Inside a purple team: Pentesting, vulnerabilities and other key skills

We love red teaming here at Cyber Work, and this week we're excited to explore a topic just few shades down the spectrum: purple teaming! Luke Willadsen of EmberSec dives into the ways combining red and blue team operations can help stress-test your security department — and explains the benefits of a purple team better than we've ever heard it before. He also has some great stuff to say about the importance of soft skills like writing, reporting and, most crucially, empathy, since it may feel like a pentester holds the security team's career in their hands.

Luke Willadsen currently serves as a security consultant with EmberSec, a By Light company. He began his cybersecurity career in the U.S. Navy, where he trained to conduct offensive security operations for the Department of Defense. He participated in daily computer network exploitation missions in support of national intelligence requirements and protection against foreign nation-state sponsored hackers. After separating from the U.S. Navy, Luke joined the start-up company IronNet Cybersecurity where he conducted penetration tests and vulnerability assessments, while also providing product development support and threat hunting capabilities. Following his time at IronNet, Luke worked as a director at a security consulting firm, where he specialized in red teaming, penetration testing, intelligence gathering, threat hunting, digital forensics and technical writing. Luke has an M.S. degree from Eastern Michigan University and is CISSP, OSCP and CEH certified.

– Get your FREE cybersecurity training resources:
– View Cyber Work Podcast transcripts and additional episodes:

[00:00] Chris Sienko: It’s a celebration here in the studio, because the Cyber Work with Infosec podcast is a winner. Thanks to the Cybersecurity Excellence Awards for awarding us a Best Cybersecurity Podcast Gold Medal in our category. We’re celebrating, but we’re giving all of you the gift. We’re once again giving away a free month of our Infosec Skills platform, which features targeted learning modules, cloud-hosted cyber ranges, hands-on projects, certification practice exams and skills assessments.

To take advantage of this special offer for Cyber Work listeners, head over to or click the link in the description below. Sign up for an individual subscription as you normally would. Then in the coupon box, type the word Cyber Work, c-y-b-e-r-w-o-r-k, no spaces, no capital letters, and just like magic, you can claim your free month. Thank you once again for listening to and watching our podcast. We appreciate each and every one of you coming back each week.

Enough of that, let's begin the episode.

[01:04] CS: Welcome to this week’s episode of the Cyber Work With Infosec podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals while offering tips for those trying to break in or move up the ladder in the cybersecurity industry.

It’s no secret that we like talking about red teaming here on Cyber Work, and why not? It’s a fun topic. Our episode on how to become a pentester was also quite popular with listeners. So today we’re going to put some chocolate in that peanut butter and talk about purple teaming, the tag team combination of red team offensive security and blue team pentest defensive security and figure out the best methods of stress testing our security departments with our guest.

Luke Willadsen currently serves as a security consultant with EmberSec, By Light company. He began his cybersecurity career in the United States Navy where he trained to conduct offensive security operations for the Department of Defense. He participated in daily computer network exploitation missions in support of national intelligence requirements and in support of protection against foreign nations’ state sponsored hackers.

After separating from the United States Navy, Luke joined the startup company IronNet Cybersecurity, where he conducted penetration tests and vulnerability assessments while also providing product development support and threat hunting capabilities. Along his time at IronNet, Luke worked as a director of a security consulting firm where he specialized in red teaming, penetration testing, intelligence gathering, threat hunting, digital forensics and technical writing, and did a little cooking on the side. Luke has an MS degree from Eastern Michigan University and is CISSP, OSCP and CEH certified.

Luke, thanks for joining us today on Cyber Work.

[02:40] Luke Willadsen: Hey, thanks for having me.

[02:41] CS: Yeah. That’s a very impressive roster of things that you’ve done over the years. We want to sort of start up by breaking down where you got started, where you got the bug and so forth. Let’s start with how and where did you first get interested in computers and tech? How far back does that go and when did your journey sort of move specifically into things like vulnerability assessments?

[03:05] LW: Sure. My father brought home a Packard Bell 486 with MS-DOS when I was – I think I was in kindergarten, and he taught me how to use the command line to set up and play games and how to use an MS-DOS-based Word process. We had a dot matrix printer as well.

[03:26] CS: Load Jumpman,1,1. Yeah.

[03:30] LW: I’ve had a love affair with computers since I was very little.

[03:35] CS: Okay. This has been with you the whole time then. Yeah.

