Risky Business - Risky Biz Soap Box: Thinkst Canary's decade of deception
Episode Date: October 28, 2024

In this Soap Box edition of the podcast Patrick Gray chats with Thinkst Canary founder Haroon Meer about his “decade of deception”, including:

A history of Thinkst Canary, including a recap of what they actually do
A look at why they’re still really the only major player in the deception game
A look at what companies like Microsoft are doing with deception
Why security startups should have conference booths

Transcript
Hey everyone and welcome to this Soapbox edition of the Risky Business Podcast.
My name's Patrick Gray.
These Soapbox editions are like long-form discussions that we have with our sponsors.
This means everyone you hear in one of these editions of the show paid to be here.
Today's guest is Haroon Meer, who is of course the head honcho and founder of Thinkst Canary,
which I guess you'd describe them as a deception vendor.
And not only that, you'd kind of describe them as the only major deception vendor.
And it's been a decade now.
So we're going to be talking about a decade of deception.
And really, we're going to have a bit of a history of Thinkst,
a bit of a recap on what it is that they actually do.
We'll be looking back on those 10 years of Thinkst Canary
and why they're still the dominant player after so long.
You know, and really, is that because this is such a simple technology
that's quite low margin and the market size is kind of small,
which sort of discourages VC-backed players
from trying to come in and do that sort of high-margin explosive growth thing?
Like, we really just have a bit of a chat about, about like why it is that Thinkst is where it is. It's
sort of odd to just have one player that's so dominant when they're making a technology this
useful. But we started off with Haroon just really recapping what it is that Thinkst actually does,
because, you know, he's been a guest on this show for 10 years and there's quite a few people out
there who might not necessarily know exactly what it is that they do.
So here is Haroon Meer to kick things off. Enjoy.
So fundamentally, we make a honeypot. Like in its original pitch, our take was we could make, we felt honeypots were useful, but not enough people were using them.
And our take was, if we could make them
simple enough for people to use, people would use them. So our pitch was to make the simplest
honeypot that added value. And there's a few principles that we were really big on, but two
of them were that they should be really quick and painless to deploy.
And the second one was that they should never expose you to more risk than you already had on your network.
And until today, like, we hold pretty firmly to these things.
And we've done some things quite unconventionally, like we're famous for even removing features. But fundamentally, what we focused hard on is that a customer should be able to buy a Canary honeypot, deploy it in under two minutes, and it's useful
on their network. And there's some things that we thought hard about and some things that we got
really lucky with. But fundamentally, what happens is customers buy Canaries, they drop them on their network,
and typically attackers last on networks for months before they discover it. Like, the numbers
change, but like hundreds of days. And so what happens now is attackers land, they're trying to make
themselves comfortable, they're doing reconnaissance, they see this Canary, they touch it because they don't know what's valid and what's not valid on the network.
And the defender gets a really high quality signal that says there's badness on their network.
You skipped a step there, which is that one of the key innovations in all of this is that prior to Canary,
you know, we thought of honeypots as things that we exposed to the internet.
Exactly.
And your big, you know, big brain idea was, hey, why don't we put them on the inside?
And we can catch people who already have a presence on the network, which is what makes
that such a high quality signal.
Exactly. And the honeypots outside networks
really gave honeypots a bad name. Like even till today, like we get calls from the local universities and if someone wants to do an honors project, the easiest thing to do is
put a honeypot up, draw graphs of how many attackers from China and how many attackers
were from Belarus. But honeypots on the internal network really shouldn't be touched. And so
our thing was take these honeypots, make them really trivial to
deploy. And we spent a crazy amount of engineering early on to make sure that we can really keep that
promise. So customers get them, they plug them in, they just work. And then we can up their
sophistication. So just plug it in, and it's a working Windows box. And by that, I mean,
you can map to its SMB share, or you can RDP to it, or you can enroll it in Active Directory.
