dnsUNFILTERED: Jason Slagle, CNWR
Podcast > Episode 44 | January 05, 2026
Mikey Pruitt (00:00)
Welcome everybody to dnsUNFILTERED. I'm here with the one and only Jason Slagle, president at CNWR. Jason, how are you?
Jason Slagle | CNWR (00:08)
I am good. It's been a long couple of weeks and just getting through things.
Mikey Pruitt (00:15)
Every time I see you on the Internet, you're like, on a plane, at a show. Doing a talk. You're very busy.
Jason Slagle | CNWR (00:23)
Yeah, it's one of those things that I actually keep intending to pull it back in, right? Like it's, I'm an MSP. Like I have no legitimate reason to attend nearly the number of conferences that I attend. However, I enjoy it. And so I've actually made it aware to the company that I plan to spend about 20% of my time giving back and trying to make the industry better. So it's that time, but I am getting pickier. Right? Like I'm starting to not go to shows unless I'm speaking.
Mikey Pruitt (00:49)
So that is my first question. And you're going to hate this word, but I'm going to use it anyway just to see your reaction. So you're very well respected in the MSP space. Some would say an influencer, perhaps. I'm sure you don't like that term. But why do you think it matters to give back using your words?
Jason Slagle | CNWR (00:51)
Uh, I'm going to give you the reason I'm going to give you two reasons, right? Like the one is we all should try to make the world a better place, right? Like we, like that is the legacy we leave is trying to make things better than we got them. That's the altruistic reason. The selfish reason is we're screwed. Like the industry is just screwing up. We just keep doing stupid things and we're not taking cybersecurity seriously enough. And eventually we're going to screw up enough that the business model just doesn't work anymore.
Like either we're going to get regulated out of existence or, or people are just going to stop doing business with MSPs because they have such a bad time doing it. Right. So I'm basically trying to cut that off by trying to make people less stupid.
Mikey Pruitt (01:54)
Great way to put it and that's actually question four but we're going to talk about it now because one of the things you're really good at is calling out vendors, MSPs, enterprises like you're not scared to call people out on being stupid using your words. What do you think it is that let's just say MSP specifically what are some of the things that they're focused on that are either a waste of time or not important or things that they should be focusing on more?
Jason Slagle | CNWR (02:21)
So generally, I don't think anyone sets out and goes, you know what, I'm going to be stupid. So stupid is often a product of not knowing. And I think it's like there are the things you know, the things you don't know, and the things you don't know you don't know. And in most cases, I think the gap with a lot of MSPs are the things they don't know they don't know. So I think that if you boiled it down
Matt Lee talks about it and says it really well. He has a whole post is actually best performing post ever was he stuck a Post-it note on the monitor that just said MSP and he's like, I'm an MSP now. There's literally no test or there's no body of anything that you have to do to claim that you're an MSP. You just wake up one day and go, you know what? I'm a help desk tech that thinks I can do my job better than my boss can that is tired of working. And now you're an MSP that comes with an entirely large body of things that you didn't think about.
Right. It comes with security that you may not have had to do in your previous help desk job. It comes with running a company. It comes with figuring out how things like profit margin and cost of goods sold and all sorts of these other business concepts that you have to figure out. And I think the reality of it is that most MSPs, when they start this journey, they just don't know any better.
And they don't know enough to even realize how big the gap is. I mean, I can speak from my own personal experience that when I started going to, uh, when I went to my first, it was an IT Nation Connect show I went to in like 2017 or 2018, it was eye opening. It's like, there is a whole world of stuff here. Like I had the technical stuff I've always been good at, but there was like a whole world of business operations and service management and all this stuff that I had never given any thought to. And that really helped improve us as an organization.
So yeah, I can get, my LinkedIn tag literally calls me the grumpy beard. I can get snarky, I can be direct, but usually it's not really out of malice, it's out of us just wanting people to be better. If no one's willing to call out the fact that you're doing something stupid because everyone's laughing behind your back about it, like, somebody should do you the favor of calling out that you're doing something stupid.
Mikey Pruitt (04:32)
So you come from like that technical side. Did you put a post-it note on your monitor one day and say, I'm an MSP? Is that kind of what happened?
Jason Slagle | CNWR (04:35)
Man, we can go way back. So CNWR was actually an internet service provider in the late nineties called Solido Internet Access. 2002, my business partner, who's slowly working on retiring, bought, sold it, right? But the buying company wanted to be an ISP, but we had this like small consulting practice that me and him and a couple others did that they didn't want. Right. So Alan, my business partner spun that off.
I stayed for a bit, right, then I left. I went to enterprise, I went to another MSP or an ISP. I kind of bounced around for about 10 years. I came back and we were a consulting firm focused essentially on one whale customer, still a customer to this day for what it's worth. But about 2015, that whale customer got bought.
And I was very afraid we would lose the revenue. So it's like, okay, well, we used to do all this other consulting. We largely pushed it away because this giant company was paying us everything we needed to go. What's it look like to do that again? We kind of pivoted. Like I made the decision, you know what? This MSP business model seems great. And we just went from there. So kinda like in a roundabout way, we were a traditional consulting firm that kind of pivoted into the MSP space.
Mikey Pruitt (05:54)
Why you think MSPs, like you mentioned in 2017, you went to IT Nation and you were kind of overwhelmed with the things you didn't know you didn't know. What do you think are the key pieces that businesses don't know? Is it more of the business side of things or the technical side of things?
