. Except it does. And then word gets around. And so I think the early funded competitors, and there have been about six of them that raised like 60 million or so, all pivoted hard towards complexity because most people think that that's what's needed.
Patrick Gray
Yeah, I gotta say, I got a real kick out of their marketing. I remember once, like in your early days, you know, seeing some of these competitors come up, and their animations and stuff at their booths were pretty funny. Like, you will direct attackers into a maze that is a replication of your production. And it's like, that's not really what you need to do here. You know, like, let's just keep it simple.
Haroon Meer
It's interesting. Keeping it simple. Look, simple is hard to pull off technically, but it's also hard to pull off for ego. Like, early on, people are attracted to, I'm working on the smartest thing ever. And I think we got a little lucky because, like, Marco and I had some history in the industry and so we could say we're doing this really simple thing that works, and people gave us some credit to say, well, they're not complete monkeys, like, maybe we should try this thing. But I think simple but works is underestimated. So that part I agree with. I think people went for complex and ran into trouble. The part that I'm not sure about, like, and my honest thing is, one of the things we've grown to see is that Canary works for everyone. Like, this is not my, what I used to call it, shiny-tooth salesman pitch, but we've got customers using Canary for literally 10 years. Like, they bought us in 2015. They still use us. It just updates multiple times a year and they just use it. We've got easily a whole bunch in the Fortune 100. We've got the highest tech companies that exist. Like, if you're a tech company today, there's a good chance you're using Canary. We've got two-man law firms. Like, we've got an aquarium in the Midwest. And so one of the things we realized is that, without sounding immodest, every org should be running Canary.
Patrick Gray
So that's where you're going to push back on the limited market size thing, I'm guessing.
Haroon Meer
Yeah, so it is true, because early on, even when we had resellers wanting to sell our stuff, they would look at it and go, hold on, this stuff just costs $7,500. I can sell Cisco kit for a few hundred K. This isn't worth my while. And that bit was completely accidental, because it perfectly fits anyone who has ever read The Innovator's Dilemma, which is you come in at a price where incumbents don't want to fight you because you're too low, and then you start growing from there. But fundamentally that model really works for us. So a two-man law firm gets to put in five Canaries and forget about it. And a super tech firm gets to start off with 5, grow to 50 and then have hundreds of Canaries if they need it. And genuinely, genuinely at this point, like, I feel I can make an honest case for every org in the world to have five Canaries. Like, there are some who should be bigger, but like, for seven and a half K, people should just put them down. And if they do nothing for you, like, you paid 7 1/2 K, but almost certainly when you've got intruders on your network, you're going to get that alert really early on. And so it turns out the market isn't that small for it. And so periodically we get pitches from new companies going in, or new companies wanting to do it, but now they've got multiple problems. Right. The one is we try hard to not suck and hopefully we'll keep not sucking. And the other that turns out to be useful is Canary Tokens. Because now there's this really valuable, really easy to use thing out there that's free.
Patrick Gray
We should note too that it integrates nicely into the Canary console. So if you're a user of the hardware devices and you're using the Canary Tokens, like, it all meshes together quite nicely. So even if it's like the free stuff at canarytokens.org, if you are a paying customer, you get that sort of all singing, all dancing, integrated experience, integrated UX.
Haroon Meer
Exactly. You get your own private Canary Tokens server which can be skinned, and you can host it on your own domain and all of that stuff. But yeah, the combination ends up being useful. And at this point, our plan for world domination is a Canary on every network.
Patrick Gray
It's like a taco truck on every corner, a Canary on every network. Both sound pretty good. I just want to cut you off there because I think one thing we can say, like, 10 years down the track, I think we can say that most people, you know, the more educated consumers, the more educated buyers in cybersecurity, they know who you are and they recommend you. So recently I introduced you to Rob Joyce because he dropped me a message saying, hey, you know, because he's doing a bit of advisory and whatever these days for all sorts. And he said, look, you know, I've got a customer who I think would really benefit from Canary. Would you mind putting me in touch with Haroon? And I think we could say that, you know, Rob is about as educated as a customer can get. I mean, he used to run TAO, for God's sake. So if it's a control that he's into, we could say that's good. So I think there's some validation there where you've got the highly educated section of the market saying, yes, Canary is good. Use them. They're just an amazingly cost effective control. Go for it. Then more recently, we saw Microsoft embracing honey tokens as a way to flush out automated abuse on their platform. So this is something that they're doing at scale. Right. I'm guessing you know a bit about what they're up to. Can you talk to us about, because I don't think we really had a chance to discuss it on the main show, what are they up to with all of this? Like, I only saw the headline, skimmed a story. But could you give us a bit more detail on what exactly Microsoft are doing with honey tokens?
