82: Unmasked with Nelson Santos

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.

Chris: Nelson Santos is a security professional with years of experience in both attack and defensive teams. He holds multiple top tier security certifications and is trained under some of the best known researchers in the field. His interests range from exploit development and vulnerability research to machine learning and AI. In his free time, Nelson enjoys sailing, playing with his toddler son, and long walks on the beach.

Chris: Nelson, thanks for stopping by BarCode, man.

Nelson: Chris, thank you so much for having me.

Chris: Absolutely, man. So let’s talk about automated security validation. And for those that aren’t familiar with the term, can you walk us through the meaning of automated security validation and then also help us understand how it differs from traditional methods of security testing?

Nelson: Yeah, that’s a great question, and it’s something that we’ve been fighting to get the term out there for people to understand a little bit more. Gartner actually just came out this year with a category for these type of products. But the idea is, as attackers get more sophisticated, they automate their own attacks, know their own techniques, the idea is to automate the validation of your security controls.

Nelson: So nowadays there are so many letters out there. I mean, we’re talking about this. I’m here at RSA. You see the number of companies out there selling defensive software, detection software and all that. But how do you make sure that these things are all working together? There are tools out there that allow you to do some manual tests, right, and probe like tests and allow you to do that. But with automated security validation, the idea is to have the software, the service make the decisions on how to find vulnerabilities, how to then leverage those vulnerabilities to see how far an attacker would be able to go. And does doing this in an automated way, right, so you don’t have to manually intervene or to think about scenarios. The tool will do that for you in terms of advantages.

Nelson: You get more coverage, you get more speed, and you get a lot more consistency as well.

Chris: I know you’re at RSA this week, so I’m just curious, what are you seeing in terms of the vendor landscape there and even outside of RSA as well? I mean, is this something that you have seen become more prevalent as of late?

Nelson: Yeah, that’s definitely something that we’ve been seeing a lot more. Right, soar platforms, right. The security orchestration automation platforms, I guess they kind of started the trend when you’re dealing with creating playbooks and things like that to automate the whole process. But then it’s more usual that the sort tools are usually used for instant response. What we’re seeing now is a trend to have these same automation tests and I’m definitely seeing more companies.

Nelson: There are always booths and we hear more from doing our calls with clients, competitors that are doing something similar. A lot of mix into it because the bridge and tax simulation tools were somewhat automated, but you still have to create playbooks and things like that. But we’ve also seen them moving more into that space of being a little more comprehensive and having more pre built models and things like that to perform these tasks.

Chris: How would you say the concept of automated security validation has evolved over the years, especially with the COVID pandemic? And what are some of the major challenges that organizations have run into when either evaluating a specific method or implementing a solution that attempts to solve it?

Nelson: Yeah, I think the main problem has been that there are so many defensive solutions out there, right. You and need to integrate them and make sure that they work together. But you mentioned something that’s really interesting was with COVID there was this acceleration of people working from home. Nothing new here. I’m sure you talked about this before on the podcast and how this opened up people to other avenues of attack.

Nelson: I mean, a lot of times we used to think about this defense in depth concept, right, where you have the different layers and you make sure that each of those layers is really strong. But with COVID it just accelerated a trend that we already had before. It of extending that and removing those boundaries. So we had the evolution of things like zero trust models and things like that. But those are hard to implement and sometimes there are flaws.

Nelson: Again, they’re extremely expensive to implement properly. So that’s when we started to see an uptake as well on the need for automated security validation because it’s just too much to cover back. I talk to people about this all the time. Back in the days, if you wanted to put a new service that was available on Internet, you meant buying a server, having someone install the operating system, install the software, configure everything, make it available, things like that.

Nelson: Now you can expose a brand new service in a few minutes right. With Azure Cloud Services and things like that. So it’s so much easier to extend that attack landscape sorry, your surface landscape. So you need tools that are automated that would allow you to be able to test them and to make sure that these things are protected.

Chris: Has resourcing become a challenge for organizations or budgeting for resources? As you’re in these conversations with organizations, what have you found to be challenging that prevents organizations from implementing a solution?

Nelson: Yeah, so one thing that we saw the best few years was the team best ten years, I would say security teams have grown a lot, right? Before you just had security teams so much to defend. Then you start having to concept red teams, blue teams, purple teams. But with that, the security resources started getting more expensive and harder to get by. Plus there are limitations to these groups. Even a good red team exercise is going to take months to set up and to configure and to properly run through with Pentesting. Same thing, right?

