Spend Advantage Podcast
Welcome to The Spend Advantage™ Podcast by Varisource, the competitive advantage for your spend. Get access to discounts, rebates, benchmark and renewal savings for 100+ spend categories automatically for your company
We interview amazing people, companies, and solutions, that will help you 10X your bottom line savings and top line growth for your business --- https://www.varisource.com
Spend Advantage Podcast
How to get 5x more Pentesting and still save 50%?
Welcome to The Did You Know Podcast by Varisource, where we interview founders, executives and experts at amazing technology companies that can help your business save a lot of time, money and grow faster. Especially bring awareness to smarter, better, faster solutions that can transform your business and give you a competitive advantage
https://www.varisource.com
Welcome to the Did You know Podcast by Varisource, where we interview founders and executives at amazing technology companies that can help your business save time and money and grow. Especially bring awareness to to smarter, better, faster solutions that can transform your business. 1.3s Hello, everyone. Thank you for joining us today on another episode of the Did You Know Podcast with Varisource. This is Victor. I'm one of the cofounders, and today I have one of my favorite solutions. And as you guys know, we have a lot of different partnerships, but this is actually one of my favorite one of my favorite solutions. But also the founder is just so smooth. We have Elton on the call. We'll introduce him in a second. But Alton is the co founder of Vonahi, and essentially they're an automated network penetration testing platform. And once I understood what they built, it just made so much sense and it's needed. So welcome to the show, Allen. 1.6s
U1
I appreciate it. Thanks for the opportunity. Looking forward to it.
U2
Yeah. So why don't you give us a little intro of yourself and then maybe go into again that founding story, right? Like what were you doing before and what made you have that AHA moment that you're like, you need to go out and do this and yes, fascinating.
U1
Yeah, absolutely. So, von high security. We are an automated network penetration testing platform and we primarily focus on the network level, right? So we do offer some additional traditional cybersecurity services like web app testing, wireless assessments, spread, team engagement, social engineering, the whole nine yards. But we primarily focus on the network level when it comes to penetration testing. And so my background so just to kind of backtrack a little bit as to how I got started into the industry. So, first of all, I've been hacking since I was eleven. 7.1s I was back in AOL. We were all like in the chat rooms and stuff like that, having a good time. 2.4s
U2
I never forget somebody sent me a file and I opened it just out of curiosity and next thing you know, my screen started going crazy. They started flashing the screen. It was really like the Matrix, right? The screen was black. I could see the cursor blinker and blink and stuff like that and I was just like, what's going on when the world is happening here? And so. 1.1s The person that did it to me. They actually showed me how they did it. They were like, hey, I hacked you. They started open, closing the CD Rom. They printed something out on a printer. Just doing a lot of freaky stuff. And there's a tool called sub seven pro rat net devil. Those are very old popular tools in the, I guess the hacking community or influence community. 1s So I just started doing it to everybody else just out of curiosity. 2s
U1
I just wanted to get access to computers. I didn't care who the computer was, I didn't care what was on the computer. I just wanted to know, could I get access?
U2
Wow. 2.2s
U1
Yes. I became very passionate about that. It's kind of funny, passionate about hacking as a kid, but anyways, so I don't know how to code in visual basics, and my AOL is the messenger client and just really kind of went that route for several years as a teenager. And I didn't realize you can get paid to hack until I got much older. And so I got my first opportunity back in 20, I believe, to work in basically cybersecurity. It got promoted pretty quickly. And so for the last ten years I've been pen testing as a professional pen tester. And obviously I have a coding background too, starting from a while back. And so the reason I started Bonna High Security was because as a penetration tester, there's just a lot of inefficient issues. I am a very impatient person, right? Like 1.1s in a good way. Like when I see a problem, I want to resolve it. I want to be the person to get involved to resolve it. I don't like to just talk about things for years and months and meet about it. I like to actually do it. I'm very driven, I'm all about action. Right. And so a lot of the challenges that I ran across when working for other companies is that I believe that we could do things a lot better as a penetration tester. Like, for example, penetration testers don't like writing reports. We hate it. We just want to hack and we want the report to write itself. But I was trying to move towards that, right? Like, so, hey, you know, we're hacking companies all day long, but we're having to copy icons back and forth and Word documents. There's something weird about this. Doesn't seem to sit right with me. I propose the idea behind automating reports something that you would think should be automated and would have been automated for a long time and just never really got a lot of traction. And so that's what initially got me to go out on my own because I just got tired of doing things the old way, very slowly and very inefficiently. And so I wanted to build something that I could use to automate myself as a pen tester and deliver much better results through efficiency. And that's pretty much the story behind Von high security.