Jason Slagle | CNWR (06:13)
I think it's a fork, right? Like, so I think that you have two classes of MSP. You have the MSP that is a guy that's, or a girl or person that is good at sales and marketing that says, man, I can make an awful lot of money in the IT services space. And they hire a help desk guy or two, and then they hang a shingle, right? And then you get the technical people that do the same thing.
Right. They both have blindnesses to the other side of their role. Like I will openly admit, right? Like I can have a conversation with somebody and probably convince them that they need to buy something. Right. But I suck at the traditional sales stuff. Like I don't ask for the close. Right. I don't try to push things forward. Like I, just, it's weird and awkward. And unsurprisingly, if you've seen my LinkedIn posts, I find it kind of gross. Right. Like, so I don't, so I've had to hire people that do that better than I do.
From the technical standpoint, we are a quickly evolving industry. Technology is a quickly evolving industry. I watch a lot of YouTube content that's about what we call vintage computing. Vintage computing is less than 50 years ago. I'm 45 years old and the computer content that I watch that is considered vintage computer are the computers I used in my youth.
We are an industry that has gone from essentially systems that were constructed out of gate level, right? Like 7400 series logic, or even older than that, like the 4000 series logic, right? Like, you talk about like a PDP-11/34 or something like that was like literally card cages of all this discrete logic to like literally running AI models that can almost or maybe pass the Turing test in a span of less than 50 years.
Mikey Pruitt (07:44)
I was going to say that, isn't that how Alan Turing and team cracked the Enigma machine with just gates?
Jason Slagle | CNWR (08:04)
Yeah. I mean, and this is all happening in less than 50 years, right? So the pace of change and the pace of play is it's just it's earth shattering, right? And what happens is, again, you get somebody that has like domain specific knowledge on like Windows workstations and maybe even Windows servers, right? So they're good at this thing. They miss all of the giant amount of it. They miss all the security stuff. They maybe don't understand networking. They definitely don't understand software development. And the converse is definitely true that most software developers can't system admin worth anything. And, and so they, again, they just don't know it exists or they think it's good enough. And unfortunately, right? Like I was just having this conversation with somebody in the office, like less than probably 15 years ago, we used to brag about system uptime.
Like I had a system that was up for a thousand days without rebooting. A thousand. Yeah. We, we literally moved it on a UPS. Like we moved offices. It was on a UPS. I literally unplugged the UPS, unplugged the computer from the monitor and the network and carried the UPS and the system to a car so that we could drive it across town without losing the uptime. We were so proud of it. That's 15 years ago, maybe 20, but it was in recent history that you could have a system up a thousand days without rebooting it. And it wouldn't get hacked. And so they just don't know any better, right? Because the world is ever changing and everyone assumes that because it's been good and because we've been able to do it this long, right? Like, I've done this all along and I've never been hacked, right? Like, but that's no guarantee you won't be tomorrow.
Mikey Pruitt (09:26)
And it was, and it was amazing.
Before we get into hacking, I wanted to go deep into that a little bit. Maybe talk a little vibe coding after that.
You were talking about the jack of all trades versus the very highly specialized person. How do you think which personality or skill set does the MSP benefit from more or in now and maybe in the future?
Jason Slagle | CNWR (10:10)
I would generally say that most MSPs would benefit more from breadth than depth, right? Unless you very, very specialize your ideal customer profile and only take on one vertical, right? With one client size that requires one stack, right? So if you're doing like dentist's office and they all run Dentrix, right? You can depth up all you want there.
But the reality of it is that you're much better off understanding a little bit of a lot, right? And if you, it, because it gives you the ability to see the fact that, okay, I know this thing exists, but I don't know how to do that thing. I'm trying cause what Google, especially ChatGPT is really good at driving you down the road and doing that stuff these days. Right? Like I, I actually argue that a college course and how to use Google is probably something that most like a computer science courses need.
But even if you don't do that, right? Even if you don't, even if you don't Google it and find the answer, you can always hire an expert. Right? Like the option exists to, to subcontract to an expert. The other side of that is like, I'm, we, had a consulting firm in town here. They ended up getting bought by a P company and imploded. They had the smartest people I know in almost every topic area.
They had like the best VMware guy I've worked with, had the best Cisco networking guy I worked with. But if you had a problem that involved both of those things, they couldn't fix it because no one understood both. Right? So the network guy would go, it's not my problem. The VMware guy would go, it's not my problem. It's probably the storage guy's problem, right? Like, it's literally a Spider-Man meme. They're pointing at each other. Yeah.
Mikey Pruitt (11:44)
That's funny.
So let's get into some hacking topics. So cybersecurity has fast become like the third wheel of MSPs or whatever. It's a very heavy portion of MSPs business these days. I would argue that might be shifting into AI now, but before we get to that, let's talk about that later.
So cybersecurity, I've seen actually you and Matt Lee on stage talking about Evilginx. Basically, it's super easy to hack somebody or super easy to set up a hack, maybe not to hack somebody, get them to click maybe a little bit harder like some social engineering stuff. But it's actually not that hard to set up some infrastructure to fulfill some malware delivery.
Jason Slagle | CNWR (12:41)
Mm-hmm.
Mikey Pruitt (12:45)
What do you think is the biggest thing that we're missing in that? Like are we protecting the right things, I guess is my question.
Jason Slagle | CNWR (12:52)
Yes-ish. If you ever talked to a security guy, every answer you're ever going to get is going to be, "it depends." Black and white does not exist in our world.
All of these things are a spectrum, right? And so what you have to realize at the high end is that the threat actors are businesses too, right? They have call center reps, they have affiliates they have to pay out. They have cost of goods sold, right? They track all of these things that you probably expect a normal business to track.