Nelson: There’s so many Pentesting companies out there, but hardly anyone’s going to have the budget and the resources to run them every month, for example, or whatever. Even usually it’s going to be a couple of times a year right, that you’re going to be running these things. So that allowed us to kind of make a dent into that market. Now, to be clear, and to make it very clear, we’re not claiming that we can replace a good red team or a good Pentester. A good Pentester should be able, a mediocre Pentester should be able to go and do things that are beyond what an automated tool can do. It’s just like that. A Tesla is not going to drive better than a race car pilot. Right. But it will get you from A to B. And that’s the idea with Pentera is to take care of the here.

Nelson: I don’t know if you want to remove that, but that’s the idea with automated security validation is to allow the client to get through and do the basic and medium complexity attacks and tests without having to have someone manually come in and perform these things for them. But in terms of challenge, in terms of implementing the tool initially, it was just not knowing exactly what the automated security validation tools were doing right in the beginning. When I joined the company that I’m on right now, the question that I had the most often was, okay, so how are you different from a vulnerability scanner, right, from a qualifier inside VM or one of those tools?

Nelson: And that showed that a lot of people did not even have the understanding of what exactly it meant to do. The full security validation, those tools are for finding vulnerabilities. They’re great. They’re great at what to do and they’re still necessary, of course, but the whole concept behind the automated security validation is to put context around those vulnerabilities, right, by seeing how far you can actually go with them.

Nelson: So in terms of difficulty that we had was an issue was that people just not knowing why do I need this tool? Right? I have been living with my other tools for quite a while now, so talking to people and explaining to them why tools for automated validation were necessary was the greatest challenge that we had before. Nowadays one of the challenges we have is a lot of companies are moving to the cloud and the company I’m part of, we started with doing internal tests and things like that. So the cloud was kind of a secondary thing for us, but we’re moving to have more and more cloud specific attacks and things like that as well because that’s where the market is going.

Nelson: So that’s one of the challenges that we saw at the same time, because they are moving to the cloud, very few companies though, are going to be able to be 100% cloud. You still have the connection between the two, right? That’s still going to be a vulnerable point there on this environment.

Chris: So what would you say are some best practices for integrating automated security validation into the DevOps workflow and how can organizations ensure that security is not sacrificed for speed?

Nelson: Yeah, so that’s a very interesting question and I think the idea with automated security validation is, again, to it’s not going to be as comprehensive as manual tests. You’re still going to have to do those things, but they’re a lot easier to integrate with the DevOps workflow, as you mentioned. So now as I implement, as I add a new service to my network, I can automatically kick in a new assessment to see how that affects the whole of the environment. Because that’s the interesting thing about how DevOps and how a lot of these tests have been done in the past was you see the impact of an application or something that’s deployed on that server or on that application itself, right? You do the tests over there. But a tool like the traditional automated security validation tool, what allows you to do is see how that impacts the whole environment. Because now if a vulnerability is found on one machine, for example, it can then be leveraged to jump to another machine where another vulnerability might be found that can then be used to escalate privilege and perhaps move to another two other machines and things like that.

Nelson: So I think that the main impact that tools, that automated security evaluation tools are going to have in DevOps is again, to really give them a context around the problems that they find by the SQL injection on a certain application that DevOps just deployed. It’s certainly interesting to know it’s something that they definitely want to fix, but it gives a lot more context when you can actually show. All right. From that SQL injection, we were able to execute schema on the box that allowed us to extract information for the machine and then use that information to move laterally and things like that. So I think that’s really where these automated secure valuation tools will come in, is to allow you to just have more coverage and not look at these applications and these services in isolation, but really look at the whole picture.

Chris: You mentioned the importance of not removing the Pentester, and I want to expand on that just for a moment. Can you further detail your perspective on balancing the need for automated security validation with the importance of the human factor, human expertise within identifying and addressing security vulnerabilities?

Nelson: Yeah, I think that’s a central point to what we’re doing is to make it clear to people that it’s not a replacement for the human. And the reason is automated tools in general, right, computers in general, they’re great at finding patterns. They’re finding things that are not easy for humans to find because there’s maybe too much cover or things like that. So doing the boring stuff. But humans are so much better at doing creative things, right, than any machine is.

Nelson: So the combination of the two, I think it’s really what creates the benefit of having this automated security validation tools. What I mean by that is I’ll just give an example, right, when I worked at the Pentester, every time I would go into a client and it was actually almost like, say 90% of the time, client would ask me, oh, are you going to try those many years ago? But still, are you going to try this zero day that I just heard about that came out last week or something like that?

