
Okay, so I have a couple things to warn you about as we get started. Some of you have probably already noticed. Um, I have been told that I speak fluent trucker with a sailor accent. I will do my damnedest not to say [ __ ] too many times. I have Tourette's. I really do. But that's not why I say [ __ ] It's just a convenient excuse. So, you know, you got to be honest with things, right? Like, I can blame it, but it's not true. So, the first thing is, uh, if you're offended by language, uh, [ __ ] you. But, um, and not really. I'd like you to not be offended by language. I'd like you to
question why that word bothers you so much. But the word palindrome doesn't, right? I love... I'm ser... like, seriously, right? Palindrome is a [ __ ] up word. Palindrome pisses me off. The reason it pisses me off is I love palindromes. Why the [ __ ] is palindrome not a palindrome, right? Shouldn't it be? For the people who don't know, a palindrome is a word or phrase that's spelled the same forwards and backwards, like mom, race car, taco cat, a man, a plan, a canal, Panama. That is... You're thinking about it, aren't you? Like, is it? It is. But the word palindrome is not a palindrome. It pisses me off. Other thing about me, I have a sense of
humor. Now, I'm going to warn you, a few of you just heard, I have a good sense of humor. While I appreciate you adding that word, that's not what I said. What I said was I have a sense of humor. I'll give you an example of my level of joke. I made up this joke. Do you guys know why Walmart wasn't hacked? They're not a target. Ah, right. I actually got to introduce the CISO of Walmart at an event and I told that joke and he wouldn't shake my hand. Like I introduced him. I went like this and the [ __ ] went and walked around me. I'm like, "Damn it, man. You got the good side." Oh,
right. So, so I have a sense of humor. I like to make dumb jokes. I'm also full of tangents. I will attempt to uh make the tangents relevant. I don't promise that. I'm full of tangents and lots of other things and my eyes are brown. Um I will also forget quite often as I talk about this. I'm going to talk about breaking into [ __ ] Um you'll hear me say things like when I stole $25 million or $2 million credit card numbers or blah blah blah blah blah blah whatever. Please add the words with permission to the end of any of those stories, right? because I forget those words. Um, I am a professional hacker and the professional
means I only do it with a contract, right? It doesn't mean I always get paid. You know, sometime you got to fight for that. But it does mean that I don't do it without permission from somebody authorized to give me that permission. You can't say, "Can you hack my bank?" Well, I mean, you can say it, but you can't authorize me to break into your bank unless you own the bank. Okay? So, that's what I mean by professional. A lot of people use the term ethical hacker. I don't like that term because all hackers have ethics. Their ethics may not match yours, right? Um, you know, I'm right, right? So, we got to think about the words we use. This is
actually part of what I'm going to be talking about today. Uh, we're going to be talking about, uh, how to be Kermit in a Gonzo world. I have been told I resemble Kermit. I have a round oval-shaped body and long gangly limbs. I took it as a compliment. I think Kermit's kind of cool, right? So, we're going to talk about some stuff today. Um, I don't like monologues. If you have a question, ask it. Don't do the [ __ ] I got to raise my hand, wait to be called on. Like, don't do that. We're not in third grade. You got a question, just ask the damn question. Okay. So, uh, you probably should turn
this on to get it to work. Buttons, they suck, right? So, I'm Kevin. I'm the founder of Secure Ideas. We are a consulting firm out of Jacksonville, Florida. I like to say that because we're actually around the country. Our world headquarters is in Jacksonville. It is a world headquarters because we have one staff member who lives in Canada. So we're an international consulting firm, right? It's kind of like the Jacksonville airport is an international airport because it's got like one flight to the Bahamas. You want to piss people off in Jacksonville, tell that joke on stage. I had a guy in the audience argue with me. He's like, "We are too an international airport."
