Beers & Bytes Podcast

Episode 30 - Russell Sherman is Revolutionizing Cyber Risk Management with AI

Beers & Bytes Podcast Season 3 Episode 3

Embark on a journey into the heart of cybersecurity with Russ Sherman, the tech wizard behind VISO TRUST, and discover how their AI-driven platform is flipping the script on third-party cyber risk management. We chat about how VISO TRUST is changing the game by cutting down the lengthy due diligence process to just days, making it a breeze for companies to assess and manage the risks of sharing sensitive data. Grab your favorite brew and listen in as we break down the complexities of cybersecurity maturity, and how VISO TRUST simplifies the process with a tool that's as refreshing as our beverage choices for the episode.

Sip on insights from our story about the inception of VISO TRUST, where Russ and his co-founder Paul combined their cybersecurity smarts to harness the power of technologies like Large Language Models (LLM) and Retrieval-Augmented Generation. These innovations aren't just fancy jargon; they're the backbone of VISO TRUST's ability to predict and substantiate security controls, weaving together procurement and IT detection tools with finesse. And if you thought that was all, wait until we reveal how their partnership with Netskope is taking vendor management to new heights post-setup.

Finally, we swap tech talk for tales from in-person industry events like RSA and Black Hat, spilling the beans on quirky marketing stunts and the thrill of networking. The episode closes with a nod to the lighter side of life, from hockey rivalries to our unique beer picks, proving that even in the world of tech, there's always room for a little fun. Tune in for this episode of Beers & Bytes where we blend serious tech discussions with a dash of casual banter you won't want to miss.

Hosts:
Fortify 24x7 - https://fortify24x7.com
Fluency Security - https://fluencysecurity.com

Beers & Bytes Web - https://beersandbytespodcast.com
Beers & Bytes Official Links - https://linktr.ee/beersandbytes

Guest:
VISO TRUST - https://visotrust.com

Drinks from this episode:
Golden Ginger Beer - https://www.rockymountainsoda.com
Nordic Broom - https://www.elderpine.com
SchnuggleZ Hazy DDH IPA - https://www.818brewing.com

Speaker 1:

Welcome everybody to this week's episode of Beers & Bytes with our special guest, Russ Sherman, the co-founder and CTO of Viso Trust. I'm Jeremy Murdershaw, CEO of Fortify 24x7, and with me, as always, as my co-host, Chris Jordan, CEO of Fluency Security, so excited for this conversation. If you recall, a few weeks back we had a conversation with the CEO of Viso Trust and now we get the opportunity to get a little bit more technical hanging out with Russ. So before we jump into that conversation, Russ, what did you bring to drink today?

Speaker 2:

Today, I brought Golden Ginger Beer from Colorado. Here in Colorado, Golden is the city and I'm pretty excited about it.

Speaker 1:

So it's a non-alcoholic drink, it is non-alcoholic.

Speaker 2:

There's sugar in it, though, so cane sugar. Almost as bad as alcohol. Yeah, and yeah, natural flavor extracts, so I think that's a plus. What about y'all? What are y'all drinking today? Chris, what'd you got?

Speaker 3:

Man, I got a freaky one. I got one called Elder Pine. Look at that, it's like matte black. This is crazy. And they have a tasting room up in Gaithersburg, Maryland, and it looks like something out of a Renaissance fair. So, yeah, they have this Norse kind of theme going. They got like Old Geezer and stuff. That's one of the names of one of their beers. This one's Nordic Broom. But I think these guys must do a lot of drinking and then name the beer after the drinking. Very interesting group. And then what is this? Just a regular hazy. What do you got, Jeremy?

Speaker 1:

Well, today I've got something called SchnuggleZ. It's got like this cute little Care Bear looking thing on the front of the can from a local brewery called 818 Brewing here in Southern California. It's a hazy double IPA, double dry hop. Have no idea what that means, but it'll be interesting to see how it tastes. We've got Azacca, Mosaic and Citra hops in this one and it's coming in at 8.2%. So if I finish it we'll see if I need another one.

Speaker 3:

I like the Mosaic hops. I mean, that's my solid when it comes out to hop selection there the Citra and the Mosaic.

Speaker 1:

There you go.

Speaker 3:

All right, cheers, gentlemen, cheers, I'm already cheating, not bad.

Speaker 2:

So, Russ, tell us about yourself. Sharp ginger over here it's almost like sharp hops, double ginger.