[03:38] LW: I would say that. I ended up in the Navy, as you mentioned, working a variety of cybersecurity-based intelligence – I ended up earning my bachelor’s degree in cybersecurity and my master’s degree in technology studies while I was on active duty. So I walked out of the Navy and I felt like I was ready to roll.

[04:02] CS: Well, okay. Yeah. So tell us about your development within the security sphere. Tell us more about the US Navy and sort of what you learned there and how it sort of transitioned to red teaming and pentesting and so forth.

[04:17] LW: Sure. While I was in the Navy, I definitely observed some pros and cons during my six years of active duty service, but I would say that the training provided for those that quality is probably the best schooling that I’ve ever had. I was in an accelerated program that covered everything from operating system basics, logic, to introductory and intermediate programming, networking, network security, offensive security and military intelligence methodology.

While I was going through this school, my test scores ended up qualifying me to pursue another school that was offered in Maryland. So the goal of this course was to prepare you to conduct offensive security. Following about two years of training both in the classroom and on the job, I was ready to run operations.

[05:22] CS: Okay. So those are pretty fast ramp-up then, wasn’t it?

[05:27] LW: It was very fast. I was someone that had limited programming knowledge and was comfortable on the command line when I came in to – It was almost like a crash course and everything you could ever need to know in cybersecurity.

[05:44] CS: Yeah. So those were fairly intense sort of days and schedules I would imagine in terms of accelerated learning and whatnot.

[05:51] LW: They were. They certainly were. I recalled many nights studying with my classmates while everyone else was out having fun, we were still studying.

[06:01] CS: Yup, and it all paid off. So yeah, I want to talk a little bit about the big focus of the show. We like to talk about not only sort of your journey, but also like careers in general. Since your career does far seems to focused primarily on different aspects of vulnerability assessment, could you tell me a little bit about the day of a vulnerability assessor? What is the average day look like? What are some tasks that you’re doing every day? What are things that you need to be really good at to thrive in a profession like this?

[06:31] LW: Sure. I will say the part of doing business in this sector is analyzing how peers are doing it. And I’ve done a lot of research into what other companies are putting out. Just a caveat, that my experience may differ from other’s experience. But for me, a typical day starts off with maybe 30 minutes to an hour of threat research. What’s the latest ransomware that’s come out? How does it work? Are there new vulnerabilities that are out there? That kind of stuff.

[07:07] CS: Yeah, it’s basically the human version of like your malware, anti-malware doing its updates every morning or whatever. You’re like, “Okay. What’s out there? What’s happening next?” Okay.

[07:17] LW: This is definitely a job where things could change in a day and you need to stay on top of it every day.

[07:24] CS: Any particularly crazy things happened in the last couple days here that you have noticed?

[07:29] LW: Well, there was a very large DDoS attack. I think it was maybe two days ago against many carriers in the US, and as well as I think Facebook and – I can’t remember everyone who was a victim, but it was huge and there were a lot of major services that were offline. Reading the app direction on that, how did that work and everything has been – I need to read more personally.

[07:56] CS: Okay. More research needed.

[08:00] LW: Sure.

[08:01] CS: Go ahead. I’m sorry.

[08:02] LW: I’m sorry. Once I’ve kind of done my days reading, catching up, there’s usually a little bit of check-up or maintenance on our infrastructure. If you can imagine, we have all these security controls and standards that were telling you you need to apply to your systems. Well, when we’re conducting an assessment of another organization systems, their data is going to have to pass through our systems. So we had to apply that same rigor to the infrastructure we’re using to assess our clients. Just making sure everything is up-to-date, patched, that kind of stuff.

[08:41] CS: Yeah. Okay.

[08:43] LW: And then – Oh, go ahead.

[08:44] CS: No. No. No. By all means. I’m sorry. I keep jumping in for some reason. No need to –

[08:47] LW: No problem. Once I’ve kind of finished with that, I might take a look at any potential new clients or business development opportunities that we have. And then, of course, the greatest part of my day is doing natural work for our clients.

[09:02] CS: Yeah. Okay. What does that entail necessarily or what are some of the sort of main – Because I know it’s different for every client, but like what are some of the main structures of things that you do for your client?

[09:15] LW: Oh, sure. With EmberSecm, we’re doing vulnerability assessments, penetration testing, red teaming. Further beyond for clients that have specific niche requests, maybe something like purple teaming, and that is just going to involve – We try to be in constant communication with our clients to keep them up-to-date in everything we’re doing. There’s going to be some collaboration with our clients as well as diving in, getting technical as well.

