Risky Business - Snake Oilers: Nebulock, Vali Cyber and Cape
Episode Date: September 8, 2025In this edition of the Snake Oilers podcasts, three vendors pop in to pitch you all on their wares: Automated, AI-powered threat hunting with Nebulock Damien Lewke... from Nebulock joins the show to talk about how its agentic AI platform can surface attacker activity out of all those “low” and “informational” findings your detection team doesn’t have time to look at. Runtime security for hypervisors from Vali Cyber Austin Gadient from Vali Cyber stops by to talk about ZeroLock, its hypervisor security product. It’s marketed as a counter-ransomware control but is just a generally useful security platform for virtualised environments. A secure mobile telco: Cape The only thing American cell providers love more than providing patchy coverage is getting their customers’ data owned. Cape is here to change that. It’s a security and anonymity-focussed virtual mobile network operator (MVNO) that’s been spun up by a highly competent team. If we lived in the USA we would be customers, and a bunch of CISOs listening to this might want to consider Cape subscriptions for their workforce. This episode is also available on Youtube Show notes
Transcript
Discussion (0)
Hi, everyone, and welcome to another edition of the Risky Business Snake Oilers podcast.
My name is Patrick Gray.
The idea behind snake Oilers is that vendors pay us to come here and pitch their products to you,
the risky business listener.
So, yeah, everyone you're about to hear in one of these podcasts, they paid to be here.
And we've got three really interesting vendors you're going to hear from today.
We've got Nebulok, which is an AI-based threat hunting platform.
Damien Lucie is going to be along in just a moment to talk through that one.
We're going to hear from Valley Cyber, Austin Gradient, who's the CTO and co-founder of Valley, that's VALI,
is going to talk about their product, which is basically a VMware ESX security platform
and really build as a ransomware control for VMware and private cloud,
which is they brand it this way because people are getting whacked with ransomware in their
VMware environments but obviously a controller prevents ransomware is good at preventing other
types of attacks as well so Austin will be along soon to talk about that and finally this week
we're going to hear from Stephen Dowie who is the head of engineering at Cape now Cape is a very
interesting company that has created a lot of buzz over the last year or so it is a virtual
mobile network operator in the United States that is focused on security. So it's a mobile
network which doesn't collect much information about its subscribers and generally operates in a much
more secure manner. It filters network messaging. There's not even any SS7. There's no SS7 messaging on
their network. There's the other one that I can't remember the name of it right now. But yeah,
you'll hear from Stephen a little bit later on about that. And frankly, 100% hand on heart. If I were an American,
If I lived in the United States, I would be a Cape customer.
I could be a Cape customer here, but then I would have to have an American phone number,
and that might make things a little bit difficult, but maybe one day.
But yeah, we're going to jump into it now with our first snake oiler today, and that is Nebulok.
Now, a disclaimer right off the bat, I am an advisor to Nebulauch,
which means I do hold some share options in the company.
So, Damien Luki is the CEO and founder of Nebulauk.
And basically what Nebulaq is, is, I mean, it's AI threat hunting, right?
Like, there's so many companies out there, they might have a few people on a detection team,
but threat hunting, I mean, it's more headcount, it's more work, it's a very specialized skill set.
But it's also something that lends itself pretty well to AI automation, right?
Much like, you know, tier one sock analysis and stuff like that.
Threat hunting, there's an awful lot you can do when you start throwing, you know, AI models at this problem.
So here's Damian Lukie explaining what Nebula lock is.
Enjoy.
Nebulaq is an autonomous threat hunting platform.
Basically, we combine the ability to continuously test for malicious activity hiding inside your environment
while also giving customers the ability to translate these hunts into detections
they can push into their detection CICD pipeline or back in a Nebulaoc.
So you can kind of think of us as your single port of call for all post-exploit to action
on objectives behavior.
Okay, so the big question is, why do I need this?
Say, I've got my EDR, it's all singing, all dancing, I've got my seam and whatever.
Like, why do I need some then automated agentic thing to go crawl through the same data
looking for essentially the same sort of thing?
Yeah, and I mean, I caveat is like someone who's worked at a couple EDR vendors in the
past.
This is just one person's opinion.
I think twofold, right?
Like one, strategically EDR companies are starting to move into other
markets, right? And see like, hey, can we apply EDR to cloud security or CNAP or other areas?
So part of it might just be like folks are taking their eye off the ball. But I think more
fundamentally, like EDR was built around anti-malware and exploit prevention, right? It was
just hardening, accepting the fact that the endpoint was the perimeter and improving perimeter
defenses while also balancing the fact that, you know, if you threw an alert for every
informational low or medium, right, you're going to blow.
up people's alerts dashboards and most folks don't want to work with a system that's too
chatty. Like the reality is like there's so much value in the data that people have, right? And
not every single customer has an active intruder at any point in time. But I'd be willing to
bet, right? Like as soon as you add more than two nodes to a graph, like you have n number of
complexities, like there are applications and risky protocols running in every environment. We just
don't know because we don't have the time and it's not being flagged, right? But there's
much goodness. And if you actually think about like deeper, longer tail, like if you're dealing
with a real APT, right, they are going to masquerade in your existing telemetry, right? Like,
you will only throw low or informational or no alerts until like they're getting out of
dodge, right? So to us, the whole focus is like giving you more value out of all the stuff that
you're paying for, right? Because there's so much there. You just have to know where to look.
