UP042: Threatcare // automated third-party threat detection

In All Episodes, upside by jayclouseLeave a Comment

view episode transcript

Marcus Carey 0:0
Most of the things in cyber security have been the same things that have been plaguing the industry for years, and we just don’t fix them. I think that if you picked an industry that has Blinky light or shiny object syndrome, it will be cybersecurity.

Jay Clouse 0:16
The startupinvestment landscape is changing. and world class companies are being built outside of Silicon Valley. We find them, talk with them and discuss the upside of investing in them.

Welcome to upside.

Eric Hornung 0:43
Hello, hello. Hello, and welcome to the upside podcast. The first podcast finding upside outside of Silicon Valley. I’m Eric corner and I’m accompanied by my co host, Mr. well connected introvert himself, Jay Clouse. Jay,

how’s it going, man?

Jay Clouse 0:59
Is that a compliment?

Eric Hornung 1:00
It’s not an insult.

I just think it’s mind blowing. You have I don’t know how many LinkedIn connections you have. If the guests that it’s over. You know, 2000 you got tons of Twitter followers. You know, a ton of people you’re incredibly well networked. But here you are. You were here at South by Southwest. We’ve been CES together and networking drains you?

Jay Clouse 1:21
Yeah. Yeah. exhausted. Yeah. This is a common misconception about the man the myth, the legend Jay Clouse

Eric Hornung 1:28
Did you just call yourself the man the myth, the legend?

Jay Clouse 1:29
I did.

Eric Hornung 1:30
That’s embarrassing.

Jay Clouse 1:32
Common misconception about myself is that most people assume I am an extrovert. And I am very much not and being in such people intensive environments, especially with a lot of strangers or there’s not like a clear goal or thing that I’m doing. It’s just like meeting people for meeting people sake so hard for me.

Eric Hornung 1:51
Can you be one of those guys who’s just like, if I just get a little tipsy that I can get really into this? or it doesn’t matter how drunk you are, this is just not going to be your thing?

Jay Clouse 2:01
No at that. I mean, I do it. And I do it. And I think I do it fairly well, especially if it’s not multiple of these things in one day, but I do it pretty well. I would say that a social lubricant helps a little bit but at the end of the day, it’s not it doesn’t like get me into it per se. It just makes me a little bit more comfortable.

Eric Hornung 2:19
So how are you going to detox from 10 days of SXSW which is literally just been non stop meeting strangers?

Jay Clouse 2:25
Yeah, I detox by finding time to be alone. And like really leaning into it like I will probably pull up in my apartment. Like get under the covers and watch like the rest of that 2000s documentary series in silence with my phone like turned upside down for…

Eric Hornung 2:44
I’m sure your girlfriend loves that answer.

Jay Clouse 2:47
So this is one thing I really love about my girlfriend is it doesn’t feel like I am you know, pulling from the being around people bucket when I’m around her. So sounds weird to say, I feel like I’m alone when I’m around here. That’s not what I’m saying. But I don’t have the energy drain that I do around other people when I’m around her.

Eric Hornung 3:04
so romantic. “I feel like I’m alone when I’m with you.”

Jay Clouse 3:06
No, see that’s what I’m saying! I’m not saying that. I’m not saying that. I feel very seen and appreciate it. And yeah, she refills the bucket refills the cup.

Eric Hornung 3:16
refills the bucket. That is…

Jay Clouse 3:18
that’s a phrase right?

Eric Hornung 3:19
I don’t think so.

I think it is like refills the cup at least I can like play with I can I get to play it off of…

Jay Clouse 3:24
You know, there’s there’s a reason I was single for five years, Eric.

Eric Hornung 3:27
true, but you’re not single in the sense of being in a room with people. today. You’re here with me. And we are talking to who Jay.

Jay Clouse 3:34
Today we’re talking to Marcus Carey the founder and CEO of Threatcare. Threatcare allows organizations to better defend against cyber security threats by improving vulnerability management and defense capabilities. Their platform is a breach and attack simulation technology that allows security teams, incident responders and network forensic practitioners to reduce their attack surface by continuously monitoring their cyber security posture. Marcus, something that I did find out has a background as a Navy cryptologist

Eric Hornung 4:05
mm, that’s a title that not everybody has.

Jay Clouse 4:07
That is not a common title by any means. And I’m excited to dig into that, because that sounds like a whole can of worms. Mostly, I’m just interested in how people get into that.

Eric Hornung 4:16
I think that this whole space is something we’ve been talking about a lot and wanting to have somebody from a cyber background on, because I think everyone just uses this term cyber security. And it could mean so many things.

Jay Clouse 4:30
Everybody wants it like, yeah, I want cyber security.

Eric Hornung 4:32
Yeah, I want to be secure in a cyber fashion.

Jay Clouse 4:35
And I also have no idea if and when I am like if someone I have such shallow understandings of cyber security that if someone was like, yep, I’ll make you cyber secure. And they sold me something. I’d be like, I must be set. But really, I could still have tons of vulnerabilities. Who knows?

Eric Hornung 4:49
Right? So if you guys were looking for a great interview asking really deep questions about cyber security, this isn’t it.

Jay Clouse 4:56
We’re gonna try some more context on Threatcare there were found in 2014. They’re based in Austin, Texas. They recently raised a $1.4 million seed round from moonshots capital, flyover capital and Firebrand Ventures.

Eric Hornung 5:11
And our friend John Fein was the one who introduced us.

Jay Clouse 5:14
That’s right. We put out the call. We said we’re going to go to South by Southwest, we want to meet some Texas startups. John saw tweet you said let me connect you and really got us plugged in here talking other companies getting us the room here at Threatcare. We’re coming to you from the Threatcare conference room, and so appreciate our friends over Firebrand for that.

Let’s bring in Scot Ganow, an attorney at Taft, Stettinious, and Hollister to teach us about data privacy and security. Taft is a full service law firm known for assisting entrepreneurs across the Heartland. As a reminder, the following remarks by tax attorneys are for informational purposes only and are not legal advice. This information is not intended to create in receipt of it does not constitute an attorney client relationship. No person or organization should act upon this information without seeking professional counsel. Scot, thanks for coming on the show. How are things going in Dayton?

Scot Ganow 6:05
Absolutely great. Spring has sprung into Heartland. So things are looking up. We’re happy.

Eric Hornung 6:11
Gotta love allergy season.

Scot Ganow 6:13

Eric Hornung 6:14
Scott, I want to throw a hypothetical out there for you. Let’s say I’m a founder and I have limited resources, what are the three biggest pieces of low hanging fruit for data security and privacy?

Scot Ganow 6:23
So these are the basics. Number one, you have to classify your data, you have to give it a name, you can’t possibly govern and protect information if you don’t know what it is. And so you have to think of it both in external terms, for example, how the law recognizes such information like pH I, for HIPAA, or maybe PCI for credit card data, but you also have to classify it for internal term so your employees understand the different sensitivities and responsibilities attached to such data. So maybe you call it confidential, proprietary public, or maybe high, medium or low priority to help employees understand what data is special, what data is a little less risky. Once you’ve classified your data, you have to locate your data or map it, you have to understand where it is because you can’t possibly tell me it’s secure or being used appropriately if you don’t know where it is being used. And that internally, in your offices, technically and physically, both on servers and file cabinets, but you also have to think about the third parties with which you share that information. And then lastly, you have to implement risk based administrative technical and physical safeguards to ensure information is protected at the highest level possible.

