Chris Johnson sits down with Ido Green of Espresso Labs to explore how AI and local agents can reduce cybersecurity noise, offload Level 1 work, and continuously enforce compliance, without losing human control. They discuss guardrails for safe automation, multi-vendor telemetry, drift detection, evidence collection at scale, and why “reporting gaps” isn’t enough if you can’t execute remediation and preserve proof. The episode closes with a roadmap for frameworks, partnerships, and insurance-ready visibility.
[00:00:06] Welcome to MSP 1337. I'm your host Chris Johnson, a show dedicated to cybersecurity challenges solutions, a journey together, not alone. I'm speaking by Ido Green of Espresso Labs. Welcome to the show. Happy to be here. Thank you for hosting me.
[00:00:29] So we don't often have vendors on the show, but it was presented to me, Espresso Labs, I thought it was a super interesting exploratory path of how leveraging AI to help with cybersecurity challenges and even IT operations. Like really, I would love to hear, you know, kind of a little bit of the backstory.
[00:00:54] But, you know, one of the things that you said to me off the show that really piqued my interest is the space is oversaturated. We know that there's only so many different ways to spend RMM and MDM and some of these other things from a management of assets. But one of the things that I took away from our brief conversation earlier and just even looking at some of the things in your website
[00:01:16] is this approach to help solve for particularly in the smaller business spaces where tool infrastructure, forget tool overload, but just the sheer cost of not necessarily the tool, but the cost of staff resources to manage that, to maintain those visibility. So, you know, if you would give me a little bit of a background around Espresso Labs and how it came to be.
[00:01:43] Absolutely. So we started thinking about the problem, I would say, three years ago, but two years, one and a half years ago, we actually started executing on it. And at the beginning, we had the luxury to have Nirsuk as our main investor. And Nirsuk, of course, did Palo Alto networks, but it's more enterprise focused.
[00:02:07] And we saw that there is huge need in the SMB to have the certain higher level of security like enterprise could afford themselves. But with all the different toolings that are not talking with each other and all the complexity of the new world, and we could touch about it later with new AI capabilities that are for the attackers and the defenders. We thought that a one stop shop or one platform that could give SMBs all their needs around security and IT is making a ton of sense.
[00:02:37] And that's why we started Espresso Labs. So that's in a nutshell what we are doing. So a couple of things that we talked about, and I think are important for our audience is kind of touching on, I'm just going to call it the scary part of AI right now. And I thought I'd ask you just kind of your thoughts, not to put you on the spot, but what we saw happen with Pocket OS. And I want to kind of keep it high level. I don't want it to be like, we're digging in and scrutinizing the practices of the business.
[00:03:07] I think it's more of just kind of maybe a reality check or the rose colored glasses, if you will, of like kind of what happened to what we kind of saw in the media. And like thinking about how that translates to what you've done with an AI agent, which in some respects are similar in the construct in our heads. You know, what were your thoughts when you saw that come out? Yeah. So I would say that there are many things that are really scary and, you know, you can see the full half part of the glass or the empty one.
[00:03:37] But when you're talking about security, you don't want to leave anything to a chance. And that's exactly what we are doing with our local agents and the Chrome extension browsers and everything that we are providing our customers. You want to put the right guardrails in place. Yeah. In order to leverage the fruits of, you know, the great capabilities that the LLM are giving and are getting better and better by the hour, by the day.
[00:04:01] Yeah. But on the other side, you don't want it to erase your DB in production. Never ever. Right. And you don't want it to, let's say, touch any sensitive information that you don't allow it. And that's exactly what our agent is doing. So one of the things that actually we haven't spoke about it publicly, but I could share with you very in our next version, we'll introduce it.
[00:04:24] But if you're running an open claw, which is wonderful, but from the security aspect, it's pretty narrowly, our agent will give you a ton of capabilities to make sure that it's encapsulated in its own realm. So those type of things are extremely important. And especially when we're talking about security, you don't want to leave anything for a chance. You don't want to leave anything for a bad prompt or maybe a vague prompt that might cause such a drastic event.