And so the reality of it is, is that a lot of the defense and a lot of the protection, a lot of the blue team side stuff we do, it's not necessarily about perfect defense because perfect defense does not exist, right? Like that, well, it does. It kind of, kind of like, correct. Computer locked in a safe at Fort Knox is pretty close to as secure as you're going to get, right? Like, but like, you know, the confidentiality, integrity, availability is like the CIA triad.
Right? Like availability of that system is zero. So you have failed. Right? So everything is about trade-offs. I, and I think that what a lot of MSPs don't do correctly and a lot of enterprises don't do correctly either, is they don't recognize that there is a continuous gradient between the payout to the threat actor and the amount of money or amount of effort they're going to spend attempting to compromise you.
Right. So if you're a million dollar company, on average, the bad guys are going to take three to 10% of revenue. Right. So in a million dollar revenue company and by the way, they know your revenue because they stole your finances. Right. Like, so they know how much money you're making. They have your P&L. So just assume they have your P&L and your balance sheet. So they know how much they, they probably have your insurance policy too. So they know how much your insurance is willing to pay. They are going to demand three to 10% of revenue. Right.
And the way that splits out is some amount of it. I think roughly 50% of it will go to the ransom or the initial access broker, potentially in some cases, like the affiliate group may get 20%. It's like a pie. It's split up and they're not willing to spend a whole lot of human effort for a 30 to a hundred thousand dollar payout. It's just not big enough for them to spend a lot of effort. So you only need to secure against stupid automated things.
Right. You, you, the, the task at hand isn't, you have to be completely, defensible. Everything has to be completely locked down. You just have to be good enough that it's not worth their time. And I think a lot of MSPs fail there because ideal customer profile with regards to size and revenue and, to a certain extent, industry is more important in cybersecurity than in any other space in our industry because the amount of tools and the amount of like nonsense you throw at it, a hundred percent varies by that size of that payout. Right. So it makes sense, right? That's, I can't forget where we're going with this, but I think you were asking like what we get wrong. And I think that's the thing we get wrong the most is that we try to, we try to assume naively that we can protect everything and we can't, we just have to protect enough to make it not worth it and get them to move out to an easier target.
Mikey Pruitt (16:17)
Wow. That's not what I was expecting.
So what's your strategy then? I know "it depends", but like if you're an MSP, and your customer has - let's say $10 million ARR - What is your strategy?
Jason Slagle | CNWR (16:34)
Yep.
Well, I mean, our strategy is we have a, that's right in our wheelhouse, right? So we are, my ideal customer profile is, about 15 to maybe about 150 users for fully managed. I typically won't take on anything below 15, unless they're regulated, which changes the math a little bit. And I won't take on anything above 150. I'll do co-manage, but you know...
Mikey Pruitt (16:59)
So you say no sometimes?
Jason Slagle | CNWR (17:04)
Oh, we say no a lot. Yeah. Not all revenue is good revenue.
That's not the only reason we say no. That is a reason. Yeah. That is a reason to say no. There are other reasons. And we have a security stack that I believe offers enough protection in that range that they're going to move on to easier, more lucrative targets, right? Like we have a multi-layer EDR stack using a couple of different vendors. We have MDR everywhere. We have SIEM everywhere these days, right? With 24/7 monitoring on it with a good security awareness program, right?
But like things I don't do, I'm not doing any zero trust stuff right now, right? It's like the cost of that stuff is still really high. It's not high because the products are expensive. It's high because the labor to maintain it is high, right? It's fragile. It breaks a lot. It results in a lot of tickets, which result in a lot of labor. No one considers that on the MSP side, how much time you spend administering a tool. And I believe we have a good stack.
That DNS protection, I can't, I would be remiss on your podcast if I didn't say that. I believe that that is the correct amount for the size of organization we support, right? It's too much for like a 10 user shop and it's probably not enough for a 400 user enterprise, but it's good enough for what we do.
Mikey Pruitt (18:20)
That is interesting. I'll tell the story of CNWR's DNS filtering journey. So you were somewhere else, I forget. Came to DNSFilter, switched, yeah, Umbrella, switched to Zorus from DNSFilter before DNSFilter and Zorus were the same company. And now we got you back. I'm so excited.
Jason Slagle | CNWR (18:28)
Yeah, you did. You did.
Yeah, it's been an interesting journey in this space, right? Like you guys, yeah, I mean, the core DNSFilter product was and is very great. Like you had, there were a couple of very specific things that caused you to lose us, most notably the fact that I had to whitelist every single IP a customer would come from, and you became a support headache because somebody on a cable modem would get a new IP and then they couldn't resolve anything anymore until I updated something. I think you've since fixed that.
Mikey Pruitt (19:10)
Roaming clients is a better option, but anyway, go ahead. You're like, don't do roaming. You're right, true.
Jason Slagle | CNWR (19:12)
It is. They don't work everywhere though. I can't run a Roaming client on that Raspberry Pi.
Mikey Pruitt (19:19)
The DNSFilter, specifically ecosystem with the Zorus tooling, is going to get very, very nice in the next month or so. So I'm looking forward to that. In fact, I'm looking forward to what you think about it more than what I think about it. You're going to be either very, very happy or just silent, which is also good. If you've ever seen Jason on the internet, silence is a good thing.
Jason Slagle | CNWR (19:44)
Actually, ironically enough, when you bought Zorus, I was in discussions with Matt about moving back to DNSFilter because you had fixed the thing that caused us to migrate. We have, the agent-based approach also has some downsides, right? Like in, you know, I'll air a little bit of dirty laundry. You guys don't, Zorus doesn't necessarily play nice in domain controllers.
