We think we know the value of first principles in offensive security
- Article tags
Ready to excel in offensive security this year? Delve into the mind of Vivek Ramachandran, a cybersecurity virtuoso who’s seen (and learned) a lot in this field.
He's a force that fuels both his current company and the broader cybersecurity landscape with original thinking, educational and actionable insights.
And there's more to Vivek than just technical savvy. He's on a mission to revolutionize how we view ethical hackers and infosec pros, using his captivating comic books to challenge cliches and spark a new wave of enthusiasm in the next generation.
Vivek Ramachandran bio
Vivek is a titan in offensive security with 22+ years of hands-on experience and 13 more as a trailblazing entrepreneur. He's not just an icon of deep expertise, but a beacon of inspiration for everyone, reshaping how we approach, learn, and evolve in cybersecurity.
Founder of Pentester Academy and SquareX, his career journey blends technical mastery with impactful education and community building.
He’s the author of several books on Wi-Fi security, including comic books with realistic portrayals of hackers. Vivek also speaks at top security conferences such as Blackhat USA, Europe, DEFCON, Hacktivity, and others.
Tune in for this insightful episode with Vivek to find out:
Why people mistakenly equate offensive security with functional testing [04:36]
How (and why) the Hackers: Superheroes of the Digital Age comics came to be [07:13]
Why first principles are essential in mastering and elevating security concepts [12:31]
How to build your career on curiosity, gut feeling, generosity, and perseverance [19:33]
Why we need human ingenuity as the nature of what we automate changes [29:10]
What an entrepreneurial adventure will teach you about yourself - and others [43:45]
How being part of the infosec community changes your work, thinking, and career [51:00]
Vivek’s vast career is a rich source of inspiration if you’re ready to practice extreme ownership, radical candor, and achieve the kind of alignment between your principles and actions that will propel your work and life to the next level.
Resources from this episode:
Vivek on LinkedIn
Vivek’s story in cybersecurity
Comic books - Hackers: Superheroes of the digital age
Vivek on the Philip Wylie Show
Advanced Wi-Fi security with Vivek at DEF CON 23
Training courses on Pentester Academy
Listen to this episode on:
Episode transcript
Andra Zaharia: Only the most curious and persistent people thrive in offensive security. How do I become a better hacker? How can I build and maintain my advantage over adversaries? And what's limiting my ability to think creatively?
This podcast is for you. If you're the kind who's always digging deeper for answers, join me as I talk to some of the world's best offensive security pros about their work ethic, thinking, and real-world experiences.
This is We think we know, a podcast from Pentest-Tools.com. We think we know what to learn from the evolution of offensive security.
But today's guest is here to challenge that and offer new ways of building your skills, mindset, and career.
[00:55] Andra Zaharia: Let's dive into the depths of offensive security with Vivek Ramachandran, a titan in the field with over 22 years of frontline experience and 13 years as a trailblazing entrepreneur. He's not just a figure of profound expertise, but a beacon of inspiration, reshaping how we approach, learn, and evolve in cybersecurity.
Vivek's journey is a masterclass in blending technical mastery with impactful education and community building. He's a force that fuels both his current company and the broader cybersecurity landscape with original thinking and actionable insights.
In this particular episode, we're breaking down the misconceptions about offensive security.
Vivek illuminates the lesser seen facets of this domain, debunking the myth that it's a rigid, tool-centric process. He advocates for a blend of originality, creativity, patience, and a deep understanding of complex systems that are all necessary for anyone aspiring to excel in offensive security.
Andra Zaharia: And there's more to Vivek than just technical savvy. He's on a mission to revolutionize how we view hackers and cybersecurity pros, using his captivating comic book project to challenge cliches and spark a new wave of enthusiasm in the next generation about the real thrill of cybersecurity.
Join us as we delve into the mind of a cybersecurity virtuoso. Along with celebrating a career filled with achievements, we're also about to unpack the mindset, principles, and values that are essential for thriving in this demanding field.
Welcome to a conversation that's as informative as it is transformative.
Andra Zaharia: We are so, so grateful to have you on the We think we know podcast.
You're one of the MVPs of the offensive security space and cybersecurity in general, with your contribution to the community, with your drive and determination, energy, and just everything that you bring into the space. So thank you for being here.
Vivek Ramachandran: Thanks so much, Andra, for having me on the show and thanks for that very sweet and kind introduction about whatever I've done. I think still lots to be done, a lot more to kind of go. But yeah, I'm super excited to be working in cybersecurity almost now for 22 years, 13 years as an entrepreneur, and hopefully can go on till the day I probably die.
