Risky Business - Risky Biz Soap Box: runZero shakes up vulnerability management
Episode Date: September 15, 2025

In this sponsored Soap Box edition of the Risky Business podcast, industry legend HD Moore joins the show to talk about runZero's major push into vulnerability management. With its new Nuclei integration, runZero is now able to get a very accurate picture of what's vulnerable in your environment, without spraying highly privileged credentials at attackers on your network. It can also integrate with your EDR platform, and other data sources, to give you powerful visibility into the true state of things on your network and in your cloud. This episode is also available on YouTube.
Transcript
Hi, everyone, and welcome to another Soap Box edition of the Risky Business podcast. My name's Patrick Gray. These Soap Box podcasts are wholly sponsored, and that means everyone you hear in one of them paid to be here. And today we are chatting with HD Moore, who runs runZero. He's the chief executive and founder of runZero, which started off as an asset discovery platform. But as you're about to hear, they've done a huge, huge push into vulnerability management, which is going to shake things up, in my opinion, pretty substantially. Many of you may know HD as the creator of the Metasploit framework, which was first released all the way back in 2003, so 22 years ago, which is making me feel a little bit old, going to be honest, because I remember writing about the release at the time. But yeah, HD, thanks for joining us, and let's get into it, right? So runZero was always, you know, an asset discovery platform. Now it's a vulnerability management platform, basically. I don't think I'm overstating it to say that it is now a vulnerability management platform. This has gradually been coming together over the last couple of years, though, this transformation. Why don't you walk us through it?

Sure. Going back to the reason that we have the company in the first place, I was doing pentest work, and we kept breaking in through things that our customers didn't know about. So we'd find a device in the corner, a subnet, didn't realize they had a domain, a device, something. And that led to, you know, the demand to build runZero, which is something to help find all your assets, whether they are the things that were on your map or not. What we've seen over the last few years, though, is that the assets that folks aren't aware of, that aren't part of the vulnerability management, are the ones that are getting breached the most. So we're seeing, you know, lots and lots of compromises based on edge-facing equipment: all your Fortinets, all your Palo Altos, all your Ivantis, things like that. And existing tools that do vulnerability management are really bad at telling you whether those devices exist or are patched. And that's really been it. Our customers have been pulling us towards vulnerability management, and specifically exposure management in general, for a couple of years now, and we decided just to go, you know, whole hog into it and do our best to help folks not just identify what they have, but identify when it's exposed and fix it as quick as they can.
I mean, to a degree, it almost feels like you shouldn't have needed to do this, because the whole idea with runZero is, like, it's going to show you all of these assets that are out there, probably unmanaged stuff you didn't know about. Obviously, you know, runZero has done its job at that point, right? But no, it feels like a case of you can lead a horse to water, but you can't make it drink. And in this case, you needed to go that extra step, right, and really draw people a picture and say, well, we've found this one, you know, this, this host. But now we're going to go that extra step and tell you what's wrong with it.
If you look at how the vuln industry works today, it's very much like, you know, scan, patch, wait, scan, patch, wait, where a new vulnerability comes out, you have to wait for the vendor to get a detection together. Then you have to apply the update and wait for your scan window, run the scan, look at the results, and then you can triage it. In the meantime, you've already been backdoored. So that just doesn't work. So where runZero came into the picture is that within a couple of seconds of knowing that there's a new Palo Alto bug or something else, we could say, here's exactly where those devices are on your network. It doesn't matter whether they're patched or not; on day zero, of course they're unpatched. So now we're taking it a step further and saying not just here are the devices that are currently, you know, vulnerable to the current emerging zero-day, but here's actually all of your unpatched devices, and, you know, prioritized by highest exposure.

Yeah. Now I should mention, too, that, you know, Decibel is one of the investors in your company. Obviously Decibel is an investor in Risky Business as well, and I'm a founder advisor with Decibel, and I'm an advisor to you as well. So, you know, I just want to make it clear to the listeners that I do work with you on this stuff, and I do hold some share options in the company. But one thing I sort of wanted to zero in on, too, is the changes in the vulnerability management market, right? There's some pretty big shifts going on right now that I think a lot of people haven't just quite caught up on, right? So the big three vulnerability management, you know, or scanning companies have been Tenable, you know, Rapid7 with Nexpose, and Qualys, right? But over the last, you know, I guess half a decade, the EDR companies have realized, hey, we've already got a presence on people's endpoints. So why aren't we doing that part of the vulnerability management? As in, you know, doing a full inventory of software that's on these endpoints that we're already on, so that we can cover off that part of vulnerability management, which is obviously very bad news for those incumbent three, particularly because they seem to have neglected the other part of vuln scanning, which is doing it over the network, right? So what I think is interesting about what you've done here is you've gone, well, obviously that ground, you know, of the on-host scanning is going to be ceded to the EDR companies, but the network side's wide open because they have not done a good job of it. I mean, that's basically what's happening here, right?

