Redefining CyberSecurity

The Art of Attack—Enhancing Defense Strategies: Unleashing the Power of Autonomous Pen Testing | A Brand Story Conversation from Black Hat USA 2023 | An Horizon3.ai Story with Snehal Antani

Episode Summary

In this Brand Story podcast episode, as part of our Black Hat USA conference coverage, host Sean Martin is joined by Snehal Antani, co-founder of Horizon3.ai, to discuss proactive security, autonomous pen testing, and the art of attack informing defense strategies.

Episode Notes

In this Their Story podcast episode, as part of our Black Hat USA conference coverage, host Sean Martin connects with Snehal Antani to discuss proactive security and autonomous pentesting. Snehal shares his expertise on the importance of blue teams proactively verifying their security posture and fixing exploitable vulnerabilities on their own terms and timeline. He emphasizes the need for a bias for action and highlights the value of offense informing defense.

The conversation digs into how Horizon3.ai's technology helps blue teams automate specific workflows, such as account resets and incident response processes. Snehal explains how the platform can be used to tune security controls and improve overall effectiveness. He discusses the impact of Horizon3.ai on the cybersecurity skills and expertise of its users, allowing them to focus on more challenging and creative aspects of ethical hacking.

Snehal also explores the role of storytelling in cybersecurity, particularly when communicating with executive teams and the board. They discuss the importance of framing cybersecurity issues in the language of business continuity and uptime, making the impact tangible and relatable to board members.

The discussion provides practical insights and strategies for improving security posture and effectively communicating its importance to executive stakeholders. Snehal emphasizes the need for organizations to be proactive and take immediate action to remediate vulnerabilities. Also highlighted is the value of understanding the art of attack in order to become better defenders.

Overall, this episode offers a thought-provoking conversation on proactive security, autonomous pen testing, and the evolving role of security practitioners. It provides practical insights and strategies for improving security posture and effectively communicating its importance to executive stakeholders.

Note: This story contains promotional content. Learn more: https://www.itspmagazine.com/their-infosec-story

Guest: Snehal Antani, Co-Founder & CEO at Horizon3.ai [@Horizon3ai]

On LinkedIn | https://www.linkedin.com/in/snehalantani/

On Twitter | https://twitter.com/snehalantani

Resources

Learn more about Horizon3.ai and their offering: https://itspm.ag/horizon3ai-bh23

For more Black Hat USA 2023 coverage: https://itspmagazine.com/black-hat-usa-2023-cybersecurity-event-coverage-in-las-vegas

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

BHUSA _ with Snehal Antani at Horizon3.ai
 

Sean Martin: And hello everybody, this is Sean Martin. I think, uh, many of you know that if you've been following for a while. Uh, Redefining CyberSecurity here on ITSP Magazine, uh, part of our Black Hat USA 23 coverage, our chats on the road, and, and uh, sometimes Mark was with me, sometimes not. I get to have this nice in-depth conversation and looking at new technologies and the way to solve the tough challenges in cyber that we all face on a daily basis.
 

And I'm able to do that today with Snehal Antani. How are you Snehal?  
 

Snehal Antani: Great to meet you, Sean. I'm looking forward to this discussion.  
 

Sean Martin: Yes, likewise. And, um, I think, I don't know, I did, did some exploring at RSA and, and I don't know that I got some of the cool stuff that I'm hearing this, this time around from Black Hat.
 

So things, things seem to be surfacing. That doesn't mean they just. 
 

I'm excited to dig into what you're doing with Autonomous Pen Testing and how that fits in with what you do and how it's unique and helps companies. Before we do that though, I think you have a history of your own that, uh, I think loosely we've crossed paths. We know a lot of mutual folks. Um, tell me a little bit about who Snehal is and your journey to, uh, to Horizon3.ai.
 

