The Team House - NSA Hacker | Kyle Hanslovan | Ep. 329
Episode Date: February 25, 2025Kyle Hanslovan is the co-founder and CEO of Huntress, a sleek cybersecurity operation recently valued at $1.5B; he knows a thing or two about success—or, as he likes to put it, “not failing.” Li...sted among CRN’s “Top 25 Tech Disruptors” and awarded EY’s “Entrepreneur of the Year 2024,” the serial entrepreneur and ex-military leader sits at the forefront of a revolution in cybersecurity, ruthlessly collecting a host of kickass titles like “award-winning cyberwarfare expert” and “elite NSA operative.” Outside of the office, Kyle is a father of three who follow in his footsteps as restless Florida youth engaged in minor mischief on the internet and inside their middle school and university classrooms.https://www.huntress.com/-------------------------------------------------------------------------------------------------------------New merch, patches, and stickers! ⬇️https://theteamhouse-shop.fourthwall.comSupport the show here:⬇️https://www.patreon.com/TheTeamHouse___________________________________________________Subscribe to the new EYES ON podcast here:⬇️https://www.youtube.com/@EyesOnPodcast/featured—————————————————————-Today's Sponsors:StopBox USA⬇️Get firearm security redesigned and save with BOGO the StopBox Pro AND 10% off @StopBoxUSA with code HOUSE at https://www.stopboxusa.com/HOUSE #stopboxpodGhostBed⬇️https://www.ghostbed.com/houseFOR 50% OFF!!!The Perfect Jean⬇️https://theperfectjean.nycuse code "HOUSE15" at checkout for 15% off & free shipping____________________________________Jack Murphy's new book "We Defy: The Lost Chapters of Special Forces History" today! ⬇️https://www.amazon.com/We-Defy-Chapters-Special-History-ebook/dp/B0DCGC1N1N/——————————————————————To help support the show and for all bonus content including:https://www.patreon.com/TheTeamHouse-AD FREE AUDIO-AD FREE VIDEO-Access to ALL bonus segments with our guestsSubscribe to our Patreon! ⬇️https://www.patreon.com/TheTeamHouseOr make a one time donation at: ⬇️https://ko-fi.com/theteamhouseSocial Media: ⬇️The Team House Instagram:https://instagram.com/the.team.house?utm_medium=copy_linkThe Team House Twitter:https://twitter.com/TheTeamHousePodJack’s Instagram:https://instagram.com/jackmcmurph?utm_medium=copy_linkJack’s Twitter: https://twitter.com/jackmurphyrgr?s=21Dave’s Twitter: https://twitter.com/dave_parke?s=21Team House Discord: ⬇️https://discord.gg/wHFHYM6SubReddit: ⬇️https://www.reddit.com/r/TheTeamHouse/Jack Murphy's memoir "Murphy's Law" can be found here:⬇️ https://www.amazon.com/Murphys-Law-Journey-Investigative-Journalist/dp/1501191241The Team Room Reading Room (Amazon Affiliate links):⬇️ https://jackmurphywrites.com/the-team-room-reading-room/Intro music by https://www.youtube.com/user/RemixSampleWant to sponsor the show?Email: ⬇️theteamhousepodcast@gmail.com#ufos #6thgenerationBecome a supporter of this podcast: https://www.spreaker.com/podcast/the-team-house--5960890/support.
Transcript
Discussion (0)
These are like saps that like 30 people in the entire world are read onto.
Yeah, all special, you know, all the work that we did were special access programs.
So not just only you're in a skiff, not just your top secret, but they are so limited.
I mean, we sometimes, like, if anybody's done the research on what an ODA is or an A team in the special forces world,
you're talking 12-some, you know, 12-person teams that subdivide into six-person teams.
I was on programs where sometimes it was six people.
Mm-hmm.
If you sleep hot at night, you know, just,
just how disruptive it can be. Whether you're having trouble falling asleep, you're waking up
sweating in the middle of the night or all the above. That's where Ghostbed can help. As the makers
of the coolest beds in the world, Ghostbed is your go-to for cooling mattresses, cooling pillows, and even
cooling bedding. From their signature ghost ice fabric to patent a technology that adjusts with your
body temperature, every ghost bed mattress is designed with cooling in mind. So whether you want a plush
your mattress that cushions your shoulders and hips or a firmer option with exceptional support,
your ghost bed will keep you cool and comfortable all night long.
When you purchase a ghost bed mattress, your comfort is guaranteed.
You can try out your mattress for a 101-night's risk-free
and make sure it's the right fit for you.
Plus, they offer free shipping and most items ship within 24 hours.
If you're not sure which ghost bed is for you, check out their mattress quiz.
You'll answer a few questions and get your personalized recommendation
or reach out for their friendly team of sleep experts for all the help you need.
Even better, Teamhouse listeners can get 50% off site wide for a limited time.
Just visit ghostbed.com slash house and use code house at checkout.
Again, that's ghostbed.com slash house with code house at checkout to save a whopping 50% off site wide.
And if you're not in the market for a mattress, check out their pillows, their bedding.
They have all kinds of great stuff there.
So thanks to Ghostbed and check them out.
Operations, covert ops, espionage, the team house, with your hosts, Jack Murphy, and David Park.
Hey, everyone, welcome to episode 329 of the Team House. I'm Jack Murphy here with David Park.
And our guest on tonight's show is Kyle Hansloven.
Kyle served in the military with the national security agency, and now he works in the cybersecurity realm with Huntress.
we're really excited to have him on the show.
As I was telling him beforehand,
you're somebody who's been on our list for like four or five years.
So we're really happy to finally have you here.
Absolutely stoked to be here.
It's one of those funny things, right,
of how long sometimes it just takes for good things to go down.
It's totally my fault, you know, just sitting on it,
not doing anything about it.
But so Kyle, let's start off at the beginning.
Tell us a little bit about how you grew up
and what took you towards,
military service initially.
Gotcha. Well, I'll try not to like cut onions or anything, but definitely grew up on the poorer
side of life, right? So think of like single mom. I never hungry poor, but like we always lived
with whoever mom was dating at the moment, you know, that type of situation. And, you know,
so I got to, though, bounce between Oregon, which was kind of great for outdoors life. And I eventually
moved to Florida. So it was good, but come 17, it was enlistment time. I kind of skipped college.
I did really well in high school, but it was a little bit of.
like a computer thug, I guess at that time.
And it was one of those things that never had a brush in with the law.
But it was pretty clear that if I stayed at home,
I was probably going to get in trouble.
So yeah, join the Air Force as well.
Is that because you had an early interest in computers from the get-go
and were doing some things that were a little shady?
I was a super nerd, right?
So it wasn't cool back then.
Like now, like my kids kind of like marvel of like,
yeah, my dad's a hacker.
That was not cool in the late 90s.
But yeah, a lot of AOL,
well, a lot of, I mean, when you're poor, like, I hacked myself to free internet, probably
most of my childhood all the way through probably like the very early 2000. So, yeah, a lot of unscrupulous,
but maybe not quite, you know, jail time worthy offenses. Yeah. So late, you said late 90s or late 90s
is around that time? Like, what was your first computer? Yeah, probably 97 all the way to probably
2003. What was your first computer? Or what was the first computer you had access to, whether it was a
public computer or whatever?
Yeah, a lot of public computer. I remember I built like a broke down Commodore once that kind of got me in, taught me a lot of the basics.
So I'm in this like weird generation for the geeks out there from like I can go as old school as like 70 style tech, very analog, no all that old school programming.
Yeah.
All the way to the most modern like technical stuff. So I'm kind of like this tweener, right?
Late millennial aged kind of just like this bourbon, right?
Yeah.
Like a fine bourbon.
Yeah. Yeah, that is, you know, that is.
because it's post like Commodore 64, the BBS, right, like that.
It's, yeah.
I had the bulletin board days, but immediately went to IRC,
and then it became AOL.
And a lot of those, like, it's just really lucky, you know.
It's because I was so poor I got to do the old stuff
because that's all I could afford.
Yeah.
And then obviously the world kind of changed when, like, dial up cable modems
and then everything became available.
So, yeah, it was a good time.
And was there, like, there was an online community, I'm sure, but did you know other people in person that were like you?
Not so much in person, right?
Everybody, like, back in those days, IRC kind of is like a modern day chat group, right?
Yeah.
Slack, a Discord server.
Yeah.
And so I spent most of my time back there, like reverse engineering software, you know, getting around like the activation codes, getting around, you know, kind of piracy type things.
Yeah.
Also, you know.
Alleged.
Alleged.
I mean, I think what's nice is when I joined the military, the polygraph, they said,
you got to answer all the questions, but only go to your 18th birthday.
And I was 17, so it made the polygraph really easy.
That's funny.
So time to enlist before you get into too much trouble.
What branch did you join MOS?
Where did you go?
Yeah.
So even though I was Navy Junior ROTC and I had a ride to Annapolis, there was no way I was going to make it.
Like I graduated really early at a high school.
And you had to be, you roughly, you know, 17 and a half or so by the time my birthday fell for me to be able to start the year.
And so I changed.
And I went, I got an uncle that was in the Marines.
And he said, look, Kyle, you're too damn soft for any other service.
You need to go to the airport.
And I did.
I scored good on the as VAB.
So I got guaranteed at the time.
I think they, it was communication systems.
Right.
COX-1 was my first AFSC in the, you know, in the Air Force.
So in the late 90s, was communication systems, was that still just, was it just radio tech?
Was it like setting up communication packages and stuff like that?
So I had both, I had both the analog side of the house.
So I actually got to do like combat com and do some more of the like proper encrypted radio, a lot of point to point systems.
But I also got to do IT.
And my first job was like regular base comm.
So think about maintaining the email servers.
I got to do a BlackBerry server.
Like, I don't even know those things, you know, I'm sure they don't exist anymore.
But it was a good time.
And like I said, my first duty station was all regular just comes.
Yeah.
No, that's fascinating because, you know, where cyber is a career field now, back then, you know, it was, like, the military needed it, but didn't really have it.
Yeah.
When you said cyber back in, like, the early 2000s, that meant like something dirty you're doing in a chat room.
It definitely didn't mean what it means now.
Yeah. I mean, for me, it still means the dirty stuff in chat rooms, but, you know, I'm just kidding.
But you, old habits die hard, right? Yeah, yeah. Yeah, yeah, yeah. Cyber the, yeah. Yeah, exactly.
So how is, how was the Air Force treating you at that point? I mean, it sounds like you're probably enjoying it.
Yeah, you could imagine, like, being 17, I did real well in, like, basics, since I had already done, like, years of ROTC or junior ROTC. And so that part was kind of a breeze. And what was really lucky is this was right at the cusp that,
you know, people were already doing offensive cyber operations.
They weren't calling it that.
It was called a lot of like, you know, info security.
There was information operations.
But really nobody knew what that meant.
And it kind of gave me the benefit of because my rank was enlisted and I had a lot of technical potential,
it kind of had a lot of parallels where nobody really held you down because of your rank.
It was your ability to execute kind of was like where they would cap you.
So for me, that first duty station was in England.
I actually did end up two tours in England.
And that was just great because it opened up my whole life
from moving from just basic security.
And that's what I started getting to work with GCHQ and NSA.
So it was like really good timing.
And, you know, for like NSA was like SIGA.
And they still are, but that was their bread.
You know, everybody who's sitting there wearing their cans.
was the NSA sort of on the cutting edge of what was going on in, you know, in this kind of
cyberspace or were they trying to catch up with kids reading 2,600 every month?
Yeah, so General Hayden at the time running, you know, as the director of NSA,
was definitely on the cutting edge of realizing that, like, these basic things that we were already,
you know, listening on just about anything, right?
Is it a cable?
Is it, you know, overhead?
anything along those lines, we really started realizing there was this whole new domain that if we
couldn't master it quick, somebody else was, especially like nation state adversaries. So early 2000s
all sudden blossomed, even though nobody knew what these names were, right? They were trying to
figure out like, how do we stand up organizations that aren't really? Because at that time, my MOS was a
three series, right? It wasn't a one. It wasn't an operator, AFSC. And it kind of mimics, you know,
MOSs and other ratings where we were looked as support.
Yeah.
And so you can imagine there was a lot of folks on the outside
that actually had substantially better skills on the inside.
However, there was pockets always from the beginning,
like Navy Postgraduate School.
They have always had amazing offensive cybersecurity talent.
And they kind of had both like that 2,600 early hacking vibe.
Yeah.
But definitely with the government, you know, espionage flare.
So it's pretty cool.
That's fascinating.
How did these commands, overall commands, because hacker at the time was a bad word, right?
And so, it's...
I would call myself a hacker, but people kind of like, shame.
There was no concept of ethical hacker.
It was just like, oh, you know, immediately it's like, you know, some skinny dude in his basement and with a hacker hoodie, right?
That's what it invokes.
It doesn't invoke military at all.
Right, right.
So like how would, you know, this is a new technology,
it's a new space that, you know, a bunch of old fuddies don't understand,
you know, we're going to drop bombs or we're going to, you know,
you know, send tanks.
And how are you guys selling this?
There is a new domain that needs to be addressed.
Yeah, you could imagine the human world has been vibrant since humans were humans, right?
Just trying to be able to gather.
And all of a sudden, this world that de-risks, wait,
you could gather intelligence from somebody completely remote.
And remember, we've always been doing, you know, whether it's radio, just good old fashioned RF.
So there was a lot of these parallel analogies that from my interpretation as a very young airman,
I don't think I appreciated how many of those parallels that some of these real early, you know, early,
sorry, late 90s, early 2000s officers that at that time, the military, right, if you think about
the Air Force, they were run by pilots.
The Navy admirals were commanding, you know, a fleet.
Right. And of course, you know, instead of regular legs or stuff like that in the Army, you actually had folks that might have been tank commanders all of a sudden now thrust into this brand new domain.
And I just totally missed how far ahead some of these people were.
But I'm willing to bet that like finances came into it, do a really expensive human operation doing all this crazy stuff or put some geeks in the basement with some shady software and get it a lot cheaper at low risk.
That had to be part of it. I don't know for certain, but it had to play it into it.
Yeah, yeah, that is interesting, Code Red, Mountain Dew and Pizza or, yeah, to get the job done.
Or, you know, tank rounds.
I definitely was that.
I was the skinny nerd that give me pizza, get back code.
Yeah, that's funny.
So it sounds like you started off your military career more unlike the IT side, but then you got exposed to some of these other career fields.
What was that sort of like as you, you know, progressed in your Air Force career?