Yeah, that's the quick version. The existing vendors have done a terrible job of unauthenticated scanning. Between, like, the BeyondCorp stuff, the BYOD stuff, kind of work from home, they've just kind of ignored that whole part of the business and instead focused on things like agent-based discovery, cloud CSPM, CNAPP, that kind of stuff. So what's happened is that if you're a customer of one of these large three legacy vendors, you're effectively only getting authenticated and agent-based scanning anyways. Less than 10% of the checks in most of these products actually work if you don't have credentials. So the result is, well, if you're really just doing agent-based scanning anyways, why wouldn't you use the other agents already on the device, right? Take your CrowdStrike, take your SentinelOne, something else that's already there. And the challenge is, it's kind of a race to the bottom. As soon as folks say, okay, well, unauthenticated scanning is not relevant, let's do agent-based, then anybody with an agent can claim they're a vulnerability scanner now. And we've seen that where the VM, sorry, the EDR vendors have come in and said, here's a list of, you know, unpatched software on your endpoint, we're a vulnerability manager too. It's like, yes, but you're not catching exposed services, exposed ports, things that aren't installed as normal software packages. Like, you're not looking for the stuff that a vulnerability scanner would find; you're just looking for outdated software. And so for the longest time, we've had folks pretending to be vuln management in the EDR space where all they're really doing is saying, here's an outdated software package. And of course, even if they're correct, even if they're correct that it's a vulnerability, you don't know whether it's reachable, because you're not checking the network. It could be a totally vulnerable service, but it's unreachable because of the firewall. So the great thing about doing unauthenticated scanning first and uncredentialed scanning first is that if you can reach it from your discovery tool, you know it's exploitable by an attacker.
Yeah, I mean, there's a little bit of nuance there around, you know, client-side vulns, though, I would say, because obviously you're still going to need to know if someone's running a vulnerable browser, for example. But look, you know, one more point on the authenticated versus unauthenticated scan part. Like, what's the point of trying to do an authenticated scan against an unmanaged host where the authentication's going to fail, right? Like, there's so much dumb stuff here.

The great thing is the authentication won't just fail. It'll give the attacker on that machine your password. Like, we still have not solved authenticated scan.

Yeah, because you're spraying, spraying creds around on the network. Yeah, yeah, yeah, heaps of fun.

Yeah, I mean, that's still my favorite way to do anything. Even if you go into a currently well-configured network today, and you run Responder, Flamingo, an SMB server, whatever you want, on the local segment, and you just wait, you're going to collect credentials all day long. And especially if you start doing scanning, you'll collect credentials even faster. Things like WatchGuard, Palo Alto, they've got these User-ID agents where any time you trigger or, you know, tickle the firewall, it tries to determine who's logged into the PC that's doing the attack. And so they just authenticate to you, give you the credential that's stored in the PAN, which is not what you want to happen, where your attacker machines are being given credentials on demand, and yet that's currently the state of these networks. So typically, if you're in one of these networks and they have an authenticated scanner, even if you are, you know, locking it to an IP address, somebody can still do ARP man-in-the-middle, v6 rerouting, whatever have you, and be able to steal those credentials and use them for everything else. And as we've seen with just about every major attack in the Windows ecosystem, all it takes is a single unauthenticated, sorry, a low-privileged AD user to then topple the rest of the fort.
Yeah, now I guess the idea here, though, is, and the reason I was mentioning the EDR stuff, it's not like you're saying, oh, okay, well, the EDR is covering off that side of it, so we're not even going to do anything there. But what you've figured out is that if you do one of your network-based scans and API scans... like, you're ingesting a lot of data these days into runZero. It's not just network scans, right? You can give it API keys, and it can go and, like, pull down information out of your cloud environment. But crucially, it could also pull in information from your EDR. So you can capture that vulnerability sort of state information from EDR, pull it into runZero, and then correlate that against, you know, scan information and information from elsewhere. I mean, that's about right, right? So I guess at that point, you're approaching something close to being a comprehensive, you know, vulnerability management platform by just using data that people are already collecting.