Andra Zaharia: That is an impressive career and not just through your actual contribution, but to the model that you set, honestly. You're a role model for many, many people, not just with your determination and persistence, but also with your generosity.
You know the space really well because you've built an incredible body of educational resources that continues to fuel the company, to fuel the industry, and this space in particular.
So given your unique insight, what do you think is one misconception that most hurts offensive security professionals?
[04:36] Vivek Ramachandran: Yeah, I think the one misconception overall is that it's a very process-driven, it's a very well laid out plan that you can decide upfront and just execute on that with a known set of tools and test cases. So I think the biggest misconception is for people to equate offensive security with functional testing and just call it security testing.
Andra Zaharia: I totally agree, because we seem. Well, given that cybersecurity in general has entered mainstream and it has become such a vast playground for commercial intentions. We seem to want to find those formulaic approaches, those very structured, like if you do this, then those formulas, which in a space that brings so much together—human nature, technology, sociology, geopolitics—that's really hard to achieve, isn't it?
And something that I took from some other interviews that you did is that this is all kind of wrapped up in a very negative tone of voice and you're actually trying to fight against that with one of your personal projects.
Andra Zaharia: So I thought if you could just go into that just a little bit because I find that one of the most fun, entertaining, and educational tools that we have in the space.
Vivek Ramachandran: You mean the Comic book and everything? Which, okay, having been in this space for 20 years, and of course, most of us feel proud to be called hackers in our own right. And that's really where, incredibly, what had happened is that my elder son, who's ten years old, he came to me one day and he was like, "Dad, what do you do?" And I was like, "Okay, go Google it and find out." I've given enough talks that I was very curious to see how he pieces together what his dad does. But then he came back, like, the very next day after school, and he was like, "Oh, you're a hacker, and you steal from people." And for a second, I was shocked, right? Because when your own son comes to you and literally says you're a criminal, that isn't the most fun thing to hear.
So I quickly realized that the mainstream stereotype of security people, hackers, people in offensive security, unfortunately, is this very negative caricature, which really points to somebody who's, like, hidden away in a small, dark room with dimly lit surroundings and only doing negative things. So I think what I thought was, hey, the younger generation is very impressionable, and at the very same time, if you wanted something which would speak to them, you probably have to use an art form that almost all of us go through when we are young, which is comic books.
[07:13] Vivek Ramachandran: And at the very same time today, we live in the age of superheroes, right, with Marvel and all of these guys putting all these things out. So I thought it would be very interesting to create a hacker vigilante, but not something which is fake, right? We've all seen Matrix, where Neo waves his hand and everything stops. And I guess that dramatization is nice when you're watching a movie, but very far away from realism. So the whole idea was, could you create a hacker vigilante with a very realistic portrayal of hackers hacking, going down to the nuts and bolts, where people could get a real flavor of what this art form is about and why this is so intriguing, interesting, and so much fun and actually very addictive once you get hooked to it.
So that's really how Hackers: Superheroes of the Digital Age, the very first edition, came out, and now we are all set to actually put out a few subsequent issues as well, which we're almost done with.
Andra Zaharia: I can't wait to read those. And I think that this kind of approach is something that we need more of because it's not all doom and gloom. It's actually interesting work that makes you feel something, that makes you passionate, that makes you even pursue your curiosity and dig deeper beyond the surface of technology, of how things work, understand systems. And these are kind of, let's say, the superpowers, the real-life superpowers that hackers have. And I was wondering, because you mentioned something that is, I think, very interesting and very powerful that hackers don't necessarily fit the hoodie-type, basement-dwelling stereotype.
You've seen offensive security professionals in almost every context. Where do you see them now that they're more part of the conversation in business settings and so on and so forth? What do they look like? Paint a small picture of this diversity that we're all striving to achieve.
Vivek Ramachandran: So I think if you look back almost 20-25 years when I had started, it felt like at that point, this was a very close-knit community. You could literally count people on your fingers when it came to people who were really doing security research in various different countries. But I think now we've come a lot further. Some credit goes to mainstream as well. A lot of people did get excited and interested about cybersecurity. Many folks have tried to enter, some succeeded, some didn't.
I think today's average offensive cybersecurity engineer is as diverse as they get. So both men, women, of all age groups, from different countries in the world, I think the representation is very diverse. The hotspots, though, still remain, I would say America to some extent, India, because of course, there is a massive software spectrum know, sitting in India and of course, large pockets in Europe, like Romania. I actually feel Belgium has a bunch of folks as well. And then, you know, go about pretty much to South America and where not.