And so the answer is, just don't run it on domain controller. And it's like, that in many organizations is literally the most important system. Why would I not want to run it there?
Mikey Pruitt (20:11)
Yes, I know.
It's actually funny that DNS filtering, generically like ecosystem, there's a lot of other vendors kind of popping up. And I'm curious if it's because people have realized that DNS filtering is just a very easy thing to implement and maintain. And you kind of mentioned this with like the zero trust ecosystem, like one specific tool vendor popped in my head when you said that. And I was like, yes, I've heard the story and the maintenance headache alone.
Jason Slagle | CNWR (20:29)
Yeah. Yeah, no, no, you don't want to, yeah, you're going to get me, you're going to get me in trouble if you, if you drive me, if you, if you drive me down that road. But what I'll say is what I, I will tell you what I know. There is a third party that is licensing the threat feeds incredibly cheap now. So the cost to stand up
Mikey Pruitt (20:40)
Is too much. Listen, we're not naming names. Let's move on to AI.
Jason Slagle | CNWR (20:58)
a service is really low. And so a bunch of vendors are jumping on that and trying to play the, we're just going to price you out of the market game. But the quality of that threat feed and the other stuff that goes along with it probably isn't there. I'm going to get angry texts from at least two people for saying that. Yeah.
Mikey Pruitt (21:13)
Sorry about that. But it's true.
Like the quality of the data is really all that matters because you and I, can, almost anyone can block DNS calls with like a host file on your, on your machine or, yeah, or a Pi-hole or whatever. Yeah. It's like super easy to block. It's the, what you should block is that is the hard part. But anyway,
Jason Slagle | CNWR (21:21)
Yep.
I just run dnsmasq and load in a zone file.
Well, yeah, and you guys did, the DNSFilter side for sure had like, you had a good robust any, I was gonna laugh and joke that are we gonna talk about BGP and anycast and the problems that TCP with anycast DNS. You guys did a good job with your anycast infrastructure and, you know, making it fast and work well.
Mikey Pruitt (21:52)
Speed is the name of the game. Speaking of speed, let's talk about building things with AI. So I watched a podcast with you and Matt Lee and Ash. What's Ash's last name? Ashley Cooper. So the three of y'all were talking about basically vibe coding, which is like my favorite, my currently favorite thing. You were talking about how you vibe coded an app for your popcorn kernel scout troops. So tell me about that a little bit.
Jason Slagle | CNWR (21:54)
Yep. Yes.
Cooper.
Mm-hmm.
Mm-hmm. Still doesn't work. It's close, but it still doesn't work. Yeah, so after months and months and months of basically crapping on the entire concept of vibe coding, I decided before I crapped on it anymore, I should actually just try it. I was pleasantly surprised that it was relatively difficult to get the coding agents to spit out insecure code, right? And that Claude Code in particular, until fairly recently, it was doing a really good job of writing code. And sometime in about the past month, they've like, it's, gone brain dead and it is now like ridiculously stupid and I'm fighting with it all the time. But, I have vibe coded and released a couple of projects on GitHub. One that imports data from Prowler to the reporting platform called PlexTrack that we use for assessments. Another one that's, this is a DNS tie in, another one that can calculate typo squatting permutations. It supports calculating them. It integrates with the OpenSRS API to check to see if they're available, optionally register them, clone the website of the target and put the clone up on the website, proxying traffic for like credentials and stuff to them while logging them locally. So I made a very, very evil tool in like 90 minutes and it's kind of cool.
Matt Lee and I are working on another thing that does some GitHub vulnerability scanning. And yeah, the big one that I'm working on right now is the popcorn tracking system for, it's called corn tracker. It's for scouts. I was going to call it corn hub, but I figured that'd get me kicked out of scouting. So it's corn tracker. And it supports basically managing the entire life cycle of scout popcorn sales, mostly because I was tired of dealing with the Google sheet. Now, ironically enough, I made it so complex that it's broken with a variety of bugs that prevent me from using it and still sale starts Friday. So I'm going to have to start on my spreadsheets anyway while I fix it the rest of the way.
Mikey Pruitt (24:15)
So, and I believe you described this popcorn kernel app, not corn hub, when before we started as it got a little bit more complicated as time went on, because you were like, you built like kind of a proof of concept. You're like, this is great. It's kind of working. And then you kind of thought of some other features or some changes and that got a little out of hand and now it's in a broken state.
Jason Slagle | CNWR (24:24)
Yeah.
Yeah, it is. What happens is, right? So the thing that I think most people do wrong when they, they start doing this is they go straight to implementation and I don't, right? So I treat the AI development tool like a developer, right? Like I manage, I have two, three developers on staff here, right? Two Java devs and a web dev on staff that work on a big project.
And so I've managed developers and I understand requirements gathering and all the other things that go along with it. And if you treat the things like developers, it does a really good job, right? So it's like, here are my high level requirements. Let's go ahead and write a PRD, a product requirement document. You know, let's break this up into sprints that we believe we can accomplish in two weeks. By the way, it can do a two week sprint in like 20 minutes. So it's really fast compared to a normal developer. But the estimates it produces are about correct as far as if I had an actual developer doing them.
