Join us in this intriguing discussion with Philippe Humeau, CEO and co-founder of CrowdSec, as we navigate the shifting sands of the cybersecurity landscape. Philippe lends his expert insight into how cybersecurity threats have tripled over the past decade and how the ongoing digital warfare between nation-states is shaping our online lives. We explore the pressing challenges businesses face, from DDoS attacks to the loss of private data, and the implications these threats have for potential IPOs and revenue streams. Philippe also sheds light on the advantages and potential pitfalls of open source security platforms, highlighting transparency as a key benefit.
Listen in as we delve into the nitty-gritty of zero-day attacks and how CrowdSec's Multiplayer Firewall provides a proactive approach to combat these threats. Philippe discusses the importance of blocking threats before they reach their destination, a marked departure from the traditional reactive approach that only identifies threats after they occur. We also explore CrowdSec's Network Effect, a dynamic system capable of identifying and blocking threats within minutes.
Finally, we shift gears to discuss the rise of cybercrime actors and the difficulties they face in obtaining IP addresses. Philippe underscores the importance of preventive action and shares best practices for protecting against IP hijacking attacks. We also ponder over the potential of AI-powered cyberattacks and their implications for companies and governments. Tune in as Philippe shares his experiences of building a cybersecurity startup and the repercussions for the industry. This episode is packed with insights, don't miss out!
More About Philippe:
Philippe is the Founder of CrowdSec, an open-source multiplayer firewall that is able to analyze visitor behavior & provide an adapted response to all kinds of attacks. It leverages crowd power to generate a global IP reputation database to protect the user network.
As of today, users come from 110+ countries and block approximately 700,000+ malevolent IPs per quarter, and in December 2020 the company also raised $5M in funding!
Philippe also holds an MBA in Computer Sciences from EPITA, has created 5 start-ups and seeded 10 of them.
https://www.crowdsec.net
https://www.linkedin.com/in/philippehumeau
0:00:01 - Mehmet
Hello and welcome back to a new episode of the CTO Show with Mehmet Today. I'm very pleased joining me from France, Philippe Humeau. Philippe, very nice to be with me on the show today. I'm very humbled to have you. Thank you very much for joining. The way I like to do it, I keep it to my guests to introduce themselves, so the stage is yours.
0:00:21 - Philippe
Thank you, Mehmet. So yeah, I'm Philippe, CEO and co-founder of CrowdSec and, for my background, I come from this IT engineering school, right. So cybersecurity and all. But it was like 25 years ago, so the landscape was fairly different, but I stuck to it. I love it and I had a company in the past, MSSP, MSP. We were also doing a lot of intrusion testing, pentesting, red team and so on, but nowadays I'm really glad to be on the defensive part and to bring something near the table.
0:00:58 - Mehmet
Great, and thank you again for being with me today, Philippe. Now you mentioned something about how the landscape has changed, so how did you see it evolve? You know, from mainly cybersecurity threats perspective. So what was different, let's say, 10 years back from now?
0:01:16 - Philippe
Yeah, if you take, for example, a single IP address over the internet and I did this test, like 10 years ago, an IP address that would be absolutely random. So you know, like a home, a great IP address that is distributed by your ISP or something like this, it would be scanned something along the lines of 700 times per day, right, the super-o-port scan, to see if there's something new. Nowadays we're more on 2.5K, 2,500. So it tripled already.
And there is a permanent opportunism of all the nation-states, the government, their affiliated groups, for some of them to be aware of the concept of the landscape and be able to react or act as a see fit to defend a political view of the world on our digital life, because is it what it is? I mean, we cannot anymore live without our digital surface and I think nation-states and states are very, very much aware of it and they fight this graze on the war. You know, as long as there are no bodies, they feel like it's not going to trigger a war anyway. So they can assault themselves, each other online, constantly stealing IP, stealing properties, stealing secrets and so on. Because, hey, no bodies, so no official war declaration.
0:02:43 - Mehmet
Yeah, it's completely different place from where we were like 10 years back. And, yeah, back to your point, like even the nature, I think, of the attacks changed as well. So, from your interaction with your customers, what do you think there are their most pressing challenges? You know, especially you know when you deal with businesses, so what do you think is their most? You know I would say thing that they, it was, it was them the most.
0:03:19 - Philippe
Yeah, it can typically depend on the business. Like we see as we speak right now, there is a DDoS happening on OpenAI. Yes, I have a transparent on that. Their API endpoint is being hired. We only exactly know the nature of these DDoS, whether they are the KDE or network based, but, for example, for OpenAI, you know their API endpoint and their SaaS services is their whole business stream. So it's critical.