When it comes to really probably looking at cybersecurity in a very, very serious way in the enterprise, I think the US still does lead the pack. I think most of the other countries are still being led because of regulation and compliance, more than probably a genuine kind of need to be secure. But I think that's changing. That's changing. But hacker diversity-wise, I think pretty much, I wouldn't even try to paint any form of caricature anymore. I think it's just as diverse as it can get.
Andra Zaharia: And let's hope that continues to build in the future because that diversity is actually, as you well know, necessary to make sure that we put out quality work, to make sure that our diversity of mindset reflects the diversity of skill, which is so necessary and actually fundamental for this space.
So talking about skills, there are a couple of things that go beyond what everyone knows they need in this space. You've created educational resources that cover every aspect of penetration testing, of security testing in general. You've talked about all of these things, but what I've seen advance your contribution to this field and your career, was that all of those skills come wrapped up in a series of principles, in a series of values that you've consistently practiced. So what can you tell us about how those values and principles and that particular mindset evolved for you, and how has it helped you be at a point where you can actually bring change into this space, a lot of positive change?
[12:31] Vivek Ramachandran: Yeah, that's a great question. I'll actually break up my answer into two parts. One is, of course, the whole technical learning side, and the other is, of course, the whole soft skill and how you are as a person. From the whole learning standpoint, I would say the value system that I've always imbibed is massive curiosity and at the same time trying to learn everything from a first principle basis. So I guess the way I can explain it is today, technology stacks are so complex that generally, if you start from the absolute middle, you probably have no clue about how a piece of technology evolved, what lies underneath, and hence your learning typically is a little shallow. You may be able to do some small things, but beyond a point, you might actually see you're not able to push the envelope any further. So one of the guiding principles, and I still do it today in Squarex when we are building a very deep technology product, is I try to ask questions absolutely from the first principles.
Now, the best example is, let's say you are building as a simple example, let's say an isolation solution, right? So at that point, you start questioning and say, okay, in Linux, what are the starting units of isolation? So somebody may say, oh, you know what? These are containers. Now, technically, container is still an abstraction where if you go levels below that, you would actually say it's namespaces, it's control groups. Now, if you really start digging deeper into what namespace control groups and all of that is, you'll realize the absolute bottom layer of how you could think about isolation, getting built from a security standpoint, starting with namespaces, control groups, Docker containers inside that and whatnot. So one of the things which has always served me really well is this massive questioning around first principles.
I also got a thumbs-up in the video. And alongside with that, this curiosity where I think a lot of people, as they start going through their career, feel that if they ask questions, they might sound bad or dumb, because, hey, you don't know that, right? Like you're supposed to know this. And I think, unfortunately, that's really where learning starts to taper down because you stop asking questions. So for me, given I have a big team of technical people who are currently working with us, I learn most of my stuff today by just asking questions, many of them very rudimentary, very bottom layer, where to somebody who's very specialized probably in that field, it might be like, hey, Vivek, this is simple, but that has always served me well because it allows me to challenge people on first principles. And generally, I've seen if someone isn't able to answer first principle questions, they themselves fully don't understand it.
The third thing, I think, from a pure system of things that I've followed is massively practicing everything in an absolutely practical way. So this isn't a field that you could read a blog post, you could watch a video of somebody demonstrating something at DEFCON or Black Hat and just sit back and say, you know what, I understand this. So I think you need to kind of go ahead, put that in with experimentation as well.
Vivek Ramachandran: Now, on the other side, the soft skills side, security is one of those fields where I think trust and integrity need to be built almost every single day with whoever you're discussing. As a simple example, imagine somebody playing a bug bounty and reaching out to a company in a tone that is extremely threatening, right? This could be a case where otherwise a company who would have typically responded well may feel very threatened and immediately start looking at a legal resource rather than a dialogue.
One of the things that served me well is, hey, be humble, try to go ahead and present your case to people in the company, outside the company, in a very detailed way where they have a full understanding of things. Try at every point to see how you can build integrity and trust. And this is something which is going to serve you along the way anyway, regardless of whichever roles. But in cybersecurity, I feel this matters a lot more because people wouldn't want to trust somebody with their infrastructure, with their entire security products and whatnot, if you are somebody who principally comes off as someone who can't be trusted, right? Where you put things out on your Twitter, where someone reads it and they're like, oh, you know what?! I don't know what to expect from this person. Things like that. I don't know if I adequately answered your question or if there is anything I can elaborate on.