Yeah, my first pivot was not straight into cyber writing software for espionage. It was actually a mission security. So think about gathering like signals that would, you know, leak from those big old monitors, right? That would ride over top of cables. That type of stuff was a real big threat, right? Especially when we had, for instance, like embassies in other countries. So I got exposed to that. I got to do a lot of that work and a lot of stuff that was overhead related too, right? Think of like satellite things. But it was.
wasn't really for me, the real cyber side of my career didn't really take off till probably
2008, 2009. I happened to be deployed when, you know, that's now very much publicly talked about
the Buckshot Yankee incident. And I happened to be in theater. I was attached to third
group being just support, you know, I'm the furthest thing from an operator. But it was just kind of
a wild time where all sudden these whole worlds collide of very physical everybody's in the aOR
and the area of responsibility and now all of a sudden cyber is being used to gather intelligence on
like some of our highest uh you know sensitive assets what was a wild shot yankee for for the squares
out there like myself yeah so uh if you go read wikipedia we'll use that as our official source
the inside scoop um buckshot yankee is a claimed nation state actor developed some software that rumor had it
got into not only systems in the military that were unclassified, but even to classified networks.
As somebody was there on ground and one of the only offensive cyber guys on ground, it was just
kind of a really cool moment, a luck, purely by luck, to during the first days of this to get to be
able to do the forensics. And it kind of was some of the first truly tying what other adversaries
could do to our warfighting capability and the importance of cyber. So was was this when the whole
USB controversy, like when they started taking away are USBs?
Was that that time frame?
So you're nailing it there.
You're absolutely nailing.
The USB drives themselves were definitely one of these things of like, where did they come
from?
The software, they called it Agent BTZ, is the malware name for any of the super nerds.
But it's just a piece of software that when you put a USB or put a CD in a drive,
it would auto run.
Right.
It would literally automatically start running.
And next thing you know, bad stuff.
And so that was a kind of wild time for the U.S. military.
Yeah. Yeah.
And, you know, I, you know, not to like, whoever the, you know,
nation state actor was, but when you consider like all the SSC that was going on and people
throwing, you know, taking CD-ROMs or USBs off targets and, you know, throwing them in,
like, we were exposing ourselves for that stuff all the time just from our everyday activities.
Yeah, I mean, it was, it was life, right?
There's a process, by the way, like when you go from these low systems to high, just like anything, you know, it's just like a clearing barrel.
You got to be able to, you know, clear your gun.
You got to be able to follow these processes to make sure you don't accidentally, you know, bring something nasty.
But this is the first time that, for instance, people didn't think that maybe the clearing barrel wasn't enough.
Right.
So to be able to find something that you're just doing your job and think about when you gather intelligence, like my deployments in Afghanistan, we're all, you know, a team related.
ODA work gathering human intelligence.
Human intelligence doesn't start classified.
It starts unclassified, right?
Right.
And then you bring it up to the systems appropriately.
Right.
And this threat actor just really seemed to understand how that system worked and how they could exploit it.
So I'm curious because, you know, you are, you're an offensive guy.
Not you're not an offensive guy.
I would be an offensive, but also offensive, right?
Yeah, yeah.
But you're, you know, so you're in this cyberspace before you even join the military.
You join the military.
You get into sort of the IT track.
Do you know, like, are you aware that sort of there is or isn't a cyber capability?
You know how to get there?
And how are you spending your evenings?
Are you like sweating bullets every morning when you go into work going, boy, I hope nobody heard about this.
So it was already in the IT world, like every day tech was already changed.
We were moving from these old Novel systems into early Windows NT and Windows 2000 systems.
So I was already used to that grind of like every day something was different.
But at this time, IT and cyber, what we call it now, were largely blended.
Like most folks wouldn't have called a cyber.
It was this maturing.
And if you got lucky that you were stationed at a place that only did offense, but my job at a time was just as much defense as it was often.
It was really odd.
And then, of course, we got a lot better when some of this started increasing and nation states, right, started really going after us.
We had to get much better and mature because we could see that if not, we were going to be left in the dust.
Right, right.
No, essentially, because like the military, it's running like most mom and pop businesses right now, right?
We need an IT guy to make sure our computers are secure.
Yep.
Yeah.
So at the sum of the work, I was literally the IT guy unlocking accounts and stuff in the early, like,
2003, 2005 days.
By 2007, 2008,
I was usually only doing the upper end,
but that's how quick it happened.
Only in about three years,
I would say, my whole life changed.
Were they sort of,
were they splitting that off?
Were they making the commands?
Were they making that distinction?
Did they see that security was not IT?
The career fields hadn't updated yet,
but you could get to certain places that were like,
I know it's acronym soup.
Nobody likes that military stuff,
but JTF, G&O, right?
The Joint Task Force for doing this started like huddling together,
some of these offensive-minded.
And the way I would actually describe it in a lot of ways,
it was purely, you know, for those that follow US,
it was Title 50, Intelligence and Espionage Gathering Activity.
It wasn't Title X war powers type stuff.
This is still very, very early,
let alone the modern world where it's our offense and support of defense.
So you can imagine this time frame, U.S. doctor in, all on the unclassified side of the house,
is all about just trying to figure out, like, how do I enable espionage?
So I want to take a minute today to tell you guys about the perfect gene.
I've been wearing them for a few weeks now and really enjoy them.
And I just want to share it with our audience.
You know, sometimes genes have this problem where, you know, you guys all have seen these skinny jeans
that they like crush your balls and, you know, it's just not comfortable to,
wear or the other way around jeans are like too baggy you know you have that sort of like diaper
in your ass area it looks like uh so there are these problems that you know different fits of
different types of genes have and the perfect gene strives to fix that um both the fit but also the
mobility the maneuverability uh it has a stretchy fabric like they say it's like yoga ready
um but you know i would say it's athletics ready um you know moving furniture
doing things around the house, you're not going to have that super tight, like, constricted
fit that you feel like you're not going to be able to move around in. And there are over
400,000 people out there wearing these jeans at this point. So not all of them can be wrong.
I hope you guys will go and check them out. So a few scenarios where you can wear these jeans and
where they really come together, everything from, you know, doing yard work or doing things around
your house if you have to move furniture around or you have to do handiwork they're perfectly comfortable
but you can wear them you know getting your man spread on on the subway if that's your thing
so the perfect gene is great for all kinds of different environments whether it's doing
handiwork around the house or on the job or athletics and we really hope you guys will go and
check them out for a limited time our listeners get 15% off their first order plus free shipping
at the perfect gene.
Or Google the perfect gene
and use the code House 15 for 15% off.
That's 15% off for new customers
at the perfect gene.
com with promo code House 15.
After you purchase, they'll ask you where you heard about them.
Please support our show and tell them we sent you.
So fuck your khakis and get the perfect gene.
Well, that must have anything that didn't go to Congress.
You said you did some,
deployments overseas supporting SOF, I'd be interested to hear a bit more about that and how this
IT security fields kind of interfaces with that.
Yep.
So for any of the other fans of silent professionals out there, they don't just exist in espionage
or, you know, they exist in special forces, right?
Human intelligence.
And it turned out these A teams were all about how do I gather intelligence, right?
The old school ways, local, building.
building relationships, things like that,
HA, humanitarian assistance.
But they need a geek like me to keep some of the systems up,
whether it's classified systems,
being able to be able to keep the data.
You can imagine for how do you covertly record,
how do we make sure things aren't bugged.
All of that stuff is normal parts of just any sort of espionage doctrine
all the way back to the 50s.
It's not unique.
But there is definitely shortage.
And so folks like me who are cyber warfare operators,
completely different than special forces operators,
got attached on the same teams.
And I was, like, super grateful to get that.
Did they, did you basically have to teach them how to utilize you?
I think in a way, in a lot of it, like, when I first got there,
the team was actually pretty clear, like, reminding me, hey, you know,
hey, turd, keep the systems up, make sure the morale drive is running.
Right, right.
You know, very similar, though, you could imagine, like, their career,
is often defined by their capabilities, which was identical to mine.
And so in a lot of ways, I got lucky that my team treated me pretty darn fair.
I won't say that there wasn't hazing.
Like we had an incident that involved diverting a drone one day.
And I'll be darned if they didn't.
Not only like after this incident goes down, I get in, they tell me to pack my stuff.
They have me fill out a incident report.
I'm thinking I'm going to jail.
I'm like crying, you know, filling this out.
I get to the last page and it says, remember, you're not a special forces operator.
You're an Air Force tech geek.
Sign here, puss.
So these guys let me have it, even though, you know, I got to help them with a lot of great stuff.
I was definitely, though, still support.
So that type of relationship was actually pretty cool.
And for me, who had always been very athletic, not the same style of athleticism,
it was a really, like, kind of humbling experience to get to spend a couple of appointments with these guys.
So in addition to like telling people what you can do, like did you have to tell people what you couldn't do based on like misconception?
Like like enhance a picture, enhance, enhance, enhanced.
But you have to be in frame, Kyle.
Yeah, exactly.
Yeah, so you can imagine all the TV shows and movies ruined it for, you know, folks that for instance are like, look, you know, I blow things up, I'm a demo guy.
Or, you know, I'm the combat medic.
just the same way that people don't understand
how transfusions do and don't work.
They didn't understand some of the technical stuff.
So like Wi-Fi hacking, I could do that.
That would impress them.
Other things, it's just like, yeah,
I took this, this camera was on a flip phone
or some Nokia on a Roshan network somewhere,
enhance this.
And I'm like, guys, it's not, you know, it's not minority port
where there's not enhanced, enhance, enhance.
So you can imagine there was definitely some disappointment.
I disappointed at times, guys.
Yeah.
I mean, you can do stuff
there's like literal magic to them
and then they ask you for something
to them that's basic.
Hey, enhance this picture.
It's like, there's nothing like...
Nothing to enhance.
There's nothing to enhance.
Yeah.
I literally remember some surveillance stuff that we did
that I soldered some kit
that was very simple pinhole camera
to like an existing like cable
that was hidden away, very, very far away
and they thought that was magic.
And then I'm letting them down on stuff
that they felt that was so basic.
It's just a weird dichotomy.
Yeah.
Yeah.
So did you do, I mean, were you with them?
Or did you do multiple trips with SF?
Yeah, yeah, multiple ODAs.
But they were like, they would go and do like 12, 13 month rotations.
And I'd be in and out in like five.
You know, by the time I could actually deploy,
go back home and come back and the same team could still be in place.
So it was, it's kind of sad, actually, if you think about it.
Yeah. And how do you see, like, during this time where you're doing these deployments,
how do you see technology changing and how the military is or isn't embracing technology?
So the teams were becoming more technical, like the 18 echoes, right, who had comms roles.
Our team actually also doubled as a team sniper, right?
So he was very different than he could have, like, encrypted comms.
And so you could imagine, as I could take on some of those responsibilities,
it allowed them to take their own specializations and focus on it.
So I actually think in many ways it was, you know, even like today at my current job,
the best thing I can do is focus on the skills only I can do.
And so this blending started happening in the late, like, you know, late odds.
Think of like 2008 to 2012.
All of a sudden you had these geeks that were taken away some of the, I would call it mundane monotonous
and allowing like real operators to do stuff that only they're trained on, right?
And so that was, I think, kind of a true, like, people use that word force multiplier lightly.
This was an actual case where they're like, whoa, I have somebody now that can do this, can run this, is fit enough to do this.
And then it enables, you know, an extra body because these, again, these teams are very small.
So anyways, it was a cool difference because that from my first time, like even just on small deployments, think about like TARC weight stuff.
We were modernizing IT systems, but they weren't impactful, not like this.
Right, right. Yeah, you're watching people's IP addresses, their Mac addresses, and they're going to porn sites, shutting them down.
It's really, really cool that you got to see, like, the blending of these capabilities pretty early on.
Yeah.
Yeah, and again, right place, right time. And if you fast forward, even just a couple years later, by 2011, I had left active duty and I started National Guard time.
So the typical one week in a month, two weeks a year, and that led me at Fort Meade.
And that time, no joke, within two years, you had going from these type of incidents to things that were like, you know, people publicly claimed, you know, the U.S. and Israel were related to, like, Stuxnet.
Right.
So it's such a big difference where you're going from four years earlier, scared of, like, bad USBs to now all of a sudden a world that supposedly some nation state actor made some centerfugees spin extra fast to prevent enrichment of uranium.
Like, that is a crazy difference in four years.
Yeah.
Were there things during this sort of blossoming, were there things that, like, you just wanted to jump on somebody's desk and tell the, like, tell the military you're missing this?
Like, or the government in general that you're not paying enough attention to this particular thing?
So 2012 was the first time I actually thought, because we have so many flyers running some of these, you know, what a lot of people, we call them wings, right?
Air Force nonsense.
but when you have some of these flyers making policy decisions,
I would say 60, 70, 80% of them just couldn't get the force multiplier,
but there was a rare 20, 30% that kind of at this time had laid the groundwork
to create, you could imagine, the beginnings of U.S. Cyber Command,
some of even the separation, because at this time, like, NSA is doing what they can do to help.
But NSA's mission is foreign adversaries abroad for espionage.
And so you could imagine in the U.S.
we're watching all the other nation state actors.
They're changing their techniques.
They're using schools for espionage.
They're using commercial entities.
So in many ways, like, we were both ahead and learning at the same time everybody else was.
So it was, again, I can't tell you like how lucky I am at right place, right time for all of this stuff to change.
So you joined the guard, which exposes you to me.
What's your first impression when you like?
when you're there.
So I wasn't a guard guy.
I had deployed with guard people before.
Oh, sorry about that.
Oh, no, no, you were right.
But I wasn't at this time, think about it,
I wasn't really a National Guard guy.
I was in the National Guard, but I didn't know what that meant.
I thought at this time, Guard were kind of like, you know,
hey, you'd have like 65-year-old tech sergeants, right?
E-6 is for us, right?
And I thought, oh, man, this isn't the tip of the spear.
But it turned out the National Guard and a little bit
bit of the reserves, but really on the National Guard side of the house realized there was going to be,
they're not talking about the word hemorrhage. They called it stem ridge. All the science, technology,
engineering and math folks doing cryptography, advanced, for instance, offensive cyber operations,
even defense. They were racing to go to support, you know, remember Google got mass hacked in
2009. So even the industry is now dropping major dollars. I'm talking like 400, 500,000 dollars a
year and this talent was bleeding, but it turned out the National Guard realized this was going to
happen. And our whole goal was, let me retain the best talent in the world. So even if we can't
have them full time, how do we have that reserve capacity? And it was brilliant. I didn't even know
that this was going down and it didn't become apparent to me for probably two or three years later
that some good flyers realized this was going to happen. I guess there's some parallels with flyers.