Speaker 1:

Double ginger, double dry aged. So let's add some context. So, for those listeners who tuned in and didn't see the episode with Paul what is Viso Trust? What is what you do? What is your offering? Give us some background there, please.

Speaker 2:

So, Paul and I founded Viso in 2020.

Speaker 2:

And we set about building a network and a product around it that helps businesses understand the risk of doing business with one another and so far as the likelihood of that other business potentially losing data.

Speaker 2:

And so what? We're in a category of businesses and security called third party cyber risk management or third party risk management, and we support a due diligence function, right? So I'm about to sign this deal, share a bunch of personal information of my customers with a product or service, but first I probably want to understand if they're going to protect that data, because their security becomes an extension of my own my own insofar as, if they were to lose my data, I'm, in part, responsible for sharing it to them in the first place. Right? We found that this problem was pretty painful at a number of companies and that it was mostly manual. We were involved human beings, reading documents, sending questionnaires, looking at the answers to questions or looking for answers to questions and set about building a product that uses artificial intelligence alongside a sensible, reasonable user interface to interact with your third party vendors. To take the time that it normally takes down from months in some cases, to days and minutes Wow.

Speaker 1:

So is your product targeted to a specific business vertical or is it just anybody who needs somebody who does business with another business? Is that, or where do you find your sweet spot there?

Speaker 2:

So we've had success across pretty much any industry that has a function within their company that cares about cyber risk so financial institutions, biotech firms, tech startups, retail companies. So really we find that when you begin to care about understanding the risk of doing business with another company, our product is suitable to satisfy that in a sense, either as part of a larger program that's very, very mature, or maybe the entire program to go from not having a mature risk management or third party risk management function to using our product and having a robust, repeatable, scalable risk management function.

Speaker 1:

What would you say is if I'm a business that's looking to obtain their SOC2 certification or their ISO certification, does your product fit in that sense as well, or is that a component of a different system?

Speaker 2:

Sure, yeah.

Speaker 2:

So today, what we do is the way I like to describe the difference in our product and what you're describing is we allow you to understand whether a company has a SOC2 and whether it's good or not, very quickly and allow you to manage understanding whether you'd like for them to produce evidence by some other means maybe not a SOC2, or an answer to a question or some other policy document.

Speaker 2:

We recognize that SOC2 is a meaningful and very common way for you to share how good you are at security or how much you care about security or what level of investment you have in securing your company. But the reality is a lot of people don't want to share their SOC2 or, when they do, they want it to be shared just between you and them, and we make it very, very easy for businesses to exchange that information and make sense of it. I would say that just to further on that a little bit. Developing and going through the process of, of procuring a SOC2 is a large investment and that alone is a good sign in terms of security maturity. Right, you care a lot, but it's largely what's considered a trust effort. Right, you're trying to build trust with your clients. Today, Viso primarily serves the client and the client-vendor relationship and businesses who are looking for your SOC2 not to produce their own.

Speaker 1:

Would have. Do you feel that if organizations who were hit with some of these recent supply chain hacks had your tool in place, that that could have been prevented?

Speaker 2:

Absolutely Understanding the maturity level of the businesses you interact with and deciding making risk-based decisions on whether you actually do business with them is an important part of the third-party risk management function. I do believe it's capable of avoiding certain scenarios like having lost data in a supply chain attack. The other aspect is just having a central place to understand what third parties you have and whether they have been subjected to an attack or they're the focus of a breach scenario or potentially kind of exposing your business to risk through some other means, like a zero day or some other kind of security event. Having a product like ours allows you to go to one place and say okay, but which businesses do I share sensitive data with, and by which means, and so therefore maybe relevant to a certain new threat out in the world. It also allows you to just ask do I do business with this company I just learned about having a security problem and or do my third parties do business with them through the network, right?

Speaker 1:

The interwebs of connectivity.

Speaker 2:

Yeah, I mean we expose what's called a kind of an nth-party graph, allowing you to understand you may do business with a company who does business with another company and therefore, if those companies have a security problem, you might be impacted and you might want to interact with them somehow. That's interesting.

Speaker 1:

What is the level of effort you say a user has to spend in the platform once they've gone through the initial hurdle of inputting all their vendors? What's the usage? Look like Sure.