U2
Yeah, that is what an amazing childhood. It'd be interesting to go back and find all the friends you had back then and see what you found on their computers, I guess, back then, if they're still your friends. But that is so fascinating because I think you have all the ingredients, right? Not only do you have a cyber security, like you're interested in hacking and then but you also are a coder and then you kind of see all angles of this problem and yes, it's absolutely amazing. And obviously this is a problem, especially cyber security, as you know. Right? It is like wildfire today. I mean, there's so many bad guys out there. It's a very profitable business for those guys and they're obviously trying to obviously every company, for compliance reasons or another, they want to make sure they're protected, maybe through compliance or just insurance, like they want to do pen testing for themselves or make sure they're as good as they can be. 1.6s But the fact that right now kind of for people, for a lot of companies who just do it because they have to, or they just hire some guy to come in and do it once a year because once maybe expensive, or they just feel like it's something they need to do, right? Like I just need to buy car insurance. I don't know, I guess I need it, so I just buy it. They don't actually understand what the report or what it is. 2.4s How would you explain Pen testing to founders or stakeholders at these SMB market companies? What is pen testing? Why do they need it? And yeah, what do you think?
U1
Yeah, absolutely. So we'd like to kind of touch on the difference between Pen testing and vulnerability assessments because I think the vast majority of the listeners probably understand what vulnerability scanning is, right? So vulnerability scanning is really just you run your typical open boss nessus, rapid seven or whatever, and typically vulnerability scanners are designed to just tell you, hey, here's a vulnerability, here are all the things that could possibly happen one day in the future if you don't do anything about it, right? So it just basically tells you the things that could happen and that's where it leaves off. And I think that's why there's a lot of issues with vulnerability management remediation, because there's just so much noise and people don't really know what to focus on. But when it comes to penetration testing, that's where we're now talking about impact. Right? So the vulnerability assessment told you that this vulnerability could potentially lead into X. Now, from the penetration test perspective, we're basically proving it. We're taking the critical issues that regardless of their severity, ratings and a vulnerability assessment, we're taking those issues and we're actually exploiting vulnerabilities, conducting lateral movement within the environment, escalating privileges, looking for sensitive data. And the end goal of a penetration test is to prove the impact of the vulnerabilities, right? So at the end of the report, we want to say, hey, here's all your sensitive data, here's all of your intellectual property, here's your confidence with things that you don't want people to get access to. Like here it is, here's a screenshot, here's the proof, right? And then the penetration tests, what we do is we basically say, hey, these are the things that we did, or these are the tasks that we were able to accomplish in order to get to this sensitive data. So we're picking up where the vulnerability assessment off. So we're not just saying, hey, this vulnerability exists, here's something that could possibly happen, we're actually showing it by impact, we're demonstrating it, walking you through that process and then showing you how to fix each single step of the way that led to us getting access to that sensitive data.
U2
Yeah. And then you're kind of automating that through your platform, which is part of the game changing aspect. Because when you can automate, you can scale, you can 1s be more cost efficient as well. So we'll get to that. But I guess walk through the audience, 4s what is the current way? What's the old way? Right. And a lot of people start doing that old model, which is, again, maybe to hire a consultant, to hire somebody to come in once a year, kind of do it as a professional service. What is the old way that's manual that's not efficient. Right. And then talk about kind of how you guys are doing it through automation, because that is amazing. Obviously, we love the audience to schedule demos with us to see it live, but can you walk the audience through what's the problem people are facing in the old way and how are you guys solving it?