[09:51] CS: Okay. Yeah, I mean we’ve had several episodes on red team operations, because it’s super exciting and there are lots of like cool ethical considerations you can get into, and we’ve had a few penetration testers on as well, and those have been very popular, but we haven’t really had a chance to talk to someone who knows bout purple team operations, which is this combination of red team and blue team or pentest operations.

For those of us who are new to the whole – This sort of alternate color coding system, how does a purple team work as supposed to just a red or just a blue and how do you explain this back and forth between red and blue team work. What they contribute to each other in terms of vulnerability knowledge and the way they work in tandem?

[10:30] LW: Sure. Purple teaming is basically conducting a red team operation or penetration testing while collaborating with your client’s blue team.

[10:42] CS: Okay. So you’re providing the red and they’re providing their sort of in-house penetration testing team? Is that what it is?

[10:50] LW: Typically, they’re providing the blue team. There are security guys who are going to be conducting, monitoring or responsible for security policies and the day-to-day of keeping your enterprise secure both at a technical and a management style level.

[11:10] CS: Okay.

[11:13] LW: On the red side, we’re going to target areas that are maybe defined by the client as a special need, and we’re going to usually execute a variety of use cases or attacks or techniques knowing full well that the blue team is watching. So our goal is to achieve compromise through this variety of test cases. The blue team’s goal is to evaluate their security controls and their procedures. Instead of conducting red teaming or penetration testing and presenting the client with like a report of what we found after the engagement is over, we are communicating and collaborating like on a real-time or at least a day-to-day basis.

[12:06] CS: Okay. There’s a little more sort of internal, external communication, than whereas a read team has got kind of a black box element where you’re sort of – You’re necessarily telling them all that you’re doing until that you’ve already done it and then you reported on it.

[12:19] LW: Exactly.

[12:20] CS: Okay. Can you give me some – I don’t know if there are concrete examples, but some examples of the types of vulnerabilities that you might miss by doing just blue team or just red team operations. How does this double layer system do its work better?

[12:34] LW: Sure. One that comes to mind immediately for me is in a past gig I was assessing the network boundaries between an organization’s corporate enterprise and their secure data enclave. Actually, I can’t remember if it was PCI or PHI or what was in this secure enclave that required it to be segregated from the rest of their enterprise. But they only allowed like very specific types of communications between these two network segments.

Earlier in the engagement, I had gained access to an administrative system and we found that this administrator system happened to be allowed by directional SSH communications. Sorry SSH is a secure shell. It’s a secure encrypted remote shell used by administrators. We found that there were two pipes that this administrative system was allowed to communicate into this secure enclave. It was SSH and then SMB, which is a Microsoft protocol for Windows to Windows communications. Sorry if that's a little overly technical.

[13:54] CS: Please. No. I appreciate clarifications, because we get people from all different sort of levels of knowledge and people who are just looking in for the first time to see if they’re interested in this. Yeah, please feel free to break it down that way.

[14:07] LW: Sure. The client's engineers were confident that we wouldn't be able to use these ports to gain access to the enclave, but we are able to demonstrate that we could deliver malware over SMB, and the malware had nowhere to go. It had no one to talk to except on this single pipe that was used for SSH, the other communication protocol we’re talking about.

So we’re able to upload malware and have it communicate over the port reserve for SSH. If their firewall is configured to only allow unilateral communications or if it were performing stateful inspection, which is where it doesn't just look at the ports of a communication. It looks at the data that's actually being exchanged and to recognize it as invalid.

Essentially, that gap was identified. And their blue team was watching it happen and they were saying, “You can do this. You’re not going to get in this way.” So we got in that way and then we figured out a way to prevent that from happening again. It was a great boon to them to find out that this was one of two routes that we found we could get in, get unauthorized access to their secure enclave. Sorry. The TLDR for that is that –

[15:43] CS: That was awesome. Yeah.

[15:43] LW: The blue team had protections in place that were intended to only allow a few necessary communications between their corporate zone and their secure zone, and the red team demonstrated they could piggyback on these necessary communication protocols to get access to this restricted secure zone. And then the blue team was able to write a script to both detect this type of activity and they were able to adjust their firewall rules to prevent this type of attack from happening to them in the future.

