

Reduce Risk Faster

With more findings than there are resources to remediate, how do you prioritize what to fix from your pentests, offensive assessments, and scanner data without wasting effort on low-impact risks? That’s where PlexTrac comes in. The new PlexTrac Priorities Module is the industry-first configurable contextual scoring engine, designed to help you organize findings based on risk. PlexTrac’s David Rushton and Offensive Security Director Dahvid Schloss from Echelon Risk + Cyber, early adopters of Priorities, demonstrate how to reduce risk faster and how to make and measure progress.

Category: Informational Series



So as we do this, we are going to talk about PlexTrac’s new Priorities module today. Before we do that, though, I think it’d be good to have some really good introductions as to who we are actually today. I know Jess was able to do a nice soft introduction, but Dahvid, why don’t you go first and then I’ll go next, and then I’ll get us going into the webinar today.

Sweet. Yeah, sounds good. Thanks, everyone, for joining. So, my name is Dahvid Schloss. I’m the director of offensive security at Echelon. As Jess and David both mentioned, I like to jokingly describe my job as the emulated mob boss of a group of emulated criminals. Right. I don’t get to do the fun hacking and breaking into things anymore, but I come from a background in doing this for real. So it is quite a fun job, especially within the commercial and consulting markets.
But yeah, that’s me. In a quick nutshell, I’m the guy with the crazy hair. So let me pass it over to you to do a little quick introduction as well.

Yeah, thank you, Dahvid. I appreciate you having yourself on today. So, my name is David Rushton. I’m the sales engineer here at PlexTrac. I normally cover the EMEA region. Really excited to walk you through the Priorities PlexTrac module. My experience in cybersecurity has really been in the proactive security side. It’s been pentesting, vuln management, attack surface, and even a little bit toe dipping into the threat intelligence world and scraping of the good old dark web that we love so much. I can imagine. Right, Dahvid, you’re nodding your head there. I’m sure you’ve had some wonderful experiences with it.

So today what we’re going to do, we’re going to go through the platform itself. So I’m going to do some cool things. I’m going to share my screen. I know everyone loves a good screen share, and we’re going to click through the platform. The key things we’re going to focus on today is obviously reducing our risk faster, but we’re going to break that down into kind of helping time to value, to really be able to communicate the risk that is currently going on within a network with web applications and really telling people, hey, this is what you should be focusing on. And we’re going to be doing that for our new scoring equation.

The second thing is we’re going to be helping with is continuous validation. So basically picking out themes, turning them into priorities. And how does that work? How do we process that? How do we track that as well? And then the last but not least is really painting that picture of, hey, are we working on the right things? Did we work on the right things? Did we actually get better from what we did as well? So how do we know? Measure that on an ongoing basis as well? Dahvid, does that sound good to you?

Yeah, it sounds perfect. I like it.

So first things first, let’s lay the foundation today. So I’ve said numerous times, and you’ve seen in the title numerous times, we’re going to be talking about PlexTrac’s new Priorities module. The Priorities module is basically built off the fence that we want you to help you automate and aggregate findings and assets from reports and scans and pentests that you’re doing for your customers or that you’re doing internally today as part of your cybersecurity program. We want to help you get more focus by focusing on underlying themes and critical aspects, or even just separating it based on maybe an application aspect, business unit, regional compliance, risk, industry standards — whatever you’re trying to do, whatever you’re trying to feel, be able to group it accordingly based off what you’re seeing as well.

And on top of that, we have a nice little special feature where each priority can have its own custom equation to make sure that you’re scoring that priority based off your own context. I’ve got a lot of experience with working with different scorings, and the biggest thing they always fall down on is that they never take in the customer’s context or scenario — situation, you could say, and there’s a lot of great scores out there, but some customers definitely need that ability to apply their own context to their own scenario so they can better prioritize based off their own situation and what they’re trying to do either in the moment or strategically as an organization as well.

So, Dahvid, anything you want to add to that before we get into it? Because I’m going to do that exciting thing. I’m going to share my screen and pray to the demo gods that this is all going to be perfect.

Yeah, no, that’s what I was just about to mention, that we need to pray just beforehand. But no, there’ll be more to kind of talk about, especially once we start to share the platform and showcase Priorities.

Absolutely. So let’s do the nice little check. Can you see my screen?

I indeed can.

Look at that. Brilliant. Brilliant. So first thing first, Dahvid, we’re going to focus on the time to value.
When we say time to value, we mean it in the sense that we want to be able to contextualize and be able to measure what you’re doing. So what I mean by that is if you do a scan today or even do a pentest, you have to rummage through it and kind of figure out where do I focus, what do I do? You know, there’s the CVSS scoring, there’s a lot of risk scores out there, a lot of intelligence scores out there, but you still have to kind of rummage through a little bit and figure out, is this actually truly a risk? Is this actually relevant to me? And so what PlexTrac wanted to do, we wanted to quicken that motion and create what you see on the screen today.