Or with two clicks, you say, listen, actually, I want this to be an IBM mainframe. And then you can
3270 to it, you can SSH to it, all of that stuff. And over time, one of the things we figured out is that you can do really complex things with Canaries, but even really simple Canaries caught attackers.
And we kind of got lucky because, like, we didn't do lots of marketing and early on customers who bought us caught attackers and said nice things about us, and then other customers bought us.
And that's pretty much been our trajectory till now.
We also then did Canary tokens.
And if Canaries were honeypots reimagined, Canary tokens were honey tokens finally made useful. And when we were attackers for years,
when we were pen testers,
we would throw out the idea of,
oh, you should use honey tokens
to let you know when your data is breached.
But no one we knew ever did it.
And we never did it
because you've got to have infrastructure around you
to make that actually work.
And so Canary tokens become honey tokens in various different forms that you can sprinkle around,
again, to give you high quality signal.
And with Canary tokens, we do the slightly unusual thing of also giving them away completely free at canarytokens.org.
And like that's bloomed into an unusual thing. And if you
go into your VC theory in a few moments, Canary Tokens will feature interestingly, because we
treat Canary Tokens as a full blown hosted service. And internally, lots of the things we try to
invent, we keep trying to invent new ways to detect attackers.
And some of that stuff goes into Canary, but some of it goes into Canary tokens.
And then we give it away free.
So our customers get it, but it also joins this free Canary token service.
And some of it, like if you take in the last year, Jacob released the Entra. So basically with CSS, you can tell when people are
attacking the middle, your Entra login on Microsoft Azure. And we released that earlier
this year. Like we've literally got thousands of users using the free service. Something like
50 million logins a day get protected by that AITM phishing.
And for us, it's just free,
lives on canarytokens.org and does its thing.
So I mean, it is pretty amazing
to just give people access
to very high quality alerting infrastructure
that is sort of reliable.
It's scaled like, you know,
it's doing some real work
for the community there.
Sure, it's been interesting. And for us, like, in part nobody told us
we couldn't do it, and Canary pays our bills, and this gives us an interesting way to test new
detections. And of course, like, people end up knowing us because of it. So it ends up working out all positive.
But fundamentally as a company, that's what we do.
So we build Canary and build Canary tokens.
And like internally, our whole pitch is like, can we use hackery to make defenders win?
Like our pitch as a company is make defenders win.
And that's our pitch.
Okay, so now let's talk about why you're the only vendor,
as far as I know, in this category.
What explains that?
So I think fundamentally, when we used to pitch Canary,
I think I did on the first segment I did with you on Canary,
like we used the line that said, we stupid but work. And internally, our pitch was Canary should
function like a brick, like Marco's saying was, people should just be able to use it
and know that it doesn't go wrong. And so we were pretty rare in that our stated aspiration was
to be a brick. And it allows us to say dead simple, but works. And anyone who's trying to
raise VC money has to say the opposite, right? They've got to say why they're this super complex
thing and how they're this super clever thing. And even when people try to sell,
they often end up trying to convince the customer how they're the super clever thing.
And it forces a type of thinking that just goes for more and more complexity. And
complexity, like that's a bad idea for multiple reasons. But the two big ones are, historically, we know complexity is just a pain
in the ear to secure, which is why so many vendors end up being the weak link on your network.
And the other is you end up with all of these solutions that do everything or claim to do
everything that nobody actually ever implements on their networks. Like, honestly, one of Canary's biggest challenges early on
was fighting security folks' default intuition that says,
this can't be that easy.
Because you do the demo, you do the explanation,
and you say, trust me, just deploy it.
And folks go, surely that's not gonna work,
except it does, and then word gets around. And so I think the early funded competitors, and
there have been about six of them that raised like 60 million or so, all pivoted hard towards
complexity because most people think that that's what's needed.