So it's stuff that might not hit that threshold for something.
that's going to leap out of a seam screen or trigger a detection in an ADR console,
but it's like there's something up.
A hundred percent, right?
A great example I can think of is like the remote access tool, North Korean wave that we've
seen this year, right?
Like, EDR is not going to alert on team viewer running in your environment.
But if team viewer is not the way that you do, like RMM, that's not your RMM tool of choice,
right?
That's immediately a red flag.
But we only know that now after the fact, understanding.
that like, that's how attackers are getting direct access to company secrets, right?
So the whole focus is to give you more signal from all those lows, mediums, from things
that haven't even alerted, right?
Because there's a lot of goodness in telemetry and surface that to a human, a human analyst
or a human responder.
Okay.
So what sort of data are you actually crunching here, right?
Because I'm guessing you're going to be taking in telemetry from things like EDR, from things
like call light, from things like IDP logs, you know, stuff.
stick it all in either structured or unstructured, you tell me, and then you're going to
see it, let LLMs crawl all over it and figure stuff out.
So why do you give us a rough idea of, like, you know, concretely how this thing works,
what sort of data it's looking at and, you know, what sort of signals it surfaces?
Yeah, 100%.
Right.
So best way to get telemetries at the source are right now we cover EDR and identity and access
management platforms.
We're kind of moving across the stack as we continue to build out the hunting capabilities
of the platform.
really simple way is like we hit your EDR APIs so we pull raw telemetry same thing for your
IDP and the whole idea is like we want access to all the data so we can get as much juice for the
squeeze when it comes to the hunting and analysis that we do so you just need to share an API
key with us and we plug in and away we go yeah we've done uh you know 3,000 endpoints in
five minutes is our our record so far in terms of onboarding customers yeah now speaking of
you know, you're a very, very new company, just exited stealth. You've actually got some paying
customers already. You know, one thing I often say is nobody buys anything because it's cool,
right? And this is very cool. Like what you're describing is very cool? But like, what's the thing
that's making people actually plonk down the money to buy this? What is the actual killer use
case? Yeah, I mean, the killer use case really is, I think a lot of people want threat hunting,
but really what they actually want is clarity and repeatability, right?
Like, I want to understand what's happening in my environment and not just rely on my existing
security vendors or, like, the brittle detections that I've written to alert me when something's
happening.
So the reason that people are buying Nebulauk is because we give you a continuous hunting
ability for the fraction of an FTE.
And I'm really honored to say that, you know, we've got some people who've joined us
along the journey and it works, which is great.
The proof, to quote, one of our recent customers.
It does what it says on the tin, which is really, really exciting to hear, particularly in security when marketing and functionality don't always align.
Now, one of the other things you can do with this, too, I believe, is you can actually take, like, public threat intelligence reports or even stuff that you've paid for and do some pretty sophisticated threat hunting based on that reporting and, you know, beyond like IOC hunt, right?
Like, that's kind of the idea here.
Yes.
So hunting at Nebulauch is all focused around behavior.
More power to the folks who want to do IOC-based hunting.
But for us, we're really looking at behavior.
And, yeah, we've got two different sources of inbound telemetry, right?
We've got the EDR and I am from our customers, and then we take threat intelligence, right?
Threat intel is a super valuable way to extract detection possibilities to extract hunt hypotheses
and then run that across your data.
A big component of Nebulaug is we've got this virtuous feedback loop between external
threat intel that's powering new and different ideas and then the organic hypotheses
that us and our agents are developing as we run hunts across people's data and surface new insights.
I think to your point, Patrick, though, right?
Like what customers can do is say, like, great, I've got this piece of threat intelligence nebuloc.
And what we've given them the ability to do is, like, from a piece of threat intel,
one click, like generate your own hunt idea, generate your own detection in English.
You can select which operating system you want it to run it across, right?
So Windows or Mac right now and Linux is coming soon.
And the idea is like you just click a button and we'll run the retro hunt across your data.
You'll have a newly minted detection that's been tested and validated and you can push that into wherever your detections live.
Now, in addition to the paying customers, you've got, you've also got a bunch of design partners and you're covering, you know, quite a few endpoints these days.
And, you know, I just wanted if you could tell me, like, what's the coolest stuff that you've been able to shake out?
Like, I mean, you know, and as I say, very, very new, haven't been around very long time.
But what's the cool stuff you've been able to shake out immediately upon being deployed to some of these.
