Ep.17 Evan Dornbush | Escalate and The Gamification of Learning

podcast default

In this episode of the Cybrary Podcast, we sit down with Evan Dornbush, the CEO of Point3 Security. Speaking with Cybrary's VP of Engineering Mike Gruen and Head of Infrastructure Jonathan Meyers, Evan explains how Point3 is using gamification to help people learn through CTF's and other hands on activities.

Hosted by: Mike Gruen, Jonathan Meyers, Evan Dornbush
Length: 56 minutes
Released on: April 1st, 2020
Listen to the Audio
Enjoyed this podcast?
Share it with friends now!

In this episode of Cybrary's Podcast, Joining us along with Cybrary's VP of Engineering Mike Gruen and Head of Infrastructure Jonathan Meyers is Evan Dornbusch. Evan Dornbusch is the co-founder and CEO of Point3 security. Evan explains how ESCALATE, Point3's gamified learning ecosystem helps individuals to develop their skills in cybersecurity.

The ESCALATE ecosystem purely consists of hands-on learning content like puzzles, Capture the flags, etc. Every challenge is mapped over the NIST NICE framework which helps the user identify which job titles he/she is qualified for. The common mistake that companies make is hiring the wrong employee since companies are going behind certified employees. The trio discussed how certifications affect the hiring process acting as a gatekeeper. Evan pointed out how Point3 is helping a lot of organizations to hire smarter. Evan also mentioned that he receives handwritten letters from students saying that they've got a good job. Mike added that a lot of people in cybersecurity are driven from the inside and mentioned how he switched from a mechanical engineering background. Jonathan shared that Cybrary receives similar success stories from their students. The trio discussed the potential impact of AI on cybersecurity. Evan highlights how ESCALATE stands out from its competitors by preparing users for not yesterday's attacks but tomorrow's. ESCALATE also provides mentorship to its users. Evan encourages companies to invest in their employees in different ways.

Apart from ESCALATE's gamified learning ecosystem, Point3 also hosts live events, conferences, and more. Point3 security teamed up with Women's Society of Cyberjutsu, WoSec, WomenHackerz, Gatebreachers and together hosted the WomenUniteOverCTF event in November 2019.

To find more about ESCALATE, hop on to


Evan: Evan Dornbusch co-founder and CEO of Point3 security.

Mike: So yeah, Mike Gruen, VP of engineering and head of security at Cybrary. So I've been at Cybrary for almost two years. It'll be two years in November. I came here right when we started the re-platforming effort and moving everything over and really built out the infrastructure and security team and monitoring, moved us more to a DevSecOps mentality.

Jonathan: Cool. And then Evan, do you want to talk a little bit about your company real quick and then we'll go in.

Evan: Yeah, fair. So I have been with Point3 for about four, maybe five years, give or take, we are an information security company that helps organizations of all shapes and sizes, manage, assess, and cultivate their cybersecurity talent. We do it through a proprietary gamified learning ecosystem, which we call ESCALATE.

Mike: So how does ESCALATE fit into the whole, how do they, how does the gamification sort of fit into a training program or an organization in general?

Evan: Yeah, so. Good question. The gamification side, we tend to emphasize that on podcasts and informal settings, cause it's like a catchy word but the reality is the gamification piece is secondary to the learning piece. So what we've done is we've created, what I just call a jungle gym for hackers. Individuals can roll in at their leisure and engage in hands on content. So we don't do video based learning modalities or multiple choice tests or lectures. There's puzzles, go solve the puzzles, capture the flag, and by capturing the flag, you're demonstrating competency over some particular skill set. We map everything over the NIST NICE framework, which we can talk about later. But ultimately the idea is a learner is going to learn something and a manager is going to see something, in terms of career progression and the gamification piece keeps it sticky.We've built a community. So individuals are motivated to either collaborate or compete using tricks that we've just learned from video games.

Mike: So is the collaboration competition within the organization or across, your sort of platform overall?

Evan: Yeah. So we can do it both ways. So, When an individual logs in, he or she has their account, they've got no points.They've got no demonstrated competencies and they're mapping themselves typically against the global leader board. Right. Everyone in the community, strengths or weaknesses wise. But we can create tailored competition specifically for member organizations. We've done some times where like customers will challenge other customers, like in a particular vertical market or in a particular geographic region.And so you can kind of,but you know, build out your human network by collaborating and competing against folks that are in the community but just not necessarily part of your direct, you know, capture the flag team.

Mike: So what's the sort of motivation for the individuals within the organization.And then maybe the motivation, like how does the manager take advantage of that or, try and get people to participate.

Evan: Yeah. So the participation is going to be driven by the learners. You know, we consider ourselves a workforce development company. We try and stay away from the training word. Because training to me sounds forced and boring and there's no real outcome. And so, you know, we can lead the horse to water. You can't force the, you know, the horse to drink. And so with our learners, they want to be in cybersecurity and they want to get more hands on skills with technical areas that they might not have been exposed to elsewhere and so. That motivation has to be there already. We're not there to inspire that part of it. We inspire when someone has made the commitment to, you know, invest in him or herself and go in that direction. Right. So we can ourselves go to a gym. Right. There's a lot of heavyweights everywhere, but you've got to lift the heavy thing up and down to get the, you know, Cyber muscles. If I can quote an awful phrase, right. It's up to you. And we're there to help and motivate and, you know, do the personal training like inspirational side of things but you have to do the heavy lifting and the value to the organizations. We're learning this as we go. When we went to market with ESCALATE, we thought the individual would be the end user. We thought an individual would come to us and say, Hey, You know, I've read the book, but I don't get it. Or I've, you know, I went to a conference and saw somebody say something really cool, but I don't know how to get started. I don't have the facilities to go about it. And so like, alright, we can create the ecosystem for you. But from a business standpoint, it's organizations that have come to us, managers saying I can't hire people or I'm hiring the wrong people based off of like this technical certifications they have which don't necessarily translate to demonstrated competency, or I don't know how good my team is or who my top performers are, or I need to identify strengths and gaps within the team. If I'm a consulting firm, I need to know who my best athletes are. Right. And so, it's really been organizations that have been driving our growth and they're interested in, again, like giving a fun environment for their employees to get better, clearly defined career progression paths. And again, you know, perhaps identify that talent that may be latent inside your organization, that, you know, somebody in finance or help desk should be reassigned to, you know, Cybersecurity, because there's an interest and an aptitude there. That drive is hard to find sometimes. And we help uncover that.