Yeah, I mean, obviously, you have to go a little further. You have to do your own unauthenticated scanning. Like, the reason why the CAASM-only products didn't succeed is there wasn't enough data to be able to answer those questions with the products already in place. Like, you know, you have to be able to answer those questions, but your vuln scanner didn't know about your unmanaged assets because they weren't brought into the scan scope. A lot of your other tools just didn't know about parts of your network. So unless you have a native scan source, a passive discovery source, you're going to have a hard time filling in the gaps using a CAASM-only approach. So we've always been native data source first, through active scanning, passive detection. But you start looking at APIs, now you can bring in the cloud side, the mobile side, EDR, MDM, et cetera. And now we can say, like, here's all your external IPs across your entire infrastructure, even devices that are not going through your normal firewall. And then we're really good at the network side. So, you know, you can still use your existing vuln management, either agent-based through, you know, your Tenable, Qualys, Rapid7, or you can use agent-based vuln management through your EDR, but then combine that with runZero scanning, and you can find the rest of it.
Yeah, yeah, no, that makes a lot of sense. Now, one thing to note, though, is you're not actually trying to bite off all of the compliance scanning-related stuff, right? So your focus is find the bugs, you know, find the vulnerabilities that are present in an environment that are reachable and likely to be exploited, so that they can actually be properly prioritized, not "we can give you a checkbox against the PCI, you know, scanning requirements." Why don't you talk to us a bit about why it is that you're not trying to take on that part? Because that's actually a decent chunk of the market, right? That you're just, like, not interested in. Walk me through that.

That's what killed the industry. That's why we got here. We got here because folks kept putting more and more compliance requirements into the vulnerability scanning. You got to the point where every single host had to do authenticated scanning, or an agent, to do a full SCAP, do a full policy profile assessment as part of your GRC. And as the trade-off, you gave up all your unauthenticated scanning, discovery, exploitability. So now you've got customers spending all this time and all this money patching vulnerabilities that are showing up in these vuln management platforms and not moving the needle at all on exploitability. And that's kind of the point. Like, we're going to tell you the exploitable view of your environment. We don't care whether there's a patch or not. We don't care if there's a CVE or not. And we don't care whether there's coverage for it in, you know, a vulnerability management product. We're going to do it ourselves. So we feel like when it comes to what's being exploited every day, the way that we tackle it is really three ways. We already have enough information about your environment that when a new vulnerability comes out for, say, Palo Alto, we already know where those devices are. So we can just tell you immediately, that second: here's the devices that are exposed. And of course they're unpatched, because the patch, you know, just went out 10 seconds ago. So that's kind of the first step of it. You don't have to wait for research, scan, you know, wait for a product update. The next step is then going the next step further and actually doing an active scan to determine is it patched, is it unpatched, is it misconfigured. And if you look at the coverage that we've added to the product, it's not that focused on CVEs. Like, less than half of the stuff we've been adding to the product actually has a CVE associated. We're really looking at things like default logins, misconfigurations, broken configuration, broken authentication on different daemons. Things that will actually get you compromised, not things you can apply a patch to fix. So we assume that if you're already spending a lot of money in your security program, you already apply patches, the machines are going to get patched. You don't need us to tell you about your patching program. You need us to tell you about what's actually reachable by an attacker today that's going to get you in the news tomorrow.