Haroon Meer
So Microsoft's going into deception in a few ways. Like, Defender will now do deception stuff. So they'll do hosts, they'll do lures, they'll do stuff like that on enterprise networks. And like, I've heard of a few people taking them out for a spin. But Microsoft's got a chief deception officer and he's a real believer. Like, we've spoken to him. They may or may not be using some of our stuff. And yeah, they've got a good offering. Recently they spoke at BSides Exeter where they were actually speaking about running deception campaigns against existing phishing sites. So literally, they look for new phishing sites and then pump those phishing sites full of fake credentials, essentially making those sites less useful and getting them a whole bunch of intel in the process. There's a few things that are interesting. The one is every Microsoft document on their deception stuff exactly sings the song of our people, right? It's, here's why you should be doing it. It's smart, it's easy, it catches attackers. So we like it.
Patrick Gray
Well, I think also, isn't one of the ideas behind pumping sort of honey creds into these phishing sites so that when they see them turn up on, like, M365 or Entra logins, that all of a sudden they can flag that endpoint as being no bueno? Right?
Haroon Meer
Yeah, exactly right. It's kind of funny because, like, one of our free Canary Tokens is a site clone token. And when we first built it, I think we might even have spoken about it on the channel, like, years and years ago. But we first deployed it for the media org Al Jazeera when they were being attacked by the Syrian Electronic Army. And they did exactly this process that Microsoft is now doing, something like nine years ago, where as soon as the phishing sites came up, they'd spam them with fake creds, essentially giving them a whole bunch of work to do. Because once a phishing site comes up, you also can't control your remote users who might be giving their creds to that phishing site. And so now what they do is they've just put in a thousand other fake users into that system. And so now those people have to deal with all of the noise. Microsoft's presentation on it was great. But for me, the best part of it is, again, them saying, absolutely, this stuff works. Why wouldn't you be using it in your org? Which again, is the song of our people. I don't have sleepless nights over it for a whole bunch of reasons. One is we like them and know them. But besides that, one of the things we've always taken a lot of care with Canary, and initially it was a tough decision, was to make sure it was outside your regular system. Like, one of the things we don't want is your system gets compromised, you can't trust your reporting channel, and now the thing you need for that one alert is in that reporting channel. And so Canaries end up being inside enough to catch attackers, but outside enough to not be collateral damage if your network gets owned.
Patrick Gray
One thing we should point out is that a Canary is not like a pizza box rack mountable, you know, fully featured Linux box with some software loaded on it. It is a very small, like, it looks like an external hard drive. You know, it's a small embedded device. And funnily enough, like, I remember when you did that way back when, and one of the reasons you gave it that form factor is to make it easier for people to deploy without having to get authorization from the data center team to, like, get the rack space. So you could sneak in, security people could literally sneak into the data center and just tuck it away back there somewhere where no one could see it, and, you know, they would not have to ask for permission. Which I thought was very clever, actually, at the time.
Haroon Meer
Thank you. It's interesting, we thought that over time, because the first versions that we shipped were just those hardware versions, and then we've got Azure versions and AWS and GCP and whichever virtualization platform you're running, we thought that over time people would stop buying the hardware versions. The others still sell in their thousands, but by far the hardware versions still dominate. So that thought that says, let's take this and plug it in, is still an easy winner. And now we've got different use cases for it. Like, we've got one of the really large tech companies, we literally carry their asset numbers, and they just ping us and say, send three boxes to this location in China. And so we put the asset numbers on the boxes and ship them off. It comes up, it's now on their console and they've got visibility. So, yeah, so far the hardware stuff still works surprisingly well.