[00:04:52] And that's exactly what our platform is helping you achieve. So one of the things that, and correct me if I'm wrong here, because I'm not an expert on Espresso Labs, but your AI barista and kind of the model, I love the model, by the way, I love coffee. So therefore, I love the model. That's pretty much a given. But one of the things that I found really interesting is it's almost like you are removing the necessity for level one support.
[00:05:19] Because when things get really bad, you have it structured so that it would immediately escalate to actual humans. Yes, exactly. So I would say what we did with Manage Sock and all the other benefits that other companies are providing, it's the main cost there is the human labor and what our AI is able to do.
[00:05:43] And it's not 100%. It's maybe 80%. So it's managed AI and people, but far less people need to look at it because exactly as you said, level one is all being taken care of by the AI. Sure. All the simple things that we know about, and obviously the AI is learning and getting better by the day. But you do want a supervision of people, and that's exactly what we have in our team. But luckily for us, we had the pleasure and the luck to build it from a clean page.
[00:06:09] And that's why it's so efficient when we're coming to talk about security events that, as I'm sure most of your audience know, most of them are the trickiest part is that you have a ton of false positives. So you really want to look at the ones that actually meaning and have some meaning. And that's, of course, the human aspect that is doing it right now. But we could see it very clearly that in 12, 18 months, this level one will grow and grow in the depth of what we could provide you. Sure. So thinking about that for a minute, and we see this a lot, right?
[00:06:38] I mean, knowing why you've got Espresso Labs in the equation is what vendor in the cybersecurity space isn't having some sort of AI language that's been built into how they describe their product, a feature that's been added on how it analyzes data. But for end all be all, end of time, we've had the challenges that are like when you turn something on in the SIM space, firewall space or any of that correlation of threat intelligence, it's noisy.
[00:07:06] And in fact, when I used to do bank audits, the one thing that I was always running into is in a lot of cases, they would be quick to say it's just a false positive because there were so many thousands of like patterns that, you know, it often took months of time to say. And that's one thing that the SMB space does not have is time. So to at least get rid of, you know, I love that you said 80%, which is so true.
[00:07:33] Get rid of 80% of the noise so that you're only having to filter through that 20%. That's huge. And we're just talking about one component of the space that the MSP world is navigating to have, you know, somebody navigating that alongside them, not necessarily with the MSP's best interest in mind, but within the confines of the best interest of reducing what is not relevant to any of those that are involved. Absolutely. And that's exactly the goal.
[00:08:03] So we aren't claiming that, you know, it's the bulletproof for everything and it's 100%. No, it's not. But it's really saving you a lot of headache and the ability to be more effective and productive when you're trying to find the signals in those, you know, huge amounts of noises.
[00:08:18] That's really beneficial. And the beauty with the AI is that very quickly, our AI barista is becoming smarter and smarter because, you know, any organization is a bit different than any organization have those a bit tuning or some things that are a bit unique to its own requirements. And that's the beauty of the AI that it's the barista that is able to learn very quickly and the noises that we're seeing.
[00:08:45] So let's say that, you know, the classic example, you're getting some alert for some process or some app. Very quickly, you'll get a notification and a ticket. And you could say as the administrator of the organization, this is totally fine. Don't worry about it in the future. And of course, you marked it and it will be fine. Or, of course, quarantine it and make sure that you don't see it again and we don't want to have it in our systems. So let me ask you a really loaded question.
[00:09:11] We all know in the space MSPs strive to standardize for the most part. Maybe they have one or two firewall vendors, but by and large, their RMM is not multiple RMMs. They don't have multiple, right? I would suspect that that's still probably a best practice, but I would think that because of what you bring to the equation, you know, your AI barista doesn't necessarily care that it's Fortinet versus WatchGuard.
