Risky Business: Snake Oilers – Nebulock, Vali Cyber, and Cape

Host: Patrick Gray
Date: September 8, 2025
Guests: Damian Luke (Nebulock), Austin Gadiant (Vali Cyber), Stephen Dowie (Cape)

Episode Overview

This special "Snake Oilers" edition of the Risky Business podcast brings three innovative security vendors into the spotlight. Each company presents their technology, targeting critical pain points in security operations, infrastructure protection, and privacy-focused mobile networks. Host Patrick Gray facilitates in-depth discussions with:

• Nebulock: AI-driven, autonomous threat hunting for security teams
• Vali Cyber: Zero Lock, providing specialized hypervisor security for VMware ESXi environments
• Cape: A US MVNO built with end-to-end security and subscriber privacy at its core

Below, each segment is broken down to capture insights, notable quotes, and key content moments.

Segment 1: Nebulock – Autonomous AI Threat Hunting

Guest: Damian Luke (CEO & Founder, Nebulock)
Segment Start: 00:56

Key Discussion Points

• What is Nebulock?
  Nebulock is an autonomous threat hunting platform. It pulls in telemetry from EDR and identity platforms, continuously tests for post-exploitation and suspicious behaviors, and allows users to rapidly translate hunts into new detections.

  • "You can kind of think of us as your single port of call for all post exploitation to actions on objectives, behavior." (02:59, Damian)

• Why Use Nebulock if You Have EDR/SEIM?
  Traditional EDRs are focused on malware and exploit prevention and are tuned to avoid alert overload, often missing low-signal or context-dependent threats.

  • "If you're dealing with a real APT, right, they are going to masquerade in your existing telemetry ... the whole focus is like giving you more value out of all the stuff that you're paying for, right? Because there's so much there, you just have to know where to look." (04:17, Damian)
  • Example: EDR won’t alert on legitimate tools unless business context is provided.

• How Nebulock Works

  • Onboards via API access to EDR and identity platforms.
  • Harvests raw telemetry and applies AI/LLMs for hunting.
  • Rapid onboarding: "We've done 3,000 endpoints in five minutes, is our record so far." (07:00, Damian)

• Killer Use Case

  • Continuous, low-FTE threat hunting, providing repeatable clarity without building a massive in-house team.
  • “It does what it says on the tin.” (08:10, Damian, quoting a customer)

• From Threat Intelligence to Custom Hunts

  • Integrates threat intel and allows one-click creation of behavioral hunts and detections from public or private reporting, not just IOCs.
    • “From a piece of threat intel, one click – generate your own hunt idea, generate your own detection in English.” (09:20, Damian)

• Early Value for Customers

  • Immediate detection of policy misconfigurations and risky behaviors (e.g., Tor browser running where it shouldn’t, or discovery of unauthorized remote access tools).
  • "Right off the bat, we flagged these two different misconfigurations and ... these malicious insiders." (10:37, Damian)
  • "It's so funny because that's always been such a good detection, which is show me the 10 least common binaries... they're not good. Those outliers." (12:03, Patrick)

• Business Context – The Crux for Reducing Noise

  • "It's all about business context and broader context . . . if you look for statistical anomalies alone, you're going to have this wildly long tail... The key is to figure out what's the context." (12:18, Damian)

• Target Customers

  • Sweet spot: Mid-size enterprises (500–5,000 employees), especially VC-backed tech, banking, retail, and moving into healthcare.
  • "As soon as you've got a security engineer, a detection engineer, your teams, maybe five or six, you immediately see the value..." (15:10, Damian)

Notable Quotes

• “Threat hunting... lends itself pretty well to AI automation, right?” (01:20, Patrick)
• “A great example ... is TeamViewer running in your environment. If TeamViewer is not your RMM tool of choice, that's immediately a red flag…” (05:33, Damian)
• “The proof... It does what it says on the tin, which is really exciting to hear, particularly in security when marketing and functionality don’t always align.” (08:10, Damian)
• “AI, while great, is not perfect, and we're always looking to fine-tune and improve and post-train the agents that we have.” (12:48, Damian)

