483 Is Automated Pen Testing a Thing?
March 30, 2023


Vonahi Security is a cybersecurity company that offers a SaaS platform called vPenTest, which automates network penetration testing.
Guests: Ky Tran and Sean Lardo

We answer an important question out of the gate: can penetration testing really be automated? The short answer is yes.

Vonahi Security is MSP (Managed Service Provider) friendly. They provide a platform that allows users to perform penetration tests on their network whenever they want and as often as they want. They offer a platform called vPenTest that makes automated network penetration testing easy, scalable, and lucrative. 

=== 

Vonahi website:

Syncro Ask Me Anything: https://syncromsp.com/webinars/ask-us-anything/

ASCII Edge, The MSP Conference 2023: https://events.ascii.com/

Pax8 Beyond Conference: https://www.pax8beyond.com/  (June 11 through June 13, 2023)

Miami Heat Could Play in Kaseya Arena: https://tinyurl.com/2npjc7e3

Florida Man Loses Fight, Runs Over Opponent with Corvette: https://tinyurl.com/ye26dct9

 

Transcript

Friends, Uncle Marv here with another episode of the IT Business Podcast, the podcast where we try to help you run your business better, smarter and faster. This is the Wednesday live show. It is the last Wednesday of the month of March, my birthday month, and that is significant because one of the guests coming up also shares not only his birthday in this month, but the same date as mine, and he tried to hijack the show last time by drinking.

He'll probably try to do it again. But that's gonna happen. Sean Lardo will be joining me in just a few minutes.

We also will have a visit from the Chief Product Officer over at Vonahi. They were one of the finalists in last year's pitch program and we're gonna talk about that, and that, of course, is why the title is, uh, well, whatever the title is, is automated pen testing a thing. So, they will both be joining me a little bit later.

I'm gonna start by giving you my little tech tip for the week. And for those of you that have followed the show over the years and I've shared just a little bit of snippet about my stack. One of the things that I've shared starting in COVID was that as supply chain became a little sporadic. Uh, I wasn't able to get my HP switches or I wasn't, uh, able to get my, er, switches from SnapAV, whatever. They're Snap One now. Uh, I came across EnGenius as a provider of managed switches and I love them because not only were they managed switches at a reasonable price, they were fully PoE and you can get them partial PoE or full PoE, blah, blah, blah. But the bottom line is, they were PoE and they were good.

They worked with not only my Domotz, but they also worked with my NetAlly tools and they were fantastic. Well, I might need to adjust that thinking a little bit because as it turns out the last year or so, they've been bringing out new models doing some upgrades and normally that's a good thing. And the products have been good, but I just ordered three new switches for a client that we're moving at the end of April and I went to go set them up and they are completely different in terms of setup from the previous models. They have models where you can manage them either locally or in the cloud, which I have no, I, no, no problem with. I've managed some in the cloud, but the cloud platform has changed and there are now three different places where you can manage some of the devices and some devices you have to manage in a cloud app called EnWiFi. If you're doing the access points, there's some that are in the partner cloud, there's others that are in Cloud To-Go. Uh, it, it's, I'll be honest, not really happy about it.

I consider it a mess when you start dinking around with all the different places to manage stuff. So, I thought that EnGenius was going to be a MSP slash cloud friendly, uh, provider. And if they keep doing this, I'm not gonna consider them MSP friendly anymore because right now I've got switches that, you know, are here in Fort Lauderdale, Pennsylvania, uh, the other side of the state and I have to go to multiple places when I want to do these switches. Uh, not very nice, uh, EnGenius. So, thank you very much.

Not really happy about that at all. And let's see, I do want to share one bit of news. So, we're gonna bypass the regular news thing that I do and talk about.

One of my, well, one of my staff members is KASEYA and Kaseya is actually headquartered down here in Miami and they've been trying to get me to visit. Apparently, I'm not allowed to visit unless Matt Scully is in the area. So, Matt reach out to your boy Spence get that set up so I can come visit the mother ship. But in terms of news, I read a statement that actually started last week and the statement basically in the news read like this Miami Heat could play in Kaseya Arena.

You heard that correctly, negotiations are underway for the stadium that the Miami Heat plan, it was previously called the American Airlines Arena. Uh it was supposed to be done uh done with the company FTX, but we know what a fiasco that has uh become in the last couple of months. So now Kaseya was recently named as the mystery tech company seeking incentives to add 3400 high paying jobs to its downtown Miami headquarters and they are looking for the naming rights of that arena. Um And I'm just thinking, why are you spending my money on the Miami Heat Arena?

So, first thing I'm gonna say if, if you think I'm just, you know, busted on the Miami Heat. Well, you'd be right. I don't like this, but I'm thinking that's a lot of money to just to be spending on a stadium. But hey, I don't wanna say too much.

I know that people will make comments about their contracts and this, I still have a couple of products with them. IT glue. I'm sure I have something else with them, but uh just interesting. So, we'll wanna keep an eye on and see if they actually do take over and, uh, the Miami Heat play basketball in the Kaseya arena. I don't even know if I like the sound of it doesn't roll off the ton, but I'm gonna bring in my good friend Sean Lardo. And, uh, how do you? Hello, Sean. Why don't you tell me why?

Some, how you really feel it in the middle of a puff there, the, to put it down. But I'm, uh, well, I mean, it's, it's one of those things where it's a little too close to home, you know, American Airlines. I don't, I don't have any personal, you know, stake in American Airlines. I don't have a stake in a lot of these other companies that get naming rights to arenas. But that's, that's in our, that's in our purview, man. I don't under, I don't understand why would want one though or, or ConnectWise for that matter either because, um, stadiums are usually a B to C promotion, right? Business to consumer. And so, I mean, I, I, I'm sure maybe, maybe they have the reason, they sure they have the reasons that are doing it right. But I, but I'm surprised, like in general, because I wouldn't, I wouldn't think I'd be what I, what we, we, we would do what we would do in general, any one of us because none of your end users know we exist.