Snehal Antani: Sure. Um, so kind of my background, I'm a software engineer by education and trade. And, uh, started my career at IBM as a developer for middleware systems and WebSphere. And then, uh, uh, spent about 10 years there and then became a CIO at GE Capital. And then, uh, spent time, uh, leveraging tech to, to create revenue, uh, overseeing cybersecurity and a whole bunch of other aspects of, um, just typical CIO role at a, at a bank.

Uh, and from there, uh, in 2015, I left Capital and moved to the Bay Area, uh, became the CTO at Splunk and worked closely with the, uh, with a pretty awesome exec team and helped, uh, scale and grow that company over about three years. And, uh, at the end of 17, I took a break from industry and, my wife jokes, I had a midlife crisis, uh, took a break from industry and, uh, chose to serve within the special operations community.

So I left Splunk as CTO and joined Joint Special Operations Command, or JSOC, as its first ever CTO. Uh, so came in as a highly qualified expert, um, and worked alongside just some incredible people. Uh, that, uh, I learned and grew as a leader, uh, and more personally and professionally in that role than anything else I'd ever done.
 

Uh, and I, you know, you come from that community, so you can, uh, certainly relate, I'm, I'm sure. Uh, and then that time I met my co founder, Tony, uh, he was my deputy CTO at JSOC and when he retired from the Air Force and I left the command, uh, cause my highly qualified expert, uh, tour was over, uh, we started Horizon 3 and we've been at it about three and a half years. 
 

We have 110 employees. A third are former JSOC, SOCOM, NSA, CIA types. And two thirds are nerds and skinny jeans that know how to build, ship, and sell software. So it's been a hell of a social experiment bringing together two completely different worlds and completely different backgrounds. Um, but, you know, we can talk about the attributes or characteristics of people from the special operations community, but...
 

Uh, it's actually the perfect foundation to start a high growth hyperscale company.  
 

Sean Martin: Well, I want to, I do want to spend a moment here because I think those two things merging, super cool, but your, your background coming from, from, uh, uh, financial services industry where things are very, I'll say rigid and buttoned up and batten down and whatever terms you want to use there.
 

Um, how does, how does running a startup leverage some of that mindset? Um, and perhaps, perhaps how you looked at things, you were a CIO, right? Over, had responsibility for security. Well, it sounded like, so I have, it's a lot of questions here. How, how the CIO role connected to cybersecurity at a big FinTech FinServ company. 
 

Uh, and then obviously your special ops and, and then figure out how to get a team to build stuff quickly as well.  
 

Snehal Antani: Right. So, so there's, um, there's a few aspects to that. So let me, let me kind of go back, not to make this a career talk, but it's, it's relevant and important. So when I started my career at IBM, I was a software engineer. 
 

I did my undergraduate degree in computer science. And my focus early in my career was, uh, building technical credibility. I wanted to become an expert in my areas of distributed systems as demonstrated through patents and papers and all the stuff that, that helps to, um, to, to build out your technical credibility and expertise, uh, most importantly, it was building a reputation amongst IBM's customers of being an expert in a couple of different areas, and they're the ones to judge whether I'm an expert or not. 
 

Not, it's not for me to declare. But they, they would pull me into some pretty hairy situations that, and they would expect me to figure out how to troubleshoot a, an outage or anything to that effect. Uh, when I think about my time at GE Capital, you know, when I first walked into a meeting at GE Capital, people thought I was there to fix the projector. 
 

They had, they had no, no, for them, tech was a back office function. And, uh, my boss at the time, Seagal and, and the, and the, the CIO and kind of technology executive team, we were all kind of commissioned to figure out how to leverage tech to create a competitive advantage and earning a seat at the table. 
 

And so you learn a lot about, uh, less about the, the, the dolphin speak and kind of widgetry of, of a new shiny piece of technology. And more about how to apply it and how to describe it in a language of the business. Super important. And then my time at Splunk was all about articulating or empathizing with the pain of Splunk's customers. 
 

