Just as a river takes unexpected turns, so too does a career journey. Our special guest, Jason Ostrom, began with an eye towards federal law enforcement but found himself swept away into the world of Linux and security engineering for startups. A chance encounter with a mentor opened the door towards a career in cybersecurity, and the creation of a game changing pen test tool. Discover the story behind his first presentation at a hacker conference and how the early days of parenthood influenced his journey.
Ever wonder why a broad skill-set trumps specialization in cybersecurity? Jason breaks it down, emphasizing why IT experience, soft skills, and understanding the business context for executing vulnerabilities can make or break your success in this industry. Whether you're on cloud nine or keeping it grounded with on-prem projects, Jason explains why adaptability is crucial and how to keep your skills sharp and marketable.
Lastly, Jason demystifies the process of presenting at cybersecurity conferences and how to become a SANS instructor. The desire to teach or earn a SANS certification burns in many, but the path can seem obscured by smoke. Jason clears the air, providing a transparent look into the pros and cons of this career move. If you're fascinated by the world of pen testing, this episode will shed light on the various types and the importance of gaining broad experience before selecting a specialty. Buckle up, this ride with Jason is not one to be missed.
Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
I was going, Jason. It's been a long time since we last talked, even over video. I'm really excited for our conversation today. Yeah, hey.
Speaker 2:Joe man, thanks for having me on. This is a. I'm super pumped about this. But yeah, how you doing, man, it's. It's been a while and in fact we, we actually go way back, don't we? Yeah?
Speaker 1:At a very interesting place, especially for someone coming like straight out of college, learning it, and then being put into an environment where you have to troubleshoot complex issues without touching a keyboard or a mouse, can't go to the bathroom without a supervisor, like what a what an interesting set of circumstances.
Speaker 2:Oh yeah, there's definitely interesting customer with that. I think we can actually say it was a three letter agency. That's the most we can say. But uh, were you working for a security vendor? There was like a PAM, privilege identity access management or something like that.
Speaker 1:Oh no, I'm sure if I was working with a PAM solution I would have like pulled my hair out. What, what little hair I had at the time. I was working with a E nine one. One vendor.
Speaker 2:Hmm, yeah, it wasn't E nine one. It was a telephony related solution project we were working on, so that makes sense.
Speaker 1:Yeah, yeah, that I mean even you know. Thinking back, I didn't think of how much you know security work I would actually have to do, uh, when I was on site at that agency. The reason being is that, you know, when you're going on site you're told you know by the person who's in charge of all of it at that company at that time that oh, this is jitik certified. We're good to be there. You know they always want to make security changes, but we're certified, so we're good to go Right. And then you guys start hacking away at this thing right right in front of me, asking me questions like well, why, why can I do this? If it's certified, why can I do this? So why does it break after you run this stick? And you know, it's like me, six months, maybe eight months at the time out of college still learning you know the alphabet of IT is like, well, I don't know. I guess I got to go crack open a book in the hotel room because apparently I'm not leaving this site until we figure it out.
Speaker 2:Yeah, that was certainly trial by fire on learning on that. That's the definition. Good experience overall, though, yeah. So hey, congratulations on your, on your kid. By the way, I won't get personal or anything, but congrats on that. That's awesome.
Speaker 1:Yeah, absolutely, I mean it's. I appreciate that it's. It's been challenging for sure. I guess it's it's fun and rewarding to have kids. It absolutely is. It's just that first year, right, that is just like it's brutal, absolutely getting over the hump there, and it's not easy to work at a nine to five job doing a podcast, doing consulting and all the other things that I do, right, and if I it's, it would be impossible to do all of that, really any of that, without having my wife stay home.
Speaker 2:I wish I could give you some negative advice, but just one day at a time really pushes you through. But it does get easier, it does get better, right.
Speaker 1:So, jason, you know I like to start everyone off with how you got into IT, how you got into security. The reason why I do that is because I have a lot of audience that it could be their first time, you know, going down the path of trying to get into IT or trying to get into security. Maybe they're doing a career change and hearing everyone's path into it, you know, maybe lets that one person know like, hey, it's possible, this person did it. Maybe it's possible for me too. Maybe I can do this thing. You know, what was your origin story like?