Like, "Cool [ __ ] Answer this question without the word Atlanta and I'll believe you. Where's customs?" Like, it's in Atlanta, but it's like, I don't know. So, we're a pentesting company. We break into [ __ ] tell you your baby is ugly, and go home. That is our job. And the reality is all babies are ugly. We lie to new parents. They don't have kneecaps. Their skulls aren't fused together. They're squishy humans. It takes like two, three months for that kid to be like, "Oh, it's adorable." But you don't tell new parents that because then they won't reproduce the species. I also have kids and they know I feel this way, right? But the reality is when I go in
and break into stuff, when my company goes in and breaks into stuff, we are literally coming in and telling you your baby is ugly because very rarely are we testing something that nobody cares about, right? Somebody built it, somebody designed it, somebody architected it, somebody manages it, somebody controls it. And I get asked all the time, do you ever fail to get in? And the answer is yeah. If you don't have a good enough scope, we could fail if you limit us to the points like we've literally had people say that IP address is the only thing you can test. It's not really a pen test, right? You're an idiot. I'm sorry. I just plain and
simple. But we get in all the time. Why do we get in all the time? I'd like to tell you it's because we're [ __ ] wizards. We have skills. The reality is we get in because we figure out the ways you made a mistake. We figure out a way that your business does something that I can abuse. Right? It's that simple. You can't make your systems secure. I don't give a [ __ ] what the sales guy from ThreatLocker keeps saying at the booth next to me. Ring fencing. You made that [ __ ] word up, didn't you? Right. And I'm sure the ThreatLocker guy is really good and awesome, but I've heard
his pitch 15,000 times already. And I'm amazed he hasn't said AI, Bitcoin, crypto. Venture capital money falls out of the sky. You don't have to actually produce something. You just say zero trust AI and the VC people pop out, right? So, what are we going to talk about? I don't even [ __ ] know. You know, it's the way it is, right? I submit a talk, they come back, they go, "Kevin, you want to speak?" I'm like, "Sure." I'm actually petrified of public speaking. I really am. I didn't throw up this morning, so that's good. We're going to talk about purple teaming. This is a really hot button topic for people. People love purple
teaming because we love colors. We're nerds. We have two things we like. Colors and acronyms. We do, right? Like, yeah. You get into conversations with a nerd, all the acronyms come out and we overload them. Like, can you tell me what TCP is? Transport. Ah, nice. You'd be wrong. I actually did a pentest, and this was for a previous company I worked for, InGuardians, and my boss scoped the job and they kept talking about TCP, and so he assumed it was a network test, and it was an app that they had deployed, that they had built, and they named TCP. Are you on drugs? Like, what is that? People say to me, I
love it when people come up to the booth and they ask questions, cuz I man the booth a lot. I don't know why. I hate people, hate crowds, right? But I'm at the booth all the time. People walk up to me and they'll say things. We had a guy say it earlier today. He walks up and he's like, "Do you know what..." and he rattles off an acronym, "...is?" And Britney, who was at the booth with me, she says to him, "Maybe." Like, could we get a little more context than three random [ __ ] letters, right? Like, we have so many acronyms we've come up with TLAs, which is an acronym that stands for
three-letter acronyms. But purple teaming has grown a lot, right? We're going to talk about it, and I'm going to tell you why I think most of us are doing it wrong and most people who are hiring pentesters are doing it wrong, right? We as an industry have built out this idea that pentesting is the be-all end-all. I literally have people say to me when we're scoping a job, they'll say, "Okay, when you're done pentesting us, will we be more secure?" And the answer to that question is, "Fuck no. When I'm done pentesting you, you will have no more security than when I started pentesting you, but I hope that you have a better idea of where you
should focus your resources. Then you might make yourself more secure, but I can't pen test you to security. I can't. Sorry. I don't fix [ __ ] I tried fixing [ __ ] They break. If you fix computers, like, that's the best thing with family. I know you all have this problem, right? Your family, you know, it's like holiday dinner and, hey, my phone's not working. Stop serving porn on it. But I don't want to need to know that about my grandfather. I just tell him I break computers. You give it to me, I'll enjoy it and I'll give it back. But pen testing, right, has become bigger and bigger and bigger. And don't get me wrong, I think