I mean, it's kind of bizarre that there's been such a lack of innovation in vulnerability management, considering it's such a big part of security and security spending, right? And I think that's partially because we've just had these three large incumbents in the space. And people have sort of thought, well, that's a mature market, there's no opportunity to disrupt. I mean, there's been exceptions. Like, there's a company that advertises or sponsors Risky Business called Nucleus. And I think their product's interesting because they make, like, a vulnerability management platform that ingests data from all sorts of vulnerability scanners, including runZero, mind you. But it's for really, really big companies, right? So they take in all of this data and help you do the triage and slice and dice it and give you visibility top down, like which parts of the business are doing a good job, which parts aren't, and whatnot. But, you know, that's a product that exists because most of the tech in the space is bad at doing that, right? So oddly enough, it's like it's a solution that had to be conjured into existence because of deficiencies in this wider vulnerability management software market. Why do you think it's atrophied like this? Like, I saw your talk. There is... I mentioned Decibel before as well, because Decibel has an event at RSA every year. Last year, I watched your talk about vulnerability scanners and how little they've changed. And there was one slide. I still remember it, even though this is, like, a year and a half ago. You showed a slide, which was a screen cap from one of the vulnerability scanners from, like, 25 years ago, and then a screen cap from, like, the week prior to you doing the talk. And it was just like all that had changed is it had been re-skinned, right? How do we explain the lack of movement in this space? Is it just that they were chasing the next shiny red balloon across the room, like you mentioned, like with the CNAPP and the this and the that? Is that kind of how we got here?
Yeah, when I was working for Rapid7, we really thought of it like: anytime we lost a customer, we'd see them again in a couple of years, because where are they going to go? There's really three vendors in the space. And we thought at the time that the bar to getting into the industry was very high, because you have to have 200,000 vulnerability checks or cover 90,000 CVEs. So the idea was, like, well, no one's going to join this, or no one's going to be a new competitor here, because the bar to, you know, getting in is so high to build all this backlog. Then we realized it doesn't matter. Like, what we realized at runZero is it doesn't matter at all. That backlog is not what you need to worry about. It's the new emerging threats. It's the new stuff people are exploiting day to day. It's the non-CVE'd exposures. That's what actually matters to people's security, not catching up on 20 years of vulnerability coverage. Like, that's not super relevant. Same thing goes with the GRC, the audit, all the compliance stuff. Like, yeah, it's really useful for your audit, but it's not particularly helpful for you not getting owned tomorrow. And where we've seen the innovation happen in the space has really been the ASM side, the continuous pentesting firms. They call themselves continuous pentesting, but effectively they're just doing vuln management. They're just calling it something different. And they're doing vuln management in a much smaller sector of vulnerabilities, which are dynamic web applications, or a smaller set of the surface. We use Nuclei, the open-source scanner, in runZero, and we do it in a really interesting way. We don't just take the scanner and run it. We actually add unique logic to every single check, so that we already use the runZero fingerprinting engine to say we know exactly what this device and this service is, and then we'll run a particular check against it, but only if it meets that criteria ahead of time.
Yeah, I mean, you're, like, spinning up per-check templates for this thing, right? So that it's, like, not going to...

Per-check engines, actually.

Yeah, it's not going to brick anything. It's going to be nice and efficient. And, like, that's the play, right?

Yeah, every single service gets its own configuration and engine launch and configuration. So if we run into a web service that's running, you know, IIS, for example, we're not going to run anything that's not relevant to a Microsoft web server on that target, just by definition. So the cool thing about that is, because so few of the templates actually run when we do it that way, we can do thousands of vulnerability checks at almost no additional cost in speed. Like, it doesn't slow you down at all. It's just the same as it was before in runZero. So the neat thing that we did recently is we relaunched. We added about 1,400 new checks to the product. They're enabled by default. They went out, and no notice, like, there's no cry from the customer base. Nobody said this thing's broken, no one said we're knocking a device over. Like, that's just how carefully it was built, that we can literally ship all that and it just starts working magically in the background without having a serious impact to scan times or to false positive rates. So we feel really good about our approach there. But then you look at what everyone else is doing, and it's basically a race to the bottom still. It's, oh, we need coverage for X, so let's report when there's a missing patch, or let's say you're missing compliance on X. Again, that stuff doesn't matter to preventing a breach. Like, we're here to prevent you from being breached. We're not here to help you checkbox your policy and compliance statements. Although we're helpful for that, that's not the primary goal.
Now, you sort of mentioned this earlier, but I want to talk about it a bit more, because you've got to educate me here and tell me whether or not the incumbents actually have this as well, because if they don't, it's absolutely insane. And that's that sort of rapid response emergency notifications around bugs that are being actively exploited. So, you know, you can be in your runZero console and it will throw it up front and center: hey, you know, you've got this Fortinet device that's being exploited right now, like, everybody with this device is getting burned, you've got to go patch it immediately. So that's great to have that in the console, but it will also email you, right, or notify you via whatever means you select. So you can actually set up runZero to let you know, hey, you know, really sound the alarm on a bug that is being actively exploited, that's trivially exploitable, that there's a path to get it on your network and you're going to get done. Is that something that the incumbents actually do? Because I remember, like, talking to you and Chris, like, two years ago about, you know, bringing that feature in, because it was something that people really wanted. Do the others do that?