And then one of the things I usually do is I'm like, I need you to prompt me on this and ask me clarifying questions, at least five and up to 20. So it will think and it'll think, and I'm actually using multiple, very complex multi-agent workflow that's like, it'll go ask Gemini Pro, and then it'll ask like OpenAI, and then the two of them will talk and get consensus, and I'll come back and ask me questions. So it starts asking me like, would you like to support multiple councils for this? And I'm like, Oh, that's a great idea. I could totally like just offer this to other scouts later. And then it's like, do you need to be able to support multiple units? Yeah, great. Okay. Do you need to support hierarchies and units? Yeah, that seems like it makes sense. Do you need multiple levels of hierarchy? Yeah, why not? Let's do an unlimited number of levels. And so pretty soon this, this very simple like replacement for a spreadsheet with some JavaScript on the backend is now like 200,000 lines of Python code.
It's Postgres on the back end, which is basically what Supabase is, is basically productized Postgres. So it's already Postgres. Yeah. And so it's complicated. I've got the present challenges I'm having right now are largely UI, UX driven. Like, I didn't think, like it didn't think about the users of it when it wrote the flows. So they're just kind of clunky.
Mikey Pruitt (26:22)
That's how it goes. When are you going to add Supabase or Firebase or something?
Okay. Yeah.
Nice.
Jason Slagle | CNWR (26:46)
And there's some minor issues with things like context filtering, right? Like I wanted to make sure from the very beginning that it'd have information leakage between councils and stuff. So there's like a whole filtering middleware that it, yeah, it's just, it's a mess, but it's close. I hope to have it finished and working probably not this weekend because I have a music festival by sometime next week.
Mikey Pruitt (27:09)
So this app you built, basically, did it change your mind about vibe coding, for sure? Well, I guess.
Jason Slagle | CNWR (27:17)
That one didn't, but yeah, it's probably changing it back slowly, because the code has gone brain dead in the past three weeks.
Mikey Pruitt (27:23)
Well, you know you can just start over. This is what you do. This is what you do, audience. Right now you go, hey, write a summary, a README for this project. And then you throw that back into a fresh thing and maybe tune it a little bit. Tell it to use a couple of UI libraries like Chakra and whatever. Yeah, gotta have some Tailwind and just start over. Like that, that no, all it's going to take is another 20 minutes. And then.
Jason Slagle | CNWR (27:26)
Yeah, I know.
Mm-hmm.
Mm-hmm. It is. Yeah, it's using Tailwind. Yeah.
Yeah, I could. You know, part of this at this point becomes like, I am really persistent and I'm like, I'm not going to let this thing beat me. So I will, I will get through it. I don't know that you would have better results at some point. I was like, is this sunk cost fallacy? And should I start over with an MVP, which is actually what I needed. I decided it was not, just because I have at least two units locally that want to use it, right? My old pack would use it and then my troop would use it. So I do need some of that functionality. But you know, what I'm really doing is it, I've gone back to actually coding some of the parts of it myself. Like I did, I won't have it write, with the exception of CSS and HTML, cause I am absolutely terrible at that, I won't have it write in a language that I don't understand. Right? So this is all Python.
This is Django Python in this case, because I made an early on decision that like, because this is essentially a CRUD, that Django was a good, it was a good use case for that. Yeah.
Mikey Pruitt (28:48)
Web App,
So do you think this experience you've had with AI is making you a bit more comfortable using it, obviously, for that dev stuff, but also in your work as an MSP? So have you are good.
Jason Slagle | CNWR (28:58)
yeah.
I, yeah, I'm making, people are going to be cranky because I'm like vibe coding open source alternatives for some of the like tools we use in our space that really should just be features in our tools. I've got right now.
Mikey Pruitt (29:18)
Wait, wait, wait, wait, this isn't why you built the DNS app, is it? Oh no, we're in trouble.
Jason Slagle | CNWR (29:21)
No, no, no, no, no, no, no, no, it was just like we were like shooting the shit somewhere and doing that.
Mikey Pruitt (29:27)
Also, also check out dnstwist, which is a typo enumeration, and EyeWitness, which is, which is pretty slick. Anyway.
Jason Slagle | CNWR (29:31)
Yep. I'm aware of that. Yep. Yeah. Yeah. It does. I'm not familiar with that one. I know dnstwist. No, I've got one right now. Like I've got a problem where, right? Like much like every MSP out there, we have agreements and keeping track of costing on them is a pain in the butt. Like the support for tools to sync those costs over are very up in the air, whether or not they work.
I am about to release a product. I actually just finished like a module on it right before we got on this thing. That basically it, it's a modular system that supports doing that, at least with the manage, and it'll be open source. So I'll throw it up on GitHub when it's ready. It's to solve a problem that honestly, I think that the PSA should just support natively, but it doesn't at least not well. And it's going to have a variety of options, but it, it definitely competes with at least one tool in our space, right? And I feel a little bad by doing that. The other one that I'm passively working on is I haven't found, we use a tool to do TBR management. The tool's fine. It works okay, but it's missing a bunch of features and it hasn't really had new development in a while. So I just decided to write my own tool. It's got those features that are missing. And that one, that's the first project I started with and I've paused it for now to get better at using these tools before I moved back to it. It's probably about 60% of the way there. And as soon as I'm done with this popcorn stuff, I'll probably come back to it and finish it up. And that'll be the same thing. That one I'll probably release open source, but then I may use like a SIP like model where if you want me to host it, I'll charge you a hundred bucks a month or something just to cover costs because it's like, that one, it runs in like five containers, right? It's, it's a very containerized app with like our front end, a backend, a service layer. Like it's yeah, it's got, yeah, it's using, it's, it's Python. It's using Celery, which then requires Redis. Right? Yeah. Yes. It's, it's a pretty, it's, it's very awesome. But it, it does things like, it'll manage the entire life cycle of a TBR, which is like, I need it. I need TBRs coming up, you know,
Mikey Pruitt (31:17)
Redis, Postgres, all the jazz.