Jay Clouse 7:35
That’s great. Scott, thank you so much. If people want to learn more about tapped or the work that you do, where should they go?

Scot Ganow 7:41
Go to Taftlaw.com where we have everything about our privacy and data security practice. You can also find me on LinkedIn.

Jay Clouse 7:55
Marcus, welcome to the show. Although you should be saying welcome to us since we’re using your base here.

Marcus Carey 8:02
Yeah, appreciate that. And thanks for having me on the show.

Jay Clouse 8:04
Yeah, thanks for letting us use the conference room here at Threatcare for the last two days, we definitely will lay off all of our really hard questions about that.

Marcus Carey 8:12
I appreciate appreciate that very much. Thank you very much.

Eric Hornung 8:14
On upside, we like to start with the background of the founders. So can you tell us about the history of Marcus.

Marcus Carey 8:22
So how in depth Do you want to go?

Eric Hornung 8:23
wherever you want to take us?

Jay Clouse 8:25
Whatever seems relevant?

Marcus Carey 8:26
OK, cool. So I’m actually from originally from button 90 miles north of here, and a small town called Marlon, Texas. So Marlon is sound about 3000 people. So I’m a I’m a country boy. I tell people when I come into the room, thank God, I’m a country boy starts playing.

So I grew up. I was born in my grandmother’s house. That’s how country Oh, yeah. So I ended up growing up in a small town. I live in a couple different cities around Texas, but I was born or raised in Texas overall, when I became when I was 18. I joined the military did pretty good on my military entrance exam. So they give your career fields based on how well you do. They told me that I was wanting to cryptography communications. And I didn’t know what that meant. But I ended up I ended up getting the highest clearance in a land working pretty much for NSA since I was 18. So I did that for about eight and a half years military.

Jay Clouse 9:21
Was that test like mathematical how they decide. This guy’s a cryptographer.

Marcus Carey 9:26
It’s a bunch of different things. And the military just gets it right, because they end up having the same kind of personality types in the same space. So it’s a bunch of clones of yourself. You’re working with a bunch of people just like you.

Eric Hornung 9:38
Why did you pick the military? You’re 18, you had kind of college, you could have went worked, you decided military? What was the thought process there?

Marcus Carey 9:47
Well, so I believe this and on, I thought I was going to go to the NBA, I was a hardcore basketball player actually had a college offer. But the college offer wasn’t, it wasn’t a full ride. Basically, they would say about tuition, but they wouldn’t do books or ruin board and all that. So I would have had to find a way to, you know, come with the rest of the money. And I was from a very poor background. I was seriously though, like the poorest person I know growing up. So there was no way for me to pay for even particles, I would have to have a full ride. So I was too short and too slow to get a full ride to do on any who ended up. That’s why I chose the military because the military had this thing back then called the McGorry GI Bill. And that GI Bill, they build it as it can pay for college. And so I’ve always been a nerd my whole life. No, I was a nerd. I knew I wanted to work with computers in the military offer me an opportunity to learn computers at 18. Pretty much they give you a trade they pay for college. So what my goal was to Funny enough, I wanted to do for years in the military, and come back to Austin, Texas, and go to UT. That was the big game plan. I ended up spending eight and a half years in, I did earned my bachelor’s degree in the military. A while was in a year and a half years. And then I did a master’s degree when I got out. So it was all about education. And that was the only way I could have pay for my education is about going to the military.

Eric Hornung 11:15
Why was education so important to you?

Marcus Carey 11:18
So I grew up in an era where I was born in 75. Awesome, I’m 43 now, Funny enough, My birthday is Friday, I’ll be 44 Hey, so I grew up in an era where after the Civil Rights Movement, education was was really really harped on upon. I remember learning about Dr. Martin Luther King in school, I understood that he had a doctorate degree that means he had a lot of education. And so I kind of wanted to be a doctor, I wanted to be like a have a PhD myself. I no longer want a PhD. I did a master’s degree which is plenty. They say a bath as science a BS Bs, MS is more.

And a PhD is piled higher and deeper.

Yeah, I won’t. I won’t be doing a PhD anytime soon. But I knew that I understood the being being black. I had to get get an education, to get ahead in life and to you know, to get myself out of my situation. So that’s why education was super important.

Jay Clouse 12:24
Was that your parents that instilled in you?

Marcus Carey 12:26
Not at all. I had a had a rough childhood. I don’t know my father. So I was 26. And I met him. I met him I’m cool with my father now. And my mother wasn’t really around. My mother dumped us on other people. My grandmother pretty much raised me. So I got this crazy story is going to make a great movie one day. Yes. So I was smart. I was always in gifted and talented classes in the students that I was that I was with. They all were talking about college and and I would do, I did this thing called Olympic sort of mind, where it was like a gift and a time to program. I would do you a little competitions for math and science and all that. So I’m just super blessed that I’m smart. And I was always around the right people in their families. You know, a lot of times we’re talking about columns and stuff. So I just was around the right people. Because I was pretty smart kid.

Eric Hornung 13:19
You were 18 in ’93ish? Why…you said that you knew you want to do something with computers? That’s like pretty early in like the computer really revolution and movement. Right. So how did what was your first interaction like with a computer? You’re a country boy, right?

Marcus Carey 13:35
Yeah, yeah. So my first interaction product was some kind of Atari series thing. We got one at a garage sale. Just was like after atari had been Did you know you pick up stuff a garage sales. So that was kind of like my first interaction with a computer type system. But I was in gifted and talented always I was, you know, one of the couple of black kids in I got to program basic analysis, third grade. And in high school, I took pets call programming language. So when I was young, I also saw war games. And a lot of people saw war games and, and any kind of tech kind of thing even like tinkering MacGyver, the a Team Knight Rider, there was always these tech, you know, there and that is everything was like futuristic, and everything was about a computer kit. It was artificial intelligence. Everybody wants to be kitten our kid or something, right? So we grew up in an age where there was a lot of hype around technology, even though there wasn’t access, there was definitely a lot of hype and a lot of science fiction related to it. And so that and just being like I said, I remember, we must have had some of the first apples. So let’s just timing and just me and alright school kind of district or whatever. But most of the people in the town I was in more. I mean, it was just a couple of other people and and the sound that I’m talking about its minerals, Texas, shout out to everybody mineral oils.

Not a lot of black people in that particular city. And they had access to a lot of cool stuff. Being in this when I was in Olympic on a month, I was in all these little creative programs. And that’s how I got into the situation where I was around technology.

Eric Hornung 15:17
So the game plan was OK, I’m going to go do my four years in the military and then go to UT what actually happened?

Marcus Carey 15:25
So I got to Scotland.