Speaker 2:Yeah, great question, man. I'm super excited to be on this podcast. So my story is I actually started out cutting my teeth in IT before I really got into cybersecurity. And I'll make one point which I think is different than today when you see a lot of college graduates going straight into cybersecurity, infosec jobs, you know where they're doing pen testing or something of that nature. I had to kind of cut my teeth with IT so I was doing kind of Linux engineer, sysadmin, slash network engineer, security engineer for a few years for startups, before I even got into cybersecurity where I started doing, you know, penetration testing. I think I didn't do my first pen test until about 2004. Yeah, so when I graduated from college it's interesting, Joe I was really interested in law enforcement, federal law enforcement, going into the FBI, and at that time you had to have like four years of undergraduate experience after college if you weren't master's degree. So I was like you know what? I'm going to do some cool IT stuff for a few years because I got to get some experience under my belt, something and I'm going to do computer crime squad, FBI type stuff. So I was kind of going down that path of like I'm going to do IT and security for a while to get some good experience, but my ultimate goal is law enforcement. And then I kind of fell into something where the whole FBI thing fell through and I found another pathway. But I was inspired by someone who was a mentor of mine and I wrote a tool and I did a blog. I wrote this pen test tool. I was working for a pen test mill, so to speak, doing back to back pen testing over and over again, and my boss at the time is a brilliant guy by the name of John Kindervog. He's done done a lot of zero trust stuff. He was my boss, my mentor at the time, and I was deathly afraid of speaking at conferences and he convinced me to speak at my first hacker conference and I presented this tool called VoIPOPPER, a network pen test, kind of a UC pen testing tool and it kind of took off for me there. I decided you know, I want to do something cool in the community to kind of give back to the community. And they didn't have kind of taken off and I started speaking at conferences like DEF CON and I kind of got the bug on doing research and so I was really heavily involved in VoIP and UC pen testing at the time. This is kind of like the mid 2000s. So it's kind of where I went off into getting into a niche and I say it's going to be a generalist, but it's also good to have a specific area within cybersecurity to specialize in, you know. But yeah, that's kind of to answer your question. That's kind of my story. I really got into pen testing and doing research and I'm also happy to say that that tool I wrote, VoIPOPPER, is actually still included in Cali Linux to this day, which is hilarious because the tool was like was like written in 2005 type frame. So but yeah, kind of answer your question on how I got started. And then I kind of connected with you, I think around 2014 when, when I was heavily involved in the VoIP UC security world.
Speaker 1:Yeah, yeah, that was. That was definitely an interesting time, for sure. But you know you touch on a really important part of what I would view as a successful journey. Right Is getting a broad range of experience and then dialing it in, and that's what I always recommend to people. You know, I mentor some people coming out of college, coming out of different security bootcamps, and even with the security bootcamp experience, I still recommend that people get experience in IT. Right, because when you're in IT, when you're in help desk, you're learning how to talk to people under stressful situations. You're learning how to even negotiate with people. When you're 100% correct, you couldn't be more correct and this other person who's a higher rank than you is, you know, wrong or not 100% correct and it bugs you, it eats at you. Right, you have to find that middle ground. You have to develop those soft skills that will carry you forward in security, because you can probably do the security work you know from a technical perspective right, like you could probably technically do it, but you would not make any friends, you would make a whole lot of enemies. Your tools would probably be ripped out the day that you leave and you're not going to make you know really that much progress and so it's important to really get that generalized experience and then dial it in. You know, over time, as you get more experience Is that kind of how you thought about it as well when you started going down this journey. You know, when you realized that federal law enforcement wasn't working, it's like, okay, well, maybe I'm going to find a specialty. Then, you know, maybe I'm going to dial something in and get really good at it.