Jason Slagle | CNWR (31:34)
10 days before this ticket gets created for this information, six days before this ticket created, right? So it's, it's largely an orchestration engine to handle making sure the tickets get created. One of the things I'm like tinkering around with is it can go out and get all the tickets that the clients put in in the past since the last TBR and then summarize them for the account manager. So he has like a good idea of what to talk for. It's using an LLM, a local LLM, to do that. It's, it's all kind of neat stuff.
Mikey Pruitt (32:03)
Speaking of local LLMs, I saw today that there was a, I think it was NYU, like a research group or something that they bundled Ollama and gpt-oss, the OpenAI open source model, into a piece of malware. I think it's called PromptLock, they called it. So have you seen that? It's like from a month ago or so. Yeah. So they,
Jason Slagle | CNWR (32:17)
Yep. Yep.
Yep. Yeah, that's not new. That's not new. That's a couple weeks ago. Yeah, yeah. Yeah.
Mikey Pruitt (32:29)
They were able to have like the malware just query and vibe code itself into jumping over hurdles kind of thing.
Jason Slagle | CNWR (32:35)
Yeah.
Yeah. Well, I mean, a lot of this comes down to how our anti-EDR anti-malware systems work. They are a hundred percent using like, yeah, they say they're not, they say they're AI based, they're not signature based, they're a hundred percent signature based. It may be the signature, maybe behavior, but it's signature based, right? So if you write a new novel piece of malware, you typically get, and I know this from when I did the,
Mikey Pruitt (32:46)
signatures.
Jason Slagle | CNWR (33:02)
What was the hack it, the Huntress thing I did with John Hammond a handful of years ago where I was doing AV bypass and I would write like a novel piece of basically malware and we were just using the Meterpreter shell, but I would, I would obfuscate the Meterpreter shell and I would throw it at a system, right? I would run it through VirusTotal, it would get zero detections, but 18 hours later everything would detect it.
Right. So it's a race and you know what, honestly, if it takes 18 hours for the people to take the VirusTotal feed and update their signatures and stuff, like you, if you're running it locally, you don't, you're done by then. Right. Like you, it's, basically, it's lowering that time period a lot in that model. I have it here running locally. There's probably a lot of systems that just would not run on honestly. Uh, but yeah, I think the small version of it is like.
Mikey Pruitt (33:51)
That's
There's no GPU or not a sufficient GPU to run it.
Jason Slagle | CNWR (33:57)
Yeah, well, you can, you can run all that stuff without GPU, it's just slow. But like, honestly, do you care? You know, no, I'm only getting like 100 tokens a minute. It's like, but I'm only writing like a thousand lines of code, right? It's, it's going to be done in three minutes anyway, no matter what. Yeah, the smallest one, there's 20 billion tokens. So you would need a system that has at least probably 32 gigs of RAM if it doesn't have a GPU to run that.
Mikey Pruitt (34:02)
Yeah, it's just super slow.
The malware doesn't care.
Yes,
So all this AI experimentation and the buzzword, are you seeing things around CNWR that you're retooling that could have AI pieces of the workflows?
Jason Slagle | CNWR (34:35)
Uh, to answer the indirect question, I have no plans to replace humans with AI at any point in the future. Uh, but we are using AI to augment humans wherever I can reasonably make that happen. Uh, we in, I'm starting to work on more and more use cases. A lot of it's just manual effort right now. Like I'm definitely using AI to analyze tickets and go like find areas of opportunity with regards to like automation or efficiencies that we can gain.
We're using AI a lot to help with things like statement of work, right? Like, and, stuff like that, that, you know, they're just, they're not, they're tasks, process documentation, right? Like it's, AI is great at stuff like that. And honestly, humans are not great at some of it. ChatGPT generates a way better statement of work than I do.
It might require, you know, five minutes of editing from my standpoint, but it took me an hour to write it before, right. And it's better than what I produced, like generating and then spending five minutes editing it is better than what I would push out in an hour.
Mikey Pruitt (35:42)
Yeah, the, I think AI is really good at the stuff we don't really want to do or not good at. But the thing like we're doing right now, having this conversation, like the, this is what humans should be doing. Like having conversations with each other, with our customers, with our clients, with our coworkers and, and learning from each other and let AI handle the mundane, maybe emailing back and forth type of thing, scheduling meetings. But I do want to go back to kind of where we started at about.
Jason Slagle | CNWR (35:54)
Yeah.
Mikey Pruitt (36:12)
your presence online like LinkedIn and YouTube and all this credibility that you've that you've kind of garnered. Authenticity, I guess, is a really good word for it. So that what do you think happens when people come across your content? Like, what do you what are what do you want them to feel or experience?
Jason Slagle | CNWR (36:33)
I don't know. It's actually, it's a really interesting place to be in because I didn't really make any active effort to get into the position I'm in. I am happy that I've ended up here. And I try not to take it for granted. I consider myself the person willing to say out loud what everyone else is thinking or are saying internally, right? And I don't, I don't think a lot of the things I say are earth shattering or groundbreaking. They're the culmination of discussions in, in research and reading and a bunch of other things that come across it. And the thing is, is that like 95% of people, they're just never going to speak up. I somehow have landed into this world where I just generally don't care enough to think about what those people think. So I'm just going to do it anyway.
Mikey Pruitt (37:25)
Would you encourage those people with the 95% who don't speak up to actually do that?