This happened, you know, at the drawdown of like Vietnam.
We didn't necessarily have for a while the flying talent to be able to do other air superiority.
And it turns out those same type of flyers realized this was going to happen in cyber.
And again, I just happened to be part of the right unit that was trying to be able to not only like retain talent,
but in case there was ever like a surge capacity, we could step up in support.
So you can imagine for me, my perception of the National Guard went from old kind of
unfit, you know, you know, airmen to all of a sudden, like, whoa, it turned out the National Guard
actually had in many cases better talent than active duty had.
Were they, were they, was there any process at that time in formalizing training and
divulging partnership with like Sands or any, you know, any of the big organizations, were they
sending you to Black Hat?
Like, how were they, you know, working on your professional skills and things like that?
Or how were they supporting that?
So you could imagine when this hemorrhaging or stemorrhaging started happening,
everybody started realizing we're going to start losing to commercial.
They weren't so worried about overseas.
They weren't worrying about national threats, although there were some of that.
You know, if you think about humant, there's always a worry somebody's going to go start,
you know, mercenary types of stuff.
Right.
That wasn't really a concern at this time.
But you could imagine they're sitting there going, if we can't retain, how do we build this cadre?
And it turns out there's.
there's a couple epicenters, right? In the DC area, you look like the National Guard had a handful
of units that were trying to retain, but they also were smart enough to realize if we don't set
up some sort of commercial training, we are not going to be able to backfill. It was a pipeline
problem. Yeah. I mean, still to this day, 25, I have to build more talent than I can hire.
Yeah. Because they're still that rare. So yeah, companies like Sands and even other like research
institutes. Think about the national labs, had to step up and help grow people.
Yeah. And then what was the relationship with the government side of this, whether it's military
or NSA or whoever, and, you know, the kids or the people who, you know, are anti the man or
whatever, but still doing this stuff, you know, and like, you know, I think DefCon is a funny
example, you know, where guys are always like trying to point, you know, pick the Fed.
and stuff like that.
Spot the bed, right?
Yeah, yeah.
So, like, what was that relationship like
and how has that developed over time?
So for a guy like me who I've been going to DefCon
since early 2000s, every year showing up
or Black Hat, I had done presentations,
there was always this irony that those, you know,
that current statement that my Gen Z kids will say,
if you know, you know.
All of us that were sometimes involved
in some of these hacking events,
by kind of like late oz, you know, 2005, 2007, 2010.
A lot of people realized spot the Fed was ironic because a lot of people organizing
had now become in support of some of the federal side.
So there was always this irony of, you know, catch the actual active agent.
And I'll be honest, a lot of people wanted to pick up FBI.
There's a very big difference between NSA, who is very much a mission that is going after
non-U.S. citizens.
Right, right.
FBI, that's looking at U.S. citizens, and I won't lie.
It wasn't even, it's not a lie to say there wasn't a schism between some folks who are like,
fuck you, stay out of my, you know, U.S. citizens.
And so even sometimes some of the, you know, I see guys, or maybe spotting the more field agent type guys of like, you know, get out of my corner.
Yeah.
I know everybody was feds.
Yeah.
Yeah.
Take your 5-11s and your polo shirt and get out here.
Yeah.
There you go.
Yeah.
But that is true.
because the IC is the IC and the FBI is the man.
Like, you know,
people don't realize that.
Yeah. But you're hitting a culture thing that there will be more books on this.
Like, I think, I can't remember that politician.
He was out of maybe Texas, but people found out he was an early hacker.
I'm spacing on his name.
And it blew some people's minds that some of these people that didn't seem like they could
be from the hacker culture were actually the same guys on bulletin boards and, you know,
you know, IRC and stuff like that,
but had now held like actual governor,
or sorry, that's not correct,
congressman positions.
So it was a weird time at the, you know,
kind of 2010 period where you're the man but not the man.
Right, right.
But we're also looking at a time from the time you started
when you were a kid,
up until this time,
you know, there wasn't hacked the box.
There wasn't, there, there,
I'm pretty sure that people who were,
good at offensive stuff, at the offense side of the house, at some time may have, you know,
pushed up against the legal system.
There is definitely gray.
And what's weird is a lot of people don't realize the polygraph is not necessarily to find
out who's breaking the laws.
It's to figure out who has integrity.
And so I remember people that I knew flat out had like done not crazy hard drugs,
but admitted they had done drugs and made it through polygraphs just fine.
Or some shady level of like now even looking back,
there's nothing that I think that as long as I was honest on my polygraph,
if it actually asked me about those questions,
I don't think anything would have precluded me from service.
They're not looking for somebody that have you broken a law
or do you, you know, dip into the gray.
They're making sure that when they ask you,
they know you're going to be honest.
And integrity is worth a hell of a lot more than occasional bad judgment.
So I think the actual U.S. government had to change their mind a little bit.
And for me, I mean, I've been tiptoe in this line my whole career.
You cannot, you know, you have to obey laws, period.
Right.
You know, the intelligence communities, you obey laws.
If you're, you know, forward-deployed, you know, soldier, airman, marine, sailor, you obey the laws.
But there's always this level of gray that I noticed that the offensive cyber world, you know, they're even to this day.
people will say, ah, I use my offense in supportive defense. And somewhere there's a little
little bit level of understanding. Just don't go too far, right? Right. But in order, like I said,
before all these, you know, cool little sites, you can go on and learn this stuff, you know,
when you're 13 or 14, and there aren't sites like Hack the Box or whatever, you know, or pen testing
or whatever. Like, how do you learn how to hack into a network?
You know, for me, it was these Capture the Flag competitions. You know, they weren't
physical capture the flag like the sports game. They were the hack into other systems. And it
turned out there was a lot of these. They were actually hacked the box in a lot of these modern
training systems started from kind of war games type events. And I don't even think people knew.
Like the year that, you know, for those that don't know what I'm talking about, these capture the flags.
Think of possibly 15 to 20, eight-person teams of stinky pasty nerds creating exploits and hacking each other to steal data.
That's they're stealing the flag.
They then submit the flag, bring it back to base, and they get a point.
That's kind of how this worked.
And these competitions were kind of the breeding grounds that at one time, I remember,
Lain, capture the flag at DefCon, where all the nerds get together in Vegas every year,
that I remember looking and going, nation state, nation state, U.S. school that probably
supports offensive cyber operations, defense contractor, we were a team that were just as guilty.
A lot of us were five eyes, right?
Yeah.
U.S. and some of our closest allies.
And it was wild.
This was almost like, you know, you can't train publicly.
So the next best thing you could do is make a game out of it.
And that's kind of what happened for, I would say, even still to this date,
there's Capture the Flag that runs every year at DefCon.
So there was Captured the Flag Events, like as young, for you as young as like 17.
I thought that was a more recent type of thing.
So back then they were called crack me's or reverse me's.
So people would make fake software to teach reverse engineering.
So they would make like a fake software that had like a fake digital rights or like key code that you had to pay for.
And so they would actually teach you.
And that's what I grew up on was learning how to reverse engineer so I could get free software back to my broke days.
Right.
But that's how it started.
People then started training by creating fake software and fake activations and giving these tutorials, too, this is what they were called, right?
And you would actually use these tutorials to reverse engineer and that turned into a whole game.
So you're right.
It didn't just go straight from the IRC channels into this full on war games.
Right.
There was these kind of minor trainings that kept getting bigger.
and bigger all the way to hundreds-person events, right?
Yeah.
So let's jump into, you know, you're in the National Guard.
And now it sounded like at a certain point you make the jump over to the three-letter side
of the house or actually have a foot in both.
Explain to us a little bit about like how that comes about and how that works.
Yeah.
So a lot of my life you can tell is still kind of recovering from, you know, it's hard growing up broke, right?
And so you turn to, you know, you make decisions based on money and what, you know, gives fun.
And I realized as a, you know, an E6, I was not going to have the stability for my family at this time.
I have two kids.
You know, I had my first one at 18 years old.
So you can imagine like a little bit of my psyche of trying to learn while grazing kids while being a kid.
And I needed that.
So I'm now six, seven, eight years into the military.
And I decide I'm going to become a contractor.
And so I'm using my skill.
full-time at NSA as a contractor for most of my time.
And that just means I can do most of the stuff
that a government civilian can do,
but there is some rules that they wouldn't let me do.
And at this time, my job turned into creating,
they called it computer network operations.
It's creating these things called implants that gather software.
If you were on the receiving end of an implant,
you'd call it malware.
So that was my job at night, or sorry, during the day,
I'm creating malware professionally to support intelligence
gathering and one week and a month, two weeks a year, I'm using those cyber capabilities to actually
gather intelligence or to support offensive cyber operations.
That's pretty interesting. So I mean, literally dual-hatted in a sense.
I remember some meetings where, again, you're limited as a contractor. You're getting paid better.
So you kind of like it. But with me having both feet in this world, there were times where I would
actually have to remove myself because it wasn't appropriate being a contractor.
And there were sometimes I'd have to literally flip my badge to have the right badge color and step in and say, I want to tell you this on behalf of me in this role.
I'm no longer a contractor, Kyle.
But this is how we're going to use this for not espionage, but attack, computer network attack.
And that was a real different role that I could actually use my National Guard time to often now benefit people who are only able to do espionage.
So if I won't bore the audience with like all the laws.
there's a big difference between Title 50 espionage and Title 10,
which allows you to truly do attack, denied, degrade.
Yeah, destroy.
They didn't use the face.
It was destroy, disrupt.
But that type of actual effects.
And I will tell you, being able to have both badges, it was a, again, I used this
word earlier, force multiplier, seeking these opportunities to use my experience.
And again, right place, right time, super thing.
Well, you spoke a little bit earlier about like these blended teams and blending these capabilities.
And I mean, you continue doing that.
I mean, do you think that is that something that this line of work is sort of institutionalized or is it still sort of like a stovepipe there?
I think it's getting better.
This is the stuff that like if you hear people in the like deployments in the AOR saying we're going to use total forces.
That means usually they're secure in the sky right with air power.
They're maybe jamming the signals with electronic warfare.
They've got human intelligence on the ground.
They've got infantry pushing up, you know, doing the hard work.
And then all the support that goes into it, when you use total force, we've known that using all domain warfare is very powerful if you can coordinate it.
At this time, people are trying to figure out not only how to, you know, add cyber to that story.
They're trying to figure out, oh my gosh, even within cyber, there's all these different domains, right?
It's an inch deep and a mile wide of skill sets.
So I'll tell you by this time probably 2013, 2015,
they're just starting to figure out what are all the blended skill sets.
And they're learning this by accident, right?
The civilian world, by the way, starts calling this purple teaming.
What they mean is blue teaming was always defense.
Red teaming was always aggression, assessing.
And they start realizing you can use your red team offense to improve your blue team defense.
And vice versa, you can use your offense.
to deliver effects so you never have to defend.
So this world all of a sudden is completely learning.
The whole thing is changing.
And it's kind of like what we're seeing right now in Ukraine,
where warfare is completely changed to drones,
autonomous systems.
This same effect was going down.
Just out of curiosity, if you can answer in a roundabout way, even,
how many different tools do you think you used on a daily basis
when you went into work?
I don't want to be cliche,
but it was definitely maybe sometime in a day,
it might be a half dozen to a dozen,
but in a month it could be 100.
It was really the old school,
you know, folks that were lucky enough like me
to grow up and learn, remember those early computer programming
languages like assembly and then blend them
with modern programming languages like, you know,
Python and then stuff in between like C and C++.
There wasn't many of us who could do this.
So you could imagine this was a time where they were really trying to do everything they could,
whether it was retaining people on the active duty side or national guard side,
because once you lose this to the tech world, getting them back into these spaces was pretty hard.
So I'm not going to sugarcoat it.
It was a cluster for a really long time.
And it's definitely maturing now.
It's maturing to the level that some of these teams not only understand what manpower needs to look like,
they can forecast it, they can grow it, and they know.
But again, this is still mid 2015, 2013, and this stuff isn't figured out yet.
Can you tell us a little bit?
And I don't want to get into anything too sensitive.
So I'll say, like, if we think of, you know, you mentioned espionage and attack.
And if we think of espionage as intelligence collection, right, that we're collecting information.
And, you know, in a lot of times there's probably, I imagine the attack.
and espionage often share similar entry points right yeah so there's a fancy word unclassified word
but it's talking about the preparation of an environment right think about the difference between
when you deliver an effect let's make up one in this room maybe the light that's above my hair right
giving me this fancy hair light the difference of me being able to turn that on and off is often like
flipping a switch right however this is the time that all sudden we start realizing our legal frameworks
following laws, period. I know there's a lot of disinformation. There's a lot of BS, especially post-Snowden,
but the most law-abiding organizations I've ever worked at, military NSA, plenty of examples of where
it didn't happen. But it's kind of crazy. And where I'm going with this is you started learning.
Our laws might not have let us prepare to get in just in case you have to flip that switch.
So I'm telling you, when you start getting into this time period, 2015, 2017, we're realizing
things have to change quick because our adversaries are not hung up on laws.
Right.
And if you think about people that aren't nation state, let's start talking about the emergence
of cybercrime, they give no shits about what the laws are.
They are just moving faster than anybody to innovate.
So we actually got caught up in a world in the U.S. for a little while that the real heroes
were actually the policy wonks.
The lawyers, the legal folks actually realizing that if we're going to obey the life,
laws, we need to make sure the laws not only protect U.S. citizens' rights, we have to be able to
handle all the murky situations. What if a U.S. citizen goes abroad and you accidentally do something
and collect? How do you like all this stuff? Because no offense. Like my mom is my best, you know,
supporter. She's also the first tinfoil hatter who's like, are you listening to my calls? And I'm like,
no cares what you're talking about in your calls. But that crap can happen by accident.
So you could imagine lawyers had to allow us to get in place,
Gather intelligence so you don't have this 9-11 event where you had the info but couldn't action it.
And so this time period again, we as the U.S. are still trying to make sure we follow laws,
but we can't get cut flat-footed, right?
We are a nation-state power that stays in power by projecting power.
Right.
And if we hamstring ourselves by being perfect, you can sometimes let perfect be the enemy of good.
And good enough sometimes gets, you know, get shit done.
There was that example just a couple of years ago.