Lodge environments. Oh my gosh. Okay, so I've got a couple of examples. We'll flag, we'll start with
some interesting malicious insider use cases. So obviously, like we all have confidence around
access control policies and what's allowed and denied. What we actually found was one of our
design partners believed that they were preventing Tor from running in their environment,
but Tor was actually misconfigured in the policy, so Tor browsers were running amok.
But not only that, some folks that actually downloaded tools via Tor that presented some really risky implications to the business from a remote access perspective, we were able to catch that right off the bat.
So that was super exciting just to say like, hey, you know, not only did we flag these two different misconfigurations and like we've got these malicious insiders, right?
One of the employees was actually violating the company's code of ethics.
but like immediately out of the box provide that that visibility and value and that was on a
crowd strike data set so super exciting yeah so that was that was that was tour browser executed
file came onto disk file executed off disk like that was and that was and that was surfaced from like
what was the prompting that you had to give nebuloc to get it to tell you that yeah so i think a
core component within nebuloc and the prompting that we had to give it is um you know a lot
of threat hunting starts with statistics and then is a whole lot of business context so
we looked at you know different processes running it was a statistical anomaly and then basically
we were like hey you know based on these anomalies right like find context and enrichment and see if
you can get any more understanding around like what this particular executable might be and you know
in near real time like the agent pulled that all together and said hey this is what you have right
and this is why we're we're alerting on this so it's so funny because that's always been like
such a good detection which is show me the 10 least common binaries
You know, 10 least common processes in an environment, like, they're not good.
They're never good, those outliers, you know?
Oh, my gosh, right.
And this is a really important part, you know, when it comes to how we built Nebulak, right?
Which is, it's all about business context and, like, broader context.
Because if you look for statistical anomalies alone, like, you're going to have this wildly
long tail of applications that could throw potential alerts, right?
The key is to figure out, like, what's the context of whatever that application is,
what were its parent-grandparent processes?
And then, like, who's actually running that, right?
So it's been interesting, right?
Like, as we've continued to improve context
and as we get more coverage
in a more diverse data set,
to be able to flag things like that
faster, better, and with more confidence.
Because AI well, grade is not perfect,
and we're always looking to fine-tune and improve
and post-trained the agents that we have
to deliver better, faster outcomes to our customers.
Now, I believe I derailed you there
because that was the first example you were going to give.
Like, what's another example of stuff you've found?
Yeah, so this was a pretty cool one.
We got to do a hunt along with one of our customers.
So there was a suspected remote sharing services issue.
And basically the customer was like, hey, you know, like we've got a hypothesis,
but like Nebula, go do the analysis.
And what we ended up finding was not just one,
but a broad footprint of remote sharing tools across thousands of endpoints,
ranging from standard collaboration apps
to admin remote control utilities.
And basically what we were able to do
by being pointed and doing additional analysis
was like a concrete map of where and how
each of these tools were running
and then flagging a few that were like exceptionally risky.
So it was cool to like satisfy the initial use case
but then like based on the intelligence
and the fact that agents can hunt much faster
than you know, we can run an SPL query.
We were able to get all this additional
context. And yeah, they were so excited. They expanded our footprint by an additional
several thousand endpoints. So that was super exciting. Yeah, so they had no idea. This stuff
was just like festering. No. Now, where are you getting most interest from this? What sort of
verticals? Is it, I'm guessing it's just larger teams with, who already might have like
detection engineers, but they don't have that threat hunt piece. Is that kind of where it is?
Yeah, so it's interesting. That was my original hypothesis too. I'll make a long story short. I did a lot
a customer discovery when I started this company. What we actually have seen is like,
uh, enterprises between like 500 and 5,000 employees have kind of been our sweet spot. So,
uh, late stage VC back tech companies or early public companies, um, banking and financial services
institutions and then retail of all verticals have been kind of where we've hit. And then,
um, we're expanding into healthcare. So that's another area that we're, we're moving into. Um,
but it really is more folks like, you know,
If you've got two people in security, you know, Nebula lock is probably not a great solution
for you. But as soon as you've got like a security engineer, a detection engineer, your team's
maybe five or six, you immediately see the value because you might not be able to pay what J.P.
Morgan can pay for a team of 24 by 7 threat hunters and like former NSA people to write your
detections, but you still have the same need. Like, adversaries are still going to target you.
In fact, those are the folks that get targeted a lot more than the J.P. Morgan's of the
world because they don't have those controls. They don't have those people.
All right. Well, Damien Lucie, thank you so much for joining me to tell everyone all about
Nebulauk. It's very interesting stuff. And indeed, we'll be chatting with you a bunch more through
26. Thanks for joining us. Thank you for having me, Patrick. That was Damian Lucie there of Nebulock.
Big thanks to him for that. It is time for our next snake oiler now. We're going to be chatting with
Austin Gadiant, who is the CTO and co-founder of Valley Cyber.
and that is spelled VALI.
Now, anyone who listens to risky business regularly
would know that if you're a VMware customer
these days, like life's a little bit tough, right?
You know, especially since the Broadcom acquisition,
life for VMware customers is a bit tough.
