A
Welcome to another edition of the Risky Business Snake Oilers podcast. My name is Patrick Gray. The idea behind Snake Oilers is that vendors pay us to come here and pitch their products to you, the Risky Business listener. So yeah, everyone you're about to hear in one of these podcasts paid to be here. And we've got three really interesting vendors you're going to hear from today. We've got Nebulock, which is an AI-based threat hunting platform. Damien Lukey is going to be along in just a moment to talk through that one. We're going to hear from Vali Cyber. Austin Gadient, who's the CTO and co-founder of Vali, that's V-A-L-I, is going to talk about their product, which is basically a VMware ESXi security platform and really billed as a ransomware control for, you know, VMware and private cloud, which is, they brand it this way because people are getting whacked with ransomware in their VMware environments. But obviously a control that prevents ransomware is good at preventing other types of attacks as well. So Austin will be along soon to talk about that. And finally this week we're going to hear from Stephen Dowie, who is the head of engineering at Cape. Now Cape is a very interesting company that has created a lot of buzz over the last year or so. It is a virtual mobile network operator in the United States that is focused on security. So it's a mobile network which doesn't collect much information about its subscribers and generally operates in a much more secure manner. It filters network messaging. There's not even any SS7. There's no SS7 messaging on their network. There's the, the other one that I can't remember the name of right now. But yeah, you'll hear from Stephen a little bit later on about that. And frankly, 100% hand on heart, if I were an American, if I lived in the United States, I would be a Cape customer. 
I could be a Cape customer here, but then I would have to have an American phone number and that might make things a little bit difficult, but maybe one day. But yeah, we're going to jump into it now with our first snake oiler today and that is Nebulock. Now a disclaimer right off the bat: I am an advisor to Nebulock, which means I do hold some share options in the company. So Damien Lukey is the CEO and founder of Nebulock. And basically what Nebulock is, is, I mean, it's AI threat hunting, right? Like there's so many companies out there, they might have a few people on a detection team, but threat hunting, I mean, it's more headcount, it's more work, it's a very specialized skill set, but it's also something that lends itself pretty well to AI automation, right? Much like, you know, tier one SOC analysis and stuff like that. Threat hunting, there's an awful lot you can do when you start throwing, you know, AI models at this, at this problem. So here's Damien Lukey explaining what Nebulock is. Enjoy.
B
Nebulock is an autonomous threat hunting platform. Basically we combine the ability to continuously test for malicious activity hiding inside your environment, while also giving customers the ability to translate these hunts into detections that they can push into their detection CI/CD pipeline or back into Nebulock. So you can kind of think of us as your single port of call for all post-exploitation to actions-on-objectives behavior.
A
Okay, so the big question is, why do I need this? Say I've got my EDR, it's all singing, all dancing, I've got my SIEM and whatever. Like, why do I need some automated agentic thing to go crawl through the same data looking for essentially the same sort of thing?
B
Yeah. And I mean, I caveat as like someone who's worked at a couple of EDR vendors in the past, this is just one person's opinion. I think twofold, right? Like one, strategically EDR companies are starting to move into other markets, right? And see like, hey, can we apply EDR to cloud security or CNAPP or other areas? So part of it might just be like folks are taking their eye off the ball. But I think more fundamentally, like EDR was built around anti-malware and exploit prevention, right? It was just hardening, accepting the fact that the endpoint was the perimeter and improving perimeter defenses, while also balancing the fact that, you know, if you threw an alert for every informational, low or medium, right, you're gonna blow up people's alert dashboards. And most folks don't wanna work with a system that's too chatty. The reality is there's so much value in the data that people have, right? And not every single customer has an active intruder at any point in time. But I'd be willing to bet, right, like as soon as you add more than two nodes to a graph, like you have n number of complexities, there are applications and risky prot running in every environment. We just don't know because we don't have the time and it's not being flagged. Right. But there's so much goodness. And if you actually think about like deeper, longer tail, like if, if you're dealing with a real APT, right, they are going to masquerade in your existing telemetry, right? Like you will only throw low or informational or no alerts until like they're getting out of Dodge, right? So to us the whole focus is like giving you more value out of all the stuff that you're paying for, right? Because there's so much there, you just have to know where to look.
A
So it's stuff that might not hit that threshold for something that's going to leap out of a SIEM screen or trigger a detection in an EDR console, but it's like there's something up, 100%, right?
B
A great example I can think of is like the remote access tool, North Korean wave that we've seen this year, right? Like EDR is not going to alert on TeamViewer running in your environment. But if TeamViewer is not the way that you do, like, RMM, that's not your RMM tool of choice, right? That's immediately a red flag. But we only know that now after the fact, understanding that that's how attackers are getting direct access to company secrets, right? So the whole focus is to give you more signal from all those lows, mediums, from things that haven't even alerted, right? Because there's a lot of goodness in telemetry, and surface that to a human, a human analyst or a human responder.