If you remember Tucker Carlson making a big stink about how somebody illegally weak to him
that he had been caught up in an intercept, it turns out, yes, he was contacting the Russian
government and talking to them.
So if you do that, no shit, you're going to get, your comms are going to get intercepted.
And what's wild.
And this is some of the stuff that I think many government agencies realized that we were
caught flat-footed during the Snowden era because there was a lot of things that
people just zip their lips, right?
No such agency type world where we weren't going to talk about this stuff.
Right.
And what it did is when you have the absence of a narrative, people will be more than happy to fill it in for you.
And so this is the stuff that, to be honest, the armed services, I would generally say gets it done.
Right.
We don't over classify.
We have a mission.
And that's because I think we realize and we cherish loss of life.
But when you work in this world where it's all secrets and it takes.
it away from loss of life, you sometimes let some of this perfection get in the way.
And I'll tell you, like, nobody wants to collect.
But I'll be darned, you'll find cases of people abusing.
Just like think about any employee.
You probably hired somebody that seemed legit when you hired them.
They turn out to be a turd.
This stuff happens.
Hey, guys, it's your pal Jack.
I just want to take a moment to tell you about the sponsor for this show, which is
Stopbox.
Stopbox makes this very cool boxed.
to secure your items in, your valuables or weapons,
could be a firearm, knife, things that you want to keep away from kids.
It opens up like so.
And the way it locks is very interesting.
And you can change the combination, by the way.
So you have these actuators on the side.
And in this case, for demonstration purposes,
the code is to hold down the index finger and pointer finger
and then come over and there's a thumb.
Hit that and it opens up.
So that's the code.
And this thing is proudly made in the US of A.
So they keep the quality very high.
It's also TSA compliant so you can throw this in a bag and travel with it.
And Stopbox also offers a range of other innovative products,
including their vehicle safe, chamber lock,
and other essential gear designed to keep you prepared and protected wherever you are.
For a limited time only, our listeners are getting a crazy deal.
Not only do you get 10% off your entire order when you use the code house at stopboxUSA.com,
but they are also giving you a buy one, get one free for their stopbox pro.
That's 10% off and a free stopbox pro when you use the code house at stopbox.com.
Discover a better way to balance security and readiness with stopbox.
I think you touched on something that's like really interesting, I think,
especially around like the Snowden period.
because there really was not a public interface between NSA and the public.
I'm sure they had a public affairs office, no offense.
But it was the House of Glass, right?
I mean, you know, see no evil.
So when that scandal broke, it was a little bit different, I think, than the military,
because people can see their soldiers, they can hear their soldiers,
they can get to know them a little bit, and it kind of takes away the mystery of it.
Whereas with the NSA, if it's a black box, we can project all sorts of nefarious things upon what you're actually doing.
Yeah, no offense.
When somebody doesn't tell me how something works, I have survived by being very pessimistic, right?
Right.
As humans evolved, right, bad stuff outside of the cave.
And if you make something seem shady in the dark, I'm not going to assume positivity happens in the dark, right?
That's literally how we evolved as a species.
So I can't wait.
If you do the math, right, you've got some of the Snowden era type stuff, 2010 to 2015.
Usually U.S. has a lot of like declassification things that happen in 25 years for some of this.
I cannot wait to fast forward to, you know, our equivalent of 2040 when some of these stories start to become declassified,
maybe governments and officials declassify these things early and tell the real story of how some of this stuff happened.
Because I will say, remember that word stemmridge?
I used, if we thought it was bad in this kind of 2010, when you don't give somebody a voice
and you don't defend somebody who's working hard every day, I'll just go take Google's $500,000
a year, thanks. Because my civilian pay at $96,000 a year ain't cutting it, right?
Right. Yeah, and you know, both the CIA and the NSA have this problem of not, you know,
they'll never talk about their victories. They'll never talk about their victories. They'll never
talk about the victories, they'll never, you know, air out like things that they've accomplished.
But when they, when somebody does go rogue or somebody does something bad or an op fails,
you hear about that. So it's easy to see these shady evil organizations that are secretly,
you know, pulling strings all over the world. Yeah. And I'll tell you, it's what's weird is you
work at a spy agency for about 13 years. And now I appreciate my privacy and transparency more than I've
ever appreciated.
Yeah.
But there's also this like, again, this level of like,
the black and white is always easy.
It's the gray where things get dicey.
Right.
It's that I think about like AI and autonomous cars these days.
Do I go and, you know, make the decision right.
Do I take a right and run over three or four people or do I take a left and run over
one person?
How do you make that decision and value life?
And it could be, you know, one child or three 90 year old people.
all this logic.
And the reason I'm given this example is national security is not one in the black and white.
It's one on interpreting the gray and trying your best during a crappy situation to make the best decision
and not regret it for the rest of your short life.
Right.
So back to the notion of like lifting the veil or clearing the fog a little bit.
I'd love to ask you since you were there for a hot minute.
I think a lot of people, including myself, don't really understand.
And like, what is the culture of the NSA?
What is it like to actually work there?
Who are your colleagues, the type of people that you're working around?
So, I mean, this is the fun stuff about these big agencies, right?
And we haven't even talked.
People forget that the U.S. has like, I don't know, what is it?
16, 18 different intelligence agencies, right?
Yeah.
Even Treasury has, like, some type of work.
But the part of I'm getting at is that the big ones, you get the whole spectrum, right?
You get some people that are top-level operators.
And you get some people at NSA who are janitors, right?
They'll go out and tout and, you know, stolen valor and everything else about how cool they were at NSA.
But it's like, you weren't in the thick of it.
And so you can imagine you get all shapes, just like in life, just like any type of, you know, career.
But the one thing that seemed to drive everybody together was understanding that like,
if you mess up the things that we appreciate, right, true freedom, true just being good to people.
Screw politics and how you lean.
Like, I don't care which way you lean.
people love the smell of a neighbor's good smelling barbecue.
We also hate paying taxes.
I hate getting a red light ticket.
We all share way more that unites us than divides us.
And I would actually describe that was the era that I got to grow up in the intelligence
community.
It didn't matter whether it was political.
It was just, oh my gosh, democracy is fragile.
People forget the U.S.
It's only a couple hundred years old.
Like we are a footnote.
Like I remember the first place that I lived in England in the duty station.
the house that I lived in was 100 years older than the U.S.
That's a perplexing thing.
And I think people forget, like,
if you don't just unite behind the like, you know,
I'm not talking about DEI stuff,
but like belonging, just carrying around a mission
that this thing that we love, which is freedom could go away,
like it'll disappear.
And so I liked it.
I really felt good.
And all the different things that outside of work divided people at work,
it was just like mission, mission, mission, get shit done.
I've heard, well, first off, I've heard stories about D&D games down in the cafeteria.
Ooh, so you've done some digging here.
And then the question is what cafeteria, right?
I don't know.
Ops 2 has a different cafeteria than R&E.
So this is for anybody who's been in the buildings knows that there's a different level of geek, right?
Are you the neckbeard geek?
Right.
Does math?
Or are you more of like the modern cyber?
Like there's different levels of, you know, geek versus nerd.
So, but you are right.
It's a pretty broad spectrum from your type A personalities.
I used to be a lot quieter.
It turns out you can't be a very good CEO if you can't storytell.
I had to learn that skill.
And so what I'm talking about is all walks of life, all race, all nationality,
spicy to very timid.
And it turns out some of the people that you expect, like some of the biggest badasses I
ever worked with, I can think of, I only had probably two or three women co-women
workers, but I think they had like something to prove like they really had their whole career
to prove. So some of the most competent people I work with were actually like hardcore math and
computer science women. And that was sometimes intimidating. You don't have that in the physical like,
you know, if you think of like operator life, you guys are going to be able to drag somebody heavier
most of the time, 90% of the time just because of like physicality. It's a little intimidating
when you have someone five foot two, crush your soul.
Right.
Because they're just that much better because this is about mental mind power and not the
physicality that like testosterone and stuff separates.
So I'll tell you, it was a cool place to even be humbled real freaking quick because
I have a cool resume.
I will tell you I still only fit in probably the top 80%.
There's about another 20% who could wreck me.
They probably can't communicate the same way I can.
Right.
But from skill to skill, they'll wreck me.
Right. And, you know, and that's, I think that is one of the interesting things about, you know, like, in Ranger Battalion, they should say there are smart rangers and there are strong rangers, right? So, you know, this idea. And it's interesting that in, in this cyber world, and this, you know, that, like you say, there's this percent that they, they, they, their ability to interact with other humans.
It's limited. Like, it's best if they have, like, a translator a lot of times, probably.
Right? Somebody who gets what they're saying and, you know, gets this.
Being a true nerd, we used to call it a middleware.
That's a middle layer that like, okay, people that need to understand what they're talking
and a translation layer between, you know, geek to chic, right?
You sometimes need that.
But, you know, the idea that there is this place in our government security structure
for these very brilliant people who, again, may not, you know, be great at dealing
with people, but they're really good at their job. And they care, which is funny. Like, it's so weird when
you hear about, like, I'm not a big polarizing fan of anything. And the reason for it is there's
always something bigger. There's a bigger mission. Right. I think that's a dope place, though,
when you're like, whoa, this person that I probably on the outside would never go, like, drink beers
with or whatever is literally in the same trenches with me, fighting the same war. It's a, again,
coming from military that had deployment skills coming into the intelligence community where it comes in all shapes and forms.
It was like both, I said earlier, humbling, but also kind of like it definitely helped me be a better dad to understand like kids come in all shapes and forms as well.
And it made me maybe a little bit more appreciative of like, you better watch out because somebody for instance that might not, you know, be able to take me in a game of beer pong or be able to run sprints with me might.
just run me under the ground because their brain is like a 10-pound brain.
Yeah, yeah.
They'll turn your lights off at night.
I've met a few of those 500-pound brains.
And, yeah, it's interesting you put it like that because I thank God that there are these people out
there who are so much smarter than I am, but they're also super patriotic.
Like they're on our side.
I'm like, thank God for that.
Yeah.
What is, you know, could you mention this idea of this evolution?
into this attack mentality.
And I'm sure that there are people who were like,
well, if we have the espionage,
if we have the placement,
why are we going to attack
and let them know we have the placement?
But then there are other people who probably like,
hey, like,
yeah, and espionage, there's that whole thing of like,
then they'll know that we know that they know that we know.
Right.
Like, what are the pros and cons of attack?
Yeah, David,
one of the best cases I remember
and this was, again, humbling, and it was more human, actually, than cyber,
but it's the same mentality.
I remember us having Intel that was IED-related, you know, roadside bomb type scenario,
and exposing the roadside bomb that could save, not necessarily U.S.,
but maybe, like, it could be second, third-party ally, definitely civilians.
And if you gave that up, could prevent us from, you know, at the time it was always been Lodden-related.
that math is like,
it's like, I don't know, like today I don't have,
I've been really lucky not have any form of PTSD,
but the closest thing that I had was that type of scenario
where you're literally measuring tradeoffs in
whose life is more valuable.
And I'll tell you, it also like,
when you create attack tools that you were talking about,
this new world,
I remember the first person,
the first time somebody said,
okay, I appreciate you doing your work with the espionage.
You don't have to create an uninstallel.
And I thought, I have to uninstall my malware, right?
And they said, no, don't worry.
It's going to be kinetically uninstalled.
That's a moment that humbled the shit out of me.
Yeah.
Because you're starting to realize that, oh, because of me doing my job, just like anywhere else,
bombs on bad guys get dropped.
It's kind of similar to like, you know, the folks in Las Vegas that are flying drones,
right?
That still get PTSD, even though they're thousands of miles away from any sort of battlefield in combat.
And I didn't have anything like that, but I remember those moments that I thought, oh, I didn't gather the intelligence and people blew up that day.
Like, that's also like a really, that's the analyst PTSD that those folks get.
Right.
Why didn't I see that?
Well, and it's like, it's like when you have, you know, when you have a low level, you know, you have this, you've identified this low level AQ guy.
And you're like, all right, if we roll him up, we lose access to anything he has.
but if we leave him out there, he might kill innocent people.
And it's that dilemma.
And I don't think, I mean, I really don't think enough actually gets talked about that.
Because I think in the movies, right, you watch any born identity type, you just think that it's go, go, go.
But like, people don't realize there's a lot of, like, calculated risk.
And even worse than the calculated risk, sometimes you just have to make a decision very quick.
And hope that when you're not in the black or in the white, those are easy decisions.
You later have to hope you got it right.
in this like semi dark shade of gray.
I just, again, I think that some of the better side of stories that will come out,
like, you know, growing up, I idolized the black cock down stories and the things that
were very physical.
I was a big fan of like platoon, right?
The, you know, the military stories that were all, you know, all testosterone.
And I think the stories that probably need to come out, especially as we're starting to
realize like mental health directly has a relation to like people's,
peak performance.
Right.
I don't think people normalize these things well enough.
I don't think that we normalize, like, how much goes down.
Like you called it, the analyst trauma, right?
But even just things in business, right?
People forget there's like real good humans behind these things.
Then go home and have to like smile to their family because it's no such agency.
And like, how was work?
Oh, it's good.
Yeah, yeah.
Yeah.
Speaking of that, you know, I know you'd mentioned to us before the show, I think,
that you put some things through public review and,
and so on to make sure they're good to go.
Are there any like worse stories from NSA that you're allowed to tell?
I will tell you some of the best NSA stories that, you know,
the thing about NSA, right, is there's a lot that can make it through pre-publication.
It's usually how was it collected, who was it collected by,
and what the overall measurable effect.
And it turns out some of the moments, like I'll tell you, like NSA stories,
we were so compartmented.
People don't realize how compartmented truly.
tailored operations are. I would, like my co-founders, all three of us worked at NSA together.
I remember we were all on different access programs. None of us knew what we did.
And I remember a moment, I still to this day don't know if it's classified, unclassified,
just completely happenstance. But all three of my co-founders and I are sitting at a bar,
we're BSing, and we look, and it has like a country that has a nationwide internet outage.
And all three of us look at each other, trying to see if anybody will give a time.
That's hilarious.
Nobody breaks anything.
And to this day, I still don't know.
Did, like, some cable come and plugged?
Did they have a power outage?
Or was this an accidental, like, intelligence gathering operation that took down, like,
a core router?
I still don't know these days.
Yeah.
So I think those are the best stories of, like, not what you did, but people don't realize
to truly protect secrets.
You need to keep small amounts of people knowing them.
And the downfall of that is I, my best friends in life, I still don't.
know to this day, they could have been directly responsible or just as clueless as I.