They will not, we're not, IBM, we're not, you know, we're not Dell, we're not Microsoft. We don't have a, a, we don't have a play from, you know, business to consumer. Yeah. But I think a lot of our vendors now, for instance, let's just say, enable, who is a product that I use?

I found out that their backup product Cove is something that regular businesses can get. In fact, a client that I took over just a few months ago already had cove backup that they were using and they were not obviously an MSP. They had an inter internal I T guy and that's what they were using. They didn't get it. Yeah. But that, that could be the anomaly. Right. That would be an outlier.

I'm just saying that large, I don't know, I don't know anybody that I know that even knows ConnectWise is a company unless they use screen Connect and they see that ConnectWise is otherwise they don't really know. And even when they see that they don't even know it's a company name. Sometimes they just think it's whatever, it's just some sort of jargon, you know. So I am, I am going to start my pitch. I am going to have an Uncle Mar of something, not just the I T Business Podcast.

All right, I'm gonna put my name on something. So, I want mine on like, I want to put mine on like, uh like barbecue sauce because I really like to eat. I like barbecue sauce. And everything too. So, I think it'd be great. Largo's barbecue sauce. Hell, yeah. Extra spicy. That has a ring to it. Extra thick and spicy.

Um, I did all right, my friend. Well, let's dig into some tech here. We've got some listeners, uh, viewers watching the show and I'm sure they're interested in what we're gonna talk about this evening. So, before we do that, let's talk about how you've been, it's been a couple of weeks. I know. Right. It's our birthday. Yeah. Yeah, that was the last time we saw each other, it was a birthday. I wasn't allowed to drink until the end until the end. What are you drinking there? Ok. We'll move on. Oh, all right. Which is a, you guys, I don't know.

Everybody has all these exotic drinks. It's so exotic. It's Angels envy. They sell it everywhere. It's angel’s envy. I, I don't know what that is.

It's, it's a, it's a bourbon. It's sold everywhere. Like it's not like, but it's not everywhere.

But, yeah, actually in Florida too there's a lot of it. I drink it connecting and it's secure and everything else. So, yeah, it's there. Um, but this is the, this is the rum cask one which is the, the best. It's phenomenal. It's just good. Don't take your word for it. I'm not a bourbon guy. Although everything else is great though. By the way, I, uh, was at ASCII last week in Atlanta.

Which I will, I'll leave that part for you to talk to Ky about when you bring him on because he was there for his first ever ASCII. Um, but, uh, yeah, and I'm getting ready to head to Chicago next week for the, uh, the ConnectWise user groups meeting. Um, it should be, this will be a big one.

This will be one of the bigger ones of the year. So, all users, that's all it is. All partner led the entire agenda, all the speakers, everything was asked for from the partners. And where is that one gonna be held? It's in Chicago. Well, outside of Chicago, it's never in the city because it's like a pain in the ass to get rooms there and, and then keep everybody together. Hilton, the Hilton is a place man.

Oh, I know we were there together. I know. I know. I like it there but it's, you know, it's uh so it's um I forget what the name, the name of the hotel.

It's like five minutes, it's like five minutes out of the city, but it's Chicago, nonetheless. Um we are all meeting there next week. And so it's literally a full day of everything of workshops, panel discussions, every network, it's a single day. Hm. Well, we get there the day before and then we do an evening event with everybody. Hang out network. Get to know each other the next day, all day. Uh content, stay another night, talk about everything.

Digest, get together, do stuff like that and then the following day at home, um, like I said, it's, and it's all partner led. That's, I think that's the important thing. It's the users and it's all partner led. That's the important piece here.

That's something we want to stress. We, we wanted to be able to capture that and that's what we have and I like that in and out. Absolutely. And, and find time to be with your friends because you don't get to see too often, right? And so, if you get some time, so, so we set aside, set aside enough time that everybody gets to be involved with something, learn some things, but also get to hang out. Sweet. All right. So I've gone ahead and put up on the screen for those that are watching live, the link for pitch it. And for those of you of you that are listening, I will have the link in the show notes, but we are here once again to talk about pitch it.

2023 the applications are open and you can sign up if you are an emerging vendor and you wanna be a part of this uh sign up is through April 30th. So Sean, for those who maybe skipped a few shows have their head in the ground. Haven't done anything for a few months.

Why don't you tell us about what pitch it is easy pitch. It I get yelled at all the time for saying this, but it's like Thunderdome, right? You enter one man leave. Um No, it is ultimately. So what it is uh it is, it isn't a, it is a, it is a program and contest created from ConnectWise.

We're going on six years now. Uh And what we did and what it is we're looking for all the emerging technologies that are going to be complementary to the ecosystem of the community that are able to be able to be partner first friendly, right? Um And as I said, it's a competition. So, at the end of this all, we're looking for the three best companies to compete live on stage at I T Nation in November um for the grand prize of $70,000 for first place and second place is 30,000. Um But yeah, it is a big ordeal for us and hang on. What's third place? Is that a set of steak knives? Um Yeah. Yeah, nothing last year.

No, they, you know where they all get. So they all get free booth space at connect at in November after a finalist. So, we already got that. So that's already, that's already a pretty big prize regardless, right? Um Because it's not as if our conferences are inexpensive, we know that.

So, um the, the, the important thing about this all though is, and actually when you talk to key about it, tell you how is how, how they went through the program. Um But it, we turned it into a 16 week accelerator incubator program where they are in workshops every single week, learning new things between sales and marketing, business, uh business consulting, mergers, acquisition. Um Anything creating a new channel program, product market fit how to actually pitch, how to do an elevator pitch, you know, you're learning all these things over 16 weeks from people that are really experts in the field.

