A couple of things here before we get started. We were originally slotted, about a week ago still, for a 20-minute slot. We got bumped to an hour, so we promised not to be offended if you get up and leave after 20 minutes. So this is our talk, kind of a couple of things here to start off the conversation: early stories for us when we started a penetration testing company, things we never thought we would have to deal with. So some funny stories, hopefully you relate. So I think the first thing you should know is we own no rights to any of the images you're about to see. A couple we do. If we happen to use your image and you're upset about that, you can have half of all the money Josh made. Okay.

So who are we? Just a couple of years ago, we'll introduce ourselves here. A couple of years ago this was us, this was actually Josh. DEF CON about four years ago, five years ago. And I'm actually, by day, I teach kind of offensive security, network-based security stuff at Dakota State. And then I work as a consultant, penetration testing company. I work as a penetration tester for a company in the Midwest. And then the early stories we're going to talk about here today come from my experiences when I owned my own penetration testing business.

So this is actually a picture from DEF CON 16. That was our first year we came to DEF CON, and we showed up at 10 o'clock on Friday morning thinking it was going to take two minutes to get our badge. And that didn't work. So they said, come back later today, the new shipment's coming in at three. So at 2:45 we got in line. And they said, well, you're only about 1,500 people short from getting the next shipment. If you remember the electronic badges, they'd come in like shipments of 24, I think. It's great. So Saturday morning, be damned, we were going to sit. Like, we got to the Rio, or the Riv, sorry, the Riv, first thing and sat by a trash can with two students from actually the University of Vermont in it.
So like the running joke is like four dudes by a trash can, because people were like, are you guys really in line? It was like 7:30. Like, yeah, we're getting a badge. We're leaving tomorrow; we're getting a badge. So that's kind of our background. So that was us four years ago. This is us today. Actually, this is Josh today. That's real. That's real facial hair. All right, so we don't really dress like that in South Dakota, but I had to work this picture in because it's a great picture of Josh. So honestly, even if you think our talk is full of shit, at least you'll get a kick out of our pictures. So hopefully you enjoy.

All right, so we want to start this conversation out with this overall question, right? So you want to be a pen tester? Right? Well, so did we. So kind of getting back to the story here. Talk a little bit about the business of pen testing and some of the surprises that we ran into along the way when we were kind of going through some of this stuff. We started out, if you read the description, pretty naive, pretty much a couple of lamers trying to make a difference in the world. So I actually started a penetration testing company and then connected with Josh as the company grew to do the web, the offensive web side of things for me. I couldn't handle everything at once. So it seemed like a pretty good fit at the time, right? It seemed like we were doing some pretty fun stuff. So you want to work with me? And of course the changes. But these are pictures; you guys probably recognize some of these guys. Jared DeMott on the left there, and then Moxie and Joe Grand. They actually came out of South Dakota. So there's two things you need to know about these pictures. The first one is it's April, but for some reason the steakhouse that we're eating at has a Christmas tree in the background. Not really sure why. Even though Moxie is like, dude, this is weird, there's a Christmas tree. It runs full year. Oh, it runs full year? Okay. That's even weirder.
And then those guys are getting ready to chow down on some Rocky Mountain oysters. So that's Joe actually taking a picture of it and sending it to his wife. He's like, I don't think she's going to believe what I'm about to eat. So if you don't know what Rocky Mountain oysters are, Google it. It's a Google away. Delicacies. I think actually Jared's eating chicken gizzards, but that's not as cool. Yeah. Well, if you come to South Dakota, we'll feed you right.

All right, so anyway, we wanted to be penetration testers and so we did it. We started this company, right? And we actually very quickly realized that something was extremely wrong. Something didn't quite add up, right? And we were a little shocked at all the stuff we didn't know about, not only about running the business, and all kinds of funny things that go with that. So that was the inspiration for this particular talk. So, you know. Yeah. So I mean, you spend, I think all of us, especially with a technical background, spend your time becoming more technical and learning the latest tools and how to do things. And then you're blindsided by all this BS that you have to deal with, which you guys that have real jobs... I'm a professor too. So all you guys that have real jobs deal with all the stuff we're about to talk to, even if you're not a pen tester, but if you're a developer or a project manager. If you're a project manager, you're making a lot of this stuff. And then one other thing: this lovely, lovely assistant that we have. I'm not sure if anyone's ever had like a Vanna White or like a ring card girl in their talk, but we have one of our students, Mike, who is going to help us out today. So hopefully you get a kick out of Mike here in a little bit. So, Mike. Mike, that's your cue. I mean, if you go to DEF CON most years, there's no girls, right? I mean, there's tons of girls here this year. You know, I mean, Mike was like the sexiest thing I could come up with.
I didn't know all these girls were going to be here this year. So.