And I think those are probably the best stories that maybe when 40, 50 years gets done and
people start declassifying, we'll go back and read these things.
But I think that's actually the camaraderie that I love is the sometimes not knowing.
These are like saps that like 30 people in the entire world are read onto.
All special, you know, all the work that we did were special access programs.
So not just only you're in a skiff, not just your top secret, but they are.
so limited. I mean, we sometimes, like, if anybody's done the research on what an ODA is or an
a team in the special forces world, you're talking 12-some, you know, 12-person teams that subdivide
into six-person teams. I was on programs where sometimes it was six people. That's intense when you,
like, you know, I even think to this day of like, how do these stories, will they ever get told?
Like, what if people pass? Right. I'm not saying all stories need to be told, but I think nowadays
there's a lot of maybe even over classification that I learned a lot from what we used to do with like espionage in Vietnam.
And even during like Desert Storm Desert Shield.
And I don't know if those stories will be told fast forward in 25 years because sometimes they're so limited and so targeted,
the people just might not be around to tell them.
Do you think that leads to another type of stress?
We talked about it a little bit.
but I've kind of noticed on the military side of things,
when you have these saps, like you mentioned,
only six people on the program,
there's only six people in the entire world
that can do that very important job.
One of them gets sick.
One of them goes to, you know, his wife is having a baby.
Then you're even more shorthanded.
I mean, does that lead to a different type of, like, stress,
like, in burnout, really, is what I'm getting at?
Yeah, I think these type of things, like,
you're just asking people to do unnatural things.
right if you you know think about a sports team right any we just have the super bowl in the u.s not long
ago right for NFL football American football uh there's always two or three strings of you know
quarterbacks receivers when you don't have that not only do you have to have like that depth
to be able to still get the mission done it's just asking a lot i actually think some of my most unhealthy
work life balance was during these times where i just now look at it you know my company's now
500 people. I pride not having tiny, you know, people who can't do it. I call it the bus factor,
right? How many people at my company can get hit and the mission still gets going, you know,
run over by the bus? And I actually think in some of these places that we were so small,
we didn't even know we were creating stress because we were having to do the jobs of not just one,
but like, oh, if this falls, I better be able to do at least 60, 80 percent of that. So the mission
still gets done. So I don't think I've ever heard anybody publicly talk about that, but I bet that
happens. I know I felt it. Over-extended is what I felt.
You know, the other thing, in addition to that, because you've talked about post-traumatic stress
and you've talked about the camaraderie, but in addition to that is that, you know,
our friends, the commodity, we build those ties that bind us, when you walk out of that,
when you get red off, you lose something with those friends. Like, you can still hang out,
you can still barbecue, but you, you know, you.
You know, you're not going to talk, there are limits now.
There's a barrier.
And when you leave, especially when you leave a service,
whether it's the military, the intelligence, community, whatever,
and you're out in this world where there's not that purpose
and the post-traumatic stress or the operator syndrome and all this stuff,
and now you're also isolated.
And you can't even really be that close to people who are your best friends.
I used to be close to them, but those walls go up.
Once you leave, you're gone.
So my co-founder, Chris, right, he was Navy.
Don't judge him.
We now have these moments that we talk about this.
We're like, why did we end up creating Huntress?
And now that we're 10 years in, you know, hindsight's always 20-20, the amount of places that
we were like, look, we created a place that gave us the same mission and the same
fulfillment that we had.
And so people now ask, like, the finance people are like, oh, you got a big company,
you've done these things, but they don't realize the most of the motivations.
There was some very altruistic reasons.
but there were some also very selfish reasons that I just had to get back into the mission.
Right.
It's almost like, I bet there's some sort of like dopamine hit that comes that you're addicted to.
And I remember even going, like there's a couple of these like local like bars and watering holes,
not far from NSA that you go and you'd catch up with your friends and you're all read out now.
And there's a little bit of a look.
You know, nobody's going to disclose classified, but you're kind of, you look at each other and you're like,
okay, I can vibe you because we can, you know, we're speaking at a level that's, you know,
non-verbal, right? Non-physical. But you know, you kind of just, you got that gut feeling. You're like,
okay, I can stay connected. When I jumped into the civilian world, I felt probably as isolated and
purposeless as I did. And so, and what's, I'm lucky, like I've always had some sort of sexy flair.
I got early cyber, special forces. I don't know how the people, like a lot of the operators will call,
you know, the regular army folks, legs, right? But those folks there are the folks that didn't
get that sex appeal. They didn't get the intel. They didn't get it. I actually think about them a lot of
what happens when you didn't have that extra high that made all this worth it and you just were serving
a mission as best as you could and now you definitely don't have it because you don't like for me,
when I have my high highs and then low lows, I can always go back and think, ah, that roller coaster
ride was great, right? But what if everything was just mediocre and then you leave the service and now
you're low. You don't have these moments to reflect on. So I don't know. I think we're at a really
interesting place where both armed services, whether it's cyber, whether it's signals intelligence,
whether it's human intelligence and just good old-fashioned kicking doors in. I bet there's a lot
on the psychological side we're going to learn now that we're becoming very aware that these
things have real effects 20, 30 years later. Yeah, I think you're right. I mean, we're already
learning just on like the soft, like we're learning so much about like blast injuries, you know,
all the door breaches.
And, you know, and, you know, post-traumatic stress, like, you know, I mean, I'm 55,
so, like, I remember made-for-TV movies in the 70s about a Vietnam veteran having
post-traumatic stress and losing his, like having flashbacks in the office.
And people, there are still civilians out there who think that's what it is.
And that, you know, they don't understand it comes in all shapes and sizes from all different
types of things.
One of the things, the reason why I was asking you about how many tools you accessed on a daily basis,
I have an acquaintance working on a PhD dissertation about what that does to a person psychologically.
Really?
He was pointing out that if you're a soldier, let's say you're an infantryman, you learn how to shoot an M4, M240 Bravo machine gun, M249 saw through weapon systems.
Maybe if you're a sniper, you have a few more.
weapons systems, maybe you have to learn six, something like that.
But people who are in the cyber warfare field, you're having to learn hundreds of different
tools and move between those systems, those weapon systems, if you will, on a day-to-day basis.
And what does that do to particularly a young person, to their mind?
I, you know, obviously, you know, it's not ever worth joking about any folks that are on any
sort of a spectrum because, like, that stuff's real.
some of us get hit, you know, in the chest, some of us get nicked with the tism, you know.
Yeah.
I think about like, I think part of the reason we bonded so well from cyber to some of the operators
is very specifically, we all had to learn different weapons systems.
Like I remember my first deployment to Afghanistan.
None of us are shaving everything else.
Everybody's using Makarovs, AK-47s, and PKKs.
You don't learn that in basic training.
Right.
You don't learn any of that type of stuff.
And so, like, that.
flexibility and I think they called it fluidity at the time.
Like being able to go fluid between different weapon systems and different arms learning the basics
only gets ratcheted up to a level.
Like I remember the guys looking and they're like,
how do you keep track of what to do?
And I'm like, I don't even know.
Yeah.
I bet there is some real like ramifications.
Like if somebody asked me quantify the number of tools you've used like, so I joined in 2003.
So what would I be at?
I guess I would be at 22 years of like some of this professional experience.
Yeah.
I don't even know. It would be thousands. It doesn't even make sense. But I bet there's somewhere
that like if you're not on some sort of like okay with the spectrum, and I guess we're all
becoming like with scrolling a little short-minded and used to consuming a little bit more.
But somewhere in there it wears on you. So I would be stoked. If you actually have those resources,
I would love to see someone writing the dissertation on this. Yeah, I can introduce you to that,
dude. And maybe he can get it to you when he finishes it.
So you mentioned jumping into the private sector before we jump into that.
Any final thoughts on NSA that you want to talk about before we discuss your transition into the private sector?
I'm, you know, if I was to end it on there, obviously I'm long removed.
I don't carry a badge there anymore.
But if I was to, you know, end it with, you know, sanding on a soapbox, it's we owe a lot to folks just like in the armed services.
that are okay with being silent professionals.
Don't forget, you know, the typical hero doesn't always look like Jason Bourne.
It doesn't look like some folks like the three of us that can articulate.
It's kind of really interesting of like at the future of true peak performance,
brain power these days can actually be the equivalent of top level athlete who can bench the most weight.
So I just would challenge folks to consider that.
And even though I don't fit that personality, for instance, I think I, you know, next
time you sit back and think about where you want to go, maybe you don't fit in the military,
don't forget the opportunities you have to support, you know, national security in different
ways, even if you don't fit the mold. At least for me, I really enjoyed every bit of it working
for all the different types because I'm not a bodybuilder. I'm also not, you know, quiet.
And it was cool working with both sides of it. That's awesome. So what made you decide to transition
from, you know, your leave behind your National Guard and your NSA careers, essentially,
into the private sector.
I think you said what, you had 16 years in uniform.
Yeah, so start thinking about that.
I'm only four years away.
I think I might have had one bad year in the Guard because I was a scrub.
But either way, four or five years, very close to like a 20-year retirement of some sorts.
Gosh, you're asking me the spicy question, brother.
I was pretty, pretty upset by not having reference.
representation in that Snowden world. I was definitely part of those that felt like I had given it all. I had my kids, the amount of birthdays I had missed, the amount of things I had given. I finally had a moment where I said, okay, I've given all that I can. I need to use my skills to give back to a new mission. And I think I would have stayed longer if I would have had better support. Because at that time, I had the money. Contractor pays no joke. You can make some pretty decent money as a contractor.
Sometimes, you know, $200,000, $250,000, stuff that you usually can only get on combat pay.
That's good pay as a geek, right?
Maybe not quite the same pay as like a big, you know, Fortune 100 bank.
But that's pretty great government services, you know, pay or government services light.
But I didn't.
I didn't have that support.
I didn't feel like the mission resonated.
And to be very frank, I was looking at these operations that I was supporting.
And people forget, when you're in the military and you're doing intelligence gathering,
you might be on the same computer with not only other nation states,
you might be on the same computer as a cyber criminal.
And so as I pour me a little bit of drink here in preparation,
I guess, of this segment, as I knew that there was kind of a wave,
a tsunami about to come where these people were going to go from just spy versus spy.
it dawned on me that we were about to see the first billion dollar cybercrime groups.
And in 2015, I realized if I don't help get ahead of this, we're going to see some of our most
critical infrastructure.
Like, don't think about just water and hospitals and, you know, electricity.
Think of like the backbone of world economies.
Your Fortune 500, yeah, that's dope, right?
They're the biggest 500 companies of the world.
but the U.S. has 33 million businesses,
and the vast majority of those are 2,500 employee companies
all the way to the smallest.
And I realized that nobody was going to be able to protect them
when cybercrime said, let's not go whale hunting.
Right.
Let's go hunting for like squirrels, rabbits, and mice.
Right, right.
And so you can imagine I'm a little bit bothered by the NSA system.
I'm getting crusty.
I'm missing my kids, right?
I'm realizing I'm missing life.
And I decided, okay, I'm going to punch.
even at 16 years, even being this close, I had a bigger calling and it was going to be protecting
not just the 1% of businesses, but the 99% that fall below the enterprise.
So you can imagine.
Before we jump into that, I do want to ask you to unpack a little bit the Snowden issue.
Yeah.
And share the, and, you know, your claim, your issue, it sounds like, was that there's no pushback against it.
And so I would love to ask you, you know, to give the insider point of view.
You talked a little bit about the importance of following laws and everything.
But like what would be as a intelligence professional, what would your pushback be against the Snowden narrative of mass ubiquitous surveillance against the American public?
And the like the argument that he was just a whistleblower.
Sure.
Yep.
Yep.
So we'll break those in two different parts, right?
The first one is people fuck up.
Let's call a spade a spade.
Anybody can do it.
I am not a fan of having my personal data leaked by any or snooped on by anyone.
Just the same way at DefCon when I would happily call Spot the Fed against an FBI agent.
Yeah.
Same guy.
Yeah.
So people don't realize sometimes these government agencies collab.
And when you get it wrong from everything that I've come to read in the public news,
it sounds like some pretty jacked up stuff that should.
have been fixed. It wasn't, by the way, NSA's first mistake. If you go back to like the Pike Church
Committee type stuff, this is not the first time a government agency has done dumb stuff.
Right. But accidents happen, right? And to be able to call like, you know, anybody, you know,
paint with a broad brush stroke, I was really surprised to hear some of the people that they
don't realize. The average Joe does not realize how much terrorism, how much abuse of money,
and how much kind of like world projection
all of our agencies do
to like keep the daily freedoms we have.
And then to get roasted in the news
by and again,
I'll tow the line on this really closely.
Edward Snowden was an IT administrator.
Edward Snowden did the good thing
that any person, for instance, could do,
which is if you find something that is truly illegal,
you should file an IG complaint
and get that shit to a,
attention and if somebody ignores you, you should do the most safe version of whistleblowing.
Right. Go to Congress. When 2040 drops, we will see a narrative that is very different. And I'll leave
it at that. And it's one of those that it doesn't match any narrative of a Roger Stone film or
if I got that wrong, right, some of the movies that were on this. He's an administrator that if you,
you know, when the actual cards spill and the proof comes out,
you'll see it's not a hero,
a hero in the sense that he challenged good things.
I'm not going to take that away,
but there's more to any story.
And I can't wait for that one to become public.
And that's as somebody who like, maybe from me to you,
I left my whole career behind because I was so bothered by the bigger story not coming out.
So I'm hoping.
And remember,
any president can declassified this type of stuff.
I hope we see some of these come public,
but I don't know.
Some of these stories don't become public.
And so on my end, it was enough that it bothered me
that me and enough people to come up with an acronym
called Stemorrhage left.
Yeah. Yeah.
And, you know, I have no personal inside knowledge of that.
But my, like, the way I see it,
like we can say whistleblower,
I, you know, the guy had, I think the guy got, I don't think he knew what he had.
He got lucky that there happened to be something that was, you know, sort of like implicating of the U.S.
government, but he was really just being mad sick.
You don't accidentally fly to China and then accidentally end in Russia.
Right.
Exactly.
Exactly.
Exactly.
Yeah.
Yeah.
And I think the other thing to point out is that he didn't just take, take,
documents or blow the whistle on documents about like prism.
That was the big, the metadata issue.
He took everything.
From what I understand, he took everything.
Yeah. Yeah. Yeah. Yeah. Anyway.
I so you're, we're right there.
We're on that knee respecting like my career and respecting not wanting to end up in
handcuffs. But, you know, when something's a problem, you raise the problem and
cause the minimal damage as possible.