Speaker 2:Yes, absolutely. I could not agree with you anymore. I think we're saying the same thing here and I think is cutting your teeth and IT and getting that strong foundation before getting deeper into cybersecurity. For example, if you're talking about something like penetration testing as a use case, an example, joe, it's all about context and business context, right, when you're executing vulnerabilities to show business risk, if you're you know straight out of college and going in and you're doing pin testing and you're you're exploiting vulnerabilities and flaws, but you don't have that business context to know how the vulnerabilities impact the business and disruption of revenue, it revenue, operations it's a major deal, right. And just having that experience to sit down with network engineers, developers, system administration, cio and CTO is being able to talk to them. So that's one key point and I think that's different than today's market, right, because you see a lot of people going straight in with little to no experience. And I'm not I'm not hating on anyone or anything, I think just the marketplace has changed and they're saying that there's a dearth of skills and the skilled cybersecurity people, but then it seems like you have a lot of people going in that haven't formed that strong foundation. So I totally agree with you there. And then, relating to my story, yes, when I decided that I was going to have a different path than the FBI, I basically decided well, I kind of want to make a name for myself, I want to create like a cool tool and give back to the community. I'd already been doing the pin testing a while and, and so I think it helped me to get better, to have that specific knowledge but also kind of a generalist for like network and app pin testing, but also specific to VoIPUC, and creating that tool really helped me as a practitioner. And I think also there's there's another kind of lesson learned here. It's like Joe, I think in my career I've learned when you go too deep into the rabbit hole and become too much of a specific skill on something, that, for example, with VoIPUC, at the time it was really, really hot. You know a lot of people were speaking at conferences, it was like the cool kid and it kind of died in its popularity and now VoIPUC is not considered a hot topic. Now it's like cloud security and you know, machine learning and all that stuff. But I think it's good to have a generalist approach but also being adaptable and flexible to like changing what your specialty area is is what I was saying. So I'm getting in more kind of changing the conversation. But yeah, it's generalist versus specialist. On your experience and I found when you go too deep in the rabbit hole, you kind of box yourself in which might limit yourself. So sometimes it's good to take a step back and be like I'm going to be a generalist. I think you'd apply that to anything like cloud security, cloud architect, whatever. Right now that's the hot area and there might be lots of specialty areas within that. So each cloud provider is a whole world. Within that cloud provider they might have 600 services and so you could be spending a lot of time on one thing. Does that make sense? It's kind of like how has your experience been on that?
Speaker 1:Yeah, yeah, I think that makes a lot of sense. When you were discussing being a generalist while having a specialty right, it reminded me when I was trying to make the jump into cloud security and be more specialized in cloud security, because I saw that that's where everything was going. I had to do still a lot of other projects that were on-prem based, not based in the cloud. I got zero cloud experience from those projects, but I still had to do it and I still kept up the skill set in a way and convinced people like hey, I'm a generalist, yes, I do focus on the cloud, but at the end of the day, I can do just about anything, which is it's not an easy thing to do and that makes you better.
Speaker 2:I mean obviously that makes you better. Right, improved your skills and your marketability.
Speaker 1:Right, yeah, because I'll give you an example. I was going to go work for a large mortgage company here in the Midwest and I interviewed for a cloud security role and after I had accepted the offer, the manager called me and said hey, I actually have this urgent project I would need you to work on because everyone else is bogged down with work. It's not cloud security related, but I only need you to do it through the end of the year and then you can pick up the cloud security work. And I said, okay, well, I'll do it until how? About October 31st? And then November I started doing cloud work and he agreed to it, and so I you know, full blown rolled out this cloud web proxy that I've never worked with before. You know, I've rolled out a proxy before, but it definitely was not this solution. So I kind of knew what to do, but at the same time it acted very differently. And so you're learning the nuances and I I rolled out this solution 100% by October 31st. I kept up my end of the deal, and then they had to keep up their end of the deal because you know, they know, that that frustrates me, right. Like the benefits of having this podcast is that it kind of allows potential employers to hear my personality beforehand, to know my, my thought pattern, you know, without me having to tell them like, hey, I find this to be kind of insulting when you sell me one thing and then you tell me to do another, and it's confusing for me, it's disappointing, you're going to get my hopes up and then I'm going to be disappointed. It's not a good look, you know. But but they were able to overcome that by just being upfront with me, you know. I think that that's what's important and also, you know, when you're trying to specialize, also being open to that possibility, right, someone may say, hey, you're a specialist in this tool, we also need you to touch this, you know, be open to it, because as soon as you start pigeonholing yourself, you know that field is going to evolve right, like we're seeing, or we saw the traditional firewall basically go extinct overnight with what's called the next gen firewall, and now they're still calling those next gen firewalls like the newer version. They're calling that next gen, right, but you have to relearn this tool. It has additional capabilities, additional things that you need to learn and components.
Speaker 2:Yeah, absolutely. There's so many great insights in this podcast when in the discussion you have but you, you, you bring up a good point too about learning by doing. You know when you created your proxy and hands on the keyboard, skill development, which I think is still important, no matter where you are, even when you go into management just to practice. Some of that stuff is really good.
Speaker 1:Yeah, absolutely. So. You mentioned a little bit about getting into the, the speaking circuit, talking at different conferences and whatnot. As someone that is looking to potentially do that in the next 12 months, how in the world does someone get started in that? The daunting task of, you know, speaking in front of hundreds of people, even tens of people, will make anyone nervous, in my opinion. Like, how do you get past that? What do you decide you're going to talk on? The issue that I have, personally, is thinking that what I have to talk about is actually important enough to talk about it. I feel like I'm still the dumbest person in the room on stage, just like all right, yeah.