A
Okay, so what sort of data are you actually crunching here? Right? Because I'm guessing you're going to be taking in telemetry from things like EDR, from things like Corelight, from things like IdP logs. You're going to stick it all in either structured or unstructured, you tell me. And then you're going to let LLMs crawl all over it and figure stuff out. So why don't you give us a rough idea of concretely how this thing works, what sort of data it's looking at and what sort of signals it surfaces.
B
Yeah, 100%, right. So the best way to get telemetry is at the source. Right now we cover EDR and identity and access management platforms. We're kind of moving across the stack as we continue to build out the hunting capabilities of the platform. The really simple way is like we hit your EDR APIs, so we pull raw telemetry, same thing for your IdP. And the whole idea is like we want access to all the data so we can get as much juice for the squeeze when it comes to the hunting and analysis that we do. So you just need to share an API key with us and we plug in and away we go. Yeah. We've done 3,000 endpoints in five minutes, is our record so far in terms of onboarding customers.
A
Yeah. Now, speaking of, you're a very, very new company, just exited stealth. You've actually got some paying customers already. One thing I often say is nobody buys anything because it's cool. And this is very cool. What you're describing is very cool. But what's the thing that's making people actually plonk down the money to buy this? What is the actual killer use case?
B
Yeah, I mean, the killer use case really is, I think a lot of people want threat hunting, but really what they actually want is clarity and repeatability. Right. Like, I want to understand what's happening in my environment and not just rely on my existing security vendors or like the brittle detections that I've written to alert me when something's happening. So the reason that people are buying Nebulock is because we give you a continuous hunting ability for a fraction of an FTE. And I'm really honored to say that we've got some people who've joined us along the journey and it works, which is great. The proof, to quote one of our recent customers: it does what it says on the tin, which is really, really exciting to hear, particularly in security, when marketing and functionality don't always align.
A
Now, one of the other things you can do with this too, I believe, is you can actually take like public threat intelligence reports or even stuff that you've paid for and do some pretty sophisticated threat hunting based on that reporting, beyond an IOC hunt. Right. That's kind of the idea here.
B
Yes. So hunting at Nebulock is all focused around behavior. More power to the folks who want to do IOC-based hunting. But for us, we're really looking at behavior. And yeah, we've got two different sources of inbound telemetry. Right. We've got the EDR and IAM from our customers. And then we take threat intelligence. Right. Threat intel is a super valuable way to extract detection possibilities, to extract hunt hypotheses, and then run that across your data. A big component of Nebulock is we've got this virtuous feedback loop between external threat intel that's powering new and different ideas, and then the organic hypotheses that us and our agents are developing as we run hunts across people's data and surface new insights. I think to your point, Patrick, though, right, like, what customers can do is say, like, great, I've got this piece of threat intelligence, Nebulock, and what we've given them the ability to do is like, from a, from a piece of threat intel, one click, like, generate your own hunt idea, generate your own detection in English. You can select which operating system you want to run it across, right? So Windows or Mac right now, and Linux is coming soon. And the idea is like, you just click a button and we'll run the retro hunt across your data. You'll have a newly minted detection that's been tested and validated, and you can push that into wherever your detections live.
A
Now, in addition to the paying customers, you've also got a bunch of design partners, and you're covering quite a few endpoints these days. And I just wondered if you could tell me what's the coolest stuff that you've been able to shake out? And as I say, very, very new. Haven't been around a very long time, but what's the cool stuff you've been able to shake out immediately upon being deployed to some of these larger environments?
B
Oh, my gosh. Okay, so I've got a couple of examples. We'll start with some interesting malicious insider use cases. So obviously, like, we all have confidence around access control policies and what's allowed and denied. What we actually found was one of our, one of our design partners believed that they were preventing Tor from running in their environment, but Tor was actually misconfigured in the policy. So Tor browsers were running amok. But not only that, some folks had actually downloaded tools via Tor that presented some really risky implications to the business from a remote access perspective. We were able to catch that, like, right off the bat. So that was super exciting just to say, like, hey, you know, not only did we flag these two different misconfigurations and like, we've got these malicious insiders.
C
Right.
B
One of the employees was actually violating the company's code of ethics, but, like, immediately out of the box, provide that, that visibility and value. And that was on a CrowdStrike data set. So super exciting.
A
Yeah. So that was Tor browser executed, file came onto disk, file executed off disk. And that was surfaced from, like, what was the prompting that you had to give Nebulock to get it to tell you that?
B
Yeah, so I think a core component within Nebulock and the prompting that we had to give it is, you know, a lot of threat hunting starts with statistics and then is a whole lot of business context. So we looked at, you know, different processes running. It was a statistical anomaly. And then basically we were like, hey, based on these anomalies, find context and enrichment and see if you can get any more understanding around what this particular executable might be. And in near real time, the agent pulled that all together and said, hey, this is what you have, right? And this is why we're alerting on this.
A
It's so funny because that's always been such a good detection, which is: show me the 10 least common binaries, 10 least common processes in an environment. They're not good, they're never good, those outliers.
