It's exciting times with Senteon. There is a big announcement, a discussion around endpoint hardening, and their roadmap for 2025. I hear firsthand from Henry and Zach about their adventures in bootstrapping Senteon to where they are today. This is an episode you don't want to miss.
[00:00:06] Welcome to MSP 1337. I'm your host, Chris Johnson, a show dedicated to cybersecurity challenges, solutions, a journey together, not alone.
[00:00:21] Welcome everybody to another episode of MSP 1337. This week is a special week as I have Senteon on to talk about their recent new announcement
[00:00:39] and what better place to do it than on a podcast that has like 10 listeners. No, we have more than that.
[00:00:45] But so I'm flattered that you wanted to be on the show to share. I think this is great news. I think the channel and our community needs to hear it.
[00:00:53] So Zach and Henry, you know, we've talked about this before we came on the show, that there's often this misunderstanding or misalignment
[00:01:04] when vendors start talking about how they're needing to take on investment money.
[00:01:08] And now that's the evil twin in the room.
[00:01:10] And now we'll never really care about you because our channel partners are what was the lifeblood is now.
[00:01:18] It sounds like you don't need me anymore because you have money and and I do not.
[00:01:23] So can you give it to me for free?
[00:01:24] So so walk me through. I think what everybody wants to hear is what led up to this maybe a necessity to say, hey, we need to secure investment.
[00:01:36] Yeah, I know from the go to market side of it is really being the new guys in a space that doesn't have a lot of innovation.
[00:01:43] So for the listeners who don't exactly know what we do yet, we are actually hardening workstations, servers and browsers to best practice secure recommendations from CIS or other regulated frameworks.
[00:01:55] And there's not a lot of solutions out there that are actually making those changes.
[00:02:00] So for us as a bootstrapped company, really trying to build our name without being able to afford those massive shows, we were a little bit of a disadvantage.
[00:02:08] And we got to the point where we needed to really just toss some fuel on it on the go to market perspective.
[00:02:14] But there was also a lot of operational hangups.
[00:02:17] And maybe, Henry, can you talk a little bit about your your point of view on the need for this to go?
[00:02:21] Yeah, I mean, the fact of the matter is when we have a little bit more runway and we're able to do a little bit more business planning, right?
[00:02:28] So we can actually think about things that are a year out, two years out and not dinner tomorrow.
[00:02:34] It becomes a little easier for us to be able to plan those activities.
[00:02:38] And then just echoing that as well on the development side of things, too.
[00:02:42] You know, there's a there's a cadence that we want to be able to maintain to help support all of our partners in terms of make sure we get new updates done on time.
[00:02:49] If something like a zero day does pop in, that we're able to help put something out in a more timely fashion.
[00:02:54] Things like that. I think that just we've been limited from our ability to do so up until now.
[00:02:58] I think the investment is is big for us to be able to enable us on some of those fronts.
[00:03:03] But you can't be, you know, you know, five guys and fries forever, right?
[00:03:07] Like you when you started this, you know, that trademarked Chris, five guys and fries.
[00:03:13] I was just I just threw out a number as random as a random number.
[00:03:16] I think about like any MSP that's out there when they started their business, it was one or two people maybe.
[00:03:23] And they added maybe a third in the near future if they were that aggressive.
[00:03:28] But it was very difficult without the tools and third party services to deliver to their own clients, let alone consider.
[00:03:35] Well, how does this work when we're talking about the vendor space who are providing me those tools and services?
[00:03:40] They're largely built in the same fashion that an MSP decides to launch their men's services path, right?
[00:03:47] So I think that's one of the things that is kind of that hidden unknown when someone says like, well, they're they're relatively new.
[00:03:53] They started their business in the last two years.
[00:03:56] You know, I love getting on a call with vendors like, yeah.
[00:03:58] So we've been around since 2022.
[00:04:00] And you're like, oh, wow.
[00:04:02] So you're just a toddler.
[00:04:03] Got it.
[00:04:04] Yeah.
[00:04:05] So so talk me through how you think you're going to be here tomorrow.
[00:04:09] And without fail, a lot of them, in fact, will say things like, well, we're on our second round of or we just got this round of funding and we've got some investment or some some backing to help ensure that we're not just, you know, Chris and Zach and Henry, you know, hanging out in the back of a pub going, hey, Mr.