So this is funny. So this is like it was a transition from being in the hood to being in an intelligence community. This is funny, and I think I like to tell these stories. So like I said, at 18 years old, highest clearance and I’ll and I had access to all the Intel in the land, I could read any kind of into report. And so back then there was a big crisis going on. And y’all may remember the Rwanda crisis, where there was a huge genocide issue. So called back home, and I would be trying to talk to them about current events. I was like, I will call back home to the hood. I was like, Man, that’s Mr. What’s going on in Rwanda, right? My friends, like, I don’t know, who were one is what

sounds like I’m in a different world now. That was That was hilarious. So yeah, even lost the question I had to tell a story was the question again, what’s the?

Eric Hornung 16:15
Question was what actually happened?

Marcus Carey 16:18
You know, yeah, so I get so I get out. So I didn’t get to Scotland. I NC started when I started on how to program databases as our Learning Network Security. That’s kinda like the film. And so I was curating. And so being exposed to that technology, and Funny enough, my first duty station, I met my wife, and I had a baby in Scotland must my oldest son. So instantly, stuff got real.

Jay Clouse 16:43
This is ignorance on my end. Why Scotland? Is that where the intelligence organization is based?

Marcus Carey 16:49
Absolutely. So most of the Intel people are station ignorance, like I said, totally, totally. As most of the Intel people are stationed overseas, where they’re doing some point of whatever. And so I was stationed in a area strategic to, you know, doing stuff related to our at the time our enemies, and you could use your imaginations, the who was our big enemy and 1993.

Eric Hornung 17:14
Your wife, is she’s Scottish?

Marcus Carey 17:16
My wife is from Scotland. But she was born in England. So technically, is that’s awesome. She moved to Scotland when she was younger. So she’s English. But I met her in Scotland.

Jay Clouse 17:27
Was that a tough sell to get her to come back to America? Or coming to America in the first place?

Marcus Carey 17:32
I mean, golly, so…No, no, not really. So me and my wife been together for 20. Some years. It was it was kind of like we totally clicked one of those things, right? They say they were saying we go to Scotland, you either come back and drunk or married, or both.

Eric Hornung 17:48
That should be their official tourism slogan.

Marcus Carey 17:51
That’s the same. And so a lot of people, you know, a lot of military people who get stationed overseas and get married. the tough part is since I had a clearance, they had to do this background investigation. That was my next question. Yeah, so it was it was hilarious. But you married for a long, long time. And we have we have four kids now.

Eric Hornung 18:10
Wow. How long? Were you in the military before you transfer it out? And did your masters? Was that part of the military? How did that all kind of work? Like how long were you there?

Marcus Carey 18:21
So I was in the military for eight and a half years. While I was in the military, I took advantage of this program called clip test. I want to write a book on this because this is awesome. So I kind of like you’ve heard a CLEP test where you CLEP out on it’s like AP test?

Eric Hornung 18:34
Yeah, but you could take it in college, right? So it’s like 75 bucks. And if I didn’t want to take accounting one on one, I could just take the test.

Marcus Carey 18:40
Bingo. So I took 115 of those credits. Wow. So I just studied any random subject. I kind of mapped up my degree for the distribution goes, like you need it so much math, you need it so much arts and sciences. And then I taught myself all the subjects and I went to this. I’m a nerd. bookworm.

Jay Clouse 18:58
So you got your masters out, really stepping foot in a classroom?

Marcus Carey 19:01
Well, yeah, so yeah, I got my bachelor’s. Yeah, hundred 15 credits, pretty much. I didn’t enter classroom from my bachelor’s, and a Master’s I did online program. Nerd gang nerds always win. So I totally game the college system.

Eric Hornung 19:14
That’s awesome. I always want to do those tests. But in college, my priorities were more aligned with that natural light, then studying for tests. So that’s very impressive.

Jay Clouse 19:25
He’s talking about like the Ohio Lone Star beer and not like good sunlight coming in the room.

Marcus Carey 19:30
Yeah. There’s some details about how state

Eric Hornung 19:35
so eight and a half years, what happens after that help us kind of close the gap between here and Threatcare.

Marcus Carey 19:40
Yeah. So basically, I got I was stationed at Fort Mead for the last almost four years of my Navy for. And for me, that’s where the national security and for me is the last place that they like to send people, because they know that you’re going to be a hot commodity for the civilians. And the do contracts was because I mean, if you were looking at it, I tell people that my military, if you’re like, for cyber security, or security, or whatever, in general, you’re like Jason Bourne. Like, if there was a cyber element, where you could be like a world trade machine, it would be the Navy cryptography, cryptography route. And so when I was in a, say, I got, they spent hundreds of thousands of dollars, at least $100,000, no joke on my technical education. So in a say, I would work for three weeks, and I will get training for a week for three weeks could train of two weeks, or three weeks, sort of whole time I was there, I took the most high end civilian training. Also, NSA has his own training, as well. And so they train you how to do technical stuff. And so it is ridiculous, especially for a sponge like me, I got all kind of certifications. And I was worth a lot of money, I was worth three times more than I was earning military salary. So it’d be crazy if you re endless. So got our military f4 be a word for God contractor for some time doing security and networking and all that did some more work up in the DC area. And then how got back to Austin, where we are here is a company called rapid seven hard me. Rapid seven is a cyber security company. They went public, I think last year, maybe two years ago. So I worked for that company actually built a product for them, contributed to other products there and conceptualize products for them. So I’ve been kind of like a product machine I built to other products for other people. So after writing products for other people and conceptualizing products for other people, kind of like well, I should do this for myself.

Eric Hornung 21:50
Did you get to take part in the IPO? Like…

Marcus Carey 21:53
I do not know.

Eric Hornung 21:54
Okay, so you didn’t have equity, you were just an employee.

Marcus Carey 21:56
I was employed for a company, but almost two years. And I was on Funny enough, my son works for them. And he got an A, he’s been working over five years.

Jay Clouse 22:04
Talk to me about the evolution of technology and the things that you’re coding in and what type of like arms race goes on in the world of services. cybersecurity, kind of seems like it’s a whack-a-mole type game.

Marcus Carey 22:16
I think a lot of people think think it is a whack-a-mole. But I kind of find quite the opposite. Most of the things in cyber security have been the same things that have been plaguing the industry for years, and we just don’t fix them. I think that if you picked an industry that has Blinky light, or shiny object syndrome, it will be cybersecurity. One year people worry about mobile hacking. The next year, they’re worried about full disk encryption. The next year, they’re worried about this, the next year is AI and machine learning. So I think cyber security every year, there’s something different that that the industry focuses on. And that doesn’t necessarily fix the old problems.

Jay Clouse 22:59
So what is what is Threatcare focused on.

Marcus Carey 23:02
So Threatcare is focused on imitating breaches on that works, essentially pen testing to allow companies to be able to improve what we call their security maturity capabilities. Basically, we’re almost like a retro company where we say you need to fix all this stuff, you need to get this basic blocking and tackling done. And sometimes that means buying other security solutions will will will recommend other things for them. But the key that we do is we try to automate the whole process. In the past, you need somebody like a crazy guy like me, on your team, to figure out all the security problems. And so essentially, what we’re doing what our system is, were imitating me on your network and giving you recommendations that I would give you to fix it.

Jay Clouse 23:56
What’s that called? like black hatting?

Marcus Carey 23:57
So yeah, so there’s a concept called Black Hat. And why had the black hats are the bad guys. So the white hat supposed to be the good guy. So I’m a white hat hacker.