Patrick Gray
Again, it just folds into that keep it simple thing. But cloud, I'm guessing, well, obviously over the last 10 years. It's not like cloud was new 10 years ago, but it's like it wasn't as ubiquitous.
Haroon Meer
Yeah, it's interesting. Putting the stuff in the cloud works, and works nicely. And then there's a good case for dropping tokens in different cloud environments. And currently we spend a lot of time playing in that space. So you'll find lots of tokens play almost exclusively in the cloud space. We've spoken previously about our AWS token, stuff like that, which essentially is, throw this around your clouds, know when people are poking around. But again, our pitch is, should be dead simple, should just work.
Patrick Gray
So this is how you've managed to own the market for 10 years. You know, you've had some challengers come in, but largely, I mean, it's pretty much just you. So where to next becomes the question. Right? Like, you know, 10 years from now, a few more gray hairs, I'm guessing, ten years from now. But what will we be talking about, you know, in 10 years from now when it's, you know, Haroon Meer's 20 years of deception?
Haroon Meer
Yeah. Touch wood. So far, like, one of the things we've managed to get right as a company is, like, we build stuff that people like, and by doing it that way we've managed to build a really nice team, so the people on board enjoy working for the craft of it. Like, I put out a silly tweet today, but it's Halloween and so the front end team have this amazing slight change to the console, because you get to see the Halloween theme and you get to see Table Mountain and all of that stuff. But essentially the team worked on that just in their own time, just because they like delighting customers. And so over the last 10 years we managed to put together a team that really likes building useful stuff. And so at this point we're kind of just enjoying making things the best we can, and so inventing new tokens, trying to make that stuff work. So we think we've got good room for growth with that stuff. And if you think about the Canary in every home, which I joked about, like, even though we started slowly, at this point we genuinely think there's huge space to grow. Like, when we started we were a little bit lame in that we kind of ignored partners, and mainly it's because we were too small to handle partners and we just weren't able to handle it. And as time went by, we found some MSSPs come in who literally took Canary and deployed them at every customer they've got. So Eric Foster came through with Sidearis, and literally every customer they have would also get Canaries. For us it's a win. And for them it's a win, because they get the super easy to deploy thing, and when the Canary chirps, Sidearis look good, Sidearis get to go in and sell them extra stuff. So these days we're more friendly with partners. Like, you're seeing more and more of that business where SOCs come in and say, let us deploy this, or MSSPs come in and say, let us deploy this. And so for the next while, one of the things we want is, we're saying, look, we know Canary works.
How do we get it to more and more people? Like, so how can we partner to put that bird on every desktop?
Patrick Gray
Sorry to cut you off there, but I mean, it's a product that I think really makes sense for MSSPs because it just lets them jump in there earlier. Right. Like, it doesn't mean, like, if you sell a Canary to one of your customers as an MSSP, it doesn't mean that you rip out the rest of the detection and response stack. It just means that you know when something really bad is going on so you can roll incident response, and that's billable hours. So I think this idea that maybe some might have had previously, that it was going to cost them, I don't think so. I don't think that's right. I think it just lets them make better use of the other technologies that they've deployed to the client.
Haroon Meer
Some of the best love that we get, like, if you look at our Canary love stuff, is from MSSPs and SOC vendors like that. Because literally what they're doing is super quick deployment, super high signal. And at the end of the day, like you say, they then get to go pull at that string and unravel huge messes that start off with that first Canary that chirped. And so our pitch again, our dream, is keep inventing new ways to detect, keep rolling out Canaries, so that we can put this Canary on every desktop. And that's the dream. So see you in 20 years.
Patrick Gray
Well, I mean, fundamentally nothing's really changed in the last 10 years with what you're offering. It's all been about refinement, incremental improvement. And I'm guessing that's the way you want it to stay.