So, Dahvid, I know you’re really excited, but let me just give the audience a little walkthrough of what they’re actually seeing on the screen right now. So what you see on the screen, everyone, audience, is the ability to build your own equation. So we’ve got all a bunch of variables on the top left. This is actually the equation we’ve set. It’s a drag-and-drop feature where you can drag and drop the variables. You can add additional variables as well. And the cool thing is, for each variable, you can control the weighting that makes up that score. And you can also apply rules and conditions which can actually control how many of that weighting will be applied to the final score as well. So the exciting thing here is that, for example, if you want to take in the asset criticality, and if you see an asset criticality that is critical to your organization, you can make the score do something depending on your condition or rule that you are creating for it as well. So the idea here is to give you creativity to be able to apply to your own context against the priority itself. And we want to start here because this is kind of the foundation.
Right, Dahvid? This is the level playing field that you do to compare between different areas of your network to check, hey, are we doing good over here? Are we doing bad over here? Where do we focus our work and resources on as well? But I’m definitely keen to hear your thoughts and views on how you guys are looking to use this or using this today. And some vision stuff you guys have, right.

With equations. I think it’s really important to kind of note what you noted earlier, right. Which is the context for how you score something is entirely different depending on what kind of engagement you’re doing or who the client is, if you’re a consulting firm or what the product is, if you’re an internal team. And this gives you that ability to really look at the context of what you’re working with and make it so that it’s relevant to the parties that you’re trying to explain the risk to. Because we’ve all been there, especially as pentesters, red teamers. CVSS, CVE, these kind of scores, they’re great, but sometimes they don’t make any sense, not for what you’re trying to explain, especially when it comes down to the greater aspect of the priority of like, hey, we need to fix this because of XYZ, right? So being able to create your own scoring equation, how do you want to put it in English?

Say it in a different language.

Nobody will understand. Yeah. I mean, it’s like my own language right in my head.
No. So it’s like, how do we frame it that way? So that our senior leaders are actually understanding exactly why this is a critical or why this is a high, because nobody really understands, at least at the executive level, as I’ve slowly learned, being in this position for the last couple of years now, it’s like people don’t look at that. They don’t look at the CVE score and go, oh, okay, so it’s a high. Sure. That makes sense. In the same way that they’re going to look at a Nessus scan that tells you an SSL cert is a critical finding.


This gives you the ability to facilitate that communication, or not that communication, but that conversation in a way that will make sense to those leaders and customize it further from what is already an industry standard. You can make your standard at this point.

I think that makes sense. Yeah. Because you mentioned the executives’ understanding the cause behind a score. I feel like that’s the big, you know, when you try and play in CVSS scoring or you try and play in any score in a market, say it can be quite complicated, it can be very technical, and at the end of the day, they just want to know one, is it bad? Is it good? Is it important to us? And when you reply, maybe it’s like they don’t like that answer. So I feel like, what do you reckon executives care about then from a scoring metrics? Because they obviously like a score. I’ve met many executives who love a good little quantified score that tells them if it’s a thumbs up or down scenario, because of that, because they’re so time consumed, aren’t they?

Right, right. And they’ve got a million other things to think about, and you just got to communicate the best you can. So what do you think an executive would care about from an equation standpoint?

So I think a lot of executives really enjoy the absence of, why am I blanking on this word? Where you forget that one word specifically, essentially your own opinion. Right. They don’t want an opinion of is it bad for x, y, z. Right. They want to know why is it bad. What is the exact reasoning here? Right. So by providing your score equation to an executive being like, all right, hey, based on the finding severity from CVSS and the likelihood and impact of whether it can be exploited and what is the actual exploit.

Right. Taking away that bias or that opinion and starting to back it with fact, that’s really going to force into their mind, like, okay, this is important because there are other factors being played into the finding or the score that you’re coming up with.

Right. I think the biggest issue with most scoring systems is a lot of it is backed by the bias of the individual. We’re all technical people and we’re very good at understanding the technicality of the risk. Right. But when we start to go, oh, hey, this is a risk, because we know it’s a risk.
Right. The impact or likelihood, and that’s the only thing that you’re taking account of, it’s being able to also go, hey, our finding count of this particular finding is pretty major. Right. Let’s say we wanted to bump that up to something like 30 or 40% or this is a larger business share of our business through the asset count. So just having the facts to back up the score from just having other categories to base it off of is really what helps kind of build that narrative that they can understand and trust what the score is. Instead of going, oh, well, there’s a bias here, they think it’s a high because they’ve seen it in the past.

Yeah. And what about operationally? So we talk about executives, right? And they’re just getting flashpoints, board meetings, quick little snippets, like, hey, how’s it looking? How’s it going? But operationally, when you can create your own contextual score, how much difference does that make to an everyday life scenario of the people you’re on the ground doing the work, fixing, tracking, analyzing. What difference does it to make them? How did they make their life easier, would you say?