Not very well. So the way we do it, we officially launched it to everybody last week. And the idea is the second we put a rapid response out, which is, hey, there's a new serious vulnerability that affects a product, I'll pick on Palo Alto again, we actually kick off a query across every single customer instance on every install. And if we find an applicable device that matches that query, like you've got a Palo Alto or VMware Horizon exposed to the internet or something else that matches that, you'll get an email within 15 minutes now in your inbox, and you don't have to do anything at all to do it. So the idea is that you don't have to, you know, go look at an advisory, search your environment, run some queries; you're going to get a notification in your inbox the second that we know about it, telling you what you need to do to avoid getting compromised. The way that other vendors do that, they typically will have, like, an alert mechanism. They'll have an alert saying, hey, there's a new vulnerability in Palo Alto. And you say, okay, great, what are you guys going to do about it? And, like, well, we're working on a check. It's like, great. So you wait two days, then you get the check. Then you wait until Saturday for your scan window, then you run your scan, and then you are doing incident response because you waited too long. So that's the problem with that approach, is that while these other firms are good at alerting you about new threats, they're not particularly good at telling you where those threats apply in your environment. And we're seeing some folks play with that a little bit, like some of the CAASM vendors are pretty good at doing more real-time response. But the legacy vendors definitely have not excelled at responding quickly to new events when it requires coverage changes on the product side to cover it.
So I've got to ask, like, what's the response? Well, you know, how long has this stuff actually been in the product and actually out there in the marketplace? Because I understand it's pretty new. It's funny, I remember that emergency response stuff, like, we were kicking that around, like, a couple of years ago, right? So I didn't realize it was that new in the actual platform. That's cool. But what's the response been? How long has this been out there? How long have you been doing the vuln checking stuff? And yeah, who's into it? What sort of organizations are into this?

Yeah, if you go back about a year or so, we started doing vulnerability reporting in the product based on queries. We would say, you've got a thing that we know is exploitable. You've got a database without a password. You've got this misconfigured device. We'll create a vulnerability record automatically. Not just a third-party import; we'll create a native vulnerability in runZero attached to the asset. Beginning of this year, we rolled all this up into findings. So instead of getting a giant list of vulns, you now get, like, three findings. Here's three categories of things that are problematic in your environment: default credentials, you know, misconfigured device in this particular way, missing ACLs over here. And so you're not getting this gigantic list of remediation. You're getting a list of categories to go focus on. And then more recently, we've been adding more direct vulnerability coverage. So first we added default login checks, so default credential checks for, you know, a couple thousand platforms. Then we rolled out exposed administrative panels. So looking at things like your admin panel, if it's exposed to the internet, we can flag that really easily. So not necessarily the most critical vulnerability, but it's something that you should know about for sure. And then more recently we added as many of the CISA KEV and critical remotes as we could in the first round. So that went out. That's about 700 new critical remote checks. And I just eyeballed all the stats this morning to see, you know, how many folks are actually getting alerted by this. And I think last night we sent out three critical alerts, and all three of them got a click. Two of them turned into a support ticket with the customer asking for help. And they're like, yeah, this is great, thank you. So people are seeing it. They're reacting to it. They're responding. We're really slow at rolling this out, because the last thing you want to do is, like, annoy your customer base into turning it off. We don't want our default mode to be so obnoxious that people just turn it off and they don't get the value. So you only really get one chance to not, you know, burn that trust with customers. If you start spamming people on day one of the product, the very first thing they do is turn off notifications, and then you're no longer providing that value unless they go turn it on again. And defaults really are the most critical thing in security. If they're not on by default, then you have to do a lot of education to get people to go try the feature. So just like the new vulnerability checks are on by default, we don't ask permission. We just say, here they are, and you can turn them off if you want to, but they're there by default. Same thing goes for notifications. We want you to know immediately, ahead of time, for these types of things. But again, if we get that wrong and we annoy everybody and they turn it off... and that's why we wait as long as we do to get it right.
So you've been slow burning this, right? At what point do you come out and say, we should be your vulnerability management platform? Because it sounds like you haven't been doing that until now, right? Because you've been, like, slowly, slowly changing the product, right, and turning things on and waiting to see what the reaction's like. At what point do you just come out and you say, we should be that center console for your vulnerability management, hook in your SentinelOne or your Defender or your CrowdStrike into us, and we're going to cover off that function for you. When do you pull the trigger on that?