Segment 2: Vali Cyber – Zero Lock for ESXi/Hypervisor Security

Guest: Austin Gadiant (CTO & Co-founder, Vali Cyber)
Segment Start: 15:48

Key Discussion Points

• Background: The Hypervisor Security Challenge

  • Attacks against VMware ESXi are surging, especially post-Broadcom acquisition; little feature development or security improvements from VMware itself.
  • High-profile attacks such as Scattered Spider (MGM, Marks and Spencer) and the MITRE ESXi breach underline the stakes.
  • "Scattered Spider has launched quite a few attacks against hypervisor infrastructure, notably the MGM breach..." (17:18, Austin)

• Zero Lock Overview

  • Delivers runtime security directly on the hypervisor (ESXi) as a VMware-certified VIB (vSphere Installation Bundle).
  • Also supports other Linux-based hypervisors (e.g., Proxmox, OpenShift).
  • Key features:
    • Multi-factor authentication for command line logins
    • Virtual patching/exploit prevention for host escape exploits and others
    • Behavioral detection and ransomware rollback: Detects and stops hypervisor-level ransomware, can restore encrypted files.
  • "We can detect when files are being encrypted on the system ... block that behavior, kick the attacker off the box, and even restore files that have been encrypted." (19:13, Austin)

• Deployment Model

  • Installs on the hypervisor itself, not inside guest VMs.
  • On VMware, deployed via vCenter and Lifecycle Manager; on Linux, via standard package managers.
  • "You just apply the new component or the new VIB ... it's a very straightforward process..." (20:35, Austin)

• Why a Third-Party Tool?

  • MFA for CLI logins is not natively available in vSphere/ESXi products.
  • Demand driven by customers and advisory boards, with a notable bump after the MGM ESXi attack.
  • "MFA for the command line ... just hasn't been delivered yet. You'd have to ask Broadcom why." (23:26, Austin)

• Practical Attack Examples

  • Stolen admin credentials, ransomware that attempts to shut down VMs to encrypt VMDK files, and failed MFA alerts as breach signals.
  • "If someone fails the MFA attempt, you're going to get an alert and that's one of the first signals..." (22:23, Austin)

• Target Customers and Industry Trends

  • Regulated industries/government (defense, finance, healthcare), but also broader as private cloud adoption persists.
  • "Private cloud is growing at a steady clip too... Broadcom's big push right now is all about private AI." (27:18, Austin)

• Technical Details

  • Detection is in user space, without kernel modules for performance/stability.
  • Monitors process behaviors on the hypervisor.
  • "The solution doesn't have any sort of kernel hooks ... our detection capabilities are all based in user space ... looking at things like file access, program execution, network access." (28:08, Austin)
  • Focus is solely on the hypervisor itself, not on attacks contained within guest VMs.

Memorable Exchanges

• "This is almost like EDR for the hypervisor ... CrowdStrike don't sell it." (29:13, Patrick)
• "I hesitate to call it EDR ... there are architectural differences ... but it is a similar concept." (29:20, Austin)
• "I think it's a hypervisor detection response is something you could call it. Not that we need another category in the security space." (29:41, Austin)
• "Private cloud is not as much of a dead industry as I was making out, huh?" (27:14, Patrick)
• "No, I don't think so. I think it's a lively industry." (27:19, Austin)

Segment 3: Cape – A Privacy- and Security-Focused US MVNO

Guest: Stephen Dowie (Head of Engineering, Cape)
Segment Start: 30:09

Key Discussion Points

• What is Cape?

