In this conversation, Mike Lisi shares his journey into the cybersecurity field, detailing his early interest in computers, the challenges he faced while obtaining his OSCP certification, and his transition into consulting. He discusses the importance of understanding client needs in cybersecurity assessments and his leadership role in the Red Team Village. Mike also elaborates on the NCAE Cyber Games and the design of Capture The Flag (CTF) challenges, providing insights into effective content development for cybersecurity education. The conversation concludes with Mike sharing unique experiences from cybersecurity events and his thoughts on future engagements.
TIMESTAMPS:
00:00 – Introduction to Cybersecurity Journey
03:23 – The Path to OSCP Certification
06:13 – Transitioning to Consulting in Cybersecurity
09:14 – Understanding Client Needs in Cybersecurity
11:56 – Leadership in Red Team Village
14:32 – NCAE Cyber Games and CTF Design
17:26 – Creating Effective CTF Challenges
20:04 – Resources for Aspiring CTF Participants
22:57 – Content Development for Cybersecurity Education
25:49 – Unique Experiences in Cybersecurity Events
28:25 – Closing Thoughts and Future Engagements
SYMLINKS:
[Maltek Solutions Website] – https://malteksolutions.com/
A cybersecurity consulting firm specializing in offensive security services, penetration testing, and risk assessments, founded by Mike Lisi.
[Mike Lisi LinkedIn] – https://www.linkedin.com/in/mikelisi/
Mike Lisi’s official LinkedIn profile, where he shares insights on cybersecurity, offensive security consulting, and industry trends.
[Red Team Village (RTV) Website] – https://redteamvillage.io
A nonprofit organization dedicated to providing educational experiences in offensive security. RTV organizes workshops, talks, and training opportunities, primarily at DEF CON and other cybersecurity conferences.
[Red Team Village Discord] – https://discord.com/invite/redteamvillage
The official Red Team Village Discord server where members can connect, discuss offensive security topics, and stay updated on upcoming events and volunteer opportunities.
[Red Team Village X (Twitter)] – https://twitter.com/redteamvillage_
RTV’s official social media account for announcements, event updates, and cybersecurity-related discussions.
[MetaCTF Website] – https://metactf.com
A platform offering cybersecurity competitions and Capture The Flag (CTF) events designed to help participants develop their cybersecurity skills through hands-on challenges.
[CTF Time Website] – https://ctftime.org
A website that tracks cybersecurity Capture The Flag (CTF) competitions worldwide, providing schedules, rankings, and resources for both beginners and experienced competitors.
[Hack The Box Website] – https://www.hackthebox.com
A cybersecurity training platform offering hands-on, gamified hacking labs and challenges to develop penetration testing skills.
[TryHackMe Website] – https://tryhackme.com
An interactive cybersecurity learning platform that provides guided tutorials and virtual labs for security professionals and beginners.
This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.
Chris Glanden: Welcome to Chris Glanden. I’m your host, Chris Glanden, and today I’m with good friend and close partner of Chris Glanden, Mike Lisi. Mike is the founder of Maltek Solutions, president of the Red Team Village and CTF design lead for NCAE Cyber Games. Mike, thanks much for joining me.
Mike Lisi: Thanks Chris, glad to be here with you.
Chris Glanden: Mike, you and I go back quite a bit. But I don’t think we ever spoke about your specific journey into the cybersecurity industry. If you don’t mind, I’d love to start there and just get your origin story.
Mike Lisi: Absolutely. It was not a direct path. When I started just getting into cybersecurity, that was maybe 12, 13 years ago, but I started off in my teenage years just getting into computers. I would be building them, would be programming, would just be learning how to install operating systems, all those things when I was a teenager. In fact, parents were just confused by it. I asked, I think it was my 16th birthday, my mom asked me what I wanted and I told her I wanted the Unix Administrator’s Handbook. And she was just, what is wrong with you? And I just knew from that point on that I was going to be doing something with computers. I just kind of saw where everything took me.
Chris Glanden: you
Mike Lisi: I started with just your typical building and designing and setting that up. I got an internship out of college where I was just doing help desk stuff, learning how to troubleshoot, fix things across the board for a, it was a local credit union. And then once I graduated from college, I got an opportunity to get into cybersecurity a little bit more through research and development. I got picked up by a government contractor. Got to dive into coding stuff. My first project there was manipulating IPsec tunnels at the kernel level. It was just a completely new world for me.