They are the practitioners. Um So, and then during the course of that, they're also doing webinars with you now, you know, and them doing podcasts and POA Lebron doing it. So, they're getting exposure, but they're also working on their speak while they're on these things too because a lot of them or technical people and engineers and they were M SPS or still are M SPS. So, they really don't like it. So we have to bring my company in a little bit, get them some exposure.

The goal for us is, you know, hopefully we love multi winners but they can't all win the prize, but they all end up winning because they end up getting more business. They get that, they get that staying power they didn't have before this, they get to learn how to navigate the ecosystem. They get to meet a lot of people that make great connections and it helps them. I mean, you know, it helps you with your prosperity. If you do this? Yeah. So why don't we go ahead and do this.

Let's have you introduce one of the finalists from last year. Yeah, getting in the green room. So, introduce him and I'll bring him up. Yeah. So actually, I got to hang out with this guy last week.

He ask you, like I said, um, which you were more got them, they, they focus on automated pen testing, which we know is a dirty word in this industry, I think, automated, especially pen test. Uh, but also they were the second place finishers last year in Pitch It. And they have excelled tremendously and my good friend, how are you doing, buddy? Hey, hey, what's up guys?

Thanks for having me. How are you? He's having, I'm, I'm just here. Just hanging out. Yeah, I am doing great, man. Thank you. All right. So, Ky, you are with Vonahi and before we get too far along, why don't you just quickly explain what Vonahi is, who they are, and that way that will help explain my title of the podcast this evening. Oh, no, absolutely. Sounds good. So, Vonahi Security, right? We're based in Atlanta, Georgia.

Been around for a little over three years and we have a, a platform where we give MSPs the ability to deliver network pen testing to their clients. Um, but we also have a services division which basically we have, we do red team assessments, web app pen tests. Uh, and basically do consulting gigs as well. All right. And you went through this, uh, this program last year, the, the whole incubator thing and the pitch thing and, uh, ended up as a finalist. How was that? It was, uh, to be honest, like, so Sean, it was great experience, right?

We learned a lot. Um, it's, it was an incredible journey, to be honest, it was a lot of work. You, you have to put in the effort, you have to, you know, treat it as, as, as a real competition and really put your heart and soul into it. Um, if you wanna be successful with it, uh, and I will say, you know, and it, it never really clicked for me until we went to IT Nation.

I actually had people come up to me and said, hey, you know, I, I came across you on the internet, across the forums, across, you know, social and I was like, yeah, no way, no way those guys are legitimate. And I was like, you know what, I never thought about that, no one's gonna download anything that says automated pen testing if they don't know who you are. Um, right, because it's nefarious but potentially, right? So, the fact that like you were in this program, uh, now I can see a face where I can see your team here, you're legitimate and I want to test it out. And so, it's about building brand awareness, building legitimacy. And getting, getting to network, you know, with, with key people in the space, navigating the ecosystem like Sean mentioned and, uh, learning, learning all the ins and outs of how MSPs really operate. All right. Well, we're coming to that time.

That was so well put, I just want to say that now it was better than I could have said it. So, thank you. Yeah, I learned from the best, I learned from the best, I went through your program. Yeah, that's why it's time to kick you out, Sean. So before I do that, is there anything you wanna say before we, uh, put you back in the green room? No. Um, one thing I'd only say is that, uh, you know, anybody's what that ends up watching this, that's gonna see this, uh, Ky and the Vonahi team did phenomenal in the program.

They actually took, they leverage the shit out of it. They did. So if you guys have, if you are thinking about showing up, reach out to these guys, ask them what they did, ask them how they did it. They had great results in the end and, and you know, and it was fun. They actually helped us boost, boost the program. So, I appreciate that completely. But that's, that's it. All right. Well, it's time for you to head back into the green room as we do that. We're gonna take a quick commercial break and uh key and I will be back right after this. Are you an it business owner looking to take your business to the next level?

Join us at tech unplugged a conference for it. Business owners this September 7th through the 10th at the Delta Hotel's Woodbridge in New Jersey. Get one on one time with peers facing the same challenges as you and walk away with concrete items to help your business thrive. Don't miss out on this opportunity. Head over to W W W dot tech to unplug dot com.

Now, the IT business podcast is presented by Net Ally, the number one ally of network professionals around the world. With over 25 years of experience. Net Ally provides best in class tools and software that enable teams to plan, install, validate and troubleshoot both wired and wireless networks. Their handheld networking tools can help your front line technicians validate network connectivity in less than 10 seconds. Visit net ally dot com to learn more.

Our live stream is funded by computers done, right. Are you tired of dealing with slow and outdated technology? Let their friends over a computer done right in Venice Florida, help their expert team provides top notch computer repair, virus removal and technology support for both residential and commercial customers. Don't let technology frustration slow you down. Get your tech done right with computers done, right.

Contact them today at computers done, right dot com. And thank you so much to our patron supporters, Tom Kyle. Clark and CC. I appreciate you and your contribution to the podcast.

Your support helps me continue creating content that I hope you enjoy. All right, we are back live with the show. I am joined by Ky Tran with Vonahi Security. So, Ky, Sean introduced you guys as, uh, the runner up to last year. Correct. That, that's right. That's right. Right. So, it's kind of bummed that you didn't win. You know, it is what it is.

Take your wins, take your losses. No, but in all seriousness pitching was great. We still won. Right. And the, the team that came in first place, they're, they're a great group, you know, we had fun working with them as well. Ok. Now, I should probably go ahead and get this out of the way.

