John Furrier: Hello, I'm John Furrier with theCUBE and welcome to this special presentation of theCUBE and Horizon3.ai. They're announcing a global partner-first approach expanding their successful pen testing product, Node Zero. You're going to hear from leading experts on their staff, their CEO, positioning themselves for a successful channel, distribution, expansion internationally in Europe, Middle East and Africa, and Asia Pacific. In this CUBE special presentation, you'll hear about the expansion, the expanded partner program, giving partners a unique opportunity to offer Node Zero to their customers. Innovation in pen testing is going international with Horizon3.ai. Enjoy the program.

John Furrier: Welcome back everyone to theCUBE and Horizon3.ai special presentation. I'm John Furrier, host of theCUBE. We're here with Jennifer Lee, head of channel sales at Horizon3.ai. Jennifer, welcome to theCUBE, thanks for coming on.

Jennifer Lee: Great, well thank you for having me.

John Furrier: So big news around Horizon3.ai driving a channel-first commitment. You guys are expanding the channel partner program to include all kinds of new rewards, incentives, training programs to help educate partners to really drive more recurring revenue. Certainly cloud and cloud scale has done that. You've got a great product that fits into that kind of channel model, great services you can wrap around it, good stuff. So let's get into it. What are you guys doing? What are you guys doing with this news? Why is this so important?

Jennifer Lee: Yeah, for sure. So, yeah, like you said, we recently expanded our channel partner program. The driving force behind it was really just to align our, like you said, our channel-first commitment and to create awareness around the importance of our partner ecosystems. So that's really how we go to market, it's through the channel.

John Furrier: And a great international focus. I've talked with the CEO about the solution and he broke down all the action and why it's important on the product side. But why now on the go-to-market change? What's the why behind this news on the channel?

Jennifer Lee: Yeah, for sure. So we are doing this now really to align our business strategy, which is built on the concept of enabling our partners to create a high-value, high-margin business on top of our platform. And so we offer a solution called Node Zero. It provides autonomous pentesting as a service and it allows organizations to continuously verify their security posture. So our company vision, we have this tagline that states that our pentesting enables organizations to see themselves through the eyes of an attacker. And we use the attacker's perspective to identify exploitable weaknesses and vulnerabilities. So we've created this partner program from the perspective of the partner. So the partner's perspective, we've built it through the eyes of our partner, right? So we're prioritizing really what the partner is looking for and what will ensure mutual success for us.

John Furrier: Yeah, the partners always want to get in front of the customers and bring new stuff to them. Pentests have traditionally been really expensive. And so bringing it down to a service level that's, one, affordable and has flexibility to it allows a lot of capability. So I imagine people are going to get excited by it. So I have to ask you about the program. What specifically are you guys doing? Can you share any details around what it means for the partners, what they get, what's in it for them? Can you just break down some of the mechanics and mechanisms or details?

Jennifer Lee: Yeah, yep. So, you know, we're really looking to create business alignment and, like I said, establish mutual success with our partners. So we've got two key elements that we were really focused on that we bring to the partners. So the opportunity, the profit margin expansion is one of them, and a way for our partners to really differentiate themselves and stay relevant in the market. So we've restructured our discount model, really, you know, highlighting profitability and maximizing profitability. And this includes our deal registration. We've created a deal registration program. We've increased the discount for partners who take part in our partner certification trainings. And we have some other partner incentives that we've created that are gonna help out there. We've put this all together. So we've recently gone live with our partner portal. It's a consolidated experience for our partners where they can access our sales tools. And we really view our partners as an extension of our sales and technical teams. And so we've extended all of our training material that we use internally. We've made it available to our partners through our partner portal. We've, I'm thinking back now, what else is in that partner portal? We've got our partner certification information. So all the content that's delivered during that training can be found in the portal. We've got deal registration, co-branded marketing materials, pipeline management. And so this portal gives our partners one-stop place to go to find all that information. And then just really quickly on the second part that I mentioned, our technology really is disruptive to the market. So, like you said, autonomous pen testing, it's still a relatively new topic for security practitioners and it's proving to be really disruptive. So on top of that, recently we found an article by MarketsandMarkets that reports that the global pen testing market is really expanding. And so it's expected to grow to like 2.7 billion by 2027. So the market's there, right? The market's expanding, it's growing. And so for our partners, it just really allows them to grow their revenue across their customer base, expand their customer base, and offer this high profit margin while getting in early to market on this disruptive technology.

John Furrier: Big market, a lot of opportunities to make some money. People love to put more margin on those deals, especially when you can bring a great solution that everyone knows is hard to do. So I think that's going to provide a lot of value. Is there a type of partner that you guys see emerging or you're aligning with? You mentioned you aligned with the partners. I can see how all the training and incentives are all there. Sounds like it's all going well. Is there a type of partner that's resonating the most? Or are there categories of partners that can take advantage of this?

Jennifer Lee: Yeah, absolutely. So we work with all different kinds of partners. We work with our traditional resale partners. We're working with systems integrators. We have a really strong MSP, MSSP program. We've got consulting partners, and the consulting partners, especially the ones that offer pen test services. So they use us as, we act as a force multiplier, and we're just really offering them a profit margin expansion opportunity there. We've got some technology partners that we really work with for co-sell opportunities. And then we've got our cloud partners. You mentioned that earlier. And so we are in AWS Marketplace, we have our CPPO partners. We're part of the ISV Accelerate program. So we're doing a lot there with our cloud partners. And of course we go to market with distribution partners as well.

John Furrier: Got a lot of opportunity for more margin expansion. And every kind of partner wants to put more gross profit on their deals. Is there a certification involved? I have to ask, do people get certified or is it self-paced training? Is it in person? How are you guys doing the whole training certification thing? Is that a requirement?

Jennifer Lee: Yeah, absolutely. So we do offer a certification program and it's been very popular. This includes a seller's portion and an operator portion. And so this is at no cost to our partners and we offer it both virtually. It's live, it's virtual but live. It's not self-paced. And we also have in-person sessions as well. And we also can customize these for any partners that have a large group of people, and we can do one in person or virtually just specifically for that partner.

John Furrier: What about any kind of incentive opportunities and marketing opportunities? Everyone loves to get the deals just kind of rolling in, leads. From what we can see in our earlier report, this looks like a hot product. Price-wise, service-level-wise, what incentives are you guys thinking about, and joint marketing? You mentioned co-sell earlier and pipeline. So I was kind of honing in on that piece.

Jennifer Lee: Sure. And then to follow along with our partner certification program, we do incentivize our partners there: if they have a certain number certified, their discount increases. So that's part of it. We have our deal registration program that increases the discount as well. And then we do have some partner incentives that are wrapped around meeting setting and moving opportunities along to proof of value.

John Furrier: Got to love the education, driving value. I have to ask you, so you've been around the industry, you've seen the channel, relationships out there, you've seen companies, old school, new school. Horizon3.ai is kind of like that new school, very cloud-specific, a lot of leverage with what you mentioned, AWS and all the clouds. Why is the company so hot right now? Why did you join them? And why are people attracted to this company? What's the attraction? What's the vibe? What do you see and what did you see in this company?

Jennifer Lee: Well, this is just, like I said, it's very disruptive. It's really in high demand right now. And just because it's new to market and a newer technology, we can collaborate with a manual pen tester. We can allow our customers to run their pen test with no specialty teams. And then, like I said, we can allow our partners to actually build businesses, profitable businesses. They can use our product to increase their services revenue and build their business model around our services.

John Furrier: What's interesting about the pen test thing is that it's very expensive and time-consuming. The people who do them are very talented people that could be working on really bigger things at the customer.

Jennifer Lee: Absolutely.

John Furrier: So bringing this into the channel allows them, if you look at the price delta between a pen test and then what you guys are offering, I mean, that's a huge margin gap between the street price of, say, today's pen test and what you guys offer. When you show people, do they say too good to be true? I mean, what are some of the things that people say when you kind of show them that? Are they like scratching their head like, come on, what's the catch here?

Jennifer Lee: Right, so the cost savings is huge for us. And then also, like I said, working as a force multiplier with a pen testing company that offers the services, so they can do their manual pen test that may be required around compliance regulations. And then we can act as the continuous verification of their security that they can run weekly. And so it's just an addition to what they're offering already and an expansion.

John Furrier: So Jennifer, thanks for coming on theCUBE. Really appreciate you coming on, sharing the insights on the channel. What's next? What can we expect from the channel group? What are you thinking? What's going on?

Jennifer Lee: Right, so we're really looking to expand our channel footprint. And very strategically, we've got some big plans for Horizon3.ai.

John Furrier: Awesome. Well, thanks for coming on. Really appreciate it. You're watching theCUBE, the leader in high tech enterprise coverage.

John Furrier: And welcome to theCUBE's special presentation with Horizon3.ai. With Rainer Richter, vice president of EMEA, Europe, Middle East and Africa, and Asia Pacific, APAC, Horizon3.ai. Welcome to this special CUBE presentation.
Thanks for joining us.

Rainer Richter: Thank you for the invitation.

John Furrier: So Horizon3.ai driving global expansion, big international news with a partner-first approach. You guys are expanding internationally. Let's get into it. You guys are driving this new expanded partner program to new heights. Tell us about it. What are you seeing in the momentum? Why the expansion? What's all the news about?