Eric Hornung 24:06
That’s what to say. He just winked. I don’t know what that means.

Marcus Carey 24:10
Well, a lot of people say there’s no such thing as a white hat hacker.

So you’re like, programmatically, I’ve heard about these competitions at places like chase or Google have, or they’re like, hey, come hack us in this competition. And if you do, well, we’ll pay you a lot of money. And then we’ll patch the problem that you could have exploited. And so you’re basically democratizing access to that using your software. So what we do is we we imitate the hacker themselves. And so what you’re talking about, there’s bounty programs that that other people put out on their products or their services. And so what we do is we, instead of them having to learn how to do all the hacking our software, does this for them.

Eric Hornung 24:50
Does your software learn? Like hackers learn over time, right?

Marcus Carey 24:54
Yeah, I would say so. So, I mean, well, hackers learn all the time, for sure. So we do make improvements in our products that maybe imitate different attacks. And we have actually have, we created this thing, you know, JSON is a markup language JSON is. So we actually have this, this like little way that you can write up your own JSON, it hasn’t been our format. But you can actually write these little configurations up. And we can imitate other newer attacks, if somebody wanted to do that.

Eric Hornung 25:25
What does Threatcare not do well?

Marcus Carey 25:29
So Threatcare doesn’t…some some things, there’s, it’s, it’s kind of impossible to, to automate. And on those things, we would have to have somebody to, actually, so we can’t make purchasing decisions or somebody. So I would say that, that that’s where you need a human that knows what they’re doing. So we can say, we got all this stuff out of your network, you should probably get a firewall. So we can we can tell you, you should get a firewall. But we don’t, we don’t say you should buy this version of our or whatever, whatever. Every network is different. And every company is different. So every company has different needs. So one of the things that that we do, as well as we actually have light services to kind of help make the right purchasing decision and, and all that stuff. The networks are so complicated, it’d be hard to do that an automated fashion, but we’re trying to address something that in the future that email could be applied to and stuff,

Jay Clouse 26:25
who is the sort of wheelhouse customer for Threatcare?

Marcus Carey 26:29
Yeah, so the wheelhouse customer for us is our software companies. Because software companies always need to prove that they’re compliant for something. So see, if you’re a software company that does banking, where you’re probably going to have to get soft compliance or some other kind of compliance like that. Or if you’re you’re purchasing, if you’re processing credit cards, you’re going to have to be able to do PCI certification. So we figured this out, this was kind of the the hard thing to figure out for most most people is, like, we see that there’s all kinds of reasons like that these people should want to be secure. But unless there’s a requirement, they’re not going to be secure. So ends up being like people like hospitals, that you think that they should be secure. Well, there’s no really requirement for our hospital be secure. There’s privacy requirements, that people kind of confused with security, like HIPAA, but uh, there’s no need for your actual hospital to be secure. And that’s kind of scary.

Eric Hornung 27:27
what’s the difference between privacy and security?

Marcus Carey 27:31
So they, they can be combined, for sure. But privacy is more of preventing the unauthorized disclosure of your information, your personal information. So it’s dealing with humans, so we call it PII personally identifiable information. So I would say privacy is could be a subset, just security, but they’re different. They’re different things. Security, and this is kind of nuanced security is make making sure nobody has unauthorized access to anything. So screwed is a bigger is a bigger thing. So somebody can log onto your Mac right there without your permission. Privacy would be like people can’t see your browsing history, or your credit card information. So it’s a little bit nuance. But for instance, like most, if you’re like most of these, your medical records, your medical records aren’t necessarily going to be sometimes there’s going to be paper, and you can go get your medical record. So you need to protect the privacy of your medical record no matter what. And so cyber security has more from all kinds of different things. And so a lot of people say information security. Before us it was information, it was data security. And so it’s all the same thing. So basically, if it’s processed on a machine, that’s kind of like computer privacy or whatever. Yeah, but HIPAA covers all every kind of borrow it mean, what is on a record, whether it’s a prescription, whatever is whatever. So they must maintain the privacy. There’s not really a security standard are there.

Jay Clouse 29:04
So you work with software companies, these typically tend to be like, fortune 500 level running security simulations. Are you doing like the small medium sized business that typically wouldn’t be able to do like a bounty program?

Marcus Carey 29:16
Yeah, so we have customers all over the place, we have four publicly traded companies that are customers of ours. They’re pretty big, pretty big logos. So it all depends on if there is a requirement, like I said, some some big people that you think would have a requirement don’t have any requirement, a major medical place that we know, big, big hospital system was spending like $1.5 million on cybersecurity. If you go down to another state, there’s a hospital we noticed minute $10 million a year on cybersecurity. But there’s one hospital got breached big time. So he spends a lot of money on cybersecurity. So it totally depends when it comes to the size of the company and how much they’re actually spending on cybersecurity. They’re small companies, it’s been more than some big companies on cyber

Eric Hornung 30:04
Internally, how do you segment your customers? Do you bucket them at all? Or is it just here’s medicine, here’s finance, like how do you kind of think about customer segmentation?

Marcus Carey 30:14
We don’t so I mean, so. So right now, like when any small company, we focused on software companies, and then there’s everybody else. So there’s people that we help out that that aren’t software companies birthday, we have international trade company, we have a they have a website and all that stuff, but they they do physical goods. So we have customers that don’t fit the scope. But uh, I think that that what we’re focused on is every coast, every small company needs to have some kind of beachhead, and there’s books on this stuff. And I’m using terms out of books, and you’re probably know the book. But basically, who do you focus on as a small company? And how do you just totally kill that sector? And so we focus mostly on our outbound on regionals, those companies that are software companies that have to prove that they’re secure. So that’s what we tell people, we help you prove this, you’re secure for compliance for regulatory. Sometimes customers ask for our you know, and we can provide customers with that.

Jay Clouse 31:13
How often do you find companies that should be proving something and they’re just not like, how big is the gap between companies that you would meet other people that are just not at all living up to the actual law of what they have to prove that are operating?

Marcus Carey 31:28
We see it a lot in any security company will tell you the exact same thing that there’s a lot of people that don’t have any kind of real, discernible cyber security program at all.

Jay Clouse 31:41
And they are in breach of the law and not having that.

Marcus Carey 31:44
Well, the definitely, definitely, or regulatory related stuff. There’s not like a really long, long books about cybersecurity, like, you know, there’s not a lot of laws. But yeah, so people are definitely in violation of whatever they should be compliant.

Jay Clouse 31:58

Marcus Carey 31:58
Put it like that.

Eric Hornung 31:59
How is this different than a security audit?

Marcus Carey 32:02
So it is an automated security audit, I wouldn’t say that it is a security audit, but we automate it. So what’s cool about what we do, is that some of our customers are, I think they call them big for but there’s, there’s these big firms that they go around audit, everybody. They use our stuff. Now we have three of them that use our stuff.

Eric Hornung 32:22
Three of the big four use this product?

Marcus Carey 32:24

Eric Hornung 32:24
That’s a lot of…How do you like it license that

Marcus Carey 32:29
we do it by the team. So if he wants to put a copy on your machine to machine that would be two licenses. And you about to separate licenses.