B
Oh my gosh. Right. And this is a really important part when it comes to how we built Nebulock, which is it's all about business context and broader context. Because if you look for statistical anomalies alone, you're going to have this wildly long tail of applications that could throw potential alerts. The key is to figure out what's the context of whatever that application is, what were its parent, grandparent processes, and then like, who's actually running that, right? So it's been interesting, right, like as we've continued to improve context and as we get more coverage in a more diverse data set, to be able to flag things like that faster, better and with more confidence, because AI, while great, is not perfect and we're always looking to fine tune and improve and post-train the agents that we have to deliver better, faster outcomes to our customers.
A
Now, I believe I derailed you there because that was the first example you were going to give. Like, what's another example of stuff you found?
B
Yeah, so this was a pretty cool one. We got to do a hunt along with one of our customers. So there was a suspected remote sharing services issue. And basically the customer was like, hey, you know, like we've got a hypothesis, but like, Nebulock, go do the analysis. And what we ended up finding was not just one, but a broad footprint of remote sharing tools across thousands of endpoints, ranging from standard collaboration apps to admin remote control utilities. And basically what we were able to do by being pointed and doing additional analysis was like a concrete map of where and how each of these tools was running, and then flagging a few that were exceptionally risky. So it was cool to satisfy the initial use case, but then based on the intelligence and the fact that agents can hunt much faster than we can run an SPL query, we were able to get all this additional context. And yeah, they were so excited, they expanded our footprint by an additional several thousand endpoints. So that was super exciting.
A
Yeah. So they had no idea this stuff was just like festering?
B
No.
A
Now where are you getting most interest from this? What sort of verticals is it? I'm guessing it's just larger teams who already might have like detection engineers, but they don't have that threat hunt piece. Is that kind of where it is?
B
Yeah. So it's interesting. That was my original hypothesis too. I'll make a long story short. I did a lot of customer discovery when I started this company. What we actually have seen is like enterprises between like 500 and 5,000 employees have kind of been our sweet spot. So late stage VC-backed tech companies or early public companies, banking and financial services institutions, and then retail of all verticals have been kind of where we've hit. And then we're expanding into healthcare. So that's another area that we're moving into. But it really is more folks like, you know, if you've got two people in security, you know, Nebulock is probably not a great solution for you. But as soon as you've got like a security engineer, a detection engineer, your team's maybe five or six, you immediately see the value, because you might not be able to pay what JP Morgan can pay for a team of 24/7 threat hunters and like former NSA people to write your detections. But you still have the same need. Like adversaries are still going to target you. In fact, those are the folks that get targeted a lot more than the JP Morgans of the world because they don't have those controls, they don't have those people.
A
All right, well, Damien Lukey, thank you so much for joining me to tell everyone all about Nebulock. It's very interesting stuff and indeed we'll be chatting with you a bunch more through 2026. Thanks for joining us.
B
Thank you for having me, Patrick.
A
That was Damien Lukey there of Nebulock. Big thanks to him for that. It is time for our next snake oiler. Now we're going to be chatting with Austin Gadient, who is the CTO and co-founder of Vali Cyber. And that is spelled V-A-L-I. Now anyone who listens to Risky Business regularly would know that if you're a VMware customer these days, like life's, life's a little bit tough, right? You know, especially since the Broadcom acquisition, life for VMware customers is a bit tough. They're not really doing a lot of feature development on it. There's some security features just frankly missing from VMware products. So Austin and his team developed Vali Cyber's main product to really help people get a handle on their VMware environments, particularly around trying to reduce ransomware risk. But you know, as I said at the top of the show, anything that's a ransomware control is going to be just generally a good security control as well. So here is Austin Gadient, the CTO and co-founder of Vali Cyber, explaining what they do. Enjoy.
D
Vali Cyber has a product that protects hypervisors from ransomware and other sorts of attacks. It's called ZeroLock. And so ZeroLock, one of the big capabilities of it is its ability to protect ESXi systems at the host level. And so we're the first company that has a runtime security solution that runs on ESXi systems that is digitally signed and certified by VMware. And for those listeners that are not familiar with attacks against hypervisor infrastructure, you need to look no further than Scattered Spider. So Scattered Spider has launched quite a few attacks against hypervisor infrastructure, notably the MGM breach, the Marks and Spencer breach. Those were all ransomware attacks against hypervisor infrastructure. And the reason that threat actors take this approach is they try to encrypt all the VMs that run on top of these systems. And if they do that successfully, it's a very devastating attack. You can imagine an organization's private cloud all goes down at the same time, which is really devastating. The other sort of attack that we see is more of a nation state level attack. You've seen this against the defense industrial base in the US. MITRE got breached, for example, in May of 2024. So the MITRE breach was on ESXi infrastructure. Basically the goal of the attacker was to break into that environment and dwell there for a long time because they recognized that there's a lack of detection and response capability in these environments. If they can dwell on the hypervisor, they can sit there for a long time and use it as a beachhead for further attacks into that network. Now ZeroLock is really special because it gets delivered as a VIB, or vSphere Installation Bundle, that is digitally signed and certified by VMware, as I mentioned. And so you can deploy it through vSphere just like a normal ESXi update. We also support any sort of Linux-based hypervisor like Proxmox or OpenShift. 