Yeah.
If, for instance, you are created maximum damage as a plan.
plan to keep you out of jail. If what you were doing was ethical from the get-go, don't get me
wrong, there are plenty of cases where good whistleblowers have been hung to dry. I know this is the gray.
This isn't black. This isn't white. It's the gray. But when the details come out, I hope that these
things are settled. Call a spade a spade. Call it for all the good. And what I believe will be interpreted
is all the bad. We'll finally come to roost. And we'll see like, okay, there's, you know,
life is complex. And I guess, you know, the biggest thing that I appreciate, it seems like
that moment actually caused a lot of the intelligence communities to realize if they don't have a say
in the narrative, the narrative will be formed around them and that has consequences. Right, right.
Not everything's bad is what I'm saying. And the problem with that is, is that one, it hurts
recruitment to the public sentiment, which, you know, may or may not matter, but the public sentiment,
you know, about, you know, these nefarious organizations that are listening to our every phone call,
like how many people have to work at the NSA to listen to my every phone call I make, right?
Or, you know, the CIA also, you know, they're just all over the world, you know, creating coups
and stuff like that.
And it's, it, when these agencies won't stand up for themselves, it hurts them.
you know, it hurts their recruiting. It hurts their efforts.
Yeah. Yeah. So again, I'm, I am one of those type of people that, like, I don't believe you
should sit on a fence. You should have an opinion. But I also acknowledge, like, it's not always
left or right or, you know, that side or this side. Right, right. Some stuff is the devil in the
details. And you can kind of only help, you know, and hope that at the end, you chose the best thing.
So if you can tell enough for me to upend forgo retirement and say, I appreciate my service,
I need to use my skills for some other reason.
And thankfully, like, the service army to be able to do some pretty cool stuff.
So I can't be completely salty about Edward Snowden, but I am ready for the reckoning.
Yeah, yeah.
So talk to us about making the jump to the private sector and how that worked out for you.
Can I tell the embarrassing side instead of that?
Those are the best parts.
Absolutely, because all of us have that story about leaving governmental service and going into the private sector and slamming face first into the ground at least once.
So all the stuff that made me successful, right, promotions early, you know, awards, things along those lines.
When you decide to create a business, you have to go into sales.
And it turns out, I did not have to do much sales in the military.
you guys would be so, like, disappointed if you, like, if it ever leaked, like, some of my first cold calls and stuff like this, I sounded like a dumbass military guy.
I was at least had honest. Like, I think guys, the pitch usually went something like, hi, my name's Kyle, and I'm a former service member, and I'm exploring creating a startup.
Do you have a couple of minutes to, like, help me? Like, I need help. Like, I was always really honest.
And I found that if I was more honest, that people wouldn't hang up on me as much. And usually,
I'd find somebody that was either prior service or respect the service. It would give me a little
bit of time. But guys, you wouldn't believe. Like when I started, I started thinking like I was going to
be selling to like one or two person companies. Think about how many one or two, like these little
tiny micro businesses that are still important. But I didn't know how to make money. I knew like how to
personally make money and pay bills. But I didn't know how to do this at scale. And so I am so stinking
and lucky that like the state of virginia did this program they call it an accelerator it's pretty
much like an MBA in 16 weeks that teaches you how to build a startup guys if i didn't have that
program one i wouldn't be celebrating a whatever it is now two billion dollar business but i sure is
heck i wouldn't have like i would still be living in maryland in my three-bedroom townhouse
thinking about how i could use my military my military skills it was that bad yeah i'm cool now i can do
these things now. I can pitch confident and I can get over like the imposter syndrome. But 2014,
2015, 2015, 2016, these were like my puberty years that I'm just glad that there wasn't more
camera phones at that time. It was that embarrassing. You know, and I think that's very common for,
you know, people who are good at something and all business is sales, right? So it's like,
or like, I can make these. The acumen is a great there. Or I can make. Or I can make. Or I can make.
this table but be like table doesn't sell itself and I don't know how to run the business.
What, um, in addition to sort of that type of thing though, how was it difficult for you to
articulate to a two-person business who what they know about the internet is, you know,
plug it, you know, having the cable guy come out, plug it in and, you know, turning it on and
And you're trying to explain to them how their business is potentially at risk of getting ransomware or whatever.
And I'm speaking hypergeat.
I mean, to be honest, I think all careers have this.
I bet if a firefighter, right, I'm trying to choose something that's not, that's technical but not too technical.
Imagine a firefighter having to talk about all the physics things that you can smother a fire by spraying, for instance, and causing different vacuum.
Like, no one is going to understand that unless they've seen a video.
That was me in the cyber world talking to people that were just like,
Kyle, I know you have the skills, but if you can't learn to talk to me and story tell to me on my level,
I'm never going to appreciate what you're doing.
And thankfully, like, the one gift I got was I got a lot of radical candor,
meaning people who I also got like what some people call ruinous empathy,
meaning they cared so much about me, but weren't willing to challenge me.
They would just not tell me that I suck.
Thankfully, it was actually a lot of either people that were fan of the military or support of the military or prior service that would just tell me a spade as is a spade and be like, Kyle, you suck.
I don't know what you're saying.
Can you talk to me like, tell me like I'm five, what you're doing?
And enough stumbling, by the way, like I would rather not fail.
It's just faster.
But it turns out if you're going to fail, do it really quick and how people give you.
And so, again, I just was blessed with failure.
And I had the time to, by the way, like this was real early.
So I got those out of the way.
So when it came time for me really needing to know this, all that military skills of
being used to like in this fast failing environment, just like a hacker trying to break in,
9009 times I fail.
I don't care.
It works on the thousand.
That mentality helped me, actually.
My hacking skills literally helped me be a better entrepreneur.
That's phenomenal.
You know, Udo Loop, you know, yeah.
Yep.
Yeah, it's funny you, so one of our sponsors, I'm going to say it, because I like the company, I like their product, but Manscape used to sponsor us.
And it's a great company, and even though don't sponsor us anymore, I'd recommend everybody to get one.
But they'd send this copy, and we see this a lot in copy, right?
that the copy
it mentioned like how many
RPMs this motor runs at the little basket
motor and I'm reading this like nobody
nobody cares about that actually that scares me when I
if I'm shaving my junk right right
I don't want to know how many RPMs
I want to know that the guard isn't going to
right that's what I want to know right
you know and and it's like
but it's that type of thing that somebody
some engineer who is very proud of getting that
you know the RPM off it's like
You've got to add this.
And nobody said, we don't need to add that.
I mean, that's unlocking my fear.
I will tell you, I would, there was this analogy, my first sale, very first sales guy told me,
he called it painting seagulls.
It was this idea, like, imagine you've got a beautiful family on a beach and they asked you
to do a portrait.
So, David, you're just painting this portrait.
And you're like, man, the sky is missing something.
I'm going to add some seagulls.
That moment right there, you are inserting.
risk, you don't know. Maybe that wife is terrified of Seagulls.
Right.
Attack her when she was six. The amount of like sales objections I would immediately add by thinking
I was being so transparent. Right. And I wanted to have integrity. I was terrible. I could
never even get like in the Oudaloupe to the point that I was deciding and acting because when I was
trying to observe and orient and educate like I never even got to this point. And so I ended up having to
learn from my lessons, really the hard way of how many.
I just often would add so much information that I had sold myself out of the deal that if I would have just shut up.
Right, right.
Don't tell me about the RPMs next to something that I care about.
I just want to get the job done.
Right.
So, you know, you're dealing with, you're dealing with like the business side of this, with, you know, civilians who have a risk.
Was there any side of the NSA or the military that ever?
looked at you and said, what exactly are you doing with this business? And can you assure us that it
in no way relates to anything that you were doing with us? So I had a little bit during the
National Guard side where they, look, we definitely had to de-conflict to make sure. Like,
there's always this problem of like, what if we as a company find U.S. tradecraft? Right. Right.
Would you burn U.S. tradecraft? And I am an elitist, very hyper-competitive bastard. So my rule
a thumb is, I don't care who you are. If you're weak enough for me to catch you,
hack harder. And that gets around that, but I will tell you, for a little while, there was
actually some of that conflict. Like, I left the service, I think, in 2018, but I found it Huntress
in 2015, and I had to navigate that for about three years. Yeah. Ken, you know, you told us a story
about, you know, falling flat on your face and trying to pitch these little businesses and not working
out so great. But could you tell us about like the success story, a little bit of the aha moment,
closing your first big deal and, you know, how that came about, lessons learned from that?
Yep. I'm going to give the pitch that I used to raise $150 million and then translate how
that pitch happened. And I'll do it very succinct. So what I learned from my time at NSA,
we were a team that believed in using very small compartmented teams, an insane amount of automation
to deliver value.
The value at that time at NSA was largely finding intelligence against our foreign
adversaries or saving life in the counterterrorism mission.
At Huntress, I went and took that same very small compartmented teams.
I used so much automation to be able to bring this product to people that don't have
the budgets.
And the thing we obsess about at Huntress is a very small but measurable, valuable thing
that prevents people from getting wrecked by hackers.
that pitch took me like nine years to get right i'm 10 years into it that's how new this pitch is
right what it turned out that i ended up learning is i had to get so simple i had to be able to speak
in analogies i had to learn that people like to hear the story but they don't sometimes need to hear
the seagull in the depths and i iterated on that pitch so freaking long i think it literally took me
four years before I had a version of our pitch that actually like resonated to the point that
people were giving me cash. So you can imagine just like the cybersecurity mission I mentioned earlier,
it's not like the movies. It's usually like months and weeks of like gruesome, you know,
hard work to get two minutes of like success and then you're back at it. That prepared me for all the
failures that I'll tell you like grit matters. Also what's that country music selling? You get a no
when to hold them, no one to fold them. The gambler by Kenny Rogers. There you go. I was probably
foolish enough that at times I probably should have folded them, but that grit actually allowed me to
see it through. So I can't tell you there's any one path for anybody. But for me, I was so obsessed by
just delivering a small little bit of value. And we used to do this by the way in the intelligence
world. You don't got to get bin Laden. Right. Get this, you know, small person in a Q, right? You know,
some sort of al-Qaeda type personnel that allows you to go to the next level,
that allows you to go to the next level, that then allows you to find family,
that allows you to be able to do the DNA swab, that allows you to be able to get into the phone,
that allows you to find the court courier, that allows you to be able to have a team
that drops bombs on bad guys or breaks doors, kicks him down, and eliminates terrorists.
Those were all very small iterative moments, but they all built on each other.
Right.
I don't think people appreciate how much you can do that involves small iterative success,
instead of if we would have just went 10 years to hatch the master plan,
bin Laden would still be elected.
Right.
I don't think people are okay with that idea.
And the one thing I would share with the audience,
it turns out, like, it's better to not fail.
But if you're going to fail, fail in a way nobody else has done before and do it quick.
Yeah.
And here's kind of a question for you.
Obviously, in coding, or like not coding, but,
like in hacking or whatever,
you probably know when you fail,
like when you don't get entry.
But like in business with these ideas,
how do you know when you failed
and how do you know when to keep on like pushing?
I'm giggling because when you pitch somebody in real life,
especially like me who's used to this little like,
even cyber was fairly hyper-masculine.
People only code.
It's a lot of dudes, military, a lot of dudes.
I remember the first time pitching a woman CEO,
and she was like, Kyle, I have no idea what you're talking.
I could see it across her face before she was even kind enough to tell me.
Like, if you don't have that social awareness,
and I'll say other parts of it, when I started, like,
if I missed that social cue, to be honest,
if I was like some of my other NSA compatriots,
and I didn't have that, like, it's not just about IQ.
Sometimes the intelligence, right,
only goes so far in the emotional quotient,
EQ picks up.
If you can't read a room, I dare you to start a company and then look back in two years and
find success.
It's just not going to happen.
But I was kind of blessed enough with that middle of skills that even when I didn't have it,
like my co-founder John, he is the quietest guy in the room and will wreck you.
But he couldn't do what I do.
And my co-founder, Chris, there's three of us.
He is when some people talk about what one engineer can do.
Chris is like a Hulk.
He can do what 100 engineers can do.
We offset our balances,
but you remember that whole conversation
we brought up earlier
about like team dynamic
and sometimes having the right team
and we have to be able to cover each other's gaps
but also complement each other's gaps.
These skills turn out like you can change worlds.
You can build billion-dollar companies
on the same tactics that six-person military units
or six-person intelligence units can do.
So I just, if you can't tell, like, my military time was pivotal to teen me up to make a big difference.
You know, it's interesting, too, because you have a team, you built a business with a team.
And I think a lot of veterans go out there to build business by themselves and are very dissatisfied, even if they're successful, because we're used to working in those team environments.
And when we're out there on our own, it's like, I mean, I'd rather, like, who's my team?
You know, my employees, are they my team?
Like, I think that that must have been, in my mind, I think that that must have been very gratifying for the three of you.
I mean, think about the use of the word team, team room, right?
My team, my teammates.
I actually think a lot of this starts with good old-fashioned psychology.
I don't think we realize, like, I know there's all these corny, you know, there's no I in team.
Corny or not, I actually think some of these things that if you get them right from the beginning,
they just get your head right.
They help you think about that like,
there's like that old African proverb.
I think it goes something like,
if you want to go fast, go alone,
if you want to go far, go together.
There's nothing wrong with going alone.
There's nothing wrong with starting a very small business
and a lifestyle business that can still make big differences.
Right.
But if you want to move mountains,
you want to go far,
you are not going to get there.
You could be the greatest cyber warfare operator
or greatest, you know, grunt or greatest
pilot or whatever you do, you're going to be able to move what 1X does. And I will tell you,
like, I now have the point where I think I'm in U.S., Canada, UK, Australia, New Zealand, right,
some Ireland in there too. I've got 500 plus teammates. And we move not just paddling in the
same direction, but we're in the same boat, in the same direction, at the same cadence. And that
allows us to go both fast and far. So I think the word team and team, and team.
team room actually has a lot more to do with success of just getting that right in the
beginning. And if you get it wrong, I just would challenge like how far can you go solo.
So let's, I want to ask you about Huntress, uh, real quick because, you know, my vast time,
the whole eight months that I was in cyber, like Huntress is a name. Like it is, it is a name
that is known in the community. Um, you know, people outside of the community, um, you know, people outside of
community may not have heard of it, you know, may or may not. But it's, like, it's known.
What are you? What is Huntress? What was your original mission? Has that morphed?