Andra Zaharia: Oh, no, that was a perfect overview of all of these things that are so instrumental for everyone in cybersecurity, and you embody these practices and this way of showing up in the space so, so well. And I think that that's one of the reasons why I do this exercise. From time to time I ask people like, what do you admire about the people that you follow, the people who you trust, who you allow influence your work and your priorities. What do you admire about them? And it's always that ability to be clear, to be generous, to be reliable, to just be, again, trustworthy. So I think that you capture that really perfectly. And these are, I feel, like first principles in how to be just a generous human contributor to the space that can bring out such great things about ourselves and help us discover such great things that we can actually do with other people.
And to your point, so your career started with building products, then you switched to breaking them, for ethical reasons, of course, and now you're back into building products. And I can't help but see that that trust that you were talking about earlier is something that has contributed to where you are now, to getting a huge investment for the company that you're building, to build yet another team that trusts you, to lead them into a space and to create something different, to transform things, to challenge things. So what were the inflection points along that cycle of building and breaking and building again? And how does that feel for you now, looking back on over two decades of experience?
[19:33] Vivek Ramachandran: Very, very good question, I think very early on. So my background is I was born and brought up in India. I studied there, and then, of course, traveled the world, lived in multiple countries. But going back, I would say, Andra, from my perspective, and of course, this is very cliche, I know literally, you'll hear this in every single motivational talk. But I feel like I genuinely followed my interests quite a lot, even though it was at a time when people genuinely didn't believe cybersecurity would be big, right?
So to give you an idea, when I was in my engineering college, I was literally the only person in the whole batch who was, like, downloading exploits from exploit db those days, it used to be Millw0rm. I don't even know if folks remember and trying different things out from Backtrack and all of these mailing lists. And I know that a lot of the folks who were studying with me at that time, and I was studying electronics and communications, trying to specialize in cybersecurity, everybody looked at it and said, hey, this is so childish. Hacking and what is this, breaking into systems? Come on, this isn't a real career. And to be frank, I wasn't even looking at that as a career because I just enjoyed programming, writing these things out, seeing what other people were doing.
So fast forward, when I had my very first job at Cisco Systems, where I was programming layer two, security 802.1X for their catalyst switches. While I was programming it, the only thing I was thinking about is I'm building these features. But my hacker side is also telling me how hackers would probably end up breaking these features. So, of course, it did make me a better security programmer, for what it's worth.
For me, the big, I would say, break was there were two important inflection points. One is Microsoft, when I was still working at Cisco, had announced this contest called Security Shootout, where they were holding a competition, PAN India. Some 60,000 people, I think, had participated. And they had basically given a web app in ASP.NET, which they wanted people to break and patch. And I was one of the winners of the contest, India's top ten. And post that, I started feeling like, hey, I was probably good at this. Then I was lucky enough to be able to work for this cybersecurity company called Airtight Networks, which was building wireless intrusion detection systems. And over there, the founder of the company had me work on a technology called Web Cloaking, which was basically to cloak web and to break it and then find other exploits. And he told me, hey, Vivek, if you manage to do this, you know what, submit it to DEF CON. If they accept, you can go.
And, you know, going behold, DEF CON accepted. And this was 2007, right? 16 years back. And once DEF CON accepted and I did the main stage talk. I think my belief in myself went sky-high when I thought that, you know what? I could actually now compete with the best in the world, right? And I think once that happened, Andra, I kind of also quickly figured, like, I think I had a knack for breaking systems. So I came back, quit my job, really had no intent to ever build a business, but went back to my parents' home, put out this free site called SecurityTube.Net, because, hey, I was researching anyway, and I thought, why not just put up those videos online and see what happens?
And all I wanted was to get talks in various conferences so I could just go speak, show off my findings. And what happened, incredibly, is that website just grew in readership, and people from all around the world training institutes started contacting me and said, hey, our trainers are actually using your videos to teach classes. Do you think you would actually come down and do the teaching yourself? So that's really how I literally traveled 20-25 countries way back in 2010 and saved up enough money to actually start SecurityTube Training, which eventually became Pentester Academy, which eventually then got acquired, and then I moved on to starting Squarex and all of that. But I think those were the inflection points.
I think you just need to trust yourself and trust your own gut feeling of what interests you the most and keep going at it long enough before, as they say, the proverbial miracles happen or magic happens.