And there are a few key capabilities it provides, one of them being multi-factor authentication for command line logins. And so this is really important because one of the common TTPs we see of threat actors against these systems is stealing a credential for a system administrator account, then just logging into the hypervisor as an admin, downloading malware from there. And so by having MFA, you prevent a simple credential compromise from giving them all the keys to the kingdom. Another key capability is virtual patching. Virtual patching is essentially exploit prevention. You can also think about it this way, where we're going to block behavior associated with the exploitation of various applications on the system. And so a good example would be an escape-to-host exploit where the attacker gains access to a guest VM and they use a CVE or zero day to exploit that VM and gain access to the host itself. ZeroLock can block these sorts of attacks. And then lastly, I'll mention behavioral detection for various types of malware, one of them being ransomware detection. So we can detect when files are being encrypted on the system. And if we see that, we can block that behavior, we can kick the attacker off the box and we can even restore files that have been encrypted back to the pre-attack state and remove that damage. And so I think these attacks are just going to increase in prevalence because threat actors recognize there's good EDR tools on traditional endpoints. And so they're looking for systems that don't have EDR on them, like these hypervisors, and that's why they're launching attacks against these unprotected systems.
A
Now, I am absolutely not any kind of like vSphere or VMware expert here. Right? So why don't you tell us a little bit more about how this is deployed. Right, because you keep talking about, oh well, it's, you know, it's the hypervisor, whereas I just think of that hypervisor as that shim between that, you know, private cloud supporting infrastructure and the actual OS that's running in a VM. Right. So where exactly does your tech actually sit? Where do you install it? How does it work? You know?
D
Yeah, so the tech installs on the hypervisor itself. So in the case of the VMware environment, you typically are going to upload this vSphere Installation Bundle into vCenter. vCenter is the management console for ESXi hosts. And then there's just a simple process for updating the hosts using something called vSphere Lifecycle Manager. And so you just apply the new component or the new VIB to these systems like a typical update. And it's a very straightforward process that folks that are used to administering these environments would be familiar with. And on the Linux side it gets delivered either as a deb package or an RPM package that you just install with yum or apt or one of the common installation capabilities on Linux systems.
A
So this isn't something that you're installing into the VMs that are running in this private cloud. This is something that you actually, that is what, like an extension to the hypervisor that does all of this security goodness.
D
Exactly. And it's focused on protecting the hypervisor. It's not looking into the VMs and looking at the VM behavior, it's focused on protecting the hypervisor operating system.
A
Yeah, you were talking about like EDR and whatnot before. And like quite often people who are running these VMs, like they will have EDR in these VMs. But I guess the point here is there's a whole bunch of stuff that the EDR can't see.
D
Exactly. That's right. Running at the VM level, they're not able to see the activity on the host hypervisor. And this provides a beachhead or an area where attackers can get onto the network and launch further attacks.
A
Yeah. So give us an example of some sort of stuff that you've actually managed to catch in the wild, because I'm guessing, given the level of attacker activity around like vSphere stuff, I'm guessing you've, you've actually bumped into a few attackers in the wild, many of them, over the last few years.
D
Yeah, that's absolutely right. I think something that we see a lot is just attackers stealing a credential from a system administrator, using that to log in. So the SSH MFA capability or the command line MFA capability of this solution gets exercised quite a bit. If someone fails the MFA attempt, you're going to get an alert and that's one of the first signals that your infrastructure is being breached, or there's an attempt to breach the infrastructure. The other sorts of attacks that we've seen in stock would just be ransomware attacks where the attacker attempts to detonate ransomware on the hypervisor, and there's all sorts of different samples out there with all fancy funny names. But at the end of the day what they try to do is they try to shut down virtual machines that are running so that they can unlock the VMDK files, or the virtual hard disks. And that's what they try to encrypt. And so we have various detection and protection mechanisms that prevent that sort of activity. And this is something that we see on a regular basis.
A
Why is it that we need a third party tool just to give vSphere MFA? I'm curious about that part of it.
D
That's a very interesting point. I think MFA for the command line is something that has been asked before by VMware customers. It just hasn't been delivered yet. You'd have to ask Broadcom why they haven't done it. But I'm sure they've got their reasons and they've got their own product roadmap that they have to worry about.
A
I'm sure they have their own reasons. I just doubt any of them actually are good reasons. But I mean, you started off as a sort of Linux security company before moving into this specialty of, you know, hypervisor security. What was the reason for that?