penetration testing is very important. I think if you're not doing real penetration testing, right, because we're not Horizon3, we're not Nessus, we're running an actual pentest. And look, you can hire Secure Ideas, whoever the [ __ ] you hire. If you want to know who, we've got a web page that lists the seven companies we recommend that aren't us that do real pentesting. But the reality is, if all you're doing with pentesting is letting me hack in, tell you you suck, and go home, then you've wasted your money. Now, if you're going to waste your money, send it to me. But I don't want you to waste your money. I want you to get something good
of it. So, a number of years ago, the idea of purple teaming came out. And purple teaming is something many of us had already been doing. We just didn't have a name for it. As a matter of fact, I did a talk at UF called blue team testing, which was the idea of purple teaming, right? And that is not me saying I invented it. I want to be very clear, right? I just gave a talk about it. And the idea was this is pentesting but focused on collaborating. This is pen testing, but understanding what you're doing on the blue side as I do my pen test. Because the reality is I can do really cool [ __ ] I can... I have
the world's best job. I get to come in, find all of the problems, and have zero responsibility to fix it. Right? I come from an IT background. I got my first job out of high school writing software to control the power grid, which should scare the [ __ ] out of you because that code I wrote in 1991 is still running in parts of the power grid today. And I'm not that good of a developer today at 52, I damn straight wasn't that good at 18. I got the job because I knew Pascal. The code wasn't written in Pascal. It was written in C and assembly. The guy that hired me said they're similar. He gave me a Borland C compiler and a
book. Code still runs. That's all I can say, right? But we come in and we break stuff and then what do we do with it? And if I come in and I break stuff, does that mean you failed? No. This is not a pass fail thing. I talked to somebody this morning, uh, young man came up to the booth and he said the thing that I hear from so many people, oh man, I want to be a hacker. I'll be honest, if your phrase is, I want to be a hacker, you're not going to be. Cuz being a hacker is a mindset. Now, what he meant was he wants to be a pen tester, right? And anybody could be a
pentester. It's not that hard. I'd like to tell you it's hard, but it's really not. Right? But I talked to him about it. I'm like, why? And he said, oh, and... and I want to be clear. I'm not making fun of this kid. So, if he's in the room, I'm blind. I can't see. So, if he's in the room, I'm not making fun of him. His mindset is a valid mindset. He said, "Yeah, I love the competitiveness, the ability to test something and beat the other side." And I said to him, I say this to a lot of people. I'm like, "Hey, how blunt do you want my response to be? Because if you're not in the mood for a
blunt response, I'll go, "Oh, that sounds awesome. You're adorable." And move on. And neither of us give a [ __ ] But if you want real feedback, tell me you want me to be blunt. And he said, "I want you to be blunt." He then regretted that, I think. And I said, "You don't want to be a pentester." He's like, "No, I do." I'm like, "Yeah, you think that?" You understand that like two-thirds of our [ __ ] job, if not more than that, is writing a [ __ ] report. Like, you know, I'm right, right? Like, oh man, but don't you use templates? [ __ ] Kind of. Like, yeah, we've got some stuff. How to
describe SQL injection? I'm only going to write that [ __ ] one time. But how do I describe your SQL injection? That I got to write custom, right? And I know some of you in the room are like, Kevin, it's 2025. There's no SQL injection. And I'm going to say you're a [ __ ] [ __ ] Of course there's SQL injection. There's probably SQL injection in that projector. Okay, maybe not the projector, right? But it still exists. Absolutely. And here's the problem with that. Do you understand that we discovered SQL injection more than 20 years ago? And when we discovered SQL injection, we discovered the solution. And it is the only security control that actually
makes the application perform faster, and yet we don't roll it out. Pentesting is not a competition. Pentesting needs to be a collaboration. That's what purple teaming is. And bluntly, all pentesting should be purple teaming. There are very few instances where you coming to me and saying, "I want you to do an unannounced test so I can test my people," is a good idea. Very few. There are some. There are some reasons to do that, but there are very few. I tell people all the time, if you don't trust your SOC to notify you correctly, get a new SOC. Because the idea is you don't trust them. Well, I want you to test them. Okay, but that's a waste of [ __ ]
money cuz you don't trust them. And if they detect me, does that mean they did a good job? Cuz I'll tell you a story. I was doing this pen test. It was a purple team exercise. And I had the security team. I was in the office in this cubicle. Okay? So imagine a room 75% bigger than this room. Okay? And I'm in this corner in a completely [ __ ] glass cube, like a conference room. And it's day one of the test and they hand me a laptop because we're going to use one of their laptops to live off the land as part of the testing. I say, "Thank you." And I open it up and I set it down.