Eric Hornung 32:37
How much do you pay for a license?

Marcus Carey 32:38
It’s $2,000 per install.

Eric Hornung 32:41
$2,000 per install? And then that’s good for all the updates in the future?

Marcus Carey 32:44
One year, one year, so it’s annual…

Jay Clouse 32:46
One year one seat license.

Eric Hornung 32:47
Got it.

Jay Clouse 32:48
You guys were founded in 2014. Right? Talk to me about the journey to get to today. Like what what are those years between 2014 and 2019 look like? what’s what’s growth been like?

Marcus Carey 32:59
So mean? It’s definitely a lot of learning. So I’m a technical founder, very technical. So in the beginning, I did everything myself, I wrote front and back in all that stuff, tried to hire some early sales, people come to find out that I’m kind of like the best salesperson. So and we’re still trying to work to see like, understanding, well, I can I’m technical but I can actually sell in a lot of people say that the founders, the best salesperson anyway. It’s just trying to grow and have processes, I don’t have a business background or anything like that, you know, just a lot, a lot of reading a lot of mentoring a lot of just all the things that you need to kind of understand business. And so now, I mean, I feel like it’s been four years, I feel like I got a PhD in business and you know, financing raising capital, all these different things, you said you weren’t going to get a PhD. I felt like it felt like it. So this is what a PhD would feel like, except I don’t have to write some kind of long page.

Jay Clouse 34:00
You wrote a book.

Marcus Carey 34:01
Yeah, had a lot of help on that too.

Eric Hornung 34:04
When you look at your business today, what are the KPIs? Or what would be on your dashboard of all right, how healthy is the business?

Marcus Carey 34:13
So we actually use a book that is pretty awesome. And if it has any founders out there, I would check this book out, we have this book called Traction by Gino Wickman. And I don’t know if a lot of people familiar with that. But so that book, we use something similar to KPIs it’s called, it’s called a company dashboard. So we definitely on that dashboard, or Gino Wickman does is he you know, basically just like KPIs, there’s leading and lagging indicators and all that stuff. So the dashboard is like we you know, how many contracts so we we assume that we should be sending our contracts every week, we should be closing a certain amount of deals every week. We shouldn’t have on that dashboard, we should understand. We have stuff like, you know, how many website visitors are we getting? So we same concept of KPIs, well, we don’t use KPS, but, but those are the kind of things that we’re tracking. Mostly because we care about sales. It’s everything sales related. Like cuz, cuz so many website visitors convert, and we’re trying to convert sodas, the same kind of concept, but it’s all about sales.

Eric Hornung 35:19
if you could only have one indicator or one stat from your company dashboard to know how good your business doing, which one would it be, besides revenue Jay loves revenue. so…

Marcus Carey 35:30
yeah, so I would say how many how many contracts were actually sending out. That’s a really good indicator for us. Because that means that we got to a point where we’re about to close. And us the final stages is not actual close. But we have to send out a number of contracts to get the number of closes. And if you’re not sending contract, so that’s a big, big red flag for us.

Jay Clouse 35:51
What does retention look like for some of the clients that you’ve had that have had licenses for more than a year? It’s everybody renewing? Do you have like an amount of churn?

Marcus Carey 36:00
You we have? We pretty much have I think we’re at 80 something percent retention, which is pretty good. Our customers love us. And many of them come back for a lot more.

Jay Clouse 36:10
Yeah. So how often do you guys add to this simulation? Because, you know, if I, if I’m a customer this year, and I run the simulation, you said you got to fix XYZ and I fixed XYZ. Is that simulation no longer useful to me? Or is it something where like, every time that my product changes, I’m introducing new vulnerabilities that we need to run the same tests on?

Marcus Carey 36:30
Well, just like a lot of people that did just worry about writing code, there’s this thing called continuous integration, where you still need to test all the time, every time you do to make sure that there are every deployment. Yeah. So they’re just because you’re all your security sales working now, doesn’t mean it’s going to be working next month. So our customers, and our recommendation is that they run our stuff every month. Also, another thing that we recommend our customers do, and they do is one are testing out new software. So we just have a customer, I was just talking to you today, I just came from a customer. And they were trying to buy a sim sim is a log monitoring system. And so what they did is they use our attacks to generate traffic that should have been caught in the zone. And there were tested it out. And they were able to tell the people that were in charge of this product or whatever, the day, we just did all these simulations, and your SIM didn’t see any of it. So before you buy, you can run ourselves to and after you buy you can make sure it’s working over time.

Jay Clouse 37:34
cybersecurity’s gotta be something that people weren’t worried about for, you know, decades, right. So what would you say is the core innovation and what you guys do that makes you different than what else might be available out there?

Marcus Carey 37:46
I think the core we make everything super simple. I’m a big Steve Jobs and even though he was crazy. So obviously, I’m still quite an apple fanboy in general. But what Steve Jobs that is he made everything easy. And so our product is super simple to use, but powerful. And I’ve written a lot of hacking software, and my life, I’ve written software to spy on people capture key logs, or whatever kind of wrote some crazy stuff that people use all over the world. I wrote, I wrote software as a law enforcement used to catch criminals. So writing all that stuff, it will require a lot of, you know, if you see a hacker movie, the hackers like type of stuff so fast. Yeah, that was me. So, so what what, instead of No, I have know all that those commands and all that stuff, we just make it’s pretty simple. You just select what you want to do, and run it. And we made it so simple that where you can, you can have a series of attacks, and you can drag and drop in our UI, what it’s actually want to run, and I’ll run those in sequential order. And you can drag and drop the order, hit play, and it runs them in this order. So you don’t have to know anything about hacking to use our stuff. Until people will take you from zero to hero.

Jay Clouse 39:05
What does implementation look like? If I’m a SAS company, I want to put this in, is it difficult for me to onboard into this and integrate this into my code base?

Marcus Carey 39:13
Well, so how it works is you you install it on a system, so people that are running don’t SAS, they would install answer vironment. And then they will be able to your download what we call, we have a three acre app is what we call it. So you can install it on Windows, Linux or Mac. And that system is like a console. And it can control other will be call agents. And those agents are just like, you’ve heard some button that so basically how a hacker can control all these, these bots. So those those bots are essentially our agents. So in our organization, you could deploy this in your cloud on premise. And you can run it all from one machine. That’s like your master hacking console is our Threatcare app.

Jay Clouse 39:59
And I I just have to install the app in my environment. There’s no actual like, deploying into my repo?

Marcus Carey 40:06
No, you don’t is separate from your code. It’s not like a continuous type situation.

Eric Hornung 40:12
How does Threatcare evaluate its own security?

Marcus Carey 40:16
So we do continuous testing internal, we have a security stuff. And we also get third party assessments on our on our software as well. So we pay people to hack our stuff.

Jay Clouse 40:26
has anything surprising come out of that?

Marcus Carey 40:28
Well, you always you always improving, and there’s always bugs himself. But we’re always improving ourselves. So basically, the, you know, the whole dog food thing, and we recommend people get tested. So we get tested as well.

