CYBR.HAK.CAST
CYBR.HAK.CAST is the official podcast of CYBR.HAK.CON., where cybersecurity professionals, hackers, and thought leaders come together to share their stories, insights, and lessons from the front lines of the infosec world. Hosted by Michael Farnum and Phillip Wylie, the show dives deep into topics shaping the modern cybersecurity landscape - from red teaming and ethical hacking to threat intelligence, blue team tactics, and the human side of security. Each episode brings candid conversations with speakers and experts from CYBR.HAK.CON., offering listeners a behind-the-scenes look at the people and ideas driving the future of cyber defense and hacking culture.
CYBR.HAK.CAST Episode 14: Tim Medin
On this episode of CYBR.HAK.CAST, Tim Medin joins hosts Michael Farnum and Phillip Wylie to talk about offensive security, the evolution of penetration testing, and why defenders need to stop relying solely on compliance checklists and start thinking like attackers. Along the way, the crew swaps war stories about old-school hacker culture, Dallas conference history, and why cybersecurity still misses the basics despite years of progress.
SHOW NOTES:
Things Mentioned:
- Red Siege: https://redsiege.com/
- Upcoming CYBR.SEC.Community events: https://www.cybrsecmedia.com/conference/
- CYBR.SEC.Careers fundraisers: https://www.linkedin.com/company/cybr-sec-careers/about/
Episode 13 Timestamps:
00:00 – Welcome and CYBR.HAK.CON hype
Michael Farnum and Phillip Wylie open the show, joke about football rivalries, and discuss the upcoming CYBR.HAK.CON conference in Dallas. Tim Medin joins the conversation and talks about why Dallas has long needed a larger hacker-focused event.
07:10 – Cybersecurity community and workforce development
The hosts discuss the mission behind CYBR.SEC.Careers and their nonprofit work supporting youth and veterans entering cybersecurity through mentorship, education, and community programs.
10:15 – CYBR.HAK.CON speakers, villages, and AI CTFs
Phillip and Michael preview the conference lineup, including Jason Haddix, Dustin “Wirefall” Dykes, and Larcy Robertson. They also discuss the AI Village, lockpicking, ham radio activities, and an AI-focused capture-the-flag challenge.
14:45 – Tim Medin’s origin story
Tim shares how hacking curiosity started with bypassing school computer restrictions to play Wolfenstein in the early 1990s. He talks through his path from electrical engineering and OT systems into networking, penetration testing, and eventually founding Red Siege.
24:30 – Acuvant, FishNet, and merger chaos
The group laughs about the infamous Acuvant/FishNet rivalry and the awkward branding chaos that followed their merger into Optiv. The discussion turns into a nostalgic look at old-school security culture and industry evolution.
34:00 – “Offense for Defense” and the problem with checkbox security
Tim explains the philosophy behind his CYBR.HAK.CON talk, focused on teaching defenders how attackers actually operate. He discusses tools like BloodHound and PingCastle and argues that many organizations still miss foundational weaknesses because they focus too heavily on compliance instead of attacker behavior.
44:20 – Why “assume breach” changes penetration testing
The conversation shifts into modern penetration testing methodology, including assumed breach scenarios where testers start with stolen credentials or internal access instead of trying to break in from scratch. The hosts explain why this more accurately reflects how real-world attackers operate today.
57:00 – Security culture, budgets, and uncomfortable truths
The group discusses how some organizations intentionally avoid testing systems they know are vulnerable because they fear accountability more than compromise. Tim argues that security culture failures often become more dangerous than technical weaknesses.
Phillip: Hello, and welcome to another episode of CYBR.HAK.CAST. Today I'm joined by my BBFF, my bald best friend forever, Michael Farnum.
Michael: I love it when guests haven't heard that yet. Yeah. All of our listeners are tired of it, but our guests haven't heard it yet. It's fantastic.
Tim: Way to not set me up on that one. That was awesome.
Michael: Oh, we had to leave the surprise there. How you doing, Phil?
Phillip: Good. How about you? I'm good. I'm really good. So you're getting ready for CYBR.HAK.CON? It's what, a couple of weeks away? Yeah. Too far. It's kind of crazy. Has it been long since you wrapped up OT SecCon?
Michael: It has not been. And even though I live in Houston, I get to come to my Mecca. I've already talked to Tim about this before the show. And come see, I like to go to the Omni and the Star and go see my Cowboys. Everybody can just, if you're watching this, you can ignore Tim's background with all that Green Bay stuff back there. It's horrible. It's making me sick. He's never invited back.