Because I had been a CIO now. Uh, and then really rounding out the variety of use cases and kind of technology challenges or new ways to apply tech. And that was kind of culminating in my time at JSOC where... You know, you're talking about everything from drone swarms to self driving boats to sharks with laser beams, and is the epitome of leveraging tech to create an advantage. 
 

And, uh, that was really kind of the skill and the ability to tell stories about the role technology is going to play to a person that is pressed for time, doesn't have an engineering background, but it has to make incredibly important decisions. So I think those were the skills that were important for anybody in any position, but especially as a startup founder, because as I'm working with the engineering team to make a product decision.
 

I can look at that decision through the eyes of a buyer when I was a CIO at Capital, or as a developer of tech from my time at IBM, or as a, as a user of emerging capabilities at JSOC and elsewhere. So the ability to have, having held those different roles, you can empathize from that role's perspective because you've been there. 
 

It actually allowed us to have an incredibly awesome user experience because a lot of people in the company are former practitioners. So we built a product we wanted to use, or we wish we had. Uh, and then that empathy helps to cultivate radical champions because we're very authentic at what we're doing.
 

Cause we spent most of our time as practitioners of the technology versus kind of ivory tower builders. Does that make sense?  
 

Sean Martin: It absolutely does. And I'm glad we went there and I'm, I'm, I'm grateful you shared those, those parts of the story. And I'm, I want to pick out a little bit the, cause you kind of just said, we, we started Horizon 3 because, because we were all together and we experienced a problem.
 

What, what was the problem that you were experiencing and why did you, I'm, I'm sure it wasn't the only one that you experienced. So why this one? And, uh, and what made you think that, uh, you could, you could tackle this problem differently than others?  
 

Snehal Antani: Yeah. The, there's a couple of parts that the first one was. 
 

This is the problem I had experienced for over a decade. So I suffer this experience at GE Capital. I'd observed this experience prior to that, which is we have no idea we're secure until the bad guys show up. And by then it's too late. How do I make sure I'm fixing vulnerabilities that matter or that my security tools are actually tuned and working correctly? 
 

Or that my team knows how to respond to a breach. I can't sit around and wait for the bad guys to show up to find out. I want to proactively verify my security posture. The only way to really do that was to pay for consultants to show up once a year or a couple of times a year to run a pen test. And if I had 100,000 hosts, like at GE Capital we were a large environment, if I've got hundreds of thousands of hosts, well I can't afford to have that pen test or test everything.
 

I've got to dramatically reduce the scope so they can only test one narrow slice of my environment. So I end up with this incomplete snapshot because they'll show up once a year or twice a year. My environment has changed dramatically in between and I'm sitting here accruing a significant amount of exploitation debt, I guess is the way to describe it, and I have no way to, uh, to identify my exploitable attack surface, methodically reduce that attack surface, and then prove to my boss, my leadership, the board, and auditors that we're doing a good job.

And that was really the challenge. So the solution was, can we invent technology that allows an IT admin, a network engineer, or anyone else that has zero offensive experience and background to in a few clicks run an infrastructure pen test at scale with no knowledge of the environment, no scripting, no agents to deploy?

And that was really our design goal at the beginning of Horizon 3. And a lot of that was influenced by our ability to be very close and observe how offensive cyber operations executed at the government level.
 

Because you know, you, you, once you're in the thick of it from an offensive standpoint, uh, you get to learn a whole lot about those tactics, techniques, and procedures. And if you have the right software engineering lens and the right platform background, there are ways to bring those worlds together into what we've invented. 
 

Which is AI powered pen testing, uh, and the ability to execute infrastructure pen testing at scale. Like in many ways, we've built a cyber weapon where an IT admin is hacking themselves. Multiple times a day or multiple times a week, uh, to verify that they're not exploitable.  
 

Sean Martin: And, uh, I don't know if that was a good time. 
 