Yeah, I'll start with the embarrassing. Why are you guys so badass is what I want to know.
Why are you guys so badass? Yeah. Yeah, we started with a mission that we were like, all we want to do is
fuck up hackers. That's not a good mission statement, by the way. Don't start a company on that mission
statement. But it was a good North Star.
told us like what we were there it ended up becoming a mission statement that was we had to figure
out who we were doing it for and how we were doing it right that's the why start with why moved to
how and who and then finish with what so at huntress our whole mission is to elevate
mid-sized businesses small businesses and these folks that don't have a budget we do that
by leading with education and community.
And we end up delivering this one hacker at a time.
That's a double entendre talking about taking down one hacker at a time.
But we also do that growing one ethical hacker at a time.
Notice nothing in there talks about making money.
Nothing in there talks about making cybersecurity tools.
We just happen to build cybersecurity products.
Our whole mission is to elevate people that are underrepresented in business
because cyber criminals love direct small businesses that are underrefertilies
that are underrepresented, they stored them for $20,000, $50,000.
And that's usually enough that you can't run payroll for six weeks.
Right, right. How many Americans can go six weeks without payroll?
Not very many. It's really, really low, unfortunately.
And the part that I'm talking about is when you get your mission right and you start with the real why,
everything else falls in place. That one hacker at a time, it turns out we realize that if we
lead with education, growing other hackers to be able to join our mission,
and doing it with a community not by ourselves,
we could go far.
And so, like, what I do is I sell security products,
products that allows my shady team of hackers
that if anybody tries to get in,
whether it's your computer,
your digital identity,
like your Google or Microsoft account,
maybe it's trying to get into your data.
We're not only going to prevent them from getting in,
but when they do get in, we wreck them, right?
That's the whole idea.
And it's not perfect.
Just like health, you can get sick.
But notice what I'm talking about
is it started with a mission,
everything else, the stuff that we do afterwards, building it, how we do it, that's the minutia.
And I think that's what I like most about hanging with you guys, is you guys expose stories for
the mission first.
And it turns out everything else can fall in place.
And you can learn it, you know, after 10 years.
I can sound crisp because I iterated with small successes and I can eventually take down
much bigger targets.
So you can't tell I owe a lot to what I learned during my time in the service.
Yeah.
It's amazing.
You know, so
the cyber community is,
it's very interesting because you have the government.
You have the government that is working on,
you know, these, you know, national,
or nation,
actors or, you know,
nation threats. Yeah, nation state adversaries, stuff like that.
Yeah, advanced persistent threats.
Yeah, yeah.
And then, you know, you,
then you have a bunch of security companies.
And then you have, like you say,
These companies that can't, they're not going to have a couple of, you know,
cybersecurity guys.
They're not going to have a simple, you know, they're not, they don't have these things.
And a lot of the tools out there are out of reach for them, but they are also the ones
who get hit often.
And, you know, and so they get ransomware, then they have to hire a DFR team.
And the DFIR team, well, they hire lawyers and the lawyers get the DIA.
Because the lawyers are basically.
like, this is your exposure.
Like, this is the risk that these people might sue you, you know, the people, your clients
or whoever.
Yeah, you're in business to make money.
Right.
You've got to limit your liability.
Yeah.
Yeah.
And, you know, and then with the forensics teams, these are civilian companies that are being
paid by the, you know, to find what, to find really one thing.
And that is, what is the company's exposure, right?
And maybe do some ransomware negotiations.
but they're not paid the hourly to go in and find out the code or the who the actor was.
And so a lot of these DFIR teams are actually on the cutting edge of like seeing a lot of these threat actors for the very first time.
But they're not sending that off anymore because they're not getting paid the hourly to do it.
So you have this really like disconnected community.
in a way of where national because the national security it all plays like a lot of these threat actors
are part or at least not necessarily sponsored by but maybe like giving permission by nation state
actors loosely supported loosely connected when it's favorable you know hey i don't want to do something
as a nation why don't i allow this slightly shady proxy that i give permission to do it on my behalf
because my hands are clean.
You're nailing it.
But if one of these DFR companies
comes across or is in chat
with a brand new threat actor
that nobody has seen before,
they're not reporting that to anybody
because they're being billed hourly.
Or they bill hourly
and they're just going to give these attorneys
and these companies what they ask for.
And so it's sort of like,
how does the government
incentivize these smaller companies
to
to pump this information up,
and then should the government
or state governments pay companies like yours
to cover everybody
in order to, you know, basically
as part of the infrastructure of our country?
We all have bias, and I'm going to show my cards first.
I'm a big fan, for instance, of there is great places
where the federal government should enter
sometimes local government that's closest to you should be able to help.
I will also share that I'm a firm believer.
We all have an obligation to take care of each other.
It's just kind of what's got us to be humans in 2025.
I'm giving that up front because I want to like caveat that there is some places,
for instance, the government's job is to facilitate and allow companies to be able to go
to toe to toe with cybercrime.
to go toe to toe with terrorism,
but we don't need companies, for instance, being vigilantes.
Imagine if we just allowed, like,
the local person to provide security at the, I don't know, bank.
You don't want that.
You need some level of professionalism,
some level, heck, the person who cuts my hair
has to go through a certificate.
I want the person guarding the bank to go through some bar.
I don't want a vigilante.
But where I'm going with this is their job is to be able to enable this.
Just like the story I told earlier,
that when the early days of cyber,
kind of as it started mature into 2010 to 2015,
the real heroes were the lawyers
who allowed us to do more of this preparation of the environment,
right, to be able to do the effects
that could actually stop terrorism or stop nation states.
I actually think the role that we have right now in 2025 in the government,
and this is global, I'm not making it about the U.S.
Some of it is about facilitating companies
that are of the right qualification and the right standard,
why are we not doing more to take defense and not lead by defending waiting for them to break down our door?
Right.
But if there are qualified people, and I'm not saying spin up vigilantes, there's going to be people who interpret this wrong.
But private jurors maybe. Qualified letters of Mark, cyber letters of Mark.
I mean, I'll tell you, Huntress itself, $2 billion company at the risk of, you know, liability.
When we find, for instance, a threat actor who is just,
for instance, a lot of times people come to us after they're already hacked, not before.
We try to prevent it.
When somebody comes to me that they're hacked and I find that this cyber criminal has stolen
their data, these, I'll call them what they are, bastards, accidentally leave their credentials
exposed.
Just like how we get credentialed, I would be a liar to say it is not, you know, I could count
on more than one hand the times that, for instance, we said, oh, they left their credentials
exposed. We took a look at the risk. We realized it was some shady hosted server and insert shady
country here that you have quite a good idea that it's malicious. We have been more than happy to
rendition that data back for somebody. We have been more than happy to dump their logs and more
than happy that when we find a mistake that they make, they use software vulnerabilities to get
into people's systems. We have actually found vulnerabilities in the same systems that they use to steal
and encrypt and hold data for ransom,
that we exploit their system
and make their software no longer work.
That is not always in an area that's clearly defined.
I'm not talking about hacking them back.
I'm talking about using our offensive skills sometimes
to be able to make their software not work.
And the thing that I would go back to
without ever getting political,
sometimes you can make a big difference
by just carrying a big stick, right?
And if you have a defensive company
that's led with a very offensive mindset,
that also believes in following rule of law,
who is happy to explore not just the black and the white, but the gray.
I think it's government's job to facilitate that.
And when lines are crossed, let's hold people accountable.
We can't do illegal things.
We all have to be accountable for our actions.
But I do think that version is a lot easier version that we can let capitalism do its thing.
Let's let businesses protect against hackers.
But let's not like think about health care.
If my only job was, I wait till you get stage four cancer, tell you, like, let you know you're going to die.
That's too late.
Well, I got to be doing everything I can to find it as early as possible.
And if I can, if I can possibly stop cancer from happening, no one would say don't do that.
So why are we not making similar analogies about stopping threat actors and treating them like what they are?
They're criminals.
And they should be stopped.
And that sometimes should be law enforcement closely partnered with.
commercial businesses. Well, I was going to say, like, we've all deployed to the, you know,
the GWAT in some way. And it's sort of like it, the U.S.'s cyber policy seems to me to be like,
we're getting attacked. So let's keep building our base defenses. Yeah.
Let's just keep on. Let's add more sandbags. Let's add more Hesco's. Let's, uh, let's get to some
I was saying, Jack, are we ticking you off yet with all this nerd stuff here in hackers kind of going
unwrecked? Only mildly. But we're going to jump to some user questions because I know some of our
viewers had some stuff for you as well that we want to make sure we get to. Let's do it.
All righty. From the count of Kohiba, did you see any differences in people who had shady
backgrounds growing up for straight-laced kids? Yeah, I actually would say my general rule of thumb
is bad decision makers, stay bad decision makers.
However, if you can't understand the nuance between what is a, think about fruit, I'll
choose strawberries because why not I like them.
Sometimes fruit molds because it's next to bad fruit.
Sometimes fruit molds because it is truly the one that starts the molding.
I would say generally speaking, I've seen rare cases where people who make extremely bad
decisions change making bad decisions.
not saying people can't change. However, I think sometimes separating what's molding because they're
surrounded by essentially a bad environment is very different than, for instance, a bad egg.
So what I'm saying is I've seen plenty of people. I mean, look at my, I started this whole thing
admitting. I've been some things that when I was poor that are pretty crappy. I kind of wish I could
undo them. They were circumstantial and I've given back a lot more than I've ever taken.
And so I don't think this is a case that you can just say, if you've messed up, there's no
forgiveness like that doesn't mimic life so I appreciate that question because no I don't think just
because you made a mistake you're wrong but I think there are degrees and it's the spectrum and if you
cross a line you're probably going to keep crossing a line not because it's wrong or right but you
probably have something wrong with judgment do you think that motivation because I feel like in in you know
the cyber world that there is a lot of this there's a lot of crossover with the soft mentality right like
when we take an MMPI, like we have certain traits that we share with criminals.
And, you know, but I think that, that it's, you know, we have sort of the same adrenaline,
sort of same compartmentalization, the same desire for challenge, but we don't have, we,
we don't have the selfishness or the desire, you know, the desire to profit.
And so I think maybe on cyber, there's a difference between, you know,
that 13, 14, 17 year old kid who wants to hack into a system to see if he can get into the system
and the kid who wants to hack in the system to see what he can take.
Yeah. You mentioned the selfishness, right?
One of the core values in the Air Force was service before self.
Why are you doing it? Are you doing it because it's experimenting? And I've had, I've been
selfish before, right? It's a, you know, but when I look back in hindsight,
a lot of it was an ends to a means that was in a way that was in a way that was
inconsequential. Did anybody get upset back in the day that I was using their unlimited
minutes AOL account? They probably never even noticed yet they were giving me a chance to learn.
That is so gray, but that's very different than I tried to get their credit card number.
And then I used their credit card and racked up all kinds of gift cards with it.
That's a very different version. And so the gentleman or, you know, a lady or person that asked
that question, like that's a really astute question.
to be very frank, it's all a spectrum.
And I think the answer is somewhere there in probably the middle to dark gray.
I think that's still okay.
Yeah.
We got another question.
V, due to places like China having an internet as opposed to an internet,
could regular Americans actually do any kind of hacking in places like China?
So the thing everybody forgets, right, think about a castle wall.
and even if you have the world's greatest, you know, moat and you have all the walls in the world,
some people have to bring food in and out of that castle.
So China does with the great firewall, for those that don't know,
it's an actual logical layer that prevents certain traffic that only operates in China
and certain traffic that, for instance, allows outgoing.
So it's not as easy as just walk into a place with no castle wall,
but they're not on their own.
And as a result, sometimes you have to be.
be able to find just like the think about the old stories about the trojan horse right sometimes
you got to be able to get things in and you know if they were truly like a hermit kingdom that
nothing could come in or out uh they wouldn't be the nation state that they are so where i'm sharing
with this is i think that there is some value in having castle walls but let's not BS ourselves
no castle wall is permanent because unless you're self-s sustaining from the inside stuff's coming from
the outside in.
And as long as that's coming from the outside end, someone like me is trying to exploit it.
Yeah.
Do you think that there's ever any future in which, like, a standard defense is just basically
to, like, learn how to, like, create a poison pill for people's, like, data that, you know what
I mean?
So I've gone back and forth between should we have data that just, you know, deletes itself
or, you know, kind of like Mission Impossible, this message will self-destruct.
Right.
I've also balanced with the such opposite side of the spectrum.
of do we care way too much about what data gets leaked?
Like, no offense, at this time,
I think I've had like 96 times my social security number.
I probably have like nine overlapping credit card
for policies right now.
Right.
I get by every day.
I'm a super nerd.
I've got Alexis in my house.
I could probably talk to my phone right now and ask it to do its thing.
There is some level that I think we kind of got to dial it back and say,
like look at, do you remember that movie Catch Me If I Can?
That's that guy, Frank Abbock.
nailed it forced the checks.
It's 2025.
Check fraud still happens.
We never solved that problem.
Why do we think we're going to solve the cybercrime problem?
So I think some of it, we just got to tone it down and realize you get hacked in 2025.
What's important is can you find it before it becomes like deathly, right, before they drain your account?
And when they drain your account, is there some sort of way that we can, you know, ease the burden?
because that's pretty extreme to have like no money to pay for bills, you know.
So my point behind a lot of that statement is I think that there is a level of I wish
sometimes data would self-delete.
We'd be a little bit smarter, you know, minimize it.
But I think we should also not a but, but an and we should also just chill out a little bit
and be okay with certain things is going to leak in 2025.
So when I say poison pill, I don't just mean the data is self-deleting, but, but basically
installing Malwell or, you know, basically destroying whatever that data goes to.
Ooh, see, that's a good one.
I don't, you know what's unfortunate?
I don't think that we're quite at the level that people are playing that four-dimensional
chess yet.
Should we have things like, we're getting better, like, even though I'm not a huge
crypto fan, we're getting wallets that are like better, resilient.
They try to prevent people's data from getting stolen and they have some of these built-in
protection mechanisms.
I, I'm never a naysayer.
think glass half full unless it's bourbon.
Right.
But I actually think we're still playing in many ways checkers, not even chess, let alone
four-dimensional chess.
So I think what you're getting to, we'll get there.
Yeah.
We're just not there yet.
Like we still can't keep people from stealing my darn SF86 data alone.
We've talked about that before.
Yeah, our OPM file.
Yeah.
So, yeah, I wish.
That's my long way of saying, I hope we get there.
Yeah.