So, back to the talk, right? First thing we thought was basically we would start this penetration testing company and run a couple of tools and make millions of dollars and quit our jobs as professors. It turns out that, you know, chicks don't think that that's very cool. They don't really get that. All right, that'd be good. That's good to know. See, my wife would disagree. My wife thinks I'm bowling right now. So, lots and lots of kind of things that we thought were pretty obvious weren't obvious to us to begin with. It's going to get better. He promises it's going to get more sassy as we go.

Okay, so like everything, any type of business that you run, this goes across the board: it boils down to money with the business. We learned that very quickly, right? We didn't realize at first that so much of running a business was a money thing. Again, we had a little passion and really wanted to do something and thought that was really all that it took. You know, we thought we were going to get a couple of clients and we were going to, you know, work for a few months pen testing a client and then, you know, cash these fat checks. Turns out we actually had bills to pay, so that didn't really work. Yeah, so another thing is like, you know, obviously there's tons of good open tools; open tools are very, very, very cheap tools. But something that we found out was even like something as simple as buying a $200 Burp Suite license for all the web stuff that we do, that becomes like, really? You know, somebody's going to ask you like, $200 bucks? You need $200? Like, good lord. It's $200 for like the tool for the year that, you know, the main tool I'm going to use. So, and then kind of a funny tangent. The company we work for now, when the license for Burp, which is the tool I use mainly, came up, I had like four or five guys around my desk like, hey, I'll buy that Burp license for you. I'm like, what is going on?
Well, the company we work for, they reimburse you. So what everybody was doing is they were throwing it on their credit card and like earning reward points, like in their personal name, and then like the company's reimbursing. I'm like, oh, okay, I get it. I get it.

Issue number three. So, this was a little bit of a shock. There's only 15 issues. Yeah. This was a little bit of a shock to us when we first started out, right? Yeah, obviously everyone knows you're a penetration tester, you're doing something offensive for a client. I mean, you need an authorization form, right? Get-out-of-jail-free card, like I call it, right? So, the problem with that was that our authorization form began to get molded by the clients, right? We need to know all kinds of things from you. We need to know what IP you're coming from, when you're coming from that IP, you know, how quickly you're going to run your scans, how much bandwidth you're going to have. So, and we talk about this a little bit more a little later. And actually that whole series can be another talk. But there's all kinds of things here, right? That, I mean, if we're going to run a penetration test, we're going to run a penetration test. Let's make it something that adds security value. Well, I mean, if I'm giving you a form that says I'm coming from this IP address at this time, and I'm going to run, you know, these tools against you, well, that's not really much of a penetration. Yeah, and then, you know, the form was something that both the client and some of our management wanted. I think it was kind of a CYA in effect. You know, when we first signed up, we wanted to say like, well, give us like a 30-day window. Give us like a whole month. We won't tell you when or how or for how long or anything. And at the end of the month, then give us, you know, a couple more months to write a report. And we'll get it back to you. Now they wanted like, here's your two-hour window to start.
It needs to be done by business hours. And so, you know, those, I mean, it's something that those companies deal with, but you kind of have to, you know, fit yourself into. Yeah, so, I mean, this gets back in. We'll touch on this a little bit, right? And it's all about educating your client. And there's lots of good podcasts out. If you've been following the community at all this year, lots of good speakers have brought this issue up. So we'll come back to this.

Gillette makes a razor named after this one. It's called the Quattro. That was bad. That was bad. We might actually make him stop. Uh-oh. He's gonna disrobe. It's gonna fit. It will fit by the end of the talk. It's spandex. So just in case you can't see this, right? This is down in the corner. It's a funny little screenshot I found, which obviously somebody searched in Google, and then we have, you know, Google doing some keyword advertising for us, which is, in this case, I think, love, buy it new, used, and cheap on eBay. So... New inbox. So obviously, information gathering, it's a huge part of any penetration test. I mean, it's a massive part of anything that you do. It's a big part, obviously, of penetration testing. The problem is that it's really hard to explain to people who are all about the bottom line that you're spending, you know, six weeks doing recon on a company, because the payback is maybe a root shell, but they don't really get that. Right? So, you gotta be careful here. It's a balancing act. You need to worry about educating people inside your organization about the value of something like this.