I think I saw a couple of things on your site. Patched is not remediated. Vulnerable is not exploitable. Um, how, how important is that aspect of it? Cause I mean, I'm, I'm picturing the slice of scope at GE that you cut out for a team and, and they came back with all these findings and, and ranked listed them and you maybe got through 10% of them.

And who knows where they, I don't know, 15, 20 years ago, are they smart enough to, to identify which ones and call out which ones were exploitable versus not? And how, how, how much impact it would have if it was? Talk to me a little bit about that, because that's an important piece, I would think to, to really hone in on when you're looking at the response end of this part.
 

Snehal Antani: Absolutely. So there's a few parts, uh, one think of traditional vulnerability management and vulnerability scanning. We, I was one of Qualys's largest customers globally at one point. I was one of Nest Tenable's largest customers globally at one point, you know, having been in that practitioner seat, I've had the ability to use a lot of different vendor products and technologies, and they're all good in different ways. 
 

But regardless of the tool, the vulnerability reports would come back with 100,000 findings. Maybe 5 or 10 were actually exploitable and relevant. The others either weren't actually exploitable because we had some other mitigating control in place. Or the scenario to exploit it required, you know, physical access to the data center, standing on one foot, holding a pizza in one hand and, you know, a keyboard, some super obtuse conditions.
 

And so my team would end up having to chase down all a hundred thousand of those issues because yeah, we could go focus on the criticals, but the other risk is that there are, you can combine lower risk vulnerabilities and in aggregate becomes a higher risk issue. So it burned a lot of calories by my teams sifting through the noise to find the issues that truly matter. 
 

And so that's why pen testing is so important because with pen testing, you're not only finding the actual attack chain or kill chain or attack path, where a misconfiguration from one machine plus a credential harvested from another plus a vulnerability in a third, an exploitable CVE in a third, can be combined together to become a domain administrator.
 

So pentesting is looking at how to combine issues across different machines. Number one. Number two, the proof of exploitation. Here is the command I executed on this box. Here is the output to show there was a misconfigured JMX server that gave us host compromise. And then how to fix it. Like, don't just tell me there's a problem. 
 

Tell me how to fix it and why I should fix it right now. So path, proof, impact, and remediation became the four elements that mattered. So in, in our product, in the way we designed the product, everything is centered around path, proof, impact, and what to do. Because that was the hardest part of my job as a CIO, was deciding what not to fix. 
 

And you want to be able to surface that quickly. So you're expending your limited resources on the problems that truly matter.  
 

Sean Martin: So how, how does this fit into a current security program? Does it replace traditional pen tests? Do teams need to rethink how they take this function on, use the data it comes up with? 
 

Um, how does it connect to other systems? Maybe kind of paint the picture of where this fits in? And who has the fingers on the keyboard to actually do something with it?  
 

Snehal Antani: So the primary users of our product are blue teams. Actually, um, blue teams, because once again, there's just not a lot of red teaming capacity out there. 
 

So that local hospital, that mid market bank, that insurance company, even the large shops as well, um, that use us, it's the blue teams primarily. And they're using us for, for two sets of reasons. The first one is to proactively fix these exploitable problems because they'd rather fix it on their terms and their timeline and be proactive than get burned Christmas week where they got to come in because there was an incident.

Now, every Christmas, there's a major, a major incident, a major breach or, or new zero day that comes out and everyone's got to burn their vacations. So blue teams want to proactively verify their security posture. And I joke, you know, they want to go home early on their time.
 

The second aspect though, is being able to wire very specific blue team workflows in. So if we were able to compromise a bunch of credentials because they had passwords we could easily crack or credentials that were reused across different systems. There's a bias for action there, which is how do we take those 15 or 20 credentials that were compromised and quickly drive and automatically drive an account reset for them?

So what you want to do is not just find problems, but create this bias for action to fix them. Another one, if we get a host compromise or a domain compromise, that should trigger at least some sort of lightweight digital forensics and incident response process.