[00:09:37] It just says, I can see what I see and I'm telling you what is wrong. So I would think that this actually opens up the opportunities for MSPs who are likely to come across a prospect or maybe it's even an existing client. Like, hey, it's not standardized. It's not the technology that they would normally bring into the fold. But because of leveraging, say, potentially Espresso Labs, they would have the opportunity to say, hey, 90 days or six months or your first 12 months, we can still bring you on.
[00:10:05] Here's the changes that we're going to put into the agreement. But, like, here's why we can. That two years ago or three years ago, we would have said, you're just not going to be a good fit for us as a client. Yeah. And we built a platform with the notion of, you know, it's not take it or leave it. So we're providing you an EDR, an AD solution, and basically we are working with Bitdefender on it. But if you already have, you know, CrowdStrike or Sentinel, of course, we will work with them. So it's not like, you know, take it or leave it or you need to use everything that we are providing.
[00:10:35] The beauty of using everything that we are providing is that you have one holistic source of true in terms of all the logs from all the different systems are going to be in one place. But, of course, if you have another EDR solution and you want to work with it, we will ingest it and we'll give you the same capabilities. Gotcha. And then I think that from the, you know, in the SMB space, I mean, you're probably seeing this already. Like, you know, they didn't make any changes. They just turned it on, right? They plugged in the firewall.
[00:11:04] We got the blinky lights. We're good to go. Unless the client complains about it and the lights stop blinking, we'll keep operating as is. And so kind of shifting gears, you know, you go beyond the IT operation side. Like, I know we're talking about cybersecurity, but like the things we're describing are just tools that do what we tell them to. They're not like some sort of special.
[00:11:27] They just fall into like a unique requirement that we now all have that 20 years ago we didn't talk about because we didn't have things phrased as cybersecurity. We just had firewalls. But talk to me a little bit about like kind of the broader picture. We touched on it a little bit, but like you go far beyond just like say the Bitdefender of the world. You definitely have a larger, you know, email security, security awareness training.
[00:11:54] Like talk to me a little bit about like your broader, like those are a lot of different things. How does that, is that part of like working with like the AI baristas? Like those are things that, you know, on the fly training because of what they're dealing with? Or is this more of like, all right, it's the last Thursday of the year. Here's your two hours and 45 minutes of videos to watch that you're going to just skip and take the quiz. Yeah.
[00:12:16] So we saw from the get go that, you know, SMBs don't have the luxury of having a CISO and a whole team to manage their security and IT like enterprises. Sure. On the other hand, they are vulnerable. So we decided, you know, to give SMBs the, I'm calling it the Pullman Enterprise Browser, but it's not really poor. And we have a Chrome extension giving you, you know, all the benefits of, again, in the 80-20 rule.
[00:12:41] It's actually giving you 80% of what you would expect in terms of, you know, data link prevention and trackers and all the good stuff that you want to see. Or just to give the users the ability to open a ticket in your system. So the Chrome extension is one aspect. The other aspect is the agent itself that is local on the device and helping us achieve a lot of capabilities in terms of constantly monitoring and helping you improve the health of the machine.
[00:13:08] Like the bold example that we spoke about it before. In many cases, the machine is becoming slow. Why? Because the disk is becoming full. So we have this, you know, ability to monitor and clean the disk on a daily basis or whatever, in any frequency that the IT wish to do. And those are just simple examples, but it's much more holistic in the way that we're thinking about the problem.
[00:13:33] We saw from time to time that more users are asking, you know, for different capabilities, like, you know, a real backup that is working and not just with Google or Microsoft. So, of course, we have that as well. So it's becoming this one platform that's actually giving you a peace of mind as an SMB owner or MSP that is dealing with SMBs just to run it and taking care of all the good aspects of what are the daily usage of, you know, different SMBs.