You actually mentioned it before where the whole idea of automated pen testing. Now, I was part of a group yesterday that this came up. I did not tell them that I was doing a show about this until the very end, but there was a comment where they were like, you know, automated and pen testing shouldn't even be used in the same sentence. And that has been probably a thought in the industry for quite some time that there's just no way to do it. It's, it's too complex. There's, there's a personal aspect that you have to be able to adjust and do stuff. So why don't we start with that? And talk about this whole idea of an automated pen test. Yeah. Yeah. So, I usually approach this conversation a little differently, but I'm gonna try something different this time. Ok. Have, have you used ChatGPT? Wow. I was a little late to the party, but finally, yes, I have. Ok. So relatively speaking, the fact that GPT exists and the ceiling of what's capable with technology has been blown off.

What we do is relatively simple compared to that. So, yes, automated pen testing is a thing and we've done it now. You know, I'm not saying it, there's only four companies in the entire world. Uh, we, we actually keep track of our competitors quite a bit and there's really only four in the entire world that does truly do a, a network pen test that's automated. And it's because these companies like us, right, we didn't build this, you know, it wasn't a businessperson that built it. It wasn't ac admin that built it. It's a team of hackers that built it, people with, that's been pen testing for over a decade that built it. So for someone to come and say, hey, it's fake news. I'm like, yeah, but I mean, are you a pen tester or have you tried it? Have you tried it?

If you're not a pen tester and you haven't tried it then right off the bat, you know, it, it's kind of, it's kind of hard to have this conversation because you might not understand how we were able to do it, but we were, right. So our, our team is primarily engineers and developers with decades of experience of pen testing. I mean, we've taken that knowledge, taken that, that methodology and we've found a way, uh, to, to build out awesome logic and a, a platform that truly delivers a network pen test. And so for, for anyone that says, hey, it can't be, you know, it can't be true.

I will agree that not all pen testing can be automated yet. So for example, web app pen tests, very dynamic, very, very complex, you know, uh, we, we would never say that but we we've automated, at least not right now, but from a network perspective, going after AD, going after, you know, printers, workstations, anything on the network with an IP and a port. Yeah, absolutely. We've already done it.

Please come check it out. Now. Is the pen test that you guys are doing the automation? Is it similar to what most people would say is a vulnerability scan? No, so that's, I love that question too because very, very vastly different, uh, types of scans, right?

A V scan and, and that I agree with 100%, there are a lot of V scan vendors out there that just abuse the term penetration test. They don't even clarify what kind of penetration test. They just straight up say automated pen test and it's just a V scan. So a V scan, right, I, it just has a, a signature database. It's basically a database of known vulnerabilities. And you're, you're looking at what potentially could be exploited.

Some of those don't even have exploits available. Whereas a pen test, you're, you're trying to exploit those vulnerabilities, really trying to break down the doors, um, gain access, you know, make lateral movement, get access to sensitive data if old would never do that. Now, are these a lot of the tools that we know about where people are just taking?

What is, I don't know, Nmap, I'm not a hacker. So, I don't, I'm just what these words are. Um, and you guys are just creating scripts that, you know, have that AI capability to adjust and stuff like that or, or what exactly, I mean without, you know, giving away the farm.

No, no, no, trust me. I, I'm, I'm actually, I'm not even worried about that at all because I, I've seen how complex our, our coding is. So not, not too worried about that at all. Um, so if, if you look at it from a methodology perspective, right? So, so someone who's done pen testing quite often, it's, it's kind of a, a very similar flow, right? At least on the network side, right?

They, they follow a, a kind of a somewhat of a specific methodology and then they repeat it for the next client, the next client, the next client, similar to an MSP. If you're gonna go out and deploy Office 365 to your standard best practices, this is how I'm gonna do it for every single client, right? Um, so from a pen test perspective, at least from a network pen test perspective, a lot of times some of what they do, it's very repeatable. So whenever you think of it from that perspective, um, if things are repeatable, you can automate it.

Now, obviously, with pen testing, there's certain decisions that have to be made based on certain findings that are discovered. And that's where the tricky part comes in is, is, is developing, uh, good, good programs and, and good logic to figure out and make those decisions. And that's what we've pretty much overcome as one of the challenges in, in automating this. All right. Well, before we get too far into the tech and, and, uh, just, just so, you know, we, we are streaming live, we're on YouTube, LinkedIn and the Facebook. Uh, yes, the chat's been pretty quiet so far and, and I'm, that's good.

At least we're not getting hammered with, uh, too many. But, but let's go back and talk about you guys started three years ago. So let me ask the question as to who is a part of Vonahi in terms of, you mentioned that you were a hacker. But, uh, tell me about the type of people that, that make up Vonahi. Yeah. Yeah, they built on. Absolutely. So, our founder, Alton Johnson, he, he's actually the brains behind it all. Um, so he has to like, he's been pen testing for massive pen test companies again, well over a decade. Um, so he leads our pen test team, pretty much leads the, in the entire product side. Um, and he's the one that developed it, right? Is his methodology. Um, his, his, he learned how to code. Uh, and the funny part is whenever he was doing pen testing, right?

He was basically using the platform. Uh, this was before it became a thing. He was using the platform as a way to make his job easier and faster. Kind of what we talked about at the very beginning of the podcast, right? The goal of, of this podcast is to make your, your business easier, faster, better, right? And that's kind of what Alton did. And then he kind of realized, wait a minute, I can, I can deliver this to the SMB market, right? And so there's an opportunity there. So next up, we actually have a really, really good, uh, UI/UX and marketing strategist. Her name is Tray Anderson.

She's a Chief Strategy Officer. She comes from, like I said, one of the best designers in the industry, one of the best UI/UX. Anyone who's used our platform. If you haven't seen it, check out our UI/UX. It's, it's incredible. Um, it is built for the MSP market and as soon as you look at it, you'll see that. Um, then we have Jason Wells.