Speaker 2:

Yeah, sure. So we allow you to kind of like sign up and import all your vendors and connect with systems like your procurement tool, connect with systems that do shadow IT detection, like Netskope for instance, and once you have a list of your vendors, it's rather straightforward to assign a business owner to them. If you need to essentially engage the rest of your business in the process of actively managing the relationship and from a practitioner's sense it's kind of a it's rather low effort you know, determining whether you want to start an assessment with a vendor or not and reviewing the results when they're done and making that informed decision. Do you onboard them, do you schedule life cycle management and continue the relationship, or do you move on and look at another vendor? Right, yeah, congratulations, by the way.

Speaker 1:

You just recently announced the integration with Netskope, so very cool, yeah, very excited about that.

Speaker 3:

All right, Russ, so how did you guys get together to form this company, and where did you come from before?

Speaker 2:

So Paul and I met. Originally we worked at Lending Club. This was 2015 and Lending Club was building out their security program and preparing to go public. So Paul and I were under a lot of pressure, alongside other folks, to deliver some technology and move the bar forward on a lot of initiatives when it came to information security and privacy. So we formed a quick, deep bond there and we both have an entrepreneurial spirit at heart. So it worked out great when we were both thinking about starting a company. So why did you pick?

Speaker 3:

you as the CTO? Was it like the short straw, or you were just the geeky one?

Speaker 2:

No, it was natural because Paul and I worked together in kind of like the business and technology left and right hands for a number of different larger security initiatives at Lending Club. He was influencing and building bridges with other parts of the business and I was building technologies to support some of the stuff that we wanted to accomplish. So we were often looking at a problem together, advancing kind of the technology with stuff that I was writing or building and trying to influence people to use it and show the value. So we were kind of we were road showing and building tools together there and kind of like a business within a business, so to speak. Right, so your security were you like CTO, because you knew?

Speaker 3:

technical security really well, or were you more just playing technical in general?

Speaker 2:

So my background, my professional, background is in deep packet network inspection and intrusion detection and then general software engineering and automation. So I was writing a lot of software to connect tools and automate manual tasks right. So I'm the technical co-founder responsible for first primarily building the technology but then building the team that now does it. Man, that's an interesting twist to go from DPI to security to security.

Speaker 3:

So how did you get to the AI part then?

Speaker 2:

AI was a natural kind of a natural option in terms of the problem space. It's actually even more obvious now to most people that making sense of unstructured language is one of the primary pain points of third-party cyber risk management and due diligence. Right At the time, I was working on tools for prediction, inference, for detection capabilities like anomaly detection and other things for SOC-related event and incident response, and I think, as a technologist in general, I'm just deeply interested in where I see the world going and it's hard to deny that artificial intelligence is here to stay and it's going to be a central component of technology moving forward. So you guys chose LLM.

Speaker 3:

RAG style right, and so one question would be what is the reference material for the RAG? Is it like just standards, or how do you leverage RAG in the type of work that you guys do?

Speaker 2:

Yeah, so the general capability that we're working on is powered by a number of different kind of fundamental prediction or artificial intelligence methods, right. So RAG is one part of the architecture or the general kind of like approach. We use traditional transformer models, we use NLP pre-trained models, we use a dataset that we've been building since we were founded and technology we've been designing since we filed for the patent in 2016,. I think Back then, transformer models or GPT was kind of not really a thing, right, but we knew that artificial intelligence was going to power the product. In terms of RAG, at Viso, we basically use a combination of traditional embedding and semantic search re-ranking alongside these transformer models, which allow us to do effectively of what we call building an assurance model alongside references to detected language that substantiate the efficacy of controls. So we're really really great at pulling out language that represents kind of a known control answer to a question or evidence to support the existence of a certain maturity level in a security program.

Speaker 3:

Interesting. So basically in this case here. So first of all for people who are listening or watching, so go over what is LLM and RAG stand for again.

Speaker 2:

So large language model retrieval augmented generation architecture is kind of a newer but now kind of standard approach of leveraging the power of a pre-trained generative model that can essentially generate language a large language model like OpenAI's ChatGPT alongside maybe a proprietary or custom data set and answer questions about it. So OpenAI wasn't trained on your company's ISO report or your internal knowledge base, but you want to use that capability to generate language alongside your data set, and so retrieval augmented generation allows you to do that.