Andra Zaharia: Thank you for that wonderful story and for that walk, for taking us through all of these experiences that have so much depth and so many details and so many more stories behind them. And thank you for emphasizing this idea that you need to put your work out there. You need to put yourself out there to get the validation that what you're trying to build and what you're interested in is helpful to other people and how it's helpful and how you could build on that, how you can make that into something that becomes a staple like Pentester Academy did. And thank you for also emphasizing that it takes time, because I feel that many people coming into the field now, or some people coming into the field now, lack that patience. They want to burn through stages. They want to go through things really fast. But to connect to things that you mentioned until now, it's about first principles. It's about taking your time to understand the basics so you can actually build something that's meaningful, whether it's skills, whether it's a particular way of doing things, whether it's a product, a company, a team, whatever it is. That all starts with that deep understanding of what is the problem I'm trying to solve? Who am I solving it for, and what's the underlying technological problem or business problem that I'm trying to address through all of this?
Vivek Ramachandran: One thing I can add to that, I can tell you, Andra, is when I first sent out the mail, when I first put out the few videos, some folks replied to me saying, hey, Vivek, you sound like Apu from the Simpsons. And that was the time, know, when you put stuff out and you get a backlash, you start thinking whether you want to do it. And there were so many people who told me, hey, who would want to listen to lectures in an Indian accent online? And the reason I bring this up is you were talking about having that sense of perseverance. I think my guiding light was, I said, look, out of 100 people who watch my stuff, even if ten of them like it, you know what? I have a good enough audience to just focus on. So, to your point, I don't think you can ever build anything which everybody will like. You need to have an extremely high tolerance for rejection. You have an extremely high tolerance that there are going to be haters. And, of course, in today's, social media world that compounds by quite a lot compared to 10-15 years back. And last but not the least kind of your bang, right, is 100% what you need is a massive amount of patience, which I guess, in today's world of TikTok, 60 seconds is what people are willing for a video to entertain them. Unfortunately, your life and career cannot work that way.
Andra Zaharia: That is so absolutely true. And all of these misconceptions that we're trying to bring down, I feel that it's interesting that we bump into them in a space that was built on the hacker mindset, which is about diversity, about challenging norms, about being different, about being a rebel, about totally different things than, let's say, the usual way of doing business. So it's going back to that initial, let's say, ethos, that initial kind of cinematic universe, if you will, because that's what we have on our hands here, and that's what you're building with the hacker comics and see what that's all about.
Because that's what gives us strength and motivation and energy, and that's what actually connects the people in this community. That's why people go to DEF CON and have been going for like 20 years and had considered those people part of their family like Jayson E. Street said in a previous episode. That's the feeling that we need to move this industry forward, especially with automation and AI seemingly coming to eat away at these opportunities that people have in this field and giving them the fear of missing out anxiety and so many more things.
Andra Zaharia: So in this context of, let's say, fast food offensive security, like very fast track offensive security, what do you think still makes it a craft that's worth pursuing in this slower, more methodic, more profound way, if you will?
[29:10] Vivek Ramachandran: Yeah, that's a great question. And I think that every ten years or so, and of course now a lot faster, the fundamentals of what is craft and what can get automated always keeps changing and shifting. It's very important for us to understand where to draw that line and say, this is where human intuition and human intelligence continue to add value and everything below that, you know what, human intelligence has probably already created reasonable automation, right?!
So to take you back in time, 20-23 years back, if you were able to run a good Nmap scan with all the right parameters, you actually had a good job for what it's worth now. Taking you back ten years, if you knew how to string a couple of good tools, like a Burp Proxy with some automation, DirBuster, and a couple of other things, you were now good at web application security, for what it's worth, right? You could tamper those simple parameters and look at other people's greeting card just by changing an ID and whatnot. So if you look back 20 years back, even simple network commands required human understanding where you had to know, you know, what a port could be open because of these TCP flags being on/off, or not.
Ten years past, all that stuff started getting automated quite a bit. And where human smartness and intellect went into was web application security, because you had to figure out these application-level attacks, business logic attacks, and much of this you couldn't automate at that point. Now, the bar will, of course, always continue to go high. And that's really where, if you look at it, a lot of functional testing has definitely been automated. And in today's world of ChatGPT and large language models and all of that, the big question arises, hey, where can humans contribute? Cybersecurity and even other fields? So I feel even today, when you look at security testing, offensive security-based testing, whether it is pentesting, red teaming, whatever you want to look at, I feel like this still requires a lot more original, out of the box thinking. And the reason I say this is, typically security rests on corner cases being successful. right?! Unintended consequences of a programmer developing an app in a certain way, right?!