[00:04:30] Waiter, sir, could you please bring us some more napkins?
[00:04:32] We're building our business plan, right?
[00:04:34] Like that's part of it, right?
[00:04:37] Like if you don't have a path that you can financially be supported and those are the questions that no vendor wants to ask when an MSP is like, well, talk me through like your financials.
[00:04:46] And you're like, click.
[00:04:48] And, you know, you say that as an example, but those were real conversations that I had.
[00:04:53] You know, I am largely responsible for the go to market sales meetings and whatnot.
[00:04:57] And that is one of the, you know, sniff tests is, hey, what amount of customers do you have?
[00:05:03] What type of backing do you have?
[00:05:05] And, you know, a lot of it varies across the market.
[00:05:08] Like you said at the start, there's a bad connotation sometimes with taking on investment.
[00:05:12] But some MSPs wouldn't want to proceed the conversation if we didn't have backing because it maybe proved we weren't mature enough to get backing.
[00:05:20] Hence, why should they use the platform?
[00:05:22] So we'd be in this catch 2020, catch 22.
[00:05:25] You just said two years ago.
[00:05:27] Threw me off.
[00:05:27] Yeah, it's a catch 2022.
[00:05:30] Catch 2022.
[00:05:31] So it really put us in this challenge point of do we please that half?
[00:05:37] Do we please that half?
[00:05:38] If we stay bootstrapped, how are we going to reach the larger audience and have a chance at that larger success?
[00:05:44] So it really was something we had to think through as a team and determine if it made sense.
[00:05:49] And as you can tell from this announcement news, we did make that decision.
[00:05:53] Well, at any point in time, a bootstrapped company can be done, right?
[00:05:59] Like there's and I remember this even growing an MSP.
[00:06:04] You know, I get to a certain point.
[00:06:05] You're like, am I really good with running payroll against my 401k?
[00:06:10] Like or when I go to buy a house and they're like, sorry, sir, you're self-employed.
[00:06:16] You can't buy a house.
[00:06:17] We're not going to give you a loan.
[00:06:19] And I'm like, but what about my employees?
[00:06:21] You'll give them loans.
[00:06:23] So if I fire all of my employees, can I then get financing to buy a house?
[00:06:28] I won't have to spend money on them anymore.
[00:06:30] Right.
[00:06:30] Like and they couldn't even look at me.
[00:06:32] They're like, I don't understand.
[00:06:33] They're like, logically, I get what you're saying, but the system doesn't work that way.
[00:06:37] I'm like, got it.
[00:06:38] So the S&B space is the backbone of this capitalism America.
[00:06:43] But when it comes time to spend the money that I have, I can't spend it because.
[00:06:51] I do that.
[00:06:51] So tell me.
[00:06:52] So you guys have gotten you got this big announcement.
[00:06:56] What was what was that like?
[00:06:58] Because I would imagine that just like you have your little check that you got from ConnectWise back there behind you on screen.
[00:07:08] For those of you who can't see it, it's the large check that you get for winning the sweepstakes.
[00:07:12] Yeah.
[00:07:13] Tell us about that journey, because it wasn't like you just decided one morning you woke up and said we should get investors as opposed to, say, be acquired by somebody that might write us a big check.
[00:07:26] Oh, I thought that's exactly how it went.
[00:07:29] It could be.
[00:07:30] You woke up and just had millions?
[00:07:33] Congrats, Senator.
[00:07:33] You made it.
[00:07:34] It's a lot easier.
[00:07:35] I mean, it does.
[00:07:35] As you said, it just shows up in your bank account.
[00:07:38] It's just that easy.
[00:07:40] No, I mean, I think the big part of it for us is like making sure that we're picking the right partners and the right people to work with.
[00:07:47] There's a lot of money out in the world, not a lot of experience, I think, we found when it came to looking for the right people to work with.
[00:07:54] And working with the Google Tech guys, probably should have announced that first, actually.
[00:07:59] But working with our new leads, the Google Tech guys, we've been really excited for the type of insight and the type of introductions they've been able to provide us and sort of their background history.
[00:08:09] It was a unique experience for me, having done a lot of pitches and gone through some of those, to be able to walk into one where they're like, yeah, yeah, we know what you do.
[00:08:16] Can you just show us a demo so that we can see the final points?