Right. So I think it falls back on that idea of bias as well, right. As IT admins, you want to focus on the things that sound the most impactful or the most likely, but there could be something that, let’s say, isn’t exactly a very high likelihood, but a high impact and affects a larger asset count, that should be your priority. That should be the remediation, especially considering, like if the impact is high enough to facilitate a higher score, you want to make sure that you’re fixing the things that are going to cause the most issues within your organization. So by being able to provide other elements of focus so that you can pull the IT admins or the security personnel out of the tunnel focus that they may be in and show them a greater picture, it really does help build that remediation plan in a way that is going to be not only effective but much more efficient in ensuring a risk reduction strategy across the board from a pentest.

I like that. So what you’re saying is sysadmins and security people will bump heads less with this equation is what you’re saying, right?

Yeah, because we all get there as security guys and gals. We all do the same thing where we look at this and we go, hey, this is important, right? Log4j. Everybody knew about Log4j and we focused down on Log4j, right? Granted, very important vulnerability to fix, but let’s say you had one instance of Log4j within your network and 50 instances of BlueKeep, right? While BlueKeep is a little bit less of a likelihood of exploitation, considering they have to be internal to the network, the importance is still pretty high considering if somebody does get in, then there’s a much larger swath of exploitability, right? And so it kind of pulls us out of these hyper-focused ideas of what we see as being likely, especially around the celebrity vulnerabilities, right? Where we go, oh, we need to fix this first because it is the CVSS of ten. Whereas yes, it’s important, but there may be a priority to focus on the remediation efforts towards patching Windows and bringing them up to speed because we’re missing large portions of patches.

No, I like that. I like that. And do you know what? We just had a question come through. Paul asked, to what extent are the filters in the Priorities module adjustable by users to reflect very fine-grained organization priorities? And I kind of like that question because in my head, organizations start a year going, these are the things we’re going to focus on, right? And some of them you say that was smiling like it never actually happens because, don’t we? But you should be focused on those fine grain things so you can adapt this equation in a way that can help impact and prioritize and lower ones as well. And Priorities allows you to kind of group the findings and group the assets from your reports, from your scannings, from your pentests. And then you can also have custom equations based on that specific priority as well. There’s a way to actually soak down this equation, not just across it, but you could have different equations for different scenarios as well. So I’m keen to. What’s your opinion on that, Dahvid? Would it make sense to have different equations for different scenarios in your company?

100%. And I think that’s something that could be taken into account greater on the platform as well, is the usage of asset tags. Right. Categorizing your assets as a high priority, medium priority, low priority, or however you want to put it. Right. And that can really help communicate how that finding is going to be rated, especially considering something that may be pretty, I wouldn’t say minor, but we’ll call it a medium impact to a high-priority asset should score and should be scored higher, especially considering we all know that business-critical assets are going to be the most protected within an environment. So we need to ensure that any sort of finding that comes from that or is related to that is contextually scored in that way.

Absolutely. And I think that could also help with different countries, different regulations as well, different compliance needs. If you’ve got a PCI-compliant asset versus maybe, or even if you just do NIST assessment, anything really, you could adapt it and have your data segmented in different priorities with different scores against that as well. So you can kind of get the fine, but you can also have that equation that’s generally default as well. So I like that. Fantastic. Fantastic.

So I think we should move on to the next, unless you got something else you want to add under here. Dahvid, is there anything else you would want to talk about?

Well, I’ve seen some of the cool stuff that you guys are working on on top of this, but I know that’s later down the line, but I know people’s questions will come up, like how can it expand and whatnot and more is definitely coming to be excited about, for sure.

Audience, there’s a lot of exciting things that we can do. I just don’t want to annoy the product owner right now.

Yeah, we’ll keep them happy. Exactly. Yeah. No, I mean, what’s here right now is already superb.

Exactly. There’s a lot of functionality, and this is a step in a way that really can help a lot of people improve in how they see their findings. And I think that’s the big thing. There’s an application manner to this, but there’s also a psychological manner to this as well, is how you’re grouping, how you’re focusing, and how you’re scoring can really realize how you’re managing your data and pushing into the areas you want to push it in as well.

All right, so the next thing is kind of like the validation aspect, right? So what you’re seeing on the screen right now, is the list of my priorities. So we’ve talked about the equation, which is a contextual scoring column that you see on my screen right now. So it’s being applied as we speak. And you can also see the linked findings and the linked assets to each priority as well.
So you can link specific findings, or you can link specific assets. You can do it in any manner you wish. You can bring in the assets and then bring in the findings that you want of those, assets. You don’t have to bring them all in because, remember, we’re trying to have a focus here. Or you can just bring in findings as well if you want.