Because if we could compromise a host, someone else may have already done it. You better check to make sure that wasn't the case. Or if you are a Splunk admin or a CrowdStrike admin, there are so many knobs and levers to tune those products. Are you logging the right data? Is OS credential dumping turned on correctly within CrowdStrike and so on?
 

That you end up using us as a sparring partner to tune the security controls and improve your overall effectiveness. So the thesis here is offense informs defense. Offense, offense verifies your defensive posture and then offense tunes your defensive tools appropriately. So blue teams primarily use us, uh, for those that have the luxury of their own internal pen testing teams. 
 

They'll, those teams will use us as a force multiplier. We're, we're doing infrastructure, pen testing at scale so that the humans can be the scalpels that work on the really hard stuff that puts them on stage at DEF CON every year.  
 

Sean Martin: Nice one. Nice one. And I love those three, those three buckets that you, uh, that you called out. 
 

Cause I think, correct me if I'm wrong, I, if I understood correctly from, uh, Eric Parizo from Omdia talking about proactive security, it's, it's just what you described. We're taking knowledge from what is exploitable, signs of exploitation, and using that to build better defense. One, so you don't have something bad that happened before happen again.
 

And two, perhaps get ahead of proactive in terms of your protections.  
 

Snehal Antani: In fact, if you build on that, you know, 10 years ago, most organizations started their journey towards defense in depth. And you didn't really know. I mean, you'd go look at like the Gartner Magic Quadrants and buy a whole bunch of tools, but if you really want to be effective at defense in depth, you, you have all your tools in place. 
 

You run us as a pen test and you'll see what did we achieve and what, what was blocked. Okay, cool. Now I understand what we achieved. Now, what, why did we achieve that? Were we exploiting a misconfiguration at the seams of these tools? Are there blind spots that you have? Another thing people do is run us with CrowdStrike turned on and see what, what, what we could do. 
 

Run us with CrowdStrike turned off and see what we can do. And now you can prove the effectiveness of that single control. And you can see, well, what did CrowdStrike miss? Okay, what is the next layer of defense to catch what CrowdStrike missed? And think of that, you know, water filter purification where each layer in that filter is taking out more and more of the sediment. 
 

So that's super important. And then as people evolve towards zero trust. You can burn all sorts of money on a zero trust project. But what you want to do is run us as a pen test at the beginning of that project and see the network reachability of your environment. And as you deploy Zero Trust, you should see our network reachability reduce over time. 
 

And you're now proving the effectiveness and the blast radius reduction, uh, of an attacker from an authentic attacker's perspective.  
 

Sean Martin: And I, I think I saw, I don't know if it was a webinar. We're not, uh, something around, uh, attack simulation. Um, how, how important is it to understand this? Um, obviously you're, you're helping to automate a lot of this activity, but I presume you also present information that, that allows threat intelligence teams and red teams and blue teams understand the, the attack flow kind of you described a little bit already. Yeah. But what are your thoughts on simulation and, and emulation?
 

Snehal Antani: Yeah, it's, I actually, um, I, I, I was, uh, I commented the marketing team, you know, that's a word that we should never reuse and we don't simulate, we attack. Like we were, we don't emulate, we don't simulate, we attack, uh, and we successfully exploit.
 

And we do so in a way that is safe for production. Um, but this idea of offense informs defense. What I've found, even from a career development standpoint is that IT admin or network engineer with, with, with the responsibility of fixing security problems, but no real knowledge of offense, they've become better security practitioners. 
 

Because they now understand the art of attack. Like I've personally, in three years of running Horizon 3, I've grown significantly in my security expertise because I'm looking at and understanding the art of attack every single day. And from there, I'm becoming a better defender as a result. So I think there's just a natural upskilling that's occurring amongst our users. 
 