D
Yeah, so three things kind of happened all at the same time. There was a meeting that we had with a Gartner analyst who suggested we take a look at hypervisor security. There was a meeting with our CISO advisory board. So we have the CISO advisory board with CISOs from large companies, small companies. And we basically went through a product roadmap of different capabilities we could add to the product. One of them was protection for ESXi systems. And that was the thing that got highest rated amongst this group of CISOs. And all those events happened at the same time as the MGM breach. And so the MGM breach was a major ESXi ransomware attack. And so it was just very clear that something needed to be done and there was a desire to have something done. So we just needed to figure out how to do the engineering work to deliver a product onto these systems.
A
And is it the case that you built out this part of the product and it just sort of ate your business? Like it was just the uptake was such that you focus less on the previous Linux stuff or how did that work?
D
Yeah, we still have customers using the Linux product and we still support the Linux product. But our main focus as a company today is on hypervisor security, in particular ESXi security. Just because there's so much demand for that capability and because there are so many attacks happening against VMware infrastructure right now.
A
Yeah, I mean, it's interesting for us, right, because we sit here and people say, hey, we would like to do a Snake Oilers spot and whatever. And we look and investigate the technology and see like, is this something that listeners will be interested in? And the one that really stood out is that like, this is such a big problem. And it's also, vSphere and whatnot is sort of seen as a bit of a legacy tech. So there's not investment going into it. There's not a whole bunch of people queuing up to offer solutions like yours. So. But, and yet the market is still really big. Right? And there's a, and there's a lot of work to be done there. So I'm just curious what sort of companies tend to be your customers? Like you mentioned the defense industrial base previously. I understand in your career prior to this company, you worked at the Air Force. So I'd imagine there's a bit of DIB, DoD sort of stuff. Is that, is that where this stuff is most popular or is it just anyone who runs vSphere? Is it sort of scattergun across the whole install base?
D
Yeah, so we have a lot of different verticals that we're engaged with. I think we see a lot of traction from heavily regulated industries or industries that have high security requirements, like the government and like the Department of Defense. But we see on the commercial side a lot of interest from banks and financial institutions and also healthcare organizations, hospitals. So those sorts of typical victims of ransomware attacks, or the organizations that are typically trying to really up their security to keep up with compliance or to differentiate themselves from their competitors. Those sorts of verticals are where we see the most traction with this product. And a lot of them are using VMware because they have private cloud implementations as well. So anyone that is using private cloud to some extent and is using VMware is going to be a good target for this product. I also think it's worth mentioning that there's a lot of growth in the private cloud industry. It seems like it's something that's dying and that public cloud is in the world. But private cloud is growing at a steady clip too. If you just look at Broadcom's reported numbers of their revenue growth for VMware, or Nutanix's growth as well. And Nutanix is a popular competitor to Broadcom. They're both growing at double digit CAGR and it's really interesting to see the growth of the private cloud as well as the public cloud.
A
So not as much of a dead industry as I was making out, huh?
D
No, I don't think so. I think it's a lively industry. And Broadcom's big push right now is all about private AI. They think that organizations are going to want to run large language models on private infrastructure so that they have all that data secured. We'll see if that ends up happening. But that's really what they're banking on, is a lot of growth from large language models. And generative AI.
A
All right, so I've got a couple of tech questions I just want to end on. Now, you mentioned before that you can detect, you know, encryption. So I'm guessing this is when people are actually taking over, like the, you know, the control plane, the VMware stuff, and they're just trying to, you know, unmount everything and just encrypt all of that storage. Are you just detecting those, you know, how are you detecting those operations? Is this just like looking at what's happening on disk, or is it looking at what's happening in memory? Like, I'm just curious how you, how you do that.
D
Yeah, we're looking at process behavior. So we're looking at the applications that are running on the system, or looking at the behavior of those applications. It's worth noting that the solution doesn't have any sort of kernel hooks or kernel modules. That's a big distinction between us and many EDR tools. The reason we don't do that is for stability and performance. But our detection capabilities are all based in user space. And we're really just looking at things like file access, program execution, network access, those sorts of behaviors that can be associated with malware activity, with ransomware activity.
A
But I'm guessing you will not be identifying that sort of activity when it's just happening on a single VM on this infrastructure. So this is more about when someone's taken over the whole enchilada and they're trying to just like encrypt everything when...
D
They're inside the hypervisor itself, that's when we're going to activate. If they're operating just inside the VM and there's no real activity that's being executed on the hypervisor, that's not something that we're going to be paying attention to. That's something the traditional EDR tool can see and can manage. We're focused on protecting the hypervisor activity now, 100%.
A
And I'm guessing this exploit mitigation stuff very much the same.
D
Exactly. That's right.
A
Yeah. So, I mean, this is almost like EDR for the hypervisor, like, stuff because it's a little bit exotic and like CrowdStrike don't sell it.
D
Yeah, I hesitate to call it EDR because there are architectural differences like lack of kernel modules or lack of kernel hooking. But it is a similar concept in that we're running an agent on the hypervisor. That agent is protecting it from attacks.