And this, at least today, is still difficult to kind of train an AI model to do that kind of out of the box thinking. What today, even still AI models are good at, is if you throw them a lot of examples about something they're able to produce, similar to better examples. But if it is something they've never ever seen or thought through, we still aren't at that point where out of the blue, it would actually pick up an extremely corner case. And all of security, the good bugs, is all those extreme corner cases. That is one. The second part is today's security is also stringing together attacks and observations across multiple layers, applications, networks, and whatnot. So a complex attack could involve poisoning DNS, which would be a network attack, and then probably kind of load jacking and loading a page, which ideally shouldn't have gotten loaded, but now is because of their whole DNS poisoning. And then that page itself might trigger a multilevel exploit, which might somehow break out of the sandbox of the browser, right?!
So I think still all of this requires a well thought of human ingenuity, which kind of passes through the structure. And I feel like this is still very far away from where today's AI automation and all of that is now what will definitely get automated is, I would say, base-level testing, whether it comes to web applications, network applications, APIs, simple fuzzing, simple fuzzy logic and all of that.
So I think as a security person today, if you're doing offensive security stuff, it's probably a good idea to focus on that top cream level where you are trying to use tools to your advantage to gather all of that background info and then use your intellect, understanding your experience, to munch through that and figure out second, third order attacks where you can string together things. So I think the first order reconnaissance, the first order basic attack testing, that's pretty much automated and probably should be because applications are complex enough that now you really require to think 2nd, 3rd, fourth order.
Andra Zaharia: So well lined up. You lined up everything. I feel that someone in the space needs to really not just level up, but to better understand how to use their time and their energy and their resources, which come in limited supplies, since we're still humans, in spite of us trying to overcome our biological limits in so many ways. So given that, again, you're putting to work your understanding on all of these layers into a new form by finding a gap that's still unaddressed. So what you're building right now, because I know that you're passionate about deep tech solutions that address all of these, that come with this multilayer way of addressing issues. Can you tell us just a little bit about the gap that you tried to solve with what you're building at SquareX and where that came from?
Vivek Ramachandran: Yeah, yeah, no, I think fantastic question. I mean, you know, I think I was lucky enough because I was in education for a while. I spent a lot of time looking at a wide breadth of topics, but also looking at them very deep, right? Because that's the only way you can have an understanding to create great content and material. And of course, we were also very lucky that Fortune 500 companies across the world, I think, at peak, pentester, had tens of thousands of customers from over, I think, 141, 50 countries. So this allowed us to get a lot of feedback from practitioners in the field as to what kind of attacks they wanted to simulate in their own organizations to prove to their security teams as well as to management the kind of products and whatnot they needed.
So during this time, people used to come back to me and say, Vivek, I don't know how to solve this, and I used to get surprised because I was like, okay, is there no product that actually does this? Approaching things from a hacker's perspective, I think gives you a very good adversarial understanding of probably how a product should have been built to block it. So I think once I exited out of Pentester Academy and I kind of like, took over, I started spending a lot of time researching and looking at what are Internet-sized problems where I felt like I wanted to make an impact over the next 10, 15, 20 years, right?! Because if you're building a company, you probably want to look at that time horizon and nothing lesser. So the whole thought process to me was, hey, people are spending more and more time in the web browser where your browser has started to become your operating system today.
Andra Zaharia: So, true.
[35:05] Vivek Ramachandran: At the very same time, the existing, I would say, product lines are siloed out in each of these different layers. So just like you had OSI layers, you have network security products, you have endpoint security products, you have application security products, which are primarily like secure web gateways and whatnot. And each of these layers kind of got independently developed in their own era, right? In the beginning, it was this network security tax and whatnot. And really, if you have to detect a cross layer attack, the only way is these layers tend to send their findings to a SIM product somewhere in a security operations center. And there, there is automation or people looking at it, trying to write out policies, correlation and whatnot.
Now, truth be told, by then, it's already too late because the attack has happened. And see, security has always been a needle in a haystack problem, right? Which is you can't even miss the smallest thing because that compromises the keys to the kingdom. The other observation we had is probabilistic security has failed us. And what I mean by that is, no antivirus, no matter how much of AI jargon or marketing jargon you throw at it, is ever 100% going to be able to detect every single attack deterministically, right?! So our thought process was also like, hey, we needed a solution where we could go ahead and move from probabilistic to deterministic security. And that can only really happen if you treat every link, every file attachment that you receive and assume that it is probably fully malicious and you will not be able to detect that malicious intent with your existing technologies. So if you combine all of this, our simple perspective is, could we actually build a product, which has a browser component and a cloud component, where we could actually go ahead, run machine learning models in the browser so that it can actually learn from you.