Yeah, I mean, I gotta say, I got a real kick out of their marketing. I remember once,
like in your early days, you know, seeing some of these competitors come up and their
animations and stuff at their booths were pretty funny. Like, you will direct attackers into a maze
that is a replication of your production, and it's, that's not really what you need to do here.
You know, like, let's just keep it simple.
It's interesting.
Keeping it simple.
Look, simple is hard to pull off technically, but it's also hard to pull off for ego.
Like early on, people are attracted to I'm working on the smartest thing ever. And I think
we got a little lucky because like Marco and I had some history in the industry. And so we could say
we're doing this really simple thing that works. And people gave us some credit to say, well,
they're not complete monkeys. Like maybe we should try this thing. But I think
simple but works is underestimated. So that part I agree with. I think people went for complex
and run into trouble. The part that I'm not sure about, and my honest thing is one of the things we've grown to see is that Canary works for everyone.
Like, this is not my, you used to call it shiny tooth salesman pitch, but we've got customers using Canary for literally 10 years.
Like, they bought us in 2015.
They still use us.
It just updates multiple times a year and they just use it.
We've got easily a whole bunch in the Fortune 100.
We've got the highest tech companies that exist.
Like if you were a tech company today, there's a good chance you're using Canary.
We've got two-man law firms.
Like we've got an aquarium in the Midwest.
And so one of the things we realized is that without sounding immodest, every org should
be running Canary. So that's where you're going to push back on the limited market size thing,
I'm guessing. Yeah. So it is true because early on, even when we had resellers wanting to sell
our stuff, they would look at it and go, hold on, this stuff just costs seven and a half K.
I can sell Cisco kit for a few hundred K. This isn't worth my while. And that bit was completely
accidental because it perfectly fits anyone who's ever did The Innovator's Dilemma, which is you come
in at a price where incumbents don't want to fight you because you're too low, and then you start
growing from there. But fundamentally that model really works for us. So two-man law firm
gets to put in five Canaries and forget about it. And super tech firm gets to start off with five, grow to 50,
and then have hundreds of canaries if they need it. And genuinely, genuinely at this point,
like, I feel I can make an honest case for every org in the world to have five canaries.
Like, there are some who should be bigger,
but like for seven and a half K, people should just put them down. And if they do nothing for you,
like you paid seven and a half K, but almost certainly when you've got intruders on your network, you're going to get that alert really early on. And so it turns out the market isn't that small for it. And so periodically,
we get pitches from new companies going in or new companies wanting to do it.
But now they've got multiple problems, right? The one is we try hard to not suck and hopefully we'll
keep not sucking. And the other turns out to be useful
is Canary tokens, because now there's this really valuable, really easy to use thing out there
that's free.
And so we should note too that it integrates nicely into the Canary
console. So if you're a user of the hardware devices, these honeypots, and you're using the Canary tokens, like it all meshes together quite nice. So even if it's like
the free stuff is canarytokens.org, you know, if you are a paying customer, you get that sort of
all singing, all dancing, integrated experience, integrated UX. Exactly. You get your own private
Canary token server, which can be skinned and you can host it on your own domain and all of that stuff.
But yeah, the combination ends up being useful.
And at this point, our plan for world domination is a Canary on every network.
It's like a taco truck on every corner, a Canary in every network.
Both sounds pretty good.
I just want to cut you off there because I think one thing we can say, like 10 years down the track, I think we can say that most people, you know, the more educated consumers, the more educated buyers in cybersecurity, they know who you are and they recommend you. So recently I introduced you to Rob Joyce because he dropped me a message saying,
hey, you know, because he's doing a bit of advisory
and whatever these days for all sorts.
And he said, look, you know, I've got a customer
who I think would really benefit from Canary.
Would you mind putting me in touch with Haroon?
And I think we could say that, you know,
Rob is about as educated as a customer can get.
I mean, he used to run TAO for God's sake.
So if it's a control that he's into,
we can say that's good.