Jay Clouse 40:42
What types of promises do you make? Like if I use the Threatcare software, and I fix everything? It says it needs to be fixed, and I still get hacked. Does that have any besides just like trust from the customer? Does that have any effect on you guys?

Marcus Carey 40:55
Well, so here’s the deal, everybody’s gonna get hacked. And so we’re, we’re very clear on this like, so what our software is meant to do. The funny enough is imitate how I hack, how the breach looks on our network, how an attacker moves about their network, so they can actually detect them when that happens. So we’re there, essentially, if, say, if they were trying to break into this office, is the camera train to see an intruder, because that’s what we’re after we’re acting like the intruder. So we’re not prevented it. We’re making sure that if an attacker does come in, that you’re seeing the event happen. So if you are breached, and after use our stuff, you should definitely be able to identify that are breaches taking place. That’s what we tell our customers.

Eric Hornung 41:41
How big is this opportunity? Like? How do you think about the size of the market for Threatcare, specifically, not just the cyber security market?

Marcus Carey 41:49
We believe is enormous opportunity. So people like Gartner says that automated testing is going to be a $20 billion industry, and then bought by 20, 25. So everything, even on a coding side already have people doing software development, you can see that everything’s being automated, whether it be word Cuban, 80s, whether it be with Chef, puppet, all these different things from a DevOps perspective, is being done. So we believe that from a security aspect, that’s what we do. We’re automation, just like those companies, you know, people like Docker, and all these other companies have came up and made DevOps, super simple. We look to do security operations in that fashion. So we believe is a huge opportunity for us to automate a lot of stuff. Some companies are doing their they have their internal red team is what they call it. So we want to be if you don’t have red team, will, will be here at the end for you. And we can augment anything and give them a team capabilities.

Eric Hornung 42:53
What is a red team?

Marcus Carey 42:54
So red team imitates the bad guys on your network. So you probably heard of a popular thing. Most developers and most start people have heard…have you ever heard chaos monkey?

Jay Clouse 43:04
Yeah, I think you told me about chaos monkey.

Eric Hornung 43:06

Marcus Carey 43:07
so something to Netflix uses and systems go down and all this stuff, it causes chaos, right? And so essentially, you can kind of compare us to that kind of situation, where it’s where the security version of that.

Eric Hornung 43:19
Growing to 20 billion by 2025 — that’s a very fast growing market, it’s moving fast. What’s competition look like? Because I feel like there are so many cyber security firms, or maybe there’s not mean, I just feel like that.

Marcus Carey 43:30
Oh, if there’s tons of people trying to make money and cyber security for, for sure. In our space, there’s a couple of funded competitors, or two well funded competitors in a space that have both raise their 20 million, the investors believe that this is a solid space, and the space is still early. And what’s cool about the spaces that we actually we actually have our product in more people’s hands, we do have a freemium product, we’re doing about 100 downloads a month on the free product. And that’s that’s leading to some conversions on enterprise side.

Eric Hornung 44:07
how does Threatcare differentiate from those competitors, you listed?

Marcus Carey 44:11
The big way we differentiate is like our software can be installed on any laptop, Windows, Linux or Mac, as a standalone reaching attack platform. And our competitors. They’re mostly web based, they do have agents as well. But the fact that you can install our our system, that means you can, you can run simulations, offline, meaning that if you were to nuclear power plant, you can install our stuff and run it on. And that kind of closed network or on a government and work or anything of that nature. So some companies have higher security, and they don’t want to have this cloud thing and in store their data in the cloud. So that’s the big, big differentiator from from what we do compared to our competitors. How big is your team? So our team is seven people full time, and we have a number of contracts was the work with us as well.

Eric Hornung 45:01
And how are they split out? In terms of like, what are they doing?

Marcus Carey 45:04
Yeah, so we we have sales sales, we have pretty much a really core of each individual role we have, we have sales role, marketing role, we have engineer role to we have two people working full time our product, kind of get my hands, and it’s where we need to do some prototyping. And we have one full time services person, we have a security researcher as well. So we took we have we have really good people for every particular role. And so I kind of compared to like, if you you think like Adam and I company, like I think we’re like a nice little mass. And we’re ready to explode. So also, we talked about that book Traction, that book Traction is excellent on on Tron on defining what it has a instead of having an org chart, what it talks about in the book is it talks about, it calls it an accountability chart. And so somebody, some people may be doing different roles. But as soon as you get to a level where you can hire somebody new, you already have the roles and all that stuff laid up. So I highly recommend that book to anybody that’s trying to build a company or any investors that are trying to get a good way to operationalize for entrepreneurs and stuff, disagree with ops.

Jay Clouse 46:22
So if you have a couple of competitors in the space that have raised like $20 million, why aren’t you guys going out and saying we’re going to raise 30?

Marcus Carey 46:28
Well, and venture capital, how things work are quite interesting. As you all probably know, so many times of these people, the people that were we’re going up against, they’re funded by some big players in Silicon Valley should I say, and many times those, those people in order to try to get ahead in a particular sector, they’ll dump money into a couple of companies that that they have background with, whether it be that they were a part of some previous startup, there was on the portfolios manner. So that’s kind of like I that’s why we have a couple of people in our space as popular. And so the concept was pretty hot. And some big name, investors have back people that they have history with.

Eric Hornung 47:15
If you raised $30 million today, what would change about Threatcare?

Marcus Carey 47:25
We wouldn’t be on a house on east 7th!

I’ll try to answer though…

All right, if we will raise 30 million today, what we will be able to do is we’ve definitely be able to expand the team and build on what we’ve already built. I think we like I said we I think we have a solid core. And we built upon that we actually have a really good new stuff that we’re actually issuing, releasing at the end of this month, that does more comprehensive security all around. So what we’ve done is we’ve we’ve got region attack simulation down really well. But region attack simulation doesn’t necessarily bill help build them a program, it helps test the program. And what we found is similar to what I was talking about earlier, a lot of these companies do not have any problem whatsoever. And so a $30 million cash injection to our business would actually help us. We have this this module that we want to help people build, measure and maintain their cyber security infrastructure. So what we’ve been doing is we can measure really well. And we can measure repeatedly to help them maintain their program. But the build piece is something that we’re releasing to help them build that program. So we’ll be able to help anybody, you know, regardless of sector to help build, measure, maintain, or cyber security infrastructure, and $30 million would definitely go get us will take us a long way down the road on doing that.

Jay Clouse 48:51
Would you stay in Austin?

Marcus Carey 48:52
Yeah, I think that Austin has the talent and is cheap compared to you know, the bay or what not, bro. Yeah, we love Austin. And I think we’re awesome based company, but $30 million would change a lot of things.

Jay Clouse 49:05
Yeah. I didn’t know where is like the hotbed of cyber security. Is there a place where that is like the industry of choice?

Marcus Carey 49:12
I don’t think there’s a hotbed. I mean, Silicon Valley is the hot but because of the money, there’s definitely a lot of cyber security companies that have came up out of the Mid Atlantic region, because of God. And all that Funny enough, I kind of like grew up in that area, me being an NSA and all that stuff, sort of Mid Atlantic region is pretty high for cybersecurity.

Jay Clouse 49:33
I’m going to take a weird right turn here with just a couple of rapid fire questions, because your background is so unique. As a consumer, what are mistakes I’m probably making with my own cyber security.