In PlexTrac, a finding can also be anything you want. I was talking to a customer last week who was saying like, oh, I do a lot of social engineering tests. Could an asset be a person and then a finding be like an account takeover of that person and then make priorities around social engineering and training needed? I’m like, absolutely. You’ve just done my job for me. So I think that’s something that’s really exciting about that is customers are going to be very excited about the way they can facilitate different workflows and try and really create focus around things that they want to create focus around as well. I’m definitely keen to hear your opinion on this. Dahvid, have you got an idea in your head of what this means to maybe, let’s be more specific to your customers, right? When you deploy this out to your customer base, how would it benefit them? How would you deploy this for them as well?

Right. So a lot of the ways that we have looked at using Priorities has been at, I would say, more focused on the continued aspect. Right. A lot of teams, especially with larger, more mature organizations, are starting to move to a much more consistent testing schedule, which is phenomenal. But the hard part with consistent testing is then you have to wade through the consistent amount of reporting. Right. And to our earlier point, execs are trying to get to the point. They’re trying to figure out what is the risk, and what is actually something that we need to prioritize. Hence the Priorities module.

Good naming if you put it that way. But it’s really an opportunity for us to be able to look at if we’re seeing a trend within the organization that needs to be resolved because every finding is an issue that needs to be resolved at the end of the day. But there is a correlation between findings, especially if you have missing patches or to your social engineering example, a lack of training. We do a lot of red teaming, so we tend to encompass a very large swath of physical, logical, and social, and sometimes those intermix with one another. A lack of good standard operating procedures could be a trend that we want to point out that isn’t readily available through just a finding itself. You can extrapolate that from the report and from the narratives, but providing it in a smaller, more condensed, ingestible format like Priorities just makes it so much quicker. It streamlines that process and gets right to the heart of the problem instead of trying to explain it or sit down over multiple conversations, which is fine, but the quicker you can resolve something, the better.

I don’t think the customers enjoy going through 200 pages of pentest report findings either, do they? And extracting and trying to figure out what matters.

Yeah, absolutely. If you’re using some of the other ingestion tools, like through Nessus or other items to amplify the report through some sort of vulnerability scanning, you can start to point out exactly where are these core issues and focus on those and remediating.

Absolutely. I like that. One thing I was thinking about with you is, are you starting to do a client portal with your customers already today? And are you looking to use this as a way to communicate that to them in a different manner? So they come into the platform, they look for their result, and they can click on the priority that applies to them and then kind of go through it as well. And I think that works out really nicely because now you’ve got that middle person in between a customer and in your situation, MSSP, as a means to have communication together in a standardized, central manner. Are you seeing that benefit with your customers today?

Yeah. So on our more continued basis. Right. Because for the pentest team, especially when it’s just a one-off report, it’s really hard to drive out individual priorities at times because there isn’t a continued piece. But that doesn’t mean that there can’t be priorities in that case.

Right. Especially if it can lead into a better remediation plan. Because one of the hardest things about pentesting is you get a bunch of offensive security nerds like myself, and we look at this and we go, okay, here are the issues at hand, but we’re not able to sufficiently communicate at times what needs to be a priority to be fixed. Right. And so utilizing other experts within our field, especially here at Echelon, we use our defensive engineering team pretty extensively within our engagements. They’re able to come in and look at it and go, hey, these are grouped. We could definitely group these together.

Let’s showcase that. Right. On a continued basis, it’s a lot easier because the clients are a little bit more involved inside the application as a whole, because it is being consistently updated. But, yeah, this is something that we’ve started to strive towards to work into at least as a base part of the offering to where we can showcase, like, all right, here’s how we build a remediation plan. Here’s what we need to prioritize for you guys. The Priorities module does a really good job at just making it so that I don’t have to write a whole plan. I can just pull it from what’s already built.

Exactly right. Build it once, use it multiple times. Do you know what I liked about what you said then? You were kind of starting saying, when you do a pentest, you start to notice themes. I think that’s something I always notice myself. And sometimes the customer, or if it was internal, would come to me and go, I know you did it, and I know you’ve got my little PDF and it’s great, I love it. But how do we do it? There are things that we should focus on. And I would always say, like, yeah, you’ve got some client-size servers, I see some old packages. I did a couple of cross-site scripting on you. I’d recommend doing this and this and this, and I would say it very casually, and maybe it would be in there in a security recommendation. But what you’re saying is that stuff would become a priority that can now be measured and have a plan of action against it. And the relevant findings can be continuously linked to it as well, is that correct?

1000%. I mean, I like to use the example of EternalBlue or BlueKeep because these tend to always show up, no matter how often or how far away we’ve gone away from their initial release. But in a pentest, we’re not going to exploit every host that has EternalBlue available to it. Right, per se, just because there’s not enough time. And really it’s not going to result in a meaningful next step, though we might identify it. And I think a really nice thing here is, especially within PlexTrac and the simplification of reporting, it allows us to take all of those and go, hey, we saw EternalBlue, probably vulnerable on half the hosts, right? Let’s create a priority out of it and create like a patch management program from that, find out why this is a finding across multiple assets. Create a priority. That priority leads to some new standard operating procedure or some new policy within the organization, which then leads to better maturity within the organization. And then next thing you know, next year you’re doing a red team because you’re ten times better off than what you were the previous year. Right? So this really helps simplify, but also amplify the speed in which you’re able to remediate, because now you’re focusing on what is actually the root of the problem. The root of the problem isn’t EternalBlue. Right. The root of the problem is patch management is not working properly. And so you can showcase that here.

