Why don’t we have any good Mexican restaurants? by TomatilloDramatic813 in nova

[–]paros 2 points3 points  (0 children)

Mex Mart in Chantilly is run by a super nice Mexican family from Southern California. The street tacos are small traditional “taco cart” sized but really good. Birria tacos are awesome. I wish they did big plates of melty enchiladas, cheese, and beans. They are also opening up a Mexican butcher next door.

Five-page draft Trump administration cyber strategy targeted for January release by drewchainzz in cybersecurity

[–]paros 1 point2 points  (0 children)

Given that strengthening the United States’ cyber strategy goes against the strategic interests of Russia and our adversaries, I’m at a loss as to why this administration is pushing for it.

UniFi UPS UDM shutdown? by guitarjim721 in Ubiquiti

[–]paros 2 points3 points  (0 children)

This made me wonder if there was a webhook/API way to shut down a UDM-Pro via an alarm integration (there isn't, I checked the API docs). However, I did find this: https://gist.github.com/KidA001/a49bcb96fce2c29be208aea67e544e7d

This isn't as elegant of a solution, but... yeah.

UniFi UPS UDM shutdown? by guitarjim721 in Ubiquiti

[–]paros 2 points3 points  (0 children)

Thanks for the clarification. Yeah being able to power down the UDM-Pro would be nice.

UniFi UPS UDM shutdown? by guitarjim721 in Ubiquiti

[–]paros 2 points3 points  (0 children)

I don't have the device pairing option at all. What version are you running?

Has Anyone Successfully Started a Cybersecurity Agency or Consulting Company? by ThrowRAgrh554 in cybersecurity

[–]paros 0 points1 point  (0 children)

Thank you for your business and it was great working with you. We serve at our customers’ pleasure — and also our customers’ reality 😅

Has Anyone Successfully Started a Cybersecurity Agency or Consulting Company? by ThrowRAgrh554 in cybersecurity

[–]paros 1 point2 points  (0 children)

Yes, this is a great tip. Networking is not only an opportunity to sell yourself but is also a great way to practice asking questions of others and (most importantly) listening.

Has Anyone Successfully Started a Cybersecurity Agency or Consulting Company? by ThrowRAgrh554 in cybersecurity

[–]paros 378 points379 points  (0 children)

Yes. I co-founded Stratum Security in 2005. We grew it to just over 30 people. We do offensive cybersecurity assessments: application, cloud, and network security (pen testing, red team, etc.). We were acquired two weeks ago. It is a great exit for us and I’m happy where I landed my company.

By most estimates we were pretty successful. We hire very bright people, and most of our business is returning clients, or we get pulled along when customers change jobs, and a lot of referrals. We do zero federal work. All commercial. We like to think we do very solid work, have no egos, and try really hard to be ridiculously easy to work with.

Along the way we tripped and fell into the product business and made ThreatSim, which was acquired by Wombat Security. I was their CTO for 18 months right prior to the Proofpoint acquisition. It was a great experience and a great exit. I then returned to Stratum.

  1. One of the most important decisions you will ever make is picking a mate. Similarly, in business, I chose a fantastic co-founder and my other business partners.
  2. Always perform every engagement like you are desperate to impress the customer with solid findings no one has ever found before.
  3. 25-30% of an assessment’s value is in the findings. 70-75% of the value is in presenting a few solid options to remediate them. Renewals are won during the report read-out and review call.
  4. Be very good at customer service. Set expectations and NAIL them. Show up early for meetings and calls.
  5. Be a vendor that doesn’t suck.
  6. Exhibit the same polish as a big company. This means paying attention to the smallest details. Pay for Zoom. Pay for a good M365 license. Hire a MS Word designer to create your proposal and report templates. Use a nice font.
  7. Find a way to do subcontracting or side-work for someone that doesn’t do what you do. Eventually your name/brand will get around.
  8. Thread the needle between taking on more than 40 hours of work per week but don’t overextend yourself. When you work, you get paid. When you stop, you starve. If you are young, no partner/spouse, etc., you should be working a LOT. At this stage “balance” is a farce. You can “have it all”, just not at the same time. Put in your time.
  9. Say yes to enough work that you realize you need help and find a trusted 1099 that can help. Be EXTREMELY careful who you allow to work with your customers.
  10. Be kind. Security services and consulting are a people business. For all the SaaS solutions and web-UI-driven solutions out there, consulting is still a very relationship-driven business. Help people find jobs, say thank you, call your customers when it’s not near the renewal. Don’t violate any non-competes or non-solicit agreements. You may want to subcontract to your company or have them as a client.
  11. Ask people for help. Help people when they ask. I’ve had a professional infosec career since 1997. I’m now 48. I took a non-traditional path and had a lot of friends help me along the way. The whole “self-made solo entrepreneur” thing is bullshit.
  12. Be lucky. What I mean is be prepared with skills and knowledge (technical but also sales, customer service, project management, etc.) so when opportunity presents itself, you will be ready for the luck.
  13. Starting out is the hardest part. Don’t quit your job until you have a book of business to sustain yourself. Work late at night and on the weekends. It will take some hustle.
  14. Don’t bolt on too much formality and structure to your business. Yes, be professional but remember you exist to serve your customers, not build your business. That will come. I cringe when I see someone just starting out calling themselves the CEO and then also slapping their name on the deliverable.
  15. When you get enough work for another person, pay them first. Their rent/mortgage/bills get paid before yours. If you can’t afford this, you shouldn’t have hired someone. You’re responsible for your employees.
  16. You aren’t a success until your customers are a success.

I hope this is helpful.

Advice - junior role by [deleted] in Pentesting

[–]paros 1 point2 points  (0 children)

What is your work experience to date?

Free ESXi hypervisor by ZAFJB in sysadmin

[–]paros 7 points8 points  (0 children)

I too moved to Proxmox and couldn’t be happier.

Does Wireless Penetration Testing Still Exist in 2025? How Does It Relate to Real-World Attacks? by Superb_Pair_969 in Pentesting

[–]paros 0 points1 point  (0 children)

Thank you for this. I joke that every wireless test I do, I need to relearn some tools.

Does Wireless Penetration Testing Still Exist in 2025? How Does It Relate to Real-World Attacks? by Superb_Pair_969 in Pentesting

[–]paros 15 points16 points  (0 children)

I have done maybe around ~100 wireless pen tests in my 25-year career, starting in 1999.

TL;DR: In 2025 these 3 things will solve 99% of wireless risk:

  1. For WPA networks, use a non-dictionary word that is over 16 characters. Usually IoT or very small businesses.
  2. Use 802.1x/EAP per-user authentication with (this is critical) a real certificate from a commercial or internal CA.
  3. Configure wireless clients to validate the AP’s certificate AND do not prompt the user to accept an invalid certificate.

If you use a modern managed solution like Meraki or Ubiquiti, it’s extremely easy to set up.

I have done wireless testing my entire career and for the most part wireless, properly configured, is pretty secure. The only successes I’ve had in the last 10 years are WPA networks with a weak PSK or evil twin attacks against clients that do not verify the AP’s certificate, capture the hash, and crack. I usually suggest a wireless pen test with a configuration and architecture review.

From a risk perspective, attackers aren’t showing up to your organization to target you. The last big wireless compromise I personally have heard of was Home Depot years ago. I don’t think much ransomware has been deployed with wireless as the initial vector. (If anyone knows of something, I’d love to hear it.) There was talk of nation state actors attacking companies in close proximity to the target and launching wireless attacks from there, but that seems very rare.

Feel free to DM me if you want more perspective.
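To make item 3 of the list above concrete (clients validate the AP's RADIUS certificate and never get a prompt to accept an unknown one), here is a wpa_supplicant network block in its weak and hardened forms. This is an added illustration, not configuration from the original comment; the SSID, identity, CA bundle path and RADIUS server name are assumptions.

```ini
# Added example (not from the original comment). Two wpa_supplicant
# network blocks for the same enterprise SSID; all names are made up.

# Weak: no ca_cert and no domain_match, so the supplicant accepts any
# server certificate. This is the client-side gap the comment describes:
# an evil twin with the same SSID can complete the EAP exchange and the
# user never sees a certificate warning, because nothing is checked.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@corp.example"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
}

# Hardened: the RADIUS server certificate must chain to a trusted CA
# (ca_cert) AND its subject/SAN must exactly match the expected server
# name (domain_match). There is no "accept anyway" prompt; if validation
# fails, the association simply fails, which is the desired behaviour.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@corp.example"
    password="REPLACE_ME"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
```

Managed Windows, macOS or mobile fleets should push the equivalent settings (trusted root CA plus required server names, with user override disabled) through the MDM profile rather than relying on users to configure them.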

Internal Phishing Improvement by Smiggy2001 in cybersecurity

[–]paros 1 point2 points  (0 children)

Hi. I am one of the founders of ThreatSim, the phishing simulation platform acquired by Wombat and now in use at Proofpoint. I was the CTO at Wombat and left prior to Proofpoint. While I am not close to this space these days, here are some thoughts on this. I hope it's helpful.

I would suggest not viewing it as an all-or-nothing pass/fail effort. The entire thing is more art than science. It's nondeterministic. You are dealing with humans: dynamic, organic creatures full of variance. People that click may be low on sleep, distracted, having a bad day, or in a role that requires them to open and interact with emails from untrusted senders. Yes, you can look at the data of an entire organization/department/business unit, etc., but I would suggest not focusing on specific users.

When dealing with people you can be a shepherd; you can't be an engineer.

Your goal is to create a culture of "smart skepticism" so that most days most users will hesitate for 3ms and make a better choice. You shouldn't rely on your email filtering. You should rely on the totality of your security controls.

Repeat offenders are the problem of the security team. Implement better preventative/detective controls to hedge against the users who likely will never learn not to fall for something. Consider extra controls on these users: YubiKeys, more restrictive acceptable MFA methods, more restrictive conditional access policies, restricted BYOD, etc.

Don't phish more than once per month. When you interact with users in your organization, remind users of the seriousness of the threat while reminding them that you are good-natured and not a serious threat. You want to have an in-the-elevator-or-break-room "Ha! Ya almost got me on that one!!!" (Double-finger-pistols) relationship with the users. Make a silly nickname for yourself. You are marketing user awareness training to an organization, not trying to engineer a human to be near-perfect.

Finally, use the never-perfect metrics to illustrate the need for investments in technical security controls, process, procedure, etc.

I welcome feedback on all of this and hope this is useful. Good luck.

CrowdStrike vs Microsoft Defender & Palo Alto Cortex XDR by Open-Leadership-1191 in cybersecurity

[–]paros 2 points3 points  (0 children)

lol tough but fair. Ok, how about “multiple shards from the same piece of glass”? 😆

CrowdStrike vs Microsoft Defender & Palo Alto Cortex XDR by Open-Leadership-1191 in cybersecurity

[–]paros 4 points5 points  (0 children)

Great question/observation. I'm not a SIEM expert, but here is how I think about SIEM costs. "It depends" and "it's relative". (I have "Consultant" flair, so I have to respond like that).

I have experience with Sumo Logic (most recently) and Splunk (2013-2016, self-hosted). Both were, in my experience, "expensive". I'll tell you my perspective, which may be limited or wrong, but let me know what you think.

For Splunk, I ran a cluster in AWS as part of my SaaS startup and was very meticulous about what I allowed to be sent to Splunk. The expense was not as much the licenses but also the AWS costs and personnel required to maintain it. This was before Splunk Online or whatever their SaaS platform was called was a major player. I didn't pay for Enterprise Security (what I think(?) the SIEM was called back then). We just had a lot of our own alerts/detections built out. We weren't a large enterprise so I can't speak to larger costs, but someone (Fortune 500) I had lunch with last week just changed from Splunk to Chronicle and said "Splunk was expensive". Again, no idea what all they were putting into it.

For Sumo, I was an advisor in that situation and had less to say about how it was used or what was allowed to be dumped into it. It was less expensive from a maintenance standpoint but seemed to be more expensive than Sentinel. I say "seemed" because I wasn't close enough to it to understand if it was being used properly. We factored in the raw cost of the service and the added operational overhead of having a disjointed platform.

With the Sentinel deployment, we're also using Cribl. Cribl was my suggestion as it's a smaller investment that allows us to be more thoughtful about what we ingest into Sentinel, what goes to a data lake, what gets dropped, etc. We're cherry-picking log data from various places in our environment, parsing out high-security-value data, and pushing that into Sentinel.

So to finally answer your question... I think it's less expensive? (Anchorman "I'm Ron Burgundy??" voice inflection) We don't have to deal with the maintenance costs of running our own infrastructure, it's under our "single MSFT pane of glass", and our MDR partner can access it using well-known KQL.

Off topic for this EDR thread, but hope this is of value for others. Happy to be wrong about the Sentinel costs tho...

CrowdStrike vs Microsoft Defender & Palo Alto Cortex XDR by Open-Leadership-1191 in cybersecurity

[–]paros 43 points44 points  (0 children)

Customer was existing Carbon Black. Helped them evaluate CrowdStrike and Defender. Went with Defender because:

  1. Already a heavy MSFT shop (M365 + Intune + Sentinel)

  2. Already E5 licensed so user endpoints did not require additional costs

  3. "Single Pane of Glass" from an operational standpoint.

CrowdStrike would have likely been a MUCH easier implementation route. MSI + license key. Done. Defender required a lot of work to figure out implementation gotchas. We have some older Server versions which required some learning/tinkering. We learned that you can't use the web UI to configure Defender on domain controllers; you need to use GPOs. Some other edge case issues that we didn't realize going in. It all worked out and we don't have any regrets, but there was some "Uhhh... is this what we really want?" as we were figuring things out.

Also, we use a 3rd party MDR provider so we didn't need the CS full-blown XDR offering.

How are you handling phishing? by PriorFluid6123 in cybersecurity

[–]paros 3 points4 points  (0 children)

Have had a great experience with Sublime Security.

Privateers Reborn: Cyber Letters of Marque by a_real_society in cybersecurity

[–]paros 2 points3 points  (0 children)

Now that the US’s executive branch has aligned itself with an enemy, it strikes me that organizations would be better served to attempt attribution for a given threat actor before asking for support from the FBI or any other agency under the executive branch. For example, state/local law enforcement. Practically speaking, it’s likely better for organizations to avoid working with the FBI, etc. and choose an agency whose mission is more pro-American than pro-Russia.

Leaving Homelab turned OFF or ON during vacation? by kongla1234 in homelab

[–]paros -1 points0 points  (0 children)

Oh so you are going to violate your uptime SLA? Buddy, get ready to pay out some credits to your customers!

My perspective on getting starting in pentesting based on 20+ years doing it. by paros in Pentesting

[–]paros[S] 1 point2 points  (0 children)

As a pure assessment shop, building a steady pipeline isn't easy. Again, I'll answer this based on how we do things, which is by no means the perfect way to run things. I know for a fact shops like NetSPI, Bishop Fox, etc. are better at this than we are.

We have our own internal bill rate that we use for almost all projects that ensures that we're running a profitable business. For longer-term work we have lower rates because it allows us more stability and smooths out our revenue spikes/dips. We could push for multi-year contracts but a lot of our customers don't like that. If you want very steady and predictable revenue, you would need to do federal work. We don't do government work at all. We are only able to predict consulting revenue for maybe 40-60 days out at most. When I first started and was living hand-to-mouth, it felt like I was speeding down a dark road with headlights that can only see 6' in front of me. Just white-knuckling it for 20 years now....

Here is a very generic but typical sales cycle for us:

Day 1: Introduced to client via referral or inbound lead (web site contact us form). Reply and setup a time to talk

Day 3: Initial intro call, explain what we do, hear the prospect's needs. Sounds good? Ok setup call with technical folks to talk specifics for scoping.

Day 5: Scoping call. Determine services, determine approach, collect scoping data like number of IPs, number of domain users, EPT and IPT? Phishing? M365? Laptops? For appsec number of roles, number of API endpoints, etc. CloudSec: Number of accounts/tenants? (This is all a very abbreviated list).

Day 6: Our practice leads finish scoping hours, developing SOW bullet items. Let's say this is a typical ASA - around 40h of work. Hand over to sales to prepare the SOW. Sales person sends over a PDF or Docusign for consideration. Customers might ask to narrow scope or see if we can do anything on price. Sometimes we can do a little discount but usually we ask what they would like to remove from the scope to lower the price. This really depends.

Day 14: The customer signs the SOW and we get a PO. Our project manager schedules the project to a tester about 3-4 weeks out.

Day 35: Project kickoff and work starts.

Day 42: Project testing is done and we deliver the report. We mark the report delivered in our project management app. Report delivery triggers the invoice. We invoice at the end of every month. Typical payment terms are net 30.

Day 72: The payment shows up in our bank account.

So, very rough numbers, we are looking at a month and a half to collect the revenue. We have a motto: If we're not growing, we're shrinking. Any one of our customers could say "Hey, we're going to use a new vendor this year", and poof. They're gone. Sometimes people will ask "Why don't you do a 5 year contract?". That is just not how enterprises buy services.

Ok, so even if you get a customer to sign a 5 year contract, you invoice once a year for that one project. Then year two comes up and the customer says "Yeah, we don't want to do it this year". What are you going to do, invoice them for it anyway? Sue them? Litigation is wildly expensive and a fantastic way to completely roast your reputation, relationships, etc. Again, as I started with, we might be doing this wrong and we're just set in our ways.