A
Yeah, I guess it's not an EDR. It's like host hardening with some detections, I guess. I don't know, it doesn't really fall into a neat category, does it?
D
Yeah, exactly. I think it's a hypervisor detection response is something you could call it. Not that we need another category in the security space. There are already way too many today.
A
No, 100%. Look, Austin, I think this sounds like there's a bunch of people out there listening to this who are probably going to be very interested in that. The name of the company is Vali Cyber and the name of the product is Zero Lock. So Zero Lock from Vali Cyber, V A L I. Austin Gadiant, thank you so much for your time.
D
Absolutely happy to be here, Patrick, thanks for having me.
A
That was Austin Gadiant there from Vali Cyber. Big thanks to him for that. And again, it is Vali Cyber. So our final snake oiler today, we're going to hear from Stephen Dowie, who is the head of engineering for Cape. Now Cape is an interesting one. I first heard of it quite some time ago now when a friend of mine was thinking about actually investing in Cape. And so I was well across this company for quite a while, and then I started hearing from friends of mine who were trying to introduce me to them and say, hey, do you want to try the service and whatnot? Like, it's generated actually quite a bit of buzz, at least in my community. And what Cape is, is a, you know, MVNO, right? It's a virtual mobile network operator. But normally we associate virtual mobile network operators with low cost service, right? Like white labeled service, maybe the, you know, generous data plan, speed not as good, you know, that sort of thing. Whereas what Cape is trying to do is actually offer a real premium experience and one that's very much centered on security and privacy. The whole idea with Cape is they do not collect much information about their subscribers at all, let alone on-sell it for profit, which is something that unbelievably American carriers actually do. So Stephen joined me to talk all about Cape. So look, not only do they not collect and sell data, but they're just trying to make their network much more secure and do things like spot devices acting weird, subscriber devices acting weird, and all sorts of stuff. You can even get hardened Android devices from them that, you know, play nice with their network and stuff. It's very, very cool. Stephen Dowie joined me to explain what Cape is all about. And here's what he had to say. Enjoy.
C
Cape is a mobile network operator built for privacy and security. First, we strive to protect people against a range of threats, specifically targeting through signaling attacks, protecting user information, geolocation information, your communications, and really your identity.
A
So how do you go about actually building a mobile network that's going to do all of those things?
C
Yeah, it's hard. You have to build it from the ground up. You have to build it and design it from an interoperability approach, but also rethinking how the systems are meant to work. You can't just take everything off the shelf and plug it in. You have to design it from a minimum trust model from the ground up, thinking through things like encryption, thinking through things like minimum PII collection, and building your system to actually be anonymous and not track people from the start.
A
Yeah, okay. Right. So basically the way this works is you're like a virtual mobile network operator, which means you're relying on other people's towers and whatnot, but the rest is you. The sort of core of your network is all managed by you. So, I mean, who are you using for starters? Who are you actually using for that last mile of like actually turning data into radio waves? So who are your telco partners?
C
We have a variety of partners. I can't reveal specifics, but it's in the US domestically, over 12 regional and national carriers. So you actually get the ability to have access to multiple different telco providers and get enhanced coverage as a result.
A
Yeah, I mean, I guess that's why I asked. Right. Which is. This all sounds great, but like, if you've only got one, you know, one of the smaller telcos in the US like, your coverage might not be great. So. Okay, that's awesome. That's a, that's a, that's a good change. So what, what sort of security and privacy risks? We'll get to the anonymity part in a bit, but what sort of security risks are you looking to address with something like this? We've seen a lot of problems in the United States, in particular of like, foreign adversaries using SS7 to track people. I guess that's maybe something that you're going to address. We've also seen that it's very difficult to monitor the security of things like iOS devices, because on the hosts themselves there's very little inspection you can do. Whereas if you're controlling the network, you might be able to spot some C2. So is it basically just a grab bag of everything that you're trying to.
C
Look at. Yeah, it's a very holistic approach. Our threat model, it includes a little bit of everything. Right. And what we kind of look at is everything from actual selling of user information, how do you minimize tracking and minimize the telcos and really your mobile provider being complicit in selling your geolocation information. The other thing we'll also look at is compromise. So compromise. As you probably know, every single telco has been compromised in the last 12 months. Salt Typhoon in April of 2024 was probably one of the largest compromises of US infrastructure and it affected functionally everybody. And they managed to compromise everything from call data records to geolocation information and it occurred for a period of months. So when we look at the problems we're trying to solve, it's everything from how do you minimize the data that we or your telco has about you in the case of breach. Right. Data can't be leaked or data can't be sold if you don't have it. Encrypting data as much as possible at rest or in such a way that only you can decrypt it or the person you're talking to can decrypt it. So in the case of breach it is not functionally usable. And then also protecting the perimeter of the network, but also protecting the internals between components. So traditionally telecoms really approached it from an interoperability and perimeter security model perspective, only kind of securing the outside from non-telco adversaries. We kind of approach it a little bit differently, which is we don't trust anybody and we make sure to secure the perimeter between not just ourselves but other telcos as well as internal to our own system.