All right, M. Corbyn, how do you feel about the fact that Chinese cybersecurity organizations or cyber organizations openly acknowledge and publicize their partnerships?
Does it result in better collective action?
So I think that some of the things that's needed, and by the way, remember when I started this story, I said all the people that were in decision makers were former tank drivers, pilots, subdrivers, ship, you know, admirals.
turns out in 2025, some of the people in office now are people who started their careers in
offensive cyber. So what I'm saying by this is if we go back to the root question, we've actually
got some really well-informed people that are helping make better decisions that allow us to
kind of be more public. And with more public, like I can tell you publicly, Hunterist collaborates
with all kinds of law enforcement, less about government, but all kinds of world.
law enforcement, sometimes in countries you wouldn't expect.
Like, you know, people forget that sometimes on what you read in the news, you read like,
oh, we're going to trade political prisoners.
Behind the scenes, sometimes cyber criminals are traded.
These nation state governments, for instance, that protect some of these, sometimes use these players
as chips.
And believe it or not, law enforcement is some of the people that we've actually had the best
success of collaborating.
We've worked on raids that have brought back millions of dollars.
of stolen money from cybercrime takedowns.
So that's my very long way of saying we could do better.
And I will wholeheartedly argue some countries are challenging us of how well they do open
collaboration.
But don't underestimate how much dope stuff goes down in the shadows.
Like we're not playing from a position of weakness.
We use this term in the intelligence community that we call everybody else not peers.
We call them near peers.
It's not by accident.
It's not by hubris.
We do a lot of stuff really well.
Don't underestimate what the U.S. can do.
I have a question.
Out of all the state actors, who's the best at hacking?
That's such a good.
And best is such a loaded.
Do you know who I like and who I,
I'm not going to use the word admire because that'll be like,
that'll be on like, I go, I file for IPO and that'll be used against me.
North Korea knows.
what they are and they know what they aren't. And what they are generally is very dependent on China
for certain things. And they are also pretty darn broke. And this is a country that is more than happy
to use their very, very stringent economic sanctions that are against them. They have no problem
going after your crypto wallet, going after Swift. That's the payment systems behind credit cards.
and they have made millions, maybe even there's some estimates that go into the big B word,
that is not playing around.
Can you imagine, like, as a business, and if you think about what some of these nation states are,
their biggest businesses in their country are actually their hackers bringing in revenue.
That's wild.
That's pretty crazy.
And we don't do that in the U.S.
We don't do economic, you know, espionage this way.
Some people will split hairs.
I'll tell you, 99 times out of 100 unless there's some weird accident,
We don't do that.
The way we play with economic espionage is through things like immigration.
We'll just steal your best and brightest and make them U.S. citizens.
Not going to open that can because that's a whole different other thing.
But we play at a different level of 4D chess.
And I admire North Korea knowing how bad they are at some things
and being able to make a whole lot of money with a handful of people.
They're not us.
They can't keep up with us.
But that's pretty dope.
Before, well, not before, but during.
I mean, they were also involved in the whole super notes thing.
Oh, yeah.
Oh, yeah.
I mean, they're like, like, you know, a counterfeiting physical U.S. dollars.
So this is just a criminal regime.
Like you said, they know who they are and what they do.
Yeah.
So, I mean, is there not something to admire where they're like,
yo, it's getting harder to recreate and forge and create counterfeit dollars.
So let's just not counterfeit as hard.
And let's go after this new emerging digital.
Let's go after people behind crypto.
let's go after some of these core systems.
Like, they know how to get paid.
And I know it's so easy to, like, throw a Kim Jong-un meme out there.
But, like, they're scrappy.
They're hustling.
They remind me of a startup.
They got startup energy.
Well, you know what's wild is, you know, the same scams that worked in the 1800s,
like the snake oil says, like the Nigerian prince, like this,
with these crypto drops, you know, like, they're, you know, like, they're,
using the
somebody wants something
confidence man confidence yeah exactly
somebody wants something that's too good to be true
and they believe that they just might be the person to get it
and they give people access to everything you know it's it's wild
and people forget when they're succeeding they don't have to succeed big
it doesn't have to be billions when you have such an disproportionate
exchange rate a $50,000 ransom could be significantly bigger for folks in
economic sanctioned world.
So I just sometimes think that we,
just like how we're really bad as humans,
like comparing how many like stars in the sky
or grains of sand on Earth,
there's a different law, right?
A different set of physics in North Korea
or these other, you know, world regimes,
even Iran, who's like much smaller,
they are winning.
Right.
Just at their scale.
And I don't think we necessarily, like,
we talk trash against them.
But you got to watch out
because startups sometimes disrupt big environments.
And I'm not saying North Korea is going to become a nation state,
but a nation state, for instance,
that we have to worry about like a China, Russia type scenario,
but don't sleep on their ability to deliver bigger bang for the buck.
That's what I'm saying.
And the simple fact is a lot of these countries
will play by rules that we won't even consider.
Like, look at human espionage.
There are countries that will still honeypot,
and the United States will not honeypot.
I mean, look at the Khashoggi, you know, the situation, right?
The reporter.
When's the last time the U.S. was accused of hacking somebody apart in an embassy?
Like, we play on slightly different rules, both in the physical and digital world.
Right.
And I think that's something like to be.
Microwaving intelligence officers abroad.
Exactly.
We don't do those kinds of things.
You know, and there is a level of like, I will say there's a weird thing about espionage
that it's a very gentleman's, gentle person's game.
But we got to understand that we have to play smarter and harder
because some people just won't play by our rules.
And that's not an excuse to play by the rules.
Like you don't want to fall into that, right?
You got to protect some level of humanism.
Like even adversaries, they wake up and they probably have back pain
the same way that my aging, you know, aging, you know,
ass is starting to feel back pain.
Like something generally connects us.
They're still humans.
So I think it's important that we can't.
We can't lose that, right? At the same time, let's not let them take our kindness for a weakness.
Let me ask you a quick question, because I feel kind of strongly about cyber crime. And I feel as though our government gets wrong that it's not breaking into the bodega and stealing their cash.
It is that I'm all for presidential findings. I am all for the cyber terrorism. If you shut down a hospital that,
now you become a Title 50, Title 10 target that you're not,
it's not a law, you know, an FBI case anymore.
It's not law enforcement.
I would like to see consequences.
I would like to see these things elevated
in our sort of warfare or in a new domain,
a new warfare domain.
Yeah, so David, I think there's nuance in what you just said,
but I will tell you, so what, we've been hanging out BS in
for what, two hours or so?
I will tell you like, we protect,
150,000 businesses worldwide.
Even with all of our skills, all of our prevention, et cetera,
I'm sure there's probably a half to a couple dozen
that have been wrecked in the last two hours,
even the ones we protect.
It's like saying there's perfect prevention against cancer.
It's not real.
Sometimes it's about just finding it early.
And the point that I'm getting across,
the whole idea is finding it before it kills you.
If you look at things that way at that scale,
that even just during this two hours that we're hanging,
You know, just there's companies that are not going to be able to deliver food tomorrow.
There's going to be companies that can't run payroll.
There's going to be companies that can't schedule logistics meetings.
And there's going to be people that's causing stress on real people.
I don't think we equate cybercrime with real crime.
And I think in some ways, we even victim shame.
Oh, you got hacked.
Right.
You don't blame somebody for getting robbed at, you know, knife point in New York City.
Right.
You just flat out say that's crap.
Get out, go after the criminal.
and I think some ways that we need more support to like, let's treat hackers, and I don't mean all hackers, not ethical.
Right.
The people who are threat actors, cyber criminals, let's treat them like they are criminals.
And it should come with some real consequences.
And let's be willing to handle the gray areas.
Maybe there's some places that we have to interpret.
Maybe there's some people that aren't quite the same level, right?
Just like how we're having the conversations on like recreational drugs and stuff.
let's be smart humans and understand there's gray.
Yeah.
But I'm telling you, when it's very clear that you're out to ruin people's lives,
why are we not considering more, and I'm not going to all the way to the extreme of use of force?
I will.
There is some level of disproportionate force that I think, imagine if, for instance, somebody drone
striked a group that was doing scam calls.
That's the most extreme example I can come up with here at night.
And what I'm going with is it probably doesn't take too many of these things to have real repercussions.
And I would not advocate for like loss of life.
But maybe when it hits a certain level that you're willing to attack a hospital,
let's call it what it is.
It's no longer cybercrime.
It's much closer to terrorism, if not split out terrorism.
And I just don't think there's a whole lot of this willingness to have this hard conversation yet.
Yeah.
For me, it's like even talking about scam calls.
I mean, do we measure how many Americans kill themselves because they've lost everything through a scam call or through ransomware?
So have they sort of taken that life?
I don't know.
I feel like you, you know, you send a Tomahawk to one or two threat actors and you'll separate the wheat from the chat.
You'll see who's serious about, you know, ransomware.
There will still be some that don't care.
You're darn right.
Sure. Absolutely.
Absolutely.
And there's versions of this, right?
Like jail time, I've seen some of these that are like responsible for millions and they still end up with four to six years when they finally get extradited.
I again, I think there's difference between people who rob banks and people who shoot people while robbing banks.
That's logical.
That is a difference between that.
But I don't think for instance, we do enough to look at the blast radius.
We don't look at the collateral damage.
And I do think we will get there.
I really think that now we're starting to realize.
But I will also say, guys, to not to like maybe tone down some of the rhetoric.
There's a lot of incidents, actually, that businesses do get hacked.
And they go back to business in six to eight weeks as well.
So I do think that we got to make sure that like when it's extreme, let's treat it more extreme.
Right.
And when it's chill, let's normalize that some people get their car burglarized.
And let's just go back to work the next day, you know, get the window fixed by USA or whoever is your car insurance.
And so if you can't tell, I'm like this weird version of where I'm simultaneously.
saying wreck them. Right. And also chill. And I think that's okay. Right. We have any more
question? One more question. Do you have any thoughts on cyber having kinetic effects in warfare
like hacking medical devices and altering device functionality? I think if laws support it,
do it. And I don't mean that laws can't take it down. But for instance, if I could take your
internet connected car and I have everything against you that you are an art.
dealer that's taken life, if I have the same war power, for instance, if I was there to actually
take life, why does it matter if it comes from a bullet or your Mercedes swerving off the bridge?
I know that's extreme and I'm trying to make a point with it.
But my point behind it is let's not go too extreme on either side, but let's keep things proportional.
Does it really matter?
And so I come from a world that my job has literally taken life because of this.
And it wasn't against people who just did a little bit of credit card fraud.
They were people who blew up 10, 15, 20, innocent people, some of their own citizens,
some foreign.
I, again, I think the nuance matters here.
So I'm trying to give these edgy points to like make sure people have a sound bite that they can like jolt them to think.
But I'm also trying to bring it down to the nuance matters.
So for me, there is definitely situations that exist that we should be able to use cyber to deliver
kinetic effects when the juice is worth the squeeze or when we would have done the same thing
if it was a physical situation.
Right. Yeah.
Kyle, tell us about where can people find you?
Where can they find Huntress?
What types of companies should contact you and try to procure your services?
I mean, who needs to find you?
Yeah, so I gave all the embarrassing stories earlier.
When I was small, we serviced businesses that were small businesses.
It turns out now we're cybersecurity.
for all businesses.
And it's not just a tool where the full team that actually does all the development
and the same team building the tool is the same same team hunting these cyber criminals.
Huntress.com is obviously the website.
But it turns out some of our spiciest stuff you can find is on stuff like LinkedIn,
on X, right?
On Facebook, we actually show on a daily basis what we're wrecking.
And that goes back to that mission statement I said earlier.
if you lead with not only transparency and integrity,
but educate these companies that don't have resources,
maybe like yours,
with community and with education,
you can kind of make a real big difference of the world.
So again, the website's cool.
You can learn about us on a website,
but if you want to see the real kind of like deal
that you've got to experience tonight,
find us on LinkedIn.
Find us on one of those social networks.
That's where we actually talk just like we talk today.
Yeah.
Awesome.
Yeah, that's been fantastic.
We really, really appreciate it.
Guys, well, again, I appreciate it again.
We got to touch a lot of topics that some people shy away from.
We got to be able to play both sides of the fence.
And I just really appreciate it.
I know it took us a handful of years for both of our schedules to work.
But I don't know, two and a half drinks in.
And I'm feeling like we succeeded.
So cheers, guys.
Outstanding.
We'll do it again sometime, Kyle.
And thank you for your time, spending some of your Friday evening with us.
Yeah, this was awesome.
Thank you so much, guys.
Kyle, I got one more question.
What are our countries does hunch us service?
So we actually service all of them, right?
There is a, you know, when it comes down to like we have some legal obligations,
like I can't service Syria today if they're sanctioned away.
But when I say 150,000 businesses, I'm not talking about like in the Atlanta or Baltimore,
or D.C. region.
There are 150,000 businesses that some you would know and some that just provide all the power
and electricity that you don't know across the entire globe.
So no joke, we are a proper.
global company wrecking hackers no matter where they try to go after.
What would be your like five-year dream for Huntress?
Dude. So I asked this question or I get asked this question a lot too, meaning I
ask my teammates but also get asked. And what's nice about it is hackers are so innovative.
They have to be respected just like for instance adversaries. They're smart humans.
And the one thing that I love is think about launching a rocket to the moon.
Physics don't change, right?
If you know the physics, you know the Earth orbit,
you can take a rocket, go around the moon,
slingshot back, land it on a drone platform, you're done.
But cybersecurity is brilliant, shady humans
against brilliant ethical humans.
And the part that I would share is,
I hope more and more and more through like our conversation we shared today
that the ethical side can, you know,
not just cat and mouse this, but disproportionately win.
We're not going to win at all.
But I think we're on the cusp of you.
using our offensive skills to support defense that could finally change like so cyber criminals
are making less money than the company's protecting them.
And I know that sounds like so capitalistic.
You want that.
If companies like this are making money, you are just doing whatever you do, dry cleaning,
delivering paint, right, services, shipping things, whatever widget software, you want that
to win.
And for me, I would like no matter where threat actors go, I would love for Huntress to be
one step ahead. That would be a really cool place that I could like pass away and feel good about.
That's awesome.
Kyle, thank you again for taking the time to do this interview. And maybe we'll come back to
you again at some juncture in the future when we need your cyber expertise.
And we will see all you guys next week. There's some links down in the description for you'll
find Kyle, you'll find Huntress. You'll also find our Patreon. Thank you everyone who subscribes.
And we have new merch also, so you can find that down there.
And thank you, everyone, and we will see you next week.