[00:08:19] And I was like, this is going great.
[00:08:22] Yeah.
[00:08:23] You already got 30 minutes from the pitch.
[00:08:25] And I'm like, yeah, yeah, you know.
[00:08:28] So for us, a big part of that was finding the right partner that does understand the space, understands the product, understands what we're trying to do.
[00:08:35] And it's not just like, oh, this sounds interesting.
[00:08:39] See what we can do with this.
[00:08:40] Right.
[00:08:40] And so that was a big part of that.
[00:08:43] Let's talk about that for a minute and then jump back into where you guys are going in 2025.
[00:08:48] Because I think what you said is really important.
[00:08:51] There's a lot of private equity firms out there, investors that, you know, angel investors and otherwise.
[00:08:57] That at this point in today's landscape of investment, everybody's investing in something.
[00:09:06] Right.
[00:09:06] They're buying up companies, private equity is like we can make money off of even associations.
[00:09:11] Having, as we've seen with recent examples.
[00:09:15] Right.
[00:09:16] But so Gula Tech Adventures, you mentioned them.
[00:09:20] They're unique in a way that I think is important for the audience to hear is that they're focused on investing in companies and nonprofits that defend the nation's cyberspace.
[00:09:30] That's a pretty bold statement to say as an investment firm.
[00:09:35] So you guys must have had some sort of warm fuzzy out of the gate when you started having a conversation with these guys.
[00:09:43] The warm fuzzy showed up eventually.
[00:09:46] Part of that, I think, because our team is so technical by default and a little bit less maybe on the gold market operations and stuff.
[00:09:53] So we're always looking for validation.
[00:09:54] And you get the warm and fuzzies and they tell you you like what you're doing.
[00:09:57] But when you're walking into that meeting, you're like, well, the co-founder of Tenable tells me this is a shit idea.
[00:10:02] I'm going to be pretty sad walking out of that meeting.
[00:10:04] So warm and fuzzy is for sure.
[00:10:08] So to be fair, I wasn't implying that you just get a warm and fuzzy because of private equity.
[00:10:16] It was more along the lines of having the conversation and coming out of that, knowing what they stand for as an organization.
[00:10:22] They're not just investing in random companies because they see an ROI.
[00:10:27] They're investing in companies that are making a difference in the threat landscape.
[00:10:30] And I think that's what's important.
[00:10:32] It's just not a land grab just to buy businesses that might make them money.
[00:10:38] I mean, they've made money.
[00:10:39] They've been there, right?
[00:10:40] Like they exited Tenable.
[00:10:43] And there's a reason behind why they're now reinvesting some of those dollars.
[00:10:48] Yeah, I hit the nail ahead there.
[00:10:49] Yeah, I think that's really important too.
[00:10:51] Just talking about the investment space and what we've learned, there's acquisitions to where you're just trying to get market share and grow your customer base.
[00:11:27] And then you're going to get into something greater.
[00:11:28] So it was really cool finding a firm that prioritized a little bit more technical over that land grab, as you said.
[00:11:35] Yeah.
[00:11:36] Like we just want a place to put our money that's going to have a good, you know, X factor on my return.
[00:11:42] Yep.
[00:11:43] All right.
[00:11:44] So we know who Gula is now a little bit, the value that it brings to the equation.
[00:11:49] I think it brings also a level of confidence that this isn't just a buy and sell, right?
[00:11:54] Like this is a where we're investing in the future of cybersecurity.
[00:11:58] And you're one of the vendors that they see the reason to do so, which I think is pretty awesome.
[00:12:03] So that obviously lends itself to the question of what's on everybody's mind is what does the roadmap look like for 2025?
[00:12:11] Did it change as a result of the investment or was it more of like, it's just going to help accelerate what you already had planned?
[00:12:20] Well, like I told you, CJ, now that we have some money, we can actually make a roadmap.
[00:12:26] That's a good start.
[00:12:27] We can now buy paper.
[00:12:28] We could have milestones and deliverables to meet milestones without just trying to go as fast as we can.
[00:12:36] Is that some of the resources that you get from someone or an organization like Gula Tech where they help with that type of stuff?
[00:12:43] Or I mean, because granted, you guys didn't start sent you and be like, hey, no day one, we should probably have a roadmap of where we want to be in three years.
[00:12:49] You're like, I want to make sure that we can eat tomorrow.