[16:16] CS: In our pre-show, when we're emailing back-and-forth and stuff, the phrase stress testing your defensive team came up. Is that basically what you're talking about here that you’re sort of testing their assumptions of how safe they are in real-time like that?

[16:33] LW: Definitely. and I think another example that captures this is that – And this one is less technical. On the red side for one client, we tested about 50 or so different ways, known ways to bypass an endpoint security product and then execute malicious code on a client system. And the blue team observed each attack in their endpoint security console, and their endpoint security product caught about 9 and 10 of these bypass attempts.

For the attempts that were not caught by it, caught or blocked by endpoint security, the team was able to develop strategies for alerting on and preventing these additional security bypasses. I would definitely call that stress testing. But, I mean, there's a lot of different ways that you can stress test a defensive team, and I think purple teaming is definitely one of these methods. But, really I think any offensive security style work can contribute to stress testing.

There is such as a vast amount of technology that modern companies are implementing or should be implementing to prevent intrusion, and stress testing, it makes sure that things are all working as intended and we’re detecting, preventing the type of issues and that can compromise your organization’s security or integrity.

Companies employing firewalls since endpoint protection – Sorry. Endpoint detection and response, antivirus, email filtering, so much more. So stress testing is just to make sure things work as they’re supposed to. Does your email filtering works? Well, let's craft a phishing email with a malicious payload and see if it gets blocked.

[18:34] CS: Right. Okay. I mean, this sort of brings up in my mind, like this seems like such a natural combination, this having the red team happening in the moment, but also in the sort of active collaboration stance with the blue team. And it seems like such a natural handshake and I don't feel like purple teaming is like the law of the land. I'm curious why people don't do it this way more often. I usually hear like – They just had a red team attack against us or we’re just using our blue team for this. This seems like such a natural combination. Why is this not sort of standard operating procedure, or is it? Maybe I just haven't heard it.

[19:15] LW: Well, I think that purple teaming is potentially a label that isn't in everyone's vocabulary. And what I mean by that is, last year, I was conducting a penetration test for a fairly large client and they said, “Hey, we want to buy a penetration test from you.” And they said, “We want our blue team to sit and sidesaddle with you guys and watch you guys as you do it so that we can see if our protections are adequate. I’m like, “Oh, you mean purple teaming?”

I think that it's being done in other ways than if you Google purple teaming. There are ways that people are doing similar activities outside of that particular definition. But I don't think that people who want a purple teaming engagement, that those are the only people who have done a collaborative red-blue style assessment before. I think that probably maybe in at least a third of the engagements that I work, there is that kind of real-time collaboration going on.

[20:27] CS: Okay. A lot of what people call red teaming is something closer to purple teaming maybe.

[20:31] LW: Sure. Now, there is kind of a more refined purple teaming methodology that you can try to following. But that doesn't mean that you can't reap the benefits of the collaborative nature of purple teaming itself without calling it purple teaming.

[20:51] CS: Okay. I guess to turn things around then, what are the actual benefits to doing just a straight red team attack and not having – What are you what are you looking for differently by not putting your pen testing department in part of the operation?

[21:10] LW: Sure. One thing to keep in mind is that when testing, we’re testing more than technology. We’re also testing people. If the blue team or the defensive people, if they don't know that we’re coming, and with a red team assessment, potentially we can assess the response of the client. How is there alerting? Are the proper personnel being alerted? Is there a call tree structure setup? Are they prepared to react to this? Because they don't know that in a true red team style engagement, they don't know that it is consultants or contractors that are in their network. They just know that someone's in their network. So they can really asses their own in-house people and policies a little better maybe with that style of red team engagement.

[22:13] CS: In those cases, are they sort of generally told there might be a red team attack sometime down the line or are they told absolutely nothing and just left to sort of determine?

[22:24] LW: It varies client to client. There's no right way. I think because different clients are operating at different levels of maturity, and maybe the security manager wants his people to know that – His or her people to know that, “Something's coming. You guys should be ready for it. Because part of the reason we’re getting this test done is we want to pass this audit, or we want to make sure we’re ready for this audit. So you guys and girls, get yourselves ready for this.”

[22:58] CS: Okay. Moving on from the sort of like nuts and bolts of this to the career aspect, we always like to talk about career strategies. So what are some first steps for people who might want to understand and get involved with these types of vulnerability assessment positions as like a career? Also, I guess since red team and even pen testing positions feel like kind of advanced level skills to me. What are some of the first steps you would take to sort of put you on this path?