[00:14:05] So we've touched on a little bit of IT operations. We've talked a lot about cybersecurity. But one of the things that drew me to kind of the overall offering is an area that I spend a lot of time in, and that is the compliance space. We both do it through the GTIA cybersecurity trust mark with MSPs. But as you know, and one of the things I saw on your website was, you know, how do you, like, defensibility with regards to, like, CMMC?
[00:14:31] You know, we've got a lot of challenges happening in the space of, like, is the platform FedRAMP authorized? Does it, you know, where is it at in that realm? And then just kind of, like, you know, how, I mean, it just sounds so compelling that we could solve so many problems. How do you fit in that, you know, CMMC is kind of this sort of still black and white space of, you know, whether you're FedRAMP authorized or not, how you help deliver in that area? Yeah, that's a great question.
[00:15:01] So, after we built these basic building blocks of, you know, managing the IT and managing the security, we saw that it would be really powerful to allow our customers to actually work on their compliance needs. And, of course, CMMC, it's a forcing function. Sure. All the different 300,000 companies that need to work with the developer will need to have it.
[00:15:26] And the beauty with our platform, I would say very shortly, when you're comparing it apples to apples with the Vanta of the world, is that in the Vanta of the world, you'll get a very nice detailed report of what you need to do. And now you need to go and do it. So, password policy, you need to go now and enforce it. And with our platform, you could ask the barista, what is the status of the users now who are not with the password policies that I need to enforce? And it will give you a nice report. And then you could say, okay, enforce it. And it will go do it and return to you.
[00:15:53] So, we're really helping companies achieve this up to CMMC. And, of course, ongoing monitoring of what they are doing with it in terms of giving you a really one holistic view of what your current status with regard to the controls that you need to implement. I like it.
[00:16:17] So, really, the sweet spot is, regardless of what framework that I'm needing to align with, regulatory or otherwise, execution of leveraging your agents or the tools is to be able to gather the evidence to support. And in the areas where it's not being enforced, to help with the execution of enforcement. Or showing proof, right? Or being able to get to, I have proof. Exactly.
[00:16:43] And that's actually a great point that the platform is giving you by default. And usually, it's really hard if you don't have an holistic platform. Because just to show that you saw an event and you took care of it and what you did in that specific event, obviously, everything is audited in our platform in the logs. And you could show the proof that you did it. In other cases, you could imagine if you're going to enforce password policy now and you need to go directly manually to each and every device that you have in the organization,
[00:17:10] much harder to collect the evidence and it will be much more time consuming. Yeah, Noah, I think along those lines, it's kind of interesting thinking about the maturity and inflection points of solution providers, of really any business. How do you know that they are improving? And obviously, most of what's out there is only capturing a moment in time. Like today, you passed the MMC audit, but tomorrow you might not.
[00:17:37] And so, you know, I think one of the things that you talk about a lot within your ecosystem is detecting drift. What does that look like for an MSP? Because I think detecting drift, I think in an MSP world is like everything's always drifting, right? Like it's always moving out of band or out of the area where I want it to be.
[00:18:01] Like understanding that not only can you detect drift, but I assume you can ensure that it gets back into, you know, correct course accordingly. How does that work? Because I feel like that's one of the struggles that we all have is to allow for the automation to fix something. But then going, do I want to allow this drift to be fixed through automation or do I want to see it first?
[00:18:25] And maybe this is a two-part question, but some things I don't care about it being done through automation and other things I might have a different view. Is there ability to kind of mix mode for depending on what the type of environment is? Yes, absolutely. So you could, you'll get at the beginning a ticket notification in your Slack, your email, your preference, whatever you prefer. You'll get notification on all, let's say, that you defining the medium and above alerts.
[00:18:54] And then you could tell the system, you know, if it's just, you know, cleaning the disk for a user, don't bother with me in the future, just do it. But if it's something more serious, yeah, I want to be the one that's taking the decision if you are going to execute on it or not. So you have a full control of what's going on. Just to circle back to the drifting part and, you know, change is the only constant.