[00:12:53] And this is a good idea, right?
[00:12:55] Like, I don't know that most organizations when they start their businesses on day one are like, I'm so glad we wrote that five-year plan.
[00:13:05] Probably the biggest regret of my time investment before we had a product.
[00:13:08] I spent days, weeks trying to document some type of draft and then it literally was never looked at.
[00:13:14] Sure.
[00:13:15] I looked at it.
[00:13:16] It was good exercise in the day, but regarding what we learned after the fact just through experience, you know, redoing our business plan and actually having the money to make formal plans that we can be better held accountable is a lot different than pre-product, Zach, drafting up something and reviewing it with you.
[00:13:34] So, again, I think we shifted the – if I was a journalist, I'd be like, so did it really happen or not?
[00:13:42] No.
[00:13:44] Would you care to answer the actual question?
[00:13:46] No.
[00:13:47] So, what does the roadmap look like for 2025 with the potential acceleration and support you're getting from this – with Gula Tech?
[00:13:56] You know, what does that look like for you guys?
[00:13:59] A lot of scope expansion, I think, but also a lot of focus on what we're continuing to do.
[00:14:04] I know a lot of companies, you think about taking venture, you think about getting bigger, and eventually you become one of those companies that just kind of does it all.
[00:14:11] Sure.
[00:14:12] And I know you know what I'm talking about there.
[00:14:14] But I think our focus, we like what we do.
[00:14:17] We think there's a lot of use cases to improve on what we're doing.
[00:14:20] You know, right now with operating systems in Windows, we're looking at browsers, expanding that out to Macs, and then, you know, looking at other applications, whether those are MSP-focused or maybe a little more general.
[00:14:32] I think we're seeing a lot of value there in being able to do those things and then being able to do them a little bit more quickly is definitely a big value out of the round.
[00:14:42] So, let me ask you a question.
[00:14:43] Oh, no, wait.
[00:14:44] Go ahead.
[00:14:44] Go ahead.
[00:14:45] Yeah, I think the best part – and you were mentioning like taking on investment, how much that might be impacts the roadmap or makes changes.
[00:14:50] You know, yes, we didn't have like the most formal roadmap, but we didn't know what we wanted to do and we wanted to stay in the hardening vertical.
[00:14:56] We knew we wanted to be the hardening platform in the channel.
[00:14:59] That's who we are.
[00:15:00] Sure.
[00:15:00] And Gula fortunately saw that aligned with the vision of being the hardening platform.
[00:15:05] And maybe we'll just do a hypothetical scenario, right?
[00:15:09] Like if we wanted to prioritize hardening applications above everything else, kind of do this feature into application hardening, but Gula wanted us to get into cross-OS hardening, do Mac and Linux, right?
[00:15:22] We may have made that decision pre-Money to say application hardening, we have the resources, we know the roadmap to do that.
[00:15:27] But to go into Mac, Linux, it's going to take us a lot more resources.
[00:15:31] The ROI is farther out.
[00:15:32] Even if it is greater, it's going to take too long for us.
[00:15:35] But with the investment and just the really intentional relationship Gula Tech has really gone after with their portfolio companies, us included, they're able to make the right introductions to help some of those longer dev time roadmaps for items a lot quicker because they know the right people.
[00:15:52] They can put us in front of the right people, they can make us get in front of the pieces we need to get done quicker.
[00:16:00] So along those lines, I wanted to ask this question, but this now makes the question even better.
[00:16:05] So is a browser an application or an operating system?
[00:16:08] That is such a good question.
[00:16:10] Defer to Henry.
[00:16:13] Sorry, what was the question?
[00:16:15] Was the browser an application or an operating system?
[00:16:18] Yes.
[00:16:18] The browser is an application, CJ.
[00:16:21] Okay, so how is that?
[00:16:23] Well, I don't want to go down the rabbit hole on that one.
[00:16:25] But if you think about what you layer upon a browser, are those not applications on top of an application then?
[00:16:32] I asked this question.
[00:16:34] That doesn't necessarily mean that it's not an application anymore.
[00:16:36] Fair.
[00:16:37] One could say an operating system is an application.
[00:16:42] Sure.
[00:16:42] Yeah.
[00:16:43] Okay.
[00:16:43] Yeah, sure.
