Laws of the forest

The forest is huge and wild: a digital landscape shaped over decades by nature’s own processes, by human activity and by neglect. It does have laws, though, both human-made and inescapably natural.

Security awareness program professionals are often too constrained in their ability to execute. The top three limitations are usually lack of leadership support, limited budgets and lack of time. Of these, lack of leadership support appears to have the greatest impact on awareness program maturity. Close behind it comes the inability to engage employees and change behaviours, which indicates that programs are not “sticking” the way leaders would like.

Conventional pentesting aims to find as many technical vulnerabilities as possible. Such engagements are limited by time and budget, a narrow scope, the effort to keep the tests as non-disruptive as possible, and a heavy IT focus. Real black hat adversaries are bound by no such rules of engagement and are largely unrestricted in their actions.

Bug bounty programs let companies leverage the hacker community to continuously improve the security posture of their systems. They come with their own challenges, though: they are hard to manage and expensive to run if an organisation does not plan accordingly or lacks cybersecurity maturity.

A gray hat red team can simulate real attackers more closely, yet it still has to respect the law and corporate policy while operating. This limits how realistically certain scenarios can be played out; such scenarios can instead be played out on paper or in tabletop exercises.

Blue teams may have to deal with organisational policies, rules and politics, understaffing, insufficient budgets, employees who undo and undermine security efforts, and leadership that does not take the threats seriously enough. Where that is the case, there is likely a “security debt”: a buildup of application and infrastructure vulnerabilities in the IT environment that increases the odds of a breach and impedes effective cyber defence.

Purple teaming is one of the most effective ways to grow your defences and raise the maturity of the organisation quickly, especially when an internal offensive security team can work alongside the blue team throughout.

There is no shortage of cybersecurity training and certifications for security professionals, yet most programs are focused on session completion rather than outcomes. This outmoded approach to training does not translate into measurable improvements in cybersecurity knowledge, skills and judgement, the things that lead to long-term resilience.

Our services

Large organisations and corporations can afford colourful teaming (and even then, the budget is often too small). Smaller organisations probably cannot afford such costs at all. And there is no one-size-fits-all: perceptions of the current state differ, even within a single organisation, which makes it difficult to find common ground to start from. A feasible, agreed-upon desired state is just as essential for any colourful program.

Meanwhile, as long as there are vulnerabilities, users are at risk. It is incumbent on security professionals and researchers to prevent, find and fix these vulnerabilities before an attacker takes advantage of them and harms users.

We offer low-budget support for programs that share a similar stance on security. Depending on our current financial state, we even offer free (no-cost) services to not-for-profits and activists.

Low-budget or free does not mean the services are of low value; on the contrary. Contact us at the Unseen University to find out how we could work together.

Important note

You do not have to wear a pointy hat or grow a beard. We just use unserious seriousness (or was it serious unseriousness?) to maintain our sanity while in paranoia mode.