Speaker 3:

Okay, so, like in general, like. So RAG usually goes and says like, hey, I'm going to give you this answer. Then I'm going to go back to reference documents to make sure that these answers are consistent with the reference, and I'm going to show you what references did it. Are you using the references here? Are they going to be like my FISMA and my ISO standards, or are there other type of references that you're using? Right?

Speaker 2:

So in the RAG architecture in general, you can kind of pick your poison in terms of data sets. It just needs to be language and it could be multimodal as well. For us, it's really anything that could have language related to security In our problem space. Obviously there's a number of examples of common compliance frameworks, like an ISO cert and statement of applicability or a SOC report, but we can take websites, we can take PDFs, questionnaires, really anything that has language in it, and use that to interact with and derive kind of control efficacy information. And I would say to your point about taking detections or references and then checking to see if they're an answer, or rather generating an answer and then looking at a detection to see if it supports it. It's kind of like the other way around. So ask a question or interrogate embedded language to derive what those detections might be and then determine whether they're actually substantiating a correct answer to that question. For instance, you know.

Speaker 3:

I'm just fascinated with the companies that are trying to deal with LLM and AI in general. LLM as an AI is a pain in the ass. Now, do you ever fight with your LLM? Do you ever say like no, that's wrong, and it comes back as the same thing over and over again? You know many times you prompt it to not do that. Do you ever get in those situations? Or has your LLM been really nice to you? Well, we don't have one LLM.

Speaker 2:

First of all, we're kind of similar to the approach of leveraging multiple different methodologies of inference and prediction. We also don't necessarily we don't have lock-in, it's one single large language model. At that said, like we are firmly grounded in retrieval and that pun is kind of intended there when I look at kind of the results of our we call it intelligent question response or prediction control, prediction, artifact intelligence. You know, what I look for is whether we're serving accurate information and we present the detections alongside them so you can understand whether the answer makes sense or not, right?

Speaker 3:

I mean, how do you make sure like I find LLM is flaky at times, right, so to use it for security kind of baffles my mind a little bit, but obviously you guys know what you're doing. Like a good example is you can say, hey, tell me about these five things, and it really focuses on two of them or three of them, right? So do you do like repetitive calls and say here's my governance I want to look for, and then you call it separately in order to keep it focused? Or how do you? I mean, what's your design of interacting with, like I get you know, tensorflow's and neural networks, because they're a little bit more structured, but the LLM to me is a very flaky technology for detail work, I find it. So do you? What do you do to make sure it doesn't freak out on its responses?

Speaker 2:

So I think the primary kind of control that you have is around the embeddings and source material.

Speaker 2:

And so a large language model given, you know, few-shot and specific prompts, embedded references and language, you know it's very it's not often, it's very infrequently going to produce, if not ever, a kind of like a hallucination, so to speak. When I get frustrated with like, or if I were to get frustrated with the systems that we're building, it wouldn't be because of the large language model. It's more of the our capabilities of really taking a really massive data set and and whittling it down to what's actually relevant to the, to the question or the type of information we're looking for. And that's actually less about the large language model and it's more about the retrieval side. You know, are we, could we be saving context by by using inference in some other way? Are we? Are we using kind of weighted algorithms incorrectly and semantic search, re-ranking or some other method that that takes the input and and finds the relevant source material? The large language model I think is is not necessarily as consequential for for our use case right.

Speaker 3:

So you feel like it's more programming and less prop than generic.

Speaker 2:

Absolutely, yeah. Yeah, we found success with Anthropic, with OpenAI, with Bedrock and Amazon large language models. You know, assuming the embedding and other architecture is aligned well, they're all suitable for us.

Speaker 3:

And, at the end of the day, like so. So, obviously, from a, I won't use the word governance, right, but you're trying to say, by the way, first of all, I think it's a very interesting thing that we switched from talking about third-party risk to a lot of times you're using the word trust, right, do you? First of all, how do you feel about those two words, risk and trust?

Speaker 2:

So, so I we recognize that you know the risk management function is interacting with vendors in their efforts to produce information and build trust right. I think that when we established the company and the name we were thinking about, you know a central place that you could rely on for accurate information, because in the space of third-party risk management there's a Say it.

Speaker 3:

say it, who do you?