[00:16:45] The reason why I asked, and not so much that it matters that it is one versus the other, is I was just thinking about what we see in the space today.
[00:16:51] So, like, you see everything from browser hardening, which is what you guys are doing.
[00:16:56] And then you see things like, well, if all of your traffic rounds through our, you know, DNS filtering and blah, blah, blah, you know, you're essentially reducing the threat that's coming to the browser.
[00:17:06] And there's different approaches, I think, in some respects to how we go about securing the endpoint, securing the end user.
[00:17:13] But one thing that keeps coming back in my mind is we still aren't seeing the end users, especially in the organization, in business space, being told you can use Edge, not Chrome.
[00:17:26] You can use Chrome, not Opera.
[00:17:28] Or fill in the blank browser.
[00:17:30] I'm not trying to make that one is superior to the other.
[00:17:32] But, like, they still aren't standardizing, let alone let's harden the browser.
[00:17:38] Because I recognize that if Centian can harden one browser, you can harden another browser, in theory, just as easily.
[00:17:44] But the reality is if I'm the one responsible for the environment, why would I want to have to worry about multiple browsers that are essentially being used for the same thing?
[00:17:54] So you actually go very much into the big reason we wanted to take on the investment and extend our roadmap to better build out everything.
[00:18:02] And you're touching on it, right?
[00:18:04] You're very much, how are we going to harden the browser if we don't even know which browser we're going to use, right?
[00:18:10] So in the MSP market, especially where we really are, that's where we got our start and that's where we still are.
[00:18:16] There are a lot of MSPs out there who still let their clients use whatever browser they want.
[00:18:20] I will note in a lot of my conversations, people are wanting to start standardizing and starting to restrict.
[00:18:25] I don't know how much actual progress is made, but that is very much an active conversation.
[00:18:30] But going back to why the investment made sense for us, it's because as a hardening company, you know, there's vulnerability management, there's patch management.
[00:18:38] There's not really hardening management today.
[00:18:40] And that's ultimately what we are.
[00:18:42] So creating this new vertical, this new Gartner quadrant, as we used to joke about.
[00:18:47] One day.
[00:18:48] Yeah, one day.
[00:18:49] We needed to build this awareness and let the market almost catch up to where we are with technology to catch up to want to change their settings.
[00:18:59] And when they want to, we want to be ready to go and have this fully mature platform.
[00:19:04] So that was really just going back to another reason we wanted this.
[00:19:07] And I know, Henry, you're seeing a lot of the same trends with wanting to standardize browsers, but not really happening.
[00:19:13] I know you do a lot more customer phone calls after the fact as well.
[00:19:16] Anything you're seeing on the trend side?
[00:19:22] Some of it is just because it's not possible to today.
[00:19:25] I mean, somebody made a joke to me about like Internet Explorer just being like one of those old gods in Lovecraftian lore that you just can't get rid of.
[00:19:35] And to that end, it's like as long as we have banking apps that are 100% reliant on being on Edge or on Explorer or like need Flash or whatever, you're probably never getting rid of it.
[00:19:45] And so there's a little bit of level there of like you need mitigation along with control just in terms of standardizing business ops.
[00:19:53] But that's becoming more and more rare.
[00:19:56] Like I remember having to fix a Dell set and they're like, sorry, until you get this fixed, we can't upgrade the OS to no longer be Flash based.
[00:20:06] And you're like, but I can't log in with the browser because it no longer supports Flash to make those changes.
[00:20:15] So along those same lines, is this kind of like going back in time to when, you know, we were responsible as MSPs like, hey, yeah, we manage your firewall.
[00:20:22] If you need us to add a rule, just let us know.
[00:20:24] But they largely didn't do things like firewall or switch firmware updates to protect those types of things.
[00:20:31] Is that an area that you see Cention getting into?
[00:20:33] Because today, you know, firewalls have operating systems that I can run on an x86 device or I can run it on, you know, the provided appliance regardless of what it is.
[00:20:45] Is that a direction that you see happening?
[00:20:49] And it's not an endpoint anymore in the end user perspective, but.
[00:20:55] It's definitely somewhere that we're interested in exploring.
[00:20:57] I mean, that comes down to the way we look at it is it's almost just like Linux support is fundamentally, I think, what that would end up being just from the way we look at the problems that we're solving.
[00:21:08] It's not the top priority.