Marcus Carey 49:45
So the biggest thing I tell people is to always turn automatic updates on all your devices. And that’s the best way to sort of, I actually use Chrome browser, I recommend Chrome browser, because chrome updates and all that stuff. Most of the times you’re going to get effect that is probably through browsing bad side that has some kind of exploit on it. So automatic updates on everything includes your home routers, your Apple watch whatever device you have turn automatic updates on, that’s the best thing you could do.

Jay Clouse 50:18
What about all these like home devices? Should I be worried about having a home device?

Marcus Carey 50:23
Yeah. So I think that, again, automatic updates on everything. Don’t Don’t take any chances there. Because these the so I did some research A while ago, and 66% of people never update.

Jay Clouse 50:37
Just like anything?

Marcus Carey 50:38
Anything. Like home router, all that stuff. And so that’s why you hear home routers and stuff like that being part of massive button that’s or home devices in general because nobody updates. Yeah. So turn on those updates. If you have a personal website and using WordPress or whatever, turn on updates, whatever, whatever it is, look for that dates. Also, don’t reuse passwords. That’s the second best thing you can do. Don’t reuse passwords. That’s the big thing. There’s several websites you can go to that if there’s been any breach of our site you’ve been to, this is going to have your passwords and the first thing attackers do is try to reuse that password. And multiple sites. They have bots built to do that. So as soon as they get your username password from one site, what they do is they’ll run this bud and it’ll tell them how many sites they can log on to.

Jay Clouse 51:30
That’s terrifying.

Marcus Carey 51:32
It is.

Jay Clouse 51:32
Don’t love that. Good thing I use different passwords for everything that I do.

Marcus Carey 51:38
Use one or two password managers OnePass or LastPass One Password or LastPass use one of those

Jay Clouse 51:45
how much you know about aliens?

Marcus Carey 51:47
Aliens do not exist. I tried to search it when I was at NSA. Seriously

Eric Hornung 51:51
Are you allowed to say that?

Marcus Carey 51:52
Yeah, why not?

They don’t exists. That was the main thing I was searching for. If aliens existed Edward Snowden woul’dve released it.

Jay Clouse 52:02

Marcus Carey 52:03
Yeah, why not? He leaked everything else.

Jay Clouse 52:06
Fascinating. Awesome. Well, this has been a lot of fun, Marcus. AAfter the show ifpeople want to learn more about you or Threatcare. Where should they go?

Marcus Carey 52:12
Oh, they should go to threatcare.com you can follow Threatcare on Twitter or any other social media. You can also follow me on Twitter for my witty banter and jokes. @Marcusjcarey on Twitter.

Jay Clouse 52:27
All right, Eric, we just spoke with Marcus carry of Threatcare. What do you want to start? You want to talk about the founder you want to talk about the opportunity?

Eric Hornung 52:34
Well, I didn’t even put that together until you said that Marcus Carey of Threatcare care care. How about that?

Jay Clouse 52:39
should have gone with Threatcarey. Oh, that would be a great Twitter handle. Marcus, if you’re listening to this, which I imagine you are, considered changing your Twitter handle to “Threatcarey.”

Eric Hornung 52:48
or a psyeudonymous…is that how you say that? pseudonymous synonymous No, no, no.

Isn’t that a word?

Jay Clouse 52:56
Pseudonymous account…pseudonym. Yeah, I guess.

Eric Hornung 52:59
so pseudonymous account, called threatcarey. And it’s a it’s a merger account between Threatcare and Marcus Carey. And this has gone on too far for me not to get into what I want to talk about first.

Jay Clouse 53:10
It could be a little bit of a caricature of…

Eric Hornung 53:13
You’re still going down this path? we’re still doing this?

Jay Clouse 53:15
…of the cyber threat. His name is Threatcarey. And he looks a little bit like the Sim, the burglar Sim from Sims One on PC, but in like more 2d animation form.

Eric Hornung 53:27
Marcus, we will be taking our check, you can mail that.

No, just kidding. So I think one thing we haven’t really done recently on upside is kind of walk through how we think about a company we’ve been doing. We’ve been walking through a company, but we haven’t kind of step back. And for we’ve had a lot of new listeners. So for the new listeners, on upside, we’d like to answer four questions indirectly. Do you have those four questions?

Jay Clouse 53:54
I do, I like this test. How committed is this founder? What are the founders chances of success in this business? in life? What does winning look like in terms of revenue and my return? Why has this founder chosen this business?

Eric Hornung 54:06
Well, you’ll notice about those four questions is that three of those questions are specifically about the founder. So Jay, I think with Threatcare, we should start with the founder, Marcus was one of the most unique stories we’ve had on today. And that’s saying something because we’ve had some incredibly unique people on we’ve had people on who are nothing like you and I, and I say Scotland from a small town in Texas, which I thought he was gonna make a joke and say, yeah, just a small town in Texas, something like 300,000 people, but no, it was like a really a small town in Texas have like 3000 people, and to tie all of that experience together, and his experience in the private sector, and then say, you know what, I want to launch a start up. I don’t know the thread it just felt there from the beginning of the interview to me.

Jay Clouse 54:54
I agree with that. I wouldn’t say that I like stories of founders with really tough up brings, but I certainly appreciate them in think it shows something about them and gives them a certain element of their character that we don’t see an all other founders. So Marcus, being a basketball player thought he was going to go and play in the NBA could not get a full ride to college, and therefore couldn’t go to college because you couldn’t afford room and board goes in the military at age 18 is tested into working for the Navy, cryptography group. And then eventually the NSA. What a crazy testament to somebody intelligence to test into that group at age 18. Not a former company that I worked at the CEO there also spent time in NSA, his right hand man are see Oh, spent time in the NSA. Sean, the founder joined the military at age, I believe 16, like lied to get into the military early and join the NSA. And so when Marcus shared that fact about his background, I’ll be honest, I was a little on it in the interview, because people who were trained in intelligence operations, know how to communicate in a different way. And it always made me uncomfortable. At my former job, there’ll be times I’m having a conversation with one of these guys. And I can choreograph where this conversation is going to go a little bit to know like, Okay, this is a softball. This is softball, he’s about to punch me with a question that he wants me to blurt out an answer to, to give them information. And I didn’t know how that would play out where we’re playing interviewer. But I did feel like Marcus was being very forthcoming with his answers and giving us a lot of insight into his own background into the company. And his story is one of the more awesome paths to see.

Eric Hornung 56:44
Do you think he bugged the room?

Jay Clouse 56:45
I don’t know. I don’t know. He could have bugged the whole the whole building who knows!

Eric Hornung 56:50
we were in his spot, you know?

Jay Clouse 56:52
who knows? He wrote the book on cybersecurity.