Mike: Yeah, no, that makes a lot of sense. I think we use the gym analogy a lot as well for our stuff, and nobody goes to the gym just to go to the gym. So there's usually some other outcomes that they're hoping to achieve, whether it's, you know, a better job or advancement in their career, whatever it is, are changing. So yeah. Sort of get that.

Evan: Yeah.

Mike: You mentioned certifications, I'm always interested in sort of what the sort of, if you've seen like trends with certifications, either, you know, more employers looking for them or they're becoming less important, just curious what you've sort of seen.

Evan: Yeah. So I think certifications certainly have a role and I'm not diminishing that. How we came to be is, It's probably ultimately a story around certifications. So, My co-founder and I. We were teaching, you know, two and three day symposiums, actually at a little local bagel shop in Maryland. And you know, we're teaching reverse engineering, malware analysis, exfiltration of data, command and control, like just niche type topics. And as our story goes, one of our brochures ended up down at the Pentagon where the director for force readiness and preparedness says, Hey, like this is actual cyber security. What we are doing for the next generation of warfighters isn't working. Can you help us? And so he said, well, what are you doing? Right. And the response was, well, it's a six month, you know, nine to five. So 40 hours a week for six months, a series of boot camps where you know our men and women's service members are engaging in get the security plus cert and then get the network plus cert and then get the A-plus cert and then get the certified ethical hacker cert. And then get the CISSP cert. And the CCNA and yeah. And then you forward these individuals to mission producing units and they can't operate.They don't know necessarily how to perform and that's because the technical certs are. To by far and large are, you know, rote memorization of definitions. So, right. So yes, we have a skilled workforce that knows that yes or no, encryption is important. That's great. But they don't know like how to implement it or how do you perform crypt analysis to determine whether the crypt is even secure or, and so what we did was we came in and we said, Hey, What if instead of six months of watching, you know, like PowerPoint lectures and taking multiple choice tests, what if we give them like an authentic environment where individuals who have very limited computer backgrounds can investigate in that time into programming, into using open source tools, into creating their own tools, into performing vulnerability research and exploit development and understanding, you know, memory forensics and, this nuclear arms race of attack, defend, attack, defend for six months. And then. That seems to be more effective. Right. And that's just not my word. Like it was a Pentagon, you know, research effort. So, you know, we did our thing and then data scientists from a bunch of different research laboratories came in and they inspected us, the students, the curriculum, and then they tracked the students after attending this, What they're now calling a cognitive apprenticeship style course. And lo and behold, the students are more engaged in the community. After the course, they can perform better or they're being promoted better there. They understand, and they enjoy what they're doing, which is also important. And so long ways to go back to your question. The reason why Point3 exists is that while certifications are important and do have a role, there's an over reliance on them from a hiring standpoint. And it's just because somebody has all of the technical certifications, like all of them does not intrinsically mean that they will be able to do all of the things that you may need them to do in their current work role.

Mike: Yeah, no, I definitely see the same thing in software engineering. My background is a software engineer, you know, I started off doing the things, right. So I didn't know. Like we came up with model view controller, but we didn't know that that's what that was called. Right. It was the nineties, that old. So we did all these things and then, you know, you go out and your job interviews or whatever, they start asking you questions. And I think certifications, it sounds like it's a similar thing where it's like, if you know the terminology, it's a great shorthand and it allows a team to sort of. Make sure that we're all talking about the same thing. It doesn't necessarily mean that you know how to do the thing, but at least means that you know what the thing is. And I think there's a lot of that. I think, when I look to hire people, I always look like, can they do the thing that, do they know what it's called?

Evan: Yeah.That's literally what we sell right. Is a benchmark on, Hey, this person says they can do malware analysis. That's what I need them to do. Can you throw a piece of malware at them and see if they can analyze it

Mike: Right

__Evan:__Yeah. Easy, right.

Jonathan: I know a bunch of people that like look for jobs and things like, what are your thoughts on basically the certifications being the gatekeeper. They even bring you in for an interview? I'm kind of seeing, I'm hoping that it goes away because I hope like more sites like yours and ours kind of like hope opened the door to be like, Oh, look, there's actual like demonstrated knowledge here, as opposed to like, I sat down and took this test and answered your hundred questions.To the best of my ability. And it gave me a score that determines if I can even like come in for an interview. So I'm wondering if like, with a lot of your customers and things like that. I wonder if it's kind of started to shift their mindset from that, like that gatekeeper mentality for at least the first like initial interviews it's like that.

Evan: Yeah, I think it has. And again, I don't have a whole lot of frame of reference because we're a relatively young company and all we sell is, I guess, anti-gatekeeping. So of course I'm seeing an uptick because you know, our basis was zero. But it's helping, it's helping a lot of people it's helping a lot of organizations hire smarter. It's helping, like when we did a course in Chicago and we, through a government grant, we're able to help individuals from like Chicago South side. Right. And no prior computer experience or limited prior computer experience, a bunch of different age groups and we had a chemical engineer, looking for a job change in his sixties. And we had a bunch of 18 year old kids and people all in the middle. By the end of that course, I think we had over a 90 or 95% job placement rate for decent salary paying jobs. And we have handwritten letters from the students saying, Hey, Based on my zip code or my last name, like no one was calling me back and now I've got a good job at a really well known company and that story, we hear it over and over again. And we're still getting handwritten letters from a lot of individuals that, They don't have a college degree or they don't have a technical certification, but they've got skills and passion and increasingly they are getting picked up by larger and larger companies. So to me that gives hope. I think the gatekeeping era is done. We're past that. Now we have to reward drive and passion and competency and not, you know somebody signing off on somebody else's being okay to talk to.