I think we're there. I mean, at this point, it's just user education, it's customer education. It's getting more coverage in the background. But depending on your use case, we're already there today. If what you care about is avoiding breaches and your external-facing stuff, we do that all day long. You can turn off your Tenable today if you want to and use us, and we're great. If you have a massive internal environment, you've got a compliance requirement, you may have to scope it down. So maybe you still use Qualys for, like, your PCI environment and then keep us for everything else, including PCI. But we're not going to go after the PCI certification or ASV or anything like that anytime soon. We're really going after the real-time exploitable stuff. So for a lot of customers today, the product will already do more than the value you're getting out of your vuln scanner. And kind of the reason we got here is that we've been importing third-party vuln data for four or five years now. So we've been pulling in the Tenable data, the Qualys data, even the CrowdStrike vulnerability data. And that's why we got here. We realized that the data we're getting from these products is useless. Like, we will spend five hours importing 180 gigs of stuff from Qualys, and the customer gets absolutely no value out of it. They look at this giant list of vulns, and you'd be like, well, what does that mean? I guess I should apply some patches. Like, yes, but. And then you'll actually try to figure out, well, where are my SonicWalls here today? Oh, yeah, they don't even have a check for it yet. So we're getting this ton of data into the platform. We're trying to help people prioritize it, kind of like the Nucleus Security side, where you bring it all into one place and you do triage on it. And then we realize we're missing the vulnerabilities that matter. Folks are working off a list of vulns that doesn't even include the ones that are going to get them owned tomorrow. And that's been the focus. So we've said, you know, based on what we've seen in the product with our actual customer data, what's missing right now is actually better coverage. Like, vulnerability detection is not a commodity. Bad detection quality is how we got in this mess. And it's also what's kind of leading to this, like, you know, EDR... EDR is eating vuln management because the bar has been dropped so low. We kind of go the other way. We say that unauthenticated remote detection needs to be high quality, needs to be reliable, needs to be fast. And if you can do that, you don't necessarily need the rest of it quite as much.
Now, as you sort of alluded to it earlier,
which is there's these attack surface measurement companies,
which are almost doing sort of like bulk pen-test-y sort of behavior,
like doing remote scanning, using similar tricks to what's in Run Zero.
And now you've got a situation where you're starting to see these like AI-enabled pen test firms pop up.
There's a few of them, Horizon3, who I think we've booked into a snake oil slot coming up soon.
So I'm going to get to, because I'm interested.
I want to know what they're doing.
So you've got companies like Horizon3, I think there's Crossbow as well.
So at what point do vulnerability scanning technologies like what we're talking about that's in runZero
and services like those, at what point are they all AI-ified
and start to converge?
This is something I'm curious about.
Like, you know, I know you, man.
You've been playing around with models.
There is no way you have not been playing around with AI.
You know, what's on the roadmap there?
And what does that do to this platform?
And how does it look in a few years?
I'm dying to know what your plans are there.
We found a couple of use cases for the AI so far.
Like, we use it for some of the threat intelligence
for getting a head start on new vulnerabilities.
We tend to, you know,
we use a service that scrapes all the social media,
flag stuff that's trending before it hits the news, and that way we can stay ahead of things
and get customers notified well before it becomes widespread exploitation. We also use AI for things
like doing enrichment of vulnerability data, but we haven't found a use case where having an AI
model in line actually makes any sense. Yeah, so what you've just described is very much like
a content use case for AI. That's where everybody starts, right? It's like, you know,
companies like Corelight who first started using AI to do things like explain alerts, right? Like,
Here is a really poorly written, you know, 10 words to try to explain an alert,
but, you know, it can actually have a detailed write-up, you click on it, whatever.
So that's the content use case.
You know, I guess I was wondering what the agentic, and I'm sorry to sound like such a VC guy at the moment,
but I was wondering what the agentic use case is, because there's got to be one there eventually.
Yeah, that's a good question.
I mean, we have to find a model or find a scenario where it makes more sense and works better.
And so far, you know, we kind of have old-school ML, old-school AI in the platform with a bunch of rules,
and they get weighted and they do stuff like that,
and we've got decision trees and things like that.
And the great thing about it is it's deterministic.
We know exactly what check is going to fire in what direction.
We know exactly how we can safely enumerate an OT device
because it's always going to work a certain way.
So once you start bringing agentic stuff into it,
You've got temperature to twiddle.
You've got all this stuff that means that when you run the same test