Rainer Richter: Well, I would say internationally we have, I would say, a similar situation like in the US. There is a global shortage of well-educated penetration testers on the one hand. On the other side, we have a rising demand for network and infrastructure security. And with our approach of autonomous penetration testing, I believe we are totally on top of the game, especially as we are also now starting with an international instance. That means, for example, if a customer in Europe is using our service Node Zero, he will be connected to a Node Zero instance which is located inside the European Union. And therefore he doesn't have to worry about the conflict between the European GDPR regulations versus the US CLOUD Act. And I would say there we have a totally good package for our partners so that they can provide differentiators to their customers.

John Furrier: You know, we've had great conversations here on theCUBE with the CEO and the founder of the company around the leverage of the cloud and how successful that's been for the company. And obviously I can just connect the dots here, but I'd like you to weigh in more on how that translates into the go-to-market here, because you've got great cloud scale with the security product you guys are having success with. Great leverage there. I've seen a lot of success there. What's the momentum on the channel partner program internationally? Why is it so important to you? Is it just the regional segmentation? Is it the economics? Why the momentum?

Rainer Richter: Well, there are multiple issues. First of all, there is a rising demand for penetration testing. And don't forget that internationally we have a much higher number or percentage of SMB and mid-market customers. So these customers typically, most of them didn't even have a pen test once a year. So for them, pen testing was just too expensive. Now with our offering, together with our partners, we can provide different ways for customers to get an autonomous pen test done more than once a year with even lower costs than they had with a traditional manual pen test. And that is because we have our Consulting Plus package, which is typically for pen testers. They can go out and do their pen tests much faster, much quicker, at many customers one after the other. So they can do more pen tests at a lower, more attractive price. On the other side, there are others, or even the same ones, who are providing Node Zero as an MSSP service. So they can go after SMB customers saying, okay, you only have a couple of hundred IP addresses. No worries, we have the perfect package for you. And then you have, let's say, the mid-market, let's say there are a thousand and more employees, then they might even have an annual subscription, very traditional. But for all of them, it's all the same. The customer or the service provider doesn't need a piece of hardware. They only need to install a small Docker container and that's it. And that makes it so smooth to go in and say, okay, Mr. Customer, we just put this virtual attacker into your network and that's it, and all the rest is done. And within three clicks they can act like a pen tester with 20 years of experience.

John Furrier: And that's going to be very channel friendly and partner friendly, I can almost imagine. So I have to ask you, and thank you for calling out that breakdown and segmentation. That was very helpful for me to understand. But I want to follow up, if you don't mind: what type of partners are you seeing the most traction with and why?

Rainer Richter: Well, I would say at the beginning, typically you have the innovators, the early adopters, typically boutique-size partners. They start because they are always looking for innovation. Those are the ones, they start in the beginning. So we have a wide range of partners, mostly even managed by the owner of the company. So they immediately understand, okay, there is the value, and they can change their offering. They're changing their offering in terms of penetration testing because they can do more pen tests and they can then add other ones. Or we have those ones who offer pen test services but did not have their own pen testers. So they had to go out on the open market and source pen testing experts to get the pen test at a particular customer done. And now with Node Zero, they are totally independent. They can go out and say, okay, Mr. Customer, here's the service, that's it. We turn it on and within an hour you're up and running totally.

John Furrier: And those pen tests are usually expensive and hard to do. Now it's right in line with the sales delivery. It's pretty interesting for a partner.

Rainer Richter: Absolutely, but on the other hand, we are not killing the pen testers' business. What we're providing with Node Zero, I would call something like the foundation work. The foundation work of having ongoing penetration testing of the infrastructure, the operating system, and the pen testers themselves can concentrate in the future on things like application pen testing, for example. So those services we're not touching. So we are not killing the pen test market. We're just taking away the ongoing, let's say foundation work, call it that way.

John Furrier: Yeah, yeah, that was one of my questions I was gonna ask. There's a lot of interest in this autonomous pen testing. One, because it's expensive to do, because those skills that are required are in need and they're expensive. So you kind of cover the entry level and the blockers that are in there. I've seen people say to me, this pen test becomes a blocker for getting things done. So there's been a lot of interest in the autonomous pen testing for an organization to have that posture. And it's an overseas issue too, because now you have that ongoing thing. So can you explain that particular benefit for an organization to have that continuous verification of an organization's posture?

Rainer Richter: Certainly. So I would say typically you have to do your patches. You have to bring in new versions of operating systems, of different services, of components, and they are always bringing new vulnerabilities. The difference here is that with Node Zero, we are telling the customer or the partner which are the executable vulnerabilities, because previously they might have had a vulnerability scanner. So this vulnerability scanner brought up hundreds or even thousands of CVEs, but didn't say anything about which of them are really executable. And then you need an expert digging into one CVE after the other, finding out, is it really executable? Yes or no. And that is where you need highly paid experts, of which we have a shortage. So with Node Zero now we can say, okay, we tell you exactly which ones are the ones you should work on, because those are the ones which are executable. We rank them according to the risk level, how easily they can be used. And then the good thing, in contrast to the traditional penetration test, they don't have to wait for a year for the next pen test to find out if the fixing was effective. They just run the next scan and say, yes, closed. Vulnerability is gone.

John Furrier: The time is really valuable, and if you're doing any DevOps, cloud native, you're always pushing new things. So ongoing pen testing is actually a benefit just in general as a kind of hygiene. So really, really interesting solution, and really bringing that global scale is going to be a new coverage area for us for sure. I have to ask you, if you don't mind answering, what particular region are you focused on or plan to target for this next phase of growth?

Rainer Richter: Well, at this moment, we are concentrating on the countries inside the European Union plus the United Kingdom. And, of course, logically, I'm based in the Frankfurt area. That means we cover more or less the countries just around. So it's like the so-called DACH region, Germany, Switzerland, Austria, plus the Netherlands. But we also already have partners in the Nordics, like in Finland and Sweden. So it's rapidly, we have partners already in the UK, and it's rapidly growing. So for example, we are now starting with some activities in Singapore and also in the Middle East area. Very important, depending on, let's say, the way to do business currently, we try to concentrate on those countries where we can have, let's say, at least English as an accepted business language.

John Furrier: Great, is there any particular region you're having the most success with right now? It sounds like the European Union is kind of the first wave? What's the-

Rainer Richter: Yes, that's the first, definitely. That's the first wave. And now we're also getting the European instance up and running. It's clearly our commitment also to the market, saying, okay, we know there are certain dedicated requirements and we take care of this, and we're just launching, we're building up this one, the instance in the AWS Service Center here in Frankfurt, also with some dedicated hardware in a data center in Frankfurt, where we have, by the way, the highest internet interconnection bandwidth on the planet. So we have very short latency to wherever you are on the globe.

John Furrier: That's a great call-out to benefit too. I was going to ask that. What are some of the benefits your partners are seeing in EMEA and Asia Pacific?

Rainer Richter: Well, I would say the benefits for them, it's clearly they can talk with customers and can offer customers penetration testing, which they before didn't even think about, because penetration testing in a traditional way was simply too expensive for them, too complex. The preparation time was too long. They didn't even have the capacity to support an external pen tester. Now with this service, you can go in and even say, Mr. Customer, we can do a test with you in a couple of minutes. Within, we have installed a Docker container, within 10 minutes we have the pen test started. That's it. And then we just wait. And I would say we are seeing so many aha moments then on the partner side when they see Node Zero working the first time. It's like, wow, that is great. And then they walk out to customers and show it to their, typically at the beginning, mostly the friendly customers. Like, wow, that's great. I need that. And I would say the feedback from the partners is that this is a service where I do not have to evangelize the customer. Everybody understands penetration testing. I don't have to describe what it is. The customer understands immediately. Yes, penetration testing, heard about it. I know I should do it, but too complex, too expensive. Now with an MSSP service, for example, provided by one of our partners, it's getting easy.