It's a life and death matter for them to be able to render the service online. Otherwise, you know, no income, no income, no IPO, blah, blah, blah or SPAC, whatever they will do. But you know it's a lot of value right away and a lot for clients and business. For others, it is rather around revolving around the private data. Like if you are a B2C selling something online, an e-commerce shop or something like this, losing your client database is used to be bad, but now it's criminal, which is different from just having a problem with a moral problem. Now you also have a serious legal problem, right? So, yeah, it's so dependent on your business, but I don't see any business being totally a safe. So if anything happens on their digital surface, whether you're a plumber or Microsoft, doesn't change anything. You depend on your digital surface to work and to get an income.
0:04:45 - Mehmet
Yeah, and to the point that you mentioned in Philippe, which is, you know it's something we repeated on the show and you know I have my, you know both of your audits and sometimes even when I was at the corporate world, because you mentioned OpenAI. So, OpenAI, yeah, people know it's ChatGPT, but there are a bunch of businesses that they rely, or startups, maybe they rely on their API, so this becomes like a problem with supply chain. Like, I use some tools actually for my podcast production and I had to go to the manual work this morning, for example, to do some tasks because you know none of the services that works with OpenAI is working good enough. You know that they have this. If you have the developer account with OpenAI, so you can go to the playground and you can do that. It's like their internal system, isolated system from the outside world.
Yeah, but you know this is really really a big issue. You know, and people, you know I think they ignore this. I would say the impact of these attacks. You know you're losing, as you said, you know from revenue perspective, and it's can affect because you said maybe it will stop the IPO as well 100%. Now, I know, like you do, and discuss a lot of things about leveraging open source security platforms. So, in your opinion, what are some of the advantages and some of the potential drawbacks of, you know, utilizing open source security platforms?
0:06:21 - Philippe
Well, the main advantages are transparency, because you know the code is clean. There are thousands of eyes looking into your code. That there's no backdoor, no problem, no existential crisis in the making for yourself like, not like SolarWinds. You know close code, we don't know. Oh my God, there was a backdoor. Even though they didn't want it, you know it was embedded by other people.
First of all, transparency, I'm pretty sure. The second thing is it's also very efficient to help you adapt your software to any kind of it surface. So there are just so many stacks in the world, so many people using so many different technologies. It would be nearly impossible for us alone to be able to stick to all their surfaces. Now, because we have a community and because it's open source, people develop their own scenarios, their own connectors, their own parsers and they can contribute to the software we can move versatile. That it ever was or ever would have been if it would be a closer software. So those are really two big pros in my eyes.
And the last one, which is not related to open source but is kind of a sibling, is it's free. One is not the other, we would all agree on that but the fact that it's free. It allows it to have like a virality, because the first friction to adoption is money. So when you can offer a software for free and find a business model around it that would sustain this kind of growth and help everyone but also help yourself in the making, I think those are very virtuous business model.
But the weakness, the vulnerability, is here as well. I mean, if you cannot validate your business model as an official software editor, it's, first of all, it's really hard to find one and second, it's really really tricky to point to because the community can backlash on you because you made these are that pain and the fact like they are the trade or at some scale, like larger scale, like elastic search, readout and so on. They are so many people in news lately that you know to change a model because they couldn't meet the two ends at the end of the month, you know, on the piano. So, yeah, really tricky business model to balance, but very good of your choose.
0:08:41 - Mehmet
Regarding cybersecurity, yeah, yeah, definitely. Now, one of the things I know that you like to discuss a lot is you know, let me, let me first, because I never asked this question. I know it's a very obvious question for people who are experts like us, but I mean, let's, let's explain. I know it's a very obvious, but I want to hear from an expert, because some of my audience you know when I tell them this is here, what do you mean? Zero day attack, what? What do we mean by zero day attack? And then I will relate this to the next question.
0:09:14 - Philippe
Yeah, so zero day attacks usually to attack start unknown from public sources like CISA or other CVEs, like continuity database that are not known yet and that exploited by several criminals actively. But good guys, good researchers, have not found it yet. So we see spots, we see traces of something being exploited and we never knew it was vulnerable in the first place. So this is what we call a zero day. It's a private research that is at large somewhere and able to compromise things even though we don't know about it yet.