So... Again, as I mentioned earlier, and I know there's been some great talks, and we've had a number, a number of our clients, you know, who have asked us some pretty ridiculous stuff. If you're a penetration tester, you probably have seen this or experienced this, right? But a lot of people will say, you know what I want? I want a real, real penetration test. Do me good. Yeah.
But don't hit this IP address. Don't go after this box or that service, and stay away from this range during this time. Right? All right. That doesn't make any sense. But... So, obviously, it's a bad idea. This is all about educating, which is, I think, again, something we could probably do a whole new talk on: educating your clients about how that's wrong, right? And I think, you know, one that kind of sucks, probably the worst, is, you know, they want what they think is a pen test, but they don't want any exploitation done. So... Yeah. They want like a vulnerability scan. They want a vulnerability scan or vulnerability assessment. You know, they don't want, like... the biggest, nastiest thing we can do on the web is a pop-up window with a, you know, stored cross-site script or something. And then you try to explain to them why that's bad. They're like, well, it's just a pop-up window, right? I mean, things that people were talking about five or six years ago, and they're like, well, you know, that's proof of concept that we could inject arbitrary, you know, commands. They got nothing. We might have to get rid of him.

All right. So this is one I found very early in my career, especially when I was first starting out. You know, I used to get an IP list. It literally was a form that I would get signed by a company with an IP. You know, they'd scratch something on and fax it back to me, and then I would type it into my pen testing box and then, you know, I'd scan them and run all those tools, and every time I would scan them, I would retype the IP address and inevitably I'd fat-finger something. And then the guys in suits or the ISP calls me the next day and we've been blacklisted because I have chubby fingers. So, you know, there's a number of issues here that you can run into. Be careful with this. There's some very easy technical stuff you can do. You create your IP address, you know, dynamically so you're never touching it. You put it all back on the client.
Make them fill something out so it's automatically generated. Use a firewall, obviously, you know, so you're, you know, making connections only to your target. All those things take time. You know, another one here that isn't on this slide, but we have some smaller clients who actually have a dynamic IP address. So, they might fill a form out today for a pen test six weeks from now. You're like, all right, great. And then you'll run that scan and it'll find weird things, and maybe, you know, you weren't expecting that from that client, and you'll write up the report and life is good, and you'll send in the report and they'll be like, wow. You're owning some XP no-service-pack box. Yeah. This is sweet. This is sweet. You're like, wow, these guys are great. And you give them the report and they're like, that's not even our stuff. They're like, I didn't fat-finger. Maybe we're copying, pasting, or we like to just set up like little notepad files with IPs and URLs. Well, if they have a dynamic IP, if they don't... so now what we have to do is, like, the day we're going to run the scan, call up that client back: is your IP still this IP address? Which you've just, you know, obviously sounded the alarm bells that you're about to do your thing. Which should be another issue. Trying to get a client to give you an IP address is way more difficult than you would think.