Phillip: Yeah, it's great to have Tim on. It was great seeing you at CypherCon recently.
Tim: Yeah, that was a great event. I'm actually really looking forward to this. Dallas hasn't had a good big con. The BSides, and don't get me wrong, BSides are fine, but I'm stupid excited about this.
Phillip: New thing, because Dallas definitely needs it, I think. Yeah, one of the best descriptions that I've heard so far is Wirefall says we have our B-side, but we don't have the A-side to it. Which was a good description.
Tim: That's a good way to put that, because BSides, I think, has its spot. And I think this just fills a different gap. And Dallas is a top six city in the US as far as size. And to not have that, I almost feel bad. So super excited to finally bring that back. I was hoping that the Texas Cyber would move up, but they just disappeared instead. Best of both worlds or something. I don't know. But yeah, really excited about this in a month from when we're recording, not from when you see this.
Michael: Yes, two weeks or something. Yeah, it's crazy. Yeah, we're excited to do it. Back when I started HouSecCon way, way back, it was the same year that BSides DFW started and the same year that LASCON started. So we kind of had this whole Texas triangle thing, because we were all around about the same time. And yeah, Phil and I went to BSides DFW, and it's a good hacker show. It's just having something like this a little bit bigger, and I'm excited about doing it, especially with Phil, because I'd jump in front of a bus for Phil.
Phillip: Yeah, so Tim may not know the story, but it was actually HackSpaceCon that finally inspired me to want to do something like this. Oh, neat. I texted Michael after HackSpaceCon and said, yeah, I'd like to start a hacker conference in Dallas. And he asked to have a call. So we had a call and he proposed partnering. So that's kind of where it all started.
Tim: So you were at that con and decided at that event, I have too much free time. Clearly, I should start a con.
Phillip: Yeah, sometimes I can be a glutton for punishment, because when I was running Pwn School, I used to run two meetings a month, one in Dallas and one in Denton. That's a lot.
Tim: That was busy.
Phillip: Yeah, that's two meetings. I was busy. And actually, Michael probably doesn't know this, but Tim was one of my speakers. Actually, I think one of the last Pwn School Dallas meetings, because it was in a December, and it wasn't too long after, because in February, I think, the venue where we were hosting Pwn School out in Dallas closed down. The pizza place closed down, and that last meeting that was supposed to be physical ended up having to stream instead because we couldn't find a venue last minute. No one called us when we showed up that night to do the event. There was a sign on the door saying it's closed. Oops, too bad.
Tim: That was good pizza. I liked that pizza too. Is it still closed?
Phillip: Yeah, still closed. Yeah, yeah. There was like a chain of them. There were like two or three of the restaurants, and they just all of a sudden closed. Even the staff, I talked to the staff. No, it wasn't COVID. It wasn't COVID yet. I guess business just wasn't going well or something. Because actually, if Tim remembers this, the other Picasso's was the location for BSides DFW two and four, because you'd spoken there.
Tim: Oh, yeah, okay. Yeah, that's right.
Phillip: Yeah, that's a shame that they closed down. Now I want pizza. I know. Yeah, someone associated with it supposedly opened up another place called Andrew's Pizza. They're supposed to have some of the same recipes and stuff. How do you go from Picasso's to Andrew's?
Michael: It's like he just went from Italian to British or something.
Tim: Not even a good New Yorker Italian name.
Michael: Like, yeah, it's like, come on, at least Marco's or something. I guess that one's taken, but yeah, I don't know.
Phillip: Yeah, yeah. Anyway, cool. Well, you wanted to share with the audience about the upcoming CYBR.SEC.Community stuff.
Michael: Yeah, CYBR.SEC.Careers stuff. So for those of you who don't know, we've got a nonprofit that we partner with, CYBR.SEC.Careers, and they can tell you how close the partnership is, because the whole thing's called CYBR.SEC.Community, but obviously it's a nonprofit. So if you go out to cybrseccareers.com, and obviously cyber without an E because we're cool like that, that's what we like to say around here. Go out to CYBR.SEC.Careers. We got some fundraisers going on. That's all about helping the youth and veterans get into cybersecurity and grow their career in cybersecurity. It's all nonprofit 501(c)(3) stuff. So we got some fundraisers out there if you want to be a part of that, some events coming up, and then you can just donate online, but all of that goes to helping run our youth event at CYBR.SEC.CON that we do later in the year, Youth SecCon, and other stuff like that to help people with mentorship and just workforce development in cyber, specifically, like I said, youth and veterans is what we're focused on. So, yeah, go out to cybrseccareers.org or .com. Both of them will go to the same spot, and consider giving. If you feel so led, we would appreciate it. Now we got CYBR.HAK.CON news still, because that's what we're all here for, right?