And from there, we did all this, research, we did all these offensive and defensive techniques that we were looking into and developing. And during my job at one of those contractors, we got asked by one of the government departments to do penetration testing on their systems and I had no idea what was involved with that. There were some guys on the team that were certified in this and they had done this before. I just got to kind of shadow and I learned a lot about what they were doing and it was just all this cool offensive stuff, and from there it was just kind of a little spark and I decided, that’s just what I’m going to do. This was back in I think 2013. I started to just pivot, went after OSCP, no certifications, nothing else, just dove into it and just didn’t look back.
Chris Glanden: What was that experience going for the OSCP? Was that just overwhelming for you? Because I know even at that time it was a very difficult start to get.
Mike Lisi: It was. Back in 2013, it was still relatively new. And I am the type of person that gets super obsessed into puzzles. For me, it was just this huge puzzle and I was just loving it. It didn’t feel a chore to me. It was just this next thing to try and solve. When I, when I did it, I signed up for the 45 day class, I think is what it was. You get lab time and I just spent literally every day after work from 6 PM to 10 PM, all weekend just hitting those labs, popping every single box and just learning from scratch all of the things related to, you know, identifying vulnerabilities, enumerating things on systems, writing exploits, doing the exploitation, pivoting, all that stuff. And it was just intriguing to me that it wasn’t even a chore. And I knocked that out in about 30 days before I took the exam. It was, it was intense. It was definitely overwhelming at times, but I just kind of got obsessed with it a little bit.
Chris Glanden: Do you think that that cert specifically was the most instrumental for you?
Mike Lisi: I think. For me personally, it worked really well. I’m the type of person that can kind of take that stuff and run with it and just be really self-motivated, which I come to understand just doesn’t work for everybody. I hear some criticisms of the OSCP where they’re just, try harder, try harder. And I get that because you really do need to be self-motivated and able to try and solve your own problems when you get out into the industry and when you’re doing this stuff. Unless you have a team to rely on, it’s really about that learning path and trying to figure out the ways to bypass these things that you’re presented with. I think it was a great way for me to start versus going a different route. Although, back in 2013, there wasn’t as much of the resources available that there are today. I don’t know that it would have been, there would have been a better alternative for me to go down that path versus what exists today.
Chris Glanden: In 2013, I was sort of forced into getting my CEH too and I had just got into security. For me, it was a similar situation where I had zero knowledge, and going to get my CEH at a seven day boot was difficult. But once I got that, that was just the point of no return. I’m in.
Mike Lisi: I hear you. I did the CEH second and I was just, holy cow, what a drastically different type of environment, learning path, everything that for it. I
Chris Glanden: Well the OSCP was more, I guess, practical, OK.
Mike Lisi: 100%, 100%, just couldn’t be more opposite to me. I found the CEH super approachable, but coming from having that hands-on thing, that hands-on approach through the OSCP labs, I felt that the CEH wasn’t as helpful for me when I got into the field, but it was a good primer, a good introduction to the types of things that you really need to know.
Chris Glanden: Got it. Got it.
Mike, you and I share a common interest in I’d to just shift to that real quick and understand when did that happen? When did your focus shift specifically to consulting? And then also, what do you most about consulting with a wide range of clients with different needs?
Mike Lisi: Sure. The switch to consulting came literally after I finished OSCP. I was working, I said, as a defense contractor. We were mostly doing R&D stuff. And I had started really getting involved in cybersecurity conference attendance. And at the time, this was when DerbyCon was happening. I think it was DerbyCon 3, where there was a recruiter essentially that was giving a talk at DerbyCon and just talked about opportunities to do the Offensive Security Consulting. And this was, I said, after I finished OSCP. And I realized, I can actually just start doing this as my full-time job. And there were some challenges on the contracting side that I just started getting, I’m not really bored of, but I just was frustrating, when you’re doing all these proposals, when there’s potential government shutdowns, all this stuff happening. I realized, maybe this other path is going to be a better road for me to go down. I literally applied to a consulting firm with zero experience, just the certification. And they put me through a practical hands-on test or writing assessment, that sort of a thing. And they offered me a job and it was for me, it was super easy. I realized again, 10 years ago very different landscape than what it is now. And I couldn’t be happier with that opportunity that I was granted to just start consulting and working with these companies to try and assess where their risks and where their vulnerabilities were. And it was a huge wake up call though. I expected to go in there, just start popping every box. That’s just what your experience was with OSCP. And you get into real world environments and you’re, wow, this is completely not. The expectations were very different.