John Furrier: Yeah, and it's a great, great benefit there. I mean, I gotta say, I'm a huge fan of what you guys are doing. I like this continuous automation. That's a major benefit. For anyone doing DevOps or any kind of modern application development, this is just a godsend for them. This is really good. And like you said, the pen testers that are doing it, they were kind of coming down from their expertise to kind of do things that should have been automated. They get to focus on the bigger-ticket items. That's a really big point.
So we free them, we free the pen testers for the higher level elements of the penetration testing segment. And that is typically than the application testing, which is currently far away from being automated. Yeah, and that's where the most critical workloads are. And I think this is the nice balance. Congratulations on the international expansion of the program and thanks for coming on this special presentation, really appreciate it. Thank you. You're welcome. Okay, this is theCUBE's special presentation. You know, checking out pen test automation, international expansion, horizon3.ai, really innovative solution. In our next segment, Chris Hill, Sector Head for Strategic Accounts will discuss the power of horizon3.ai and Splunk in action. You're watching theCUBE, the leader in high tech enterprise coverage. Welcome back everyone to theCUBE and horizon3.ai special presentation. I'm John Furrier, host of theCUBE. We are Chris Hill, Sector Head for Strategic Accounts and Federal at horizon3.ai, great innovative company. Chris, great to see you. Thanks for coming on theCUBE. Yeah, like I said, you know, great to meet you, John. Long time listener, first time caller. So excited to be here with you guys. Yeah, we were talking before camera, you were at Splunk back in 2013. And I think 2012 was our first Splunk.com. And boy, man, you know, talk about being in the right place at the right time. Now we're at another inflection point and Splunk continues to be relevant and continuing to have that data, driving security and that interplay and your CEO, former CTO of Splunk as well, at horizon3.ai, who's been on before. Really innovative product you guys have, but you know, don't wait for a brief to find out if you're log on and write data. This is the topic of this thread. Splunk is very much part of this new international expansion announcement with you guys. 
Tell us, what are some of the challenges that you see where this is relevant for the Splunk and horizon.ai as you guys expand node zero out internationally? Yeah, across so, you know, my role within Splunk was working with our most strategic accounts. And so I look back to 2013 and I think about the sales process, like working with our Splunk customers. You know, it was still very siloed back then. Like I was selling to an IT team that was either using us for IT operations. We generally would always even say, yeah, although we do security, we weren't really designed for it. We're in a log management tool. And I'm sure you remember back then, John, we were like sort of stepping into the security space and in the public sector domain that I was in, you know, security was 70% of what we did. When I look back to sort of the transformation that I was witnessing in that digital transformation, you know, when you look at like 2019 to today, you look at how the IT team and the security teams have been forced to break down those barriers that they used to sort of be siloed away, would not communicate one. You know, the security guys would be like, oh, this is my box, IT you're not allowed in. Today, you can't get away with that. And I think that the value that we bring to, you know, and of course Splunk has been a huge leader in that space and continues to do innovation across the board. But I think what we're seeing in the space, and I was talking with Patrick Coughlin, the SVP of security markets about this is that, you know, what we've been able to do with Splunk is build a purpose-built solution that allows Splunk to eat more data. So Splunk himself, as you well know, it's an ingest engine, right? The great reason people bought it was you could build these really fast dashboards and grab intelligence out of it. But without data, it doesn't do anything, right? So how do you drive and how do you bring more data in? 
And most importantly, from a customer perspective, how do you bring the right data in? And so if you think about what node zero and what we're doing on a horizon three is that, sure, we do pen testing, but because we're an autonomous pen testing tool, we do it continuously. So this whole thought of being like, oh, crud, like my customers, oh yeah, we got a pen test coming up, it's gonna be six weeks away, oh yeah, you know, and everyone's gonna sit on their hands, call me back in two months, Chris, we'll talk to you then, right? Not a real efficient way to test your environment. And shoot, we saw that with Uber this week, right? You know, and that's a case where we could have helped. But just real quick, explain the Uber thing, because it was a contractor, just give a quick highlight of what happened so you can connect the dots. Yeah, no problem. So it was, I think it was one of those, you know, games where they would try and test an environment. And what the pen tester did was he kept on calling them MFA guys, being like, I need to reset my password, read it and set my password. And eventually the customer service guy said, okay, I'm resetting it. Once he had reset and bypassed the multi-factor authentication, he then was able to get in and get access to the domain area that he was in, or not the domain, but he was able to gain access to a partial part of the network. He then paralleled over to what would I assume is like a VMWare or some virtual machine that had notes that had all of the credentials for logging into various domains. And so within minutes, they had access. And that's the sort of stuff that we do. A lot of these tools, like, you think about the cacophony of tools that are out there in a ZTA architecture, right? I'm gonna get like a Z scale or I'm gonna have Octom and I have a Splunk. I'm gonna use a source system. I don't mean to name names, you're gonna have CrowdStriker or Sentinel-1 in there. 
It's just, it's a cacophony of things that don't work together. They weren't designed to work together. And so we have seen so many times in our business through our customer support and just working with customers when we do their pentests that there will be 5,000 servers out there, three are misconfigured. Those three misconfigurations will create the open door. Cause remember, the hacker only needs to be right once. The defender needs to be right all the time. And that's the challenge. And so that's why I'm really passionate about what we're doing here at Horizon 3. I see this, my digital transformation, migration and security going on, which we're at the tip of the spear. It's why I joined Sehaal coming on this journey and just super excited about where the path's going and super excited about the relationship with Splunk. I can get into more details on some of the specifics of that. But, you know, great. Well, you're nailing it. I mean, we've been doing a lot of things around super cloud and this next gen environment. We're calling it next gen. You're really seeing DevOps, obviously DevSecOps has already won. The IT role has moved to the developer. Shift left is an indicator of that. It's one of the many examples. Higher velocity code, software supply chain. You hear these things. That means that IT is now in the developer hands. IT is replaced by the new ops, data ops teams and security, where there's a lot of horizontal thinking to your point about access. There's no more perimeter. So there's a huge, 100% right is really right on. I don't think it's one time. You know, to get in there, once you're in, then you can hang out, move around, move laterally. Big problem. Okay, so we get that. Now the challenge is for these teams as they are transitioning organizationally, how do they figure out what to do? Okay, this is the next step. They already have Splunk. So now they're kind of in transition while protecting for 100% ratio of success. 
So how would you look at that and describe the challenges? What do they do? What are the teams facing with their data? And what's next? What are they, what action do they take? So let's do some vernacular that folks will know. So if I think about DevSecOps, right? We both know what that means that I'm gonna build security into the app. I don't really talks about SecDevOps, right? How am I building security around the perimeter of what's going inside my ecosystem and what are they doing? And so if you think about what we're able to do with somebody like Splunk, is we can pentest the entire environment from soup to nuts, right? So I'm gonna test the end points through the IT. I'm gonna look for misconfigurations. I'm gonna look for credentials, suppose credentials. I'm gonna look for anything I can in the environment. Again, I'm gonna do it at light speed. And what we're doing for that SecDevOps space is to, did you detect that we were in your environment? So did we alert Splunk or the Sim that there's someone in the environment laterally moving around? Did they more importantly, did they log us into their environment? And when did they detect that log to trigger that log? Did they alert on us? And then finally, most importantly for every CISO out there is gonna be, did they stop us? And so that's how we do this. And I think when speaking with Stay Hall before, we've come up with this Boyle's Oodaloo but we call it Fine Fix Verify. So what we do as we go in is we act as the attacker, right? We act in a production environment. So we're not gonna be, we're a passive attacker but we will go in uncredentialed, unagent but we have to assume, have an assumed breach model which means we're gonna put a Docker container in your environment and then we're going to fingerprint the environment. So we're gonna go out and do an asset survey. Now that's something that's not something that Splunk does super well. So can Splunk see all the assets? Do the same assets marry up? 
We're gonna log all that data and they can then put, load that into the Splunk SIEM or the Splunk logging tools just to have it in enterprise, right? That's an immediate feature add that they've got. And then we've got the fix. So once we've completed our pen test, we are then gonna generate a report and we can talk about these in a little bit later but the reports will show an executive summary, the assets that we found which would be your asset discovery aspect of that, a fix report and the fix report, I think is probably the most important one. It will go down and identify what we did, how we did it and then how to fix that. And then from that, the pen tester or the organization should fix those. Then they go back and run another test and then they validate like a change detection environment to see, hey, did those fixes take place? And you know, Snehal, when he was the CTO of JSOC, he shared with me a number of times about it. He's like, man, there would be 15 more items on next week's punch sheet that we didn't know about. And it has to do with how they were prioritizing the CVEs and whatnot, because they would take all CVEs that were critical or non-critical and it's like, we are able to create context in that environment that feeds better information into Splunk and whatnot. That was a lot. That brings up the efficiency for Splunk, specifically the teams out there. By the way, the burnout thing is real. I mean, this whole, I just finished my list and I got 15 more or whatever the list just keeps growing. How did Node Zero specifically help Splunk teams be more efficient? Like that's the question I want to get at because this seems like a very scalable way for Splunk customers and teams, service teams, to be more efficient. So the question is, how does Node Zero help make Splunk, specifically their service teams be more efficient? So today, in our early interactions with building Splunk customers, we've seen five things. 
And I'll start with sort of identifying the blind spots. So kind of what I just talked about with you, did we detect, did we log, did we alert, did they stop Node Zero, right? And so I would put that at a more layman's third grade term. And I think if I was going to be the fifth grader at this game would be, we can be the sparring partner for a Splunk enterprise customer, a Splunk essentials customer, someone using Splunk SOAR or even just an enterprise Splunk customer that may be a small shop with three people and just wants to know, where am I exposed? So by creating and generating these reports and then having the API that actually generates the dashboard, they can take all of these events that we've logged and log them in. And then where that then comes in as number two is how do we prioritize those logs, right? So how do we create visibility to logs that have critical impacts? And again, as I mentioned earlier, not all CVEs are high impact and also not all are low. Right? So if you daisy chain a bunch of low CVEs together, boom, I've got a mission critical CVE that needs to be fixed now, such as a credential moving to an NT box that's got a text file with a bunch of passwords on it. That would be very good. And then third would be verifying that you have all of the hosts. So one of the things that Splunk's not particularly great at and they'll elevate themselves, they don't do asset discovery. So dude, what assets do we see and what are they logging from that? And then for every event that they are able to identify, one of the cool things that we can do is actually create this low code, no code environment. So they could let, you know, Splunk customers can use Splunk SOAR to actually triage events and prioritize that events or whether they're being routed within it to optimize the SOC team time to market or time to triage any given event, obviously reducing MTR. 
And then finally, I think one of the neatest things we'll be seeing us develop is our ability to build glass tables. So behind me, you'll see one of our triage events and how we build a Lockheed Martin kill chain on that with a glass table, which is very familiar to the Splunk community. We're going to have the ability and not too distant future to allow people to search, observe on those IOCs. And if people aren't familiar with the IOC, it's an incident of compromise. So that's a vector that we want to drill into. And of course, who's better at drilling into data than Splunk? Yeah, this is a critter. This is an awesome synergy there. I mean, I can see a Splunk customer going, man, this just gives me so much more capability, actionability, and also real understanding. And I think this is what I want to dig into if you don't mind understanding that critical impact, okay, is kind of where I see this coming. Got the data, data ingest, now data is data, but the question is what not to log, you know, where are things misconfigured? These are critical questions. So can you talk about what it means to understand critical impact? Yeah, so I think, you know, going back to those things that I just spoke about, a lot of those CVEs where you'll see low, low, low, and then you daisy chain them together and you're suddenly like, oh, this is high now. But then to your other impact of like, if you're a Splunk customer, you know, and I had several of them. I had one customer that, you know, terabytes of McAfee data being brought in. And it was like, all right, there's a lot of other data that you probably also wanna bring but they could only afford to do certain data sets because that's, and they didn't know how to prioritize or filter those data sets. And so we provide that opportunity to say, hey, these are the critical ones to bring in, but there's also the ones that you don't necessarily need to bring in because low CVE in this case really does mean low CVE. 
Like an iLO server would be one that, that's the print server where the, your admin credentials are on like a printer. And so there will be credentials on that. That's something that a hacker might go in to look at. So although the CVE on it is low, if you daisy chain it with something that's able to get into that, you might say, ah, that's high. And we would then potentially rank it given our AI logic to say, that's a moderate. So put it on the scale and we prioritize low versus a vulnerability scanner is just gonna give you a bunch of CVEs and good luck. And translating that, if I can, and tell me if I'm wrong, that kind of speaks to that whole lateral movement challenge. Right, print server, great example. Look stupid, low end, who's going to want to deal with the print server? Oh, but it's connected into a critical system. There's a path. Is that kind of what you're getting at? Yeah, I use daisy chain. I think that's from the community they came from, but it's just a lateral movement. It's exactly what they're doing. And those low level, low critical lateral movements is where the hackers are getting in, right? So that's the beauty thing about the Uber example is that who would have thought, you know, I've got my multi-factor authentication going in, a human made a mistake. We can't not expect humans to make mistakes. We're fallible, right? The reality is, once they were in the environment, they could have protected themselves by running enough pen tests to know that they had certain exposed credentials that would have stopped the breach. And they did not, had not done that in their environment. And I'm not poking it. Yeah, it's an interesting trend though. I mean, it's obvious if sometimes those low end items are also not protected well, so it's easy to get at from a hacker standpoint, but also the people in charge of them can be phished easily or spear phished because they're not paying attention because they don't have to. 
No one ever told them, hey, be careful of what you collect. Yeah, for the community that I came from, John, that's exactly how they would meet you at an international event, introduce themselves as a graduate student. These are national actor states. Would you mind reviewing my thesis on such and such? And I was at Adobe at the time though that I was working on this and started off with the PDF, they opened the PDF and whoever that customer was launches and I don't know if you remember back in like 2000, 2008 timeframe, there was a lot of issues around IP being by a nation state being stolen from the United States. And that's exactly how they get it. And John, that's... Or LinkedIn, hey, I want to get a joke that we want to hire you double the salary. Oh, I'm gonna click on that for sure. Yeah, right, exactly. The one thing I would say to you is like, when we look at like sort of, because I think we did 10,000 pen tests last year is it's probably over that now, we have these sort of top 10 ways that we think and find people coming into the environment. The funniest thing is that only one of them is a CVE related vulnerability, like you guys know what they are, right? So it's like 2% of the attacks are occurring through CVEs. But yeah, there's all that attention spent to that and very little attention spent to this pen test inside, which is sort of this continuous threat, you know, monitoring space and this vulnerability space where I think we play such an important role. And I'm so excited to be a part of the tip of the spear on this one. Yeah, I'm old enough to know the movie Sneakers, which I love as a, you know, watching that movie, you know, professional hackers are testing, always testing the environment. I love this. I got to ask you as we kind of wrap up here, Chris, if you don't mind the benefits to professional services from this alliance. Big news, Splunk and you guys work well together. We see that clearly. 
What are, what other benefits do professional services team see from the Splunk and Horizon 3.ai Alliance? So if you're, I think from our, from both of our partners, as we bring these guys together and many of them already are the same partner, right? Is that, first off, the licensing model is probably one of the key areas that we really excel at. So if you're an end user, you can buy for the enterprise by the number of IP addresses you're using. But if you're a partner working with this, there's solution ways that you can go in and we'll license as to MSPs and what that business model or MSPs looks like. But the unique thing that we do here is the C plus license. And so the consulting plus license allows like a, somebody a small to mid-sized to some very large, you know, Fortune 100, you know, consulting firms use us by buying into a license called consulting plus where they can have unlimited access to as many IPs as they want, but you can only run one test at a time. And as you can imagine, when we're going and hacking passwords and checking hashes and decrypting hashes, that can take a while. So, but for the right customer, it's a perfect tool. And so I'm so excited about our ability to go to market with our partners so that we understand how not to just sell to or not to how just to sell through, but we know how to sell with them as a good vendor partner. I think that that's one thing that we've done a really good job building, bringing it to market. Yeah, I think also Splunk has had great success how they've enabled partners and professional service. Absolutely. You know, the services that layer on top of Splunk are multi-fold, tons of great benefits. So you guys vector right into that ride that way with friction. And the cool thing is that in, you know, in one of our reports, which could be totally customized with someone else's logo, we're going to generate, you know, so I used to work in another organization. 
It wasn't Splunk, but we did, you know, pen testing for customers. And my pen testers would come on site, they'd do the engagement and they would leave. And then another release, I'm going to be, oh shoot, we got another sector that was breached and they'd call you back, you know, four weeks later. And so by August, our entire pen testing teams would be sold out. And it would be like, wow, can you eat in March maybe? And they're like, no, no, no, I got a breach now. And then when they do go in, they go through, do the pen test and they hand over a PDF and they pat on the back and say, there's where your problems are, you need to fix it. And the reality is that what we're going to generate completely autonomously with no human interaction is we're going to go and find all the permutations of anything we found and the fix for those permutations. And then once you've fixed everything, you just go back and run another pen test. It's, you know, for what people pay for one pen test, they could have a tool that does that every, patch on Tuesday, pen test on Wednesday, you know, triage throughout the week. Green, yellow, red. I wanted to see colors. Show me green. Green is good, right? Not red. And who doesn't want that dashboard, right? It is exactly it. We can help bring, I think that, you know, I'm really excited about helping drive this with the Splunk team, because they get that. They understand that it's the green, yellow, red dashboard and how do we help them find more green so that the other guys are in red. And get in the data and do the right thing and be efficient with how you use the data. Know what to look at, and be efficient with so many things to pay attention to. You know, the combination of both and then go to market strategy, real brilliant. Congratulations, Chris. Thanks for coming on and sharing this news with the detail around the Splunk in action around the Alliance. Thanks for sharing. John, my pleasure. Thanks, look forward to seeing you soon. 
All right, great. We'll follow up and do another segment on DevOps and IT and security teams as the new new ops but in SuperCloud, a bunch of other stuff. So thanks for coming on. And our next segment, the CEO of Horizon3.ai will break down all the new news for us here on theCUBE. You're watching theCUBE, the leader in high tech enterprise coverage.