So the moment we run alongside it knows what Andra does, it can learn what kind of places you visit and when it starts to see aberrations and problems, it can immediately flag up and actually detect attacks right there. Now, to do this in a privacy first way, where entire model and all of the data is just running locally, this, if the user does not want, is never synced between devices, is never sent to a server, none of that bad stuff happens, right?! Unless you're an enterprise and that's really what you want, which is you want more fine-grained control over your employee computers or whatnot.
Vivek Ramachandran: So I think the whole vision SquareX has is, can we actually solve browser endpoint security, But think out of the box. Not the traditional way that these products have been created and deployed for the last 10-15 years, but rather in a way which automatically lends itself to cross-layer attack detection and having an intelligent detection system running on the endpoint itself, which can make decisions locally rather than for every single thing, do the whole crowd round trip, where honestly, by then things have been compromised altogether anyway for some attack classes. And that's really what SquareX is trying to do.
Andra Zaharia: There's so much space, I feel for, I want to say innovation, but I feel that word sometimes gets stripped of its meaning for transformation, for evolving things in this way, especially in particularly because privacy has actually become almost a reflex, which is such a great thing. I feel like this is so, so important, and perhaps it doesn't get enough credit or enough attention in the offensive security space, where it's almost everything about security but privacy, which kind of opens up this field to other types of problems and challenges, sometimes not, gets overlooked, but maybe sidetracked just a little bit.
So the fact that you're bringing these two together in a way that looks at it from the attacker's perspective, but also with a lot of thoughtfulness for the end user who expects everything to be easy and fast and not intrusive, I feel like is definitely a worthy challenge to pursue. And I'm very excited to see what you do next. When you bring all of these elements together. It is quite exciting. And this is actually one of the reasons why I love working in the space, because there's always something better and meaningful to pursue, actually.
Vivek Ramachandran: Thank you so much. And yes, I think that's really where we wanted to create a security product for the times, which users love and not hate, right?! Because the average user doesn't enjoy installing, buying, using security products, and most of the time that security products light up, it's generally bad news where they end up blocking access to files and resources and just getting in the way of productivity.
And that's really where the whole thought about SquareX was, hey, could you unblock? Users never get in the way of productivity, be privacy first, and try to see if imbibing all of these principles, the user tends to appreciate it and value it more than the current generation of tools.
Andra Zaharia: And something that is valuable, I think, to emphasize in your journey through cybersecurity and through addressing and solving all of these problems is that there's so much flexibility to move from one role to another. So, for instance, how did your relationship with your work change as you became a business owner and started to develop team and took on all of this additional responsibility?
How did you balance working on the business with maintaining that curiosity and practice of security in every way that you were interested in? I'm very curious about that because perhaps people who have entrepreneurial ambitions think like, how am I going to do this? I don't want to leave the work because I love doing the work, but I also want to build this new thing. So how can I ever do both?
[43:45] Vivek Ramachandran: Yeah, that's a great question. I'll actually break it up in different timelines, right?! So when I was doing Pentester Academy in the early days, of course, at that point, it was a bootstrapped company and we were just starting. So I guess at that time I was heavy-lifting everything, right?! Writing code for the website, making the videos, making the lab exercises, and whatnot. And I had a very small team who was helping out with customer support and whatnot. So I think if you have entrepreneurial ambitions the first couple of years, be ready to wear multiple hats and do crazy amount of heavy lifting. I think for the first three to four years, I think I must have done 14, 15-16 hours work days. And the only reason I could do it is because I genuinely enjoyed it. I enjoyed making every video, I enjoyed responding to every single user who used to write in. I used to enjoy reading those comments, and in my mind I was like, oh, wow, I have an opportunity at building a legacy here, right?! And that kind of kept me going on.
My work was being appreciated and I enjoyed it. So I feel like to be an entrepreneur, the first question you have to ask yourself is, are you picking something you genuinely enjoy so much that it isn't going to deter you from doing a crazy amount of hard work, right? And I think, of course, once the company started working and we started generating revenue and you start hiring people, the greatest learning I've had, I think in Pentester Academy, multiple iterations, but less in SquareX, hire the best people that you can find and make sure that what they are working on is also their kind of like first passion. And the reason I kind of say both are important because you could hire a very smart person and give them a task or activity they absolutely hate. And when that happens, there is this impedance mismatch where eventually they will either leave or do a bad job. So my typical thing I do when I interview people is I ask them, hey, if I gave you absolute freedom within the scope of what the company is building, to pick something where you feel you want to absolutely run with it, then what would it be? And if after that, that aligns with the vision mission of the company, and I see that there is a good role, only then I do offer. I feel like if you do that, it brings down the amount of onboarding friction for a person, and the person also needs less convincing as to why they are building what they are building. So that is number one.
