VIDEO

Be a More EFFICIENT Penetration Tester (John Hammond)

Series: PlexTrac Explainer Videos

Category: Purple Teaming

Transcript

Alrighty, well, hello. Thanks so much for tuning in. Anyone listening here, I am super excited to get a chance to hang out with my good friend Dan and hey, it’s great to see you, Dan. How have you been? What’s been going on? I think the last I heard you were a little under the weather, but I’m glad we can get together there now. Yeah. No, thanks, John. Yeah, good.

And thanks for having me. Excited to be here. Feeling a lot better. So glad we could make this work. Well, hey, I think there will be a good portion of the audience that might say, hey, I recognize that fella, I know who Dan is and what he’s up to, but I think there’s a good portion that may very well just be not familiar with who you are and what you do. So do you mind just giving a little bit of background context filming who is Dan? Yeah, no thanks. I would bet that most people do not know who I am, which is fine, but no.

I’m the founder and CEO of PlexTrac, and we’re a cybersecurity software platform focused on helping automate security reporting for security testing teams, predominantly penetration testing teams and teams conducting purple team exercises. And we’ll talk a lot more about that as a company, but that’s who I am today. How I got here is I started my career in cyber. I graduated college with a bachelor’s in Computer Science and went into my master’s degree at the Naval Postgraduate School. So that was through the Scholarship for Service program, if anybody has ever heard of that or been a part of that. That was initiated kind of in the early 2000s, kind of after 9/11, and the DoD or the federal government, I guess, actually was really focused on getting more people into cyber. So that was a great program and NPS was a great school, and so that’s really where I cut my teeth.

I always kind of joked that I got into cyber like the most formal way I think anybody can, right? Most people did not get into cyber the way that I did, but rubbed some shoulders with some really brilliant people over at NPS and then started my career in the DoD, wore a lot of different hats in those early days, just building out security programs, so doing everything from vulnerability management to incident response to penetration testing. And that’s kind of where I started to find my niche. So I really liked the technical puzzle problem solving that hacking brought and then obviously enjoyed being able to get paid for it. I was never one that actually just kind of just did it to do it. I just did it. It was fun and I enjoyed this is a cool job, right? So I did that for several years. My focus was a little more on AppSec and mobile device security and embedded systems, things like that.

And I got the OSCP, which was a great challenge for me. This was gosh over ten years ago now, which is crazy.

I was a principal pen tester with the team at Veracode for several years and just was doing my thing and just really started to notice pain in the pentesting engagement lifecycle, specifically in a couple of different things. I hated writing reports, which every pen tester will tell you, hated how much time it was taking to format a document and resize screenshots and all this jazz. So that led me to like, okay, there’s got to be a better way to do this. And then the other side of that coin that I hated was I hated coming back a year later or whenever we’d come and re engage with the customer and basically rewrite the same report. None of the things that we had reported had really gotten fixed. And from a consulting perspective, hey, that’s fine. I mean, whatever, your money is still green, you’re still paying us to do this.

But from a core value and mission perspective, I’m like, this isn’t working. Like, we need to be actually getting people better at doing better security. And so something’s broken here. Right? So that’s really what started me on the trail or the path for PlexTrac was one help automate that report writing process as much as possible so that you can spend more time actually finding security issues and then have a better collaboration mechanism for the remediation lifecycle and actually providing more visibility into how these issues are getting resolved. And so that’s really what started my PlexTrac journey. Right.

I started as a side project with the intent for it to be a business, bootstrapped it for a few years, started to get some early customers and then dove in full time and was fortunate enough to raise a seed round in the summer of 2019. And so that kind of got us into the mode of growth and really being able to hire folks and start to scale.

Everybody models a startup with that hockey stick model, right? And our shows are starting to hit that hockey stick curve right. In March of 2020. Right. So we’re like, oh, this is an interesting timing, but a testament to our product and to our team for really just continuing to grow strong through the early days of the Pandemic. Right. As an early stage startup, that’s always nerve racking. Right? Okay, how are we going to manage this? Because you’ve got some cash, but you still got to be careful.

Right? And we were fortunate enough to grow strong through the early part of the Pandemic and that empowered us to raise some more capital in 2021, early 2021. We raised our A round and then had an Opportunistic Series B at the end of last year. So we’ve been on a fun journey. Right. I guess that’s kind of a mix of who I am and who PlexTrac is or how we got started because it’s very intertwined. Right? Well, hey, I am ecstatic and I love to hear it. I’ve been chatting with Dallan and Angie, some other folks over on your team who have been phenomenal and incredible in helping me get a little bit more integrated in all that you do and all the incredible things that PlexTrac and the platform has to offer.