The partner program for us has been fantastic. You know, I think prior to that, you know, as most organizations, most, most VARs, most MSSPs might not necessarily have a bench at all for penetration testing. Maybe they subcontract this work out or maybe they do it themselves but trying to staff that kind of position can be incredibly difficult. For us, this was a differentiator. A new partner, a new partnership that allowed us to not only perform services for our customers, but be able to provide a product by which that they can do it themselves. So we work with our customers in a variety of ways. Some of them want more routine testing and perform this themselves but we're also a certified service provider of Horizon 3 being able to perform penetration tests, help review the data, provide color, provide analysis for our customers in a broader sense, right? Not necessarily the black and white elements of what's critical, what's high, what's medium, what's low, what you need to fix, but are there systemic issues? This has allowed us to onboard new customers. This has allowed us to migrate some penetration testing services to us from competitors in the marketplace but ultimately this is occurring because the product and the outcome are special, they're unique, and they're effective. Our customers like what they're seeing, they like the routine-ness of it. Many of them, again, like doing this themselves, being able to kind of pen test themselves, parts of their networks, and the new use cases, right? I'm a large organization. I have eight to 10 acquisitions per year. 
Wouldn't it be great to have a tool to be able to perform a penetration test, both internal and external, of that acquisition before we integrate the two companies and maybe bringing on some risk? It's a very effective partnership, one that really is kind of taking our engineers, our account executives by storm. This is a partnership that's been very valuable to us. A key part of the value of the business model at Horizon 3 is enabling partners to leverage Node Zero to make more revenue for themselves. Our goal is that for 60% of our revenue this year will be originated by partners and that 95% of our revenue next year will be originated by partners. And so a key to that strategy is making us an integral part of your business models as a partner. A key quote from one of our partners is that we enable every one of their business units to generate revenue. So let's talk about that in a little bit more detail. First is that if you have a pen test consulting business, take Deloitte as an example, what was six weeks of human labor at Deloitte per pen test has been cut down to four days of labor using Node Zero to conduct reconnaissance, find all the juicy interesting areas of the enterprise that are exploitable and being able to go assess the entire organization and then all of those details get served up to the human to be able to look at, understand and determine where to probe deeper. So what you see in that pen test consulting business is that Node Zero becomes a force multiplier where those consulting teams were able to cover way more accounts and way more IPs within those accounts with the same or fewer consultants. And so that directly leads to profit margin expansion for the pen testing business itself because Node Zero is a force multiplier. The second business model here is if you're an MSSP, as an MSSP you're already making money providing defensive cybersecurity operations for a large volume of customers. 
And so what they do is they'll license Node Zero and use us as an upsell to their MSSP business to start to deliver either continuous red teaming, continuous verification or purple teaming as a service. And so in that particular business model, they've got an additional line of revenue where they can increase the spend of their existing customers by bolting on Node Zero as a purple team as a service offering. The third business model or customer type is if you're an IT services provider. So as an IT services provider, you make money installing and configuring security products like Splunk or CrowdStrike or Humio. You also make money reselling those products and you also make money generating follow on services to continue to harden your customer environments. And so for them, what those IT service providers will do is use us to verify that they've installed Splunk correctly, prove to their customer that Splunk was installed correctly or CrowdStrike was installed correctly using our results and then use our results to drive follow on services and revenue. And then finally, we've got the value added reseller which is just a straight up reseller because of how fast our sales cycles are, these VARs are able to typically go from cold email to deal close in six to eight weeks. At Horizon 3, at least a single sales engineer is able to run 30 to 50 POCs concurrently because our POCs are very lightweight and don't require any on-prem customization or heavy pre-sales, post-sales activity. So as a result, we're able to have a small number of sellers driving a lot of revenue and volume for us. Well, the same thing applies to VARs. There isn't a lot of effort to sell the product or prove its value. So VARs are able to sell a lot more Horizon 3 Node Zero product without having to build up a huge specialist sales organization. 
So what I'm gonna do is talk through scenario three here as an IT service provider and just how powerful Node Zero can be in driving additional revenue. So in here, think of for every $1 of Node Zero license purchased by the IT service provider to do their business, it'll generate $10 of additional revenue for that partner. So in this example, Kinney Group uses Node Zero to verify that they have installed and deployed Splunk correctly. So Kinney Group is a Splunk partner. They sell IT services to install, configure, deploy and maintain Splunk. And as they deploy Splunk, they're gonna use Node Zero to attack the environment and make sure that the right logs and alerts and monitoring are being handled within the Splunk deployment. So it's a way of doing QA or verify that Splunk has been configured correctly. And that's going to be internally used by Kinney Group to prove the quality of their services that they've just delivered. Then what they're gonna do is they're gonna show and leave behind that Node Zero report with their client. And that creates a resell opportunity for Kinney Group to resell Node Zero to their client, as their client is seeing the reports and the results and saying, wow, this is pretty amazing. And those reports can be co-branded where it's a pen testing report branded with Kinney Group but it says powered by Horizon 3. From there, Kinney Group is able to take the fix actions report that's automatically generated with every pen test through Node Zero. And they're able to use that as the starting point for a statement of work to sell follow-on services to fix all of the problems that Node Zero identified. Fixing LLMNR misconfigurations, fixing or patching VMware or updating credentials policies and so on. So what happens is Node Zero has found a bunch of problems. The client often lacks the capacity to fix. And so Kinney Group can use that lack of capacity by the client as a follow-on sales opportunity for follow-on services. 
And finally, based on the findings from Node Zero, Kinney Group can look at that report and say to the customer, you know customer, if you bought CrowdStrike, you'd be able to prevent Node Zero from attacking and succeeding in the way that it did. Or if you bought Humio or if you bought Palo Alto Networks or if you bought some privileged access management solution because of what Node Zero was able to do with credential harvesting and attacks. And so as a result, Kinney Group is able to resell other security products within their portfolio, CrowdStrike Falcon, Humio, Palo Alto Networks, Demisto, Phantom and so on, based on the gaps that were identified by Node Zero in that pen test. And what that creates is another feedback loop where Kinney Group will then go use Node Zero to verify that CrowdStrike product has actually been installed and configured correctly. And then this becomes the cycle of using Node Zero to verify deployment, using that verification to drive a bunch of follow on services and resell opportunities, which then further drives more usage of the product. Now, the way that we license is that it's a usage-based licensing model so that the partner will grow their Node Zero consulting plus license as they grow their business. So for example, if you're Kinney Group, then week one, you're gonna use Node Zero to verify your Splunk install. In week two, if you have a pen testing business, you're gonna go off and use Node Zero to be a force multiplier for your pen testing client opportunity. And then if you have an MSSP business, then in week three, you're gonna use Node Zero to go execute a purple team MSSP offering for your clients. So not necessarily Kinney Group, but if you're a Deloitte or AT&T or one of these larger companies and you've got multiple lines of business, if you're Optiv, for instance, all you have to do is buy one consulting plus license and you're gonna be able to run as many pen tests as you want sequentially. 
So now you can buy a single license and use that one license to meet your week one client commitments and then meet your week two and then meet your week three. And as you grow your business, you start to run multiple pen tests concurrently. So in week one, you've got to do a Splunk verify, verify Splunk install and you've got to run a pen test and you've got to do a purple team opportunity. You just simply expand the number of consulting plus licenses from one license to three licenses. And so now as you systematically grow your business, you're able to grow your Node Zero capacity with you, giving you predictable COGS, predictable margins. And once again, 10x additional revenue opportunity for that investment in the Node Zero consulting plus license.