So I think there's some validation there
where you've got the highly educated section
of the market saying, yes, Canary's good, use them.
They're just an amazingly cost-effective control,
go for it.
Then more recently, we saw Microsoft
embracing honey tokens as a way to flush out automated abuse on their platform.
So this is something that they're doing at scale, right? Like I'm guessing, you know,
a bit about what they're up to. Can you talk to us about, because I don't think we really had a
chance to discuss it on the main show. What are they up to with all of this? Like, I only saw the headlines, skimmed a story.
But could you give us a bit more detail on what exactly Microsoft are doing with Honey
Tokens?
So Microsoft's going into deception in a few ways.
Like, Defender will now do deception stuff.
So they'll do hosts, they'll do lures, they'll do stuff like that on enterprise networks. And like I've heard, I've heard of a few people taking them out for a spin.
But Microsoft's got a chief deception officer and he's a real believer.
Like we've spoken to him. They may or may not be using some of our stuff.
And yeah, they've got a good offering. Recently, they spoke at
B-Sides Exeter, where they were actually speaking about running deception campaigns
against existing phishing sites. So literally, they look for new phishing sites and then pump
those phishing sites filled with fake credentials, essentially making those sites less useful and getting them a whole
bunch of intel in the process. There's a few things that are interesting. The one is every
Microsoft document on their deception stuff exactly sings the song of our people, right? It's here's why you should be doing it, it's smart,
it's easy, it catches attackers. So we like it.
Well, I think also, isn't one
of the ideas behind pumping sort of honey creds into these phishing sites so that when they see
them turn up on like M365, you know, or Entra log, that all of a sudden they can flag that endpoint as being
no bueno, right?
Yeah, exactly right.
It's kind of funny because like one of our free Canary tokens is a site clone token.
And when we first built it, I think we might even have spoken about it on the channel like
years and years ago. But we first deployed it for the media
org Al Jazeera when they were being attacked by the Syrian Electronic Army. And they did exactly
this process that Microsoft is now doing, something like nine years ago, where they would,
as soon as the phishing sites come up, they'd spam them with fake creds, essentially giving them a whole bunch of work
to do without, because once a phishing site comes up, you also can't control your remote users who
might be giving their creds to that phishing site. And so now what they do is they've just put in a
thousand other fake users into that system. And so now those people have to deal with all of the noise.
Microsoft's presentation on it was great,
but for me, the best part of it is, again,
them saying, absolutely, this stuff works.
Why wouldn't you be using it in your org?
Which, again, it's the song of our people.
I don't have sleepless nights over it for a whole bunch of reasons. One
is we like them and know them. But besides that, one of the things we've always taken a lot of
care with Canary, and initially it was a tough decision, was to make sure it was outside
your regular system. Like one of the things we don't
want is your system gets compromised, you can't trust your reporting channel, and now the thing
you need for that one alert is in that reporting channel. And so Canaries end up being inside
enough to catch attackers, but outside enough to not be collateral damage if your network gets owned.
One thing we should point out is that a Canary is not like a pizza box, rack mountable, you know,
fully featured Linux box with some software loaded on it. It is a very small, like it looks like an
external hard drive, you know, it's a small embedded device. And funnily enough, like I remember when you
did that way back when, and one of the reasons
you gave it that form factor is to make it easier for people to deploy without having
to get authorization from the data center team to like get the rack space.
So you could sneak in security.
People could literally sneak into the data center and just tuck it away back there somewhere
where no one could see it.
And, uh, you know, they, they would not have to ask for permission, which I thought that was very clever, actually, at the
time. Thank you. It's interesting. We thought that over time, because the first versions that
we shipped were just those hardware versions. And then we've got Azure versions and AWS and GCP and
whichever virtualization platform you're running. And we thought that over time,
people would stop buying the hardware versions
and the others still sell in their thousands,
but by far, hardware versions still dominate.