A
I believe one of the ways you've done that is like you just don't support SS7 at all. You only allow Diameter for roaming and that sort of messaging between networks. Is that right? And Diameter is just like the newer signaling protocol. Right. For mobile networks?
C
That's correct. We only support 4G and 5G which enhances the security and reduces the attack surface.
A
Yeah. I'm guessing though that you still have to do some inspection and filtering on diameter messaging right across the network.
C
Absolutely. Diameter is not impervious to attacks or vulnerabilities. There are plenty of examples of it being used for targeting of individuals, tracking of individuals. So you still have to go through the effort to build signaling firewalls in order to protect individuals from just having their information requested, location information, or, you know, protect them against having SMS being hijacked or rerouted to an adversary leaking OTPs. All those are still vulnerabilities that can be exploited throughout Diameter.
A
Okay, no, this is interesting. Right. So you've, you've talked about building a more secure telco, essentially. Right. And I think that's, that is interesting because a lot of the US telcos, the stuff they do like here in Australia, like they just would not be allowed to do when it comes to the way that they handle their subscriber data. So, you know, that's an interesting model in and of itself. You know, people used to say data is the new oil. I think I prefer the term data is the new, you know, radioactive waste because it's very dangerous to hang on to that stuff. So it's great to see a company that, that thinks about it that way. What, what are you doing in terms of actually monitoring subscriber devices for signs of compromise? Is that something that CAPE also does?
C
We do have the ability and do partner with some enterprises, corporate entities in order to do that. Right. The way we kind of view it actually is most telecoms don't really value or do any support in any notion of like EDR or like network level monitoring. There's just too much data. Right. They don't really have the ability to monitor it at such a scale. And so for us, actually we don't necessarily want to be the ones that analyze or make decisions around if your devices are compromised. But we have access to very unique data that traditionally is unavailable to infosec and people with the tools and the ability and the incentives to monitor that data. So for us, we can integrate with corporate SIEM or SASE platforms in order to actually share that information and create a more holistic view of the world.
A
So you can pipe it out basically into some data pipeline product and then from there they can choose what to archive, what to pump into the SIEM.
C
Yeah. And honestly, we can also even make decisions or actions on it. Right. If you think about it from the perspective of international high risk travel. Right. When I go somewhere, there's opportunities for me to be targeted by local law enforcement or adversaries in the region. If I'm going to somewhere where that isn't particularly friendly to Americans. As an example, you know, it might be interesting to know when my information is being requested, when it shouldn't be, or I connect to a network that is a little bit suspicious, what can I do to actually mitigate that? And it could be things like identity rotation. Right. Changing your identities to make targeting actually harder, or alerting the actual infosec department around you know what is actually occurring.
A
You spoke about having access to data that normal infosec teams don't have. Like, what did you mean by that?
C
Signaling information. What cellular networks you connect to. Is there data leaking out over the VPN? Because you can't necessarily control all data with a VPN and an MDM on a mobile device. Maybe things like comm center traffic or system level apps are communicating outside of the bounds of the VPN.
A
Now is there a. I believe there might be sort of like a CAPE handset that is optional that you can use, which is some sort of modified Android thing. Is that right? Or have I got my wires crossed there?
C
That is true. We do have a device that you probably have seen that we sell to select customers. And it's for people with elevated risk profiles. It does a little bit more, but most of our customers end up just using a BYOD model.
A
Yeah. Okay, so let me ask, who is Cape for? Right. Is this for, you know, when I'm thinking about people who do risky international travel. Australia. Right. It might be like mining executives, for example, who are negotiating important deals in China. Right. Those guys are like, you know, their phone battery doesn't last because there's so many shells on the actual device. Right. Like, are you trying to, you know, service that end of the market? Is it for government? Like, who's it actually for?
C
Security and privacy is for everybody is our view of the world. If you think about it from the individuals with the most elevated risk profiles, probably government, defense, law enforcement. Yes. They also are users of CAPE and have incredible interest in using the products. But at the end of the day, they all are still part of the general population and you, you want to be able to provide privacy, security and a right to those as a result. I think there's a little bit of traditionally learned helplessness around privacy and security. And it's. Nobody's ever considered that there might be an option to have it. From a personal perspective, it's always been, oh, I have my telecoms I want to use for us. I think we're providing that option.
A
Well, I think the FBI's advice in the wake of Salt Typhoon is just telling everyone to use Signal. Right. Which solves some problems, but certainly not all of them. So you mentioned anonymity. Right. So is it possible to become a Cape subscriber while only providing very limited information? Like, what did you mean by that?
C
Yeah, I think it starts, if we go back to our holistic security model, it starts with the information you give. And for us, we want as little information about you, essentially enough to just collect payment and then give you a SIM card and provide you service. We don't need to know where you live. We don't need to know what your name is. We don't need to know who your relatives are. We don't need to know your Social Security number for sure. So for us it starts there and from there you build onto it. Right. You don't need to collect more detailed tracking information about an individual. I don't need to know where you live, where you go from nine to five.