My name is Snehal Antani. I'm the co-founder and CEO here at Horizon 3. I'm gonna talk to you today about why it's important to look at your enterprise through the eyes of an attacker. The challenge I had when I was a CIO in banking, the CTO at Splunk and serving within the Department of Defense is that I had no idea I was secure until the bad guys had showed up. Am I logging the right data? Am I fixing the right vulnerabilities? Are my security tools that I've paid millions of dollars for actually working together to defend me? And the answer is, I don't know. Does my team actually know how to respond to a breach in the middle of an incident? I don't know. I've got to wait for the bad guys to show up. And so the challenge I had was how do we proactively verify our security posture? I tried a variety of techniques. The first was the use of vulnerability scanners. And the challenge with vulnerability scanners is being vulnerable doesn't mean you're exploitable. I might have a hundred thousand findings from my scanner of which maybe five or 10 can actually be exploited in my environment. The other big problem with scanners is that they can't chain weaknesses together from machine to machine. 
So if you've got a thousand machines in your environment or more, what a vulnerability scanner will do is tell you you have a problem on machine one and separately a problem on machine two. But what they can't tell you is that an attacker could use a low from machine one plus a low from machine two to equal the critical in your environment. And what attackers do in their tactics is they chain together misconfigurations, dangerous product defaults, harvested credentials and exploitable vulnerabilities into attack paths across different machines. So to address the attack paths across different machines, I tried layering in consulting based pen testing. And the issue is when you've got thousands of hosts or hundreds of thousands of hosts in your environment, human based pen testing simply doesn't scale to test an infrastructure of that size. Moreover, when they actually do execute a pen test and you get the report, oftentimes you lack the expertise within your team to quickly retest to verify that you've actually fixed the problem. And so what happens is you end up with these pen test reports that are incomplete snapshots and quickly going stale. And then to mitigate that problem, I tried using breach and attack simulation tools. And the struggle with these tools is one, I had to install credentialed agents everywhere. Two, I had to write my own custom attack scripts that I didn't have much talent for, but also I had to maintain as my environment changed. And then three, these types of tools were not safe to run against production systems, which was the majority of my attack surface. So that's why we went off to start Horizon 3. So Tony and I met when we were in special operations together. And the challenge we wanted to solve was how do we do infrastructure security testing at scale by giving the power of a 20-year pen testing veteran into the hands of an IT admin, a network engineer in just three clicks. 
And the whole idea is we enable these fixers, the blue team, to be able to run Node Zero, our pen testing product to quickly find problems in their environment. That blue team will then go off and fix the issues that were found, and then they can quickly rerun the attack to verify that they fixed the problem. And the whole idea is delivering this without requiring custom scripts be developed, without requiring credentialed agents be installed, and without requiring the use of external third-party consulting services or professional services. Self-service pen testing to quickly drive, find, fix, verify. There are three primary use cases that our customers use us for. The first is the SOC manager that uses us to verify that their security tools are actually effective, to verify that they're logging the right data in Splunk or in their SIEM, to verify that their managed security services provider is able to quickly detect and respond to an attack and hold them accountable for their SLAs, or that the SOC understands how to quickly detect and respond and measuring and verifying that, or that the variety of tools that you have in your stack, most organizations have 130 plus cybersecurity tools, none of which are designed to work together are actually working together. The second primary use case is proactively hardening and verifying your systems. This is when that IT admin, that network engineer, they're able to run self-service pen tests to verify that their Cisco environment is installed and hardened and configured correctly, or that their credential policies are set up right, or that their vCenter or WebSphere or Kubernetes environments are actually designed to be secure. And what this allows the IT admins and network engineers to do is shift from running one or two pen tests a year to 30, 40 or more pen tests a month. 
And you can actually wire those pen tests into your DevOps process, or into your detection engineering and the change management processes to automatically trigger pen tests every time there's a change in your environment. The third primary use case is for those organizations lucky enough to have their own internal red team, they'll use Node Zero to do reconnaissance and exploitation at scale, and then use the output as a starting point for the humans to step in and focus on the really hard juicy stuff that gets them on stage at DEF CON. And so these are the three primary use cases, and what we'll do is zoom in to the find fix verify loop. Because what I've found in my experience is find fix verify is the future operating model for cybersecurity organizations. And what I mean here is in the find using continuous pen testing, what you want to enable is on-demand self-service pen tests. You want those pen tests to find attack paths at scale, spanning your on-prem infrastructure, your cloud infrastructure and your perimeter because attackers don't only stay in one place, they will find ways to chain together a perimeter breach, a credential from your on-prem to gain access to your cloud or some other permutation. And then the third part in continuous pen testing is attackers don't focus on critical vulnerabilities anymore. They know we've built vulnerability management programs to reduce those vulnerabilities. So attackers have adapted, and what they do is chain together misconfigurations in your infrastructure and software and applications with dangerous product defaults, with exploitable vulnerabilities, and through the collection of credentials through a mix of techniques at scale. Once you've found those problems, the next question is what do you do about it? 
Well, you want to be able to prioritize fixing problems that are actually exploitable in your environment that truly matter, meaning they're going to lead to domain compromise or domain user compromise or access your sensitive data. The second thing you want to fix is making sure you understand what risk your crown jewels data is exposed to. Where is your crown jewels data? Is it in the cloud? Is it on-prem? Has it been copied to a share drive that you weren't aware of? If a domain user was compromised, could they access that crown jewels data? You want to be able to use the attacker's perspective to secure the critical data you have in your infrastructure. And then finally, as you fix these problems, you want to quickly remediate and retest that you've actually fixed the issue. And this find fix verify cycle becomes that accelerator that drives purple team culture. The third part here is verify. And what you want to be able to do in the verify step is verify that your security tools and processes and people can effectively detect and respond to a breach. You want to be able to integrate that into your detection engineering processes so that you know you're catching the right security rules or that you've deployed the right configurations. You also want to make sure that your environment is adhering to the best practices around systems hardening and cyber resilience. And finally, you want to be able to prove your security posture over time to your board, to your leadership, and to your regulators. So what I'll do now is zoom into each of the three steps. So when we zoom in to find, here's the first example. Using Node Zero and autonomous pen testing and what an attacker will do is find a way to break through the perimeter. In this example, it's very easy to misconfigure Kubernetes, to allow an attacker to gain remote code execution into your on-prem Kubernetes environment and break through the perimeter. 
And from there, what the attacker's going to do is conduct network reconnaissance and then find ways to gain code execution on other machines in the environment. And as they get code execution, they start to dump credentials, collect a bunch of NTLM hashes, crack those hashes using open source and dark web available data as part of those attacks and then reuse those credentials to log in and laterally maneuver throughout the environment. And then as they laterally maneuver, they can reuse those credentials and use credential spraying techniques and so on to compromise your business email, to log in as admin into your cloud. And this is a very common attack and rarely is a CVE actually needed to execute this attack. Often it's just a misconfiguration in Kubernetes with a bad credential policy or password policy combined with bad practices of credential reuse across the organization. Here's another example of an internal pentest and this is from an actual customer. They had 5,000 hosts within their environment. They had EDR and UBA tools installed and they initiated an internal pentest on a single machine. From that single initial access point, Node Zero enumerated the network, conducted reconnaissance and found 5,000 hosts were accessible. What Node Zero will do under the covers is organize all of that reconnaissance data into a knowledge graph that we call the cyber terrain map. And that cyber terrain map becomes the key data structure that we use to efficiently maneuver and attack and compromise your environment. So what Node Zero will do is it'll try to find ways to get code execution, reuse credentials and so on. In this customer example, they had Fortinet installed as their EDR. But Node Zero was still able to get code execution on a Windows machine. From there, it was able to successfully dump credentials, including sensitive credentials from the LSASS process on the Windows box and then reuse those credentials to log in as domain admin in the network.
And once an attacker becomes domain admin, they have the keys to the kingdom. They can do anything they want. So what happened here? Well, it turns out Fortinet was misconfigured on three out of 5,000 machines. Bad automation. The customer had no idea this had happened. They would have had to wait for an attacker to show up to realize that it was misconfigured. The second thing is, well, why didn't Fortinet stop the credential pivot and the lateral movement? And it turned out the customer didn't buy the right modules or turn on the right services within that particular product. And we see this not only with Fortinet, but we see this with Trend Micro and all the other defensive tools where it's very easy to miss a checkbox in the configuration that will do things like prevent credential dumping. The next story I'll tell you is, attackers don't have to hack in, they log in. So another infrastructure pen test, a typical technique attackers will take is man-in-the-middle attacks that will collect hashes. So in this case, what an attacker will do is leverage a tool or technique called Responder to collect NTLM hashes that are being passed around the network. And there's a variety of reasons why these hashes are passed around. And it's a pretty common misconfiguration. But as an attacker collects those hashes, then they start to apply techniques to crack those hashes. So they'll pass the hash and from there, they will use open source intelligence, common password structures and patterns and other types of techniques to try to crack those hashes into clear text passwords. So here, Node Zero automatically collected hashes. It automatically passed the hashes to crack those credentials. And then from there, it starts to take the domain user, user ID passwords that it's collected and tries to access different services and systems in your enterprise.
In this case, Node Zero is able to successfully gain access to the Office 365 email environment because three employees didn't have MFA configured. So now what happens is Node Zero has a placement and access in the business email system which sets up the conditions for fraud, lateral phishing and other techniques. But what's especially insightful here is that 80% of the hashes that were collected in this pen test were cracked in 15 minutes or less, 80%. 26% of the user accounts had a password that followed a pretty obvious pattern. First initial, last initial and four random digits. The other thing that was interesting is 10% of service accounts had their user ID the same as their password. So VMware admin, VMware admin, WebSphere admin, WebSphere admin, so on and so forth. And so attackers don't have to hack in. They just log in with credentials that they've collected. The next story here is becoming AWS admin. So in this example, once again, internal pen test, Node Zero gets initial access. It discovers 2,000 hosts are network reachable from that environment. It fingerprints and organizes all of that data into a cyber terrain map. From there, it fingerprints that HP iLO, the integrated lights out service, was running on a subset of hosts. HP iLO is a service that is often not instrumented or observed by security teams, nor is it easy to patch. As a result, attackers know this and immediately go after those types of services. So in this case, that iLO service was exploitable and we're able to get code execution on it. iLO stores all the user IDs and passwords in clear text in a particular set of processes. So once we gain code execution, we were able to dump all of the credentials and then from there, laterally maneuver to log in to the Windows box next door as admin. And then on that admin box, we're able to gain access to the share drives and we found a credentials file saved on a share drive.