Jason Slagle | CNWR (37:31)
Yes, but I know that that's unlikely to happen. Yeah, I mean, it is, it's one of those things like the world is, it's an interesting place that most people are always going to be passive consumers and the, I try to speak, I try not to abuse the position of power that I've somehow gotten into, right? Like occasionally I get it wrong, occasionally I put my foot in my mouth and drive down the wrong road. I have definitely punched down in a couple of cases where I probably shouldn't have. I will openly, you'll occasionally see a post from me where it's like, you know what, that didn't hit. Like that was a mistake. Like upon further research, I was wrong. And I think that being part of it comes with being willing to admit that you were wrong and being willing to admit that people are fallible. And, you know, I consider myself a scientist in many ways, right? Like a lot of my troubleshooting comes from scientific method.
And I think Kelvin described it best, Kelvin Tegelaar. I have a series of loosely held, strongly believed convictions, right? So it's like, I, with further information, I 100% can and will change my opinion on almost anything. But like it, I need that extra context and that extra information. And until I get it, it is what it is.
Mikey Pruitt (38:50)
So basically, people are not going to speak out. So you do it for them. And sometimes you're wrong, and that's fine. We're humans.
Jason Slagle | CNWR (38:57)
Yeah. Yeah.
I mean, it, everyone's humans, right? Like, and you'll see that like, I've actually been quieter recently about it because one of the things that, you know, getting into this position has afforded me is the ability to affect change that before I had to be very public to affect. I can affect it privately now. Right. So I can change behavior without having to call people out publicly. That's actually a great place to be in. Right. It's like, if I can get, if I don't have to call out poor behavior and I can just text somebody or I can hit somebody on the back end because they're doing the wrong thing. It makes, and it makes the world so much better place. I don't need to be the grumpy guy. I just need the behavior to change.
Mikey Pruitt (39:40)
Regarding CNWR, I know that, didn't you guys absorb or merge, purchase Lawrence Systems' MSP business? So what do you think is next for your MSP and then for yourself? Like, what are you looking forward to in the next year or two?
Jason Slagle | CNWR (39:50)
Yep, about two years ago we did.
Yeah. So, you know, we actually told my account team today, like, to send out a readiness survey to clients to figure out what they're thinking as far as AI goes, right? Like it's, the genie's not going back in the bottle. So I think that's the next wave, the next forefront that we're going to see in the MSP space. And there's a lot of people that have been predicting this. They're not wrong. As much as I'd hate to, as much as, you know, at 45 years old, it's like, oh God, a whole new thing to learn.
I would hate to be able to, or like to be able to just take a rest for a little bit, but I'd also probably get really bored. I think that's probably the next forefront. We'll start doing some more stuff there. Honestly, you know, our growth rate's where I'm happy. As far as me in the future, you know, I found that I really do enjoy educating and public speaking, right? So I don't want that to go away. I'm being a little more selective about where I do it, just because it takes so much time away from the business. But I anticipate a world where that happens more, right? Like I, and I would be remiss if I also didn't mention Cyber Rise, like, which is the charity that Matt Lee, Robert Cioffi and myself have spun up and, we're trying to use our influence and our knowledge to help MSPs that have a really bad day, right? If you're an MSP and you have an incident, you can go to msp911.org.
We have some coaching we can provide you in very limited circumstances. We might be able to get you some hands. We definitely can help you with some stuff like scripting. You'll see that coming on our GitHub soon too, some scripts that ChatGPT and I wrote to help do some ransomware recovery stuff. We're also working on some framework mapping stuff, right? Which is practical advice to MSPs as to how the product set, like DNSFilter, can map to what CIS controls, right? To help MSPs cut through the marketing BS, right? You get a lot of these companies out there that'll say, solve these seven CIS controls and they're not lying, right? Like, but honestly, you know, if you want to take them to its logical conclusion, like our RMM tool, like Ninja, can solve a hundred percent of the CIS controls, right? If you're willing to put the effort into using it to write all the, the code on that, all of them, but probably 80% of them, to write the PowerShell and stuff like that for it to run the hardened systems, right? But out of the box, it doesn't solve any of them. So we're trying to demystify that, to try to cut through it. And then the last one we're doing is probably the one, I mean, I'm excited about MSP911, but it sucks because like when we're doing good, it means somebody else is having a very bad day. The one I'm most excited about is The Hackening. So Matt and I did a talk where we attempted to pop about 26 MSPs, seven we actually took a swing at.
Mikey Pruitt (42:26)
Mmm.
Jason Slagle | CNWR (42:36)
ended up turning it into a series of conference talks. And now what we came out of that is we're actually developing college curriculum. And I think we've got a program chair there that is probably going to get us our first college that we're trying to get online sometime next year. And the idea is we're taking a capstone class and we're pairing up college students in their senior year. We're pairing them up with an MSP where they attempt to do a semester long pen test and write the full report and everything.
And then we have people in the information security spaces, the cyber security space that are going to grade those reports and give the clients feedback. So the students get hands-on real world experience, not in a lab. The MSPs get free pen tests essentially. And every, I think everyone wins. Yeah.
Mikey Pruitt (43:22)
So when you popped a few MSPs, that means you did some pen testing and were successful. Is that what you're saying?
Jason Slagle | CNWR (43:30)
No, we, so we did not have a full breach situation, but we definitely had findings.
Mikey Pruitt (43:36)
Okay. You're like, hey, friend.