three or four times a row, you don't get the same result.
So do you really want your critical vulnerability scanning
and exposure detection working only one-tenth of the time
or missing every fourth time?
Like, that's the problem with the agentic stuff right now, is it's not reliable, it's not consistent enough.
So, you know, where a lot of folks have been taking that is, you know, have one model come up with a recommendation, a bunch of other models self-check it, then do some validation.
But at that point, you just start off and build it better in the first place.
So we're just being a little practical about it, trying to figure out, like, where does it make sense to bring in a model?
And we're not quite there yet.
Yeah, I mean, I would have thought, like, just off the top of my head, that where AI would make the most sense here is other agents actually just using runZero.
Like instead of baking the, you know, instead of baking the agentic stuff into runZero, just treat it as something that a model can use via some sort of, you know, Model Context Protocol server or something.
I mean, I'm guessing you're going to do an MCP server for this, right?
Yep, it's actually shipped.
We have an MCP server baked into runZero.
The great thing is you don't have to run, like, a local stdio server.
It's actually all part of the remote install, whether it's self-hosted or on the cloud.
So you just point it at your current console URL, give it an API key, and you've got a full MCP server built into the product, as opposed to having to
get another thing to manage on the side. So the funny thing about the MCP is we have a lot of folks saying,
we want an MCP server. Like, great, what do you want to do with it? We don't know. But when do you
want it? Now. It's like, okay, but what do you want to do with it? So we're still, we have the first
versions out so far. We're getting feedback on it. We're trying to figure out, like, what do folks
actually want to query? Like, obviously you can say, show me devices that have external, you know,
IP, tell me devices that have the highest risk, show me systems where this user has logged in
recently or this type of user is logged in recently. So you can do a lot of interesting stuff there,
but almost any one of these use cases, you can do better through the console specifically without using AI.
Yeah, but do you need to know how to structure a runZero-specific query?
That's the point, right?
And like everybody's really sick of learning everybody's query language and syntax, right?
Yeah, that's a good point.
We're working on natural language queries right now.
So that'll be one of the things we do in line, at least for the cloud side.
But of course, we need to be really careful about that.
We need to make sure the customer's query never leaves our environment.
You know, we're really, we're about as paranoid as it gets.
Like, we do not let data leak out of our platform anywhere.
And we sell to a lot of folks that are on-prem and, you know, air-gapped,
and we need to make sure that it works just as well in those environments as it does in the cloud.
So we're really careful at where we deploy technology.
Our entire technology stack is a Go binary and a Postgres database.
Like, we're not experimental or brave when it comes to using, like, Pub/Subs or Kafka
or any of that kind of silly stuff.
Like, we're old-school and boring because, you know, we need to build a deploy anywhere.
Yeah, so just going back to a question I asked earlier,
which is who's showing interest in this.
It sounds like you haven't really started marketing it yet as a vulnerability
management platform, so it's maybe a little bit early for that question of, like, who's, you know, who in
the market is buying. I mean, is that about right? Yeah, it's starting to turn. Until about a month ago,
most of the inbound that we've received, folks who are interested in hearing about the product,
were asking about CAASM use cases, asset inventory, attack surface management. In the last month or so,
especially after Black Hat, we had this amazing experiential booth thing and all kinds of cool stuff
and marketing around it. We really started pitching, like, hey, you can actually use this to do
full-blown vuln management without another vuln management tool, and that's where folks started
saying, wow, I can actually just kick out product A, product B, product C.
So we've displaced the legacy vuln management platforms in three or four cases in the last
month. And we feel like that's going to be our future. These are customers that they need a
vuln management platform, but they also need everything we do in CAASM. And they don't want to buy
two products. And they want to have a product that doesn't write in the first time. So having a
product that has a native data source through high-quality scanning, does passive detection,
can do OT, does the vulnerability scanning, and also does the CAASM integrations, reporting.
That's been a really good sell so far. So we're really excited about providing that more
comprehensive product to our customers. It's funny, man, I got a friend around here who recently took
a job as a security person at a local government, right? So, like, a council. And the stuff he's found in
that environment is just bizarre. So he's not traditionally been a security guy. Like, he's a
security-minded, like, computer guy, right? Like, perfectly qualified for the job. But he's gone in there,
and the vuln scanning stuff they're using in there is something that I've never heard of in my life.