Haroon Meer
Yeah. So again, as a company, we're super deeply invested in invention. I know lots of people might say that, but like, we take the time for it, we carve out time for it. But there's a distinction between just making things and foisting them on your users, and making something that works better. And so with Canary, we're really about making it easier, making it pain free, making sure there's fewer false positives. And then at the other end, what can we invent that can move the ball forward? So with tokens, with new detections. And so it gives us a pretty good mix to say, let's make this thing consistently better while we keep trying to invent new ways to do detections that work. It gives us a good space, it gives us a product that works. And yeah, that's where we double down.
Patrick Gray
So the plan is to keep turning the handle.
Haroon Meer
Yes, so far turning the handle sounds good. Like I say, we're keen to talk to other partners who want to take Canaries to the masses, because it's simple and it works. Like, at this point we know it does. And yeah, we'll keep doing what we do, which is making it better and better and inventing new ways to make defenders win.
Patrick Gray
Now, I want to talk to you quickly about a blog post you wrote where you extolled the virtues of conference booths, which I think even you were surprised by. You surprised yourself by writing this thing. Yes, I found it interesting because, funnily enough, I went to the AusCERT conference earlier this year and you had a booth there. And I met, what was his name, the fellow who was on? Bradley. Yeah, yeah. So I met Bradley, had a good chat with him, and it was just, you know, it was just really funny for me because, like, you know, you and I have known each other since well before Canary. And it's just funny. It's like, well, here's Haroon's booth at a conference in Australia. You know, you've written a passionate piece sort of saying you should run conference booths, but you should run them this way. And I gotta say, I agree with it wholeheartedly. And I think you should walk us through the rationale there while we've got time.
Haroon Meer
Yeah. So again, young hacker me hates that this is true, but conference booths are great for us. Like, we do about five of them every year. And I hate saying it every time because it seems like the most vendor-y thing ever. But A, I think they're good, and B, I think so many people do them terribly that I feel bad, for one thing because they're mostly just lighting their VCs' money on fire, but for the other, one of the things I worry about is that they're killing a good and a useful thing. And so for us, we wrote this really long blog post a few years back when we did our first RSA, and we tabulated all of the expenses and how that worked out for us. But fundamentally for us, these conference booths are a great way to meet our customers. Like, we have customers now that have paid us hundreds of thousands of dollars that we've never met in person. And what happens is, like, when we came down to Australia, we've got so many customers in Australia, largely because of Risky Business, who we've never met. And so now what happens is they get to come by the booth, they get to say nice things, and an interesting thing happens, which is your existing customers come by and say nice things within earshot of new potential customers. And one of the things we found that's super interesting is lots of customers would never be able to go through legal and say, I'm from big company and I use Canary. But when they come to your booth, they'll happily say to the people standing next to them, hey, we use this stuff. You should, too. So, absolutely, companies score with it. One of the things that I think is interesting with booths, though, is I think most people do them badly. So from the start, we use our booths for demos. So we do hundreds of demos. People come in, we show them a demo, and we staff our booth with us. So literally, the support people working on it, Marco's almost always there, Bradley's there.
Since day one, I spend all my time at the booth, and what happens is people then come and get to have real conversations about the product. If something's sucking in Canary, then those people who come down to the booth are going to let you know that it sucks. And I'm surprised that more founders and more product people don't use booths for
Patrick Gray
this reason, because, I mean, you write in your piece that, you know, often they're off in a suite somewhere schmoozing with the CISOs for the Fortune 500s or whatever, or talking to investors, where really your position is they need to get down and spend some time on the floor because it's a really valuable thing. I mean, it's hard to argue with that.
Haroon Meer
I think it's such a wasted opportunity. Like, and I genuinely, it's one of the things I really want security founders to take away: you almost never get a chance to meet a thousand customers and potential customers in the same day. Like, why aren't you there? It makes absolutely no sense. And for us, it works out super great. Like, there's no question the booths work great for us.
Patrick Gray
I mean, I think at a certain scale, that becomes impractical for the founders, especially when they might have five booths happening at five different events around the world. But I think you could still take that fundamental lesson, which is you need to staff your booths with real people who have agency within the company. I mean, I think that's the lesson.