He's our COO, um, he comes from, he, he used to be a CEO at a cybersecurity company. So he knows how to sell pen testing. He knows how to sell cybersecurity services. Um, he runs operations and then finally, I come from the MSP world, I have over, well over a decade running, leading, operating massive MSPs, right, to smaller MSPs. And so my, my goal at Vonahi is to just make sure our product meets that market.

Now, behind all of us is a team of pen testers and a team of developers and some, you know, back office people. OK. Now, from a MSP perspective or even just a regular IT professional, is this a product that is available to all of us or is this something where you really need to be of a certain size in order to, to utilize this?

Now, that's, that's actually a great question. So, uh, that's where I think Vonahi has really found such a great spot in the MSP space, our competitors. They, they built their solutions from the mindset of, of a, of a pen tester. So you kind of have to be a pen tester to understand how to use it and therefore it's complex. It's very expensive. You've designed it for the MSP. Space is so simple to use your, your, your tier one guys could do it because the only technical piece of information that they really have to know is IP addresses, what IPs do you want us to go after? That's it. Um, as far as scheduling goes. And so, and then as far as pricing goes, we, we are priced for the MSP market. Um, 100%. All right. And from a, from a pen test, this is purely external. So you're gonna give somebody your external IP address and click test and it's gonna go, you know, now, once exploits are found how much is done to discover, like what's behind the IP. Yeah. So we actually do two types, we do external pen tests and then internal pen tests. So from the external side, right?

Basically, it would be give us your WAN IPs and we're gonna try to break through whatever is, is on that perimeter. Um, and for our pen test, the goal is always how, how far can I get? Right? Like what's the highest level of privileges I can get, domain admin? Can I get through that firewall? Can I break through that firewall? Can I take over that firewall? Um, can I get sensitive files because that's really the goal is if I, once I get to all your data, right?

All your sensitive data, that's game over. I got it all. Uh, that's, that's what, that's what the bad guys are after, right? Is what's exploitable that will give me money. Um, so from an external perspective and try to get through that firewall, on the internal pen test, uh, we go after again, anything that has an IP address with open ports. And again, the goal is to, you know, make lateral movement, escalate privilege, uh, really get domain admin, right?

If any, an AD environment, we're trying to get that domain admin account. Um, and then we're trying to get access to all your files. All right. So the question, I'm gonna ask this from a client that asked me a question. So I do have a product where we'll do vulnerability testing, uh, for them. But we've not done anything where we've done a penetration test and the one time that we got almost to the point where they're like, yeah, let's do that. It really came back to, well, if you can break in and you can get my stuff, what happens to my stuff? That's fair. That's fair. Worried about, it's like, well, if you can get it, who's to say you're not gonna take it? Yeah. Yeah. No, that's actually a, uh, that's a really good point and that's why I actually love our solution and the way we've designed it because we get that question quite a bit. Um, so obviously we're, we're United States based business. And the last thing we want is to hold on to a bunch of liability. Right. It's dangerous. We, we don't want that liability.

So, a traditional pen tester. Right. And, and I'm not, I'm not trying to knock on traditional pen testers here, but this is kind of the nature of how it works. Right? A traditional pen tester.

You, you, you, they, they, they might come on site, they might do it remotely. Ultimately, they're using a machine that you don't really have any control over and then they're doing the pen test, they're grabbing data to create the report for you and they give you that report. Now, who knows what they're doing with it, you know. Yeah, they'll tell you, they deleted it. They'll tell you they, their purge policy, right? Who knows? You don't control that device. Um Now I could argue you don't necessarily control some of our stuff, but this is how we approach it.

Whenever we do an internal pen test, we ask that you, yeah. Well, you don't want, we don't ask you have to do this, but you have to deploy a single agent, a single probe on the network and it's gonna be running Ubuntu server. Now, it doesn't have anything crazy on it. We're not opening any ports inbound. The only port we need is 443 outbound, which is pretty standard, right?

Just, just web traffic outbound. Um It's just an Ubuntu server. The only thing that's loaded on it is a couple of dependencies that's for software that we need. And then the only call out is 443 back to our platform.

Once that assessment starts, it pulls down two containers. One's Kali, one's open for the side. Uh Once it starts, are those two products, by the way?

Oh, yeah, they are. Yeah, they, they, they, yeah, so, so sorry. No. So, Kali Linux is a, is a very well-known like operating system with like a ton of tools uh used for pen testing and you know, for, for assessments. Yep. Um But those two containers uh will, will do the entire assessment and it will house all the data right that we collect uh to do the reporting. Anything leaving those containers back to our platform encrypted uh in transit at rest. Um and then also automatically obfuscated. So if we're able to get, you know, password hashes or like plain text passwords, sensitive data, sensitive files, names, all that get obfuscated programmatically on the way out into our platform. And then the only data we keep on the platform is reporting data. As soon as the assessment is done, those two containers destroy themselves immediately. So all in. So now that Ubuntu host doesn't hold any sensitive data, the only data on our platform is gonna be reporting data that obfuscates the sensitive portions and it's also encrypted. And then if you don't want us to have it, you can delete it yourself right there on our platform. And it's funny because we have actually had some partners say, hey, I need you to restore the, the report. I'm like, I can't, it's gone like, well, I mean, can't you restore it?

Like, no, it's gone, like in our documentation that says if it's deleted, it's gone forever. Uh And yet you don't have a way to restore it. So, all right. Well, that's good. Uh The other question that I got and I didn't know how to answer is, does it put a load on the network? Meaning am I gonna notice the network being slow because there are products out there that if you're just doing a simple network scan, people notice that their computer is slow for whatever reason and they're like, what are you doing? Um Does this, I mean, even though you're bringing a machine and it's doing it searching, is it doing any sort of a load on the network? No, not really. So, it, it's actually quite, quite minimal. Um There's been pretty much like from, even from the external or the internal side, right.

