Join Us at Black Hat USA 2019

August 3rd – 8th, 2019, Las Vegas

Black Hat USA is back for the 22nd year, bringing together leaders in the information security industry, including the provider of the most comprehensive vulnerability and breach intelligence, Risk Based Security.

If you’re attending, then we’re excited to see you there.

Expert Presentations


Jake Kouns, CISO, Risk Based Security
2:40-3:30pm on Wednesday, August 7 at Mandalay Bay CD
Format: 50-Minute Briefings | Track: Cyber Insurance

This session will provide information on the current data breach landscape and then discuss how Cyber Insurance is being integrated into a risk management plan. Information Security professionals and incident responders are in many cases unaware of how the cyber insurance process works when there is a data breach and do not understand the requirements that can affect the incident response process.


Jake Kouns, CISO, Risk Based Security
11:00-11:30am on Wednesday, August 7 at Booth #1620

The Brinqa platform connects, models and analyzes all relevant security, context and threat data to deliver knowledge-driven insights for vulnerability prioritization, remediation and reporting. And now, with the VulnDB connector, you can integrate the leading source of vulnerability intelligence to empower you to make the right risk decisions. In this session you’ll learn why Better Data Matters, and see a demo of how VulnDB intelligence integrates into the Brinqa environment.

Meet With Us at Our Hospitality Suite

We’re excited to extend an invitation to the Risk Based Security Hospitality Suite, conveniently located in Mandalay Bay.

Catch your breath, grab some swag and chat with our team about your information security challenges. We’d be pleased to give you a personal demo of our products.

Just click below and we’ll work with you to schedule a time that works.

Join the Fun


5:30-7:30pm on Tuesday, August 6
Aureole Restaurant, Mandalay Bay

Join GuidePoint Security and Risk Based Security for drinks, snacks and a few surprises! The Aureole lays claim to being amongst the finest restaurants in the United States, with an impressive outdoor patio that makes for one of the most beautiful settings on the Las Vegas Strip.

There’s plenty of space, so bring your whole team, but this popular event is expected to sell out so don’t forget to RSVP.

A Scanning Solution is Only as Good as the Vulnerability Data That Drives it

We had some great conversations at JFrog’s user conference, SwampUp 2019. Brian Martin, our Vice President of Vulnerability Intelligence, took part in an all-star keynote of experts where he discussed how our VulnDB® service helps secure JFrog Xray user pipelines.

The integration of VulnDB allows DevOps teams to discover, receive notifications on, and help remediate vulnerabilities in third-party libraries and dependencies early in the development cycle. As JFrog puts it, “a security scanning solution is only as good as the database of vulnerabilities that drives it.” Driven by Risk Based Security’s comprehensive data, Xray with VulnDB is the best security intelligence solution on the market for developers. 

Why does data from VulnDB give you an edge?

VulnDB is the most comprehensive source of vulnerability data available, with almost 69,000 vulnerabilities that are not found in CVE or the National Vulnerability Database (NVD). As Brian shared in his SwampUP keynote presentation, an average of about 70 new vulnerabilities are disclosed every day. That is an alarming volume, especially if your organization isn’t seeing the complete picture, and it is why our rallying cry is #BetterDataMatters. VulnDB goes well beyond other databases because we actively look for vulnerabilities and talk with the DevOps community to make sure we are monitoring the libraries they actually use. VulnDB includes more vulnerabilities and carries more metadata and research on each entry, so you can arm your organization with the most complete and up-to-date information available and make data-driven decisions to manage and prioritize risk mitigation effectively.

With this in mind, let’s look at some real-world applications. Recently, Sophos put out a very thought-provoking article that made some interesting points:

  1. Most vulnerabilities aren’t exploited, and if they are, they tend to have a high CVSS score.
  2. There is apparently no relationship between the proof-of-concept (PoC) exploit code being published online and the start of real-world attacks.
  3. A “reference tagging” machine learning model is the most efficient way to decide which vulnerabilities to patch.

Sophos based their conclusions on a whitepaper published by researchers from the Cyentia Institute, Virginia Tech, and the RAND Corporation. The findings were extremely engaging; however, the data used to support these claims is lacking in comprehensiveness.

Looking further into the data, it is apparent that the researchers relied heavily on security sensors keyed on CVE IDs, meaning that only vulnerabilities with a CVE were considered. That leaves almost 69,000 vulnerabilities out of the study. To make matters worse, security scanning devices tend to cover only about half of the vulnerabilities in CVE, which shrinks the subset of data even further.

In addition, Risk Based Security believes the machine learning models used in the study may have miscategorized targeted attacks. When someone determines that a remote target is running specific software and then tries a comprehensive list of attacks against it, a detected attack would likely be labeled incorrectly. Since the researchers based their findings on CVE data, it is highly likely that their sensors were not aware of specific vulnerabilities and produced a generic label such as “Generic XSS” instead. This could have skewed the results.

Last, these types of reports typically don’t share their full methodology, let alone what their sensors are capable of matching against, so there is no way to reproduce or validate the findings. Unfortunately, if the research is based solely on CVE data, several vendors performing a similar study will arrive at the same rough figures. CVE is the industry “standard,” yet it is missing a huge number of vulnerabilities, many of them with high CVSS scores and affecting major vendors. As previously stated, “a security scanning solution is only as good as the database of vulnerabilities that drives it.”

#BetterDataMatters. We would be very interested to see whether the findings would hold if more complete and up-to-date data were used.

Interested in learning more about Risk Based Security’s suite of products? Click here to schedule a demo and see how much more comprehensive VulnDB is compared to other security solutions on the market.

Kick Off #RSAConference 2019 With Us

2019’s RSA Conference is just over a week away. Once again we are joining forces with the good folks at GuidePoint and sponsoring Monday night’s Social Hour reception. Come kick off the conference with us – and our latest integration partner Splunk – with some friendly conversation over food and drinks.

Where: Temple Club

540 Howard St (just up the street from the Moscone Center)

When: Monday, March 4, 2019

6:30 – 8:30 pm

All are welcome but registration is required. Don’t miss out, register here.

We’ll also be exhibiting this year! Come visit us at booth #6285 in Expo North. We’ll be there to talk about all our latest integrations, our new partnership with JFrog, and of course the latest features in VulnDB, Cyber Risk Analytics and YourCISO. Be sure to swing by early before the supply of VulnDB bug swatters runs out!

We hope to see you there!

About Risk Based Security

Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner. In addition, our YourCISO offering provides organizations with on-demand access to high quality security and information risk management resources in one, easy to use web portal.

VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest security vulnerabilities via an easy-to-use SaaS portal or a RESTful API for easy integration into GRC tools and ticketing systems. VulnDB allows organizations to search on and be alerted to the latest vulnerabilities, both in end-user software and in the third-party libraries or dependencies that help build applications. A subscription to VulnDB provides organizations with simple-to-understand ratings and metrics on their vendors and products, and on how each contributes to the organization’s risk profile and cost of ownership.

Start the New Year Off Right! Join RBS in Exploring More from Cybersecurity to Cyber Risk at the 12th e-Crime & Cybersecurity Conference in Germany on January 23, 2019

It is imperative that companies evaluate, build, and mature their cybersecurity processes and select risk analysis and security products that lead to profitable business outcomes.

According to a survey published by Bitkom, Germany’s IT sector association, “Two thirds of Germany’s manufacturers have been hit by cyber-crime attacks, costing industry in Europe’s largest economy some €43 billion.” As a result, cyber professionals are constantly tasked with understanding the P&L impacts of key risk mitigation techniques.

Knowing these facts, many companies are asking, “How can cybersecurity integrate with existing risk management infrastructure?” And more importantly, they need to know how they can build cybersecurity processes that focus on the most important business outcomes.

Risk Based Security EU would like to help. That is why we are sponsoring and attending the 12th e-Crime & Cybersecurity Conference in Germany this January.

RBS knows that when you understand the risks, you can better manage and select the right security. If you’d like to know more, we’d love to help you with the maturation process from simple cyber-security to cyber risk management.

We hope to see you at the beautiful Steigenberger Frankfurter Hof for the 12th e-Crime & Cybersecurity Conference in Germany.

Reach out to Michael Mortensen at [email protected] to book a time-slot while at the conference to discuss what Risk Based Security’s Cyber Risk Analytics and VulnDB can do to help meet your unique needs.

[Webinar] The Data Breach Landscape – Trends and Highlights Through September 2018

Q3 2018 Data Breach QuickView Report was released last week. Let’s dig in and talk about what it all means!
Join us this Wednesday for a fun and informative look at the breaches and trends shaping the data loss landscape through the third quarter of 2018.
Webinar At A Glance:

  • Wednesday, November 14, 2018
  • 12pm Eastern
  • 30 minutes

We hope you will join us and look forward to sharing our findings!

Sponsorships! Speaking Engagements! And Bears, OH MY!

We’re just kidding about the bears. The Risk Based Security team has a lot of exciting events on the calendar for October. First we’re off to Orlando to sponsor Splunk .conf18. Then, Jake Kouns is hopping transport to speak at the Wall Street Journal Pro’s Small Business Academy event along with other industry leaders. Next, the Risk Based team is hosting a booth at GridSecCon 2018 in Las Vegas. And finally, Jake’s dropping some industry knowledge at Richmond IEEE Power and Energy Society back in RVA. Details on these events are provided below.

Splunk .conf18

We’re sponsoring Splunk .conf18, Splunk’s premier education and thought leadership event for security and IT professionals. Are you attending? Come see us at our booth! We’d love to chat about vulnerability intelligence, data breach statistics and trends, and, of course, sandwiches. We’re just kidding about the sandwiches. Click here for details and to register.

Where: Orlando, FL

When: October 1 – 4

Wall Street Journal Pro’s Cybersecurity Small Business Academy

Jake is speaking on day one of the WSJ Pro Cybersecurity Small Business Academy conference: two days of expert insight, practical guidance, training and specialist advice to help executives and senior practitioners build and manage cybersecurity strategy, delivered by the Wall Street Journal’s WSJ Pro Cybersecurity team. Find out more about the event here, and register to attend.

Where: Monarch Beach Resort, Dana Point, CA

When: October 15 – 16

GridSecCon 2018

NERC’s Electricity Information Sharing and Analysis Center and the Western Electricity Coordinating Council are hosting the eighth annual grid security conference in mid-October. Risk Based Security team members, as well as other industry and government cyber and physical security experts, will be there to collaborate on emerging security trends, policy advancements, and lessons learned related to the electricity industry. Come visit our booth! We can’t wait to see you, so click here to register.

Where: Flamingo Las Vegas, Las Vegas, NV

When: October 16 – 19

Richmond IEEE Power and Energy Society

Securing the nation’s critical infrastructure from malicious actors is gaining momentum as a priority. The IEEE Power & Energy Society is the world’s largest forum for sharing the latest technological developments in the electric power industry, with chapters located around the world. We’re pleased to be able to support the education efforts of the local Richmond chapter with a presentation in late October. Jake will be the speaker for the Richmond IEEE Power and Energy Society, for a talk that might just include a reference or two to CyberSquirrel1.

Where: 2501 Grayland Ave, Richmond, VA 23220 When: October 26, 10:30am EST

RBS Hits The Road In September

The Risk Based Security team will be participating in some exciting events in September. Inga Goddijn will be sharing her industry knowledge at an upcoming webinar hosted by our partners at Privacy Ref. Additionally, Risk Based Security will be on the ground in Colorado, attending the Cherwell Global Conference 2018. We’ll close out the month in Detroit at the Auto-ISAC Summit. Details on these events are provided below.

Privacy Ref’s “Data Breach Review | Third Quarter” Webinar

Listen to Inga Goddijn during Privacy Ref’s “Data Breach Review | Third Quarter” webinar as she shares her extensive knowledge on data breach statistics and trends.

Where: Webinar. Click here to register.

When: Wed, Sep 12, 2018 1:00 PM – 2:00 PM EDT

Cherwell Global Conference 2018

We’re thrilled to partner with Cherwell, and we’re looking forward to meeting up with you at the Cherwell Global Conference 2018! Risk Based Security team members will be on site to meet and mingle, and we’d love to chat with you about Risk Based Security and our partnership with Cherwell. Registration for the Cherwell Global Conference 2018 (#cgc18) is required, so be sure to sign up here to attend.

Where: The Broadmoor Hotel & Resort, Colorado Springs, CO

When: September 18 – 20

Auto-ISAC Summit

The 2nd Auto-ISAC Cybersecurity Summit is set to build on the success of the inaugural event last year, and we didn’t want to miss it. With the exciting new innovations and technologies for automotive and autonomous vehicles, staying ahead of emerging threats requires a concerted effort to work together across the automotive ecosystem to share ideas and strategies. We’re sending Risk Based Security team members to the summit to collaborate and hear more about the cybersecurity issues unique to the auto industry. Come visit our booth! We can’t wait to see you, so register here to attend.

Where: Motor City Casino, Detroit, MI

When: September 25 – 26

Thoughts On The NTIA Software Component Transparency Meeting

I was able to attend the NTIA meeting on Software Component Transparency on July 19th, 2018 hosted in Washington, D.C. at the American Institute of Architects. The meeting was webcast and might eventually be published for others to watch in the future.

This was our first time attending (though we really should have been at the previous meetings), and the meeting was well done from our perspective. Allan Friedman, who was the moderator/facilitator, was quick to point out how these meetings can be chaotic and have their moments, but I really didn’t see that in this session. Perhaps it was a sign of people playing well in the sandbox together. There were a lot of different perspectives due to having security vendors, software vendors, end consumers, and government agencies in attendance.

As a new attendee, I went into the meeting intentionally focused on listening and learning as much as possible, rather than expressing my opinions or having my comments viewed as pushing our VulnDB product. This was really challenging at times. I’d encourage other outspoken security practitioners in our industry to give it a try! When focused only on listening, one tends to hear all that is said rather than concentrating on what to say next. So, while I was biting my lip a lot to make sure I was hearing everything, I decided to take my own extensive notes. Here are my thoughts and observations from the meeting.

Almost all participants’ comments kept coming back to vulnerabilities.

  • This makes sense, as the main use case for everyone is to understand whether they are using vulnerable libraries in their own software, but the meeting wasn’t intended to focus much on the vulnerabilities themselves. Rather, the purpose was to focus on the “SBoM” topic (Software Bill of Materials), so many times it was stated: “Let us focus on the SBoM.” However, the SBoM is so closely tied to the vulnerability aspect that it repeatedly came up in conversation. This validates the critical relationship between SBoMs and vulnerability management.

CVE is incomplete.

  • This isn’t news and has been the case for a decade. We should collectively just agree that this will not change dramatically or sufficiently enough to support proper vulnerability management in the next decade. Either way, it was refreshing to hear so many people acknowledge that CVE/NVD is incomplete.
  • Despite a general consensus that it’s inadequate, many vendors in the room still stated that they only use CVE! This is pretty horrible for the security ecosystem. At what point are there potential legal implications for a company that knowingly relies solely on incomplete vulnerability data?

It is important to know that libraries are often not researched properly.

  • Just because there isn’t a known or published vulnerability doesn’t mean the library is secure. As an example, one new Risk Based Security (RBS) client couldn’t find 40 products in VulnDB that they wanted to monitor and wasn’t sure whether that meant there were no known vulnerabilities in those products or that we weren’t monitoring them. We have support plans that allow our customers to ask for products and libraries to be researched. In this case, when the RBS research team investigated, 20 of those 40 products (50%) were found to have vulnerabilities! So, it is important to recognize that unless someone is incentivized to spend the time to find vulnerabilities and disclose them, it isn’t happening.

Make sure you are using the “right” libraries.

  • This is another reason why an SBoM is so important from a strategic standpoint. Organizations need to implement more problem management and root cause analysis on the products and libraries that they are using in their software. Too many companies play whack-a-mole with vulnerabilities while only using data from CVE, which makes the problem even bigger.
  • There are some libraries or components that are not going anywhere for many organizations. Even if they wanted to get rid of one, they would find it difficult or even impossible. However, it is important to know more details when there are options and most definitely prior to selecting a new library.
  • Reviewing an SBoM and then seeing which libraries are most likely to put you at risk for a compromise is essential these days. Vendor and product ratings can help accomplish this: these ratings let you understand the code maturity of the libraries, and the history of how long it takes for a vendor to get fixes published etc.

Library upgrades can often introduce breaking changes.

  • This makes it extremely challenging to rush these fixes into your own codebases. For this reason, libraries that are built with security in mind and don’t have a lot of vulnerabilities to begin with are, obviously, preferred. We publish Code Maturity metrics, among others, in VulnDB to give clients perspective on how many vulnerabilities, and how much work, they can expect in keeping each library secure.
  • Furthermore, there are a lot of vendors (and even security vendors), who believe that most vulnerabilities don’t need to be fixed; they reason that if it isn’t exploitable by their analysis, then it is not worth addressing.

Some vendors in attendance focus only on fixing vulnerabilities that have public/known exploits.

  • While this is a valid criterion to help prioritize, only fixing these vulnerabilities is a very concerning approach. For the most part, the exploitability of a vulnerability is not fully known until exploitation actually happens, and at that point it is too late for people to scramble to apply fixes.
  • To further complicate this approach, there are often times when there are disagreements on what is considered exploitable by different vendors and researchers. Discussions around a vulnerability that can be exploited versus likely to be exploited can be highly contentious. Some vulnerabilities seem straight-forward while others seem theoretical, but history has proven many times that “theoretical” may be the infamous “famous last words”. One person’s “theoretical” issue is another person’s working exploit.
  • Year over year, we see approximately 30% of vulnerabilities with a public exploit or sufficient details available to trivially create one. Here are some quick statistics I pulled right after the NTIA meeting (vulnerabilities with a public exploit or sufficient details, out of the total disclosed):
    • 2017: 6,892 of 21,834 total vulnerabilities (31%)
    • 2018 (year to date): 3,566 of 11,674 total vulnerabilities (30%)

Mapping of packages/components to common standard is going to become even more important.

  • CPE is painful to work with as it is. For tracking vulnerabilities in libraries it is even less useful, and no one is generally suggesting that it be the standard moving forward. There are quite a few other standards, including SWID, SPDX, CycloneDX, Package URL, and others.
  • There was a lot of discussion at the meeting on naming standards and which one is best. The truth is that currently none of them really meets the needs of everyone. While each standard seems to have its supporters and people lobbying for it to be used, we hope that one will ultimately be picked as the recommended approach. Package URL appears to solve most of the mapping issues on its own, but from the meeting it looks like some form of SPDX combined with Package URL might be the best approach forward.
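The matching loop that everyone at the meeting kept coming back to (the SBoM use case and the CVE-incompleteness point above), as an added example that is not code from this post, from RBS, or from the NTIA working group: it parses Package URLs out of a CycloneDX-shaped SBoM, joins them to an OSV-style advisory feed with introduced/fixed version ranges, and shows what a consumer that only acts on CVE-backed advisories misses. The package names, versions, advisory IDs, the `in_cve` flag, the feed layout and the simplified purl normalisation rules are all constructed assumptions for this illustration.

```python
# Added example (not from the original post): join a CycloneDX-style SBoM to a
# vulnerability feed by Package URL and report affected components. Package names,
# versions, advisory IDs and the feed layout are constructed for illustration.
import json
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]

    def key(self) -> str:
        """Version-less identity used to join SBoM components to advisories."""
        ns = f"{self.namespace}/" if self.namespace else ""
        return f"pkg:{self.type}/{ns}{self.name}"


def parse_purl(text: str) -> Purl:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath (qualifiers/subpath dropped)."""
    if not text.startswith("pkg:"):
        raise ValueError(f"not a Package URL: {text!r}")
    body = text[len("pkg:"):].lstrip("/")
    body = body.split("#", 1)[0].split("?", 1)[0]
    version = None
    at = body.rfind("@")
    # '@' introduces the version only if no '/' follows it, so an unencoded npm
    # scope such as pkg:npm/@acme/widgets is not mistaken for a version separator.
    if at > 0 and "/" not in body[at:]:
        body, version = body[:at], unquote(body[at + 1:])
    segments = [unquote(s) for s in body.split("/") if s]
    if len(segments) < 2:
        raise ValueError(f"missing type or name in {text!r}")
    ptype, name = segments[0].lower(), segments[-1]
    namespace = "/".join(segments[1:-1]) or None
    # Type-specific normalisation, simplified from the purl spec (assumption: only
    # these two rules are needed for the constructed data below).
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    elif ptype == "npm":
        name = name.lower()
        namespace = namespace.lower() if namespace else None
    return Purl(ptype, namespace, name, version)


def version_tuple(version: str) -> tuple:
    """Loose dotted-version ordering: numeric pieces as ints, anything else as text.
    Assumption: adequate for the semver-like versions below; a real scanner needs
    ecosystem-specific rules (pre-releases, epochs, Maven qualifiers)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-+]", version))


def is_affected(version: str, rng: dict) -> bool:
    """OSV-style half-open range: introduced <= version < fixed (no 'fixed' = still open)."""
    v = version_tuple(version)
    if v < version_tuple(rng.get("introduced", "0")):
        return False
    fixed = rng.get("fixed")
    return fixed is None or v < version_tuple(fixed)


def match_sbom(sbom: dict, advisories: list, cve_only: bool = False) -> list:
    """Return (component purl, advisory id, in_cve) for each component in an affected range.
    cve_only=True mimics a consumer that only acts on advisories that have a CVE ID."""
    by_key = {}
    for adv in advisories:
        for aff in adv["affected"]:
            by_key.setdefault(parse_purl(aff["package"]).key(), []).append((adv, aff))
    findings = []
    for comp in sbom.get("components", []):
        purl = parse_purl(comp["purl"])
        if purl.version is None:
            continue  # an unversioned component cannot be range-matched
        for adv, aff in by_key.get(purl.key(), []):
            if cve_only and not adv["in_cve"]:
                continue
            if any(is_affected(purl.version, r) for r in aff["ranges"]):
                findings.append((comp["purl"], adv["id"], adv["in_cve"]))
    return findings


# Constructed SBoM in CycloneDX JSON shape (one purl per component).
SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.1",
  "components": [
    {"type": "library", "purl": "pkg:npm/%40acme/widgets@1.4.2"},
    {"type": "library", "purl": "pkg:pypi/Acme_Parser@2.0.1"},
    {"type": "library", "purl": "pkg:maven/com.acme/core@3.1.0?type=jar"},
    {"type": "library", "purl": "pkg:npm/left-trim@0.9.0"}
  ]
}""")

# Constructed feed; 'in_cve' records whether the advisory also exists as a CVE entry.
ADVISORIES = [
    {"id": "EX-ADV-1", "in_cve": True, "affected": [{"package": "pkg:npm/@acme/widgets",
        "ranges": [{"introduced": "1.0.0", "fixed": "1.4.3"}]}]},
    {"id": "EX-ADV-2", "in_cve": False, "affected": [{"package": "pkg:pypi/acme-parser",
        "ranges": [{"introduced": "2.0.0", "fixed": "2.1.0"}]}]},
    {"id": "EX-ADV-3", "in_cve": True, "affected": [{"package": "pkg:maven/com.acme/core",
        "ranges": [{"introduced": "0", "fixed": "3.0.0"}]}]},
]

if __name__ == "__main__":
    for purl, adv_id, in_cve in match_sbom(SBOM, ADVISORIES):
        print(f"{purl}: {adv_id} ({'has CVE' if in_cve else 'no CVE'})")
    print("CVE-only view:", [f[1] for f in match_sbom(SBOM, ADVISORIES, cve_only=True)])
```

Two of the four constructed components land in an affected range; the maven component is past its fixed version and the last one has no advisory at all. Switching on `cve_only` drops the pypi finding, which is exactly the blind spot a CVE-only consumer has: the join itself worked (the purl normalisation maps `Acme_Parser` onto `acme-parser`), but the advisory never made it into CVE.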

Security Through Obscurity is still important to many vendors.

  • This concept is still a big issue for a lot of vendors and was on people’s minds during the meeting. Most vendors don’t want anyone to know their attack surface, as it could be used against them. Many also don’t want attackers to know about any of their vulnerabilities, but that is simply impossible.
  • While a lot of people believe that security through obscurity isn’t a valid approach, in some ways knowing this information does help focus researchers, or motivated and funded attackers, on the software they need to target to accomplish their goals.
  • Many vendors and companies just do not want to provide a SBoM at all. Everyone has some skeletons in the closet from old libraries or things that have not been done quite as they should have along the way, such as:
    • Using libraries without honoring the license
    • Using outdated and vulnerable libraries

Make sure others outside of IT security are involved in the SBoM conversations.

  • There are many other departments at an organization outside of security that are interested in an SBoM. This includes procurement and legal as they need this information as well. Instead of trying to push this solely as a cyber security issue, it is important that each organization engage other departments including those involved with ITIL processes, and hopefully they will be included in future NTIA meetings as well.

The meeting went over a lot of topics and was very productive overall. Solving the SBoM situation is complicated but needs to be done sooner rather than later. For some organizations the work is largely already done and only needs a few additional pieces pulled together to make it more effective; other organizations still need to get on board with a single standard. Too many forks and too many disparate things lead to more problems, as we have seen with prior “standards”.

Based on the first NTIA meeting, it was encouraging to see that more attendees appeared to agree on this topic than do not. It will be interesting to see what additional material and accomplishments can be produced via subsequent working groups, and we at RBS are excited to continue to be part of the process.

Join RBS At Hacker Summer Camp 2018

  • Tuesday August 7th
  • At the Aureole in the Mandalay Bay
  • From 5:30pm to 8:00pm
  • If you would like to meet with our CISO, Jake Kouns and our Chief Research Officer, Carsten Eiram, contact us and we will get a meeting scheduled for you!


    Cyber Risk Analytics

    Security ratings and data breach intelligence for better vendor risk management


    182,000+ Vulnerabilities and Counting
    The definitive source of vulnerability intelligence, tracking over 20,000 vendors and over 60,000 vulnerabilities without a CVE!


    Security Program Platform For Your Supply Chain

    Tools, templates, monitoring options and fractional CISO advisory solution for improving the security of your vendors



    Security Vendor Sales Pitches and Empty End Point Promises

    With the RSA conference coming to an end, it is always interesting to see all the different security vendors and the various promises that they make about their products’ capabilities. While some vendors tout old and broken solutions as new and groundbreaking, for the most part we see products marketed around hot buzzwords such as blockchain, artificial intelligence, machine learning and orchestration. 

    One of the best booths at RSA this year was from F.A.K.E Security, which pretty directly called out the industry. While we aren’t sure who is behind it at this point, it was a pretty epic troll regardless and calls out a lot of what we see as wrong in the industry. There was no doubt, from what we could tell walking the RSA floor, that the battle for endpoint security products continues to rage on. More and more vendors are claiming that they can stop any sort of attack, any vulnerability, ransomware, or anything else that keeps you up at night. We recently came across a salesperson from an endpoint firm who took it a step further by promising to solve the whole vulnerability management challenge, sharing the following on LinkedIn about their product:

    No harm comes from vulnerabilities by themselves. A lot of harm comes when they are attacked.  Defenders are squeezed between two false choices: patch all possible vulnerabilities; or identify, detect, and respond to all possible attacks against all possible vulnerabilities. There is a much easier way. Moving Target Defense disables the actuating mechanism common to all zero-day attacks. So you don’t need to identify individual attacks, which is impossible anyway; and you’re protected even without patching since attacks are prevented before a vulnerability can be compromised.

    In our opinion, they are creating a false premise in order to push their product. Defenders are NOT “squeezed between” those “two false choices”. Both are antiquated ways of thinking that no one (hopefully) subscribes to these days. Even though it sounds amazing to be able to just install a small endpoint security tool and never worry about patching again, it’s just not a realistic or serious solution to the challenge. The old adage “If it sounds too good to be true, it probably is” comes to mind. The mature way to deal with vulnerabilities is to have access to reliable and comprehensive vulnerability intelligence. This allows organizations to efficiently prioritize their resources to best secure assets against the vulnerabilities that pose the biggest threat to them, based on impact, attack vector, importance of the asset, and exploit availability, to name just some factors. Some vulnerabilities pose a significant threat and require immediate attention; others can wait or even be ignored.

    Unfortunately there are security companies that may attempt to peddle their products by promising a panacea to the vulnerability management challenge. They may use fancy phrases like “Moving Target Defense” and incorrectly suggest that “around 80% of all breaches have a memory compromise”. The problem is that injecting a DLL file into processes to work various in-memory “magic” does not protect against exploitation of all vulnerabilities or even an acceptable subset. Any claims to the opposite are ignorant at best and dishonest at worst. The approach is not even novel.

    Fortunately, while companies peddling their products in this manner have gained some clients, most typically disappear again quickly or rebrand with the next buzzword, and generally aren’t taken seriously. It is also important to bear in mind that the typical organization’s network is composed of more than just some Windows endpoints. These types of specialized endpoint tools will not protect against improper access restrictions on administrative features in the organization’s routers or other devices. They also won’t protect against hard-coded credentials in ICS/SCADA systems or similar backdoors. CSRF, XSS, and SQL injection attacks against web applications also won’t be blocked. They won’t even protect against Heartbleed, though some vendors may try to argue that they protect against the follow-up attacks.

    We’d like to make a request to security companies out there: Please have some integrity and make it a focus to educate and work directly with your sales staff so that they refrain from making misleading comments in which your product is incorrectly pushed as the answer to the larger challenge of proper vulnerability management. While your product hopefully does bring value, if it is being oversold you are not part of the solution but part of the problem with this industry. We recognize that sales departments have a tough challenge getting organizations’ attention with all of the products out there, but it is something companies need to be mindful of, and it is something we at RBS work very hard on with our own sales team to make sure our messaging is technically accurate.

    Believe us, we actually do love any kind of dialogue or debate about vulnerabilities and how to help organizations from a technical, business, metrics, or even process standpoint. However, it is an eye-twitching moment when we see a product falsely promoted from a sales or marketing angle.