They're not really doing a lot of feature development on it.
There's some security features just frankly missing
from VMware products.
So Austin developed and his team,
developed Valley Cyber's,
main product to really help people get a handle on their VMware environments,
particularly around trying to reduce ransomware risk. But, you know, as I said at the
top of the show, anything that's a ransomware control is going to be just generally a good
security control as well. So here is Austin Gadiant, the CTO and co-founder of Valley Cyber
explaining what they do. Enjoy.
Valley Cyber is a product that protects hypervisors from ransomware and other sorts of
attacks. It's called Zero Lock. And so Zero Lock, one of the big capabilities of it is its
ability to protect ESXI systems at the host level. And so for the first company that has a
runtime security solution that runs on ESXI systems that is digitally signed and certified by
VMware. And for those listeners that are not familiar with attacks against hypervisor
infrastructure, you need to look no further than Scattered Spider. So Scattered Spiders launched
quite a few attacks against hypervisor infrastructure. And
notably, the MGM breach, the Marks and Spencer breach, those were all ransomer attacks against
hypervisor infrastructure.
And the reason that threat actors take this approach is they try to encrypt all the VMs
that run on top of these systems.
And if they do that successfully, it's a very devastating attack.
You can imagine the normalization's private cloud all goes down at the same time, which is
really devastating.
The other sort of attack that we see is more of a nation-state level attack.
You've seen this against the defense industrial base in the U.S.
Midre got breached, for example, in May of 2024.
So the mitre breach was on ESXI infrastructure.
Basically, the goal of the attacker was to break into that environment and dwell there
for a long time because they recognize that there's a lack of detection and response
capability in these environments.
If they can dwell on the hypervisor, they can sit there for a long time and use it as a
beachhead for further attacks into that network.
Now, Zero Lock is really special because it gets delivered as a Vib or a VEFphere
installation bundle that is digitally signed and certified by VMR, as I mentioned. And so you can
deploy it through VSphere, just like a normal ESXI update. We also support any sort of Linux-based
hypervisor like Proxbox or OpenShift. And there are a few key capabilities that provides, one of them
being multi-factor authentication for command line logins. And so this is really important because
one of the common TTPs we see of threat actors against these systems is stealing a credential for
assistant administrator account and just logging into the hypervisor as an admin, downloading
malware from there.
And so by having MFA, you prevent a simple credential compromise from giving them all the keys
to the kingdom.
Another key capability is virtual patching.
Virtual patching is essentially exploit prevention.
You can also think about it this way, where we're going to block behavior associated with
the exploitation of various applications on the system.
And so a good example would be an escape to host exploit, where the attacker against access
to a guest VM and they use a CDE or zero day, exploit that VM and gain access to the host
itself, zero lock and block these sorts of attacks. And then lastly, I'll mention behavioral
detection for various types of malware, one of them being ransomware detection. So we can detect when
files were being encrypted on the system. And if we see that, we can block that behavior. We can kick the
attacker off the box and we can even restore files that have been encrypted back to the pre-attack state and
remove that damage. And so I think these attacks are just going to increase in prevalence because
actors recognize there's good EDR tools on traditional endpoints. And so they're looking for
systems that don't have EDR on them like these hypervisors. And that's why they're launching
attacks against these own predictive systems. Now, I am absolutely not any kind of like V-Sphere or
VMware expert here, right? So why don't you tell us a little bit more about how this is deployed, right?
Because you keep talking about, oh, well, it's the hypervisor.
Whereas I just think of that hypervisor is that shim between that, you know, private cloud
supporting infrastructure and the actual OS that's running in a VM, right?
So where exactly does your tech actually sit?
Where do you install it?
How does it work, you know?
Yeah, so the tech installs on the hypervisor itself.
So in the case of the VMware environment, you typically are going to upload this V-Sphere
installation bundle into V-Center.
V-Center is the management console for.
for ESXI hosts.
And then there's just a simple process
for updating the hosts using something
called VM or lifecycle manager.
And so you just apply the new component
with a new Vib to these systems like a typical update.
And it's very straightforward process
that folks that are used to administering
these environments would be familiar with.
And on the Linux side, it is delivered either
as a dead package or an RPM package
that you just install with YAM or AAPT
or one of the common installation capabilities on Linux systems.
So this isn't something that you're installing into the VMs that are running in this private cloud.
This is something that you actually, that is what, like an extension to the hypervisor that does all of this security goodness.
Exactly. And it's focused on protecting the hypervisor. It's not looking into the VMs and looking at the VM behavior.
It's focused on protecting the hypervisor operating system.
Yeah, you were talking about like EDR and whatnot before. And like quite often people who are running these VMs, like they will have EDR in these in these VMs.
But I guess the point here is there's a whole bunch of stuff that the EDR can't see.
Exactly. That's right.
Running out the VM level, they're not able to see the activity on the host hypervisor.
And this provides a beachhead or an area where attackers can get onto the network and launch further attacks.