[00:19:16] And we all know, you know, even if you pass the SOC 2 or the CMMC at some point of time, a day after you have a new user or someone is leaving the company. So it's always changing and you want to enforce all the practices, all the controls on the new changing users, devices. And that's the beauty of the system. So once you're putting in there, you have the peace of mind that it will be executed.
[00:19:43] And of course, you could get those regular reports on each frequency that you will choose. But you know that the system is actually enforcing it on an ongoing basis. So that's, I would say, one of the most important aspects that it's taking now the responsibility from you to test the company every quarter or every year. And it's doing it on an hourly basis because we're leveraging, of course, our agents and the AI. So our audience is obviously predominantly MSPs.
[00:20:13] I'm sure there are more than a couple of vendors, though, that tune in from time to time. So that's kind of the general audience. You know, you talk about, you know, schedule a free compliance readiness call. You know, it's funny, not funny. I say it's funny because of the expectations that we see out there in the space.
[00:20:33] But you see a lot of these, the smaller supply chain vendors that are obviously in a predicament of getting to a state of compliance so they don't risk losing their patents or, you know, compromising at some level what they've been entrusted to protect. What does something like that look like? Because, you know, one of the things and the reason where I'm going with this is time, right?
[00:20:58] So time to get compliant with any framework, if you've not done anything, can be quite tedious and time consuming. In fact, for the Trustmark, we tell MSPs, give yourself 12 to 18 months is what we consider to be a reasonable amount of time. I would argue that if I'm leveraging something like your AI barista, some of that stuff is able to be done much more quickly because, well, I have a limitation on my staff,
[00:21:28] but I now have an augmented virtual staffing that can help me with some of these things. What does that look like? Because I think more want to know where they are. They want to know what the gaps are in their organization before they take on one of these adventures. Absolutely. So, I mean, it's twofold. The benefits are twofold. One will be with the evidence gathering.
[00:21:50] And because we are leveraging the agents that are local and the agent, we could generate you the current state of things and the gap analysis very, very quickly. So, again, your assumptions are really on the point in terms of, you know, maybe it's more than three quarters in most cases. And what we saw so far that we are able to shrink it to a few weeks.
[00:22:15] It's still taking time because, obviously, you know, people are on vacation, devices are not online and so on and so forth. But it's much, much faster. And then, of course, the ability to have less people in order to, you know, find the meaning and see what you want to tackle first, what you want to tackle later. I wouldn't say that it's, you know, send it and forget it. You do need to intervene and have some manual work because there are some judgment calls that you need to take. Yeah.
[00:22:44] Remediation is always like that, right? Yes, exactly. But the gathering of the evidence and creating the gap analysis, it could be done very, very quickly, depending on the organization. And for the MSPs, we have this ability to give them a holistic view of all their customers. So you could see, you know, which customers are doing better, which need more attention. So you could prioritize and see where you want to put more of your time.
[00:23:07] So shifting gears a little bit from CMMC, because I know that's in some respects, it's kind of a buzzword, you know, that we know that November we've got enforcement coming up. So I don't want to dismiss it, but obviously there's other frameworks. So are there, is there a limitation at this point? Like if someone came to you and said, hey, I've got to do ISO 27001 or I've got to do fill in the blank. That doesn't sound like it would be much of a challenge for you guys to incorporate other frameworks. We build it from the ground up to be generic.
[00:23:35] So we'll give you this ability of CSV that you could import to the system and then the framework will be. In the end of the day, it's different controls and what's delivered from them. So, yeah, it could be. I mean, your AI barista can read what the requirement is from a control and go, hey, yeah. That's how you do it. So you got everything through it. So you'll give it this CSV with the new framework and it will tell you what it could understand from it. And then after you will approve, we're up and running.
[00:24:04] So I have a dumb question because it's in, well, I think it's dumb, but maybe it's not dumb. Do you see like, so you've got operations, you've got cybersecurity and you've got compliance. Any future predictions or roadmap with regards to helping in sort of the legal space?