Issue seven. Are you Bulgarian? All right. There's all kinds of issues with expectations, right? This runs, again, especially... one of the first areas that we ran into this was with the concept of deadlines. People who are maybe not... maybe they know the pen testing process, but from a business standpoint, again, going back to the first one where we deal with budgets, who can't spend an infinite amount of time doing a pen test and gathering information against the target, they're worried more about the bottom line. So deadlines become this kind of huge role.
These internal expectations, and then trying to work through this issue with your management process, kind of become a really big deal, right? So in-house issues. Yeah. So some in-house issues: like, you have to know, or educate, hopefully before they talk, any sales guys or anybody who's going to talk to a potential client. So we think we have a pretty good wrangle on the guys who do sales, the guys in-house who do sales, on different levels of scans or pen tests, how long those are going to take, what the report's going to look like, sanitizing a sample report and getting that out to a potential client, and life is good. But what I would urge you to do is... anybody in the company could talk to a potential client and say all sorts of goofy things. So it might be a manager, might be a consultant, might be a financial person in the company that, you know, their uncle owns a company and promises the moon on a pen test or something. Which, I mean, it's obviously really easy the first time you talk to that person and say, no, that's not really what we do. But a little bit of education up front, just internally, will help out. So, you know, we've had all sorts of things like, you know, huge, huge, huge ranges that somebody has promised to be scanned in a matter of, I don't know, minutes or hours, which just isn't realistic to even get started. Yeah. And the other one is, like we talked about earlier, wanting more of a vulnerability assessment than a pen test is, you know, walking right up to the line where, I mean, even, you know, you have the Metasploit module locked and loaded and ready to fire and it'll reverse shell. But, you know, the rules of engagement say they actually want no actual exploitation. So you can show them, well, if we would have pushed this button, it would have done something, which, you know, that doesn't strike home with them at all. So. All right. Beginning of the thing, Michael's a bad idea. All right.
So the flip side of that... the last slide was all about... can your internal expectations, especially if you're from, you know, a company that includes multiple levels, that tends to blow up very quickly. You need to work and manage that process of whether or not you have sales people out in the field who are selling for you. You need people that understand that process, whether or not you have, you know, a business manager or somebody that's all about the bottom line. They need to understand that process and why something like information gathering is important. So the other side of that is the expectations you will have from your client. And we get a lot of stuff like, okay, so I know you just owned the box last week and you totally destroyed us, but now we fixed XYZ. You know, can you just give us a quick re-scan, right? Which, I mean, again, defeats the purpose of the pen test. And another, probably another one of our favorites is we get a lot of consultants, or not consultants, but the actual clients that will actually call us and say, you know, we're 24 hours or 48 hours into a pen test, and they'll be like, hey, you know, how's the pen test going? Can you give me an update on the pen test? Yeah, the client, yeah, we want to know how it's going. Can you give us a quick summary of the results? We haven't even generated a report. I mean, sometimes we're not even done with the actual scanning of it. So obviously that's an issue to try and deal with. Yeah, and another one is we'll work with clients who actually outsource most of their web app stuff. So if there's any issues down the road, then we end up talking with a lot of developers from other companies that built the web application. So a funny true story is we actually had a company call me. I gave my cell phone, you know, because that's the easiest way to contact me. They said, I hope it's okay, but I gave that third-party development company your cell phone in case they had any questions directly.
Like, oh boy. And no shit, I'm sitting in my garage having a beer on like a Friday afternoon at 4:30, my phone rings. And I'm the kind of guy, like, if it's an unknown number, like if it says unknown or if it's a number I don't know, I'll actually answer it. It's kind of sadistic and fun for me. So I opened it, or I opened it. I opened the beer. I opened my phone and said, you know, this is Josh and blah, blah, blah. And it was this third-party company with like four guys just foaming at the mouth around a speakerphone that wanted to talk about this vulnerability I'd found in their web application. So I'm like, okay. So I'm like trying to open a beer and talk on the phone. I'm like, you know, trying to like keep the beer sound down and talk to these people. So that's, you know, client expectations are, you know, I'm more than happy to talk to your third-party vendor. You probably shouldn't give them my cell phone number until I tell you it's okay. So.

Okay. So I know a lot of us are penetration testers in this room, or you're thinking about being a penetration tester in this room. And so everyone starts at a certain level, right? And I guess what I want to say here is, you know, I know very few penetration testers that will write their own custom exploits for everything they do, right? There's lots of good resources. We all know them out on the web. But I also know it's very easy to go out and grab, you know, stuff from the community. And if you don't know, if you don't know how to audit shellcode and you don't know how to audit the exploits that you're looking at, just, I mean, right, don't be surprised if you end up with a, you know, giving away an extra shell when you're using someone's work. So just be a little careful here. We've hit this issue ourselves. So. And how to check to see if what the shellcode did actually did what you thought it was going to do.
And if it did something you weren't, then how do you contact that bank or that insurance company or that school district and say, oh, by the way, I know we weren't supposed to do any actual exploitation, but, you know, this shell has spawned up and here's how you should log in immediately and take care of it. I know it's four o'clock on a Saturday afternoon, but yeah. All right.

This next issue is number 10. So this was another one from early on, like the fat fingers, that I did myself, which was really fun. It was like the first week on the job. Yeah, yeah. So I thought I was uber-leet and wrote this whois reverse lookup script and let it rip, and it melted down the switches in the ISP, and we ended up getting a bunch of our stuff banned, and it was not a fun phone call to make. So before you start actually, you know, deploying your own work, which kind of goes back to the slide we just had, I mean, you know, try to, try to know what you're doing. That's quick. I would repair this one. Yeah.