Speaker 2:So great question Is this something you're thinking about doing? Just curious.
Speaker 1:Oh yeah, yeah, I definitely want to do it. It's just about making that jump.
Speaker 2:Yeah. So it's a huge leap. In that very first one I'd say there's no getting around it. It's painful and nerve-wracking and hard on the first one, but it gets easier. So, to answer your question, I had a great mentor, john Kinervog, who kind of got me started on it. So I could say, if you have someone you can co-present with, like, do the research together. It makes it kind of a team effort and it kind of takes a little bit of pressure off of you because you're not failing, you're failing with one other person the risk of doing that. So that's one idea and I think. I think what I did is I had first already created the research first, before I worked on the presentation, and then started pedaling it to the conferences, which I think is important, because once I spoke at my first conference I started getting the bug and I wanted to do it. And what I started doing which I don't do anymore is I started working on CFPs and presentation proposals with great ideas and if I got accepted I would let the research evolve as I was getting ready to present, versus doing the research first and finishing it and then having the presentation evolve when you apply for the CFPs. Does that make sense. So, instead of doing it the CFP first and then doing the research, kind of finish the research or at least get halfway through it and then start thinking about how you want to present that to the world. The other piece of advice I can give is, man, find something that inspires you, that you're passionate about, and letting it evolve organically. Because when I created the tool and I started first doing it, it was from the pen testing I was doing. It was like a lesson learn, case study from a real pen test and it kind of evolved into something I just want to share with the community, kind of like a case study. So I think, yeah, I'd say, first finding something you're happy and passionate about that you can grab onto, kind of maybe like a hobby of some sort. I've kind of gotten back into this now and I've created some new tools on my GitHub and I've started kind of getting back into the speaking. But I'm taking a different approach. Like I said, I'm waiting until I'm done with the tool and the research and then I think, well, that would be cool to show this here or there. I'm not in a rush, it's kind of like enjoying the process. It's not a marathon. It's like the grind of letting things evolve more naturally. And then, hey, how can I present this at a conference?
Speaker 1:Yeah, I think it's definitely more of a process right of deciding the topic and whatnot and kind of, I guess, doing the research and setting that end goal right, Like DEF CON, for instance. Maybe in January you submit the paper, get approved and then you're working towards that goal. I think I definitely need that goal or that target date right to motivate myself to get the stuff done on time and make the progress that I need to make. I think it's more about at this point deciding what I want to talk on and maybe not even worrying about the value that it provides to the community necessarily Not to say that I don't want to provide value, but I think I get hung up on that too often and it holds me back where it's like well, is this providing value? Am I, am I doing anything good here? That's my opinion. Yeah, I see what you're saying, To kind of change gears here. You're also a sans instructor. You kind of you kind of glanced over that left, that left that fact out. Right, you know how in the world does someone become a sans instructor? Like, do you have to have, like you know, all their certifications, prove that you have this industry top tier knowledge and go through the process like that, or you know what is that like? Because everyone knows, you know, sans certifications is the gold standard and security. There's nothing else on the market that beats it. But it's also very expensive. So finding an employer that will pay for it is like absolutely critical. It's like a gold mine. You don't just, you don't just leave that employer.
Speaker 2:Yeah, absolutely it is. They are expensive, but I am kind of biased I think. I think they're worth it. But so how to get started? So my quick little story on that is Sands does have different programs that also offset some of the costs as well. I'll mention this too. They have a program called work study Joe, where you can, you can apply and get discounted tuition and you kind of help out and assist as a moderator, facilitator for a sans class, but you get greatly reduced tuition. So they do have a program that allows you to take a class and not pay the full price. So as far as entry into it and getting started on it, I think what you have to do to get into it is you take a sans class. So you have to find a way to take a sans class. Or you take a certification exam for one of the jacked sans certifications and if you score I think this the score is 90% or better you get invited into the program where you can be a TA for the class. Now, this isn't for all the classes but some of the more technical classes. Hands on, they have what are called virtual TAs or TAs. So you're helping out, assisting students with the labs and that kind of gets you potentially into the instructor development program as a TA. You start helping out, getting more and more hands on experience and you get to know the instructors and they can recommend you and you kind of get vetted and recommended that way. And then you kind of there's a whole program that you start proving yourself once you're in that program, where you start you know you do a little co teach like a partial co teach and then you go up to where you're doing half a day co teach, where you're teaching half the day with another sans instructor and you flip that to the other day and then you eventually do a teach on your own. So it's a meritocracy. You have to prove yourself and so forth. But there's always an entry point right, there's always a starting point. So the the starting point is probably within the whole sans community. You either have to pass the exam and prove yourself with a score or you have to take the class and improve yourself with a score and then it goes from there.