0:09:54 - Mehmet
Yeah, yeah. So this is always where I tell, because, to your point of the previous question, when you write code you never know if there is a back door and if someone or maybe even a bug that no one discovered, and we always tell people the bad actors. Actually they do research as well and they spend time and money to find about these and their number one goal is to find actually this zero day attack and there isn't zero day because no one knows about them. Now this is where you talk about the multiplayer firewalls. So, and the concept of having this to make it different than the traditional firewall solution to avoid zero day attacks. So can you explain that? What do you mean by the concept of multiplayer firewalls?
0:10:48 - Philippe
Yeah, so lately I'm using an image. I mean arguably maybe not the best because of the world state right now, but it's still very easy to understand. So when you receive an attack at your border on exposed services, on workloads that are running in the cloud and DMZ in your infrastructure somewhere and that they receive public requests, you can compare that to having a rocket fired at you. So there is a part of it, a missile site. So there is a part of it which is basically a rocket propellant that pushes the payload toward you. And there is a payload which is eventually an exploit, a logic fault, a brute force attack, a DDoS attack, whatever it is.
So if you separate this in two parts, the rocket is where CrowdSec tried to act, so we tried to dismantle, disable the vehicle that will carry the attack to your border, and this vehicle over the internet is public IP addresses.
We don't know any other way to actually carry attacks from A to B, except if you are close to the physical building and you try to hack airways like Bluetooth, wi-fi and so on, but other than that, if you're on distance, you have to go through public IP addresses.
And then there's a second part, which is a payload. The payload eventually reaches your own workload, exposed over the internet, and you don't want it to explode in and create damages around you. So CrowdSec added this cybersecurity software that read the logs and we look for payload traces, right. Things that are bad behavior, things that you don't want to see happening at your place. But by doing this in a network effect, by networking all the security engine doing this and collecting logs and reading logs and blocking attacks at scale, we create a network effect that is disabling the rocket bottom by disabling, by diffusing actually the payload in many places. We also see what are the carriers and the vehicle, the rocket, the public IP addresses that are launching those payloads. And then we create this attracted block list that we share back to all the members of the network. So the telers square address them and in return and how, and in return, we tell them who is aggressive toward everyone else, so that they are protected before those IP addresses even reaching their doorstep.
0:13:13 - Mehmet
OK, I got it. So is this something similar to what we know as the threat intelligence service? Is it similar to that?
0:13:25 - Philippe
Yeah. So threat intel often relates to feeds that you receive. They are often curated and of various quality, but they react in months or weeks, eventually days at best. CrowdSec is a fully dynamic system so it reacts below a minute, sub minute. So if a 9-tiered rest becomes extremely aggressive, very quickly it will be part of the block list extremely quickly as well. And also CTI, if you ask people.
We'd love to partake into this Google for Startup program and we had many people from many as mentors and we asked them hey, what would be a definition of CTI? And it's like, oh, this, when we search for traces, when we search for what happened in the breach, we know how it happened. Then we dig into the CTI to have it. And CrowdSec, in a sense, is proactive, it's not reactive, it's not about dead body counting, it's about preventing it from happening in the first place. So I would say we play in the TI field globally a gender patenting, but more in a proactive manner than a reactive manner, more as a block list and a database of information. So, yes, we partake into this world, but maybe in a bit of a different way.
0:14:41 - Mehmet
Got it, so it's like more an early sign before actually the bad things start to happen. If I find this to the right from you, ok, great.
0:14:52 - Philippe
CTI. If you have things in your logs like you use a CTI because you saw IPA, bcd in your logs, something happened, and so on, you dig into it. You want to know what happened when it happened, and so on and so forth. It's too late already, right.
0:15:04 - Mehmet
Something happened already.
0:15:05 - Philippe
So potentially it's too late and CrowdSec's goal is to actually make it too early that, blocked at the border, it doesn't even reach the payload in the first place. And if it reaches the workload in the first place, you still have something to diffuse the payload locally, which is a security engine that will still try to kill the connection to this public IP address. So, yeah, it's slightly different position, even though I agree we play in this field.
0:15:30 - Mehmet
Right. So, and I believe you know, because you identified this bad IP, so it will be in the firewall rule, so that will be blocked. Before actually reaching the payload reach the destination.