[23:26] LW: Sure. This is my own personal opinion, and you can take this or leave this, but I think that the first thing a person should ask themselves if they want to get into cybersecurity work, even just vulnerability assessments, is are you comfortable working with the command prompt or shell? If that's something that you're familiar with, you should study it and see if it's something that maybe you have the knack for.

But some people, they just – They see the command prompt and they see the little flashing cursor and they know they’re supposed to type something, and that's overwhelming and too much. You know what? That’s okay, because –

[24:05] CS: Right. So many choices.

[24:07] LW: There are other positions in cybersecurity that you don't have to get on the keyboard in that way. You can work in security policy and auditing or hundred other areas.

[24:20] CS: Risk assessment or – Yeah.

[24:21] LW: Sure. If you are comfortable on the command line, then I would say you should pursue some entry-level certifications that will help you build – You want to build a foundation in both networks and security. In my opinion –

[24:42] CS: So like a Net+, Security+ combo possibly?

[24:44] LW: Yes, and it’s just scary to say Security+, Net+ and maybe the CEH. They’re great entry level courses that will really help you build a strong foundation both offensively and defensively and kind of just understanding networking and information technology.

[25:04] CS: Okay. Is there any sort of like hands-on type lab situations or whatever you'd recommend or sort of like ways apart from just the study? I mean, does study give you sort of hands-on elements or like – Especially if you don't really have like a support system around you or whatever, like what are some ways that you can sort of like test this out in your bedroom?

[25:26] LW: Sure. There's an organization that provides free training called Cybrary that I have gotten a lot of use from as well as – I guess back in 2009 when I was just starting to learn about this stuff. I walked into a Barnes & Noble and bout a Security+ book, and I read it cover to cover, and that was great. I learned a lot. I mean, for me personally. But I definitely think there's a lot of online resources available out there.

Now, I haven't had to step back to what I would call introductory stuff in a long time. But I can definitely say that Cybrary, and there’s some other that are similar as well as reading.

[26:19] CS: My opportunities say, enter code Cyber Work for one free month. We have also have a skills –

[26:25] LW: That too.

[26:27] CS: But yes. No. Yeah, there are those options out there, and I guess we’re just – More than anything, more than sort of like the programs or whatever, we just want people to sort of understand that this is not an unattainable thing and that it's not – The sort of barrier to entry is pretty low. Like you say, if you get a book of the library or you test out with some of these skills assessments, like you can get a pretty good sense early on whether this is a thing you’d be comfortable with doing for the rest of your life, right?

[26:57] LW: I would certainly agree. To expand that even further, prior to going to college and getting in this service, I was a cashier at Walmart for a long time. Self-study and, of course, the opportunities the military provided me. But it's not something that people can't get into. It really is an approachable field.

[27:25] CS: Okay. Moving to the other side of the coin, the hard skills, obviously, like you said the command line, and you send the actual sort of like scripting, encoding and defensive things. What are some of the soft skills that people who do red teaming and blue teaming need to have to really succeed?

[27:45] LW: Oh, sure. One soft skill that I think is probably like the most important is creativity or ingenuity. Sometimes gaining access to the machine that your client is worried about and they want you to assess sooner require you to think outside the box. You might have a combine several different hacking techniques or maybe you might had to invent your own new technique. That’s an amalgamation of different coding languages and maybe some kind of windows-based vulnerability. It could be anything, and the more creative that you are, the more likely you're going to find success I think.

Another soft skill – I don’t think writing is a soft skill, but communication. We could call that as soft skill. And as a member of the security team, either working for your own organization or as a consultant to other organizations, you need to be able to effectively communicate to your stakeholders. What is the problem? How do you fix it? To follow that up further, I think the compassion is actually a key soft skill. You’re often the bearer of bad news.

[29:16] CS: Yes. Yeah. Sure.

[29:18] LW: Your conclusions can affect people in unforeseen ways. If you report on – If you discover and report on gross negligence within a certain department of IT for your client, that could cost someone their job. Or if you have to tell somebody that there's no way they're going to pass their audit unless they make an exceptional amount of changes, you need to be compassionate and respectful. Rumor that you’re to people on the other end of the line.