Haroon Meer
Yeah, absolutely. Like, if you're a megacorp, at that point, staff it with your product people. Like, staff it with people. Marco and I for years have had this running joke where we go around to some of the other vendors who used to offer deception stuff and talk to them about their product. And most of the time we couldn't get someone to demo the product, just because the people at the booth go, no, that's niche and we don't know what that is. And again, it's silly. It's a wasted opportunity. And one of the things I feel, in terms of the community good that comes out of it, is if you make these conferences just about stupid games and bad T-shirts, then that's all it's going to be. And it's got the opportunity to be so much more.
Patrick Gray
It's funny, right? Because I remember my first RSA. I think this would have been, man, somewhere between 2010 and 2013 or something like that. So I've been in this game a long time, so that was even kind of late for me. But it was so funny, because you had the people dressed in lab coats and you had the jugglers and, you know, it was just very funny. I think the contraction in that stuff in the industry has been pretty sensible. Funnily enough, I went to RSA this year, but I was going to a side event. I tried to get in to walk the floor and they hadn't opened it yet. I was like an hour or something early, so I didn't wind up going in. But is it still like that? I saw you over there, yes, but I didn't see the floor.
Haroon Meer
It is crazy. Like, every time you see it, you look at it and go, that's something. Like, for one thing, it's the size. Like, I also went to RSA late, relatively. And the first time I went, honestly, one of my first thoughts was, no wonder people are so confused, because.
Patrick Gray
Like, there's so many companies you've never heard of, right?
Haroon Meer
Like, you've never heard of and, and all of them. And at the time I was like, man, like in my years of pen testing, none of these people have been a speed bump to me. Like, like.
Patrick Gray
No, I know. And it's like, it's like I just had this thought, but it's like walking into a Turkish market, which I have by the way. Like this isn't some imaginary Turkish market experience. This is kind of like some weird twisted American grand bazaar for enterprise software.
Haroon Meer
It's still not. So it was a little muted with the end of ZIRP, but not completely. Like there was still, I think Black Hat still had one of the major vendors doing insane booth babe type stuff.
Patrick Gray
I kind of, I don't mind the floor at Black Hat. I gotta, I gotta be honest, I always found it a little bit more sober, a little bit more focused on, you know, something approaching reality.
Haroon Meer
It's a little less nuts. But, but it actually happened at Black Hat this year where some major vendor had a case of the stupids. But, but no, there's still some of that insanity. There are still juggling, fire-breathing dudes, and mostly my thing is do demos, talk real stuff. It's a chance to meet customers for us. We get a bunch of other benefits from it because of our size, but again, it really works out for us. If you're a young sec company, I advise it. I think it's good for you, good for the industry.
Patrick Gray
So the reason I mentioned all of that is that if you're listening to this or watching it and you happen to walk past a Thinkst booth at a conference, you can stop and chat and you're not going to get sales-droned to death. You're probably going to chat to someone real who has agency within the company and have an interesting conversation. We're going to wrap it up there. Haroon Meer, it is just such a pleasure to see you. Listeners and viewers wouldn't know this, but what we do every time we do one of these is we catch up for about an hour before we hit the record button and have a good conversation, solve the world's problems and then onto the interview. Such a highlight to see you again, my friend. Great to chat and we'll do it again soon. Thank you.
Haroon Meer
It's always cool that. Bye.
Risky Biz Soap Box: Thinkst Canary's Decade of Deception
Risky Business Podcast
Host: Patrick Gray
Guest: Haroon Meer, Founder of Thinkst Canary
Release Date: October 28, 2024
In this special soapbox edition of the Risky Business podcast, host Patrick Gray engages in an in-depth conversation with Haroon Meer, the founder and driving force behind Thinkst Canary. Celebrating a decade of innovation in deception technology, the discussion delves into the origins, growth, and sustained dominance of Thinkst Canary in the information security landscape.
Haroon Meer opens the discussion by outlining the foundational vision of Thinkst Canary. The company's primary objective was to simplify the deployment and effectiveness of honeypots, transforming them from niche tools into essential security assets.
Haroon Meer [01:31]: "We make a honeypot... if we could make them simple enough for people to use, people would use them."