That's it. I bloop and I set it down. Okay. And we're sitting there talking and diagonally across the room, all the way across the room, I can see the SOC, which is like these two surfer dudes and a bunch of monitors. Okay. And I see the one guy, he does this, and I'm dead serious. He's like, and he jumps up. Now imagine we're in this corner and coming this way are three rows of desks, people on both sides. Okay, so six groups of people all the way across. And this guy jumps up and starts to climb over [ __ ] to go, and literally over the [ __ ] monitors, over the desks. He comes diagonally across. He walks up to the
door. He slams open the [ __ ] door and he goes, "I got you." And I'm in the room. You may not know this, but I'm slightly sarcastic. And I look at him and I said something like, "Yep, you found me in the classroom. Who are you?" "I got you. I detected you. I saw you hacking my [ __ ] I got you. I win." Dude, I don't know what the [ __ ] is coming out of your face. He's like, "I saw you. You're attacking my Symantec server." And I'm like, "No, I'm not." He's like, "Yes, you are." I'm like, "No, I'm not. I'm literally having a conversation right here. That machine right there hacked me."
I said, "Sir, I don't believe you're detecting something correctly." But let's say you are. If you're really seeing a hack from that machine against your Symantec server, your build has been compromised, because that machine has been built on your build process and all I did was open it. "Well, it hacked us." We dug into it, right? What had happened was the machine booted up and Symantec reached out to its control server to get its config and its signatures. This guy had known we were coming. He had decided to tilt the deck a little bit, and he had gotten the build people to give him the laptop ID, and he set up a monitor for any traffic
from that workstation and he felt that was a good way to test. I will tell you this is one of three times in my career that I have literally recommended fire that dude. Okay, normally we don't. Normally it's like, "Yeah, man. I tricked this guy. He [ __ ] gave me everything, but it's not his fault. I'm gonna use you as example." Okay, you sat in the front row. And right, but it's not his fault. It's the system. It's the process. It's this. Fix that. This guy said, "Fire that guy." Because he didn't understand the problem. Because the idea is we want to test detection as well. And setting up a monitor for my workstation ID is not
really testing my stuff, right? That's the problem. we see these collaborative exercises. Uh let's be blunt and this is something we don't do as often anymore, but in person is better than remote. Uh at Secure Ideas, what we do, we'll either fly butts and seats to your offices, but what is more common nowadays is we fly your team to us. We have an office in Jacksonville, we have a conference room that we can sit in. The reason we do that is most of our customers nowadays, their security teams are remote. They're not going into an office. And even if they do, by having them come to our office, they can work with us in person and they're not
getting the drive-by ticketing that happens, right? How often are you sitting at your desk? Somebody says, "Hey, can you help me with, uh..." Right, I'm busy. I need this. If you're at my office, you're separated from that. Okay? And we sit with you and we start testing stuff and we work with you to evaluate it. We start low and slow. Hey, what did you see? What did you see? What did you see? What did you see? Okay, you caught me. Is that the right point to catch me? Is that the right threshold to catch me? Right. Do you want to tune that a little bit? Why did you catch me? Oh, you caught me because of the user
agent that that script used. Okay. What happens if I change the user agent? Did you test it? Right. And so by doing that collaborative approach, which I want to be very clear, if you're doing a purple team exercise and what I just described is not happening, you're not doing a purple team exercise. What you're doing is a pen test they added more money on. Okay? And you're getting ripped off, plain and simple. And I'm not going to name any companies, Optiv, but what I'm just going to say is that you need to work better with their company. I'm only making fun of Optiv because it's a name everybody knows. That's all right. Rapid7 is really who I should