Speaker 2:

There's a trade-off between speed and accuracy, and I think you know we don't want to make that trade-off. So what we provide is kind of like this reference material. The RAG architecture is kind of a perfect use case for it. I think that it's been very exciting to have a product that's been building around. You know this kind of use case but you know, when we produce information, we always produce a reference to it, right? So, for instance, you know this company might have a problem or they might rely, they might need you to implement a certain security control because they don't and here's where they say that right. Or here's where the SOC2 has an exception that you might be interested in. Not necessarily like just trust us, this is a medium-risk vendor. Or, you know, don't ask us where the. Don't ask us where the data comes from. Just trust us, right? No, you can actually see and interact with everything that we're using to produce the assessment.

Speaker 3:

Now, one thing different I see from you guys, from some of the other third-party risk groups it seems like you actually talk to the company you're evaluating, you go in there, you help, you know, you look at their stuff, as opposed to just scanning them from the outside.

Speaker 2:

Right, so you can provide artifacts yourself on behalf of a third-party. If you've gotten them somehow, you can point us to a business. We have a large network of information we've gathered that's publicly available. But oftentimes you need to interact with that business and the experience for them is actually perhaps the most important. And we make it very easy for a third-party to respond to an information collection effort and provide whatever they have to substantiate their security program, whether it be a SOC 2 or you know some questionnaire they answered for somebody else already. We'll take it all and we'll help our client make sense of it.

Speaker 3:

Okay, now does the client ever just? Has anybody come to you yet and said you know what, could you just run your own process against my company? Has anybody ever done that approach and say hey, you know what? Can you tell me if I should trust myself?

Speaker 2:

Sure. So we have, you know, products around trust in your own internal trust function. We allow you to build your own profile and add artifacts, interrogate it with questionnaires or questions. We expose artifact intelligence through Slack, for instance, to do chat-offs. So, for instance, if you're tired of answering questions about your own security program internally, your colleagues can ask of your intelligence those same questions through Slack or through the application right. This is a key component of affording our vendors or the third parties interacting with our product a much more friendly experience as the product develops. But today we don't primarily serve like a trust building function or trust profile yet Interesting you ever think about.

Speaker 3:

I mean, Jeremy, I just think of all the possibilities for this. Like one, I'm just envisioning my head like everybody on Slack talking to each other and instead of having one try to tell me where it sees problems, to my risk, it just goes ahead and writes the procedures I'm missing, right? I mean it just seems. It seems, if you're going to have, if you're good enough to tell me what's a problem, you should be good enough to tell me how to solve it. I don't know. What do you think of, Jeremy?

Speaker 1:

I think that's an interesting spin on the platform, but probably not the route Not the business model, not the business model. Yeah.

Speaker 3:

Did you guys raise money Russ?

Speaker 2:

Yeah, we've raised money. We've founded the company in 2020. We had our first customers then and raised seed round. We raised money again in 2021. Yeah, we're venture backed and growing, growing is an important part.

Speaker 3:

Trinket is not a never any good. See, I'm already stuttering, not even on a beer number two.

Speaker 1:

Yet so how was your experience this year at RSA? Now that it's like officially less COVID in the world, right, everyone was back in person for the first time, and en masse. How was that experience?

Speaker 2:

RSA is pretty surreal. I think these larger. I'm a DEF CON guy, not a Black Hat guy, right, but now I'm at Black Hat, now we have a booth at RSA. It's been a really interesting learning experience. It's not my comfort zone, but that's great. I love that. For me, RSA is probably like a lot of folks, like a reunion, so to speak. Now I used to work in San Francisco, right near Moscone, so RSA was like do you want to go? Stop by the floor on lunch? And now it's kind of a pilgrimage and I'm speaking with customers, I'm speaking with team members at our company and catching up, and it's just so much different now for me. I'm very happy to see it back. After. You know, I remember the RSA in 2020 kind of. It was sketchy, it was very sketchy. But anyway, it's great.

Speaker 2:

I mean you walk the floor and it's just.

Speaker 3:

you know we're back, baby Right, exactly Like everyone's here again, and you know, sure, yeah, I was gonna say we're supposed to meet with, with that company, the, the same company that does behavioral. God, it's a game, but anyways. So we're supposed to meet with them, the people were supposed to meet with them.

Speaker 1:

One of them died from.

Speaker 3:

COVID. Oh, ouch One of them. They had COVID. Oh, it was terrible. It was like, oh my God, I'm glad we didn't go to that one.

Speaker 1:

Yeah, yeah, so as far as as far as customer response, like, let's say, demand leads, viable leads or maybe even close customer contracts. Which was better for you this year? RSA or Red Hat or Black Hat? I said Red Hat, Black Hat, Dude White Hat.