No, I like that. What I think you just said was really then is that a lot of times the findings themselves, it’s just a part of the problem. It’s a result of the problem that you already have. Right. And you need to find a way to figure out what the themes are, to figure out what actually needs to be fixed. Like you said, the EternalBlue is not the main issue. There’s actually a bigger issue at hand. How can we identify that to really reduce that risk overall as well? And how can we measure that over time to reduce it? It’s one of the things, if an executive saw that you only have four priorities, maybe they’ll be happy. Maybe. Or maybe they don’t think you do a new job. It’s one of the things you want to approach it. Right.

But is that the thought process you’re kind of going out there, right?

Yeah, I mean, it makes it more manageable. Right. A pentest report with hundreds of findings. Well, I don’t have many pentest reports where unless they’re really long, you get hundreds of findings, but you get 15, 20 findings. That looks like a ton of issues, really. But the root of the problem is maybe one or two items. And so this is streamlined to the executives in a way that is manageable so that they can look at this and go, oh, hey, now we have a plan on moving forward. And then the next year you’re not seeing the exact same issues pop up in just different regions right now. The actual root of the issue is resolved.

100%. You’re in control. Right. I think that’s the biggest thing as well. Exactly. Because one thing I’ve seen in the industry, and I’d love to know your opinion on this, is the industry started CVEs, like the first ever one came in existence. And then vulnerability scanners started slowly coming, after was Nessus and everything. And they started making signatures, all the fancy ways to identify them in your thing, and standardization and this and all these amazing things came. And most organizations just had one scanner, and they didn’t really need this consolidation. They could just see and they didn’t really have many assets, et cetera. And this was before my time, by the way. So, audience, you’re welcome to correct me here, but the other issue then what came along is multiple scanners started happening, cloud hybrid web apps, and coding started getting more serious. We want to scan that, DAST, SAST, all these fun things we need now ten scans instead of one and then we just start doing it all.

And there’s a lot of products really good on the market today that’s really good at bringing everything into one place. But then you still have that other problem of now we need to prioritize. And then CVSS came out and a lot of other scorings came out. But again, it doesn’t mean much to you at the end of the day because you’ve just got all your vulnerabilities in one place from your pentesting, from your scanners and everything. But you’re still overwhelmed because now you have ransomware screamed in your face, you’re having all this scream in your face and you’ve got these nines and these ten CVSS scorings and you’re trying to figure out which one you should start with. But this asset is over here and that asset over there and you just need a way to organize it and apply your own themes, i.e. your own priorities, and also apply your own contextual scoring against that as well. And I think that’s the next step in the industry today that people need. And would you agree with that? Like kind of my little history, little thing then?

No, I think you’re right on point, especially talking about how prioritization is an absolute need.
Ask any executive if you hand them a Nessus report, right — especially in a mid-sized to large organization today — they’ll probably freak out because there’ll be hundreds upon thousands of findings there and their first thought will likely, if they’re not technical, will likely be, oh crap, right. We’re insecure, we have a lot of problems, right. And the focus will be on the wrong aspects.

Whereas if you have something like Priorities or you’re able to consolidate all of those into one manageable finding or multiple manageable findings, sure, it’s not any less, right, you still have 1000 vulnerabilities, but now you’re able to focus exactly on what is the most important at a time. It breaks it up so that you’re able to digest it in a way that is going to garner support from your leadership if you’re an internal team or from a client organization that you’re working with.

Because something that I see a lot is repeated findings over and over and over. Right. And it generally just comes down to the root issue not being resolved. And is that partially a consultant’s fault in reporting? One could argue that, but ultimately I think it’s really just the way that the information is presented. The fixed actions happen, right? Nobody just takes a report and tosses it to the side. Right? You don’t pay the money to do that. But the root issue has been resolved by providing something like Priorities.

Absolutely. Absolutely. No, that’s fantastic. I do want to finish off on the analytics side of things. And how is that important. So PlexTrac does have analytical capabilities. Audience, I’m showing you some little sneak peeks right now. You can see a finding status, you can see breakdown by a client, you can see severities, critical findings, and you can have filters as well. This is same across assets as well, in addition to trends and SLAs. One thing I’m keen to hear from you, Dahvid, is how does this help one? Maybe with how you guys deliver and provide value to your customers, but also as a cybersecurity organization internally, how would that help them as well? From prioritizing, being focused, and ensuring that they are actually making progress in the right direction.