0:15:48 - Philippe
Globally. Yes, after there is a lot of difficulties. Like, say, you're, for example, eShop, a webcommerce system, and we tell you no IPs, don't worry, we know they are bad and like, yeah, but you know what? Some of them are VPNs, some of them are residential proxies and we still want them as a customer potentially. Yes, those IP may carry some danger, but we still want them as customer potentially. What is your real stake as an eCommerce system? Like avoiding to get credit card stuff. You know people trying credit card and making fake buying. Avoiding credential stuffing. Like people trying to use the credential of others to buy things for themselves and to get your system down, or scalping. You know these kind of attacks that are very specific, but maybe the rest you don't feel so much, you don't care much about. I don't know VYP scanning, blah, blah blah. It's not your stuff. So instead of just dropping it into your firewall, you may want to send CAPTCHA in return to the IPs that would be both fairly, fairly quickly and fairly efficiently.
And do you really need to block them entirely? Maybe not. Some are harsher. Some they put it in the budgetary block list. You don't even get a rod in this place. Your packet is in the void instantly. So there are many ways of you know using these remediation components, and we leave it to the client to decide why is their own strategy, and some of them actually have a hybrid approach, like they don't want any danger whatever on the VPN endpoint corporate network. You know this is so precious, nothing should happen. We just drop them, period. And on the eCommerce front, they're like yeah, okay, everything credit card related, both related. Now we discard and we send them a CAPTCHA and, for the rest, that's fine. So you know, mixed strategy as you see fit.
0:17:41 - Mehmet
Great. Now, I think, the natural question that comes maybe next. So why do you believe there's an increase in size of the, the, the attacks that comes from? You know, these multiple IP addresses Like? Is it like? Is it like from, from the hackers, or like, say, the bad actors perspective? Is it the easy thing to to, to, you know, use it as a vehicle or like? Why, I mean, do you believe it's? It's like the, the same crease that we started to see recently?
0:18:18 - Philippe
So there are more people active in this field than there used to be, and what I used to say, what I still say, actually to most companies is you don't need to be a Google or Microsoft or Cloudflare to be attacked. I mean, if you're the next or a plumber and you make a some turnover using the internet and someone can scout 5,000 euros from you by spending not so much time on the attack and not so much resources, they will try. It's like the mob. They have to climb the ladder. They don't become the boss and the Godfather next day. They have, you know, to make the artists and cloud before they are efficient and try to take down the NSA. It's not the the end boss. You take on the first day in your job.
So there is this there are more and more and more actors trying out to, you know, make money out of these cyber crime activities. And also, I think it's it's really important to consider that IP addresses are a vehicle and it's it's becoming increasingly harder for them to actually just use VPN endpoints or stuff like that, because, first of all, they are filtered. Second, they want to stay under the radar and a lot of VPNs. You are not at liberty of paying cryptocurrency or they have KYCs. You know they won't know that customer, they won't know who you are and you're not really at ease with telling them who you are and why you're using the IP address. Or if you look at AWS, for example, they make you pay for public IP addresses now, and Google will be saying he's already the same and as well. So if you want to rent a public IP address is 3.6 euros a month, give or take. You know that you would have to spend and it's expenditure. It's all tax for you as a cyber crime group, right. So, specifically, if you need a lot of them because when we see a meaningful group, they count thousands of IP address, not one or two, and so it's easier for them to rent them on the dark net.
You know to go and as as there are initial access brokers, there are also brokers that are giving you a bunch of compromised machine that you can control on distance and carry your attacks for you. So when they do it, they're random, right? Only 5% of the attacks are really carried through VPN IP addresses. So far we can tell from our figures. So the rest is what is compromised service? So how do you compromise a service? How do you get this munition, this ammo, in the first place? Well, you constantly scan the internet. The day there is a CVE of neurality, you exploit it, you keep the server for yourself and you write into the dark net for the others. That's why we see so much activity on this front.
0:20:49 - Mehmet
This is very important one, philippe, because I'm putting now myself, because you know people. They think that these IP addresses are machines which are owned by the actors, which, majority of the time, to your point, they are not. So they are infected machines that they are using. Now, if I am someone new to the space, I mean I'm a startup and maybe I'm building, you know, ASAS, whatever, so I'm using some form of IP addresses because I'm using, like, public facing website and so on. Maybe I'm building on one of the hyperscalers and so on. So this should be worrying me, right? Because if my IP get blocked or get, let's say, labeled as bad, now, first, how, what is the best way I would know that my IP is now used? And, second, how should I act as a business owner or, like you know, someone who owns this IP from your experience?