But first of all, kudos to you, if I may. I think you truthfully and again, if I may have achieved and accomplished what a lot of people strive to do within cybersecurity, within the industry and that, hey, you solved a hard problem and made it accessible and approachable and marketable to the point. Like, this is a product, this can be a real venture here, and you’re moving and shaking, doing all the right things. Thanks. Can I ask again if there may be sure. We have plenty of geeks. We have plenty of nerds.

We got the pen testers and hackers in the room. But even the folks that might have a little bit more of that entrepreneurial mindset. Other things that you learned either about you or diving into that. Learned about yourself or learned about the whole outside that has helped you grow and made that evolution so successful. You mentioned. Hey. You got some rounds of funding in 2019 and Series A.

Series B. When did you breathe life into PlexTrac first? What year was that? Yeah, so 2016 is really when I started putting what I call pen to paper. I started actually writing code. And yeah, I would say on the entrepreneur side of the house, I’ve always been a perpetual student, right. I love learning, I love figuring things out. And I think personally, I just challenged myself. I was like, hey, I can try this, I can do this, for better or worse, right? Maybe not knowing what all the pain will ensue.

But definitely it was something that I’ve always had an itch for in terms of kind of the entrepreneurial spirit. And so it definitely was like learning a lot, talking to a lot of other folks just in the startup realm. We’re based out of Boise, Idaho, and so it’s an emerging tech scene for sure, right. But it’s not like the Silicon Valley or Austin, Texas, and some of these bigger, bigger hubs. But what’s nice about Boise is there’s a lot of people just willing to take you under their wing and just give you some advice and mentorship and things like that. So I was able to just really learn from some folks on some of the ins and outs of getting a start up off the ground. But at the end of the day, one thing I really learned I think most people will say this, and it seems fairly obvious, but it’s like you do have to have that sense of grit, of just like I believe in this.

And I really do think it’s going to work because there’s always going to be days when you’re like, man, what am I doing? This is tough, this is not easy. Right. And you’re always going to have those ups and downs, especially in those early stage days, right? It’s been fun. Hey, I think again, I’ll sing your praises because if that’s all right, I listen to a whole lot of folks because I personally am not a startup. Just as well. I mean, what we might consider start up, although we are cruising through just a series A, Series B and keeping that growth up and to the right. But I always hear whenever you want to bring out something valuable to people and to a lot of people and to make it the most effective, you’ve got the product market fit and all.

But the best thing, even for nerds and hackers and pen testers, when you build a tool, when you put out something, some new utility on GitHub or what you’re building for a business, you want to give people Aspirin or something. You want to solve a hard problem that pains them and quickly and easily. You don’t want to be giving them their vitamins. Well, sure, vitamins are healthy, but it’s over time and it’s not the most immediate attractive, hey, I want to go use this right now because I feel like I need it. That’s where Aspirin comes in and report writing the dull, boring drudgery of carving out like your homework that you have to do after having a fun day.

It’s so true. Yeah. And I like that analogy because I think we kind of help bridge the gap in general, right. We help ease immediate pain of making teams. We get the commentary a lot, just improving the morale of the team because I spent way less time having to write that report, which is great. But at the same rate, we’re also kind of in that vitamin mix too, of like providing the teams that are now getting these results in a more efficient fashion, but also better visibility into like, well, who’s fixing these things? How are we actually doing? Are we seeing the same things get reported time, time and again? What I love about it is it’s kind of that mix, right. We’re able to not only ease some immediate pain, which is great and important and keeps people because we’re always going to have a talent issue, right.

There’s always going to be hard talent to find. And so you want to keep the talent engaged and as efficient as possible, right. So that’s important. But then also being able to see like, hey, are we making a difference in our program through the results that we’re continuing to track? So it’s fun. That’s a great analogy. I like it. It’s funny.

I always kind of envision and think as a kneejerk reaction when you’re writing reports or getting the deliverable over to the client. I tend to think of it in sort of the traditional penetration testing circuit. You do offensive security, you emulate the adversary, you find bugs, vulnerabilities and exploits, and you put it on the table. But having more and more conversations with you and your team and it’s cool to get this sort of eye opening moment where they say, hey, there’s a wider scope in this and we do this for Blue Teams just as well. And we kind of bring the two together and you blend and mix and you’ve got Purple Team, which is a term you tend to hear sometimes, but not always. Can I ask you if that’s okay? How would you capture purple teaming, and then what is going on in the industry and how can you augment and supplement that with PlexTrac? Yeah, that’s a great question because we do a lot of marketing around purple teaming, right. And we tend to abstract that concept a little more and that’s why we’re a little careful around it because I know some people can get really what’s the right word concerned around terms, right? Or definitions of terms and get a little bit excited around what we define things to be.