At most that we've really typically seen is about five megabits per second. Um It, it, yeah, so we, we, we do a lot to try to control um the sense of like, I, I guess the stealthiness of our approach. So for a couple of reasons, right?

One, we don't get detected because the whole goal for us is let me skirt underneath the radar of detection tools. And then the other approach too is we do not want to cause disruption to the business. It would be no good to anyone if you know, I'm gonna do the test. So then now the MSP just took down this client's network and everyone's just mad. Um Yeah, very, very, very minimal load. So you talked about being uh MSP friendly and I guess the question with that is I assume that there is a dashboard that you can go to and see clients and see how many times you've run a test or see the results unless you delete them and stuff. Is that how it works with you guys? Is it a dashboard? And is it something where MSPs pay a monthly fee? And then we can, because what I saw on the website, you can run them as many times as you want, you know, is that how it works? Yeah. Yeah, that's exactly right. So it's a, it's a software platform, right? So it's a uh so there's a web interface, the MSPs would log in. Um Now it is MSP friendly in the sense that it's multi-tenant. So you can, you can add companies to it and you know, as many companies as you want and then you can manage those companies all directly within the platform.

You can also white label the solution. So you can white label the platform, you can white label the reports. Um And then the other thing too is we, we're starting to integrate with a lot of different like ticketing tools right now, we're integrating with ConnectWise. So if, if you have ConnectWise Manage, right, we can pull in your companies. Uh you could perform the assessments on those companies and then have tickets created for the pen test findings back to the uh back to a project board if you're choosing and that way your team can work on remediation. Um Now as far as, yeah, and then as far as like kind of like how is price, it's based on the number of IPs, you, you, you think you need per month. OK. Uh Yeah, that's how kind of how we license it. I was gonna ask that because I was gonna say, is it by the number of clients that you're testing? But you're saying it's by the number of IPs so you could have one client with. So for instance, I have a client with seven locations.

I may want to test all seven. So that's what it would cost me. It's my idea, right? So um if whatever, like for that, for that particular scenario, right, let's say you have that client seven locations, what we want to do is figure out how many IPs are they using uh both external and internal across all seven locations, yeah, and determine like how often do you want to scan them? So this couple is kind of flexible, right? It depends on how you want to do it.

If you want to do a monthly uh assessment for all seven locations every single month, then we need to figure out that aggregate value. So let's say they each had a slash 24 but um you know, a slash 24 with maybe 11 external IP apiece. Um We would basically add all that up and then we need to figure out how many of that slash 24 is actually used because we only count IPs that are active with open ports. So if you have a slash 24 but only using 10, 10 of those IPs then you only need a license for 10, not the full 254. OK. So this is all IPs internal, external. So this is every device on a network, desktop printers, servers, iPad. Are you going across VLANs?

Yeah, yeah, we, we'll definitely go across VLANs too if you want us to. So when, yeah, whenever you go to schedule it, you can, you can tell us like, you know, if, if, if you want to only do a certain VLAN, you can do that if you want to include all VLANs, which we would recommend definitely do that as well. Um It, it's a good way to test isolation as well, we've actually had partners do that, right. Like they're like, hey, I have a pretty micro segmented network but I wanna, I wanna make sure that it's truly segmented. Right. And, uh, well, that's why I asked that because for instance, so I'm, I'm looking at a client here.

I'm, I'm looking at my Domotz portal. I don't know if you know Domotz but it's um, a box where I can detect, you know, IPs uh all devices, if the new devices come on the network, that sort of stuff. So I'm looking at it and I've got 222 devices now it is after hours. So 68 of them are offline, which is, uh, probably desktops have gotten turned off notebooks and stuff like that. So I would need to get a license for 222 IPs. Uh, is that how many devices are actually online? Like when, when in full production?

Um, I mean, it's probably gonna be about 200 but it's yeah. Yeah. So, yeah, it would, it would be, you would, you wouldn't want to buy an IP pack for about 250 IPs because that way it'll be up to 250 IPs. Um, and yeah, I mean, that's, to be honest, that's, that's actually a, a small, a small IP pack. Um, and it's pretty low. Correct? Ok. Yeah. Um, all right. And we talking like three digit friendly, four digit friendly and price 44 or four digit friendly. But, uh, a comparison, right? So if, if you were to go to a traditional pen tester and say, hey, I need you to do a, a, a traditional, like manual pen test, a network pen test on this network with two, about 200 IPs. Right.

You're, you're probably looking at close to, like, I don't know, anywhere from like 15 to 20 grand um through us as an MSP partner, you know, you, you'll be paying about 30% of that. Ok? And this could be used when you say packs is this, you just did a pack and you use it amongst your clients as you wish or you designate a pack to a client or to an IP. Yeah. So we actually have two pricing models. One is where you, the MSP would have the pack, right? And we don't care how you decide to use that amongst your, your client base. So maybe this month you use, you use a section of it to, to do five clients and then next month you use all of it to do prospecting. Um again your, your IPs each month you do whatever you want, right?

The other model would be we, we call it the per client model, but that one is where you, the MSP would sell it to the end client. It's still managed through the portal. You still own the relationship and everything, but you basically sell the IP pack to the end client and they have the subscription for the entire year and that way they could do 12, uh, 12 pen tests a year. Whatever cadence makes sense for them. But that's still under your MSP portal. Exactly. Yep. And you manage that and give them permissions and all that stuff. Exactly. Yeah. Nice. All right. Then they have to talk after the show.

I was gonna say, man, we'll hook you up too. So that sounds nice. All right. So let me go pull this up here.

So, so Vonahi dot I O is your main website. But I also, where is it? The uh vPenTest dot com is the actual, now, is that the commercial product that people see and, or how does that work?