So that thought that says,
let's take this and plug it in,
is still an easy winner.
And now we've got different use cases for it. Like we've got
one of the very large tech companies, we literally carry their asset numbers and they just ping us
and say, send three boxes to this location in China. And so we put on the asset boxes and ship
it off. It comes up, it's now on their console and they've got visibility. So yeah, so far, the hardware
stuff still works surprisingly well. Again, it just falls into that, keep it simple. But you
know, cloud, I'm guessing, you know, well, obviously over the last 10 years, it's not
like cloud was new 10 years ago, but it's like, it wasn't as ubiquitous.
Yeah. It's interesting,
putting the stuff in the cloud works and works nicely. And then there's a good case for
dropping tokens in different cloud environments. And currently we spend a lot of time
playing in that space. So you'll find lots of tokens play almost exclusively in the cloud space.
We've spoken previously about our AWS token, stuff like that, which
essentially is throw this around your clouds, know when people are poking around. But again,
our pitch is should be dead simple, should just work.
So this is how you've managed to own the
market for 10 years. You know, you've had some challenges come in, but largely, I mean, it's
pretty much just you. So where to next becomes the question, right? Like, you know, 10 years from now,
a few more gray hairs, I'm guessing, 10 years from now. But what will we be talking about,
you know, in 10 years from now when it's, you know, Haroon Meer's 20 years of deception.
Yeah, touch wood. So, so far, like, what, one of the things we've managed to get right as a company is, like, we build stuff that people like.
And by doing it that way, we've managed to build a really nice team.
So, so the people on board, like, enjoy working for the craft of it.
Like, I put out a silly tweet today, but like it's Halloween.
And so the front end team have this amazing slight change to the console because you get
to see the Halloween theme and you get to see Table Mountain and all of that stuff.
But essentially the team worked on that just in their own time, just because they like
delighting customers. And so
with the last 10 years, we managed to put together a team that really like building useful stuff.
And so at this point, we're kind of just enjoying making things the best we can. And so inventing
new tokens, trying to make that stuff work. So we think we've got good room for growth with
that stuff. And if you think about the Canary in every home, which I joked about, like even though
we started slowly, at this point we genuinely think there's huge space to grow. Like, when we started, we were a little bit lame in that we kind of ignored partners.
And mainly it's because we were too small to handle partners and we just weren't able to
handle it. And as time went by, we found some MSSPs come in who literally took Canary and
deployed them at every customer they've
got. So Eric Foster came through with Cyderes and literally every customer they have would also get
Canaries. For us it's a win and for them it's a win because they get the super easy to deploy thing,
when the Canary chirps Cyderes look good, Cyderes get to go in and sell them extra stuff. So these days, we're more
friendly with partners, like you're seeing more and more of that business where SOCs come in and
say, let us deploy this or MSSPs come in and say, let us deploy this. And so for the next while,
one of the things we want is, is we're saying, look, we know Canary works, how do we get it to more and
more people? Like, so how can we partner to put that bird on every desktop?
Well, and so sorry to
cut you off there, but I mean, it's a product that I think really makes sense
for MSSPs because it just lets them jump in there earlier, right? Like it doesn't mean,
like you sell a canary to one of your customers as an MSSP.
It doesn't mean that you rip out
the rest of the detection and response stack.
Like this, it just means that you know
when something really bad is going on.
So you can roll incident response
and that's billable hours.
So I think this idea that maybe some
might've had previously, that it was like gonna cost them, I don't think so. I don't think that's
right. I think it's just, it just lets them make better use of the other technologies that they've
deployed to the client.
Some of the best love that we get, like if you look at our canary.love
stuff, is from MSSPs and SOC vendors like that, because literally what they're doing is
super quick deployment, super high signal. And at the end of the day, like you say,
they then get to go pull at that string and unravel huge messes that start off with that
first canary that chirped. And so our pitch again, our dream is keep inventing new ways to detect it,
keep rolling out canaries so that we can put this canary on every desktop.