Like red team versus pen tests. Right. It’s funny, but at the end of the day, we really abstract the concept of purple teaming to be in that true collaboration between the Proactive or the Offensive Security Team and the Reactive or the Defensive Security Team. So whether both of those teams are internal to an organization or whether it’s a consulting type relationship, we facilitate the ability to collaborate during those engagements. We have a module called Run Books, and actually, I think we’re going to be renaming it to more like test plans, but don’t quote me on that. I’ll have to clarify what we’re actually going to call it, but we’ve called it Run Books for the predominant amount of time that we’ve had it. And it’s that true purple teaming capability in terms of at least for documentation of results and collaboration, right.

So the Red Team can come in and they can say, hey, we’re going to execute this test plan here’s. All the procedures we’re going to execute, they can create their own. So it really serves as a methodology checklist as well for the Red Team side. So you don’t even have to have the Blue Team come in. But for larger pen test teams, they use it quite a bit for just, hey, these are the things that we know we’re going to test and then we can document the other procedures from the Blue Team side. They can come in and say like, yes, we saw evidence of this, right? We got alerted by this, or we saw evidence of this, or no, we didn’t see this at all, right. So it really helps document what the context of the entire engagement, what procedures were executed, what procedures were seen by the Blue Team.

And so that’s a really important concept that’s that true purple teaming notion.

The other side of the purple teaming aspect is that collaboration during the remediation cycle, being able to have a mechanism to just dialogue on results. We call it the status tracker, where the Blue Team can ask questions and the Red Team can come in and say, like, okay, here’s how you reproduce this, or here’s how we would recommend you fix it. We always provide recommendations, but there’s always kind of that back and forth that you want to facilitate. And so now you have that historical log of all the activity that was gone on around certain findings. And so that’s important too, because if it comes up again, the next assessment, people can look back and say, like, okay, here’s what we did for it to try and fix it last time. We either should do that again and we just missed something, or no, we need to go a different route. So it really does help in that continuous mindset of, hey, we’re on a journey to continue to improve our security posture.

And it takes a village, right? It takes the entire Red and Blue Team to make sure that this works. I’m super glad you mentioned that last bit there. And that it takes a village. It takes everyone playing in concert. It takes the whole team effort. And again, hey, I’ll expand that scope and think a little bit more outside the box, because another thing that I love to see is your involvement and PlexTrac’s kind of engagement with the community. Like when I’m seeing webinars or I’m seeing, hey, what’s happening on the Twitterverse or going on on LinkedIn, right? I’m always saying, hey, there’s another webinar that PlexTrac’s hanging out with Echelon Risk + Cyber.

I have some great colleagues and peers over there, or we’re working with SCYTHE and we’re chatting a little bit more about purple teaming or we’re breaking down the walls and dispelling some misunderstandings or misinterpretations. So with that, I’d love to kind of pull on that thread. Are there other folks, are there other teams? Are there other companies that you’re jiving with? Whether it’s integrations or whether it’s like, hey, we’re hanging out, getting ideas back and forth. I see SCYTHE in the community and I see them at trade shows and events, and I always love to see there are just so many incredible people, like Wild West Hackin’ Fest. I know you’re helping out and we’ll be there.

Yeah, that’s great. It’s important. I think we all say, like, hey, we love giving back to the community, and it’s true, and whatever we can do to help, we want to help, right? Yeah. We’re building a business and we’re trying to grow business, but at the end of the day, we have a deeper mission of actually, our mission statement is we empower security teams to win the right cybersecurity battles, right? So it’s like, how are we helping them identify what they should be working on today? Right? The war is long, it’s a journey. What are they supposed to be focused on today? And so how can we help in any capacity to really identify, just help everybody understand here’s the threats of the day or here’s good techniques to take back. Right? So we love doing that and we love working with partners as well. You mentioned a couple.

We love the SCYTHE team. We have a really good relationship with them. We integrate with a lot of products, right? And so we have some really great integrations. We have an integration with SCYTHE, the Pentera team, and the Horizon3 team. So some of these more Pen test as a service platforms that are emerging, we really have good relationships with and we’re continuing to build those relationships with a variety of other, like, breach and attack simulation tools as well. One of them, another good group of folks, is the OnDefend team, and they’ve written a product called BlindSPOT.