And what's really funny is when he rang the software distributor that they buy this package from, that they license this package from, they had never heard of it either, even though they were, like, the ones charging money for the licenses, right?
Wow.
So he's obviously looking to shake up vuln management stuff.
And when he's seen what you're doing, because this is, like, perfect timing, he's like, oh man, like, that's going to work.
Probably have to keep some other stuff for the PCI because they do handle credit cards for, like,
you know, local, like, council tax payments and fine payments and things like that. But, you know,
for operational vuln scanning, he's just like, well, we've already got that, like, E5 or G5 Microsoft license.
We're just going to get all of that sweet information from Defender from the endpoints, pump it into
runZero, and he's going to save so much money doing that. Yeah, absolutely. Even for PCI, we can
help save folks quite a lot of money because we can help you scope it down. So if you're buying,
you know, a given product right now because you need PCI support, we can actually help you
figure out which part of your network is actually fully isolated and which parts are actually
breaching your CDE or otherwise combining your PCI with non-PCI. So you can get really tight
scopes using Run Zero. And that means you can carve down the existing license you have for
these third-party products to have a much smaller, smaller piece. And since you're often paying
by IP address for these products, we save a lot of money that way. So I got to ask, final
question, right? Where do you see this sitting in the market? Because, you know, this local
government use case that I'm just talking about, like they've probably got a few hundred, you know,
like it's a small organization. And for them, it's an absolute no-brainer. For a larger organization,
I can still see the unauthenticated scan stuff. Like, even if you're a mega corporation, I can see
using runZero, because it's very efficient, very performant, like, it works really well. You know,
100% you could use it for that as well. But would you then also use it as your primary vulnerability
management tool in a very large organization?
Like, how do you see this, you know,
slotting in at orgs of different sizes?
Yeah, sure thing.
Long story short, in the early days,
the pen test, assessment, vulnerability scanning tools
were all really the red team part of the house.
In the last 10 years or so,
they really all moved to the blue team.
So the person running your vulnerability management program
is really more of your SOC team.
It's not necessarily your red team.
They're just basically, you know,
getting a list of alerts,
figuring out what to do with it,
mitigating it, triaging, et cetera.
So that kind of runs your vulnerability
program, your compliance program, but it's not really there to save your bacon from the
next vulnerability next year or day coming in. Like, it's not fast enough, it's not agile enough to save
you. So instead, you have security operations teams turning to things like runZero and other
CAASM products to say, like, what, you know, do we have this new thing that I've never heard of
until today being exposed to the internet, how we exposed this network, connected this other network
in this strange way. And basically kind of the bleeding edge of exposure and compromise is what those
teams care about. So we feel like we've done a really good job of serving that security operations
team for a while in terms of preventing exposure, finding all your stuff, being that kind of
second set of eyes for the entire organization.
But we also feel like the vuln management teams have kind of been underserved.
And if we can give them a tool that, you know, works better, it's faster, it takes less time,
it's more accurate.
It cuts down the amount of work that they're doing and triage are doing even better.
So for us, the future really is doing everything around exposure management, everything
from external attack surface management, your internal discovery and internal networks, you know,
network segmentation, compliance, you name it, while still kind of being true to our, you know,
character, which is not throwing your password around the internet, not requiring an
agent on every machine.
So I guess your position here is that's a nice market, we'll have all of it, thank you.
Pretty much. I mean, we have customers, especially if you're a smaller customer, you can't
afford 20 tools. So we have to do a much, much broader portion of functionality than, you know,
let's say we, if we wanted to stare at our feet and work on cool protocol stuff all day,
we'd love to do that, but that's not going to move the needle. You need to provide a much
quieter product these days, especially with smaller orgs. If you're a 100-person organization,
you can't buy five security products. You may be able to
get away with one, and that one's probably Defender. So if you can afford something more than your
EDR, we recommend runZero being that tool. You can't really get rid of EDR, but you can typically
replace everything else with runZero from the exposure management side. Yeah, well, as I mentioned, you know,
that friend, I sent him a bunch of stuff to investigate, runZero was one of them, and that's actually
his first item, first spend is going to be that. So, cool beans. All right, HD, thank you so
much for joining us to chat through all of that. I think, you know, I think there's a real
future for this as a very useful tool for all manner of organizations. It's great to see it.
And it's always great to see you, my friend, and we'll chat again soon.
Appreciate it. My pleasure.