Yeah, I think uh I guess we kind of made that slightly confusing. Uh So, so, well, and it's Vonahi Security, right? We, we, we have technically we have two products or, yeah, well, one product and a service. So vPenTest is our product.

It's our platform, excuse me, platform and MSPs use that um to, to deliver pen uh you know, network pen testing to their clients. But then we also have a services arm to our organization. So, because, you know, again, we have a team of pen testers. We're like, man, we're gonna, we're gonna put these guys to, to, to, to extra use here. So we do network pen testing automated through our platform. But sometimes we come across web apps and if you need a web app assessment, like a web app pen test, we can provide that as well, but it would be a separate service um through, through our red team. Yeah. Right. So for all practical purposes, we need to tell people that are listening to this, they want to get in touch with you. Go to dot I O. Correct. Correct. Yes. So forget, you know, forget what I just said about the other site drove from there.

Yeah, because it's actually, it's actually vPenTest dot I O too, not, not vPenTest dot com. I, I just went to where, I don't know, I don't know why my research team did that and we did that. Alrighty. So uh anything, I mean, I know, I, I, I asked a few technical questions but um again, from an, from an MSP perspective, you talked about pricing, which sounds very nice. If you could just buy packs and use them as you want. Uh You've got the, the ability to white label. That's cool. Um especially uh now the white label is full white label, meaning reports. Uh If, if we resell a pack to a customer, do we white port uh white label, that portal that they could see as well? You can. Yeah. So if, if you wanted to give your, your, your end client, if you will, access to the portal, you can do that that way they could, you know, pull down their own reports.

Look at their own assessments and whenever they log in it would be branded as you. All right, because I do have one Yahoo that would, you know, always want to see it all day. I'm like, I'm like, look, just, just don't worry about it. We'll take care of you. Oh, no, I wanna go in and what if I wanna run it? I'm like, why would you? Yeah, I was like, that's what do you have me for? Yeah, so. All right. Well, uh Ky. Thank you very much. Uh That's a pretty good overview.

We're gonna go ahead and bring Sean back on. Uh Is there anything you wanna say before we bring Sean back? Yeah. No, I just say happy belated birthday to both you and Sean. Uh Thank you so much for having us on the show. Um Definitely check out Pitch It.

It's, it's, it's an incredible, incredible program for emerging tech and then obviously please check us out as well as I know there's a lot of uh a lot of, you know, ambiguity in the, in the marketplace with automated pen testing, but please try it, try it out. We do free POCs for that reason. Right. Right. Thank you. All right, folks. We will be right back after this.

We've always defined ourselves by our ability to provide solutions to do more with less, build something nothing to make the young. But we've only just begun and we must never forget that our greatest accomplishment cannot be behind us because our destiny lies beyond. All right, ladies and gentlemen, we are back.

That was a commercial that's like dude, Pax8, they just have really good video content. I'm so jealous because they got the godfather of the channel working with them now man, Rob Rae is there. Yeah, but he wasn't known for like great video things. He was, he's not, that's not his like that's not his MO. I, I don't know. All I know is that dude showed up, video showed up and he asked me to attend. So I'm going to announce everybody.

I will be traveling west of the Mississippi again and uh I will be headed out to see them June 11 through the 13th in Denver, Colorado. The spot that is Denver. I like Denver. I like Denver and, and I wanna touch on the last thing Ky was saying. First off, there's not just ambiguity and, and pen testing marketing jargon. It is in the entire space.

Oh, especially of cybersecurity at this point. It's only a couple of real phrases used which is protect your data or protect your people. Kind of like that's like that's like it at, at what level what degree there's no way of telling that's where you got to do your due diligence and look into things like this.

That's why you got to take up, take you up on a POC and other companies and ask them what they do. Get a deeper dive, get demos, ask for everything. What, where what part of the cybersecurity stack do they make up? That's the facts. So yeah, ambiguity is like the king here. We agree. Thank you so much.

Which is why, which is why I had to ask a question. But you know, we know that you get asked all the time. You know, what's the difference between a pen test and a vulnerability test or, you know, sort of stuff? Oh yeah. So, so let's talk a little about this during the course of us being on this show.

This is what I was saying about how good that is done. They literally are posting. Um Don't forget to check out the webinar, the live stream happening right now on Uncle Marv's podcast. Not many of the vendors ever do that.

I do, I post while I'm in. But yeah, no, I, I don't know many that do it. And so it's impressive and that's good for an emerging vendor who, you know, a lot of them don't know what to do. And I'm as I'm assuming a lot of it has to do with going through the program last year. You're talking about, you know, pitching yourself properly to the channel to the MSP market and, uh, putting forth the right message and the fact that, hey, we're out here, we're listening, we're paying attention and we're gonna do right as best we can. Absolutely. Um, it's, well, it shows he actually touched it a little bit, um, for emerging vendors.

When you come out, it's very difficult to, to get your footing for people to give you the time of day sometimes. Right. It is a, it is a long haul. Um And it's expensive. So really what it, what it, what it turns into is, um, if you look at the evolution of businesses, at one point, if you didn't have a brick-and-mortar store, you weren't nobody, you were nobody, right? It was, it was, it was, you know, nothing. But then it turned into you, they have business cards also, then you have business cards, right? And then you're, then you, then you were something and then I was like, do you have a website? You were, unless you had something, right? So all these years, everything, there's always been some sort of piece. That was the anchor to you being credible, right? Um Perception wise. And it's about who, you know, sometimes, you know, as far as who you're co-branding with, who you're coworking with, who's, who says you're good, who says you're worthy and that's a challenge. And so it's like I did a great job navigating space with us when they were in it. Um And I, I know that they, they doubled their, their MRR during the course of Pitch It, just from being able to, just from, just from taking advantage and leveraging everything we gave them. So it's impressive. Well, I will say this as an old timer in the industry and, you know, I would be one of those people that it's like you've been in business. How long? Three years? Yeah. Call me a few. You know, it's, it's, that's a legitimacy factor to it, right? Because they're like, uh I mean, I don't know, you might just disappear tomorrow or you might be doing a little weird stuff with, with, with my data.