We really view ourselves as that intermediary between all the manual and automated testing that goes on and being able to aggregate that together. So you have a good view of like, okay, here’s a pretty good collection of the higher risk vulnerabilities that are getting reported out of these things and how do we go track them along that last line? We love just working together with other players in the field and we have a great relationship with the Red Canary team as well. Right? So we’ve done some webinars with them and just any ways that we can help give back. We try to I love to hear it and I think I’m trying to think of, hey, what are the other sweet stuff to chat about with PlexTrac? I think we’re trying to get some cool whole picture view. You’ve got the report writing, you’ve got carving through the collaboration platform, doing the grunt work, being in the trenches and the compliance aspects and the run books that you’re doing for Purple teaming. I think there’s one last and maybe there’s more. So please help me fill in the gaps here.

But I do love the visualization and analytics aspect because sometimes you need to communicate the trouble that was found or vulnerabilities or things that needs to be fixed and cool. You’ve spat out the 60, 70, however many pages report, but you still need to get some captured picture to tell upper level management leadership and executives. How was that? Was that sort of the inspiration for visualization analytics? Where did that come along in the process? Or do you mind riffing on that one with me? Yeah, absolutely.

You’re absolutely right. The analytics was always part of the plan for the product because one, yeah, you can help automate the workflow, which is really important. I think we get a lot of good feedback on people just come and say, hey, I can tell that you used to do this, right? Because it’s like, you know where the pain points really are in the process.

That works for Pen test reporting, Purple Team engagement, as well as more compliance based questionnaires. So that really helps. Okay, well, now what am I supposed to do with this data, right? And so, like, okay, well, I need a way to be able to track and remediate these issues, like be able to prioritize them within the context of my environment. So that’s kind of the middle hub of PlexTrac. And then, well, now I need to actually show what the progress that we’ve made to the stakeholders, right? Because we’ve really tried to facilitate the entire workflow around this, so that whether you’re a security director, a CSO, or a security engineer, you have the mechanism to be able to identify, like, what should I be working on, who’s doing what? And are we making progress, right? Are we getting any better? And so that’s really the analytics portion of our platform, which is really exciting to see. I love seeing the new visualizations that come out as we release them, but we really try to facilitate a way to slice and dice that data to not only identify, hey, what are our critical issues? Are we making progress? Are we meeting certain SLAs that we might have either internally or externally, like, if a critical get reported, or are we fixing it in a certain amount of time? And so you can visualize those trends. And that’s really important to be able to say, like, okay, where are the gaps? Who’s struggling in terms of a business unit or what subnet? It seems to be the problem child right.

So that’s important. And that’s a really important piece of the platform, is being able to not only visualize that, but also have a mechanism to provide that data to other people as well, whether that’s the board or the executive team or even external auditors or something like that. So that’s an important piece, and I think that kind of wraps everything up together very nicely because you can do all the work, but then if you can’t really report on how we’re making progress, it makes your day still more challenging. Right? Well, hey, yeah, I love having it all kind of tied together and wrapped and bundled, because that is the package, that is the platform that is PlexTrac in its entirety. And with that, I’d love to kind of ask if it’s again, all right, what’s next? Because, hey, you knocked it out of the park with this thing as it is, but what’s on the horizon? And I don’t want to get into, hey, any inside baseball or secrets you’re not trying to get out yet, but is there anything on the road map that you’re super excited for or I don’t know, what’s next in the kitchen? Yeah, no, that’s a great question. So, one, I’m always excited for all the integrations that we’re continuing to pull out because the more data that we can get collected and aggregated, the better we facilitate those workflows. Right, so we’re continuing to release integrations.

An integration with Edgescan is coming out and there’s a lot more coming out. I don’t have the full list, but that is one that’s exciting, that’s right on the horizon. Mandiant Security Validation is another one that’s really close. And we have a good partnership with Mandiant as well. I forgot to mention them. I’m always excited for the integrations because it just helps facilitate more workflowing and get better visibility from all the different sources of risks that are getting identified. We’re continuing to improve our analytics capabilities and being able to provide more visualizations and more customizable dashboarding.

So we have what we call shareable analytics coming out here really soon where, hey, I want to get a dashboard looking and I want to basically notify our system. These are the things that I really want him or her to see. Right, so we’re constantly improving there. And I think one of the bigger things that’s on the horizon that it’s not getting too much into the forward looking aspects, but we really like the idea of being able to aggregate things into higher level, what I call security program initiatives. Right? So there’s one thing to have like, lots of vulnerabilities around a certain area of risk, but then it’s another thing to say like, okay, these are clearly symptoms of a bigger problem and that’s really being able to aggregate those into a more prioritized list of program initiatives. That’s what we’re calling it internally is security Program initiatives. We’ll probably have a little bit more of a marketing buzz term around it, but that’s exciting to be able to actually see like, okay, because I have a ton of vulnerabilities in these areas, it really bubbles up into a more prioritized list of program initiatives like, hey, I should be working on identity and access management and things like that.