0:21:55 - Philippe
So if we speak CrowdSec, we have this kind of picture so we can tell you if your IP start to be reported by the network which is already, you know something inoperatively, before it becomes an increasingly bigger problem. Second thing is preventive actions are always the best here. I mean, if you have to create it later on. This IP already took a hit in terms of reputation. It will never be perfectly pristine Virgin again, ever. So prevention is really of the essence.
Now, if you start being reported and if you start being blocked, your client, your user, will start complaining to you that you know they can access your website, they can access your services, they can access their APIs and so on. And this is these are signals that potentially you ended up in some list. The way I would proceed as a business owner is to go to virus total right, very famous website for that. They are aggregating tons of fees, like I don't know, probably a hundred or something like this. I type in my IP address or my domain and see if it's supported by people, by companies and who, and then I would go to this company and say, hey, why am I reported? What's wrong? How can you help me?
This is happening every day for us, like people looking to the IP addresses on the RST tool contact connecting us and saying, okay, guys, it seems one of our servers is compromised. Can we discuss it and can you remove this IP address? Because we've risk taken the preventive corrective action on those machines. Now, in the case of CrowdSec, the IP will be automatically cleared anyway because it's only in the block list for as long as it is reported by the network. So when stopped because it stopped being aggressive, it's removed anyway, but for other actors it requires a manual treatment.
0:23:42 - Mehmet
Yeah, so so it's. I think this is where the early, as you mentioned, preventive approach should be, should be implemented. So, on a high level, like, what are the best practices usually to protect against these kind of attacks? I mean to to to hijack their IPs and use it for bad actions purposes.
0:24:06 - Philippe
Well, in a general way, what you expose overnight which would be usually one service only, publicly, and eventually from filtered other IP addresses, like management endpoint, like SSH VPN, whatever. So the service you are running is probably relying on several libraries, several softwares that you should monitor and be sure that they don't have a vulnerability or something like this. So this is fairly easy to do. There are tools and services that allow you to do this, to monitor your stack and your dependencies, to see if there is ever a vulnerability that is published. Also, you have obviously to be looking from time to time to the CVEs that are touching your specific framework not all of them, because every day they are like a hundred, but at least the one that are concerning your technical stack. Obviously, you should update quickly, frequently, and have this backup strategy that allow you to be constantly up to date, because you cannot be like 10 version behind. Otherwise we will pay that some point. Technical debt is really what the leverage when they, when they attack you and when they successfully compromise you. And then everything you log in has to be MFA. There's no way around it. If you have like a login of any sort, either you log with a key or a key plus an MFA. But just looking password is not going to cut it online, because even though it would be a proper password, it could be leaked somewhere or brute force eventually. So always have some some sort of MFA that that is like a vital thing on it and your supply chain. You know, monitor your supply chain. I mean, if you depend heavily on a third party service, you have to be sure that this service is serious enough not betray you with the, voluntarily or not. You know, this is what happened to SolarWinds. Actually, like companies like Microsoft, for example, were compromised because SolarWinds was compromised, in this case they didn't make any specific mistake except using the software.
For us, supply chain monitoring is key and special qualification is key. Fight against or so or fight. Try to index rather than fighting your dependency on the everything. What is it called Shadow IT? You know, when people are using services in your back and you're not really aware of it, you build up things that are totally external and in sort of best chambers. It's not a problem. Like someone used the word, press is compromised, it's a sub brand, whatever it's not really impacting your business. Well, it's not perfect, but okay. But if those things are connected indirectly to your supply chain and to your production environment, then you need to know about it.
0:26:47 - Mehmet
Yeah, this is great. Now I had this discussion offline with someone the other day a couple of weeks back actually, when we were talking about attacks and all this, and then because we focused too much on IP address and so on, so and imagine this, and the number of IPs actually is limited, the IPv4. People were keep pushing for IPv6 and still struggling. So imagine now this if we have more public IP addresses over this, it's going to be a bigger problem. And then, you know, we started to ask like why actually this is someone I get this question from someone who's not too much technical, you know. It came to my mind now and the question was like why we are still relying on a protocol that is like I don't know how many years old now 40 years, 45 years and why we didn't come up with something which is more secure by design. What do you think, philippe?