Right. I’m not going to lie, this is probably like my favorite aspect of the addition, right? And it mainly focuses on the idea of the communicating to executives on a continuous basis. It gives a viewpoint in, I hate to say it, pretty colors, right? Where graphs and pretty colors actually do the picture though, right? Words are great. And we all do a good job at reading our reports and ensuring what is being found in a methodological way. But graphs and pictures tell the story at the end of the day. And so by being able to break it down over time, especially when you’re able to see these numbers slowly get closed up or removed over time, or even seeing the trends in SLA aspect, I think it’s phenomenal being able to know like, hey, it’s taken us 36 days to close a critical, right? I think most of us would agree if it’s a critical, it probably should be closed the day of. So that way you could start to adjust or figure out why that’s broken in a process, that can help in the process as well, but also over time.

Audience, by the way, this is a demo environment. Audience, this is not a real customer. This is a very bad score. Yeah, this would be terrible. An executive should be very worried if you see that number for critical, just saying out loud.

Yeah, if you fix your informationals in like 18 days, but your critical is in 36 days, the priorities may be flipped there, but, no, having the ability to look report over report, right? Hey, from report A on 11/1 versus report B on 12/1, how are we taking care of our own severity or our own findings? Right. How are we responding to these? Are we improving upon that? Also being able to see how many more findings are we getting after continuous reports. Right. That’s the aspect that I think that we like the most is the fact of being able to paint the story over time. 11/1, we had, I don’t know, 100 findings, but 12/1 we had 50. Right. You may not realistically fix everything, right. But getting through 50 is still a very good trend in the right direction.

Right. In general, the metrics piece is a huge game-winner for executives. Right. Predominantly who we’ve seen working within the platform from our client base has been technical. Right. Because they’re the ones who are going in and they’re marking the findings open or closed, remediated, however they want to track the items. But this opens the possibility to showing the executives.

Exactly. Here’s what we had in our first test and here’s what we had in our second. Here’s what we had in our third. And here’s the trend, right? Absolutely. And really opens up the horizon of knowledge for them in a way that I don’t think any other reporting tool has done in the past.

Right. Not like in a pentest perspective, right. There are plenty out there for vuln scanning, but vulnerability management is only a small aspect of the whole tool and the whole security maturity. And so this showcases everything. I think you just hit head on nail then the other aspects of security have metrics and stuff out there with a lot of different tools and a lot of people build in-house tools for it as well. But I always feel like pentesters, even internally, have been pushed in that corner, like someone comes up to them and goes, I need a pentest yesterday. I feel like that’s the life of a pentester, both internally and sometimes in your situation, who provides services for customers as well, is you’re just focusing on getting them out and getting them done. Maybe your company’s got a requirement to get a pentest done every single year on every single asset within a certain region, and that’s the pressure you have.

But at the end of the day, you need to show your worth. You need to show how you’re delivering value either, as in your situation, to a customer or either internally to your line managers, to your organization in general. Like, hey, I’ve done all these tests, this is what I’ve measured, this is what’s been fixed, this is what I’m helping you guys focus on with the analytics, with priorities as well, and that really shows your value and how much improvement you can make, because right now you’re probably making a lot of value for your organization. You’re doing it and you’re not even doing it without realizing. The issue is the company might not even know the benefit you’re bringing to the organization. You want them to know, you want them to realize the benefit you have as well. And I think that’s where people really appreciate it. Would you agree with that?

Yeah. It’s no hidden fact that cybersecurity has a major dictionary problem. Right. We all call things different things at the end of the day, and that’s ultimately because a lot of the tools that are available for, say, vulnerability scanning are widely available. Right. And they paint a picture that is very well known and understood where for pentesting or red teaming, that really hasn’t existed. And having the ability to paint that picture now solves a lot of our dictionary problem because now we’re including individuals like the executive staff or the leadership staff in the conversation so that they can see exactly what is the trend going on from pentest to pentest. I’m assuming most people aren’t doing like back-to-back red teams, though, one would hope.

Yeah. I mean, if they are, that’d be perfect. Right? That’s the goal at the end of the day. But this does bridge that gap. It finally starts to facilitate communication to the leadership so that we can start to break down those walls of this communication problem. Because a lot of people do still believe that a vuln scan is a pentest when we all know it’s not. And it really comes down to what is the tools and the assets that they’re ingesting.

And now this is going to open up that viewpoint and saying, hey, here’s a pentest. Here’s what our actual results are. Right. And they can see that over time, which is going to be phenomenal. Yeah. And I really like that as a pentester, you’ve got to show the value and stuff. And I feel like it’s a powerful story that you can paint and it’s one that you should be painting.

So. All right, so, Dahvid, I have just stopped sharing. Can you no longer see my screen? Can you see the slides and everything?

Yeah, you can go and look at your email now. It’s fine.

Fantastic. Appreciate that. All right.

Instagram. No, I’m joking.