Speaker 2:

You know, RSA this year was kind of more productive, I think. For me Black Hat was nice because I ended up going to DEF CON afterwards and, and you know, again, for me, like I'm, I want to get back into CTF. I want to, I want to be. You know, I had a blast in the, the large language model, CTF.

Speaker 1:

I found pardoned.

Speaker 2:

Which team did you go with? Well, this I hadn't been participating in a while. The last time, the last time I was, I was alongside folks in Samurai. That was years ago and you know, if I think about Black Hat this year, I think I think about meeting a lot of other startups and talking about challenges and going to market and some some executives and go to market kind of. For me is more about kind of like hearing directly from the customer and first. I don't know if it was just coincidence, but RSA this year was was kind of more productive and so far as we were, I was able to kind of meet with current customers and build, build stronger relationships and and maybe close a few deals.

Speaker 1:

That's good. More importantly, when you were at Black Hat, did you get to race in the Lamborghini? No, I did not.

Speaker 2:

No, I'm jealous, though I uh Would you like Paul to do that?

Speaker 1:

Not fair.

Speaker 2:

I don't know if Paul got to, I know a couple of people did. I was really happy to see that, that that the giveaway kind of was successful in that way right.

Speaker 1:

Was? Did you do something similar in RSA or did you just do that for Black Hat? For those who don't know, yeah, if you would have gone to the Black Hat conference this past August and Las Vegas, you would have had a chance to race or drive. Perhaps is a better way, Uh, in a Lamborghini Gallardo somewhere in Vegas, just for stopping by the booth and visiting the Visto Trust guys, Vice Trust guys.

Speaker 2:

Yeah, everyone's trying to attract people to their, their booth and and that was, you know, the thrill seekers stopped by, I guess, uh, there was two people who got, who got selected, and they both, you know, they showed up. I don't know why they wouldn't, but I, because sometimes I kind of feel like you know, uh, and I heard they both had a blast, so that's, that's cool.

Speaker 1:

Yeah, right on. So as we approach the close of our session um, we always like to do a, a speed round kind of questions hit you up with a few things back to back. We throw out a softball. What's your favorite sport? Hockey, nice. Now you've, you've plus one favorite team Don't say the, don't say the Avalanche.

Speaker 2:

Um, the Blackhawks, probably probably second in line for your don't, don't say this team, but yeah.

Speaker 3:

You know, I used to have that, one of the. You know, remember the old hockey games where you have the sticks and you slide the guys and spin them. Yeah, Paul, hockey always had. It was always like to me it was always uh, the Blackhawks versus the Blues. They're there. That was a very popular combination.

Speaker 2:

I always saw. I always played USA versus Canada in those games.

Speaker 1:

Yeah, that's the bubble hockey.

Speaker 3:

That seems to be like the three dimensional players. My guys were like two dimensions. That's how I get an expensive set right there, sorry.

Speaker 1:

So are you a Bedard fan or um what's? Who's your favorite player?

Speaker 2:

I mean happy and happy with the dark fan. I think like everyone is really anxious about about that. I, you know, I lived in Chicago and, um, it was a few for a few years before and then, during their kind of like reign, uh and uh, it was just, it was just another reason to fall in love with that city. Everyone was behind everyone's, behind all their sports teams, so much, and it was very exciting. I only got into hockey later in life.

Speaker 3:

Um, yeah, it's a sweet jersey, though it's a sweet jersey, I think it's consistently voted.

Speaker 2:

You know top, top design and you know, I think, like they have the full support of the, you know First Nations, or you know other, you know other folks. So it's, it's great. It's great in that way too. Right Like they're, they're properly representing, making an effort to do that, all right.

Speaker 1:

So what's your uh, what's your opinion on the rumor or what's your opinion of why Corey Perry was kicked off the team?

Speaker 2:

I mean, I think it's total, total nonsense. I don't know what happened, but you know, at the end of the day I wasn't very happy about Perry being on the team anyway, so not that disappointed.

Speaker 1:

He was chasing cups.

Speaker 3:

Oh, I know, you know, Jeremy, I just have to say Paul said he didn't like hockey.

Speaker 1:

I know so we're not having Paul back. We like Paul back.