have made fun of. But [Laughter] so the reality is we've got to do this type of testing, right? So, as we move around and do this, right, how do we determine the success of this thing? Because all joking aside, and honestly, those are all jokes, right? But as we look at it, how do we determine whether we detected correctly? Because like I said, this isn't a competition. This is not a hey, I got you. Haha. This is a did we tune things correctly? Right? Where did they detect it? What did they detect? Because I'll tell you right now, a lot of SOCs, they don't look at applications at all. Right? They can't in the way they're set up. I was working
with one bank and we were testing their stuff and the bank is like, "Our biggest worry is, can our SOC detect the attacks?" We started slow, they didn't detect anything. We got louder, they didn't detect anything. We got louder, they didn't detect anything. We threw [ __ ] at the wall and they did not detect it. We walked in going, "We're hackers," and they didn't detect anything. So, finally they let us talk to the SOC. It was a third party, right? And that's one of the problems. A lot of times they won't let us talk to the third party. I hate that, but I understand it. But so, we get with the third party and they're like, "No, we're
monitoring." We look at it. What it turns out is this bank had had a primary connection to the internet and the SOC had put a tap there. Not really a tap, but let's go with tap, right? Because I'm old. And they were monitoring it. And about three years before our test, three years before our test, they had brought a faster connection in. And they had converted the old connection to the backup DR connection. If something happened to the big one, the slow one. So there was a little bit of traffic just as a keep-alive going across that. In three years the SOC did not notice that they had gone from megabytes an hour in data,
whatever the number is, right, to bytes a day. I would argue that "that's not good" doesn't cover it. I would go with negligence, but I'm not a lawyer, except on Twitter where I pretend to be one. And, um, fire that guy. I'm sorry. "Second time you said fire." Nope. That was a company we said fire. But right, but this is the problem, right? Were they detecting at the right place? Were they looking at the right place? If you've moved all of your systems to the cloud, but you're running agents on servers in your data center, then you're not doing a good job. And that's okay. We can fix that, right? But that's what we're doing. But it's not
just important to know what they detected. It's important to know what they didn't detect. And should they have detected it? Right? Should they have? I don't know. Depends on the attack, depends on the business. Because this is where we start seeing the mistakes. And I see these all the time. And I want to be very clear. I'm going to say here are the mistakes. And I'm not going to tell you I've never made any of these. I mean, I will tell you that, but that would be a lie. Right? We start seeing people, oh, okay, here's the provided scope and they don't look outside of that. And I want to be clear, I'm not saying attack [ __ ] the customer
didn't tell you it was okay to attack. I'm saying when the customer gives you a scope in any pentest, but especially in a purple team exercise, one of the first things you should do is reconnaissance to see what other things might be in scope or should be in scope. Then go back to the client and say, "Hey, Eric, you gave me these ranges. I found this other stuff over here that looks like it's yours. should that be tested? And then evaluate their answer. If they say no, ask them why not. I don't mean to argue with them, but do you know how many times I've had customers say to me when I say why not? And they go, "Well,
that's really insecure and I don't want it in the report." That's adorable. More than likely they're forgotten assets, right? Being loud too early. How many people here? God, I'm a pen tester. I run Nessus, right? You accidentally run masscan wide ass open. That's a technical term. Wide ass open. It's actually a flag to masscan. Okay, it's not. But right, the other big one I see a lot of times is people fail to communicate, right? They think they are. My favorite is here's what we're gonna do. We're gonna have a meeting every day for the next three weeks at 9:00 am with everybody involved and then at 4:30 we'll have another one. And we do have some people in England.