Nelson: And I would say, yeah, let’s talk about it again in a couple of days. Sure enough, you go in and you go through the initial motions just running a vulnerability scanner and then finding to see if the looking to see stuff vulnerabilities available on an exploitation framework. Sure enough, you’re going to find a vulnerability from five years ago, right, on a machine that was forgotten somewhere, or even a new vulnerability, but something that’s very well-known and things like that. So that’s where the automation comes in. It’s really helpful. It allows you would allow you to test thousands of machines in a very small amount of time for these vulnerabilities. It actually goes back a little bit to your point. You’re asking about not sacrificing security for speed.

Nelson: And that’s important because what automated tools allow you to do is have more coverage, target a lot more machines than you would during a Pen test. But you still want that human to actually and you want the automated tool to take care of the boring stuff so the human can take care of the more creative things. You want them to spend more time right, finding the vulnerabilities that are interesting and they’re hard to exploit and they require just more creativity.

Nelson: And the automated tools can take care of, again, the boring stuff. I just stepping back a little bit, but I worked on kind of the blue side of things at a big investment firm a while back. And what we did, we use soar tools to automate the incident response process. And what that allows us to do was not that we wouldn’t look at the incidents anymore, what that allows us to do is just that we can pay more attention to the interesting things about the incident. Right? So the basic detection, making sure, looking for hashes, see if they’re known or not, that kind of stuff was all automated and now we could take care of actually investigating the malware, see if it was something a little more targeted, what kind of information might have been extracted and things like that. And I think that’s true for any automation, including security automation, screen validation, automation, love it.

Chris: And what would you say is the ideal organization for a tool like this? When you look at SMB to large enterprise or is it really cut for any organization?

Nelson: That’s a really good question. And if you talk to our marketing people and I’m sure they’re going to complain to me about it later on, they will say yes every vertical. And it’s true, we do have clients on every vertical out there, right? Enterprises and enterprises, different enterprise for banking, for manufacturing, things like that. But the truth is, historically mid-sized enterprises I think are the ones that benefit, who get the most benefit right out of the box.

Nelson: Because these are enterprises that they have perhaps a lot of resources, a big footprint, it footprint. But they might not have a security team, a dedicated security team. Or if they do, they don’t have time, they don’t have a dedicated red team or they can’t do pen tests every month or something like that. So that’s where these tools, I think they benefit these companies out of the box because they put it in it’s already value added.

Nelson: For enterprises, it does require a little more work, right? Usually they’re going to have an environment that’s more distributed, a little more complex. So it does require more work to deploy the tool. And one thing that particularly with the tool that we deal for the company that I work on, for the internal test, the tool is self-contained, it’s not assessed servers. And we did that on purpose. When the tool has been designed.

Nelson: The idea being that you hold on to your own data and things like that. We didn’t want to be responsible for cracked passwords and things like that on the environment. So specifically for our youth, for our use case, it does, the deployment on enterprises gets a little more complex, but everyone can take value out of it because again, for enterprises, it can still cover a lot more ground than you will be able to do manually.

Chris: Okay, so what are some of the most important aspects for organizations to consider when they’re vetting and selecting a tool and how would they measure the effectiveness without the solution vendor understanding the environment variables? What questions should organizations be asking?

Nelson: Yeah, that’s a really interesting question. And I think the, the main point here is they have to have a security program. Now getting an automated security validation tool in there before they have a, you know, security program in place. They have good defensive tools and things like that. It will show a lot of results. Right. There’s going to be a lot of reds and it’s not really going to give you a lot of value because it’s just going to show, yeah, things here are very vulnerable and you probably knew that because it didn’t have a security program. So you certainly need to have that in place. So the interesting thing about these tools and a few years back when you saw marketing material for these types of companies, they were talking about automated Pen testing and things like that. But that has moved to automated security validation. And the reason is you’re validating that security program is appropriate, right?

Nelson: Not that your, it not that patching is running as expected because that’s something that your vulnerability scanner can tell you is if the security program itself is good. So an example would be, yes, you put a tool in there and it might be able to compromise, go all the way to compromising a domain controller or something like that. But if you didn’t have alerts that were supposed to be in place to detect these things, if you didn’t have an EDR that was supposed to block it, there’s no surprise there.