It was kind of a drastic learning curve once I got in there, but it was awesome. I really, I really don’t regret making that change. The thing I really about it is just seeing how different companies both approach their cybersecurity posture and how they try and defend themselves. And also what really motivates them and the types of things that they’re trying to protect because it’s not just a one size fits all thing. What one company is trying to protect against is completely different from another one. And you learn a lot about what those needs are and what those concerns are in the consulting world. And it’s just a really, really interesting kind of space to learn a lot about not only security, but about business itself.
Chris Glanden: And I’m just curious, what organizations do you typically work with?
Mike Lisi: It’s honestly been across the board. I spent the first six years working for another firm. They were phenomenal. I really have no complaints about the work that I did. We got to assess things from banks, medical facilities, schools, e-commerce. There was a lot of that. I was able to get exposed to a lot of these different industries. And then when I had that opportunity to kind of step back from consulting with somebody else to doing more of a freelance role, which is how things started with my current company, I got to do a lot of subcontract work and partnership work, which really exposed me to just almost every industry that I can think of. And it really just opened my eyes to the different types of tests that are out there, the different types of environments that you’re going to see. And it wasn’t really just focused on a particular niche. At this point, you know, 10 years on, I’ve seen many just different industries and work with many different clients.
Chris Glanden: You got to keep up with the governance regulations and things that, which, again, for me, I love the pace of that and being able to stay in tune with that. You guys do any GovTech or government work?
Mike Lisi: We don’t do a significant amount of it. There were a few opportunities that came up with some of our partners where we were able to work with more county, local governments, those types of areas. And that was a really cool experience just because there’s many different components to a government, a government client, whether it’s the police and the jails, those type of things. They have the health, they have their legal, they have their internal stuff. You almost kind of get a little taste of everything when you’re working with the government side and it’s also just huge environments that we test with them.
Chris Glanden: You had mentioned this, but I think a major focus when working with a client is assessing where their organization stands within their security posture. Curious from your experience, where do you feel there is a void when it comes to an assessment process an assessment that needs to be performed in order to optimize the value for that client?
Mike Lisi: It comes into a, there’s a few things that really have kind of cropped up to me as being really important in that regard. Number one is that often we talk with customers that basically want to know, Hey, what can the bad guys do? We don’t want to give you any information, but we want to see what you can do. But that kind of doesn’t really sync with how much time they have, what their budgets are in order to really be practical about that. What I usually try and push back on for those types of customers is to work on prioritizing a practical solution that also fits with their time and budget.
That kind of requires an exchange of information that a typical attacker may not have. We’re kind of skipping a few steps when we work with those customers, but at the end of the day, we’re going to get to the things that are actually of concern to them within their time and budget restrictions, which I think is an important thing for customers and companies that are looking for this work to keep into mind. There is a scenario where you do want to have that no knowledge sort of a test, but that’s the side of that bell curve for most organizations. Everybody else kind of falls in the middle where there has to be some sort of exchange in order to make it practical and approachable and realistic given what their constraints are.
Chris Glanden: Absolutely. I think that is very important going in because you don’t want to waste their time either. And I think that’s great, great, great advice. Congrats on recently being named president of Red Team Village. For those that are unfamiliar with Red Team Village, do you mind just running down what that is and then how you became involved?
Mike Lisi: The Red Team Village is a nonprofit organization. We have this mission to provide educational experiences and opportunities for people in the offensive security community. We’re here to connect people, to help provide skill development, learning, training, all that type of stuff to the community in order to help foster technical growth for people that are looking to transition from, maybe just operational status into cybersecurity or from something a penetration tester into a red team operator. Because there’s different types of skills that you need. And we try and connect people to resources that can help promote those skills. I got involved through, it was actually kind of a weird opportunity that kind of arose here. And I know we’re going to get into the NCAE Cyber Games a little bit, but through the work with NCAE Cyber Games, I run CTFs.