And that's the dream.
So see you in 20 years.
Well, I mean, fundamentally, nothing's really changed in the last 10 years
with what you're offering.
It's all been about refinement, incremental improvement,
and I'm guessing that's the way you want it to stay. Yeah. So, again, we spend, like, as a company,
we super deeply, I know lots of people might say it, we deeply invested in invention. Like,
we take the time for it, we carve out time for it. But there's a distinction between just making things and foisting it on your users and making something that works better.
And so with Canary, we're really about making it easier, making it pain-free, making sure there's few false positives.
And then at the other end, what can we invent that can move the ball forward?
So with tokens, with new detections.
And so it gives us a pretty good mix to say,
let's make this thing consistently better
while keep trying to invent new ways to do detections that work.
It gives us a good space.
It gives us a product that works.
And yeah, that's where we double down.
So the plan is to keep turning the handle?
Yes, so far, turning the handle sounds good.
Like I say, we're keen to talk to other partners who want to take Canaries to the masses because it's simple and it works.
Like at this point, we know it does. And yeah, we'll keep doing what we do,
which is making it better and better and inventing new ways to make defenders win.
Now, I want to talk to you quickly
about a blog post you wrote
where you extolled the virtues of conference booths,
which I think even you were surprised.
You surprised yourself by writing this thing.
Yes.
I found it interesting because funnily enough,
I went to the AusCERT conference earlier this year and you had a booth there.
And I met, what was his name?
The fellow who was on the booth.
Yeah, yeah, yeah.
So I met Bradley, had a good chat with him.
And it was just, you know, it was just really funny for me
because like, you know, you and I have known each other
since well before Canary.
And it's just funny.
It's like, well, here's Haroon's booth at a conference in Australia. You know, you've written
a passionate piece, sort of saying you should run conference booths, but you should run them this
way. And I gotta say, I agree with it wholeheartedly. And I think you should walk us through
the rationale there while we've got time. Yeah. So, so again, young hacksaw me hates that this is true, but conference booths
are great for us. Like, like we, we do about five of them every year and I hate saying it every time
because it seems like the most vendory thing ever. But A, I think they're good.
And B, I think so many people do them terribly
that I feel bad for one thing
because they're mostly just lighting their VC's money on fire.
But for the other, one of the things I worry about
is that they're killing a good and a useful thing.
And so for us,
we wrote this really long blog post a few years back when we did our first RSA and we tabulated all of the expenses and how that worked out for us. But fundamentally for us,
these conference booths are a great way to meet our customers. Like we have customers now that have paid us
hundreds of thousands of dollars that we've never met in person. And what happens is,
like when we came down to Australia, we've got so many customers in Australia, largely because of
risky business, who we've never met. And so now what happens is they get to come by the booth,
they get to say nice things. And an interesting thing happens, which is your existing customers come by and say nice things within earshot of new potential customers.
And one of the things we found that's super interesting is lots of customers would never be able to go through legal and say, I'm from big company and I use Canary.
But when they come to your booth, they'll happily say to the
people standing next to them, they'll happily say, hey, we use the stuff you should too. So absolutely
companies score with it. One of the things that I think is interesting with booths though, is I think
most people do them badly. So from the start, we use our booths for demos. So we do hundreds of demos.
People come in, we show them a demo. And we staff our booth with us. So literally,
the support people working on it, Marco's almost always there, Bradley's Canary since day one,
I spend all my time at the booth. And what happens is people then come and
get to have real conversations about the product. If something's sucking in Canary, then those
people who come down to the booth are going to let you know that they suck. And I'm surprised
that more founders and more product people don't use booths for this reason.
I mean, you're right in your piece that, you know, often they're off in a suite somewhere
schmoozing with the, you know, the CISOs for the Fortune 500s or whatever, or talking to investors
where really your position is they need to get down and spend some time on the floor because
it's a really valuable thing. I mean, it's hard to argue with that. I think it's such a wasted opportunity.