Because they're, they're understanding that attacker's perspective. And I think separately back to, if you already have that attacker's perspective as an ethical hacker, you're bogged down spending most of your days doing stuff that isn't pushing you to your limits. So by using us to free up your time, you as an ethical hacker can get back to the really fun research and the things that are pushing your limits and making you better and allowing you to share those best practices. 
 

And, uh, at a much broader scale as well. Uh, and so I think the biggest surprise for me over the last few years is looking at the effect our technology has had on the cybersecurity skill and expertise of our users.  
 

Sean Martin: That's a, it's an important piece. Of course, the, uh, never hire enough people.  
 

Snehal Antani: Yeah. People, but even career development, you know, like, you know, mastering the art of, of writing, of getting responder, uh, to run and, you know, pipe credentials. 
 

That, that's, that's not where the real innovation is going to be as an ethical hacker. Like that's all stuff that algorithms are far better at solving. You need to spend your time doing things humans are uniquely gifted at, like finding zero days in application code. That's super hard to automate or use autonomous or algorithmic techniques for. 
 

There's a lot of human creativity to identify logic flaws that are necessary. So humans really need to be gravitating towards that part of the exploitation problem and recognizing that machines are far superior at building very large scale knowledge graphs that represent the cyber terrain and that can algorithmically, algorithmically compromise an environment.

Yeah. I actually think that many of the security educational institutes, whether it's SANS or ins or so on, I think that they're gonna have to make a hard pivot pretty quickly and rejigger their entire curriculum towards the aspects of security testing uniquely human. Yeah. The rest, the rest of it is going to be uniquely machine.
 

Sean Martin: Yeah. Good. A good separation between the two. I want to, I want to go back to one of the things you said earlier in the, in the conversation around, and your role as a CIO and communicating with your peers and perhaps, uh, the board, uh, in some instances, you talk about proving your security posture. How do you help CISO and their peers and the other roles tell the story that you are improving the posture, you're working smarter, not harder, right? I'm not, I'm not being, I'm not just being busy patching for the sake of patching. I'm actually reducing exposure and mitigating risk. How do you help with some of those stories that need to be told?
 

Snehal Antani: So the first very important aspect of executive storytelling is you've got to put yourself in the shoes of the listener, of the audience. 
 

An independent board member at a publicly traded company may have zero cybersecurity knowledge and background. And for the most part, honestly, they probably don't care. That's not what they came from. They came from growth or product or very specific vertical expertise or an audit background or finance background, something to that effect. 
 

So you've got to recognize that they're coming from a position where they, they usually don't care and they're not incentivized to care. And that's just the reality. Now, because, uh, you know, the, the new SEC reporting, um, still puts a lot of the liability on the CISO. So you have this, this issue that's, that's starting to emerge where the board isn't incentivized to care.

The CISO is even more incentivized to care because they're the ones that are going to get, excuse me, fined or go to jail and you've got to narrow that gap. So there's a couple of aspects and I'm going to start with a story here. Uh, so the, allegedly the Japanese armed the Ukrainians a few months ago, the Russians got upset and ransomware through criminal proxies a small manufacturing company in Tokyo.

That manufacturing company in Tokyo supplied all of the cupholders for Toyota Motor Company and Toyota Motor Company had to shut down 28 production lines and it cost nearly 400 million dollars in economic impact over cupholders. Now the real flex was that the Russians knew exactly where to apply the least amount of effort to cause the maximal amount of economic harm.
 

All below the threshold for war. Like we're not going to go to war over cupholders. It's just the reality. Now the issue there is, that isn't a cyber issue anymore. That's a business continuity problem for Toyota. And what they have to now understand is, anyone that employed just in time logistics and lean manufacturing has almost zero cyber resilience.

Because all an attacker has to do is go after the weakest member of their supply chain that has the critical node in their manufacturing process. So I think the way you get the board to care about cybersecurity is talking about it in the context of how your uptime can be compromised, uptime of your systems, uptime of your manufacturing line, and how that degradation of uptime directly relates to an impact on cashflow.