So, can we get together at 700 p.m. And you think, okay, I'm talking to these [ __ ] people three times a day every day. I must be communicating enough. No, you're just talking a lot. How many of those meetings do you all get on the meeting? You go, "Got anything to report?" "Nope, we're still testing." "Okay, cool. Thanks." That's not communication. And oh, by the way, when you get to that 4:30 meeting, do you remember what you did at 11 specifically? Do you remember what what was happening on the other end? Do they know exactly what was happening at 11? Right. The other one we see a lot of times not engaging with the right teams. Right.
Well, I'm talking to security. Do you know what security knows? security. Do you know how many times I say to security people, "Hey, I found this thing. This seems bad." Oh, you're right. That does. Do you need that? [ __ ] I don't know. Maybe it's running on the server, right? Turn it off. See who complains. So, how do we fix this? In my mind, the way to fix this is to shift our focus. And this is actually something I've been ranting around and about for a long time, and I'd like people to start [ __ ] listening. Do you know how many times I talk to pentesters and security people and IT people and I hear [ __ ] bitching about
the business and the users? How many people here have heard users are stupid? Yeah. You know your users, right? Seriously, do you know how many times I break into companies because the infosec [ __ ] something up? How many people here are professional infosec at a company, like not like a consulting firm, but like, you know, you work at a bank, or, right? So you're a professional infosec. Keep your hands up. Keep your hands up. Come on. Okay, now how many of you do... I saw you put your hand down. You thought you could be subtle. Okay, now how many of you do part of your job or all of your job with administrative rights?
Liar. I believe you this time. That's... You can put your hands down now. Do you know who I attack first? The people with administrative rights. Do you know the number of times that I have plugged one of my devices into your network and the first thing you do is attempt to connect to it with enterprise admin credentials to verify that I'm locked down correctly. I just proxy those to the closest server I can. I'm now an enterprise admin. Thank you. Do you know how many times we walk into organizations and we're talking to infosec and we're like, "Hey, this is how this works." And then we get in and we get their SharePoint share and there's this cool passwords.docx.
It's not a text file though, so it's okay, because that's always the example. My favorite is passwords.pdf, because that means you don't change them often enough to need to edit the file. You think I'm kidding. Like, it blows my mind how many times people say to me, "Oh, you found those credentials, but we haven't used those credentials in years." "How often have people made honeypots to have you fall for those and use the creds? How many times does somebody use fake creds as a honeypot?" Those would be more of a honey token, as the actual term, just so you know, right? How many times? All the time. But here's the
thing. If you're having me test your system and you don't tell me about your honeypots and your honey tokens, you're wasting your money. Seriously, because you know that that detection works, right? So why have me fall into it? If I spend... let me, let me, okay, you have a really good honeypot, or I'm just having a really stupid [ __ ] day and I get stuck, because either works, right? And I get stuck in your honeypot and I spend an hour thinking that I'm a domain admin on your honeypot and I'm like doing the root dance, right? You know what I mean? What did that benefit you? Seriously, what did it benefit you?