So, guys, I really appreciate today. So we are going to go to QA in a second. But before I do that, I do want to encourage you guys to book a demo. You are more than welcome to go to to sign up. You might even get me, depending where you are in the world, if you want to personally request me, I’m more than happy for you to do so. I’d love to have a conversation with you guys and see how Priorities can help you reduce your risk and prioritize high-impact findings within your environment. So Jess, I will finish off and hand it to you to kind of do some QA.

Guys, you have been keeping me in stitches this whole time. That was so much fun. What a great chat. I love that some really, besides being a lot of fun, some really great points and I think delivered with, as you said, pretty colors, Dahvid, which is always very nice. But I think hitting on that cross-section between psychology and technology is really interesting. And a lot of these more human stress problems is a really cool thing that you guys are addressing. I also really appreciate you’ve been taking a lot of our questions as we go. You’ve been asking and answering them. So we do still have a lot left and we’re going to dig into some audience questions right now. Are you guys ready for that? I think so. Let’s try bring it on is what I’m hearing. Okay, great.

Well, I want to start with this one here. We did get a couple of questions in about possible limitations, and I know you mentioned hybrid cloud is one of the things you were talking about earlier, David. So I just want to make sure there’s no limitations in terms of different IT environments across hybrid. But also I’d like to address another limitation that came up from a few folks around ease of use. So if you have a smaller team or if you have a smaller technical team. So if you need less technical people being involved in this process, wondering if you could address kind of those potential limitations that an organization might be facing. David?

No, I like that. So let’s start with the hybrid one, right? I think that’s a really important question. And Dahvid, I’d love for you to chime in here because hybrid is the new way, right? Every environment has some level of hybrid, and sometimes it’s multiple hybrids on one on-prem environment as well. And how you link them up is so important and it’s just curious to them is super valuable as well in how you’re connecting up and why you connect up. So PlexTrac gives you the ability to not just create priorities, but the initial phase. So what I mean by that is, as you bring the data in, it can come in multiple ways. Think scanners, think Veracode, Qualys, Nessus, etc., the list can go on and on. Also, we can have API integration as well, and we can do CSV upload.

So we’re there, we’ve got your back and getting the data in, and then you can adjust your assets and map it to different reports and group it and such, and then build in priorities off it as well. And then on top of that, each finding and priority can have tracking capabilities against it as well. And you can create assignments around it and make action steps. And what you’ve got to do against that finding to make it fixed and final, but final, is that every single asset can be tagged as such as well. So you can tag assets like, hey, this asset is in GCP, this asset in AWS, this asset is in this location of the world. Even you can go to that extreme. Or you could even tag it as such, which I used to talk a lot about asset management. You could be like, it’s in this room, in this specific rack, in this area of the building, for example, and you can tag it as such then. And then that brings us to the equation is that you can bring those tags as part of that equation specific to that client, and that client could be, again, in certain environments as well. So that’s functionality from PlexTrac. We can definitely adapt to their environments. But Dahvid, I’m definitely keen to hear your opinion as well. And then just the less technical thing, we’ll definitely touch on.

I mean, I tell people that we are the emulated criminals, right? We do anything that a criminal would do, at least in the sense of against an organization. That means we do physical, we do logical, we do social. It really doesn’t matter what environment that we’re going up against. Web cloud hybrid, it really doesn’t matter. At the end of the day, the way that you categorize assets is probably the most important piece of the puzzle. And to your point, you can be as granular as you need, or as generic as you need. As a consulting firm, we are a little bit more generic. We don’t know exactly which rack the assets are in, but we do categorize every finding with a specific tag, whether that be web app or cloud object or user object. So when it comes down to flexibility, it’s really dealer’s choice. And however you want to communicate those findings is really up to you. And it’s simplistic enough that even if you’re not technical, you can still figure it out pretty quickly.

And then on the technical side is, is this workflow accessible to the technical side of things? And absolutely, you saw a lot of pretty colors today. And that’s something that we do want to provide, is we want it for ease of use. Right. We want someone to be able to come in and drag and drop and easily go, oh, I’ll just do this and then I’ll add this and then I’ll add this condition and it’s all very easy done and it can easily be applied. There’s not big scary letters and big technical words, but you also have the ability to make it super technical if you want to because you have a very technical situation. So both scenarios can be very helpful. But then the other side of that is the very technical people can set up to make it really technical. And I’m using technical words quite a lot right now, but the less technical can come in and really easily understand exactly what’s going on as well. I love that. I also get stuck in word loops sometimes, Dahvid, and I realize I’ve said the word well. I think that.

Thank you for answering both of those questions, guys, and I do appreciate that. This might actually feed in a little bit with, because as we’re talking about the customization and the ability to kind of set it up in the way that you want. We did get a question that came in wondering if you change. It’s a bit of a long one, guys, so stay with me. If you change a basic variable for one customer, is that going to affect any other customers? How do you deploy the variables directly in production? Or are you doing some testing with the customer in non-production environment? And do you take backups before changing the variables? And do you encrypt if it’s critical? They sandwiched like seven questions into one.