So this one is actually one of Josh's early, early fails. I guess this is all about fails. Yeah, like, I'm a huge Burp fanboy. Like, Daf has done a great job developing that tool. And I was using it and life was great. And I'd actually used it for like, I don't know, eight weeks. And for all you Burp users, in the spider tool, it's Peter Wiener from Wienerville, Wisconsin with, you know, the social security number. Like, basically an auto form submitter. And I mean, I had never, ever, ever looked through the actual config of the spider. I just, you know, I changed some of the, you know, parameters on threads and some of those things, but never actually looked to see what values it was using. So I think that's what Daf was actually banking on, was to put people in this situation. So we were on the job. We had been on this, not the same job, but been doing pen tests for like eight or 10 weeks.
And a company CEO calls us and wants to know why Peter Wiener has made like 400 form submissions and how classless that was. And like, okay, I mean, I couldn't argue. Like, yeah, I probably should... Peter Wiener. Yeah, you got me there. So lesson learned. So any... like, yeah, like anybody else, it's Peter Wiener now. I mean, I just, from Wienerville, Wisconsin, you know, I didn't want to, like... yeah, Daf didn't know that, even in the Queen's English, that doesn't mean wang. Okay. Yeah. Okay. So, yeah, so that was good. And so, like, when you load up a tool, especially if it's, I mean, it's a tool I knew pretty well, or know pretty well, but look through, look through those. So you're sure coming off, right? Yeah.

So this one is obviously one you need to be a little careful of. People tend to recycle a lot of data. I think this is pretty self-evident to everybody in this room. But the people you're going to go back and work with or the people you're going to start a company with, they don't always get this point. So when it comes time for a machine to get recycled or something to be turned over and cash out a little bit of equity on, it's not worth it. All right. And this one you can also, you can also be a little bit careful here too, folks. I would just tell you, when you talk about your reports, right, most of you will probably run your pen testing from a box or two boxes or a dozen boxes or whatever it is. Those particular things, not only do you not want them on eBay, right? Forensically, you don't want them on eBay, but the reports that you generate each time, you have to be a little careful, obviously, right? Sensitive stuff. Many of you are probably running around, you know, using a great distro like BackTrack or something, but you're running a lot of hacker processes. And if you go back to some of the stuff we just talked about, you're downloading exploits, right? Just be careful, that's all I'm saying.
And another one on the reporting side is something that a client always wants to see before they sign up is, well, what does a sample report look like? You wouldn't imagine, I mean, it's hard to imagine the amount of work it takes to sanitize a report and actually have that report still maybe show something that you could do. So we actually went through like three or four iterations of a sample pen test report, you know, still with the fancy graphs and the pie charts and all the network stuff and the web stuff, but something that we could show a potential client that says, here's the kind of stuff you're going to get, without them saying like, oh, that's the law firm downtown. So I mean, it's actually way, way more work than it's worth, I mean, sort of like using the scratch-out tool in Paint. Which we all love, Paint. But you like that mic not on? Nope. Oh, number 13. Ava, Ava, you guys love you.

So I've been on both sides of this. Before I came back to academics, before I started the penetration testing company and became a consultant, pen testing consultant, I was on the defensive side of things. And so this one, this one touches home to me a lot because I was very protective of my networks as a sysadmin, especially as a security-labeled sysadmin, right? And so this one, this one, you just got to be careful how you present it, but sometimes that's the way it goes. Yeah, and this one, you know, something really great, I think, for most pen testing firms is to provide some sort of feedback above and beyond the report. I mean, the report is the exhaustive, you know, go-to resource at many different levels in that organization. The CEO can read it. The manager can read it. The developers or the network guys can read it. But, you know, giving those people the green light and saying, if you want to discuss your reports or your findings, you know, let's do that. And I think that's a great, a great thing.
But that's also the time you get the sysadmin or the developer, just with sharpened elbows on the other side of the phone, you know, ready to, ready to, you know, take you down. I mean, that's just part of it. You have to go into that with, you know, try not to offend them or anything. Oh, this is kind of a related one, Mike. You can stay down on this one. This one is, you know, 13B, is actually, you know, most... and we do this with the firm we work for now, is pen testing our internal systems. So, you know, I always call it like working the forbidden speed bag. So, you know, just like any sysadmin from another company, your own developers or your own sysadmins will take it really, really personal if you find something on their systems or if you put up a snarky pop-up box like this on their web app and, you know, send them the report, and ha ha, funny, funny, funny. The only difference is instead of being like thousands of miles away on a phone, they like walk around the corner. Like, what the fuck, man? You know, so like, okay. You can be as snarky as you want with your pop-up boxes. Yeah, I think it's a side point there. I mean, the point here, again, is, I mean, you're a PT firm. You should either get another good PT firm to come at you or make sure, at the very least, make sure you're doing it yourself.