Speaker 2:

Paul and I are like, Paul and I are alike in a lot of ways. Um, and we obviously we work really well together, but we're there's a lot of things we're not very similar on, and I think hockey fan is definitely. All right. What's your favorite food? Uh, home baked sourdough bread.

Speaker 1:

Interesting, yeah, yeah.

Speaker 2:

Yeah, I got a starter. I'm fermenting, you know, for starters, and fermenting kombucha, make my own kombucha.

Speaker 3:

That's what you should have brought. You should have brought some of that.

Speaker 2:

I should have. Yeah, I didn't have time, I'm sorry.

Speaker 1:

I wonder how hard is that process to make kombucha?

Speaker 2:

It's not hard, it's easy. It's a little bit time consuming. It's definitely easier than brewing beer, that's for sure. Yeah, it's all about timing.

Speaker 1:

You know that's it. It's like a slimy mushroom at the end of the day is what. It is right that you're drinking. Yeah, I don't know. I like it. I just never looked in too deeply into what's under the covers there.

Speaker 3:

It's a good thing. I didn't either, so you brought that up. Now I'm going to like oh man, so what's your?

Speaker 2:

favorite. I mean, these are all microbes and they're delicious Sure. Yeah, embrace nature's.

Speaker 3:

Hop's really isn't that slimy though. So, Russ, I mean, I think the other softball question on the end is what's your favorite DEF CON story? Everybody has like a true DEF CON story. Is it one that we can talk about?

Speaker 2:

I have a friend that that had broke their leg at DEF CON, let's say doing some physical pen pen testing work. That was pretty, pretty gnarly Sanction testing work.

Speaker 1:

What's that it was like on the, on the, on the, in the heat of the moment, some pen testing work, or was it sanctioned, or does that matter?

Speaker 2:

It's nice. Yeah, I can't say there were, there were somewhere, there weren't supposed to be. Let's just say that. And yeah, I mean, a highlight for me is always just like connecting with with old folk, old pals, right. I mean like it's like it's like times stand still there, right? Yeah, every time I go back and meet, meet up with friends and former colleagues, it's like we're back in the SOC and we're having a blast. It's great.

Speaker 1:

I think the last question I have for you is how did you come up with the logo and is there some significance to the hand and the eyeball, and sure?

Speaker 2:

Yeah, so the inspiration comes from the Hamsa. It's kind of a known kind of icon and meant to protect from evil. And you know, I think we we like it because it's striking, but it also has that kind of storied, kind of ancient, you know, story of protection from evil and I do think that we are a trusted source of information that helps people avoid problems, protects, protects, unicents, right, and for that reason I'm really, I'm really happy with it.

Speaker 1:

Well, that's great. I think it's cool. I when I first saw it I was like, hmm, hieroglyphics, where did this come from? I started trying to dig into the iconography, came up with some interesting wackadoodle stuff and some you know.

Speaker 2:

But yeah, and VISO, so the name, it's an acronym for Vendor Information Security Oracle. Okay.

Speaker 1:

That is a nugget. It was like how did you come up with the long I versus short I approach to the word? That was my concern. Okay, yeah.

Speaker 2:

Yeah, I think it's. There's a Spanish word for for light and shedding light it's. It all works well together. It's great it's. If you dig into it, it really makes a lot of sense, right.

Speaker 1:

Well, you know what, and we want to thank you for joining us this week on the Beers & Bytes podcast. It's been a great conversation.

Speaker 2:

Hopefully the pleasure has been mine. I really appreciate it. It's been great chatting and congrats to all of y'all. Success and like yeah, you can sign up for free at, for VISO, at visotrust.com, slash sign up.

Speaker 3:

We should have snuck out of the bird beginning. I think we can do that again.

Speaker 1:

Yeah, I want to actually thank 818 Brewing because that was a very good beer and again it's called the snuggles and if you're in the Southern California beer aisle you might be able to find it, especially if you're in the Valley. So definitely check it out.

Speaker 3:

I really think they should have been called care beer. You know, like care beer, here we go and he has like a little little sign on his tummy.

Speaker 1:

That's perfect. I think we have a new logo idea. Give away, that's right, well, thank you everyone. Once again, like us subscribe? There's buttons here here.

Speaker 3:

Here, I don't know what are these things?

Speaker 1:

Some actually is going to put them in there.

Speaker 3:

But we'll see. Smash it. Whatever it is, smash it. Awesome.

Speaker 1:

Thank you, Take care.