From there, it turned out that credentials file was the AWS admin credentials file, giving us full admin authority to their AWS accounts. Not a single security alert was triggered in this attack because the customer wasn't observing the iLO service and every step thereafter was a valid login in the environment. And so what do you do? Step one, patch the server. Step two, delete the credentials file from the share drive and then step three is get better instrumentation on privileged access users and login. The final story I'll tell is a typical pattern that we see across the board that combines the various techniques I've described together where an attacker is gonna go off and use open source intelligence to find all of the employees that work at your company. From there, they're gonna look up those employees on dark web breach databases and other forms of information and then use that as a starting point to password spray to compromise a domain user. All it takes is one employee to reuse a breached password for their corporate email or all it takes is a single employee to have a weak password that's easily guessable. All it takes is one. And once the attacker is able to gain domain user access in most shops, domain user is also the local admin on their laptop. And once you're local admin, you can dump SAM and get local admin NTLM hashes. You can use that to reuse credentials to make a local admin on neighboring machines and attackers will start to rinse and repeat. Then eventually they're able to get to a point where they can dump LSASS or by unhooking the antivirus, defeating the EDR or finding a misconfigured EDR as we talked about earlier to compromise the domain. And what's consistent is that the fundamentals are broken at these shops. They have poor password policies. They don't have least access privilege implemented. Active Directory groups are too permissive where domain admin or domain user is also the local admin.
AV or EDR solutions are misconfigured or easily unhooked and so on. And what we found in 10,000 pen tests is that user behavior analytics tools never caught us in that lateral movement in part because those tools require pristine logging data in order to work. And also it becomes very difficult to find that baseline of normal usage versus abnormal usage of credential login. Another interesting insight is there were several marquee brand name MSSPs that were defending our customers' environments and for them it took seven hours to detect and respond to the pen test, seven hours. The pen test was over in less than two hours. And so what you had was an egregious violation of the service level agreements that that MSSP had in place. And the customer was able to use us to get service credit and drive accountability of their SOC and of their provider. The third interesting thing is in one case it took us seven minutes to become domain admin in a bank. That bank had every Gucci security tool you could buy. Yet in seven minutes and 19 seconds, Node Zero started as an unauthenticated member of the network and was able to escalate privileges through chaining and misconfigurations and lateral movement and so on to become domain admin. And if it's seven minutes today, we should assume it'll be less than a minute a year or two from now, making it very difficult for humans to be able to detect and respond to that type of Blitzkrieg attack. So that's in the find. It's not just about finding problems though. The bulk of the effort should be what to do about it, the fix and the verify. So as you find those problems, back to Kubernetes as an example, we will show you the path. Here is the kill chain we took to compromise that environment. We'll show you the impact. Here is the impact or here's the proof of exploitation that we were able to use to be able to compromise it. And there's the actual command that we executed.
So you could copy and paste that command and compromise that kubelet yourself if you want. And then the impact is we got code execution. And we'll actually show you here is the impact. This is a critical. Here's why it enabled perimeter breach. Affected applications will tell you the specific IPs where you've got the problem, how it maps to the MITRE ATT&CK framework, and then we'll tell you exactly how to fix it. We'll also show you what this problem enabled so you can accurately prioritize why this is important or why it's not important. The next part is accurate prioritization. The hardest part of my job as a CIO was deciding what not to fix. So if you take SMB signing not required as an example, by default that CVSS score is a one out of 10. But this misconfiguration, it's not a CVE, it's a misconfig, enabled an attacker to gain access to 19 credentials, including one domain admin, two local admins and access to a ton of data. Because of that context, this is really a 10 out of 10. You better fix this as soon as possible. However, of the seven occurrences that we found, it's only a critical in three out of the seven. And these are the three specific machines and we'll tell you the exact way to fix it. And you better fix these as soon as possible. For these four machines over here, these didn't allow us to do anything of consequence. So, because the hardest part is deciding what not to fix, you can justifiably choose not to fix these four issues right now and just add them to your backlog and surge your team to fix these three as quickly as possible. And then once you've fixed these three, you don't have to rerun the entire pentest. You can select these three and then one click verify and run a very narrowly scoped pentest that is only testing this specific issue. And what that creates is a much faster cycle of finding and fixing problems. The other part of fixing is verifying that you don't have sensitive data at risk.
So once we become a domain user, we're able to use those domain user credentials and try to gain access to databases, file shares, S3 buckets, Git repos and so on and help you understand what sensitive data you have at risk. So in this example, a green checkbox means we logged in as a valid domain user. We're able to get read/write access on the database. This is how many records we could have accessed and we don't actually look at the values in the database, but we'll show you the schema so you can quickly characterize that PII data was at risk here. And we'll do that for your file shares and other sources of data. So now you can accurately articulate the data you have at risk and prioritize cleaning that data up, especially data that will lead to a fine or a big news issue. So that's the find, that's the fix. Now we're gonna talk about the verify. The key part in verify is embracing and integrating with detection engineering practices. So when you think about your layers of security tools, you've got lots of tools in place, on average 130 tools at any given customer, but these tools were not designed to work together. So when you run a pen test, what you wanna do is say, did you detect us? Did you log us? Did you alert on us? Did you stop us? And from there, what you wanna see is, okay, what are the techniques that are commonly used to defeat an environment, to actually compromise? If you look at the top 10 techniques we use, and there's far more than just these 10, but these are the most often executed, nine out of 10 have nothing to do with CVEs. It has to do with misconfigurations, dangerous product defaults, bad credential policies. And it's how we chain those together to become a domain admin or compromise a host. So what customers will do is, every single attacker command we executed is provided to you as an attack activity log.
So you can actually see every single attacker command we ran, the timestamp it was executed, the hosts it executed on, and how it maps to the MITRE ATT&CK tactics. So our customers will have these attacker logs on one screen, and then they'll go look into Splunk or Exabeam or SentinelOne or CrowdStrike, and say, did you detect us? Did you log us? Did you alert on us or not? And to make that even easier, if you take this example, hey Splunk, what logs did you see at this time on the VMware host, because that's when Node Zero is able to dump credentials. And that allows you to identify and fix your logging blind spots. To make that easier, we've got app integration. So this is an actual Splunk app in the Splunk app store. And what you can do is, inside the Splunk console itself, you can fire up the Horizon3 Node Zero app. All of the pen test results are here so that you can see all of the results in one place and you don't have to jump out of the tool. And what I'll show you as I skip forward is, hey, there's a pen test. Here are the critical issues that we've identified. For that weaker default issue, here are the exact commands we executed. And then we will automatically query into Splunk all terms between these times on that endpoint that relate to this attack. So you can now quickly, within the Splunk environment itself, figure out that you're missing logs or that you are appropriately catching this issue. And that becomes incredibly important in that detection engineering cycle that I mentioned earlier. So how do our customers end up using us? They shift from running one pen test a year to 30, 40 pen tests a month. Oftentimes wiring us into their deployment automation to automatically run pen tests. The other part that they'll do is as they run more pen tests, they find more issues. But eventually they hit this inflection point where they're able to rapidly clean up their environment.
And that inflection point is because the red and the blue teams start working together in a purple team culture. And now they're working together to proactively harden their environment. The other thing our customers will do is run us from different perspectives. They'll first start running an RFC 1918 scope to see, once the attacker gained initial access in a part of the network that had wide access, what could they do? And then from there, they'll run us within a specific network segment. Okay, from within that segment, could the attacker break out and gain access to another segment? Then they'll run us from their work from home environment. Could they traverse the VPN and do something damaging? And once they're in, could they traverse the VPN and get into my cloud? Then they'll break in from the outside. All of these perspectives are available to you in Horizon3 and in Node Zero as a single SKU and you can run as many pen tests as you want. If you run a phishing campaign and find that an intern in the finance department had the worst phishing behavior, you can then inject their credentials and actually show the end-to-end story of how an attacker phished, gained credentials of an intern and used that to gain access to sensitive financial data. So what our customers end up doing is running multiple attacks from multiple perspectives and looking at those results over time. I'll leave you two things. One is what is the AI in Horizon3 AI? Those knowledge graphs are the heart and soul of everything that we do. And we use machine learning, reinforcement techniques, reinforcement learning techniques, Markov decision models and so on to be able to efficiently maneuver and analyze the paths in those really large graphs. We also use context-based scoring to prioritize weaknesses and we're also able to drive collective intelligence across all of the operations. So the more pen tests we run, the smarter we get.
And all of that is based on our knowledge graph analytics infrastructure that we have. Finally, I'll leave you with this: this was my decision criteria when I was a buyer for my security testing strategy. What I cared about was coverage. I wanted to be able to assess my on-prem, cloud, perimeter and work from home and be safe to run in production. I want to be able to do that as often as I wanted. I want to be able to run pen tests in hours or days, not weeks or months, so I could accelerate that find fix verify loop. I wanted my IT admins and network engineers with limited offensive experience to be able to run a pen test in a few clicks through a self-service experience and not have to install agents and not have to write custom scripts. And finally, I didn't want to get nickel and dimed on having to buy different types of attack modules or different types of attacks. I wanted a single annual subscription that allowed me to run any type of attack as often as I wanted so I could look at my trends and directions over time. So I hope you found this talk valuable. We're easy to find. And I look forward to seeing you use our product and letting our results do the talking. When you look at, you know, kind of the way our pen testing algorithms work is we dynamically select how to compromise an environment based on what we've discovered. And the goal is to become a domain admin, compromise a host, compromise domain users, find ways to encrypt data, steal sensitive data and so on. When you look at the top 10 techniques that we ended up using to compromise environments, the first nine have nothing to do with CVEs. And that's the reality. CVEs are, yes, a vector, but less than 2% of CVEs are actually used in a compromise. Oftentimes it's some sort of credential collection, credential cracking, credential pivoting and using that to become an admin and then compromising environments from that point on.