All right, so eventually we found out, which we didn't realize. Issue 14. You got something good? I don't really have a card for this one, but, you know... Did you shave it into your back? I'm not as hairy as you. Okay, okay. So, issue 14. Oh, now you're sad. All right, here we go. So, this was a big shock to us, right? We thought, you know, we were going to be these leet hackers and print the money in the basement and do all these fun things. That's all we had to do. It turns out report writing is a massive component to what you do. Yeah, it also sucks. Right, because unlike a lot of the jobs in IT, pen testing, almost everything we do, right, is behind the scenes.
It's not like a manager can call up and say, you know, give me a metric on how many lines of code your department wrote today or something like that. I mean, it's a different beast to handle. And so, a lot of times, as many of you know, the pen testing report is the final outcome. It's the final thing that your client will see. It represents you almost in your entirety. So, it becomes a big deal. Yeah, so, I mean, we've gone everywhere from writing this thing completely manually... or by us, I mean other workers that work with us... to try and automate that as much as we can. And by we, I mean other workers that work for us. So, I mean, this is something that you have to do. So, yeah, it's just kind of the... Do it right. Make sure you do it. You do it right. I'm sure most of you know this. When it comes to report writing, we try to tell... We're from South Dakota, very ag-based. So, we try to provide our reports in three levels. The top being one that you can give to any farmer and have them at least make sense of it somehow, right? Which is very difficult to do. The second one being a more executive technical summary for the technical managers. And then the third one being some very detailed stuff that the sysadmin security people can really dig into. And you can kind of see the progression there. Everyone does it a little different. But it's a huge part of your job that I guess we didn't really expect.

Once again, no card. No card. So, obviously one of the issues, this is again more dealing with the client expectations. When we talk about that type of thing, one of the things that you need to really understand, and I know this isn't the audience maybe to try and preach this to, because we all get this, but your clients don't understand that, right? They're going to pay X number of dollars for a penetration test. Once they pay those X number of dollars, that pen test, they're going to assume that you are now liable for their security for however long, right?
And so, that's just not the way it works, right? I think another one is the company might pay a lot of money for a pen test that doesn't do much. It might be some automated tools, a little bit of manual digging around, a little bit of manual prodding, and for them to check the box, that's enough. And you're leaving a lot of goods on the table. A lot of things, a lot of tools, a lot of techniques that you never even got to try. So that's kind of a bummer from your perspective, because you want to dig in and you want to have 90 days with these people and you want to thrash them around a little bit, whereas they want it to kick off at four o'clock on a Thursday and by Monday they want the report and they want all green check marks and life is good. So that's a big education thing, is that we didn't do everything we could or everything we wanted to do. So you're only as secure as the things we did at that moment in time, which wasn't much for very long.

Right, so I think probably the biggest takeaway that we had for us, the big eye-opener, as people who started a PT business and now work as PT consultants, in all seriousness, was this concept of the PT that wasn't, I call it, which basically means I'm shocked at the level of education I have to provide to my clients about: what you really are asking me for is a vulnerability scan. You want me to spend a week running some automated tools against you and then you want to call that a penetration test. But that's not... I mean, don't sleep better at night knowing that, because that's not a penetration test, okay? So I think that's probably, for me, the biggest thing that I didn't understand in penetration testing. And I think related to that, a lot of the industries that these companies are in, that does count as a penetration test. They're a standardized institution such as a bank or a hospital, more and more.
I mean, they have standards written by non-technical people that say a pen test, or a technical experiment against your network and systems, means these things. And those four check boxes basically add up to a vulnerability assessment or vulnerability scan. It's not a pen test. It's not what any of us would define as a pen test, but that's what the company wants. So I think a lot of times in our case, I mean, it's a balancing act for us to provide what management wants, fighting back against that or pushing back against that, and then also providing realistic value to the clients. We're not hardcore leet pen testers. There's lots of great people I know in the industry and I just want to give a couple of heads up. If you're looking for hardcore stuff, look at, like, Eric Smith here. So there's some other guys, Attack Research. I know Josh does some stuff with Dafydd Stuttard on Burp Suite. There's lots of really great things out there. Just be educated in how you work and how you get this stuff. And that's all we have. That was a 35-minute, 20-minute talk. If you have questions, we're more than happy to stick around. If you want to get a head start on your next destination, that's perfectly okay. Thanks for coming. Have a good day, have a good con.