Nelson: It’s going to be easy to do it. So the same thing as running a Pen test on a company that doesn’t have any security controls. So you run it the first time. My suggestion would be run a Pen test the first time and then once you have something in place, then you get an automated tool to test these things. So it’s not about size. That’s something that’s interesting. I got a lot of questions. My environment is not big enough to have this. I don’t think that’s true.

Nelson: Sorry. I’m sure it’s true sometimes, but it’s more important than size is just the maturity of the program. And it seems sometimes we get companies that have very secure, very mature security programs and what they see is the automated tool is great at validating that really they are secure. And not just because it doesn’t show anything, because they can actually detect. They’re sophisticated enough that they can see all of the attacks that are being tried and they can say, yes, I know I’m supposed to be detecting this thing. I know, I’m supposed to be blocking these types of attacks and things like that, just circling back. I think that the important thing for a company to have. If you’re looking at Automating, your process is to have a process in place in the first place.

Nelson: I think that’s something that’s very important. And I would even argue before getting the automated security validation, do some internal or again, just an external competition, do a Pen test or something like that. So do it manually a few times to understand what it should look like and then automate.

Chris: Yeah, that’s great advice. Get a baseline first and then you can determine afterwards how it augmented the process.

Nelson: Right, exactly. It’s not supposed to be a comparison. I mean, we talked about this a while back. It’s not that these tools are going to do more than the Pentester will, but still, it should at the very least do some of the stuff that the Pentester did. It should be able to find some of it.

Chris: Yes, makes sense. So let’s transition into the product. You’re representing Pentera. Tell me a little bit about the history of Pentera.

Nelson: Sure. So Pentera is a pioneer in this space. There are other companies that did some automation and said bridge and tax simulation has been here for a while. Usually philosophy was always to have an agent or something like that, installs more of a probe. Right. And they’re amazing at that, but they’re more probe tools. But Pentera itself started, it’s an Israeli company, and it started when a coroner with the IDF, he was in charge of unit that did exactly this. It tested their government and did pin tests for internal systems.

Nelson: When he left the IDF, he started Pentera, and that was five, six years ago. And he started Pentera and just basically got a lot of people that used to work for him at the IDF to work at Pentera. And it’s still like that. Most of our researchers and all come from the same unit that he used to be part of. And that’s where it all started. They started Automating and in the beginning it was kind of an overlay, over open source tools and things like that. It did the automation part, but it did rely on a lot of open source tools and things like that. But as the platform evolved, it became our own thing. It’s now we develop our own exploits. Because one thing that we noticed from the beginning is that safety, of course, was very important to clients. Right. When you’re running an automated anything, if you’re an automated car, right, you don’t want it to crash anywhere.

Nelson: If you’re in an automated security validation to something that’s exploiting vulnerabilities, you want to be sure that these exploits are safe to run. And that’s something that has been embedded into Pentera since the beginning. We’d rather not exploit something. There are a lot of vulnerabilities out there that can be exploited, a lot of techniques that can be exploited safely. So we would rather not cover something if there’s any danger of Blue screening a machine or impacting environment. Now, obviously we’re talking about it, so there’s always a possibility of something breaking, but we take a lot of care, a lot of QA into making sure of that. But anyway, just going back to the history, so from that initial product came into our Core, which is our main product. It does the internal test. So the idea here is akin to an internal pen test.

Nelson: You put a machine on the environment with our software and that machine is then going to start doing the attacks from that point of orange. And last year we came out with a new product because there was just a lot of customers asking for something that could do the same thing before the outside in. And we came out with Pentera surface. And Surface is a different philosophy, is a SaaS offering and the idea is to do the same, right? Well, of course the attacks are different, sorry, some overlap, but the attacks and the approach is different from Core. But the idea is the same is to not only find vulnerabilities, but exploit them and see how far you can go by leveraging those vulnerabilities security issues.

Chris: So you talked to the feature set, but would you mind expanding on the differentiators and talk to the factors that have contributed to Pentera’s success thus far?

Nelson: Yeah, so again, when I dropped Enter in 2020, the main thing that we needed to differentiate from was vulnerability scanners. So I’ll start there. The difference is the vulnerability scanner stop at telling you the vulnerabilities. Pentera and automated security validation tools in general, they pick up from there. So the idea is to see how that vulnerability actually affects the environment and give you the problem there.

Nelson: And then last year, the year before 2021, 2022, we got a lot of okay, so how are you different from breach and attack simulation tools? Our main differentiator and again, for other tools on the same bracket that we are, is that we don’t use agents. Right. The idea is not for you to probe something. It’s not for you to get a deep understanding of where your EDR is failing on these specific attacks. The idea with Pentera and automated validation in general is to do coverage.