Speaker 1:Hmm, you know, in your own sans certifications, which certification would you say is was the most difficult for you to get? I would assume the G-Pen. If you have it, it would be the easiest right, because you were a pentester. I think that's an easy assumption to make, but maybe that's not true.
Speaker 2:Yeah, great question. When I started out teaching for sans, they had a program called sans mentor, sans community instructor, which they don't have that anymore, and so I was going to tell you that was kind of the way to get started is as a sans mentor you do small little teaching groups, which is a great way to get yourself exposed to teaching. But yeah, when I got started I was involved in the 504, which the GCIH exploits incident, handling that class and then the 560 G-Pen were kind of the classes. Now, another thing is I started as a student man. I I've always been a lifelong learner, I'm a big fan of sans classes. So how I kind of got started with sans is I was a student paying for the classes. I got lucky because my employer and this is something maybe to think about and recommend to others, there are companies that do support their employees to take sans classes flat out. So in the interviewing process, if that is something that's valuable to you, you could actually negotiate with your employer to say, hey, what's the tuition budget per student? And with one particular employer I said I want to take two sans classes a year and they said done, and so that was kind of negotiated up front. So maybe this is something even someone early on in their career can be looking into, because when you have your employer sponsoring you on this, it makes it so much easier to get started, joe. So I was very fortunate in that and that's how I took some of these classes like forensic incident response 504, forensic 508 in the G-Pen, and so back to your question. I started out as an instructor in 504 G-Pen and the hardest class for me was during COVID. I had to pivot over to the brand new cloud penetration testing class 588. I don't know if you heard of this class, but at the time around COVID in 2020, this is a brand new class and a lot of the instructor opportunities shut down because 588 was a brand new class and I happened to know the instructor. He kind of invited me on and said hey, do you want to have an opportunity to teach this class? So, to answer your question, the GCPN the cloud penetration testing was the hardest thing to pivot over to because it was just a brand new class and the content was so much more like a site reliability engineer type pen tester, network system, app pen test. It was just more challenging content for my background in, like G-Pen and app pen testing. So does that answer your question?
Speaker 1:Yeah, yeah, I think so. I mean it's interesting, right, Like you would think that a pen tester really of any caliber, that the skills would translate easily across, like on-prem and cloud and whatever it might be, right, Like containerized environments and whatnot. But that's not always the case, you know, and I guess that there's a reason why there's different specialties, right, Like there's physical pen testers. If you want to break into a building or infiltrate a facility, you know there's people that carry around lock picks and you know different methods of bypassing, you know biometrics and all that sort of stuff, right. And then, if you want to, you know pen test the actual network. There's a different specialized person for that. So it only makes sense that there's a specialized, you know cloud pen testing skill set. Honestly, I never really thought about it like that. It makes sense, though.
Speaker 2:Yeah, yeah, you bring up a great point Honestly, like the pentesting methodology and approach is, you know, if you have network or app pentesting, it's similar, yet different, right? So the difficult thing, I think, to wrap your mind around if you're kind of new to it and we have a lot of people in the class that are like very experienced pentesters, either internal red team or consultancy type pentesters, and so I think the difference is kind of like you're using the cloud control plane to carry out attacks, whereas you have to shift your mind because, like in the 90s and 2000s, it was coming in through the front door into a data center on premise where you know you had network services that were vulnerable on the edge of the network or apps. And now, with cloud pentesting, it's more. You're using the cloud control plane. So it's like how do I use the AWS CLI and the Azure AZ to carry out attacks? How am I carrying out attacks with Kubernetes and containers, with kube cuddle, and so, yeah, it's like you're coming in through the front door, but there's also, you know, there's an overlay network and an underlay and you're coming in through the cloud control plane. So wrapping your mind around that, you know, and all the different cloud services is definitely a little bit of a shift, so to speak.
Speaker 1:So are you basically trying to use the cloud's control plane against itself to gather information and have it disclose more information than it should, or how does that work? Because that's a very interesting technique. That's a very interesting method.