U1
Absolutely. So there's a lot of inefficiencies on both sides, right, when it comes to scheduling right. Looking for the penetration test and then even on the other side from the pen testers, basically on the execution. So to start off with the customer looking to do a penetration test. The old way would be to look around to see what type of security companies are available, obviously get some pricing information, try to figure out when they're available to do the test, what is the methodology look like, get some sample reports. Basically, you have to kind of call around and figure out who can do your work for you. And with that process, we all have discovered that when it comes to traditional pen testing is extremely expensive, right? Like, it's extremely expensive. And that's just for one time. Not twice, not three times, just one time. And then, not only that, but typically, depending on the time of the year, you may not be able to get a penetration test scheduled for the next two or three months. And then on top of that, whenever the princess kicks off, whenever you get that person engaged, it can take another month or two just to even get the results. Right. So the start to finish process for, hey, I need a pen test, is, like, 2.1s very time consuming. It takes a long time. It's very expensive. It doesn't really provide as much value as we're seeing today with automation. Right. So. And then on the penetration testing side, just to kind of collaborate on that a little bit before I kind of dive into what we're doing. So as the people who were typically doing a penetration test, the penetration testers were, you know, usually having to run a lot of commands manually, over and over and over, having to write these long reports, which obviously increased is the cost for the customer because they're doing a lot of inefficient things rather
U2
than automating them. 1.9s For the pen tester, who's actually executing the work? 1.3s What do they have to do to even they have to try to hack the system or they use tools and they have to do the testing and then they take all that result and have to go back and write a ten page, 20 page, whatever, documentation of what they found manually. Is that correct?
U1
Exactly. 2.1s Free, time consuming. Take the report, write it up, go back and forth with QA for a couple of days and then you finally deliver it. And there's just a lot of issues with that process. It takes a really long time. And if the consultant is doing two assessments at the same time, or even three, which is not uncommon for pen testers, it can get very confusing. You can start mixing up data if you have two clients with the same name, like, you know, the proof of concept. I mean, the point of contact name is Bill. If you got two of them named Bill and then you get the names mixed up. I peter is mixed up. So there's just a lot of room for error as a human conducting a penetration test 1.1s and the way we've solved both of these problems. Right. So on the customer side now, as opposed to having to like, call around to figure out who's available, what can they do it? How many millions of dollars is going to cost? They could just simply log into the platform, schedule a pen test to run whenever they want. They could have one running today or tomorrow or on Christmas. There's no limits as to when the test can run. And you can also do it more than just one time. So rather than just a once a year pen test, you can now do it multiple times a year. And on top of that, the cost is only 30% of a one time traditional pen test. So you can basically do however many test assessments you want throughout an entire year for just 30% the cost of a traditional single pen test. So there's a lot of benefits that we've been able to add as far as the cost goes and of course, the turnaround time, because we're not having to manually conduct all of these tasks, we have that automated. So rather than waiting two months for a Pennsylvania report, you'll get your results back in just a matter of a few days. And because it's automated, it eliminates the possibility of typos and errors and mismatch and stuff like that. So there's a lot of things that we've seen from the automation site that has significantly improved the way penetration testing has been conducted.
U2
What about on the Pen tester side? Could they leverage this or is this more of a competition to them? Or how would they leverage this tool? 1.6s
U1
Yeah, honestly, it's really cool. Like the kind of feedback that we've gotten from penetration testers. You know, as we were starting to build a solution, I really thought that we were going to have a lot of pushback from Pen testers. But we get on the phone with them, like they fall in love. They're like, oh yeah, I absolutely hate writing reports. And we just get each to others. We all are on the same page. It's just that they can use our solution to basically do other things that they don't want to do. So they can use VPN test to run the assessment, not have to write the report. And they could focus on things like web apps or they could try to dive a little bit deep into some of the other exploits that aren't necessarily as common as the ones that are exploiting. So they could take that time to dive a little bit deeper if they want to without having to deal with the headaches of like the back and forth QA and the reporting and stuff like that. So there's a lot of ways that the Pen testers could use the platform to also make their job a lot easier. And so far they've loved it. We haven't gotten a lot of push back with it, surprisingly.