Right? Nothing. You tricked the pentester. Do you feel better? If you feel better, cool. Go talk to a therapist. They'll help you feel better all the time, right? They might even have meds. You might need them. I'm not saying you don't. I'm not making fun of needing meds. I'm just saying if you're doing that so you feel better, you're doing it for the wrong reason. The goal here is not to win. The goal here is to understand if your controls work well. Having fake credentials that I stumble across works well. Thinkst Canaries are awesome. I recommend them highly, but don't use them to fake your pentester out, because every bit of time I
spend using the fake [ __ ] is time I'm not finding the real problems you're not aware of. So yes, they do happen, right? But it's a waste of time and that means it's a waste of money because while I'm not that expensive, I do cost money. There is an invoice attached to my report. Use that resource. Well, unless you have unlimited budget, and if you have unlimited budget, call me. I'm looking for that company with unlimited resources. Right? But we see this all the time is that the security team doesn't understand how the business works. How many people here I just had this discussion on LinkedIn yesterday. A friend of mine who's really smart
reposted some other person's post. I don't know the other person, but the other person is recognized in the industry as an expert at stuff, right? And the person was saying that we should change passwords two or three times a month. I think is what he said. It might have been one or two times a month. I might be exaggerating. I don't remember. It was either one or two times a month or two to three times a month. He also was saying that we should ensure that nobody clicks anything. [ __ ] you. Let me ask you a question. How many people here take annual security awareness training, right? How many people here take annual security awareness training that tells
you not to click [ __ ] Probably says it politer than that. How many of you got to that annual security awareness training by an email that had a link on it that you clicked to get to the training? I'm going to save you some money on KnowBe4. I'm only picking on Eric here. Here's how you do security awareness training. Build a web server. Put a web page on it. Send a link to that web page to everybody in the company. When they click it and it opens, the web page should just simply have the words on it, "You shouldn't have done that." That meets most awareness training requirements. Not really, right? But like we do this
all the time, like, "Oh god, they click shit." Yeah, you built systems that require them to click [ __ ] Your entire organization is wrapped around clicking, and users are supposed to recognize the clicking they're not supposed to be clicking. I know that's not grammatically correct, but that's how I like to say it, right? The reality is people will click stuff no matter what you do. So, what you have to do is build the other [ __ ] I'll pick on KnowBe4 because of Eric being in the room, but they've got some good stuff out there. They don't tell you don't [ __ ] do it. They tell you pay attention to why you're doing it. Think about what you're
doing. And that's what I tell security people. Do you know how many of us are social engineered all the time? I got socially engineered last year. Year before. Year before, I was elected to the OWASP board. I got the notification that I was elected. I was also told, "Please don't tell anybody until tomorrow at 5:00 p.m. when we make the public announcement." Right. The next morning, I get up and I have a Signal message from Alyssa Miller. If you don't know Alyssa, your life isn't as good as it could be. Alyssa is awesome. Alyssa sent me a Signal message and all it said was, "Congratulations." And I wrote back and said, "Wow, thank you. Who told you?" And she wrote back,
"You just did." Nobody would tell her who won, so she texted me. I got social engineered by Alyssa Miller. Right? And I'd like to believe I'm smarter than that. I'm [ __ ] not. We fall for [ __ ] all the time, right? We need to make it better. Reconnaissance is critical. Understand what you're targeting. Understand why you're targeting it. The biggest thing is we want to be Kermit, but we really want to win over Miss Piggy, right? You guys have all watched the Muppet Show. You haven't? Get the [ __ ] out. Damn. Don't admit that. "I haven't watched the Muppet Show." Your life sucks. Having five virtual machines doesn't mean you can't watch the Muppet
Show. The reality is, exactly, one of them can run the Muppet Show. The reality is we have to win over the business. Hacking for hacking's sake is fun and a blast and helps nobody. Our job is to help the business. I was working with this movie studio and we were doing awareness training, and I don't mean like awareness training like here's a video. We were actually flying on site and meeting with teams of people to discuss their business, what they did, why they did it, what the risk was, and talking to them about how to be better at being more secure. And I'm in this room and it's like an auditorium and they're