That's number one. You have to talk about the impact of an, of an issue in the language of cashflow and business continuity. Once you do that, you're going to get the attention of the board. And now, yes, it was triggered through a cyber attack, either your employee was compromised, your supplier was, supplier was compromised or so on, but you're speaking about it in the language of business continuity and compromising uptime or compromising data that directly leads to a fine or compromising access that leads to some downstream effect on data and uptime.

At the end of the day, though, uptime tends to be the sharpest way to talk about, to get the board's attention. Does that make sense?
 

Sean Martin: Yeah, absolutely. It does. Absolutely. It does. And. Yeah, cause I'm actually writing a series of blogs on the topic of the responsibility and liability, uh, for the CISO role and looking at it from different angles and the tech stack is, is one. 
 

Um, relying too heavily on it, you kind of leave yourself bare. Um, perhaps there's a way to leverage it to, uh, to give you some protection.  
 

Snehal Antani: Yeah. The, the other key thing, and this was, uh, during my time in special operations, my commanding general said regularly, don't tell me we're secure in PowerPoint. Show me we're secure and then show me again tomorrow and then show me again next week because our environment is constantly changing and the enemy always has a vote because they're, they're always evolving.

And we have to, we have to get out of this mindset of trusting that my tools are working for me and verifying my security effectiveness early and often because every time I update an application, patch a server, or onboard new employees, my exploitable attack surface has changed. So for every patch Tuesday, there must be a pen test Wednesday to verify your exploitable attack surface.

And that's a wartime cyber mindset that is very different than the peacetime mindset of running a vulnerability scan, running an annual test and so on. And what I think we need to do is see a change in language from being secure, which is a point in time state, to being defensible, rapidly adapting to the adversary's tactics in the moment to prevent your crown jewels from being compromised.

Stop talking about being compliant, which is a checkbox mindset, to being resilient, which is about business continuity. Once we started hearing organizations talk about being defensible and resilient, we know they're on the right path.
 

Sean Martin: And I think, uh, transparency comes with that kind of, to your point, show me today, show me tomorrow, show the next day. 
 

I've, uh, I've had some conversations with CISOs that said they actually want to not do PowerPoint. They actually want to show a dashboard and be able to dig in in real time. And of course you want to be prepared and show you have resilience in that case. But, uh, an interesting concept, interesting concept.
 

So, um, great conversation, Snehal, and, uh, I'm excited to meet you and learn, learn all about Horizon 3. Uh, you and the team are going to be in Las Vegas for Black Hat.  
 

Snehal Antani: Yeah, we'll be in Black Hat next week. We've got a booth. I think it's a 3144, you know, it's, um, no matter how big or successful we become as a company, we will always have a 10 by 10 booth on the perimeter of every trade show because that's where real innovation always exists. Uh, and in fact, uh, I would imagine most of the booths in the middle of the trade show that have the really big surface area and cool robots and rap battles and whatever else, all the other gimmicks, Formula One car.

Yeah, I think those are the, many of those are the zombies that, um, that may not be around much longer. So if you're at Black Hat, focus on the perimeter of the trade show. That's where the real innovation is. And that's where you're going to find us.
 

Sean Martin: That's where Snehal will be with the team. And, uh, I encourage everybody to take a look at autonomous pen testing. 
 

Uh, it's going to change the world for, uh, for patching, that's for sure. Hopefully we spend less time messing around with stuff that, that doesn't matter. So Snehal, thanks, uh, thanks for joining me here on the show. For everybody listening, we'll include links to, uh, to, uh, Snehal's profile and, uh, Horizon 3 website and, uh, a link to, link to find them at Black Hat as well.

And of course, as part of all of our coverage of Black Hat, almost at RSA, Black Hat 2023. Uh, so stay tuned, everybody. There's lots more coming. And, uh, hope you enjoy this conversation. Thanks again, Snehal.
 

Snehal Antani: All right. Thank you. Appreciate it.