Nelson: So you would start to simulate internally at Pentera for the marketing people, we don’t even say simulate, we always say emulate. Because the idea is to really perform the attacks and use the same techniques that the attackers are using. And we do that both for the penetration testing side of things and also for the ransom regulation and all the other modules that Pinterest has.

Chris: So Nelson, you’ve been in this industry for some time and you really understand this space specifically. So I’m curious, how do you see automated security validation evolving in the future? And how do you see Pentera evolving as well in securing our digital infrastructure and networks?

Nelson: Yeah, I think one thing is obviously cloud, right? A lot of tools out there are looking at cloud, but usually there are two separate things. A lot of these tools are looking at the cloud environments. They have full access to the environment, so they leverage whatever APIs are available to look up vulnerabilities and things like that and misconfigurations and those things. Automated field validation is usually it doesn’t have those claws into the system. Again, similar to the richness accumulation tools. We don’t have agents, we don’t have direct access to these cloud APIs and things like that.

Nelson: But in the future, what I’m seeing is these platforms dealing better with these hybrid environments, right? So being able to leverage all right, I exploited a machine on the internal environment, and I found an API key on this machine. Now, can I use or whatever, let’s say an AWS key on this machine? Can I use it to now access resources that are on AWS, on Azure or whatever it is, the cloud provider and kind of jump from an attack that’s internal to an external one.

Nelson: The other trend that I see is just basically forgetting about this external internal thing, integrating the whole thing, and making sure that you can emulate an attack that’s, let’s say starting from the outside and then continuing all the way into the environment. Another thing that I think is really interesting and we’re already implementing this is kind of integrating more with threat intelligence, right? So, for example, Pentera has a leak credentials feature that allows you to, once you onboard a domain to the Pentera external, we partner with intelligence companies and we just buy anything that’s available, any credentials available for those domains that are in scope. These credentials are then used for attacks because, again, anyone out there can there’s a lot of companies that do this that show you the liquid credentials. But what Ventura is doing is, yeah, I don’t care about the liquid credentials itself. I want to use them to perform an attack, and you can also use them to perform the internal attack as well. So integrating more into threat intelligence and these other tools, even with phishing platforms and things like that, to not only show that the client clicked on an email and it opened and he clicked on a link that he shouldn’t have clicked, but actually continued the attack from there. Not only did they click on it, but that actually allowed mental to get into the machine, run a certain code there that considered the attack for the environment. So I think that’s what I imagine I’m going to be seeing more in the future.

Nelson: Better integration with tools like Seims, EDRs and all these things. To be a little more descriptive on how a technique was successful in these things, I think that’s. Something that’s really important, too.

Chris: So you’re at RSA. I got to hear about this booth set up. Yeah, you guys killed it last year at Black Hat. And for those that weren’t there, Pentera had this boxing ring set up on the Expo floor and had real life boxers sparring in the ring. So, yeah, you guys definitely killed it. What do you have this year at RSA? And can we expect it again at Black Hat?

Nelson: Yeah, so I love the move that we had last year as well for Black Hat. It was a lot of fun. This year we’re doing something a little different. We’re doing rap battles. So the idea is we actually have someone from both of them, actually professional rap pedal artists, I guess, and they are each representing one side. So some of the battles they have is about hacker versus attacker versus defender, automated versus manual.

Nelson: And they make the verses and they’re doing these rap battles on stage. We have a DJ, so the whole booth looks like a little club that looks like a club, and he has the DJ. There’s always the music playing, and then from time to time, we have these rap battles. I like the setup a lot. I think it looks really interesting this year as well. You’re going to see the same thing if you go to Black Hat. We’re actually taking the same booth there. It’s going to be a bigger booth than it was last year, but I think it looks really cool and it’s an interesting, very interesting concept, I think at least I like it.

Chris: Yeah, it’s definitely interesting, man. And being that this is Pentera, my money’s on the automated battle rapper.

Nelson: Yeah. So one of our better rappers was a finalist. And again, I’m sorry, but I completely forgot the name of the program, but it was a program on Netflix about rap battles, and one of them was a finalist on that program. And obviously he’s the one representing the automation, he’s the one representing the defender and all that. He’s the better one.

Chris: Cool, man. And you mentioned Pentera is Israeli based, right?

Nelson: Yes, it is.