So I'll leave this up for you to kind of read through and you'll have the slides available for you. But I found it very insightful that organizations and ourselves when I was at GE included invested heavily in just standard vulnerability management programs. When I was at DOD, that's all disacred about asking us about was our kind of our CVE posture. But the attackers have adapted to not rely on CVEs to get in because they know that organizations are actively looking at and patching those CVEs and instead they're chaining together credentials from one place with misconfigurations and dangerous product defaults in another to take over an environment. A concrete example is by default vCenter backups are not encrypted. And so if an attacker finds vCenter what they'll do is find the backup location and there are specific vCenter MTD files where the admin credentials are parsable in the binaries. So you can actually as an attacker find the right MTD file, parse out the binary and now you've got the admin credentials for the vCenter environment and now start to log in as admin. There's a bad habit by signal officers and signal practitioners in the army and elsewhere where the VM notes section of a virtual image has the password for the VM. Well those VM notes are not stored encrypted and attackers know this and they're able to go off and find the VMs that are unencrypted, find the notes section and pull out the passwords for those images and then reuse those credentials across the board. So I'll pause here and Patrick, I'd love to get some commentary on these techniques and other things that you've seen and what we'll do in the last say 10 to 15 minutes is roll through a little bit more on what do you do about it? Yeah, yeah, yeah. No, I love it. I think this is pretty exhaustive. What I like about what you've done here is, we've seen double digit increases in the number of organizations that are reporting actual breaches year over year for the last three years. 
And it's often we kind of, in the zeitgeist, we peg that on ransomware, which of course is like incredibly important and very top of mind. But what I like about what you have here is you remind me and the audience that the attack surface area, the vectors that matter, has to be more comprehensive than just thinking about ransomware scenarios. Yeah, right on. So let's build on this. When you think about your defense in depth you've got multiple security controls that you've purchased and integrated. And you've got that redundancy if a control fails but the reality is that these security tools aren't designed to work together. So when you run a pen test, what you want to ask yourself is, did you detect Node Zero? Did you log Node Zero? Did you alert on Node Zero? And did you stop Node Zero? And when you think about how to do that, every single attacker command executed by Node Zero is available in an attacker log. So you can now see, at the bottom here, vCenter exploit, at that time on that IP, how it aligns to MITRE ATT&CK; what you want to be able to do is go figure out did your security tools catch this or not. And that becomes very important in using the attacker's perspective to improve your defensive security controls. And so the way we've tried to make this easier, back to like my, you know, I bleed green in many ways still from my Splunk background, is you want to be able to, and what our customers do is, hey, we'll look at the attacker logs on one screen and they'll look at what did Splunk see or miss in another screen. And then they'll use that to figure out what their logging blind spots are. And where that becomes really interesting is we've actually built out an integration into Splunk where there's a Splunk app you can download off of Splunkbase. And you'll get all of the pen test results right there in the Splunk console. And from that Splunk console, you're gonna be able to see these are all the pen tests that were run.
These are the issues that were found. So you can look at that particular pen test. Here are all of the weaknesses that were identified for that particular pen test and how they categorize out. For each of those weaknesses, you can click on any one of them that are critical in this case. And then we'll tell you for that weakness, and this is where the punchline comes in so I'll pause the video here. For that weakness, these are the commands that were executed on these endpoints at this time. And then we'll actually query Splunk for that IP address, or containing that IP. And these are the source types that surface any sort of activity. So what we try to do is help you as quickly and efficiently as possible identify the logging blind spots in your Splunk environment based on the attacker's perspective. So as this video kind of plays through, you can see it, Patrick, I'd love to get your thoughts just seeing so many Splunk deployments and the effectiveness of those deployments and how this is going to help really elevate the effectiveness of all of your Splunk customers. Yeah, I'm super excited about this. I mean, I think these kinds of purpose-built integrations really move the needle for our customers. I mean, at the end of the day, when I think about the power of Splunk, I think about a product I was first introduced to 12 years ago that was an on-prem piece of software. And at the time, I'm sold on sort of perpetual and term licenses. But what made it special was that it could eat data at a speed that nothing else that I had ever seen could. You can ingest massively scalable amounts of data. It did cool things like schema on read, which facilitated that. There was this language called SPL that you could nerd out about. And you went to a conference once a year and you talked about all the cool things you were doing with Splunk, right?
But now as we think about the next phase of our growth, we live in a heterogeneous environment where our customers have so many different tools and data sources that are ever expanding. And as you look at the role of the CISO, it's mind-blowing to me the amount of sources, services, apps that are coming into the CISO span of, let's just call it the span of influence, in the last three years. We're seeing things like infrastructure, service level visibility, application performance monitoring, stuff that just never made sense for the security team to have visibility into. At least not at the size and scale which we're demanding today. And that's different. And this is why it's so important that we have these joint purpose-built integrations that really provide more prescription to our customers about how do they walk on that journey towards maturity? What does zero to one look like? What does one to two look like? Whereas, you know, 10 years ago, customers were happy with platforms. Today, they want integration. They want solutions and they want to drive outcomes. And I think this is a great example of how together we are stepping up to the evolving nature of the market and also the ever-evolving nature of the threat landscape. And what I would say is the maturing needs of the customer in that environment. Yeah, for sure. I think especially if we all anticipate budget pressure over the next 18 months due to the economy and elsewhere, while the security budgets are not gonna ever, I don't think they're gonna get cut, they're not gonna grow as fast. And there's a lot more pressure on organizations to extract more value from their existing investments as well as extracting more value and more impact from their existing teams. And so security effectiveness, fierce prioritization and automation, I think, become the three key themes of security over the next 18 months. So what I'll do very quickly is run through a few other use cases.
Every host that we identified in the pen test we're able to score and say, this host allowed us to do something significant. Therefore, it's really critical. You should be increasing your logging here. Hey, these hosts down here, we couldn't really do anything as an attacker. So if you do have to make trade-offs, you can make some trade-offs of your logging resolution at the lower end in order to increase logging resolution on the upper end. So you've got that level of justification for where to increase or adjust your logging resolution. Another example is every host we've discovered as an attacker we expose and you can export. And what we wanna make sure is every host we found as an attacker is being ingested from a Splunk standpoint. A big issue I had as a CIO and user of Splunk and other tools is I had no idea if there were rogue Raspberry Pis on the network or if a new box was installed and whether Splunk was installed on it or not. So now you can quickly start to correlate what hosts did we see and how does that reconcile with what you're logging from. Finally, or a second to last use case here on the Splunk integration side, is for every single problem we found we give multiple options for how to fix it. This becomes a great way to prioritize what fix actions to automate in your SOAR platform. And what we wanna get to eventually is being able to automatically trigger SOAR actions to fix well-known problems like automatically invalidating passwords or poor passwords in our credentials amongst a whole bunch of other things we could go off and do. And then finally, if there is a well-known kill chain or attack path, one of the things I really wish I could have done when I was a Splunk customer was take this type of kill chain that actually shows a path to domain admin that I'm sincerely worried about and use it as a glass table over which I could start to layer possible indicators of compromise.
And now you've got a great starting point for glass tables and IOCs for actual kill chains that we know are exploitable in your environment. And that becomes some super cool integrations that we've got on the roadmap between us and the Splunk security side of the house. So what I'll leave with actually Patrick before I do that, love to get your comments and then I'll kind of leave with one last slide on this wartime security mindset pending, assuming there's no other questions. No, I love it. I mean, I think this kind of glass tables approach to how do you sort of visualize these workflows and then use things like SOAR and orchestration and automation to operationalize them is exactly where we see all of our customers going and in getting away from, I think an over-engineered approach to SOAR with where it has to be super technical heavy with Python programmers and getting more to this visual view of workflow creation that really demystifies the power of automation and also democratizes it that you don't have to have these programming languages in your resume in order to start really moving the needle on workflow creation, policy enforcement and ultimately driving automation coverage across more and more of the workflows that your team has seen. Yeah, I think that between us being able to visualize the actual kill chain or attack path paired with, you know, think of the SOAR market, I think going towards this no code, low code SOAR, you know, configurable SOAR versus coded SOAR that's gonna really be a game changer in improving or giving security teams a force multiplier. So what I'll leave you with is this peacetime mindset of security no longer is sustainable. We really have to get out of checking the box and then waiting for the bad guys to show up to verify that security tools are working or not. 
And the reason why we've got to really do that quickly is there are over a thousand companies that withdrew from the Russian economy over the past nine months due to the Ukrainian war. There, you should expect every one of them to be punished by the Russians for leaving and punished from a cyber standpoint. And this is no longer about financial extortion like ransomware. This is about punishing and destroying companies. And you can punish any one of these companies by going after them directly or by going after their suppliers and their distributors. So suddenly your attack surface is no longer just your own enterprise. It's how you bring your goods to market and it's how you get your goods created because while I may not be able to disrupt your ability to harvest fruit, if I can get those trucks stuck at the border, I can increase spoilage and have the same effect. And what we should expect to see is this idea of cyber-enabled economic warfare where if we issue a sanction like banning the Russians from traveling, there is a cyber-enabled counter punch which is corrupt and destroy the American Airlines database. That is below the threshold of war, that's not gonna trigger the 82nd Airborne to be mobilized, but it's gonna achieve the right effect. Ban the sale of luxury goods, disrupt the supply chain and create shortages. Ban Russian oil and gas, attack refineries that cause a 10x spike in gas prices three days before the election. This is the future and therefore I think what we have to do is shift towards a wartime mindset which is don't trust your security posture, verify it. See yourself through the eyes of the attacker, build that incident response muscle memory and drive better collaboration between the red and the blue teams, your suppliers and your distributors and your information sharing organization that you have in place.
And what was really valuable for me as a Splunk customer was that when a router crashes, at that moment you don't know if it's due to an IT administration problem or an attacker. And what you wanna have are different people asking different questions of the same data. And you wanna have that integrated triage process of an IT lens on that problem, a security lens on that problem, and then from there figuring out whether this is an IT workflow to execute or a security incident to execute. And you wanna have all of that as an integrated team, integrated process, integrated technology stack. And this was something that I cared very deeply about as both a Splunk customer and a Splunk CTO, and that I see time and time again across the board. So Patrick, I'll leave you with the last word in the final three minutes here, and I don't see any open questions. So please take us home.