Phillip: Yep, yep. That's why I'm doing a third podcast. That's not enough. Two more. So yeah, really exciting. CYBR.HAK.CON is coming up soon. It's going to be at the Plano Convention Center. It's a really cool venue. And one of the things that's kind of cool about it too, I think I shared with Michael on one of the other episodes, was there was one time an attempt at a hacker conference, like in the early 2000s. Really? Yeah, early 2000s. It was Dow HackCon. I think it ran for a couple years and that was it. And it was at Plano Convention Center, and it was a pretty interesting conference, and it ran for two years and that was it. Actually, Wirefall probably knows more details about it than I do, because I only attended one of those, but it was pretty interesting back then. So the cool thing is we're in the same venue. And so we did not know that name.
Michael: We knew it was HackCon, but I didn't know it was called Dow HackCon.
Phillip: Yeah, no.
Tim: Well, I mean, I feel like hack has to be in there.
Michael: Con has to be in there. We just took the C out of hack. We took the C out of hack and the E out of cyber. Makes those domain registrations a lot easier. So yeah, we're just trying to be all cool like that. At least we left some of the vowels.
Phillip: Really, I think what happened is Michael probably came up with all these names because it helps him in Scrabble, so he can come up with words easier.
Tim: Or if he's like me, I tried to spell it right and it didn't work, and that's what we registered.
Michael: One of the jokes is that because Farnum can't spell, that's why we left out the E. It's like all kinds of stuff. That'd be me too.
Phillip: It's gonna be a great conference. We got Tim Medin, of course, Mr. Kerberoasting, speaking, and we've got Jason Haddix as the opening keynote, and Wirefall, aka Dustin Dykes, the founder of Dallas Hackers Association, doing the closing keynote. Larcy Robertson is also one of our featured speakers, as well as Justin "Hutch" Hutchins, who is also creating an AI CTF for the conference. Yep.
Michael: That's cool. That's gonna be cool.
Phillip: Yeah, so even on the topic of AI, we're gonna have an AI Village, a really nice program for the AI Village, as well as lockpicking and a ham radio station.
Michael: Yep, yeah. I'm really excited about the AI one. We were having conversations about how that's gonna be lined up. They're gonna have their own room to do some really cool stuff in there. So there'll be little workshops and all kinds of stuff. So anybody who's interested in that, all that's out there on the site, I think, too. I know the agenda is out there. So yeah, village stuff is out there as well, I think.
Phillip: Yeah, agenda's up there. We're gonna have four tracks, and so it should be a lot of fun. So make sure to get your tickets.
Michael: All right, we'll see everybody on the other side of the break, and we'll come back and talk to Tim Medin.
Phillip: And we're back, and today our guest is Tim Medin, as we mentioned at the start of the episode. So before we get too far into our discussion, Tim, if you wouldn't mind sharing your origin story, how you got started out, up to what you're doing these days.
Tim: Yeah, sure. Many moons ago, back in high school in the, oh, mid to early 90s. God, that's bad math. I don't like this at all. But the whole goal, we go to class, we had the IBM, it's like a one-unit PC, I forget the name, the IBM PS/2. I forget what it's called.
Michael: Anyway, well, it was like the PC slash two or what, I forget. I think that was it.
Tim: Anyway, our whole goal was to get through their class when we got to go to the computer lab, because we didn't have computers everywhere, because that wasn't a thing. But like during programming class or some of the other classes that we had in the computer room, my goal, our goal, was to get to play Wolfenstein as quickly and efficiently as possible. So we would try, they had built this fancy menu to try to keep us in, and we kept trying to figure out ways to get around that. Just a fun way of playing with the computers to, frankly, just play a game, but to sound more professional and appropriate, make it do something it wasn't intended to do. And then interest just kept growing. I went to college, completely different direction. I actually went to school for electrical engineering. I was gonna do a double major with computer science engineering, but there were too many nerds in that computer science thing, so I decided not to. A little bit of irony now, right? So did that for a while, got into control systems, the OT world, which may be a term some of you folks are probably a little bit more familiar with. Went from there into programming, liked programming. I love getting a program to about 90%. That last 10%, I would rather have you push me off a cliff and I'll help you. Networking, love networking, absolutely love networking, went from the programming into networking, love it. But the problem is you never get a phone call at two in the afternoon on a Tuesday, it's 3 a.m. because the backups are failing, the SAN is down, and you gotta run and take care of that stuff. But really, I'd probably still be doing that. But the security thing just really piqued my interest.