Chris: Have you ever been there?

Nelson: Yeah. So, they go from time to time. I’ve actually missed the first trip that we did, but I was there for a sales kickoff. It was great because the company is in Tel Aviv. We did a lot of events, Tel Aviv a lot and some other places. It was really interesting. That was my first time in Israel.

Chris: Nice. Did you get to explore the area at all?

Nelson: Unfortunately, what they did was, I guess what they do a lot of times with these things. They packed us. There was a lot of interesting stuff to do, but they packed us. We didn’t have a lot of time to do exploring or things like that, but in a good way. We just had a lot of activities, not just internal activity, but for fun stuff as well. But it was really interesting. I definitely want to go back and explore a little bit more.

Nelson: It was really cool.

Chris: So did you come across any cool bars while you were out there?

Nelson: So yeah, it was kind of a tiki bar. It was right on the beach. The hotel we were staying was right on the beach and it was gorgeous, which again, I’ve seen before and it was some movie, TV, whatever, the beach of Tel Aviv. And really they are gorgeous. So that was fun, but even better. So after we did the events there, they flew us to a Lot, which is in Dwight Sea and it’s, I guess, well known beach resort town, and we had a party at a Camel Ranch, which is really cool.

Nelson: So we had it all set up right to the bar and everything, but you just sit actually, even before that, we had an event on this mountaintop, which is in the desert, right? So right by the ocean. And it was like in a desert tent, like oasis type thing with sofas and everything. You can just sit there, drink. That was really cool. But the Camel Ranch was really awesome, like the whole environment and everything.

Nelson: While we were there, the people marketing was saying, oh, you guys are going to love this, because they have some live music and you guys are going to love this, this is really big. So this band starts playing and just rock and roll, good music and everything, but then when I look at the actual stage, it was a big stage. Again, the whole company was there, so it was big venue, it’s a bunch of puppets, but big ones, like The Forgetting sort of Marshall. And then at the end they have those big, I guess, Muppets they call or whatever, but the big one, and it’s those things, of course there are people there playing, but it’s with those things. And it’s funny because all these railing people are going crazy. Oh my God, I can’t believe you guys booked him and things like that. And we’re like, yeah, who are these people?

Nelson: Again, it was really fun, but it was interesting to see that. I guess they’re famous in Israel, but not very outside. And again, they played really well. The band played really well, but it was really good. So, yeah, I’ll send you the link, I’ll find it and I’ll send you because it was really interesting. Just the decorations and everything. It’s like the sofas and all of that on the copper tent and all that, so it’s really cool.

Chris: That’s awesome, man. So my bartender is over there pointing at his watch. So I have one more question for you before we get kicked out. If you opened a cybersecurity theme bar, what would the name be and what would your signature drink be called?

Nelson: All right, let’s keep it a theme. Name of the bar would be bottle overflow.

Chris: Nice.

Nelson: And the signature drink has to be Penetration on the beach.

Chris: Nice. And you have to put this bar on the coastline.

Nelson: Right, right. You have to do it.

Chris: You have to do it. Beautiful man.

Nelson: We’ll definitely sell Caipirinhas as well. And Penetration on the beach is going to have dulce de leche.

Chris: Is that condensed milk?

Nelson: Yes. Sorry.

Chris: Cool man. Well, before you run, let our listeners know where we can find you and connect with you online as well as connect with Pentera online.

Nelson: Sure. So LinkedIn, of course, easiest place to find me if you want to talk directly. But Pentera.IO is going to not only tell you about the product I recommend you visit even if you’re not interested in Pinterest itself or something like that. We have a library session where our researchers put a lot of papers about the techniques that Pentera uses. So the cool thing is that you look at the papers and of course, they might mention the COVID is going to happen like that. But it’s not about the product. It’s not teaching about the product itself. It’s teaching, for example, what techniques were developed to evade EDR, or what techniques were used to connect remotely to an environment and perform tests on the environment, things like that. So I recommend going there even if you’re not that interested into that, interested in the product itself.

Nelson: LinkedIn. Just Nelson Santos. You definitely find me very easy to recognize. Put him on the picture there. So yeah, do reach out and I’ll definitely love to talk about any of the things we discussed today. Security related, machine learning related, all of that. I love that.

Chris: Nelson, thanks so much for stopping by man, and sharing your insight with us, man. It’s been great. I appreciate it. You take care and be safe.

Nelson: Chris thank you for the opportunity and for giving me the time and for listening to me. This was really fun.