Mike: That makes sense. I actually, the whole like motivation thing, getting back to what I was asking about, you know, how to individuals, you know, why are they motivated to do it? I think I find it in software engineering and anything what's, which is they have a natural drive to it. I switched from mechanical engineering to computer science because I was in the lab all the time, fighting with the computer. And my friend was like, if you enjoy fighting with the computer, you should probably switch. Right. And I think the same thing is probably true in cybersecurity or whatever it is. If you are interested in a topic, you'll look for opportunities to do those things and learn more skills and level up and things like that. So it's, most people are sort of driven from the inside.

Evan: Yeah. Fully agree. Fully agree.

Mike: Cool.

Jonathan: Yeah. I think we also see similar things like in Cybrary. Like we have a bunch of success stories that people that are just like, kind of taking these courses on the side. Right. Still doing other things and things like that. And then they just all of a sudden find their like niche, I guess in cybersecurity, like really enjoy it. And then they just kind of deep dive. And then, you know, a couple months later they land these like pretty major roles at these companies and like a whole new career which I think is relatively unheard of. Like, I guess for the most part, like, I mean it's tough to switch from industry to industry especially if you're already established and things like that. And coming in at certain levels of. Pretty unheard of, but I think we've seen, we've seen several that kind of come in and now they're very vocal. They're like rockstars, their companies and things like that. That's pretty awesome.

Evan: Yeah. And that's to me the value of the Cybrary community, right? Because your content is extremely varied and cybersecurity is a big tent. And there are lots of areas that could be of interest to people and not, I guess not all cyber is the same. Right. And so that's tremendously valuable for people to realize, Hey, here's what I'm interested in. Here's what I'm good in. Maybe there's overlap. Maybe there's not, but regardless there's a way to find. In this day and age, someone that's willing to pay you to continue that the need is clearly there. The gap is clearly there.

Mike: Yeah. What we're finding is there's a lot of people that, you know, they'd know cybersecurity is, you hear the things on the radio. You hear all sorts of stories about how it's a growing career and people want to sort of move into it. There's more jobs than there are. There's. Yeah, more jobs than there are people but they have no idea what it means. It's like saying I want to be a doctor or a lawyer. They don't really realize there's all these specializations and they don't necessarily even know what they're good at or what they're interested in or what the opportunities are. So I think platforms like ours and yours sort of help that. I like the idea of, you know, sort of what you were talking about before, about someone who's maybe already at the organization. Maybe they're an IT support. Maybe they're in finance, wherever it is. And they sort of show an aptitude and an interest in it. And suddenly they're now doing a thing and getting into cybersecurity where maybe they were never exposed to it. Never even knew that that was an option for them.

Evan: Yeah.

Mike: So cool.

Jonathan: It also, I think it would also, basically enables them to kind of almost be like a security champion in the enterprise too, which helps like strengthen your, if you're the security team. Having people that, you know, and like the finance department that is like competent enough to be like, Hey guys, like we shouldn't be doing this. And kind of like knocking off 90% of the attacks or attack vectors, I guess before they even happened. I think that's a super strong asset to have in any company. And so, I mean we're kind of seeing that on the Cybrary side. It was a big blackout. We were talking about security enabled and things like that, where it's just, everybody's trying to spread all of this knowledge out the masses to kind of like raise that general bar and then kind of start to identify like the security champions that are kind of existing throughout the organization. I think it'd be really cool. Like some companies are starting to like, you know, give those people some extra training in cybersecurity, kind of letting them go down that rabbit hole while still doing other jobs. And that's kind of super powerful. I think hopefully that trend continues. We're seeing it kind of start to take off, I think especially since all these hacks and all the other data breaches and things seem to be like one a week now. And it started to hit home for most people. It's a lot easier to kind of sell it these days. And I would say probably two, three, four years ago, maybe even a year ago, trying to sell like actual cybersecurity training, not, you know, the brand awareness, watch this video. Make sure you don't share your password and

Evan: Don’t click that link

Mike: Right. Don’t click that link. I mean, I think on the security awareness, yeah. You just have that sort of very base knowledge, whereas security enablement is really about like, Hey, you're part of the marketing team. You're now responsible for certain pieces of technology. You're setting them up. You're doing a lot more. I think the cool thing about technology is that it's getting easier and easier. For lay people to use, configure, set up and do what they need to do. And so getting them more sort of in a security mindset and privacy data, how to handle data properly is going to be just more and more important. I think it's getting easier and easier to sell. Like I think about our own marketing team and all of the things that they can do, which is amazing, but also scary from a security perspective.

Evan: I think that's a good point, right? Like I think organizations are increasingly recognizing that these skills matter and whether you're employed as a cybersecurity professional or not, and you know, for better or for worse, it doesn't matter what you do or what your organization is. You're in cyber, right. If you're a bread manufacturer, you’ve got equipment that is, you know, electronically controlled, right?

Mike: Right

Evan: If you're in media or in finance, you've got apps and technology and privacy considerations, and everyone has to at least recognize that right. Awareness, at any level is a net positive for enterprises. And I think. I attribute the growth to Cybrary and to a lesser degree to Point3 on that. And that, you know, you might not have gone out to be a cybersecurity company, but, you know, I mean look, we see governments getting hit with ransomware they're in the business of cyber whether they want to admit it or not. Yeah. Hospitals are turning away patients because the equipment has ceased to work. They're in the business of cyber whether they set out to be that way or not.

Mike: Right

Evan: And we're seeing that translate to every industry and vertical.