[29:48] CS: Yeah. And that’s, unfortunately, not a given for people who might be just interested in the sort of ones and zeros of the job. Yeah, you got to be able to have almost a doctor bedside manner-like rapport I imagine.

[30:00] LW: Yes, you really do.

[30:02] CS: Yeah, and write a report. For small and medium businesses or any organizations that don't already have a comprehensive vulnerability security protocol. I mean, obviously, huge enterprises are going to have full teams or whatever. Do you have any sort of advice to begin starting something like that for a small organization? What’s the best way to assess the level of vuln assessment and regular stress tests your company might need and also can afford?

[30:29] LW: Honestly, each organization, every business organization enterprise is unique. The solutions and no specifications that work for one organization may not work for another. This isn’t in a pitch for EmberSec specifically, but there are so many good firms out there today. You should look to professionals that can help you within your budget.

I would say that some things to consider just from the get go however are like what are your IT resources? What do you use them for? How much do you have and what kind of data is stored on that and what is the risk of you losing that data? If you're capable of asking yourself all of those questions, then you'll be better served finding the specific group that can help you. But if not, there are professionals out there who can analyze all that for you and tell you what you need and how to do it.

[31:46] CS: Okay. We already talked about certifications. So I’ll skip over that. But one of things I always like to ask about, because while many of our guests have been known what they wanted to be for a long time, some people get a little stuck in their current job, whether they find themselves in their fifth year in a call center, whatever, but people who are thinking of transitioning over to this role. What are some actions that they could start today or tonight that would move them closer to this type of work? I mean, it sounds like obviously getting a book or doing some sort of free skills testing. Do you have any other sort of thoughts on sort of moving the mindset as well as just the raw data?

[32:28] LW: Sure. Well, I mean, my skills come from a variety of on the job military experience, on the job consulting experience, a bachelor’s degree in cybersecurity, a master’s degree in technology studies, self-studies, certification prep. You don't need all that to get into cybersecurity. You don't need to walk over to your recruiter's office and take an oath. But you do need to have goals.

I think a worthy goal – And let's say you are comfortable on the command line. You understand the knowledge body of Security+, Net+. I think a worthy goal is to attain the CISSP and to commit the proper hours and to study for it. To me, the CISSP is the Holy Grail. If you have a CISSP, you understand the basics of almost all of the technology you’re going to run into within business IT, and you’re going to understand how an information security program works.

With that foundational knowledge, all that's left is for you to specialize. And a lot of times, if you have that foundational knowledge, there’s a lot of firms that will let you write on the door and then say, “We’re going to teach you your niche over here.” It’s a fantastic, fantastic certification, and I’m being paid say this.

[33:57] CS: Right. Yeah. No. That's awesome, because – I mean, that’s really great to hear, because we've had back-and-forth with certain guests about whether certs are important at all, or whether education, or whether you just got to go out and do it, or we’re not even looking at bachelors anymore. We’re not even look at this or that. But it sounds like there is also like different reasons for doing Sec+ and Net+ in terms of like that gets you the knowledge you need, but like CISSP like really sort of puts you on another level and allows you to sort of – It's almost like becoming like a doctor, like a specialist, like a vascular surgeon or something like that. You have that sort of upper level. Like you know all of the tech that you're going to need to know or whatever, which is different from like everyone – A lot of people have Security+'s that are using them, I suppose. But once you get to that level of knowledge, I imagine that you’re sort of already on the career track a little better, right?

[34:51] LW: Certainly. Certainly. And I think that in the defense of those who argue that certs are necessary, it's really the body of knowledge behind the certification that’s necessary. You don't necessarily need a CISSP to be a good worker in cybersecurity, but the knowledge that is required for you to have passed that test is certainly I think going to make you good at your job.

[35:19] CS: Yet, and it's also going to sort of improve your – Because you were saying about the sort of creativity and inventiveness. If you know every – It's like being a musician and knowing every single –The cycle of it is backwards and forwards. Like you can just do your job better when you have all that sort of knowledge at hand, right?

[35:36] LW: I agree.

[35:37] CS: Yeah. I guess I didn't have this on the question sheet, but you said like getting to different goals in life. Do you have sort of a five-year goal for yourself? Where do you want to move up from here? Are there larger opportunities that you're looking for or a way to take By light or EmberSec to higher places?