U2
Yeah. So I got a billion dollar question for you, man, because I mean, that's the type of potential I see if you guys prove out the question I'm about to ask, that this thing is game changing, right? Anytime you can automate such an expensive and big 1.3s category, you got something awesome. 1.4s Obviously, when you automate, there's always the risk or concern that it's not as good. Sure you have some upside, which is it's faster, you can automate and all of these things. But is the accuracy, is the level of testing, is the results 1.2s better or the same? Right? 1.3s I want you to not only tell me that it is, which I'm sure you're going to say it is, right? But how is it different? How is it better than the reports that people are generating? Because again, if the people doing it has better results because of X, Y and Z, but they are more expensive in those things. Okay, now you've got some comparisons, right? But the billion dollar comes in when, hey, you're doing it cheaper, better, faster, and you're more accurate and you're automating. So walkers, I think that's a key thing. Love to hear from you on the results of the report. 1.6s
U1
Yeah, absolutely. So we do offer proof of concepts, right? So, free trial. So partners have the ability to basically sign up, do a pen test compared to the last pen test report. And we do like some calls as well to kind of walk in the reports to help them understand and stuff like that. So we've actually had a lot of partners and even larger besides. MSSP and cyber security companies compare our reports with the traditional pen test report from you to the previous year or side by side with their consultant. And the results are typically very close to the exact same or us providing a lot more. And then to kind of walk you through our methodology on how we're able to accomplish that and what we're doing, So whenever our automation completes, we actually have A-Q-A process where we basically go in, we have contestants on our team that are kind of playing the role of hey, I bet you can't do this. So it's kind of like a cat and mouse game for us. And so what we do is we basically take the opportunity in the QA window, which is two business days, to see if there's any opportunities or anythings that the platform didn't find or things that could be automated going forward. And so if there are new things that a person is able to find because they just happened to dive a little bit deeper and go a different angle or whatever, they will take that result. Like we'll take that process and we'll go back and automate that going forward. And we've been doing that since the beginning of the platform. So, I mean, you can imagine you have a human that's constantly trying to prove the platform isn't working and when they find these different areas, we go back and we implemented. So we have a process that allows us to continuously build based on what a human is doing, right? So it's never at a point to where it's like we've automated everything, it's time to walk away. We're constantly making sure that we're improving, finding different gaps that a human would find and that's how we keep the results just as comparable as to previous tests.
U2
So why network ten test? Meaning is that just because of your expertise, the easiest category to kind of start with? And I heard you say you have other, I mean, there's other areas of testing. Is the goal or what the roadmap is to be able to automate this concept of automated testing through other categories as well? Or what does that look like? 1.9s
U1
Yeah. So my background is primarily on the network side. Early on in my career I used to do both web app testing and network testing. And so if I were not moved to different largest type of security companies, we had different teams to do web app stuff. So like the apps and team and we primarily focus on the network side of it and more rate team engagement. And so that's primarily a lot of the things that I wanted to throw into the platform, all the things that I was doing, the people I was working with was doing, so that I could automate that process and that logic. And then of course, when it comes to network testing, there's a lot more like you can predict a lot more than you can, as opposed to like web app testing, for example, there's a lot more dynamics when it comes to web app testing compared to network testing. Every FTP server is an FTP server, right? There's not really too much you can do outside of the standard things to interact with an FTP server. But when it comes to a web app testing, I mean, there's a lot of different things that change. Everything is different when it comes to different applications, right? 1.2s And also too, when it comes to media compliance and cyber liability, the primary focus is really network penetration testing. They want to make sure that the environment is secure and so we have a pretty good handle on building up more and more logic to feed onto the network pen testing as far as our roadmap. And we do have the capability to perform like wireless testing and automate that. Obviously it's not as high in demand as it was prior to COVID but those are assessments that are primarily commandline driven as well that we can automate. So we do have some other services that we want to get into down the road, but for now we're heavily focused on the network side of it.