Mike: Yeah

Jonathan: Speaking of governments, being in the cyber industry, Point3 is Baltimore based?

Evan: We are

Jonathan: Baltimore recently had some fun stuff happen to their city systems. So that's a good transition. Talking about why Baltimore? Why did you pick Baltimore? You from Baltimore originally? Like what kind of led you guys down that route? You were excited by the growing Baltimore, Texas, or what was it?

Evan: Good question. I think for us. Baltimore is where we're at. It's probably where we'll always be, a lot of love for the city. I know it gets slammed a little bit from outsiders, but it really is just an awesome place and it's definitely where Point3 considers home. I think we honestly got started there fairly arbitrarily, but it's really grown on us as we get more and more involved in the city and the local ecosystem. I think most of our talent, in terms of employees, has some kind of Maryland tie. we get a lot of individuals that come out of the intelligence community or the defense department or government in general, which Maryland is pretty heavy in. And many will choose to stay in Maryland and happy to support them more than not our employees. Or like peace out, right? I'm going to the middle west or wherever. You know, I just did 10 years at some, you know, mold infested government lab, and my spouse hated it. Now we're going back to where my spouse's family is from. And so we use Point3 support that we're fully remote, you know, work from anywhere kind of company. But Baltimore has a decent tech scene. It's fun. It's an artsy city. It's quirky. I think anything goes and that helps keep us, you know, creative and going.

Mike: I think some of the other things Baltimore has going is, not only its proximity to DC, but I think it's proximity to Philly, New York .It's well situated. That's also why the company that Jonathan and I worked at previously was situated there. It's in a good location. There is a lot of tack. You have a lot of good universities in the area between Maryland and obviously in Baltimore, lot in computer science, UMD and stuff like that. So I think there's a lot to pull from. Not just the government agencies. There's also a lot of college kids and post-grad and stuff like that to pull from as well.

Evan: Yeah. I mean the city is accessible. We have you know, Great airport. We have great train station, internet exchange point. So, you know, internet options that are pretty, pretty well, bandwidth out, or whatnot. I-95 is easy. Like you said, to get to pretty much anywhere we need to go.

Mike: if you have the time.

Evan: Yeah, but, yeah, that's not why we picked Baltimore. We just happen to live here and enjoy it, but yeah, the city is great. Any way we can, provide a win for the city. We'd love to. Yeah. It's also had some knocks too.

Mike: Yeah. I mean, I think we've talked about it. Cybrary has similar to what you were talking about before with Chicago, trying to do something with Baltimore, Baltimore city tried to do some sort of Cybrary program. I think maybe there's an opportunity there. I think that'd be pretty cool. Sort of help people find new careers.

Evan: Yeah

Mike: Have you seen any evolution or changes in sort of the positions or I mean, I know you've sort of been around for four years, I think is what you said, but in terms of, what companies are looking to hire for, or things like that

Evan: Let me answer a different question related. So, You know, Gartner famously has their hype cycle. We talk about a new technology and it's going to change the world and then everyone hates it. Then it kind of the truth kind of lies somewhere in the middle. I'm seeing a lot of artificial intelligence for cybersecurity. And part of me is like, all right, we're just at the, we're in the upswing of the hype cycle. This is going to go away because it just, it can't be what it promises to be. But the other part of me is a little bit terrified. I think the marketing play that I've seen for most AI companies is. You know, we can get rid of all of your junior positions and replace it with automation and that lets your people do the things that, you know, they'd rather be doing or more important whatever. But when you, and I understand the attractiveness for businesses, right? Like if I don't have to hire all these like junior people that I don't have to like build them up to where I need them to be. And people come with baggage and whatever, but like as an industry, do we really want to be in the business of like getting rid of the junior level workforce, because that's where the senior workforce comes from. Right.

Mike: How do you find the next person if you get rid of the entry level?

Evan: Yeah. And so that's a little bit terrifying. You know, we talk about, you know, three million unfilled cybersecurity positions. However, that number was computed, but I hear it toss around a lot, but. There's a real possibility that the market actually contracts and doesn't expand if we try to convert certain positions to software. And I personally think that would be a mistake.

Jonathan: I mean

Evan: what do you think?

Jonathan: Do you, I think it's an interesting problem, I would say I'm wondering if AI has like it's niche. In the fact that like we're letting it kind of do the older school attacks that are very well established. The trends are very like written down and things like that. And kind of let humans kind of start to do the more, I don't want to say groundbreaking but like the newer vulnerabilities they're coming out and spend more time not basically checking the entire list of like 99 things I need to check for. A Heartbleed attack that came out 10 years ago and kind of allow us to focus on like, what are the next trends? Like, what are these new ways they're kind of coming in and things like that. That's where I kind of see it kind of starting to fill hopefully, is just kind of like sifting through all the noise that a lot of these end points and steps are to make. And so I don't know if that's a weird marketing play is like. Our end point generates more noise, but we use AI to sift through the noise.

Evan: Right

Jonathan: So

Mike: Yeah, I mean I think it's more than just the end points. I mean Jonathan and I were at a talk and they were talking about you know, the software control networks and all the data that they generate and trying to analyze that data to figure out how to make things go smoother and address the network. I think the same thing, I sort of am in between the two of you on opinion with AI. I think about, You know, software engineer. When I first started, we had to do everything right. And now I think about the entry level positions I have where they're just building on top of these existing platforms that handle all of the junk that we had to deal with before like, Oh we left a database connection open and like that's just not a thing anymore. Cause the frameworks take care of it. And so we're able to hire more creative people. So web application development is being filled more and more by artistic creative people, which I think leads to really beautiful web applications. Whereas back in the day it was done by people like me that are engineers and it's like squares and whatever. So I wonder if AI sort of helps with that as well as pushes those entry level positions somewhere else. There's still an entry level position and maybe that's it is getting rid of a lot of that noise or the craft the day to day stuff.