  • A US-based virtual mobile network operator (MVNO) architected for privacy and security.
  • Doesn't harvest or sell customer information; also actively limits information held.
  • "Cape is a mobile network operator built for privacy and security first. We strive to protect people against a range of threats..." (31:54, Stephen)

• Technical and Policy Differentiators

  • Minimal PII collection; just enough for payment and service provisioning, no legal name or address required.
  • Zero SS7 support; only allows modern and (somewhat) more secure signaling protocol (Diameter).
  • "We only support 4G and 5G, which enhances the security and reduces the attack surface." (36:27, Stephen)
  • Over a dozen regional/National carriers backing their “last mile”, enabling broad coverage. (33:13)

• Security/Privacy Risk Management

  • Focus on threats like location tracking (e.g., via SS7 and Diameter), device compromise, and minimizing data exposure in case of breach (like the “Sol Typhoon” incident in April 2024).
  • "Every single telco has been compromised in the last 12 months ... Data can't be leaked or sold if you don't have it." (34:19, Stephen)

• Network Security: Defense-in-Depth

  • Signaling firewalls for Diameter, not just SS7.
  • End-to-end encryption in transport and for user data.
  • Zero-trust model, enforcing security between systems and between partner telcos – not relying solely on perimeter.

• Device Monitoring & Integration

  • By default, prefers privacy, but for enterprises, can integrate Cape network metadata/signals with external SIEM or SASE platforms.
  • "We have access to very unique data that traditionally is unavailable to infosec and people with the tools and ability and incentives to monitor that data." (37:53, Stephen)
  • Use cases include high-risk travel, suspicious signaling events, and even identity rotation for at-risk users.

• Custom Handsets for High-Risk Customers

  • Offers a custom Android handset with hardened firmware for select users with elevated risk profiles (e.g., government, journalists).
  • "It does a little bit more, but most of our customers end up just using a BYOD model." (40:13, Stephen)

• User Segments

  • Anyone can subscribe, but there’s special interest from government, defense, law enforcement, journalists, and people escaping abuse.
  • "Security and privacy is for everybody is our view of the world." (40:57, Stephen)

• Anonymity and Abuse Prevention

  • Privacy is a right; Cape collects only what is required and complies with law enforcement requests, but has little data to provide.
  • "We don’t make decisions around what people do with our network or what they want to do with their, with their time or with their life... There’s always going to be people who do nefarious things." (43:09, Stephen)
  • Payment info is required, providing some accountability.
  • Also helps survivors of domestic abuse, activists, journalists, and others at risk who seek strong privacy.

• Getting Started

  • Available in the US, takes minimal effort to switch.
  • Promo code: SNAKEOIL for 33% off six months (45:17)

Quotable Moments

• "Data is the new radioactive waste because it’s very dangerous to hang on to that stuff." (37:14, Patrick)
• "We want as little information about you, essentially enough to just collect payment and then give you a SIM card and provide you service. We don’t need to know where you live. We don’t need to know what your name is." (42:16, Stephen)
• "Privacy and security doesn't have to be optional." (45:17, Stephen)

Conclusion

This episode brought listeners three solutions innovating at different layers of security:

• Nebulock: Removes the tedium and complexity of threat hunting with continuous, behavior-driven AI analysis—especially valuable for resource-constrained security teams with complex environments.
• Vali Cyber’s Zero Lock: Places robust, host-level security on an overlooked layer—hypervisors—addressing a real and present ransomware and APT risk in private clouds.
• Cape: Rethinks US mobile service from the ground up to deliver a radically privacy-respecting, security-first network, providing practical options for both high-risk and everyday users.

Each company’s offering responds to concrete, unsolved industry pain points—making them especially relevant for listeners grappling with today’s threat landscape.

Timestamps: Segment Highlights

• Nebulock Introduction & Value: 02:55 — 15:48
• Vali Cyber on ESXi Security: 15:48 — 30:09
• Cape on MVNO Privacy/Security: 30:09 — 45:46

For more security news and deep dives, continue tuning in to Risky Business with Patrick Gray.