Savage Security has been acquired
And yes, this is a ‘good news’ sort of acquisition
Honestly, the only bad thing that comes to mind when I think about our acquisition, which has already been a few months in the works now, is that Kyle and I (and our customers) will miss the Savage name and brand dearly. We spent a LOT of time building our philosophy and the brand naturally grew around it. Savage is actually my grandmother’s maiden name (no, I’ve never used it as the answer to a security question), but the name’s small ‘s’ meaning always spoke to the heart of what we do: plow through all the noise, assumptions and bullshit in this industry to find the most effective ways to keep employees, customers, systems and data safe.
The philosophy won’t be changing.
In fact, our only bad news leads us to the best news: we were approached to be acquired by another company has the same philosophy and independently came to a lot of the same conclusions we did.
Our History with Threatcare
I first worked with Marcus Carey at a consulting firm where I was picking up some side work and he was building their online portal. I was fascinated by the idea of performing a pentest that didn’t result in a written report. The customer would just log into the portal and everything was already there for them. This was in 2012, I think. Already, Marcus was associated with some of the ideas that eventually inspired Savage Security.
Come 2013, and Marcus is publicly sharing a tool called ‘ThreatAgent’.
Already, we’re chatting and collaborating on ideas, even if it is just on Twitter.
2014 — Marcus starts something called FireDrill.me and we chat about it on Twitter.
2015 — The service is renamed to vThreat and we miss a chance to chat in person at Black Hat. I miss Derbycon for the first year and miss meeting Marcus there, too. In October, we have our first formal briefing on vThreat and I get my first chance to create an account, play around with the product and start giving direct feedback.
2016 — Marcus prepares what he calls v2.0 of vThreat and I write up his company for 451 Research.
Not long after, Kyle Bubp and I have that fateful rant-filled, but delicious lunch. At this lunch, we both realize how sick and tired we are of the industry’s comfort level with its own lack of action. Before the lunch is over, we both resolve to do something about it. The idea of Savage is born.
Over the next 6 months, we build the business in our spare time.
2017 — Savage Security goes public in April. Marcus rebrands as Threatcare and later on, introduces Violet, which we covered. As Threatcare begins adding staff and growing in earnest, we form a formal partnership. We want to use Violet on our consulting engagements and Threatcare could use our help with marketing resources and product feedback.
Later in the year, we announce our subscription services — the result of deconstructing everything good and bad about the current state of security consulting. We come to the conclusion that expensive, monolithic ad-hoc services provide little value to all but the largest and more mature organizations. A description that doesn’t fit 99% of the businesses we come into contact with.
Threatcare + Savage = CyberEureka
Not only were we providing more targeted assistance on a more frequent basis to our subscription clients, we were using Violet to do it. Unbeknownst to us, Threatcare continually gets asked about services, services, services. “Violet is great, but we also need some hands-on help,” was the common refrain. At some point, it clicked for Marcus and he called us up.
“Brah, I’ve got an idea. You ready for this?”
If you’ve never experienced Marcus when he has an idea, it’s infectious. Idea Marcus gets you pumped up. Something about that let that lets-build-some-amazing-shit-right-now enthusiasm infects you… and before you know it, you’re sold on it.
One of my weaknesses is my ever-present optimism. No, I’m not humble-bragging — if I’m not careful, this optimism will lead me to over-promise and under-deliver. That’s where Kyle steps in with my reality check. Despite Idea Marcus and Optimist Adrian, Kyle and I spent a few weeks weighing what was best for us, our customers and the business. We did our due diligence and Marcus’ logic was sound. The pairing made sense.
Back at 451 Research, I often observed that vendors with services could have it easy — if they leveraged honest feedback from services into product R&D, they’d never be blind-sighted by major design flaws or common customer issues. We’ll retire the Savage brand, but our services will have that same ‘Go Savage’ philosophy behind it, with the added benefit of Violet’s automated simulations.
In addition, one of the things I was eager to do at Savage was to help vendors improve their products’ success with customers. But, Threatcare is a vendor and vendors are weary of other vendors, right? That’s traditionally true, but I don’t see any long-term success for our clients in this industry if vendors can’t work together.
I see Violet as a key piece we’ve been missing in this industry — a product that can tell you whether or not we’re getting value from all our other products. It can reveal whether or not they’re working correctly, or are working at all. It can test the response and effectiveness of MSSPs. It can hold the industry’s feet to the fire, true, but we won’t solve this industry’s problems through shaming. Our goal is first and foremost to make it easier and simpler to defend the enterprise and that’s not going to happen through a vendor-on-vendor legal deathmatch tournament.
Through partnerships we’ll find and fix flaws quickly. Working with customers and the community, we’ll form new best practices and find better ways to configure tools and mitigate attacks. We’ll find a way for defenders to gain confidence in their own tools and take the advantage back from attackers.