Yeah.
So give us an example of some sort of stuff that you've actually managed to catch in the wild.
Because I'm guessing, given the level of attacker activity around like V-Sphere stuff,
I'm guessing you've actually bumped into a few attackers in the wild, many of them over the last few years.
Yeah, it's absolutely right.
I think something that we see a lot is just attackers stealing a credential from a system of an administrator, using that to log in.
So the SSHMFA capability or the command line MFA capability of the solution gets exercised quite a bit.
If someone fails, the MFA attempt you're going to get an alert, and that's one of the first signals that your infrastructure is being reached,
or there's an attempt to breach the infrastructure.
The other sorts of attacks that we've seen installed
would just be ransomware attacks
where the attacker attempts to detonate ransomware on the hypervisor.
And there's all sorts of different samples out there
with all fancy, funny names.
But at the end of the day, what they try to do is
they try to shut down virtual machines that are running
so that they can unlock the VMDK files,
the VMDK files with the virtual hard disks,
and that's what they try to encrypt.
And so we have various detection and protection mechanisms
that prevent that sort of activity.
And this is something that we see.
on a regular basis.
Why is it that we need a third-party tool
just to give V-Sphere MFA?
I'm curious about that part of it.
That's a very interesting point.
I think MFA for the command line
is something that has been asked before
by VMware customers.
It just hasn't been delivered yet.
You'd have to ask Broadcom why they haven't done it,
but I'm sure they've got their reasons
and they've got their own product group map
that they have to worry about.
I'm sure they have their own reasons.
I just doubt any of them actually good reasons.
But I mean, you started off as a sort of Linux security company before moving into this specialty of, you know, hypervisor security.
What was the reason for that?
Yeah, so three things kind of happened all at the same time.
There was a meeting that we had with a Gardner analyst who suggested we take a look at hypervisor security.
There was a meeting with our CISO advisory board.
So we have a CISO advisory board with CISOs from large companies, small companies.
And we basically went through a product roadmap of different capabilities we could add.
the product. One of them was protection for ESXI systems. And that was the thing that got highest rated
amongst this group of scissors. And all those events happen at the same time as the MGM breach. And so
the MGM breach was a major ESXI ransomware attack. And so it was just very clear that something needed to
be done. And there was a desire to have something done. So we just need to figure out how to do the
engineering work to deliver a product onto these systems. And is it the case that you built out this
this part of the product and it just sort of ate your business like it was just the uptake was such
that you focus less on the previous Linux stuff or you know how did that work? Yeah we still have
we still have customers using the Linux product and we still support the Linux product but
our main focus is a company today is on hypervisor security in particular ESXI security just
because there's so much demand for that capability and because there are so many attacks happening
against VMware infrastructure right now. Yeah I mean it's interesting for us right because we sit here
and people say, hey, we would like to do a snake oilers spot and whatever.
And we look and investigate the technology and see, like, is this something that listeners will be
interested in?
And the one that really stood out is that, like, this is such a big problem.
And it's also V-sphere and whatnot is sort of seen as a bit of a legacy tech.
So there's not investment going into it.
There's not a whole bunch of people queuing up to offer solutions like yours.
So, but, and yet the market is still really big, right?
And there's a lot of work to be done there.
So I'm just curious what sort of companies tend to be your customers.
Like you mentioned the defense industrial base previously.
I understand your career prior to this company.
You worked in the Air Force.
So I'd imagine there's a bit of dib, DoD sort of stuff.
Is that where this stuff is most popular?
Or is it just anyone who runs V-Sphere?
Is it sort of scattered gun across the whole install base?
Yeah.
So we have a lot of different verticals that we're engaged with.
I think we see a lot of traction from heavily.
regulated industries or industries that have high security requirements like the government
and like the Department of Defense. But we see on the commercial side a lot of interest from
banks and financial institutions and also healthcare organizations, hospitals. So those sorts
of typical victims of ransomware attacks or the organizations that are typically trying to
really up their security to keep up with compliance or to differentiate themselves from their
competitors, those sorts of verticals are where we see the most trash in with this product.
But then a lot of them are using VMware because they have private cloud implementations as well.
So anyone that is using private cloud to some extent and is using VMware is going to be a good target for this product.
I also think it's worth mentioning that there's a lot of growth in the private cloud industry.
It seems like it's something that's dying and that public cloud is in the world.
But private cloud is growing at a steady clip too.
If you just look at Broadcom's reported numbers of their revenue growth for VMware or Nutanix's growth as well,
Nutanics is a popular competitor to Broadcom, they're both growing at double-digit
Cagger, and it's really interesting to see the growth of the private cloud as well as the public cloud.
So not as much of a dead industry as I was making out, huh?
No, I don't think so. I think it's a lively industry, and Broadcom's big push right now is all
about private AI. They think that organizations are going to want to run large language models
on private infrastructure so that they have all that data secured. We'll see if that ends up happening,
but that's really what they're banking on.
It's a lot of growth from large language models and generative AI.