Evan: So it could, so like Point3, we have, we work with companies to help them implement their hiring philosophies. And so really there's two schools of thought, right? The first school of thought is. I need the unicorn and I need the unicorn now. So you know, again where Point3 helps is, you have hundreds of applicants because everyone is receiving hundreds of applicants and your HR can't screen them fast enough. So before you burn very time consuming, you know, hours and labor in interviewing every single one of these hundreds of applicants, you know, Point3 will roll in and give you a screening or your candidates a screening assessment. And then, so from a technical competency perspective, there's either a fit or there's not. And that whittles down the pool and thus saves time and money on the HR side. So that's a school of thought is I need to hire the unicorn who can come in and run. But the other school of thought, which we also support is. To your point, Mike, let me find somebody that's alternative background. Let me find somebody that's an artist or from finance or whatnot. Identify the interest and the passion and then that's the individual who internally you want to train up using either your own internal proprietary schoolhouse or training program or again obviously with ESCALATE you can stay in that ecosystem all day long. But we see both schools of thought and I think. It's probably too early for us to derive trends. But I do think that's ultimately a positive thing where the positions that are being opened are starting to be opened to a more broad audience where I think historically everyone was just holding out for the unicorn and now industries are realizing well, An 80% solution is better than a 0% solution. And let's find the 80% solution and then train up the remaining 20.

Mike: Right. No, I agree with that. Are you also seeing like, you know, within any organization, they're always pyramid shaped, no matter how flat they are, right. There's only so much room to grow at any organization unless they are. Grow, unless the organization itself is growing. Do you see trends where companies are like, yeah we're willing to bring people in, train them and more than happy to sort of have us be a training, like see them go on in their career, other places. And we sort of know that we help launch their career.

Evan: So we are seeing that in two ways. The first way is interesting. A customer kind of came up with this and then shared the idea with us. And then we've kind of shared it back out and other people have started implemented. And that is almost like a Cybrary concept of micro certing and so you know, inside ESCALATE, we have 120 plus challenges. New ones released ,you know, monthly in a variety of different skill areas. And so what we can do is we can work with your organization. Let's say, it's a pentest firm, right? The pentest firm is not interested in all 120 plus challenges we have, but they're probably interested highly in 10 or 15 of them. And so internally that pentest firm can say, all right, team, if you solve these three or four, you are now blessed internally as a junior operator. And here are the things you can or cannot do for our organization. When you solve this next one, like now you're a mid level operator and that bestows upon you additional responsibilities, maybe a title change, maybe a salary bump, whatever. And if you solve like the, you know, the next three or four, like now you're a supervisor, right? So there's clearly defined, meritocratic, if you do this, here's what happens. And that's extremely, extremely beneficial for both the employee and the employer

Mike: Right.

Evan: Where that roadmap is defined.The second thing that we've done inside ESCALATE is we've mapped all of our challenges against the NIST NICE framework. And so what that does for an employee, and for an employer is to identify where the skill sets are. So as an employee or as a learner in general, you know, if I solve a certain number of challenges, I can then map myself against NIST NICE and say, all right, here are the job titles that I'm qualified for. Right? Maybe I didn't know, this thing existed. Cause in NIST NICE, it's like 120 different job titles.

Mike: Do you want to take a step back? I mean, we know what NIST NICE is. Cause we are, we also map our training to that as well, but maybe, really quickly. What is it?

Evan: Yeah, so to me. I don't have the full history but let's go back into it and change everything with the government does it. So, NIST is a government standards group, National Institute for Standards and Technology. They're the ones that say, Hey, you know, 12 inches is a foot and an inch is this. Like, they define all the weights and measurements for everything. So they're, those are the standards and how we measure things, a subgroup inside that is NICE, the National Institute for Cybersecurity Education and they have a bunch of different initiatives on how to create a common lexicon because if there's one thing our industry sucks at is either using awful words to describe things unclearly or overloading terms and using the same word to describe different things in different contexts. And so to me, the idea of NIST NICE was. All right. If I'm at company A, you know, you're looking in the job postings and I'm looking for, you know, a SOC analyst, and the company B also has an opening for a SOC analyst. Those could be two very different things even though they're both SOC analysts because each company has a different definition for what the SOC is and what its employees should be doing. And so the idea of NIST NICE is well, What if instead of calling people, SOC analysts, we just said here are the knowledge, skills, abilities, and tasks, the KSATs that individuals are expected to be doing. That way I, as an individual, I don't need to look at, you know, Incident responder, malware analysts, security researcher, and try and figure out what actually is going on at this organization. The employer could say, alright, like if you're going to be incident responder to our company, these are the things that you should be expecting to be doing.

Mike: Right.

Evan: Ironically, I think NIST NICE has kind of backed into the same problem that we all found is well. No one's going to look at a thousand different knowledges, skills and abilities to determine what it is he or she wants to do. And so NIST NICE now gives you a hundred, some odd job descriptions

Mike: Right It's very hierarchical, which is great.

Evan: Yeah.

Mike: I mean, they even have it out with the very high level of like, are you on the attack or the defense side? Or you know, and sort of has that nice classification, like a way to sort of. It's a document.

Evan: Yeah, Like, Are you ultimately an analyst, an operator, you know, a responder, a risk compliance person, but even within that, you now have as a job seeker. Here's the 10 or 15 commonly used job titles. So if he didn't even know this thing existed now, you know, it existed. So what do I want to be when I grow up? Well, here's what I'm eligible for,

Mike: Right

Evan: Or I always want it to be this but here's where my talent actually lies. Maybe I should explore this

Mike: right.

Evan: And so within ESCALATE, we provide that, you know, if this is where you are, and this is where you want to be, here's what you should be doing next, that recommendation engine. And that works for the employer as well. Because again the employers may want their individuals to be really, really good at what they've been hired to do right now but they may want to create that. You know, career progression pathway of like, here's how you go from SOC to blue team, to red team, to CISO

Mike: Whatever, right

Evan: whatever or wherever the career tree is at that particular organization.