0:27:51 - Philippe
Well, there's a lot to impact here and I'll answer the second part of the question before why didn't we change? Because there is so much services relying already on this and it's nearly impossible to change all of the sudden and nobody would be able to migrate all of the sudden. It's impossible. That's why, for example, fire, police, firemen or police or ambulances still are using those old school you know receivers in their pockets and pagers, because you know it's part of the protocol that processes and procedures and have all the things to do in life. And just, you know, being techies and follow the trend. And I have seen banks that still have public IP addresses inside their walls Since they had, like very large public IP addresses changed at the beginning of the Internet. They use the public IP addresses internally and externally and they cannot get rid of them nowadays because those systems are in production, so they have different DMZ, subnetwork, blah, blah, blah. It's a mess. So you have to think of compatibility and migration and migrating everything all of a sudden would relate more or less to say hey, I'm in, the vehicle is over. Everybody needs to have an EV car tomorrow. We're just not ready, ready.
And the second thing is like IPv6, is this? Is this solving the problem? Have caution. I mean, there is still something you can fight against, because there is a limited number of it, even though it's way bigger. Is there a limited number of it? Because the logic behind IPv6 is to offer you as a human, as an individual, up to 20,000 IP addresses per square meter on Earth, so that you can have your private network, your PAN, private area network, eventually machining your bodies, nano machines, whatever, or a ton of devices serving you around yourself. So, as such, the principle is good and we solve a lot of problems. Now we know that when an IPv6 is bad, it's not just one IPv6. It's the whole range around it, because those ranges are given in chunks, large chunks, to organization. So when you need to do the IPv6, you don't just blacklist one IP address, you blacklist a whole range of them, because you know it's the same act of the idea.
0:30:02 - Mehmet
Yeah, now, of course, I cannot nowadays do any episode without asking about the impact of AI in cybersecurity, especially in the areas that you deal with, Philippe. What are you seeing in that domain?
0:30:17 - Philippe
We are authoring a paper as we speak with my team about something that we call Global Offensive AIs. Global Offensive AIs would be AI that our orchestrator and trained to use sub-modular APIs like the generators that are in several categories. One of them would be the generators. So voice generators, images generators, video generators, text generators. All these LLMs and diffusion model. They will help you craft extremely, extremely efficient, near-perfect phishing campaigns against your target. Then there are other modules that we name the scrapers. So those AI scrapers will be scraping the entire surface of your company, people, NIT, so that they see how it's exposed and who is doing what, and so on, and then, based on the information that they would be collected and crafting, they will craft a perfect phishing campaign that they will deliver in a snap of an instant to 40,000 people in your organization. And then every one of them will receive a perfectly crafted email containing everything that's genuine to screw them and ring them into thinking it's legitimate and make them click. This is the easy part. This is a nice part. This is a non-scary part. The scary part is the following. Now you can train AIs on CVE database, on white papers, on CTF logs.
Capture the flag logs when those guys are training in between themselves with the white hats. You get the logs of how they screw the machine, how they compromise the machine, and you make a machine, an AI, so you learn on that, oh my god. Then, all of a sudden, you have all your sub modules ready to unleash hell on earth against a target, because it will be all of a sudden, in millisecond, delivering tons of phishing emails, and that will be perfectly crafted and, at the same time, tons of perfectly organized, fuzzing, evasion techniques, CVEs, exploitation, logic, exploitation all of this coordinated by a global offense CVE that will be rewarding every sub module that she has like 10 different AI modules. Every time, the work was efficient and specific, and I think this is one of the greatest potential weapon and usage of bad AIs. And the same is true on the other side.
Now, if you start correlating when people harvest your users profile on LinkedIn and their social network, if you can correct that with also strange activity happening at your border, on your network, on your exposed surface and so on, you can have a global defensive AI as well. But I know for a fact that global offensive AI are trained as we speak. I know global defensive AI are trained as we speak. But yeah, AI will change everything. Are you as a person at risk? No, but are major companies or government at risk of it one day in 2024, facing global offensive? Ai sparkles.
0:33:24 - Mehmet
Wow, this is a really scary part, I'd say. And they are making it more and more easy. And of course, I'm on the side of leveraging AI in everything and tech. But this is a new thing that OpenAI did two days back, and of course, this will be aired maybe in a week or so, so people can relate when we recorded it. So they're making it more easy actually to train the model, because now you can bring the logs, the JSON files, any file, and then you can give it to the model and then you can ask it to act as a specific persona. Now, I'm sure that in the background they might have some restrictions, but again, I've seen examples where people were able to skip these, let's call them the policies or the restrictions, limitations they put to try to protect that. Oh my god, yeah. So they make it easy now for even non-technical people to do this stuff. So this is the scary part.