And I started picking up, a little tip for some of you folks if you're trying to get into security and you've got an IT-related position: if any security-related projects come up, what I did is I tried to get my fingers into those as much as possible. Hey, can I work on that? Can I work on that? Can I work on that? Can I poke at this? And got some experience on the security side, and then became the technical security guy at that particular organization. And then I realized from there, hey, you can get paid to hack stuff. That's a real job. That's a thing. I remember watching Sneakers and WarGames, and I was like, holy smoke. So I just consumed every single podcast, all the blogs that I could, started running my own blogs, and eventually convinced then-FishNet, now they're part of Optiv...
Michael: Optiv.
Tim: ...to give me a job, and I've been doing pen testing now for, I should do math on that, but I don't remember off the top of my head, 10-plus years at this point. And then started my own pen test company, coming up on nine years this year, and been doing that ever since. Working with some wicked smart hackers and just keep on banging on stuff. It's lots and lots of fun.
Michael: So we got some weird background difference. So you worked at LeTourneau, that's my alma mater, but I never went to the campus.
Tim: Oh, actually, I worked there and I went to school there.
Michael: Okay.
Tim: My undergrad. Probably the master's program then, huh? The MBA.
Michael: No, it was bachelor's, but they were one of the first remote schools back in the day. So they had a Houston remote school. So that's where I graduated. And then I was at Accuvant, not FishNet.
Unknown: Oh my god.
Michael: What a weird, yeah. So I was there 2008 to 2014. We had some overlap where, if we'd have found each other in a dark alley, we would have fought each other, because FishNet and Accuvant hated each other before.
Tim: Oh my gosh. I remember hearing stories of the onboarding at Accuvant. Someone had made like a Death Star with FishNet on it and it would blow up. And that was one of our SKO indoctrination onboarding videos.
Michael: That's when they came together. I luckily had left before that happened, because it was a mess. But yeah, so we've got some weird, weird background.
Tim: I always wonder about mergers. Like, how do people expect these things to go? Because I've never heard of one where like, this was fantastic.
Michael: Yeah, the funny thing about it, I know we're a little off topic, but it's still background stuff. Security history, yeah, it's all security. The funny thing about it is I had worked for just over a year as pretty much like the technical evangelist for Accuvant, and I was called security advocate because evangelist had a weird connotation back then. Sure. It still does. So I went to become the advocate and then I left there after having another job, went, was at Black Hat, and I knew it was coming, but it got leaked. And so Accuvant and FishNet had both had their own booths at Black Hat, and they ended up having to pivot and put like their logos together and call it Accuvant plus FishNet, because they didn't even know what the name of the company was gonna be. And I remember talking to this chief marketing officer, because I used to work for her, and I was just like, that was a mess. She was like, yeah, that was not fun. It was so much pain.
Tim: I wanted them to call the company Avantafish. Avantafish. What do you want to do? Avantafish. It is my advice, fortunately. It's also why I'm not in marketing, although I think I would have crushed that one.
Michael: I did hear Fishuvant too. Fishuvant, Fishuvant, so it was all over the place. Yeah, those are good times.
Phillip: Yeah, I think your idea, Tim, would be easier for people to remember. Yeah, yeah.
Tim: You could get that little Billy Bass thing that flips out and sings the little song.
Michael: That would be hilarious.
Tim: Also, I mentioned I'm not in marketing.
Michael: Look, I don't know. With the logo and everything that came up, the first one they came up with, because it was derived from Accuvant's new logo, when they had spent however much money when I was in marketing doing the look back at that thing, and it looked like the Xbox logo, like the old Xbox, that circle, and everybody was like, what, that just looks like Xbox? Like, it tells you what goes on in all that marketing stuff. Too funny. Thanks for the background, Tim. So all of that we figured out, and you named some of the same movies that all of us got inspired by, WarGames, Sneakers, Hackers, all of the things. How does that lead into the talk you're going to be giving at CYBR.HAK.CON? Does that have some influence on that? What's that called? Offense for Defense?