Mike: Yep. Have you guys looked at, like, I know for our trading platform, I wanted to do some more of this of, you know, a lot of people don't know what they're good at or they just haven't been exposed to something. And so along the career path, trying to put sort of 10 gentle things that are maybe, related to other areas and give them those opportunities to sort of do a thing and like, Hey, it turns out like, Yeah, maybe they self identify or maybe our recommendation engine is able to identify like, Hey, maybe you'd be better suited for this thing. Have you guys explored some of that?

Evan: Yeah. We've invested a lot of time and energy into that. And so every member of ESCALATE has a heat map, right? Here's what you've completed. And here's what that maps to in terms of what you've already demonstrated competency in. And then again, the individuals are then empowered to either say, I want to do more of that. And you know, not just be junior but senior or like, maybe I should explore this other thing.

Mike: I really suck at this

Evan: Yeah. well, yes. No words in that line. Fair. But that's important too, right? So we actually, I will say a sidebar, you know, managers are inside ESCALATE, have full access to aggregated data from what their employees are not doing. And one of those data points that we give managers is who's not logging in at all. That has, that fact has value to a manager, right? Who's not either taking advantage of this or not doing what they're told or not progressing,

Mike: Right. Or not motivated to it. They're not interested. They just don't have that interest. Right. I mean it gets back to my first point or your first point, it's a gym, right? Like we can provide the facilities. We can give you the weights. We can give you personal trainers. But if you don't show up.

Evan: Yeah. And

Mike: and that just shows that your problem, this maybe is not something that's as interesting to you.

Evan: Right. And that's tough love, but that's important for a company's bottom line and for an employee.

Mike: Right

Evan: I mean that good fit thing works both ways, so

Mike: Yeah. I totally agree. Getting back to AI, I mean one of the other things that sort of getting back to why I think it's also a little scary is you look it like other systems that have deployed AI and. Now they've been trained to actually not identify. Because the training data has become so corrupt over time that like they're actually trained not to identify the problems and think that's normal. And so, that also worries me a little bit when you start talking about using AI within cybersecurity sort of active monitoring defense type thing is. Over time, How if I'm a hacker and I know systems are using AI, how can I exploit that

Jonathan: Yeah. It's like the, it was like that microsoft gender bot that they like trained to be a Nazi and like 14 hours or some crazy number. It's like, that's a genius way for like a hacker is like, cool. I'll just send all these fake signals out, like change their baseline over the course of six months. And then I come in and just wreck house.

Mike: Right.

Evan: Yeah, There are definitely enough studies out there to talk about the implicit biases of you know, of both the algorithms and the implementation of those algorithms and just the datasets that are either selected or not selected for the Corpus. So I agree with you.

Mike: Yeah. I mean, I think it just turns like from social engineering now it's AI engineering, right? I mean like the same techniques that you sort of see hackers use to get in the door can be applied to.

Evan: But that's why you need people. Right. And that's why Cybrary is doing well. My Point3 is doing well and others are doing well because, you know, just going back to like the Stuxnet day is right. Like everything was blinking green checks across the board.

Mike: Right.

Evan: And meanwhile stuff is on fire and no one is like thinking to look physically at the device and say,

Mike: I smell smoke.

Evan: Yeah. But if you're going to outsource all of your decision making processes to software and, not have the trained individuals to understand. How do I know, just because it's green that it's green, right?

Mike:: Right

Evan: What are the other things that a human will just have intuitive, you know, dialogue with, more powerful, you know, way more powerful.

Mike: Right. And I think the way you get that sort of intuitive is. Going through it. Like I don't, A, getting back to the sort of actual level. Hands on learning

Evan: Yeah, absolutely. The only way to learn is to do

Mike: Right

Evan: or one of many ways. But the way that we found our niche is, is to do it.

Mike: It's totally a way. I mean, and I was actually, I think it was yesterday. I was listening to a podcast about learning in general and how important it is to sort of reinforce things that, like, I think this gets back to the certification. I think a lot of people can sit in a class, can learn the material .Do well on an exam. But they haven't really learned it for life. You need multiple modes of learning in order to actually really learn a thing you need time in between them. One of the other things I thought was interesting that they brought up was they've done studies about, I can't remember what they called it, but it was, Sort of doing multiple topics, like spend you know, 10 minutes doing math and 10 minutes doing English 10 minutes doing science and then go back to math. So that you're sort of doing small chunks, spaced out, sort of integrated learning, I think is what they called it. And I'm trying to think of how we would apply that also at Cybrary. And I'm sure, you know, sort of the same thing of like

Evan: Yeah, I believe that, I definitely feel like a lot of times the human brain will incorporate lessons like in the shower or like through a dream or you know, and not necessarily when you're physically on keyboard. And we see that like a lot of our challenges are designed to not be five minute puzzles but like five hour puzzles and rarely do we encourage the individual to sit at the keyboard for five hours.

Mike: Right

Evan: But if you do an hour a day, you have the problem down in a week, which. Is again better for your brain and for your confidence. And that's more indicative of a real world problem. Anyway, you know, you're not going to always be able to copy paste off the internet and like in 30 seconds

Mike: Right.

Evan: Mission accomplished, you know?

Mike: Yeah, totally agree.

Jonathan: That would be like, It would be like a four day lab where you spend the first three days getting absolutely nowhere looking through logs.

Evan: Yep. A lot of our challenges are that way. Yeah. Our biggest challenge, our, as a company, our biggest challenge is people get frustrated quickly and they give up quickly and. Our job is to make sure that yes, it's new. Yes. It's intimidating. Yes. It's hard, but you can do this, you know, just don't give up, like you get there if you invest the time. But I agree with you. I think, in a four day challenge, like three days is going to be just like, Googling terms to then Google research papers to then, you know, install software and deal with all of the dependency health. And then finally you're ready to like look at the problem.