there and the question I was asking is, what keeps you up at night? What's the data you're most worried about in your job? Not the studio as a whole, your role. What is the data? And people, oh, credit card number, social security number, blah, all that [ __ ] This one lady in the room. Now, keep in mind, it's a room of like a hundred people and they all do the same job. They're all on the same team. This one woman says, "Celebrity cell phone numbers." And before I could say anything, the room erupts. A lot of people had the look that's on your face. Cell phone numbers of celebrities. What are you talking
about? That's ridiculous. That's stupid. That's not what it could possibly be. That can't possibly be the biggest thing. Do we have a fire? Nope. Okay, no problem. So, as long as we don't have to evacuate, I'm cool. Right. So, she's like, "Celebrity cell phone." And everybody's like, "No, that's wrong." Blah blah blah blah blah. And I stop them all and I'm like, "No, no, no, no, wait a minute." And I want to be clear. I'm not saying she's right. I'm repeating. Okay? And I said to her, "Ma'am," why why celebrity cell phone numbers? Like what why do you think that's the biggest thing? She goes, "Oh, it's really simple. In our job, we deal with
the contracts with the the stars, the the cast." And uh one of the things we need is we need direct contact information to the celebrity because like if something happens, we they're not on site or, you know, we need to call them, not their agent, not their admin, not their this, whatever. We need to call them. And so we have to have their cell phone. But a lot of celebrities, they're stalking, there's [ __ ] weird people, right? Like they, this is a problem. And so they don't want to give us their number because of that risk. We need the number. So not having it is a risk. So we have in our contract a penalty of
seven figures if we lose the cell phone number automatically. We don't argue it. We don't fight it. We just write a check. You know what? I can't vet anything that woman said, but if everything that woman said is right in her job, that is the biggest security concern because there's a penalty with cash assigned to it automatically. And let's be blunt, 100 people in the room, all doing the same [ __ ] job, and she's the only one that understood the ramifications of that clause in the contract. Right? That's understanding the business. That's understanding what keeps people up at night. That is understanding how to look at real threats, real attacks, real things, and associated to the thing
people are worried about. That's the idea of threatled pentesting. And I want to be very clear, that's now a marketing term now that Dora made it a requirement, executive order made it a requirement. But the reality is, if you're just doing a pentest and hacking random [ __ ] that's not threatled. You have to work with the organization, work with your contacts, work with your people to understand why they have the goals they have, why they have the controls they have, and then determine the best path forward to understand risk and understand where their problems are. And we as humans, I'm going to wrap up with this. We as humans suck at risk assessment. I know there many of us are
go, "Yeah, no, I do. I love I love risk. I know risk. I was out in Denver. I was keynoting an event out in Denver and I asked the people in the audience, "How many people here are afraid of sharks?" And the majority of the people raised their hand. And I said, "No, no, I want to be very clear. I don't mean oh sharks. I mean, oh my god, I could be bitten by a shark right now." And like half of the people in the room kept their hand up. And I pointed out that Denver was a mile above sea level. And as far as I knew, the only way they could be bitten by a shark is if
somebody was transporting a shark from one aquarium to another and you rammed the truck. I was educated later. The Denver Aquarium lets you pay some money to swim with sharks. So, you actually can pay to raise your risk level, but for the majority of people, shark attacks in Denver aren't a massive issue. Do you know what you should be more afraid of in Denver? Soda machines. Soda machines kill more people, injure more people than sharks. And I don't mean through diabetes. They shake the machine, it falls on and crushes them. Seriously, do you know how sad? I mean, it's sad anytime somebody dies, but to be died to be died. That's the new Wow. to be died
by pulling a soda machine on top of yourself, glutton. I don't know what to say to that. We have to understand risk. We have to understand what we're doing. We have to understand how we're doing it and why we're doing it. We're not here to win. We're here to move the needle. We're here to make things more secure, better off. If I come in and I test your organization and I leave and you're not better at understanding where you need to focus your time, I [ __ ] up. It's that simple. I [ __ ] up. And I try my damnest not to [ __ ] up. You should, too. Thank you very much, everybody. Enjoy
yourself.