[00:21:09] I'll say that for sure.
[00:21:11] But it's definitely something that is up there on the roadmap that we can now make to say, yeah, this is something we'd be interested in pursuing.
[00:21:17] So I have one more to ask on the roadmap side of things with regards to what you potentially could do.
[00:21:23] And then I just totally drew a blank on what that was.
[00:21:27] This is what happens when I hang out with Zach for too long at any one establishment.
[00:21:31] We can just talk about KornCon and the Quad Cities.
[00:21:34] There we go.
[00:21:35] I don't know.
[00:21:36] Maybe your question was along this.
[00:21:38] We can preview a little bit on that 2025 roadmap.
[00:21:40] I know this is something ongoing on our side of the house.
[00:21:43] We've been putting a lot more time into.
[00:21:46] Henry, I'll let you take that away.
[00:21:48] Yeah, please do.
[00:21:49] Did you just set me up for something?
[00:21:51] Yeah, I mean, I could talk to the roadmap, but you're the one who approves it all.
[00:21:56] I thought I covered all of them.
[00:21:57] I mean, yeah, so we're looking at...
[00:22:01] What did I not cover yet?
[00:22:02] Microsoft Suite hardening, getting into the application hardening piece.
[00:22:08] So very much getting more into building the all-around hardening platform.
[00:22:14] Because right now, as we introduced, it is very focused just on Windows.
[00:22:17] But the goal with this investment is to build it out, to do the Microsoft Suite hardening,
[00:22:21] the application hardening, and becoming that sole platform that can really fit directly like a puzzle piece,
[00:22:28] the missing puzzle piece to that MSP security stack.
[00:22:31] So then there's an add to that, and I remembered what I was going to say, because it wasn't so crazy.
[00:22:36] With regards to the Trustmark, which you guys are familiar with,
[00:22:40] and I know we're talking about getting something solidified after the new year,
[00:22:44] one of the things that will be coming in version two is adding in the domain from CIS
[00:22:49] with some language adjustments to make it work for MSPs.
[00:22:53] And that is, how do you go about securing custom software and application, right?
[00:22:57] Custom software application security.
[00:22:59] And I think that's one of the things that kind of goes back to what you said, Henry,
[00:23:02] about why a bank might still need to use Flash or fill-in-the-blank legacy system.
[00:23:08] But I think the same is also true with some of the futureistic applications coming down the pike
[00:23:14] that haven't been fully vetted.
[00:23:16] Still pulling in a library from JavaScript from 2005 that's got 12 vulnerabilities in it
[00:23:21] that everybody knows about.
[00:23:22] But we just put a little comment that was a request out.
[00:23:28] And so now it's okay as long as someone doesn't uncomment it out.
[00:23:32] Like, are you seeing a path where rather than this just being about providing the security
[00:23:38] and hardening for applications that you have that commercial bumper sticker for,
[00:23:42] to be able to do similarly as an MSP who's using, you know, PowerShell scripts
[00:23:46] or has started to use, you know, products like Roost or Thread that have that no-code model,
[00:23:51] they're building applications.
[00:23:53] And I think that one of the challenges that a lot of MSPs have is even if they want to,
[00:23:58] they didn't just wake up and become software developers,
[00:24:02] but they do have an obligation to ensure that that application that has been built out through that model,
[00:24:08] even Power Apps with Microsoft,
[00:24:10] to know that it's being done in a way that's secure by design, secure by default.
[00:24:17] That's a good question.
[00:24:20] There are some levels to that that I think we can impact
[00:24:23] and have a strong value proposition for.
[00:24:29] Arguably, almost, I would say with talking about the investment round,
[00:24:32] part of that is being able to make sure that we're taking the proper steps
[00:24:35] certainly for our product as well.
[00:24:37] Supply chain attacks are sort of one of those things that we're always wary of.
[00:24:40] And so being able to make sure that we're not a weak link there is important for us.
[00:24:46] Helping other companies do that as far as like building our Power Apps scripts
[00:24:50] and things like that, that people are doing internally.
[00:24:52] There's some level of it there that I think you put in safeguards,
[00:24:56] you put in guide rails to make sure that whatever is being built
[00:24:59] is going through the right channels, right funnels.
[00:25:01] Like I think we just released or we just emailed out a couple of our partners
[00:25:05] today about an NTLM vulnerability.