So it kind of brings together the security program aspects with the proactive side of security. That’s all exciting. I am looking forward to it and I can’t wait to see when that’s all coming down. Yeah, great. Well, hey, I for one am sold. I think, hey, some folks listening in that might be thinking like, yeah, you know what, PlexTrac sounds like they’re doing all the right things. They can solve my problem rapidly and easily, make myself and my team more efficient, more effective.

How can someone jump in? How can anyone go take a look at what PlexTrac has to offer and go chat with some folks and get the ball rolling? Yeah, absolutely. So if you just go to our website, plextrac.com, we have a lot of information there about our solution and platform. You can book a demo, we’ll chat with you and really talk through like, what the use cases and the problems that you’re trying to solve and how we can help. We definitely take it seriously. Like we’re going to be honest about the things that we can do and the things that we can’t do. I’m sure you know this as well. In a startup, like, people want you to be able to do everything.

Like, hey, that’s a great idea, we don’t do that anyway.

Growth mindset, right? But we love talking to people and we really view our relationship with our customers as partnerships. We have some great partners and I think that’s an important aspect to our business is that our customer success and our support team is second to none, right? We really treat people as if they were part of our family and so really we make sure that we get them to success. But anyway, go to plextrac.com, book a demo, you can always reach out to us on LinkedIn or Twitter or all the social media channels. And so we’d love to talk to folks and get them into the platform. One other thing I forgot to mention that is a question that comes up a lot on the reporting side. We do support custom export of document templates, right? So there’s always going to be that case of like, okay, well, I love the platform idea, but I still need to deliver a document in my look and feel to somebody, whether that’s an auditor or a customer or something like that. So we do support that as well.

And that’s an important piece of that puzzle because that question comes up all the time. I forgot to mention that and that’s a good feature of our platform as well. I’ll work on that for just a little bit more if it’s okay to help footstep and emphasize. I absolutely agree and it’s something that we even at my own shop tend to get the questions for. Like, I want this to be branded and designed and look like my own product because it’s managed service providers and they’re doing the reseller efforts and shenanigans like that. But especially for a report and for hey, here’s the validation after a Pen test or an engagement, as much as I love PlexTrac, I’m going to have their logo over there. I kind of want my logo over there.

Yes, exactly. Totally understandable.

You can white label it, you can customize it not only in the platform, but also in the document export itself, right. So you can get it into your look and feel if you have a standard template. Now, I will say we also have a really cool thing called we call it our template library because we’ve seen thousands of Pentest templates and report structures.

We did an internal research effort called Research. We did kind of an internal exercise where it was like, okay, what are the common things that you see across everybody that’s writing Pen test reports, right? And so we use that data to really generate a set of standard templates that people can come in and say like, hey, I can change the color scheme, I can add my logo, but I don’t have to do a lot of more work than that. And I have a really nice looking document template for any kind of report.

That white labeling concept is definitely available in PlexTrac as well. Excellent. Well, hey, I will again continue to sing the praises and have been chatting with Dallan and Angie and some of the great points of contact on your team and they’ve been super duper generous in sort of our partnership. So, yes, absolutely. I would point folks to plextrac.com, but I’ll include in the description of our videos hey, here’s kind of a shorthand link even just to hop through my own stuff. Hey, the JH IO domain that can bring you to one of the cool, dedicated pages where they’re showing some love for everything that we do here on this channel. I believe we’ve got conversations for like, hey, if you want to reach out to PlexTrac, you can get the demo scheduled, but you can even get one free month of access to the platform.

That’s true. The tires on this thing. That is correct. Yes, absolutely.

Always happy to work with folks. Thank you. We’ve really enjoyed I’ve heard nothing but great things from Angie and Dallan in this partnership, so we’re excited to be working with you too. Well, thank you, Dan, again and again, this has been awesome. I super appreciate getting the low down on all the great stuff PlexTrac is up to. I know you’re a busy man, so I want to be cognizant of your time, but thank you again and again and I’m looking forward to seeing you and the whole team at Maybe. Hey, the next event we’re off to, I know we missed each other at Black Hat or Def Con, but hey, we’re always excited to see each other at the next community get together.

Yeah, absolutely. We’ll have a presence at Wild West Hackin’ Fest. I’ll be there, I think. I’ve got a talk on Thursday afternoon, so it’s going to be fun. Thank you so much. Until next time. Alright, thank you.