Like, and I genuinely, it's one of the things
I really want security founders to take away
is you almost never get a chance
to meet a thousand customers
and potential customers in the same day.
Like, why aren't you there?
It makes absolutely no sense. And for us it works
out super great. Like, there's no question, the booths work great for us.
I mean, I
think at a certain scale that becomes impractical for the founders, especially when they
might have five booths happening at five different events around the world, but I think you could still take that fundamental lesson, which is you need to staff
your booths with real people who have agency within the company. I mean, I think that that's
the lesson.
Yeah, absolutely. Like, if you make a corp at that point, staff it with your
product people, like staff it with people. Marco and I for years have this
running joke where we go around to some of the other vendors who used to offer deception stuff
and talk to them about their product. And most of the time we couldn't get someone to demo the
product just because the people at the booth go, no, that's niche and we don't know what that is.
And again, it's silly. It's a wasted opportunity. And one of
the things I feel in terms of the community good that comes out of it is if you make these
conferences just about stupid games and bad t-shirts, then that's all it's going to be. And
it's got the opportunity to be so much more.
It's funny, right? Because I remember my first RSA,
I think this would have been, man,
somewhere between 2010 and 2013 or something like that.
So I've been in this game a long time.
So that was even kind of late for me,
but it was so funny.
It was so funny because you had the people dressed in lab coats
and you had the jugglers and, you know, it was just,
it was very funny. I think the contraction in that stuff in the industry has been pretty sensible.
Funnily enough, I went to RSA this year, but I was going to a side event. I tried to get in to walk
the floor and they hadn't opened it yet. I was like an hour or something early, so I didn't wind up
going in. But is it still like that? I saw you over there, yes, but I didn't see the floor.
It is crazy. Like, every time you see it, you
look at it and go, that's something. Like, for one thing, it's the size. Like, I also went to
RSA late, like relatively, and the first time I went, honestly, one of my first thoughts were, no wonder
people are so confused, because like there's so many companies you've never heard of, right? Like
you've never heard of, and all of them, and at the time I was like, man, like in my years of pen
testing none of these people have been a speed bump to me.
No, I know.
And it's like, I just had this thought,
but it's like walking into a Turkish market,
which I have, by the way.
This isn't some imaginary Turkish market experience.
This is kind of like some weird, twisted American grand bazaar for enterprise software.
It's still nuts.
So it was a little muted with the end of ZIRP,
but not completely.
Like there was still,
I think Black Hat still had one of the major vendors
doing insane booth babe type stuff.
Really?
I don't mind the floor at Black Hat.
I gotta be honest.
I always found it a little bit more sober,
a little bit more focused on something approaching reality.
It's a little less nuts.
But it actually happened at Black Hat this year
where some major vendor had a case of the stupids.
But no, there's still some of that insanity.
There's still juggling, fire-breathing dudes.
And mostly my thing is do demos, talk real stuff.
It's a chance to meet customers.
For us, we get a bunch of other benefits from it because of our size.
But again, it really works out for us.
If you're a young sec company, I advise it.
I think it's good for you, good for the industry.
So the reason I mentioned all of that is that if you're listening to this or watching it
and you happen to walk past a Thinkst booth at a conference, you can stop and chat and
you're not going to get sales droned to death.
You're probably going to chat to someone real who has agency within the company and have
an interesting conversation.
We're going to wrap it up there.
Haroon Meer, it is just such a pleasure to see you.
You know, listeners and viewers wouldn't know this,
but what we do every time we do one of these is we catch up for about an hour
before we hit the record button and have a good conversation,
solve the world's problems, and then on to the interview.
Such a highlight to see you again, my friend.
Great to chat, and we'll do it again soon.
Thank you.
It's always cool, Pat.
Bye.