The second thing, kind of coming back to what you said, I think it's very important, at least at most early to mid stages, to be in the trenches with the troops. And what I mean by that is, just because I ran a business, it succeeded. That doesn't mean anything, right?! When you start a new company, you're really starting at equal to zero. The only data point I have is one of one, and that means nothing. So it's important that from day zero, you kind of imbibe that in your culture, that, hey, there's no reason why SquareX should succeed, apart from the whole team trying to pull this together, apart from us building a great product and value to the end user and end customer. And that's the only way we can win it, right?! The world doesn't owe you anything because you're a serial entrepreneur or because the team is the same team which did something before.
The third thing is, I feel like me being your right, as a technology, as a deep technologist, I enjoy getting into the weeds of the problem. And that's why I've chosen a field which is deep technical, because I feel you can only win in a deep technical company by actually having very nuanced insights about your field. And nuanced insights can only come with a massive amount of time and experience, and I would say almost research mentality when looking at what others are doing and how you can have a 10X, 50X, 100X force multiplier improvement in whatever you're building. And because I enjoy research, and that's why I actually picked up a topic which is at the bleeding edge rather than building a metoo product, but at a cheaper price, which is also a great way to probably go into a market for people who are great at that.
But, yeah, I mean, even today, I would tell you that I have 12-13-14 hours days. I have a great team who load balances, so I try my best to give them as much autonomy as possible. So that's the other thing to your point, is trust people, give them autonomy, listen to them. Don't feel like an entrepreneur or as a founder, you know everything. I think people who are executing on the front lines of your business can give you great, key insights that you should be very receptive to. But hold people to their KPIs, hold people to their goals, but most importantly, hold yourself to what you've promised. Because I think you have to lead by example. And that's really where if you expect people to work hard to kind of be involved, you probably have to do 2X of that to show people that, hey, this isn't just lip service, but you're in it with them.
Andra Zaharia: And that is how you create change. That was really not just refreshing to hear in the mentality of how certain types of businesses get built at this point, but it was also energizing and kind of truly grounding. And again, everything that you've said so far, and the way you say it, the way you go in depth, the way you approach all of these things, from developing your own skills and understanding to maintaining this humble mindset, it all speaks to this consistency and coherence between what you believe in and what you do.
There's perfect unity there and having that type of integrity, at the end of the day, that is what makes not just work enjoyable, but it also helps us build things that we're proud of that give us the energy to work long days and to develop relationships in the workplace or in the industry, in the community, that actually feel rewarding, that give us that sense of, like, I'm in the right place, doing the right thing, and I want to keep doing this. So thank you for everything that you've shared today. It has been just absolutely fascinating. It has been so educational and so honest and so just, again, grounding that. I'm really grateful that we have someone like you in the community to help us pursue a better version of ourselves, of our work. And in doing so, hopefully a better, stronger contribution to truly making the world perhaps a bit better for everyone.
[51:00] Vivek Ramachandran: Yeah. Thank you so much, Andra. I mean, I think it's been a fantastic conversation and as like. And the most important thing for all of us eventually is just to give back to the community that helped build us. As you can see in my story, everything was possible because I was backed by the cybersecurity community right from day one with starting my career in community conferences like DEF CON and BlackHat, and then moving on to build SecurityTube, where all of these hundreds of thousands of free users inspired me to keep going, and then supporting me when we kind of moved on to Pentester Academy, where I was actually able to build a business. And a lot of the great folks that I hired were also from the community who wanted to work with us.
So absolutely, I think at least my career has been an example of, hey, if you go help a community, the community will kind of come back and help you with your own aspirations and what you want to do. And I guess that's the best way to build everything where you feel that you're part of a large community and you are contributing and the community is contributing back to you, which is fantastic.
Andra Zaharia: Ever wondered how deep the rabbit hole goes in the world of ethical hacking? Well, we're still falling, and we're dragging you along with us. One question at a time.
Thanks for wandering through this maze with us as we tackle the nitty gritty, flipped misconceptions on their heads and maybe, just maybe, made you rethink some of the things that are important to you.
This has been the We think we know podcast by Pentest-Tools.com. And before I sign off, keep this in mind. There's always a back door, or at the very least, a sneaky side entrance.
See you next time.