[00:25:07] It was a fun zero day that got posted by,
[00:25:11] what's the name of that company?
[00:25:12] I don't remember.
[00:25:15] But that was one of those things.
[00:25:16] If you have the email, you should take care of it.
[00:25:18] You should look into it for sure.
[00:25:21] But it's just one of those things where it's like,
[00:25:23] yeah, obviously we're not going to fix the software, right?
[00:25:28] We're not the developers.
[00:25:29] They're going to beg those guys to give us their source code
[00:25:31] so we can fix it for them.
[00:25:33] But we can make sure that guardrails are in place
[00:25:34] so they say like, hey, if they're trying to use an outdated networking protocol,
[00:25:37] we have that on lockdown.
[00:25:38] And then you can go back and tell that software company,
[00:25:40] well, we can't use this because you're using XYZ protocol, what have you.
[00:25:45] Well, so you bring up a really good point.
[00:25:47] And I'm going to definitely look to rely very heavily on you as a team to help us
[00:25:53] as we flesh out in the first part of 2025,
[00:25:56] that component of the Trustmark,
[00:25:58] because there's both sides of this, right?
[00:26:00] So there's the MSPs or like what you guys are doing,
[00:26:03] where they're developing in-house applications.
[00:26:05] And in a lot of cases, it makes sense.
[00:26:07] And you're seeing this happen with Microsoft Power Apps,
[00:26:10] allowing you to actually create true applications that are standalone,
[00:26:15] they come with their own mobile app, that kind of thing.
[00:26:18] It really is an app, right?
[00:26:19] And then there's the other side of it,
[00:26:21] which is more along to your point of using a PowerShell script
[00:26:24] to do something, to execute something,
[00:26:26] and is it being done correctly?
[00:26:28] And so I think there's an interesting dynamic here
[00:26:31] where in this version of the Trustmark,
[00:26:33] it's going to kind of have the, if yes, then,
[00:26:36] you also have to answer these questions.
[00:26:39] If no custom, you know, am I asking you about,
[00:26:42] are you following OWASP best practices?
[00:26:45] How many MSPs know what I'm talking about when I throw that out there?
[00:26:48] You know, is Cention following OWASP best practices?
[00:26:51] And that's not a question.
[00:26:52] I'm not asking, I'm not putting you on the spot for that,
[00:26:53] whether you are or not.
[00:26:54] I don't think that's the rule.
[00:26:56] It says you have to use their model to write secure code,
[00:26:59] but it should give some thought to it, right?
[00:27:02] Like, why are you building this application?
[00:27:04] Why do you need to connect to these things?
[00:27:06] I think that's one of the things we see a lot of is
[00:27:09] we're quick to say, oh, that's shiny and it connects to what?
[00:27:13] Okay.
[00:27:13] I would like two of those.
[00:27:14] Well, why?
[00:27:15] Because it can.
[00:27:16] Because it can do that.
[00:27:17] Therefore, I need it to do that.
[00:27:18] And I think that's one of the challenges
[00:27:20] that I know we're going to face as we go into 2025
[00:27:22] is ensuring that we're asking the right questions
[00:27:25] as we go through the trust market around things like,
[00:27:28] why are you writing PowerShell scripts?
[00:27:29] The vendor's product that you're writing PowerShell scripts for
[00:27:32] already has it built in, and yet you're writing your own.
[00:27:35] Oh, because you can.
[00:27:36] Because you can conveniently do it when you want to do it.
[00:27:40] So that's really interesting.
[00:27:41] I like that approach.
[00:27:43] We've got a few minutes left.
[00:27:44] What else would you like the listeners to know
[00:27:46] about Cention in 2025?
[00:27:49] I assume we're going to see you at more shows.
[00:27:52] We will be.
[00:27:53] We already, as opposed to Vegas.
[00:27:55] And the other piece, just to kind of note
[00:27:57] on the Cention product side, something interesting,
[00:28:00] doing the PAX 8 community effort with the CIS mappings
[00:28:05] and something we were working in that working group together
[00:28:08] was identifying what platform does what,
[00:28:11] and we kind of ignored the efficacy of that.
[00:28:14] It was more just, does platform say they do X?
[00:28:17] Checkmark, yes or no.