SPEAKER_02Yeah, the big goal with that one is like I do Pentas, I've been doing Pentest for a decade and a half or whatever. Big some someone do the math and let me know. But we've been doing that for forever, and we still see some of the basics missed. Or honestly, people just don't have the budget, and that's fine. It is what it is, but how can we live with that? And and the goal of this talk is to give the defenders some tools. First, we talk through hey, what's actually happening out there, what actually matters? Because we hear this stuff like all the time from we got to cut through the BS to some degree. You hear people like never connect to a public Wi-Fi, and you're like, What's the risk? Like, what encrypted inside it? Let's focus on what's actually important. Let's look back at the the data on what's happening with breaches, and then let's take a look at what we can do for defenses in that regard and walk through some of the tools and techniques that same same ones that I use. Maybe I'll use them a little bit more advanced, but like just a good walkthrough of hey, here's a great way to use something like a pink castle or a bloodhound. Look, get a quick map of your active directory, understand what's going on because if you have issues with that, is not something that you're going to change during an incident. You're not going to make architectural changes, or let me phrase that, you might, but you don't want to be making architectural changes during an incident because that's a big long process. There's cascading of effects. So hey, find these things yourself, fix them yourselves without the need for expensive consultants or like even myself. But you can take a look at those, knock a bunch of those pieces out, and then if you need a pen test still, you've got some of the basics gone, or you you should have. And ideally, that because the ultimate goal is to keep the bad guys out. Ideally, you at least but best worst best case you completely stop them. 
The second best case is you you slow them down, you give yourself some detection opportunities along the way, and no significant breach happens, right? Because it it's as an offensive person, we're on the same team as the defense, and it it sounds a little bit counterintuitive if you just look at it the surface, but we're practicing, we're sparring together to keep the real bad guys out of the organization. So the talk is really focused on hey, blue team, hey sysadmins. Maybe you don't have money, maybe you don't have the budget, or maybe you want to just do some of this stuff yourself to play with. Because this is another thing that I talked about a little bit earlier. I wanted to get in the offensive side, I spun it as a blue team opportunity to defend my organization, help defend my organization, learned these tools, played with it, said, Hey, made some recommendations and get to play with some of that. Because as the con name says, hacking is fun. It does actually be fun, but it's gonna be fun.
SPEAKER_03So I'm not correct me if I'm wrong, but you had some training, you were doing some training around that concept, weren't you?
SPEAKER_02Yeah, we actually have a uh two-day class. If you I'll just I guess shill it at this point, training.redteach.com. There's a essentially a two-day class. We're running that two-day class at some of the events. Of course, it's much more in depth than a one-hour talk because 16 times longer. But the talk is meant to do that, and I'm doing a cyber high con is just the quickest hits that I can pick that we can take a look at. Whereas the class, we go a little bit deeper, hit some more stuff, talk a little bit about the why attackers are doing some of these things, and then get into the defenses and some of the attacks that we can do to find the stuff before the bad guys do.
SPEAKER_01Maybe that's an idea next year, Phil. Do a workshop.
SPEAKER_03Yeah, let's hopefully things work out. We'll be doing trainings next year. But the good thing is I love about your talk is you're getting the blue teamers to think about offensive tools and get that offensive mindset because I think sometimes that's a weakness when it comes to defenders not really understanding the adversary mindset as well.
SPEAKER_02Yeah, and I think it's my talk. I like to think that we're both right, but it is important because there's so many times you get a recommendation from a vendor, from NIST, from whatever, and you're like, do this. You're like, but why? Why does this make a difference? Why do I care? And if we can understand, hey, what is the attacker actually doing? Why is the attacker doing this? Now we understand why the attacker needs to do these things to accomplish their objective, and we can get in their way. Or even if we can't stop the whole thing, we might be able to stop particular parts of that path or slow it down, or if it's successful, we know, hey, maybe this is the thing that we're gonna they're gonna do next. So we can start to hopefully get ahead of them. So I think it's really important to understand that. Other than this, this is what the guy documents say, cool. Why do they say that? Why does this matter? So that we can pick between, let's say you can only implement two one of two defenses, try to pick the one that has more bang for the buck and have some of that understanding. Of course, I'm oversimplifying, but sometimes it does come down to stuff like that. It's budget and time, right?