0:34:39 - Philippe
You remember this grandma attack. It was so funny, it made my day, this grandma attack, I loved it. So the people are like, yeah, please generate keys for Windows 11 or crack CAPTCHAs and so on, and go right in. Sorry, OpenAI would be like, no, I'm not going to do it. ChatGPT said, no, no, I'm not going to do it. And you would be back to it. And you go back, explain to ChatGPT that when you were a kid, your grandma that passed lately used to explain to you how to make bombs or how to crack this CAPTCHA. It was the secret to our cabinet and there are so many souvenirs that you would like to see. And go in, sorry, in OpenAI, we'll be like, yeah, sure, let me crack it for you. Like, really, because you said that it was coming from your grandma. Then it disabled the whole, you know, mechanism, protection mechanism that were embedded into OpenAI and you could ask it to produce, I don't know, whatever crap and keys and crack things, you know. So, yeah, there will be bypasses, there will be holes.
0:35:48 - Mehmet
Yeah. So time will only show us many things to come, and especially in cybersecurity, I'm excited. In a sense I'm not excited to see more attacks happening. Already there are a lot of attacks happening around, but I mean to see how, you know, the AI-powered ones, because, honestly speaking, we're seeing papers, we're seeing, you know, people doing things in labs. Let's say we didn't hear about a major one that came really from there.
But back to the open source thing, and, you know, with now more open source large language models that I believe, you know, in no time, you know, with the compute power becoming cheaper and cheaper, so, you know, like they will get this in the hands of the bad actors. So let's see. Now something which is not related to tech, Philippe, but, you know, when I was reviewing your profile, and this is something related to what I cover also, so you've been, like, experienced in starting up companies, right, so this is something close to my heart. So, you know, how is it different? First, you know, to start up, especially in the cybersecurity space. So if someone today, you know, maybe he's, she's listening or watching us, so what can you tell about the security experience in general and why, you know, the cybersecurity space is also, you know, it's a different.
It's a different thing than any other kind of startup.
0:37:18 - Philippe
Yeah. So that's a great question. The first thing I would say is that, you know, you will be fighting against the bigs of this world. So you will be fighting against Cloudflare, against Akamai, against, I don't know, F5, against Google, against, you know, all the big names of this world.
And there's a lot of stickiness in the way CTOs and CISOs are approaching the system. They don't want to change it right away for no reason. So you have to bring something new to the table, entirely new, that the others are not providing. And the second thing is you have to solve one problem. Don't try the one stone, ten birds path. This is what I'm doing. I can tell you it's hard. We will eventually narrow down our offering to solving one problem, even though we can solve a lot of problems with our approach, because CISOs and CTOs are focusing on one problem. They don't think they have 10 of them, or the companies are so large that they are each of them individually trying to solve one problem. So this is really something that I learned at my own expense. It's, it's, it's free heart.
Second thing is there is money in the system for AI and for cybersecurity, because investors are here and understand that and understand the need for those tools, so there is something I would recommend: you can explore this and invest in this, and if ever someone wants to create a startup, I can give you an idea for free. Bouncing back on what we just said about AI, you know, AI will become a commodity infrastructure, like OpenAI's goal is to become the AWS of the SaaS services. Somehow, you know, and what we want to do is for you to be able to create anything, so there will be bad use cases. There will be go is. There will be people attacking. What you could do, though, is a company that will be creating virtual employees.
I will be happy to employ virtual employees, not for them to treat something specific, but just to exist on the social networks, on the external surface, to answer some emails, very basic emails, to have a limited profile and other personal profiles, Facebook and so on, so that, if ever several of my virtual employees are targeted with attacks, I know I'm under attack from, potentially, AIs or other systems that are trying to screw me at scale, so that would be my kind of canaries to avoid my company being, you know, attacked or compromised, or my real users, my real employees, being compromised. So if I can rent your virtual employees for, say, 20 bucks a month per employee, I would gladly employ 10 employees, 10 virtual employees that would be, you know, they could work for me, they could display on the internet and if they are attacked, harpooned or contacted by things that look fishy, if your system detects it, you are, you're sitting on a gold mine, and this is the AI-driven cybersecurity startup idea offered.
0:40:07 - Mehmet
So do you advise them to? You know, you mentioned something about investors, so do you advise them to go immediately to investors, or maybe they should bootstrap first?