Mike: Yeah, no, I can't tell you how many times you go to look at the problem and now you're solving all the other problems with it.

Evan: Yeah

Mike: Like it’s on the software, it's like, now this thing, and now it's like, Oh no, I gotta go change that role and do this. And by the time you're done two days later, you're like, wait, I haven't made any progress on the actual original problem.

Evan: You just don't feel it. And I think that's a benefit of a hands on learning approach, as opposed to say going to some like a one week seminar ,you know ,workshop where you might feel good at the end of it because someone has led you to that solution. But you're not actually doing good. Right.

Mike: And you don't get that high, that endorphin rush of like, I solved the problem, right. Somebody has to lead you to the next problem

Evan:: Yeah. You already do the next problem. And you have research tools at your disposal that you've learned through struggle.

Mike: Right

Evan: You have to learn through struggle.

Mike: So for the lower level or the entry level type for people that are just getting in. Do you try and make them shorter? So you sort of get those quicker wins where maybe, Hey, this environment's already set up and you just have, you know, you don't have to worry about all of the nitty gritty or

Evan:: Yeah, we try and make that process easy for our members. Right. We have everything hosted in , you know, cloud based range. You can VPN in and go to town. You don't need to have special software. You don't have to have or you know, a hypervisor or you don't have to have, you know, large downloads to make things happen. You just, you know, fire your computer at our network and you're good to go. And that takes a lot of the intimidation factor out of getting started.

Mike: But do you, and do you make it. Do you give less and less as people progress as they

Evan: Oh yeah.


Mike: Right. So, yeah. Okay.

Evan: Yeah. I mean, notoriously, within the ESCALATE community, like why are there no directions where, why can't I click a hint by then? I don't know, like welcome to life dude. You know, like, you know, inside at least the way we've contrived ESCALATE. Everything is a flag. So you will always be looking for a flag and we tell you what the format of the flag is. So you already know the end state, how do you get there is totally different, you know, cause even like we thought about it, like where a lot of our competitors will be like, this is the buffer overflow challenge. This is the rough challenge.

Mike: Right

Evan: This is the SQL inject challenge, but like. If you tell them that then they know the answer, right. They might not know how to like tease it up, but they've already exhausted all of the other things

Mike: Right, They’ve would been

Evan: That could be

Mike: 80% of

Evan: Yeah.So all of our challenges have just silly, like randomly generated code word names.

Mike: That’s great. So you don't know if it's a SQL inject or you know, file inclusion error or something. Like you have to go through the processes then you develop yourself and work the problem, you know

Mike: Is there a fun theme to the random generated names?

Evan: No, I will neither confirm nor deny that there's a rational by, in any of the terms

Mike: They made things as always the hardest thing in computer science.

Evan: Oh yeah. Especially if you're ever coming out of like the intel community, you know, all of those discovered terms mean something.

Mike: Right.

Jonathan: I don't know if I would say it's the hardest, I would say the most amount of time

Mike: Well, there's that

Evan: Oh, Yeah.

Jonathan: Yeah, You know it's funny. Cause like, I remember when you're talking about like the name of the game, it was like early on, like I remember, It was like hack this box or whatever. And it would just be like, step one. It's like here's your SQL injection pack. And then it would just like, they would get harder and harder. There's no direction. But then it was like solve hack this and then it was just like all these like cheat sheets and like crazy things like that. And it was like, Yeah, no hack this box like works great. It just, it tells you so much information that like, you're not really like learning anything. And then at the end of the day, because you know, that parachute exists like right there, like how hard are you really going to try to kind of go down it and things like that. So I think that's super interesting how you guys are like kind of giving away. It's more like real world type situations where you can't just wait and go, Oh, I know it's this. Now let me start digging that.

Evan: Yeah, we're big fans of hackthebox. And I think what they're doing is super important. We've tried to take away for the entry level, inspired individuals, some of the complexities of setting up your own home lab and kind of going through that process. But I think really, you know what we have tried to focus our content on is less on. Oh like, Hey, the gimmick is that it's, you know, windows XP and you can go online and download one of a million different other windows XP exploits. Right. And they're well known. You don't need to know what they are, how they work or how they were invented or really what the mitigations are. You just download plugin, DoubleClick kind of a thing. We've tried to develop content where you have to develop your own exploits and write your own shell code and on defensive challenges, the host targets, they're hardened, right? They've got logging and antivirus and other mechanisms. And there's still a bad guy there. Right? So your job is to find the bad guy that's already passed all the defenses. And so we try and come up with not yesterday's attacks but tomorrow's and I think that's what separates us from those other kinds of lab environments.

Mike: I mean, but given the fact that so much of like the attacks and other things are basically script kiddies they are just downloading those things and doing that. Is there some level of training people to deal with that stuff? Or you just sort of basing it on? Well, you know, those are known exploits. And so if you just do this

Evan: because I think not for Point3, right? I think hackthebox already does a great job. And if that's your threat vector is a PHP five bug or some cold fusion bug or whatnot then. Then go with hackthebox.

Mike: Right.

Evan: Cause they've already done it. Like they've built it out and the contents are fantastic.

Mike: Right.

Evan: We're trying to train like the next level of thinker. So the problem sets are a little bit different and the outcomes that our members get is different so

Mike: Totally makes sense

Evan: Yeah know, props to hackthebox. Like honestly, the technology is fine. Like they're doing a good thing for a lot of people and that's great.

Mike: Yeah. No. And I think that getting back to what Jonathan was saying about people taking hands, I think that's actually, we have similar sort of labs and they can give hints and whatever, but that's also accounted for like, how quickly did the person do, you know, after the fall to that day, did they have to take the hint to get farther? And that's an indication, well, maybe they need to go back and learn this in a slightly different way. They didn't really learn the lesson. Now let's have them go back to that lab environment and try again. So

Evan:: Yeah, Reasonable.