[00:24:25] Like, obviously you have policy resources in there, but it got me thinking about like, you know, as an MSP is using this, looking at how it might update, you know, managed services agreements or some of those other documents that kind of fall more into a legal space. Is that something you guys have planned in the roadmap? It's a great question. It's not dumb at all. We've been thinking about it and my hunch is that we might partner.
[00:24:51] There are several really successful companies that are doing some interesting things in those area. My hunch is that we'll partner with them, not reinvent the wheel again, but who knows? We'll see. Okay. So then maybe a less of a reinvent the wheel. I mean, I guess getting into like, I stayed in a Holiday Inn Express last night, therefore I'm now a lawyer is probably not a path to take lightly. But the other one that comes to mind is insurance. Insurance is constantly looking for evidence.
[00:25:19] In many cases, they ask questions now built around like CIS top 18. But I often find that the phrasing of those questions doesn't lend itself to a really a great answer, no matter what the environment looks like. Do you have any insurance that you're working with now or that you can share that would be, you know, MSPs would be interesting? Because one of the things that everybody's challenged with is you either are going after assurance or insurance, right?
[00:25:48] So in that assurance space, you're seeing the trust mark that we have, which is one of the ways. Another one would be like whether you're using like Quark or Spectra Cyber, where they're providing a warranty type of a layer that's on top of whatever the insurance agreement is. And then, of course, insurance. Do you guys have something that's coming along in that space as well? I'd just be curious because it seems like that's the next easy progression. Yes, yes. So we're thinking about it. It's all about prioritization for us.
[00:26:18] Absolutely. I mean, I like where you're at right now. I'm just. Oh, yeah, yeah, yeah. No, no. We're definitely talking with a few insurance companies to see how can we provide and bundle it and make sure. Because, I mean, the main aspect that we are giving those insurers is the ability to audit and to see exactly what's going on.
[00:26:37] Not to mention that you could produce those status reports and it's very beneficial because, you know, if you know that you are in compliance 24-7, it's much more reassuring the insurer company that you are with the best practices and you are in a much better spot than others. So it could influence lots of other details.
[00:26:59] Yeah, I would assume that with the way your dashboard works and the idea behind working with MSPs is that the multi-tenant view would also be how is this rolling up? And as far as the MSP is concerned, like my overall risk, because it's not just me now. It's per client. And then looking at potentially how does the per client risk look? If one client is risky, does it have, does it impact the other clients in our portfolio?
[00:27:25] I mean, obviously, you know, in some cases, no, but there's a lot of cases where, hey, if you've got the vulnerability with one, you probably have the vulnerability with all of them. Right. And that's part of the beauty of the barista that in some cases we could extrapolate and see, you know, if Notepad++ got some huge vulnerability that is being used. We recognize it and immediately, you know, it will know to scan the inventory of the apps that the users are using and do the right things with quarantine it or removing it.
[00:27:55] So last question, we have a couple minutes left. I ask this to just about everybody that's on the show. Is there any book that you are currently reading or have recently read that you think our audience would be interested in? And it does not have to be nonfiction. Okay. So I'm usually trying to do one nonfiction, one fiction. Nice. And I really love Morgan Haswell. So all his books are amazing in my mind.
[00:28:20] And The Psychology of Money is the last one that I read a few years back, but now I'm getting into it again because there's a ton of good things that are very applicable. So highly, highly recommending it. Got it. Last question for the audience. Where can they find you if they have more questions about Espresso Labs? Sure. Sure. So Espresso Labs dot com or Greeny doing one word in whatever social platform you are on it.
[00:28:49] So LinkedIn and all of them, it's the same thing. Well, there you have it. For those of you listening, this has been an episode of MSP 1337. Thanks and have a great week. Thank you very much. It was a pleasure. Thank you.