[35:57] LW: Sure. My five-year plan is really to see EmberSec soar. I think that we’re refining the procedures and what we think makes up a quality service, and we’re going above and beyond. For one example is like with a common vulnerability assessment, usually you're going to run a vulnerability scanner in a client's environment and you’re going to read the report on all the vulnerabilities, and either some firms give you the automated report or you’re going to write your own report. But because the security landscape has changed in recent years, we’re including a full active directory audit for users that they use Microsoft, and we’re looking for miss-configurations, because recent trends have showed that you are more likely to be owned or hacked or compromised because of something like a misconfiguration with an active directory rather than, “Oh, I didn't path this system, and I got hit by this exploit CVE2016- whatever.” We’re really trying to be a cut above in analyzing what security trends are and providing a service that meets traditional needs as well as where we currently stand and where the future looks like it's going to be.

For me personally, I'm spending a lot of time evaluating what makes up a security program. What are the common threats that affect these security programs and how is this changing over time? Because I want to build or help build the business that is resilient and always current. It's my passion right now.

[38:08] CS: That's awesome. I love to hear that. Also, I couldn't be more thrilled that you mentioned the active directory misconfiguration, because just this morning I was editing a couple of active directory hacking misconfiguration walk-throughs that are going to be on our website resources, that By the time your episode will be up, they’ll already be on there. Everybody jump over there. We’ve got three sort of step-by-step walk-throughs of how these things can be exploited and what to do about them and stuff.

As we wrap up today, do you have any final thoughts or advice about proactive security practices or where it’s going in the future?

[38:46] LW: Sure.

[38:47] CS: We sort of talked about that already. But I mean, I’m thinking more in terms of like more of a crystal ball thing. Do you see like sort of big tectonic shifts coming? Or is it, as you said, with EmberSec that you're just sort of looking to sort of like refine the process more?

[39:04] LW: I’ll just say this. I really think the proactive securities is absolutely crucial. We get new reports of viruses, Trojans, ransomware, you name it. We get every single day of the year. And the hackers in the world are prolific and determined and it really – Honestly, it's not a question of if, but a question of when someone is going to try to hack your organization.

To prove this point, I’ll tell you that I can go into the cloud. I can get on AWS. I can create a virtual virtual machine and just open a single port to the web that does nothing. It just listens. And I can just watch as IP's from Russia, China, Africa, every continent, are just enumerating this. I see attempted exploits being sent over this. And you know what? I've had this port open for 20 minutes. The Internet can be like the Wild West, and that is why proactive security is so crucial, because it's going to happen, and you have to be ready. And proactive security is how you make sure that you're ready.

[40:18] CS: Yeah. This is going be a sort of escalating arms race so to speak. It's not just going to go away one day, I imagine.

[40:26] LW: No. No, it isn't.

[40:27] CS: Yeah. As we wrap up today, if our listeners want to know more about Luke Willadson or EmberSec, where can they go online?

[40:37] LW: Well, you could check out my Linkedin profile or the EmberSec website. I think the EmberSec website is more interesting.

[40:46] CS:, I imagine, or –

[40:48] LW: Yes. Thank you. And we have some great blogs available, and we’re writing more. I’m currently working on a blog that discusses security within Microsoft Azure and Azure Active Directory, which should be ready within the coming weeks. I've got a bit more research to do, but there're tons interesting blogs. We talk about all of our service offerings and the great crew that I work with. Really, is where you want to go.

[41:19] CS: Okay. And I just got a chat from Bradley here. A person says

[41:28] LW: That's what – Yes.

[41:29] CS: Okay. All right.

[41:32] LW: That’s what I meant to say.

[41:33] CS: Okay. Great. All right. Luke, thank you very much for joining me today. This was super informative and helpful, and I hope people get really excited about sort of getting into vulnerabilities.

[41:45] LW: Thanks so much for having me. It's been a pleasure.

[41:46] CS: And thank you all for listening and watching. As always, if you enjoyed today's video, you can find many more on our YouTube page. Just go to and type in Cyber Work With Infosec. Check out our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice. As always, if you wouldn't mind, we would love a five-star review and a nice – A five-star rating and a nice review on your platform of choice. It really has been helping. So we appreciate it. For a free month of the Infosec Skills platform I discussed previously, just go to and sign up for an account. And in the coupon line, type the word Cyber Work, all one word, all small letters, no spaces, and get your free month.

Thank you once again to Luke Willadson and EmberSec and thank you all for watching and listening. We will speak to you next week.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.


Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.


Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.


Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.