All right, so I've got a couple of tech questions I just want to end on.
Now, you mentioned before that you can detect, you know, encryption.
So I'm guessing this is when people are actually taken over like the, you know,
the control plane, the VMware stuff and they're just trying to, you know,
unmount everything and just encrypt all of that storage.
Are you just detecting those, you know, how are you detecting those operations?
Is this just like looking at what's happening on disk or is it looking at what's happening in memory?
I'm just curious how you do that.
Yeah, we're looking at process behaviors.
So we're looking at the applications that are running on the system
or looking at the behavior of those applications.
It's worth noting that the solution doesn't have any sort of kernel hooks or kernel modules.
It's a big distinction between us and many EDR tools.
The reason we don't do that is for stability and performance.
But our detection capabilities are all based in user space.
And we're really just looking at things like file access, program execution, network access,
those sorts of behaviors that can be associated with malware activity and with ransomware activity.
But I'm guessing you will not be identifying that sort of activity when it's just happening on a single VM on this infrastructure.
So this is more about when someone's taken over the whole enchilada and they're trying to just like, it crypt everything.
When they're inside the hypervisor itself, that's where we're going to activate.
If they're operating just inside the VM and there's no really activity that's being executed on the hypervisor, that's not something that we're going to be.
paying attention to. That's something the traditional EDR tool can see and can manage. We're focused on
protecting the hypervisor activity. No, 100%. And I'm guessing this exploit mitigation stuff very much the
same. Exactly. That's right. Yeah. So, I mean, this is almost like EDR for the hypervisor
like stuff because it's a little bit exotic and like Crowdstrike don't sell it. Yeah, it's a, I hesitate
to call it EDR because there are architectural differences like lack of kernel modules or lack of
kernel hooking, but it is a similar concept and that we're running an agent on the hypervisor,
that agent is protecting it from attacks. Yeah, I guess it's not an, it's not an EDR. It's like
host, host hardening with some detections, I guess. I don't know. It doesn't really fall into a
neat category, does it? Yeah, exactly. I think it's a hypervisor detection response is
something you could call it. Not that we need another category in the security space. They're already
way too many today. No, 100%. Look, Austin, I think this sounds like this, you know, there's a bunch of
people out there listening to this who are probably going to be very
interested in that tech. The name of the company
is Valley Cyber and the name of the product is
Zero Lock. So Zero Lock from Valley Cyber
V-A-L-I. Austin
Gadiant, thank you so much for your time.
Absolutely. Happy to be here, Patrick.
Thanks for having me.
That was Austin Gadiant there from Valley
Cyber. Big thanks to him for that.
And again, it is V-A-L-I-Ciber.
So our final
snake-weiler today, we're going to hear from
Stephen Dowie, who is the head of
engineering for Cape. Now, Cape is an interesting one. I first heard of it quite some time ago
now when a friend of mine was thinking about actually investing in Cape. And so I was well across
this company for quite a while. And then I started hearing from friends of mine who were trying to
introduce me to them and say, hey, do you want to try the service and whatnot? Like it's generated
actually quite a bit of buzz, at least in my community. And what Cape is, is a, you know,
MV&O, right? It's a virtual mobile network operator. But normally we associate,
virtual mobile network operators is being like with low cost service right like white labeled
service maybe the you know generous data plan speed not as good you know that sort of thing
whereas what cape is trying to do is actually offer a real premium experience and one that's very
much centered on security and privacy the whole idea with cape is they do not collect much information
about their subscribers at all let alone on sell it for profit which is something that unbelievably
American carriers actually do. So Stephen joined me to talk all about Cape.
So look, not only do they do they not sell, you know, collect and sell data,
but they're just trying to make their network much more secure and and do things
like spot devices acting weird, subscriber devices acting weird and all sorts of
stuff. You can even get hardened Android devices from them that are, you know,
play nice with their network and stuff. It's very, very cool. Stephen Dowie,
join me to explain what Cape is all about and here's what he had to say.
enjoy.
CAPE is a mobile network operator built for privacy and security first.
We strive to protect people against a range of threats, specifically targeting through signaling
attacks, protecting user information, geolocation information, your communications,
and really your identity.
So how do you go about actually building a mobile network that's going to do all of those things?
Yeah, it's hard.
hard. You have to build it from the ground up. You have to build it and design it from an interoperability
approach, but also rethinking how the systems were meant to work. You can't just take
everything off the shelf and plug it in. You have to design it from a minimum trust model from
the ground up, thinking through things like encryption, thinking through things like minimum PII
collection, and building your system to actually be anonymous and not track people from the
start. Yeah, okay, right. So basically the way this works is you're like a virtual mobile network
operator, which means you're relying on other people's towers and whatnot, but the rest is you. The sort
of core of your network is all managed by you. So, I mean, who are you using for starters? Who are you
actually using for that last mile of like actually turning data into radio waves? So who are your
telco partners? We have a variety of partners. I can't reveal specifics, but it's in the US domestically
over 12 regional and national carriers.