A
I mean, is there a concern there that people might start using CAPE for nefarious purposes? If it's, you know, essentially like, it's like, you know, burner level of detail on a subscriber. Right. Like, you know, this kind of been, this can't be something you haven't thought about.
C
Yeah, of course. I think for us, we view privacy as a right and we don't make decisions around what people do with our network or what they want to do with their time or with their life. And so for us, it's a trade off you have to live with with respect to giving people the option to pursue privacy and the option to pursue what they want to pursue. And there's always going to be people who do nefarious things.
A
I'd imagine too that, you know, like, if I'm a criminal, I'm much more likely to buy a, you know, burner at a bodega than sign up with a credit card to a service like Cape in the first place. Right. So, you know, I'd imagine also if there were an instance of a subscriber being involved in some, you know, heavy crime, you do have that payment information to fall back on, which would be enough for law enforcement.
C
Yeah, we do. We are fully compliant with law enforcement. We do have, we do supply them with information. What I will say is it's minimal information. Right. So it's not necessarily enough to effectively track somebody, but it's, it's enough to comply with regulations.
A
Well, it might be enough to identify someone. Right. But not give law enforcement their life story and all of their location tracking.
C
Yeah. One thing on the individuals who may be interested in signing up for Cape is it's not necessarily just bad guys who would be interested in this. It's also people who, some of our customers have very interesting stories around, you know, things they're running away from. Right. You know, we've partnered with organizations around domestic abuse or journalists. Right. And there are individuals who have very real fears about, you know, their location information being bought by advertising brokers. Right. And even just Googling your phone and removing trackers on your phone isn't enough if your telecoms are also selling that information as well. So for us, we're more focused on those sorts of individuals rather than thinking about who may maliciously be using our network.
A
100%. Well said.
C
One thing I would say is we are live in the US. It is not hard to try out our network and just use it. So for us, we have a promo code that anybody here can use: "snake oil", all caps, all one word, for 33% off for six months. Privacy and security doesn't have to be optional. Give it a try.
A
All right, Stephen Dowie, thank you so much for joining me to give us the skinny on Cape. Very interesting. And I wish you all the best with it.
C
Yeah, thank you so much.
A
That was Stephen Dowie there from Cape. Big thanks to them for that. And as I said at the top of the show, if I were American, if I lived in the United States, even if I lived in the United States, I would absolutely be a Cape customer. The telco ecosystem in the United States is a mess. Frankly, as an Australian, I can't believe what they get away with over there. And Cape would seem to be an awesome remedy for that. So go sign up, tell them Pat sent you. But that is it for this edition of the Snake Oilers podcast. I do hope you enjoyed it. I'll be back soon with more security news and analysis, but until then, I've been Patrick Gray. Thanks for listening.
Host: Patrick Gray
Date: September 8, 2025
Guests: Damian Luke (Nebulock), Austin Gadiant (Vali Cyber), Stephen Dowie (Cape)
This special "Snake Oilers" edition of the Risky Business podcast brings three innovative security vendors into the spotlight. Each company presents their technology, targeting critical pain points in security operations, infrastructure protection, and privacy-focused mobile networks. Host Patrick Gray facilitates in-depth discussions with:
Below, each segment is broken down to capture insights, notable quotes, and key content moments.
Guest: Damian Luke (CEO & Founder, Nebulock)
Segment Start: 00:56
What is Nebulock?
Nebulock is an autonomous threat hunting platform. It pulls in telemetry from EDR and identity platforms, continuously tests for post-exploitation and suspicious behaviors, and allows users to rapidly translate hunts into new detections.
Why Use Nebulock if You Have EDR/SIEM?
Traditional EDRs are focused on malware and exploit prevention and are tuned to avoid alert overload, often missing low-signal or context-dependent threats.
How Nebulock Works
Killer Use Case
From Threat Intelligence to Custom Hunts
Early Value for Customers
Business Context – The Crux for Reducing Noise
Target Customers
Guest: Austin Gadiant (CTO & Co-founder, Vali Cyber)
Segment Start: 15:48
Background: The Hypervisor Security Challenge
Zero Lock Overview
Deployment Model
Why a Third-Party Tool?
Practical Attack Examples
Target Customers and Industry Trends
Technical Details
Guest: Stephen Dowie (Head of Engineering, Cape)
Segment Start: 30:09
What is Cape?
Technical and Policy Differentiators
Security/Privacy Risk Management
Network Security: Defense-in-Depth
Device Monitoring & Integration
Custom Handsets for High-Risk Customers
User Segments
Anonymity and Abuse Prevention
Getting Started
This episode brought listeners three solutions innovating at different layers of security:
Each company’s offering responds to concrete, unsolved industry pain points—making them especially relevant for listeners grappling with today’s threat landscape.
For more security news and deep dives, continue tuning in to Risky Business with Patrick Gray.