When I was doing research on CTFs, I was trying to find other people that were running these events I could kind of pick their brain and find ways to do this better for the students. And that got me in contact with Barrett and Wes, also known as PonyIP and Knopp Researcher. And they were running an event down at Cactus Con. I talked to them a little bit, we synced up and then we exchanged some challenges. We discussed how we approach CTFs. I learned a lot from them. And then I found out they were associated with Red Team Village. They were looking for more people to help the stuff that they’re doing for the Village. And they invited me to kind of join the crew to help out in that regard. This was probably about four or five years ago. And then since then, I’ve been involved in various capacities, helping them run the Village typically at DEFCON, where we have these workshops, have these talks and training opportunities. Then, last year, I joined officially as just a core member, helping organize the volunteers for DEFCON32. And some of the founders there, Omar West, Savannah Barrett, they were kind of ready to take a step back a little bit, let some new people kind of take over some of the village operations. And we had this vote back in January, end of last year, beginning of this year, to kind of create a new board. I was nominated as president for that. The team thought that would be a good idea. Now that’s official. I’m really looking forward to helping take all of the stuff that Wes and Savannah and Omar and Barrett have done and just continue that and continue that mission because they’ve put in much time and effort to make the village just super popular. And I have a lot of big shoes to fill. And I’m really kind of stressed about it, but I also know that they set us up for success.
Chris Glanden: You’ll be fine. In terms of popularity, I saw you guys at Defcon last year and I was really impressed with how long the line was just to get into the RTV room.
And I know that you guys also do events and projects outside of Defcon. For those that are listening, where can they find RTV and also is there possibility for them to get involved?
Mike Lisi: For RTV itself, we are going to be at HackSpaceCon in May. There’s going to be both some onsite presence for the village as well as a CTF. We’re going to be at DEF CON this year as traditionally as we are. We’ll have a village there. We’re looking to change it up a little bit this year to make it more approachable. Last year there was a lot of talks and we didn’t have as much of an open space for people to flow in and kind of check things out. We’re hoping to minimize the lines a little bit in that regard by having things a little bit more accessible. You can find us online at redteamvillage.io. And we’re also starting this new monthly series called RTV Kron, where we’re going to be putting on a free workshop live once a month, the last Thursday of every month. We’re going to bring in somebody that’s going to present on a specific topic. Follow along, they can learn, can watch, and then we’ll talk about all the updates for the Village, other things that we have going on, where to find us. But traditionally, we’ve only been at DEF CON, and we’re starting to expand a little bit more into other areas just because people want to be able to interact with us. As far as how do people get involved, you can reach out to us at Red Team Village on Discord, on X. We have a call for volunteers that’s going to be opening up on Friday 14th, that’s tomorrow, and people can sign up to get involved in different ways and be part of the events that we hold.
Chris Glanden: Nice. I’ll be down at HackSpaceCon, I’ll stop by. You going to be down there personally?
Mike Lisi: It’s looking no, I won’t be down there personally. I have a different event that I’m going to be responsible for running at the same time. There’s just many conflicts that came up for on that same date.
The 15th was just a crazy day.
Chris Glanden: It is, it is a crazy day, but I’m looking forward to, I hear nothing but great things about the conference itself. Looking to go down and checking it out. I mentioned you’re CTF design lead for NCAE Cyber Games. Let’s just level set first. Do you mind just talking about what NCAE Cyber Games is?
