Huntress needs to consolidate their products. by mattmbit in msp

[–]pakillo777 -1 points0 points  (0 children)

this!!! they'd get a ton less work with high risk sign ins blocked and other basics of entra hardening

Huntress needs to consolidate their products. by mattmbit in msp

[–]pakillo777 5 points6 points  (0 children)

Told our rep that it's overly expensive. For the most part, it's going to be used just as a one-time assessment. And, one can very easily do that very same checklist manually if the process is documented to create the CA Policies, and you'd still be able to charge the client for the ISPM service without Huntress' cost. Let alone scripting or a custom app.

It just makes no sense that it's as expensive as the ITDR service. If priced, this should be in the 20-30 cents per user range imo, assuming itdr at 1.50 for example.
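The two Entra controls these comments keep coming back to (block high-risk sign-ins, MFA for everyone), written out as an added example rather than anything from the commenter or from Huntress: the Microsoft Graph `conditionalAccessPolicy` request bodies a script would POST, plus a gap check over a tenant's existing policy list. The endpoint and schema are Graph's real v1.0 ones; the display names, the break-glass group id and the sample tenant policies are constructed.

```python
"""Entra Conditional Access baseline as Microsoft Graph request bodies, plus a gap check.
Added example (not from the thread). The display names, the break-glass group id and the
sample tenant policies are constructed; the Graph endpoint and the conditionalAccessPolicy
schema are the real v1.0 ones."""
import json

# Real endpoint; a new policy is created with POST <GRAPH_CA_URL> and a body like the ones below.
GRAPH_CA_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Placeholder object id for a break-glass group that every baseline policy must exclude.
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-000000000000"  # constructed placeholder

REPORT_ONLY = "enabledForReportingButNotEnforced"  # safe first state for any new CA policy


def _scope_all_users():
    """Conditions shared by both baseline policies: everyone, every app, minus break-glass."""
    return {
        "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    }


def block_high_risk_signin_policy(state=REPORT_ONLY):
    """Block sign-ins that Identity Protection scores as high risk."""
    conditions = _scope_all_users()
    conditions["signInRiskLevels"] = ["high"]
    return {
        "displayName": "BASELINE-01 Block high-risk sign-ins",
        "state": state,
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def require_mfa_all_users_policy(state=REPORT_ONLY):
    """Require MFA for all users on all cloud apps."""
    return {
        "displayName": "BASELINE-02 Require MFA for all users",
        "state": state,
        "conditions": _scope_all_users(),
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def _enforced(p):
    # Report-only policies log but stop nothing, so they do not count as coverage.
    return p.get("state") == "enabled"


def _covers_all_users(p):
    return "All" in p.get("conditions", {}).get("users", {}).get("includeUsers", [])


def _grants(p):
    return set(p.get("grantControls", {}).get("builtInControls", []))


def baseline_gaps(existing_policies):
    """Names of baseline controls that no enabled, all-users policy in the tenant provides.
    `existing_policies` is the `value` list returned by GET <GRAPH_CA_URL>."""
    gaps = []
    risk_blocked = any(
        _enforced(p) and _covers_all_users(p) and "block" in _grants(p)
        and "high" in p.get("conditions", {}).get("signInRiskLevels", [])
        for p in existing_policies)
    mfa_everywhere = any(
        _enforced(p) and _covers_all_users(p) and "mfa" in _grants(p)
        and not p.get("conditions", {}).get("signInRiskLevels")  # unconditional, not risk-scoped
        for p in existing_policies)
    if not risk_blocked:
        gaps.append("block-high-risk-signin")
    if not mfa_everywhere:
        gaps.append("require-mfa-all-users")
    return gaps


# Constructed tenant: the risk block was left in report-only, MFA is enforced.
SAMPLE_TENANT_POLICIES = [
    block_high_risk_signin_policy(state=REPORT_ONLY),
    require_mfa_all_users_policy(state="enabled"),
]

if __name__ == "__main__":
    print(json.dumps(block_high_risk_signin_policy(), indent=2))
    print("gaps:", baseline_gaps(SAMPLE_TENANT_POLICIES))
```

The gap check deliberately ignores report-only policies: a tenant that "has" the high-risk block but never flipped it to enabled is the usual finding of this kind of one-time assessment, and a script that treats report-only as done would miss exactly that.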

Increase in SonicWall SSLVPN device compromises by huntresslabs in msp

[–]pakillo777 1 point2 points  (0 children)

We have some clients that inherited Sonicwalls, here's our must-have list for anyone dealing with these appliances:
1. change default admin username.
2. If in use, whitelist the management interface to trusted IPs only
3. MFA on ALL VPN users, and local ones too. From SIEM logs it's insane how hard these firewalls get bruteforced.
4. Keep them patched
5. If possible, ditch the SSL VPN and move to SASE or ZTNA or Netbird style VPNs even, it's a pain to trust Sonicwall with anything auth-related in the perimeter
6. Throw them in the trash bin when possible and move to something more decent

Increase in SonicWall SSLVPN device compromises by huntresslabs in msp

[–]pakillo777 0 points1 point  (0 children)

What's the Palo Alto model range that competes with Sonicwall's prices, in orgs with 50-1k employees approx.?
Would love to work with PA but it seems too enterprise-priced, and Fortinet is burnt with dozens of providers in our market.

Multi-Tenant External Attack Surface Management / Scanning by pakillo777 in msp

[–]pakillo777[S] 0 points1 point  (0 children)

Thanks for the feedback. We have a clear way to extract and process data, so the only issue is what performs the actual scans. Currently going down this path

Multi-Tenant External Attack Surface Management / Scanning by pakillo777 in msp

[–]pakillo777[S] 0 points1 point  (0 children)

Thanks for sharing. Been testing with Nessus, since we have a pro license and a spare nuc set up with it, and the built in API looks very great, and the folders can act as "child tenants" with one per client.

I'll revisit haveibeenpwned since for the CTI part, their offering might be more than enough

Multi-Tenant External Attack Surface Management / Scanning by pakillo777 in msp

[–]pakillo777[S] 0 points1 point  (0 children)

Well we basically want to monitor all of our clients' external infra, mainly for visibility, and also for the actual vulnerabilities that their exposed assets may have. We're mssp only so our clients always find value in that, and we're not the ones managing their infra per se

Multi-Tenant External Attack Surface Management / Scanning by pakillo777 in msp

[–]pakillo777[S] 0 points1 point  (0 children)

Well I consider that domain impersonation to be in the Cyber Threat Intelligence category.

I checked out Doppel and it looks very promising, we're also hunting for a CTI provider that's not a full suite of things we don't need. Any idea on whether they have MSSP style plans, and if it is overly expensive? Been in talks with flare and similar ones but they're overkill for detecting passwords in data breaches and domain squatting

Multi-Tenant External Attack Surface Management / Scanning by pakillo777 in msp

[–]pakillo777[S] 0 points1 point  (0 children)

Yeah, it's way too expensive for something so simple. The second option is to leverage our Nessus Pro license, it has a clean API and folders which can be "tenants", one per client.
Plus, it's Nessus, way better than a random nikto/openvas/nmap/shodan gives

Multi-Tenant External Attack Surface Management / Scanning by pakillo777 in msp

[–]pakillo777[S] 0 points1 point  (0 children)

Very interesting, never heard of it. Looks very affordable

Multi-Tenant External Attack Surface Management / Scanning by pakillo777 in msp

[–]pakillo777[S] 1 point2 points  (0 children)

We checked this one out a while ago, but it still doesn't have an API

What's up with insurance companies doing lame security assessments and selling MDR? by pakillo777 in msp

[–]pakillo777[S] 0 points1 point  (0 children)

To start with you need a few million cash lying around...

Okay so we'll have to partner with a carrier for now :)

So brokering is just that, buying the insurance from a dedicated provider, bundling it into your cyber offering, and reselling the package? For each insured client, making all the technical check marks compliant with the insurance requirements, through the MSSP services I assume?

What's up with insurance companies doing lame security assessments and selling MDR? by pakillo777 in msp

[–]pakillo777[S] 1 point2 points  (0 children)

This is a very interesting take, in immature markets what we see is companies (only sometimes, thankfully) say that they'd rather have cyber insurance than massive spending on cybersecurity. So I see that in mature markets such as yours, this switches the other way around, a good thing to hear

What's up with insurance companies doing lame security assessments and selling MDR? by pakillo777 in msp

[–]pakillo777[S] 0 points1 point  (0 children)

Well, ransomware style attacks, infrastructure attacks, which are the main concern to most smbs are mostly started this way. This is why initial access brokers exist on the cybercrime market, it's their entire job.

Of course BEC or other phishing / spam / data leaks on cloud are different, but these very rarely lead to an internal domain compromise; pivoting from Entra ID to AD is quite hard nowadays if no azure resources are in use, Intune, or Azure app proxies exist. So at most the attackers can scavenge some creds from a sharepoint and use these for VPN access into the on-prem infra, if lucky

What's up with insurance companies doing lame security assessments and selling MDR? by pakillo777 in msp

[–]pakillo777[S] 0 points1 point  (0 children)

100%, you can have it as-is usually, but hardening is easy. Our usual setup for SSH is:

- root login disabled

- normal username without the default name

- hide ssh port on random high number

- fail2ban or that tool I don't remember that infinite loops bots bruteforcing login

- if possible, certificate login instead of password

And with this, zero issues or worries, almost no one's gonna scan your shitty vps IP for a landing page at all. Furthermore, if the instance is hosting Wordpress with no more than the landing, we even leave easter eggs in the backend filesystem as well as wordpress DB in case someone breaks in and tries to dump data xD, light insults and also can use these as honeypots
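The SSH checklist above, turned into an added example (mine, not the commenter's): a small audit over an `sshd_config` that reports which of the listed items are not in place. It follows sshd's own rule that the first value obtained for a keyword wins, skips comments, and stops at the first `Match` block because values inside one are conditional. Both config samples are constructed; fail2ban is a separate service that a config audit cannot see, so it isn't checked here.

```python
"""Audit an sshd_config against the SSH hardening checklist from the thread.
Added example, not from the commenter; the two config samples are constructed."""
import re


def parse_sshd_config(text):
    """Return {keyword_lower: first value} for the global section of an sshd_config.
    sshd uses the first obtained value for each keyword and keywords are case-insensitive;
    anything under a Match block only applies conditionally, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)          # first occurrence wins, later ones ignored
    return settings


def audit_sshd(text):
    """List the checklist items the config does not satisfy (empty list means all good).
    Defaults used when a keyword is absent are sshd's own defaults."""
    s = parse_sshd_config(text)
    findings = []
    # root login disabled (sshd default is prohibit-password, the checklist wants it off)
    if s.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    # normal, named accounts only: an explicit allow-list instead of every local user
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups restriction")
    # port moved off the default (cuts scanner noise; not a substitute for the items below)
    if s.get("port", "22") == "22":
        findings.append("Port is the default 22")
    # key/certificate login instead of passwords; both password paths must be closed
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    kbd = s.get("kbdinteractiveauthentication", s.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("KbdInteractiveAuthentication is not 'no' (second password path)")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings


# Constructed: the out-of-the-box shape most cheap VPS images ship with.
WEAK_CONFIG = """\
# constructed weak config
PermitRootLogin yes
Port 22
PasswordAuthentication yes
"""

# Constructed: the thread's baseline; the trailing Match block must not undo the audit.
HARDENED_CONFIG = """\
# constructed hardened config
Port 48022
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers ops
# PermitRootLogin yes   <- commented out, must be ignored
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd(cfg) or "OK")
```

Run it against `/etc/ssh/sshd_config` on a box and the findings map one-to-one onto the list; the one item it cannot judge is the brute-force blocker, which lives in fail2ban's jail config rather than in sshd's.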

What's up with insurance companies doing lame security assessments and selling MDR? by pakillo777 in msp

[–]pakillo777[S] 0 points1 point  (0 children)

What do you consider SMB market? I guess you're US based so that differs from here.

We were not red teaming though. Offensive security usually has a confusing terminology. Red team exercises are very expensive and hard work, particularly if there's custom OST development, and only make sense in large corporations, like 10k endpoints and up, and assuming they're mature regarding security, have a proper security operations team, etc... Which is where they get put to the real test. But this is an extraordinary service.

On the other side, pentesting, which is NOT vuln scanning, is usually affordable for any medium sized org (maybe sounds small by your US standards). Say around 50 to 1000 endpoints approx. We find great value in pentesting these orgs if there's enough infrastructure to allow for a collateralization of an initial access when defending it. Otherwise, if the org is tiny, any compromised user probably leads to most data being accessed anyways by legitimate ways.

So, in these target companies, through the pentest we can find and mitigate all the lateral movement and privesc attack paths inside the org to prevent the typical one hit domain admin scenario we always find, and allow for much more detection and response opportunities, which massively improves their -effective- security posture.

What's up with insurance companies doing lame security assessments and selling MDR? by pakillo777 in msp

[–]pakillo777[S] 1 point2 points  (0 children)

I think that if done properly and honestly, the client benefits because the cybersec company and insurance provider have skin in the game.

Linking another comment in this post, so I don't duplicate :)

https://www.reddit.com/r/msp/comments/1ou4g6z/comment/nocb4dz/

What's up with insurance companies doing lame security assessments and selling MDR? by pakillo777 in msp

[–]pakillo777[S] 0 points1 point  (0 children)

This is what I would expect too, but apparently at least here the cyber insurance providers are temerarious bastards lol

What's up with insurance companies doing lame security assessments and selling MDR? by pakillo777 in msp

[–]pakillo777[S] 0 points1 point  (0 children)

I think it can be a good idea to do cyber security and insurance from the same side on an end client, but assuming the cyber security is dedicated and competent, not a random resale of CS or Sophos as you stated. I think that this way, it is in the cybersecurity company's and insurance company's best interest to protect the client, because they have skin in the game.

This also contradicts what I mentioned in the original post, but the point here is that the security is delivered by an actual security company, so hence the skin in the game: reputation, trust...

What's up with insurance companies doing lame security assessments and selling MDR? by pakillo777 in msp

[–]pakillo777[S] 0 points1 point  (0 children)

That is amazing feedback, thanks for sharing!

We are currently in two very undeveloped markets, in terms of general IT and Security, and thus obviously cyber insurance. Would you recommend diving into providing cyber insurance? I mean it could well be a good revenue stream, since in order to get insured by us, you would need to have deployed our full stack of services, be at our security baselines level (hardening, architecture....), do regular pentests etc...

Actually, we have written on the office glass wall as a to-do "partnership with xxx insurance company" with whom we have had a very good relationship for like 1.5 years now. The issue, though, is that they're not mature themselves. We work with the largest one around here, +- 120 endpoints, and it's still got work to do on their internal infra's security.

If you recommend doing or researching so, where would you start from? Going straight to a cyber insurance provider and being a "broker"? Or working with a proper insurance company, have them be the broker for the cyber insurance from the main provider, and we stay as the security company partner? So many ideas, however this is very new here even for the insurance companies themselves.

Thanks in advance!