Hey, clients did it to me, you know, when I got started, they're like, oh, it's just you and you and your little, you know, 1999 Dodge Neon. It's a reliable vehicle. It's not a reliable vehicle.

That is literally what I drove. It was reliable at our time and I had a client that finally one day said, dude, you need a better car. So I went, I went Jeep and never looked back. Really? Yeah, that was it. That's awesome. That's um oh Sean, you know that sound, don't you? It is time for Florida man. And uh man, I have a story for you tonight.

We're not gonna do Florida man versus the world. Um I will just read uh a story and I have to save some because, you know, those tech bar guys, uh, do a whole thing. Florida man or not. And I'm gonna be on their show tomorrow, by the way. Good for you. You know. You know, I'm one of the founders of the show. Really? Yeah, I, I saw you on there.

I didn't know you were a founder though. Yeah. I mean, it was Ray and I, that, that founded it. Oh, he, he, he dumped you, huh? Yeah. Oh, when I got to I, yeah, we were, it just made sense. He wanted to. Yeah, I mean, which is fair.

He wanted to keep the brand rolling for him. And you know, and, and also one thing he's done, he's always done very good at is uh the company and industry agnostic aspect. So to have the ConnectWise Evangelist as the co-host would have been even though what he's sort of an agnostic. It's the, the optics of it wouldn't have been good for himself. Very smart. All right. So what I'm gonna do tonight is I'm just gonna read you a Florida man story.

The owner of an orange C8 Corvette is facing charges after allegedly intentionally striking a man with his mid-engine stingray this week in South Beach Florida. According to a witness who talked anonymously to 7 News, Miami, the incident started when a man walking, his dogs apparently became angry with the corvette driver for running a red light. And the two men subsequently engaged in a scuffle on the sidewalk. These two guys engage in a fight and the guy with the dog reacts. He punched him a couple of times, gives him the knee, the dogs tried to attack him. He pulled the dogs out. So then the corvette driver who can be seen in the video wearing dark red hospital scrubs, then walked off, climbed into his Corvette and made a U-turn on the sidewalk and that guy went back and tried to run over the other guy, his car. Wow. Yeah, that's one thing I always say about you got people down there is there are lots of love, there's so much love there. Um So much that you guys need to keep going after each other.

You can't get enough of each other. It's amazing. Now we're gonna be spreading our rain soon, man. We got, we got Florida man on Netflix. So watch out. That's amazing. That is amazing. You know, Ky. You've heard a Florida man before, right?

I actually have not. Oh my God. How, how, where are these people been?

Listen, here's the thing people have, they just for some reason don't remember. I mean, it's, it, it became like a, a national sensation when the dude did the bath salts and ate somebody's face. I mean, that was like the, that I've heard of that situation. That's when, that's when it like really hit uh, its national stature. Yeah. It, it, it's a thing. So Ky, there has been so basically it just became this running joke that you just go to Google, go to the internet and put in a date and the words Florida man and see what comes up on that date. And there are gonna be some crazy, stupid, idiotic, crazy criminal activity. There's, there's gonna be something Florida man every day of the year does something. Hm. So I, I, so wait to, to your point. Right. I, I didn't know it was called that.

But, yeah, I, I've, I've definitely heard like, basically all the crazy shit happens in Florida. Yeah, I, I, and it's not just, it's just, it's stuff you think doesn't really happen. Like, you know, you know, you're, you know, like you're at the bar and you hear a story from some drunk person. It couldn't be real where you, like attack with the Loch Ness monster.

Well, the loch ness monster is real in Florida and it really happened and then some, you know, it's just an amazing, it's like this though. It could possibly happen. You're, you're, you're not real and it's all real. Yeah, it is. It is. It is. It doesn't matter. But it is, it's just another Wednesday. It doesn't make any sense. Do you have a, do you have a good one in Texas?

He, like, if Texas, man, uh, I don't think so. I mean, we have our own sets of problems but, uh, not quite that. Not, not quite that severe. How do I call it a problem?

I consider that a very fortuitous event and just something good to have. It's, it's a, it's a great party starter. Like, if you have to break the ice, just start talking Florida man, you'll break the ice instantly. I like that. I like that. All right. Well, you learn something new here and of course, I, I learned something new with automated pen testing.

I'll now go and share the news and again, we'll talk after the show here. So, we're gonna go ahead and end off the live show if you are watching live. Thank you very much and be sure to uh hit. I don't know whatever the button is, subscribe, like follow so that you'll be alerted any time we've got a video coming onto the show and when I say that I say it because tomorrow I'll be doing a very special diversity podcast. Uh It is during the day one PM on Thursday and it will feature Amy Babin and Don Seiser.

We're gonna be celebrating women of the channel. It is International Women's Month or something like that. So, we're gonna give them some love and talk about that. So that will be tomorrow if you're listening to this by audio and it's past the time you should have signed up for the follow thing, go to I T Business podcast dot com slash follow and be alerted any time we've got a show happening.

It's not just a live show. We do other stuff as well. So that's gonna do it for this show.

Thank you to my good friend Sean Lardo of ConnectWise and Ky with Vonahi Security. Automated pen testing is a thing. So, guys, thanks a lot. Thanks for hanging out. Thank you. Yeah, thank you. We appreciate it. All right. And for the listeners out there, we'll be back next week live show. Same time, same channel. See you then.