So you actually get the ability to have access to multiple different telco providers
and get enhanced coverage as a result.
Yeah, I mean, I guess that's why I asked, right?
Which is this all sounds great, but like if you're only got one, you know,
one of the smaller telcos in the US, like your coverage might not be great.
So, okay, that's awesome.
That's a good change.
So what sort of security and privacy risks?
We'll get to the anonymity part in a bit.
But what sort of security risks are you looking to address with something like this?
We've seen a lot of problems in the United States, in particular, of like foreign adversaries using SS7 to track people.
I guess that's maybe something that you're going to address.
We've also seen that it's very difficult to monitor the security of things like iOS devices,
because on the hosts themselves, there's very little inspection you can do,
whereas if you're controlling the network, you might be able to spot some C2.
So is it basically just a grab bag of everything that you're trying to look at?
Yeah, it's a very holistic approach.
Our threat model, it includes a little bit of everything, right?
And what we kind of look at is everything from actual selling of user information.
How do you minimize tracking and minimize the telcos and really your mobile provider being
complicit in selling your geolocation information, right?
The other thing we'll also look at is compromise.
So compromise, as you probably know, every single telco has been compromised in the last 12 months, right?
If Salt Typhoon in April of 2024 was probably one of the largest compromise of U.S. infrastructure, and it affected functionally everybody.
And you managed to compromise everything from called data records to geolocation information, and it occurred for a period of months.
So when we look at the problems we're trying to solve, it's everything from how do you minimize,
the data that's we or your telco has about you in the case of breach, right?
Data can't be leaked or data can't be sold if you don't have it, encrypting data as much
as possible at rest or in such a way that only you can decrypt it or the person you're
talking to can decrypt it.
So in the case of breach, it is not functionally usable.
And then also protecting the perimeter of the network, but also protecting the internals between
components. So traditionally telecoms really approached it from a interoperability and perimeter
security model perspective, only kind of securing the outside from non-telco adversaries.
We kind of approach it a little bit differently, which is we don't trust anybody and we make
sure to secure the perimeter between not just ourselves, but other telcos, as well as internal
to our own system.
I believe one of the ways you've done that is like you just don't support SS7 at all.
you only allow diameter for roaming and that sort of messaging between networks, is that right?
And diameter is just like the newer signal signaling protocol, right, for mobile networks.
That's correct. We only support 4G and 5G, which enhances the security and reduces the attack surface.
Yeah. I'm guessing, though, that you still have to reduce some inspection and filtering on diameter messaging, right, across the network.
Absolutely. Diameter is not.
impervious to attacks their vulnerability.
So there's plenty of examples of it being used for targeting for individuals, tracking of individuals.
So you still have to go through the effort to build signaling firewalls in order to protect individuals from just having their information requested.
Location information or, you know, protect them against having SMS being hijacked or rerouted to an adversary, leaking OTPs.
All those are still vulnerabilities that can be exploited through diameter.
Okay. No, this is interesting, right? So you've talked about building a more secure telco essentially, right? And I think that's, that is interesting because a lot of the U.S. telco is the stuff they do, like here in Australia, like they just would not be allowed to do when it comes to the way that they handle their subscriber data. So, you know, that's an interesting model in and of itself. You know, people used to say data is the new oil. I think I prefer the term data is the new, you know, radioactive waste because it's very dangerous to hang on to that stuff. So it's great to see a company that thinks about it.
way. What are you doing in terms of actually monitoring subscriber devices for signs
of compromise? Is that something that Cape also does? We do have the ability and do partner
with some enterprises, corporate entities, in order to do that, right? The way we kind of view it
actually is most telecoms don't really value or do any support in any notion of like EDR or
like network level monitoring. There's just too much data, right? They don't really have the ability to
monitored it at such a scale. And so for us, actually, we don't necessarily want to be the ones
that analyze or make decisions around if your devices are compromised, but we have access to
very unique data that traditionally is unavailable to the Infosec and, you know, people with
the tools and the ability and the incentives to monitor that data. So for us, we can integrate
with, you know, corporate seam or sassy platforms in order to actually share that information
and create a more holistic view of the world. So you can you can, you can
pipe it out basically into some data pipeline product and then from there they can choose what to
archive, what to pump into the same. Yeah. And honestly, we can also even make decisions or actions
on it, right? If you think about it from the perspective of international high risk travel,
right? When I go somewhere, there's opportunities for me to be targeted by local law enforcement
or adversaries in the region if I'm going to somewhere where that isn't particularly
friendly to Americans as an example.
I might be interesting to know when my information is being requested, when it shouldn't be
or I connect to a network that is a little bit suspicious, what can I do to actually mitigate that?
And it could be things like identity rotation, right, changing your identities to make targeting
actually harder or alerting the actual Infosec department around, you know, what is actually occurring.
You spoke about having access to data that normal Infosec teams don't have.