SPEAKER_01Yeah, budget resources, who's available to implement something. Yeah, absolutely.
SPEAKER_03So, yeah, I think some of the things I've learned from Tim, it was actually Tim where I learned about uh assume breach pen test type of pen tests, because I think that's one of one of the things I learned from him that is missing someday sometimes in pen testing, actual pen test or within people's just repertoire to begin with, because you you think about traditionally in the past, and I've discussed this a lot in presentations now on some of the gaps in pen testing, is how before in the past people go and do a pen test, and if they couldn't get a foothold, they wrote up what was there, and the company was assuming that they're secure, and just that whole assumed breach methodology having credentials be able to log in the network, seeing what happens if credentials are leaked or some kind of insider threat.
SPEAKER_02Yeah, because back in art, we aren't exactly spring chickens, no offense to either of you chickens. But back when I first started pen testing, there were easy buttons. We had like MOS 08067, like that's from 2008. That's coming up on 20 years old. And this thing, I guess this bug is probably it's old enough to buy cigarettes anyway. Like you would have that. We had LM password hashes that you could crack in minutes, even with the slower computers we had back then. That's okay because passwords weren't as good. We had password reuse. So back in those days, it was you got access every single time on an internal pen test. It just that's just how life worked. And then we moved and we got rid of LM. The patching got much better, frankly, the software got much better, the exploits are much less reliable than they used to be. And we get to that point where okay, I've topped on the internal network, I can't get access to anything. What am I proving at this point? And if we go back to the basic assumption here, is I'm starting on the network. Why? Why am I starting on the network? Would an attacker have a laptop on the network at this particular organization? You're like, well, of course not. Then why am I doing it that way? How are they gonna get in? So we take a step back and we think, how's a bad guy gonna get in? Fishing. Then you're starting with access, stolen credentials, starting with credentials, rogue insider credentials, and a ton of knowledge, right? So start on those systems, and now we can get that deeper look instead of just this crappy cursory look. Look at things like active directory and permissions and really dig in and find out what's wrong.
SPEAKER_01Yeah, it was the same theory we even had back at Accubant. There was we would do the external stuff just to show them that there was the ability to get in. But we all are we always told them like if you make some assumptions here, then we're actually saving you money and we're focusing on a certain aspect, a certain vector, so you can know. Now we had one customer who took it to the extreme. He had an environment built and he had every defense around. And this is how he would get his executives to think he was doing a good job because he built this and he hardened this one environment, and his whole environment was not like this particular environment. And he would say, Everybody has to go after this environment, and if you can't hit it, then I win. And we're like, This is not a true test. Like all of this other stuff, let us nope, I'm not gonna let you have access to that. So it was just a waste of time. But then we would say, Okay, if you let us other customers, what's a little more common sense about it, let us just go after this scenario. Just assume that we're in there, we're gonna go after that. That way we save you a bunch of money. And executives love to hear that because they're like, Oh, they're trying to help us and not just exploit us.
SPEAKER_02Yeah, and I think with the assumption that you and I have who have both done this work, and maybe the people aren't familiar with this, but with your more common assumed breach, is we get a laptop that a user has longed in, logged into, and we start with that level of access. We drop our agent, beacon, grunt, whatever the hell you want to call it, start as that, and then see where we can get. So it's just some additional context if you're not quite as familiar with that. But yeah, I've encountered those situations too where they're like, here's this not realistic thing, beat that up, or only look at this particular part of the network and you're like, Yeah, but there's a juicy thing over here. And you're like, and I get it for things like PCI, where you like, yeah, for PCI, like the PCI assessor only needs to see this piece. Totally get that. But when you're looking for general security, the more constraints that you add there, it means you can miss things. And I've seen some glaring things where you're like, Look, this is really bad over here. And they're like, go test it. And it's literally the we don't want to know about it, or we know about it, but we don't want to talk about it. We definitely don't want the higher ups to know, we don't. Wanted in writing, like just ignore that one. That one's out of scope.
SPEAKER_03Yep. I've heard and seen sales cases where they just didn't want anything in a report. Just ignore it. But I've been on pen tests before too, where we had the CSO for the organization is a large global law firm. He was actually pointing to things in the environment. Test this, test that, because there are things they were trying to get remediated for years, get the budget for, and they're being ignored. But he was thinking if they got a report from a consulting company, they'll take it seriously.