Mike: Yeah. May think hints are important, like in a way, right? Like that's what gives you the ability to continue without that just feeling overwhelmed and like, I'm just going to throw in the towel.

Evan: Yeah. And so to address that, what we have done is we've set up a mentorship network where if individuals are just getting frustrated or confused or just need a little bit of love, they can approach one of our mentors to say, Hey, like, I'm stuck. I need a little bit of love.

Mike: Right

Evan: And honestly, we, you know, our mentors and our members now realize this, the mentors are not going to give you out. Like I can't hint. They're going to basically play therapist. Like what have you tried?

Mike: Right

Evan:: How do you know it's not working? What are some alternatives and have the individual get him or herself unstuck,

Mike: Right. No, that's great. I mean, we had, that reminds me a lot of one of the senior engineers at my last place who whenever some more junior engineer came to him with a question and like how do I do this? He's like, well, what have you tried? Like, what are the logs? Say, go do this. And so it really taught them how to fit, you know

Evan: how to troubleshoot

Mike: Right. How to troubleshoot and then when they came back, you know, the next time they usually had done more of those things, and I think that's a great way of doing it. Do your mentors and community help each other in real world environments? Do you sort of encourage that or discourage that aside from within the training itself? Like if I'm at work and I'm seeing something like to people.

Evan:: Oh, interesting. I don't know that I have an answer for that. But it's probably something we should certainly consider.

Mike: I mean it's a lot of our enterprise customers. So community is a big part of the Cybrary. System, and ecosystem, but, our enterprise customers, there are some that are very weary of having their people involved in that community because now there's information. There's compliance reasons. There's all sorts of reasons. And then you have others that are like, that are much more on board with, yeah. We'd love to have. Our staff in those communities because they can get sort of

Evan:: Yeah

Mike: So I can see how it would be very, that's why I guess I was asking the question because I could see it being very difficult. If I'm an enterprise, how much do I want my people in those communities and talking about what's going on? How do I know I can trust the other people in the community?

Evan: That’s fair. Yeah. I think you know information sharing, you know, the ice axe in general like there's definitely a value to that. There's also a time and place for that.

Mike: Right, exactly.

Evan: There’s also like a chain of command into approaching that. So, yeah, I don't know that we've directly tackled that but we do have a worldwide community. We have a vibrant chat room and forums and we do live events and people kind of spring up until, you know, physical groups to attend like web based events that we put on.

Mike: So Cool

Evan: There's definitely a vibrant community. I'm sure that dialogue is happening somewhere

Mike: Right

Evan: Yeah.

Mike: Right. Cool. It's one of the things that the last place we also had to monitor was all those sort of those chats and from a compliance perspective, what are

Evan: Yeah, fair

Mike: it was more on the financial side of, you know, looking for insider trading and other things, but it's sort of, same thing of like, if we open up these communities and allow people to share information, how do we control that information and make sure it's not being overshared?

Jonathan: General question. We're gonna wrap it up.

Mike: Right

Jonathan: Just a couple of like quick fire questions. It can be super interesting. What is the, what do you think is the most underutilized skill or tech that companies should focus more on that you've seen?

Evan: It's supposed to be a rapid fire question. I feel like that's a dissertation.

Jonathan: No, sorry.

Mike: I agree.

Evan: What is the meaning of life?

Jonathan: Ah, man

Mike: Just go for 42 and let's get

Evan: Yeah. No, look. Our company's tagline is, It takes a human. We strongly feel that your human assets are not cost centers but your assets and, We highly encourage our member companies to invest in their people in a variety of different ways, you know, training and talent cultivation is one way. But, you know, we put on competitive events to kind of build morale and to again, have those like, you know battle of Pittsburgh or like, you know all the airlines at this airport should go in like CTF against each other and like build up that human capital pool. Cause it takes a human but it takes like a network of humans to get things done.

Jonathan: So you actually do like live events like you do like straight up, like gamification in the real world type stuff.

Evan: Yeah. So we do a lot of corporate events. We do a lot of trade shows, conferences, where we can either throw on the capture the flags that are human versus computer style. We can do more of an interactive team versus team style, all through using you know the ESCALATE ecosystem and just a different capacity. Yeah, we do that quite a bit. Actually we're powering the Maryland cyber challenge coming up in December. We were actually approached, this is a really cool story. I don't know when this podcast will air but we were approached by four different women’s focused on profit tech groups, WomenHackerz, WoSec, the Women's Society of Cyberjutsu and Gatebreachers. And they each independently came and said, Hey, we want to do a Women's only CTF. So we ended up facilitating, like why don't the four of you just get together and throw this massive event. So for all of your listeners and subscribers, on the 2nd of November, there is a global CTF happening all virtually where individuals who identify as women can, for free compete in one of two tiers, there's a beginner-like noncompetitive friendly environment. And then there's a competitive environment with women from all across. I think we've got over 500 people signed up on all of the continents. If you're in Baltimore, we are doing a physical location. There's other groups that are organically kind of springing up. I think we saw one group in British Columbia is hosting. Like let's all get at the coffee shop and do the virtual CTF together. So, November 2nd is going to be an interesting, interesting opportunity for anyone who's ever wanted to start in and understand the CTF environment.

Mike: Very cool

Evan: Yeah. It's going to be really cool.

Mike:: Yeah

Jonathan: That's all I got. Do you got more questions?

Mike: No, I'm good.

Jonathan: I mean, you got any questions?

Evan: I got no questions for you guys, so, yeah.

Mike: Awesome. Yeah, I think we're

Evan: Thank you for your time. I appreciate it.

Mike: Thank you.

Evan: Yeah.

Mike: Appreciate you coming in.

Evan:: Absolutely.

Mike: It was a lot of fun.