Like, what did you mean by that?
signaling information
you know
what cellular networks you connect to
is there data leaking out over the VPN
because you can't necessarily
control all data with a VPN
and an MDM on a mobile device
maybe things like ComCenter traffic
or
system level apps are
communicating outside of the bounds of the
VPN
now is there a
I believe there might be sort of like a
Cape handset that is optional that you can
use which is some sort of modified Android thing
Is that right or have I got my wires crossed there?
That is true.
We do have a device that you probably have seen that we sell to select customers.
And it's for people with elevated risk profiles.
It does a little bit more, but most of our customers end up just using a B-YOD model.
Yeah, okay.
So let me ask, who is Cape 4, right?
Is this for, you know, when I'm thinking about people who do risky international travel
in Australia, right, it might be like mining executives, for example, who are negotiating
important deals in China, right? Those guys are like, you know, their phone battery doesn't last
because there's so many shells on the actual device, right? Like, are you trying to, you know,
service that end of the market? Is it for government? Like, who's it actually for?
Security and privacy is for everybody, as is our view of the world. If you think about it from
the individuals with the most elevated risk profiles, probably government and defense, law enforcement,
Yes, they also are users of CAPE and have incredible interest in using the products.
But at the end of the day, they all are still part of the general population.
And you want to be able to provide privacy, security, and a right to those as a result.
I think there's a little bit of traditionally learned helplessness around.
privacy and security, and nobody's ever considered that there might be an option to have it
from a personal perspective. It's always been, I have my telecoms I want to use. For us, I think
we're providing that option. Well, I think the FBI's advice in the wake of Salt Typhoon is just
telling everyone to use signal, right? Which solves some problems, but certainly not all of them.
So you mentioned anonymity, right? So what is it possible?
to become a CAPE subscriber with only providing very limited information?
Like, what did you mean by that?
Yeah, I think it starts, if we go back to our holistic security model, it starts with the
information you give.
And for us, we want as little information about you, essentially enough to just collect
payment and then give you a SIM card and provide you service.
We don't need to know where you live.
We don't need to know what your name is.
We don't need to know who your relatives are.
We don't need to know your social security number for sure.
so for us it starts there and from there you build on to it right you you don't need to collect
more detailed tracking information about an individual i don't need to know where you live
where you go from from nine to five i mean is there a concern there that people might start
using cape for nefarious purposes if it's you know essentially like it's like you know
burn a level of detail on on a subscriber right like you know this can't have been this
can't be something you haven't thought about. Yeah, of course. I think for us, we view privacy
as a right, and we don't make decisions around what people do with our network or what they
want to do with their time or with their life. And so for us, it's a tradeoff you have to live
with respect to giving people the option to pursue privacy and the option to pursue what they
to pursue. And there's always going to be people who do nefarious things. We are fully
compliant. I'd imagine, too, that, you know, like if I'm a criminal, I'm much more likely to buy
a, you know, burner at a bodega, then sign up with a credit card to a service like Cape
in the first place, right? So, you know, I'd imagine also if there were an instance of a subscriber
being involved in some, you know, heavy crime, you do have that payment information to fall back on,
which would be enough for law enforcement. Yeah, we do. We are fully compliant with law.
enforcement. We do have, we do supply them with information. What I will say is it's minimal
information, right? So it's not necessarily enough to effectively track somebody, but it's,
it's enough to comply with regulations. Well, it might be enough to identify someone, right,
but not not give, not give law enforcement their life story and all of their location
tracking. Yeah. One thing on the individuals who may be interested in signing up for Cape
is it's not necessarily just bad guys who would be interested in this.
It's also, you know, people who, some of our customers have very interesting stories
around, you know, things they're running away from, right?
You know, we've partnered with organizations around domestic abuse or journalists, right?
And there are individuals who have very real fears about, you know, their location information
being bought by advertising brokers, right?
And even just de-gooling your phone
and removing trackers on your phone isn't enough
if your telecoms are also selling that information as well.
So for us, we're more focused on those sorts of individuals
rather than thinking about who may maliciously be using our network.
100% well said.
One thing I would say, we are live in the U.S.
It is not hard to try out our network and just use it.
so for us we have a promo code that anybody here can use snake oil all caps all one word for 33% off for
six months privacy and security doesn't have to be optional give it a try all right stephen dowey
thank you so much for joining me to give us the skinny on cape very interesting and i wish you
all the best with it yeah thank you so much that was stephen dowey there from cape big thanks to
them for that and as i said at the top of the show uh if i were american if i'd
lived in the United States. Even if I lived in the United States, I would absolutely be a
Cape customer. The telco ecosystem in the United States is a mess. Frankly, as an Australian,
I can't believe what they get away with over there. And Cape would seem to be an awesome remedy
for that. So go sign up. Tell them Pat sent you. But that is it for this edition of the Snake Oilers
podcast. I do hope you enjoyed it. I'll be back soon with more security news and analysis. But until
then, I've been Patrick Gray. Thanks for listening.
You know.
You know,
You know what I'm going to be.