0:40:17 - Philippe
So the rules of the game. So bootstrapping is the classy, highest, you know, recognized way of doing things, and I'm totally in awe of those people that are making it from the ground up with their own coins, finding it wonderful and fantastic. I'm too old for that, sadly. So I have to take some shortcuts and take some VCs, because VCs are these, they are shortcuts.
The rules of the game globally are fairly standard, and as far as I know it's like you have, like, your business angels and your smart money, your family money, at the stage where they believe in you, not specifically your product. Then at seed stage you have proven that you have traction, that you have users using your product and you are eventually going to grow into contracts and going to have these contracts growing. I would advise around 50,000 euros per month in revenue. Then you are in the hard zone to be seeded, and then in the A round, you are in the zone where you have what's called the PMF, the product market fit. So you are ready to scale up and you are ready to get investment to repeat what worked already at scale until it becomes really a big thing. So those are the classical three steps you can think about, and if you want to kickstart something from nothing, a way of doing it for bootstrappers basically is you gather the founders' contacts on LinkedIn, you source, you reverse them to get the email addresses. There are a lot of systems doing this, and once you have the email addresses of all your contacts on LinkedIn, all together with the founders, you probably have something like 3,000, 4,000, 10,000 contacts, and you send them one email, and one email only.
This is the rule. You tell them, OK, I'm going to solicit you once and once only. We worked together in the past or we connected on LinkedIn. I would love to have your support today and I will never, ever ask you any other favor through this email. The favor is like: upvote this post on Reddit, upvote my GitHub repo if you're an official software, upvote, I don't know, this YC News, this Y Combinator News post that we had, anything that would help you, basically, or LinkedIn, whatever, and you give them a reaction and you forget about them. But all of a sudden, you will have a wave effect and if you are on GitHub, for example, you will end up in the weekly trending projects. Eventually, you'll make the monthly trending projects because there's such an income of stars all of a sudden that a lot of systems are looking at it, including investors. So this is a good way of kickstarting things for nothing for bootstrappers.
0:42:48 - Mehmet
Great insight, really. I think this is what resonates with a lot of people who are searching for ways of doing this, because I know in the non-cyber space, especially SaaS, I know people go to something like Product Hunt and they reach out to people to support them. But yeah, it's good advice over there, Philippe. As we are almost, like, coming to an end, where can people find more about you and about CrowdSec?
0:43:19 - Philippe
They can find more about the Alpecare family on CrowdSec.net, C-R-O-W-D-S-E-C dot net, on the website. If you type CrowdSec anywhere, anyway we will pop up on the Google search with many, many different things: our GitHub, our Academy, our website and so on. Just be careful not to confuse the X with a C or the C with an X. They are side by side on the keyboard and CrowdSex means something entirely different.
0:43:46 - Mehmet
Yeah, great, great. Sure, I will make sure that I will type the right URL into my show notes. I will not make this mistake. So yeah, Philippe, any final thoughts before we close?
0:44:04 - Philippe
Yeah, join the army. I mean, every day there are people that are suffering from those digital cataclysms in their lives, whether it's a hospital or your granny, or people, civilians, where the systems are not working at the wood, or businesses being crippled by those. You can help by just running the software to protect yourself in the first place, but also to protect the others, because this is the point of being safer together. This is the point of CrowdSec: to help each other in being stronger together. So that's why you can use the software, and by using the software, you make the internet a better place already.
0:44:43 - Mehmet
Yeah, that's great. And again, thank you, Philippe, for all this valuable information, whether regarding all what we discussed, the trends we're seeing, the bad IPs, how we can protect, how we can react, and what you're doing with CrowdSec regarding this, and, of course, the last part, which is very, very important, about raising funds and letting people know about the product you're building. So all this is very valuable information. Thank you for sharing that with us today. And this is how I end my episode. This is for the audience.
Guys, thank you very much for tuning in. I really appreciate it. If you are here for the first time, thank you for passing by. I hope that you enjoyed this episode and you keep listening to us. And for the loyal fans, thank you very much for keeping writing me and sending me your suggestions. So, and again, so maybe this is something you will have seen before on LinkedIn. So we're changing a little bit the format of, I would say, the frequency of the podcast. So we're going to reduce it a little bit, because people are telling me we cannot catch up on all the episodes. So we're going to reduce from weekdays to maybe two to three episodes per week, moving forward. So stay tuned for all these things, but you're going to see more episodes, more weeks focused on specific topics, so I hope you will enjoy it, and thank you again for joining in, and this is useful. Thank you, bye.
Transcribed by https://podium.page