[00:28:18] And something we've noticed as we do proceed
[00:28:22] with growing this hardening platform,
[00:28:23] certain applications actually won't function
[00:28:27] or have all their capabilities
[00:28:28] if they're running on an actual hardened box.
[00:28:31] So the other piece that Cention's really calling out is,
[00:28:34] hey, this platform won't work
[00:28:37] unless you make this risk accepted at this setting.
[00:28:40] So we're also helping, not necessarily,
[00:28:43] this is not to what you were saying with the secure code,
[00:28:45] but we are identifying certain things at the output level
[00:28:48] that will no longer work because of a secure OS.
[00:28:52] Well, we've seen this over and over again
[00:28:53] with products just to be trivial about them
[00:28:56] as, you know, antivirus, right?
[00:28:58] Don't scan that folder because then it won't work.
[00:29:02] Well, then how do I know if something bad
[00:29:04] gets put in that folder?
[00:29:05] Well, you don't.
[00:29:07] But the flip side is the rest of the operating system,
[00:29:09] the rest of the folders on that machine
[00:29:11] can get scanned if you scan this one too.
[00:29:14] So I think that that's a really interesting statement
[00:29:16] because I think one of the things
[00:29:18] that we've been pointing out to MSPs
[00:29:19] that are going through the Trustmark
[00:29:20] and other programs, the other frameworks is,
[00:29:23] you know, just because you need it to officially meet,
[00:29:28] quote, fill in the blank level of security,
[00:29:31] well, what is the risk that you are no longer able to take
[00:29:34] to grow your business as a result of locking that down?
[00:29:39] There was a part that we broke up.
[00:29:41] So I froze for a second.
[00:29:44] You mentioned, I was asking,
[00:29:46] where might we see you in 2025?
[00:29:48] And then it went and just froze.
[00:29:52] If it froze on the recording,
[00:29:53] that was right of boom in February.
[00:29:55] We've got MSP Geek coming up.
[00:29:56] Is that a March show?
[00:29:58] March, I think.
[00:29:59] Yeah.
[00:29:59] And we are going to be doing
[00:30:01] some type of ConnectWise circuit.
[00:30:03] We're going to book a couple shows
[00:30:05] with the winnings we earned there.
[00:30:06] So that'll be really fun.
[00:30:07] So I would assume to see you in June is secure then.
[00:30:11] I would hope so.
[00:30:12] I would assume so too.
[00:30:14] I would.
[00:30:14] Yeah, hopefully our pitch coach
[00:30:16] and leader of the cohort,
[00:30:18] Sean Lardo, gives us a certain discount,
[00:30:20] maybe for winning.
[00:30:22] If you're listening, Sean,
[00:30:24] you heard it right here.
[00:30:25] And let's get this done
[00:30:26] before we hit the new year.
[00:30:28] Let me nice little Merry Christmas to you.
[00:30:33] So those are the big ones.
[00:30:35] And the other, I guess,
[00:30:36] really big note is
[00:30:37] with a little bit of this investment
[00:30:39] and growth,
[00:30:40] we are actually looking to hire
[00:30:41] a community manager
[00:30:43] so that we can better
[00:30:44] create a better circle of feedback loops
[00:30:46] and better engage.
[00:30:48] Just like with Henry sharing,
[00:30:49] you know,
[00:30:50] getting the news out
[00:30:50] a little bit quicker.
[00:30:52] This NTLM zero day that came out,
[00:30:54] you know,
[00:30:54] it had to formulate stuff
[00:30:56] on our own half,
[00:30:56] do our own testing
[00:30:57] and then get it out
[00:30:59] as quickly as we could.
[00:31:00] Sure.
[00:31:00] We don't have someone dedicated
[00:31:01] on that community side today.
[00:31:03] It's more of a something
[00:31:04] we do as we can.
[00:31:05] So part of this investment
[00:31:06] is to better prioritize that.
[00:31:08] Got it.
[00:31:09] That's great, guys.
[00:31:10] I'm really happy
[00:31:11] for the new successes
[00:31:13] and I look forward
[00:31:14] to seeing what you guys do
[00:31:16] in 2025.
[00:31:16] Thanks for being on the show.
[00:31:18] For those of you listening,
[00:31:19] this has been an episode
[00:31:20] of MSP 1337.
[00:31:22] Thanks and have a great week.
[00:31:24] Thanks.