Mike Lisi: The NCAE Cyber Games is an initiative that was, it’s currently grant funded through the NSA. It started as this local competition that we ran in upstate New York for local college students. And what we would do is we would get about 100 students together from various colleges, mix them up, throw them into teams of about 10 or. And then we would give them two tasks. One is to defend a set of vulnerable systems from attackers, an actual live red team. And the second is a traditional kind of Jeopardy-style CTF. The goal of this was just to get them hands-on skills for defense and learning about how cybersecurity works, how an actual attack may take place, and then put them in that seat of, you’re being attacked, you’re being compromised. How do you handle that? Your goal is to keep your stuff online and accessible for your users or whatever the case may be. But that’s also a difficult thing just to throw people at without any context. We supplemented it with the CTF to give kind of a non-compromised space for people to learn different hands-on techniques and skills. We ran this for, I don’t even know, almost eight years just locally. It was super successful, super popular. And then the NSA came along with a proposal that basically said, we’re looking to provide some more competition-based learning experiences for college students. And the college submitted for that. It was funded. And we’re currently in our, I believe it’s our fourth year where we’re running this for schools across the country. Instead of hundred students in upstate New York, we’re now reaching over a thousand across the country.
Chris Glanden: That’s cool. And it’s a great way to get people involved too that may not be familiar where else to participate in the CTF. But I would love for you to talk me through the design process, because myself and others are really more familiar with participating in the CTF, but not from the perspective of actually designing one. We’d love to hear what that actually involves. And then how do you ensure not only the challenges are effective, but that they’re challenging enough for the participants?
Mike Lisi: Honestly, the approach for CTF design is a little bit simpler than most people would probably expect, but it really depends on what your goal is for this. For NCAE Cyber Games, we’re targeting a beginner audience. People with not a lot of history or without a lot of experience competing or trying to solve those. But at its core for a CTF event, what you want to do is first decide what your objective is. Let’s say in one case, it’s trying to exploit a system or a particular vulnerability. A way to approach this is by doing research, finding typical vulnerabilities that you could leverage or maybe CVEs or exploit opportunities. And then you want to construct the environment around that objective for what you want them to accomplish, whether it’s, hey, I want them to learn how to create a reverse shell or learn how to identify and enumerate a vulnerability with a public disclosure, whatever the case may be. And that kind of gives you the framework for that challenge. And then the goal is to now add the restrictions in place that people are really focused on that one path that you’re looking for them to take. Because at the end of the day, you want them to learn this one skill, you have to kind of eliminate all those other variables to the extent that it results in just that specific path forward that you want the participant to take.
Now, as far as how to adjust the difficulty of this, it ends up becoming an issue of how much information to give them. If you give them very little information, it makes it much more difficult to find that little breadcrumb to follow. The more that you add to that, it directs them more specifically towards that task and makes that challenge a little bit easier. And it’s really kind of creating that balance of how much information to give them or how much information to take away in order to adjust the difficulty of that challenge itself.
Chris Glanden: Got it. Got it. That’s super interesting. I guess what kind of resources would you suggest as someone from that perspective for someone that’s looking to get into CTFs? Are there any free resources, any free sites that someone can just go on and on their own time and practice CTFs to get more familiar, more comfortable to be able to do it in a more formalized setting?
Mike Lisi: On the creation side, there’s lots of opportunities to reach out because content development is one of the most in-demand things for any sort of platform, whether it’s Hack The Box, whether it’s TryHackMe, whatever. For us at the cyber games, we’re always looking for people that have ideas for CTFs in order to help create more content for learning. From the execution side and from the practice side or doing a participating within them. There’s a couple of things you can do. One is you can go to some of those other platforms and try them out. Hack The Box has opportunities to run CTFs from time to time. MetaCTF has events all the time. And then there’s a website, ctftime.org, which tracks almost, I wouldn’t say all, but a significant number of CTF events around the world where you can sign up and participate and test your skills out.
The other place I would suggest is looking up all your local conferences. Any security conferences typically have some sort of a competition or at least often they’ll have some sort of a CTF or competition where you can practice and try out some of these challenges and things.
Chris Glanden: If you’re developing content for these platforms, whether it’s CTF or some other sort of educational platform, what’s important for content developers to be aware of?
Mike Lisi: From my perspective, the thing that has helped a lot is knowing who your target audience is and interacting with them and getting some feedback. When you’re doing content development, let’s say it’s for a beginner, find some resources that and that you can trust and run some of the content by them and get their feedback. Because if they’re your target audience and they don’t understand what you’re trying to accomplish there, then you’re going to have those same challenges when you go and put this content out in front of thousands of other people. Refining that stuff and taking that feedback is an awesome way to really hone in the content for the people that you’re developing it for. And then that ends up resulting in just really fine tuned approach and this really fine tuned deliverable that ends up helping out the people that you’re, you’re looking to work with on this. And that’s really what we’ve learned over the years for the cyber games and collecting that feedback from everybody and then just reincorporating it into our next iteration of what we present.