A core principle for Thinkst Canary has been ensuring that their products are quick and painless to deploy, without introducing additional risks to existing networks. This focus on user experience has been pivotal in their widespread adoption.
Haroon Meer [01:31]: "Customers should be able to buy a canary honeypot, deploy it in under two minutes, and have it be useful on their network."
Patrick Gray highlights a significant innovation: positioning honeypots internally within networks rather than exposing them externally. This strategic placement ensures higher quality signals by detecting attackers who have already infiltrated the network.
Patrick Gray [03:13]: "Your big, you know, big brain idea was, hey, why don't we put them on the inside and we can catch people who already have a presence on the network."
Haroon Meer [03:36]: "Honeypots on the internal network really shouldn't be touched. Our thing was to take these honeypots, make them really trivial to deploy."
Haroon attributes Thinkst Canary's unique position in the market to their unwavering commitment to simplicity. While competitors often pursue complex, high-margin solutions to attract venture capital, Thinkst Canary focuses on creating reliable, easy-to-use products.
Haroon Meer [08:17]: "Canary should function like a brick... simple but works is underestimated."
Patrick Gray [10:25]: "I remember once, in your early days, seeing some of these competitors... that's not really what you need to do here."
Contrary to initial assumptions about a limited market, Haroon reveals that the demand for canaries spans a diverse range of organizations, from small law firms to Fortune 100 companies. This broad applicability underscores the practicality and necessity of their solutions.
Haroon Meer [12:40]: "I can make an honest case for every org in the world to have five canaries. There are some who should be bigger, but for seven and a half K, people should just put them down."
Thinkst Canary has expanded its offerings with Canary Tokens—versatile honey tokens available for free at canarytokens.org. These tokens complement the hardware canaries, providing additional layers of defense and high-quality alerts.
Haroon Meer [07:12]: "Canary tokens feature... some of it... we give it away free so our customers get it."
A significant highlight of the conversation is Microsoft's integration of deception technologies. Haroon discusses how Microsoft employs honey tokens to disrupt phishing operations, aligning closely with Thinkst Canary's philosophy.
Patrick Gray [16:51]: "I saw a headline... could you give us a bit more detail on what exactly Microsoft are doing with honey tokens?"
Haroon Meer [20:28]: "Every Microsoft document on their deception stuff exactly sings the song of our people... Why wouldn't you be using it in your org?"
While Thinkst initially focused on hardware canaries for ease of deployment, the company has successfully expanded into cloud environments, ensuring compatibility with platforms like Azure, AWS, and GCP. Despite cloud's growing prominence, hardware canaries continue to play a crucial role.
Haroon Meer [21:09]: "The hardware stuff still works surprisingly well."
Patrick Gray [22:18]: "Cloud wasn't as ubiquitous 10 years ago, but now it is."
Looking ahead, Haroon envisions Thinkst Canary achieving global penetration, metaphorically placing a canary on every network. This ambitious goal is supported by ongoing product refinements and strategic partnerships with Managed Security Service Providers (MSSPs).
Haroon Meer [15:20]: "Our plan for world domination is a Canary on every network."
Haroon Meer [27:14]: "Our dream is to keep inventing new ways to detect it, keep rolling out canaries so that we can put this canary on every desktop."
Haroon passionately advocates for the effective use of conference booths as a means to engage directly with customers. Unlike many vendors who fall into the trap of superficial marketing gimmicks, Thinkst Canary leverages conferences to conduct meaningful demonstrations and foster genuine conversations.
Haroon Meer [29:44]: "Conference booths are a great way to meet our customers... existing customers come by and say nice things within earshot of new potential customers."
Patrick Gray [32:43]: "You need to staff your booths with real people who have agency within the company."
Haroon Meer's dedication to simplicity, reliability, and genuine customer engagement has cemented Thinkst Canary's position as a leader in deception technology. As the company celebrates a decade of success, its vision for the future remains focused on innovation and expanding its reach to ensure robust security across all networks.
Haroon Meer [28:52]: "We'll keep doing what we do, which is making it better and better and inventing new ways to make defenders win."