U2
So for, again, the business owners who care about security, they may not have the resource expertise to really understand cyber security, right? What would you say to them as what are they really dealing with, even the SMBs, the mid market, what are they dealing with this new world where cyber criminals are everywhere and they're targeting everybody, right? And like, what are they dealing with that they're not even aware that you want them to know? Like, hey, you might run it once a year, but like it's not enough. Or like, hey, this is what you're dealing with. You're playing with 1.5s being a security expert since you're twelve years old. 1.8s What advice or what would you tell these business owners what they really should be concerned about? 1.7s
U1
Yeah, I mean, I think one of the biggest problems that we see is that companies don't believe they're going to be a target. It's always there's this common thing where, like, if you're too small or something like that, you see some people say, well, we don't have anything for an integrity to do to compromise it for, and no one would target us, we're too small, blah, blah, blah. But the reality is there's kids that are just sitting on the Internet looking for vulnerabilities. You have some motivated attackers who are looking for specific things. Yeah, exactly. 2.2s You have some like, motivated attackers who have very specific objectives in mind and stuff like that. But you also have a lot of people who just want to get into hacking. And so the first vulnerable company that comes up, they're going to go after them just because it's easy. You're sitting behind a computer. Why not? Right? You just want to see if you can compromise an environment. A lot of curious minds out there. 2s I would definitely say that you should definitely be aware and be mindful that it's possible that you could become a target. A lot of small businesses go out of business due to a cyber attack, right? So you just don't want to become one end up in that scenario. I know that there's a lot of companies who want to do Pen testing and stuff like that and improve their security, but it's just that the cost of these traditional services are just too expensive. And so, yeah, I mean, there are solutions out there like us that will bring the cost down and make it more affordable and impossible to actually get into cybersecurity and start implementing security controls.
U2
Sure. So a couple of last questions for you. So as companies go to the cloud more and more, whether it's AWS, Azure, GCP, other cloud services, how does that impact the Pen testing? Does that change anything at all? Does that kind of impact as a lot of even their firewalls, all these things start to go into the cloud? How do you guys work with that? Or 1.3s how does it complement or does that kind of impact what you guys do? 1.6s
U1
Yeah. So there are, like, new aspects of, like, cloud like cloud security assessments that are kind of a little bit different from pen testing. And we do those two prefer more of a manual basis. But when you think about the cloud environment, we do have some pretty large customers that their cloud environment is basically just like an on prem environment. It's just that rather than having physical devices, those devices now live in AWS. Right? So they would deploy our virtual machine the exact same way as they would do it as if they had a nonspring environment. It's just that their environment is now hosted in a different location. Pretty much it. But a lot of the network stuff that we typically run across that are on prem are still present in the cloud environment. So there's a little bit of shifting there too, but we're able to accomplish the same goals they're just hosted in a different environment, if that makes sense. Yeah,
U2
no, for sure, man. Look, you should go, like, start a class or something. I feel like every time I talk to you, you teach me a lot and I just love hearing you still knowledge. 1.7s My last question for you, man, is 2s if you have to give one advice to founders or company owned owners or stakeholders listening to the show, one advice, whether it's a personal advice, business advice that you're really just, like, really passionate about, that you believe in, what would be the one advice you would give? You think. 1.9s
U1
Yeah, I think the biggest thing for me is really just be open minded because honestly, when I started like, this journey of my business, I was just intending to build something for myself to become a better pen tester. And as we started putting together Martin or Co, we started opening up like other opportunities for automating more and more stuff. So I totally understand people and they're like, yeah, this isn't possible. You can automate pen testing because I was once in the same shoes, but now being more open to it and kind of exploring that area, obviously believe that it is possible. Right. So I think we should definitely just ask ourselves, well, not necessarily say it's impossible, but maybe the question should be how is it happening? Or what are the things that are doing behind the scenes? Because when you think about just technology in general, automation is something that we've seen more and more of right over the last 510 years. When you used to mention the term AI, like five, six years ago, people look at you like you were crazy. Like, oh man, here we go. Another buzzword. Doesn't mean anything. It's going to go away in a few years. But here we are. Things are happening automatically in the world. Self driving cars and kitchens, preparing themselves, like preparing the meals and stuff like that. So, yeah, I would definitely just say be open minded to the possibility of things changing. Even if we don't know how it's going to change, just know that it's possible and it's just a matter of how's it going to happen. That makes
U2
sense. Yeah. No, when I talk to you, I would say, man, he got it all together. He knew this from the beginning. He's been sharp and then he just figured it out and made it happen. But it's interesting to hear you guys, like, I don't even know it's possible. 1.5s You made it work. But no, it's an amazing product and we're super excited to partner with you guys and I really appreciate you spending time with us.
U1
Yeah, likewise. I appreciate as well. Thanks for opportunities. 1.6s
U2
That was an amazing episode of the Did You Know podcast with Varisource. Hope you enjoyed it and got some great insights from it. Make sure you follow us on social media for the next episode. And if you want to get the best deals from the guests today, make sure to send us a message at sales@varisource.com.