They did, and I can give it a go. So overall, the platform can be deployed on-prem, so you can encrypt and do whatever you want when it’s on-prem deployed, or you can have it cloud, which obviously we take care of all that security. I’ll just level that right there. From the variable situation itself, the variables are taken from the fields within the platform itself. So being the fields that you get from a Nessus file and you upload it, they’re the variables themselves as well that we’re pulling from now from the cross-client aspects. The situation is you could have client-specific equations so that the variable that you’ve set for one customer will not impact another customer as well. And for the taking of the backups, you can save an equation as a template and then reuse it again if you want to as well.

I think you nailed that. David, anything you want to add?

No, these are all backend items. David’s going to know this better than I am. I can confirm, though, as a consulting firm, that different clients will not see each other’s assets or scoring. However you want to separate it, ultimately, there is a pretty good separation there.

Well, luckily, Dahvid, we have a question that’s directed directly to you, so I’m going to keep the mic with you for a second question. Dahvid, what’s your white whale? I talked to another red team guy with a goal of stealing a baby from a hospital. Okay. With appropriate permissions and with the intent of returning the baby. Good. Excellent. Yes. Good. He wants to show the technical vulnerability of the hospital’s birthing department. Do you have a white whale? Please don’t admit to anything that we’re all going to have to deny later.

No, I mean, that’s a great question, though. For us red teamers, we are very ingrained in what we want to do. Thankfully, I’ve had a lot of great opportunities and where I’ve kind of accomplished all of my criminal actions. Right. Legally, of course. I really wanted to rob a bank because who doesn’t? That sounds really cool. So I got the opportunity to do that. At one point we succeeded. It was a good time. At this point, it’s all about the stories and what are the quirky ways that you can get around security controls. To me, that’s way more entertaining than specific objectives per se, but I wouldn’t mind trying to do a red team for the military. Those guys, they do the full red teaming. They’re breaking into bases and seeing how they can get on.

When I was working in the military, like ten years ago, they did one on the base that I was at. They printed, your base belongs to us, to the wing commander, about 1000 times on his printer. So much so that I got in trouble because I was working on it at the time. So I would like to be on the other end of that. But that’s a pipe dream for sure.

That is a fantastic way to take over a base with very little actual danger or risk. Please don’t anyone get ideas.

Yeah, do it legally. No, it’s dangerous. They do carry guns.

Yes, exactly. They got to know, don’t do this to your neighbors either. All right, well, we’re getting pretty close to the end of time. As much I have to say, David and Dahvid, I could do this all day, and I wish we had longer for this webinar, but as we approach the end of our time here together, I want to remind everyone in the audience that the questions that we did not get to, and there are a lot, are going to get sent to the PlexTrac team. So you will hear back from them and you’ll get a chance to get answers to all of those questions. But before I let you go, I’m going to ask you for two things. One, I’m going to direct to both of you, and I’m going to ask you guys for a final thought, a key takeaway. If there was one thing that you would want everyone in the audience to walk away kind of thinking about or an action step you’d want them to be able to take, what would that be? And maybe we’ll start with Dahvid. And then, David, I’m going to ask you to end that one. And then when you finish answering that, if you can give us a next step to getting to know PlexTrac a little bit more.

So, David, if you want to start us out.

Oh, that’s a lot. I mean, PlexTrac has been a phenomenal tool in amplifying the speed in which you can accomplish your reporting. Right. It’s where they started off, and it’s done a phenomenal job at doing that. This is like the next step in the iteration in the communication model for reporting. At the end of the day, we’re always trying to communicate to our best knowledge how to resolve issues within either our organizations or our clients’ organizations. Priorities is that next step. And it really does help in the long run, especially in continued situations where you can showcase exactly what is the root issue. What David and I have been saying for pretty much this whole time, you know, really looking forward to it being rolled out now to the greater user base. The beta was fun, but ultimately this is the next step in communication. So we’re super excited to see where it goes. And thanks again for having me on.

Yeah, wise words. Wise words. What I always ask organizations is, does everyone understand what the priority is? Does everyone get it? And in nine out of ten, most people aren’t. And so, guys, I really highly recommend you giving us a reach-out at Like I said, you might even get me to do the demo for you and we can have a nice conversation as well. I always like it when someone says, I watched your webinar. That’s why I’m here. And I like that I always give an extra special demo for them people. Yeah. Thank you for your time. I really appreciate it.

I like that. A little extra razzle dazzle, if they’ve seen you in a webinar. Well, David and Dahvid, thank you both for bringing the razzle dazzle today. This has been an absolute blast. I loved the demo. I loved the conversation. I hope that we get to have you both on again soon because there’s clearly lots more to talk about. But thank you both very much for your time here today.