Chris Glanden: That’s great advice. And I think you can take that advice and apply that to, you know, your certifications as well or any type of educational platform to keep things relevant, really. All. You travel, you travel a lot, you do Defcon. You do Cactus Con, you do a lot of the community based cons, which I’m really starting to get into myself.
But you’ve seen different cities, you’ve seen different venues. You guys had an awesome RTV party at Def Con last year. Curious to get your take on the coolest bar or bar type atmosphere that you’ve ever been in, whether it’s, you know, personal or whether it was through RTV. Just curious to get that because I to ask that question and then what also makes that establishment different or unique.
Mike Lisi: I’ll give you two examples here. One is on the personal side. The place that I really enjoy is a place with the lounge couches, you know, the place you can just kind of kick back. Sometimes they’ll have some games and stuff that you can do. That’s kind of my vibe where I want to just hang out and chat with people or do something that. If I was going to do a cyber theme bar, security theme bar, the other one that comes to mind is from my recent trip in December down to Brazil. We went to a place called Syber. Everything was cyber puns. They had a different beers that were just, a ping of death was one of their beers that they, that they brewed there. That place was great cause it was just kind of, you’re in good company if you’re a cyber person and you’re hanging out at that bar, you can pretty much talk to anybody and they’re going to have common interests. That, that place, that place was awesome. We had a great time. I think Wes brought back a couple of different bottles there just cause the labels were cool, that the names are cool. That was an awesome place. If I was going to do something, I’d probably make it a cyber pun for the bar and all my drinks would be cyber related drinks. Cause I don’t know, that just would bring in the clientele for me.
Chris Glanden: Where in Brazil was it and was that planned or was that just the place you just happened to walk by?
Mike Lisi: It was planned. It was down in Sao Paulo, Brazil.
We were down there for Hackers to Hackers Conference, which is one of the largest events in the country there. The conference itself was about 2,000 people. Red Team Village was there. It was our first event outside of DEF CON, basically, that we had actual workshops and talk tracks and those types of things. A few of the people that were at that conference were just, hey, after the event, we’re going to go down to this place called Sybeer. There’s going to be more talks. They had a whole track of people doing security talks at this beer or at this bar. We just went down and hung out and just got to interact with a few of the people. The language barrier was an issue for us, for a few of the folks, but there’s enough people willing to
Chris Glanden: Nice.
Mike Lisi: interact with us and show us a good time.
Chris Glanden: Well, I just heard last call here. Mike, you got time for one more? All. If you opened a cybersecurity theme bar, what would the name be and what would your signature drink be called?
Mike Lisi: One more, sounds good. Cyber security theme bar. I said, I’m a big fan of the puns. I think cyber was a good one. I would probably, well, let’s go to the drink first. The drink wouldn’t end up being something related to, you have when you’re doing a trace route, you have the different hops for each one you’re going to. I would tie in that hop thing for the drink itself for this specific beer. As far as the name goes, naming things is honestly the hardest thing I’ve ever come across, whether it’s my next tool, whether it’s my company, whatever. But I would have to think about that a little bit more. I didn’t come ready for a good solid name. I’d always go to Trace Route. That’s a great one. There you go. There you go. I love it. I love it.
Chris Glanden: Hahaha. You can name it Trace Route and then just serve IPAs. There you go.
Cool. Well, before you go, you know, let us know where we can find and connect with you and then also where we can find and connect with RTV online.
Mike Lisi: I’ll start with RTV to rep them. Online, redteamvillage.io, discord.com slash redteamvillage, and redteamvillage underscore on X. Those are our main places to find us. As far as myself, you got my tag, Mike Lisi. That’s where I’m at, on Discord, on X, on Blue Sky, across the board. I use the same tag everywhere. From my company, malteksolutions.com. We’re online and we’re at Maltek InfoSec on X.
Chris Glanden: Cool. Mike, thanks again much for your time. You take care and I’m sure I’ll see you soon.