Speaker 2:Yeah, so potentially yes, and so the idea is that you could take the authorization key material from whatever the cloud provider is, whether it's GCP, aws or Azure a identity like a programmatic access key in AWS. So you're taking that as your starting point and saying what are the privilege escalation and attack pathway primitives for a developer or an admin within AWS environment to abuse the network or a non-privileged programmatic access key? How can they pivot unauthorized to another S3 bucket or how can they elevate their privileges to become root or whatever the scenario is. So yes, you can do black box approach, but you can also say let's start with some key material data, like a cloud identity, and let's see how what can be abused within the environment.
Speaker 1:That's really interesting. And then I assume there's a different set of rules of engagement for that sort of work, right, Because you have to kind of get whatever AWS will allow it to be pentesting their environment, and if it deviates from that you'd probably have to get special approval in one time right, correct, yeah.
Speaker 2:And the beauty of it, the cloud providers each have documented their terms of service for their services. So you can go to their Pintest page. You can basically scope out each one of the services that's allowed. Some of them you don't even have to get permission to Pintest, some of them you do, and some of them are prohibited type of activities. So you do have to kind of map it out that way. But yeah, I mean, the idea is a customer, you can test from the outside to get unauthorized access to a cloud environment or gain access, like if you can do code execution on a developer's laptop, you can actually extract off their key material, right? So at that point it's become a control playing cloud Pintest to see how you can pivot using the SDK, right? Or another scenario is within the rules of engagement, and this is kind of something we encourage is like what if you tell the customer, let's just assume that a developer was phished, right, and that someone got access to a programmatic access key, right? So let's start the Pintest with the key you've provided us, the customer, that's non privileged key, and so that's a part of the Pintest. It's just included to see what are the privileged escalation attack pathways.
Speaker 1:Interesting. So, Jason, what are you working on or creating right now? You mentioned before you created the VoIP tool. I'm wondering if you're creating any new interesting tools right now.
Speaker 2:Yeah, man, I love that question too. Now I'm back in the community creating new tools, and I have tools planned and I have a huge list of tools that I have in my software roadmap, and so one of the tools that I released, that I've been working on the last three years, is called Purple Cloud. Have you heard of Purple Cloud? Yeah, I have mostly from you, yeah yeah, so Purple Cloud is up on GitHub on my GitHub but it's basically a simulation tool that allows you to create your own cyber range, and it's focused on Azure and it allows you, using Terraform it's an infrastructure as code simulator allowing you to create like eight different types of use cases for your own custom Azure security lab, and so you can create it and you can pretend like you're a blue team or a network defender, like a cloud architect, cloud security engineer, or you can practice Pintesting techniques against it, and it's your own sandbox and your own Azure account that you spin up with Terraform and then you destroy it when you're done. So that's one tool I created, and I created another reconnaissance tool called Cloud Edge. It's coded in GoLang, kind of has a novel approach, but it's basically a cloud reconnaissance tool that loads in all the IP addresses of the cloud providers into memory and then does performant lookups of an IP address or a DNS domain, mapping that IP to the cloud provider service, and all of this is automated. It's a recon tool that helps for bug bounty, but can also be Cloud forensics and investigations when Cloud assets are used for attacks. You can use it to look up and find an IP and map it to that Cloud provider. Wow, yeah, those are two of the recent tools that I've done, and I'm working on Purple Cloud for AWS. I'm working on a new version of Purple Cloud for AWS. Oh, okay, that's what I was talking about. I have a software roadmap. I'm going to finish it first before I look at conference stuff. I get your thing on conferences where sometimes you just put in the CFP and do it, but with software I have to get it done and then I'm going to put in for the CFP, right, yeah, those are the two tools that I've worked on recently. Yeah, but I also work for SANS full-time. I do DevOps for SANS. That's a whole other story.
Speaker 1:That's like a whole other podcast, basically. Well, jason, I'm always very conscious of my guest's time. When I say it's a certain amount of time, I tend to stick to it, or at least I try to. Before I let you go, how about you tell my audience where they could find you, where they could find tools that you're developing and any other information that you may want to put out there for people to get ahold of you?
Speaker 2:Yeah, sure, I'm happy to connect my GitHub repo where my tools are. I have a different handle. It's GitHub slash, my username, which is, I know Jason, it's I-K-N-O-W. Jason. I know Jason. A little play on, I know Jason, or whatever. My Twitter. I'm trying to get more active on Twitter, but you can reach out DM and so forth. My Twitter handle is security puck. It's just security puck, as you would expect. Yeah, those are the good ways to reach out.
Speaker 1:Awesome. Well, thanks, jason. I really appreciate you coming on and I hope everyone enjoyed this episode.