Eric Hornung 56:54
Yeah, one thing I’ve realized, since we added Marcus to our pod co Twitter list, which has all of the guests that have been on the podcast on Twitter, if you want to check it out, you can go to Twitter, and go to our profile. And we have some public lists. One of them is the list of all of the guests that have been on the podcast. So check that out. Since Marcus has been added to it. I’ve noticed just how prolific he is, in talking about cyber security, and all of these things that I have no idea what he’s saying. But people seem to really dig it because he gets a ton of comments, tons of likes, and a lot of shout outs from people saying, Hey, thanks for doing this, hey, this is really cool. Hey, I just someone just tweeted, I just cracked my first hash pass code or something. And they were having a conversation about it. So I didn’t really understand that. And that’s probably my fault on the research heading in until after the interview, when I was doing a little bit more digging. And I I think that mark is really, really knows his stuff.

Jay Clouse 57:55
So here’s an interesting point, though, from our lens here on upside, it’s clear or why this founder chose this business. He was in it and doing it and trained highly in it. And he saw the problems, he seems very committed, you start a company to do it, he left probably a well paying job. And it’s certainly foregoing the salary of very high paying jobs to do this. His background makes sense. Now, as an investor, are you looking at this, from the perspective of this background makes a lot of sense, or from the perspective of this founder knows how to run a startup company? I’m not saying Marcus doesn’t at all, I’m saying that it’s clear that his background is perfect. Now let’s talk about Marcus and his ability to start and run a company, which is something that is new to him.

Eric Hornung 58:37
I think one thing that has to be tough is making strategic decisions from a biz dev perspective, which when you come from government, there’s not a lot of especially NSA, I would assume there’s not a lot of biz dev and in his last job, I’m guessing he was more on the tech side. You might have even said that. So

Jay Clouse 58:58
Hank, please tweet at us at upside. FM, if you have something to say.

Eric Hornung 59:03
He hasn’t had a lot of experience, it would be my assumption in business development in pricing decisions in customer negotiations, though he has had, you know, conversations and negotiations, I’m sure. But all of these things that you learn, kind of coming up in the private sector, when you have to dabble in a little bit of them here in a little bit of them there. He may have skipped so then it gets to his team. And can they execute on that? Or can he become smart enough, quick enough to learn to execute on these things,

Jay Clouse 59:36
some positive signs 80% retention on customers at Threatcare is investing and knowledge by reading Traction. And that’s guiding a lot of the way he measures his KPIs and his company’s performance. I loved the story about him taking the test in college and not going to classes. That also is a really good mark for me on his track record, as I’ve been full time employees. But we did not get much clarity in the way of total number of customers other than working with several fortune 500 companies. So I’m a little lacking on pure numbers and data here for this opportunity.

Eric Hornung 1:00:16
So am I. I feel like I want more on that side. And Marcus’s inclinations are definitely more towards the tech side. And the learning side. And the let’s make this product product, amazing side. Or at least that’s what we got from this interview,

Jay Clouse 1:00:34
he alluded to a couple well funded competitors in the space, which is a bit of a shadow to me, even though it is a $20 billion automated testing industry, he’s attacking his own estimation, which falls into our big bucket. And it’s not going to get less important. If several of the Big Four accounting firms are using the software. To me, that’s a very good sign of product market fit and a very good sign that he’s on the right path. So I’m asking as an investor, is he going to continue to outpace some of these well funded competitors? Is his secret sauce Saucier, than their sauce? And Will he be able to capture a significant portion of this market? Aside from what’s already out there, and I’m guessing that in the cyber security space, this may not be a one solution. And that’s it tight market, it seems like, if I’m really worried about my cyber security, I’m probably going to try multiple tools or employ as many measures as I can to make sure that I’m good. So it may not even need to be that he is the one and only automated testing service on the market.

Eric Hornung 1:01:47
So the way I understand the market right now is that there are two ways a C so which is a chief information security officer would look at their security. One, they do it themselves, they do an internal review. Or they say, Okay, here’s what we have, here’s all of our tools and strategies. I think that’s what you’re referring to with multiple tools there. The second way is that people that same see, so we’ll go out and hire a third party that’s called a security audit, that security audit firm will likely employ their own set of tools to evaluate that business. I think that Threatcare fits into both those buckets for that see. So, so whether you’re accessing Threatcare directly by buying the software, or you’re accessing it indirectly through a security audit, I think that’s that’s a really interesting path that you could access the rep care two ways. I don’t know that a seesaw would make the conscious decision to choose Threatcare and to have its competitors just to cover its bases on its diagnostics, depending on price.

Jay Clouse 1:02:53
I wish you would have defined see. So when we’re talking to Marcus, because I’m like, over here thinking about see sighs I’m like, seeing this, like teeter totter. In my mind. I had no idea what a seesaw was. I was like, Oh, yes. Good. Good point. Yeah. Thank you, chief information security officer makes a lot of sense. Point taken for sure. So Eric, since we didn’t get a lot of numbers, and we can’t pretend to do any real backwards math here, what are you looking for from Threatcare, 6-18 months from now?

Eric Hornung 1:03:20
I want to hear about two things. I want to hear how their pricing plays out. I feel like it’s still pretty early in threat carriers existence. And pricing is going to tell me a lot about how much their customers value the product, it’s going to tell me a lot about the feedback they’re getting through the Big Four and other security audit firms about the effectiveness of the product. And pricing is just going to really matter, I think a lot to the future moat of this business, which is do I keep it low and grow market share, which is I’m guessing what a lot of the people who are doing who are watching funded are doing or is it my product is 10 x better. So I can charge a multiple and just meant cash to grow other sides of this business. The second thing I’m looking for is a little bit of clarity on the business model itself. So I get that they are charging a licensing fee for this product. But it just seems like there are so many areas of potential add ons or areas where they can make very smart data driven recommendations. To see those Jay look at that thrown that name out there, again, who are maybe not the most sophisticated, but want to do their job well. What about you?

Jay Clouse 1:04:45
So I’m looking at one of Marcus’s own proclaimed KPIs, which is contracts closed? I want to see how many customers are using Threatcare. And also does that retention continue to be as stellar as that 80% or even higher? I think that’s going to be a really really good mark in users confidence in this product, and the staying power, the stickiness the efficacy of the product itself. And obviously, more contracts closed equals one of my favorite things, Eric, which is revenue.

Eric Hornung 1:05:16
Money, money, money, money…

Jay Clouse 1:05:17

Eric Hornung 1:05:21
Right on beat, Jay.

Jay Clouse 1:05:22
Alright guys, sorry for that. If you have thoughts on Threatcare, we’d love to hear them. You can tweet at us at upside FM or email us hello and upside.fm. Otherwise, we’ll talk to you next week.

Interview begins: 07:55
Debrief begins: 52:27

Marcus Carey is the founder and CEO of Threatcare.

Threatcare allows organizations to better defend against cybersecurity threats by improving vulnerability management and defense capabilities.

Threatcare’s Violet platform is a Breach and Attack Simulation Technology that allows security teams, incident responders, and network forensic practitioners to reduce their attack surface by continuously monitoring their cybersecurity posture.

Threatcare was founded in 2014 and based in Austin, Texas.

Learn more about Threatcare: https://www.threatcare.com/
Follow Marcus on Twitter: https://twitter.com/marcusjcarey


This episode is sponsored by Taft, Stettinius & Hollister, a full-service law firm known for assisting entrepreneurs across the Heartland.

Learn more about or get in touch with Taft: https://www.taftlaw.com/
Follow upside on Twitter: https://twitter.com/upsidefm