Oh man, you know, I think we spent hours and hours prepping for this together. That last 40 seconds of your talk track is probably one of the things I'm most passionate about in this industry right now. And I think NIST has done some really interesting work here around building cyber resilient organizations that has really, I think, helped the industry see that incidents can come from adverse conditions, stresses, performance taxation in the infrastructure, service or app layer, and they can come from malicious compromises, insider threats, external threat actors. And the more that we look at this from the perspective of a broader cyber resilience mission in a wartime mindset, I think we're gonna be much better off. And what you talk about with operationally minded ISACs, information sharing, intelligence sharing, become so important in these wartime situations. And we know not all ISACs are created equal, but we're also seeing a lot more ad hoc information sharing groups popping up. So look, I think you framed it really, really well.
I love the concept of a wartime mindset and I like the idea of applying a cyber resilience lens. Like, if you had one more layer on top of that bottom-right cake, I think the IT lens and the security lens roll up to this concept of cyber resilience. And I think this has done some great work there for us.

Yeah, you're spot on. And that's gonna, I think, be the next terrain that you're gonna see vendors try to get after, but that I think Splunk is best positioned to win.

Okay, that's a wrap for this special CUBE presentation. You heard all about the global expansion of Horizon3.ai's partner program, where their partners have a unique opportunity to take advantage of their Node Zero product, international go-to-market expansion, North America channel partnerships and just overall relationships with companies like Splunk to make things more comprehensive in this disruptive cybersecurity world we live in. I hope you enjoyed this program. All the videos are available on theCUBE.net, as well as check out horizon3.ai for their pen test automation and ultimately their defense system that they use for always testing the environment that you're in. Great innovative product, and I hope you enjoyed the program. Again, I'm John Furrier, host of theCUBE. Thanks for watching.