SPEAKER_02: And that's messed up. But at least what I like about that is they understand what they're actually getting out of this. And to be fair, I'm sad at those organizations where they're like, "Just take a look at this very tightly scoped thing that's not realistic," ignoring the important things. Because what it means is, culturally, if they find the bad thing, someone's gonna get fired or have some negative impact, or there's some sort of culture of fear around pointing out things that need to be fixed. And that scares me on multiple layers, not even from a security perspective, but from a financial one. It sounds like if anyone sticks their head up, they're gonna get whacked, like whack-a-mole. And sometimes it is just that one person, but we're all in this together. Yeah, it may cost you a couple extra bucks to patch this thing, to pay for pen testers, but I can guarantee you it's gonna cost a hell of a lot less than a breach.
SPEAKER_01: True. Tim, we're excited about having you come share this knowledge, man, at CYBR.HAK.CON. Really excited to have you come out and talk about it. Thanks for accepting the invitation to come out and speak. Yeah, heck yeah. And it's just a couple hours from my house, so I'll head over and do the event.
SPEAKER_02: Looking forward to hopefully this thing growing and us getting another big conference in the Dallas area, because I think there's enough tech, enough smart people. Hell, there's little mini events, for lack of a better word, all throughout Dallas all the time. Even if some of you folks are from Dallas, you're not plugged in. There's DC214, there's... oh man, I'm blanking on all of them, but there's one every single week.
SPEAKER_01: It's crazy. Yeah, and by the way, if you're a member of those groups or talk to any of those folks, there might be a chance you can get a discount code for our tickets through those groups and take a little bit off your ticket cost, because we try not to make these too expensive. We're not Black Hat or anything, where they're charging $2,700, but you can still get some discounts. So go talk to those groups, see if those discount codes are still around. Should be a good chance to get out there and have fun with us. I'm excited. I am so excited for this.
SPEAKER_02: I think that's right. Is that the price I got right? I'm looking at the website right now. Okay, it's usually about half the price of most of the ones I see. They're starting at 450, 500. So it's a great opportunity if you're local, and it's only an hour drive... just joking about how big Dallas-Fort Worth is. But not that terribly far over. Tons of folks out there. Looking forward to meeting you all. It'd be great. Same here.
SPEAKER_03: Thanks for joining us, Tim. And before we wrap things up, we've got to give a shout-out and mention to our media partners: Barcode Podcast, Cyber Distortion Podcast, and Killchain Radio. So thanks to those folks for supporting us as media partners.
SPEAKER_01: I think most of them will be at the event. Yeah, some of them will.
SPEAKER_03: Even one of our Eagles fan friends, Chris from Barcode.
SPEAKER_01: Yeah, we'll find him in a corner somewhere and just throw batteries at him like the Phillies fans do. But I don't know... Chris is a good dude.
SPEAKER_03: He and Kevin always go at each other, because Kevin's local and a Cowboys fan, and Chris is an Eagles fan.
SPEAKER_01: Kevin contributed heavily to CYBR.HAK.CON this year, too. We've got some cool stuff. I don't want to give it all away; I want people to show up. But he did some cool stuff graphically for us at the show.
SPEAKER_03: Yeah, we're good. I guess we'll stick a fork in it. We're done. Stick a fork in it.
SPEAKER_02: Appreciate it, my new BBFFs. You can't claim the B yet. You gotta shave this, bro. All right, let's go with BFFs. Bald friends forever. Best. Yeah, we're working on that. All right.
SPEAKER_03: Thanks, everyone, for joining, and we'll see you in the next episode. And we hope to see you at CYBR.HAK.CON. Bye, everybody. Bye.
SPEAKER_00: This has been a CYBR.SEC Media production. CYBR.HAK.CAST is hosted by Michael Farnum and Phillip Wylie, with production and editing by Lauren Andres. Our music is by Kike Gutts. The views and opinions expressed on this show are those of the speakers and do not necessarily reflect the views or positions of any entities they represent. This show is for informational purposes only and does not render or offer personalized advice. Subscribe now so you never miss an episode. You can find all of our podcasts, articles, blogs, and conference posts on cybrsecmedia.com, that's "cyber" without the e's. And follow CYBR.SEC Media on LinkedIn, Instagram, and Facebook at CYBR.SEC Media. You can keep up with CYBR.HAK.CON by following us on LinkedIn, Instagram, and Facebook at CYBR.HAK.CON. And you can learn more about CYBR.HAK.CON at cybrhakcon.com.