Jason Slagle | CNWR (43:39)
Yeah, you know, it's one of those things that like, you know, we talked about it earlier with the, the level of effort and the amount of time and effort that people put into things. If you are targeted by a well-funded motivated threat actor, it is almost entirely undefensible. Right. If China wants into your MSP, they're in, like you are not stopping that generally, right? Like they have an almost unlimited number of resources, right? Like anything's at their disposal.
Mikey Pruitt (43:55)
You're done.
Jason Slagle | CNWR (44:10)
We did okay for the amount of effort we put into it. We did better than I thought we would do. We did worse than Matt thought we would do. We'd do better than I thought we would do. But there are definitely, there are more things there, right? Like we didn't, we definitely drew the line in identity and identity is where everyone's attacking now, right? Like if we give a talk called how it hack you, I'm going to call up and pretend to be, I'm going to call a system engineer.
Mikey Pruitt (44:28)
Mm-hmm.
Jason Slagle | CNWR (44:36)
I'm gonna do research on your company. I'm gonna find out the name of a non-privileged user, right? Like an office admin or something, right? I'm gonna call in from maybe from one of your clients, who knows? I'm gonna call in, I'm gonna pretend to be that person, right? And my goal is to get on a system that you are less guarded about. I don't really care where I land, I want in. Once I'm in, it's a lot easier.
Mikey Pruitt (45:00)
You think social engineering is still the easiest way? Yeah.
Jason Slagle | CNWR (45:02)
Mm-hmm.
Yep, it is. I mean, especially if you consider phishing, and it's a type of social engineering, which I do, it's, a hundred percent. It's something like 80% of attacks involve a human in some way. Right. So yeah, it is, it is still the biggest threat factor.
Mikey Pruitt (45:20)
Well, you heard it here first folks. Jason, thank you so much for joining me today. I appreciate it. Now you have to get to a scout meeting. So go pop that popcorn.
Mikey Pruitt (01:54)
Great way to put it and that's actually question four but we're going to talk about it now because one of the things you're really good at is calling out vendors, MSPs, enterprises like you're not scared to call people out on being stupid using your words. What do you think it is that let's just say MSP specifically what are some of the things that they're focused on that are either a waste of time or not important or things that they should be focusing on more?
Jason Slagle | CNWR (02:21)
So generally, I don't think anyone sets out and goes, you know what, I'm going to be stupid. So stupid is often a product of not knowing. And I think it's like there are the things you know, the things you don't know, and the things you don't know you don't know. And in most cases, I think the gap with a lot of MSPs are the things they don't know they don't know. So I think that if you boiled it down
Matt Lee talks about it and says it really well. He has a whole post is actually best performing post ever was he stuck a Post-it note on the monitor that just said MSP and he's like, I'm an MSP now. There's literally no test or there's no body of anything that you have to do to claim that you're an MSP. You just wake up one day and go, you know what? I'm a help desk tech that thinks I can do my job better than my boss can that is tired of working. And now you're an MSP that comes with an entirely large body of things that you didn't think about.
Right. It comes with security that you may not have had to do in your previous help desk job. comes with running a company. comes with figuring out how things like profit margin and cost of goods sold and all sorts of these other business concepts that you have to figure out. And I think the reality of it is that most MSPs, when they start this journey, they just don't know any better.
And they don't know enough to even realize how big the gap is. mean, I can speak from my own personal experience that when I started going to, uh, when I went to my first, was an IT nation connect show. went to in like 2017 or 2018, it was eye opening. It's like, there is a whole world of stuff here. Like I had the technical stuff I've always been good at, but there was like a whole world of business operations and service management and all this stuff that I had never given any thought to. And that really helped.
prove us as an organization. So yeah, can get, my LinkedIn tag literally calls me the grumpy beard. I can get snarky, I can be direct, but usually it's not really out of malice, it's out of us just wanting people to be better. if no one's willing to call out the fact that you're doing something stupid because everyone's laughing behind your back about it, like.
Somebody should do you the favor of calling out that you're doing something stupid
Mikey Pruitt (04:32)
So you come from like that technical side. Did you put a post-it note on your monitor one day and say, I'm an MSP? that kind of what happened?
Jason Slagle | CNWR (04:35)
Man, we can go way back. So CWR was actually an internet service provider in the late nineties called Solido Internet Access. 2002, my business partner, who's slowly working on retiring, bought, sold it, right? But the buying company wanted to be an ISP, but we had this like small consulting practice that me and him and a couple others did that they didn't want. Right. So Alan, my business partner spun that off.
I stayed for a bit, right then I left. went to enterprise, I went to another MSP or an ISP. I kind of bounced around for about 10 years. I came back and we were a consulting firm focused essentially on one whale customer, still a customer to this day for what it's worth. But about 2015, that whale customer got bought.
And I was very afraid we would lose the revenue. So it's like, okay, well, we used to do all this other consulting. We largely pushed it away because this giant company was paying us everything we needed to go. What's it look like to do that again? We kind of pivoted. Like I made the decision, you know what? This MSP business model seems great. And we just went from there. So kinda like in a roundabout way, we were a traditional consulting firm that kind of pivoted into the MSP space.
Mikey Pruitt (05:54)
Why you think MSPs, like you mentioned in 2017, you went to IT Nation and you were kind of overwhelmed with the things you didn't know you didn't know. What do you think are the key pieces that businesses don't know? Is it more of the business side of things or the technical side of things?
Jason Slagle | CNWR (06:13)
I think it's a fork, right? Like, so I think that you have two classes of MSP. You have the MSP that is a guy that's, or a girl or person that is good at sales and marketing that says, man, I can make an awful lot of money in the IT services space. And they hire, help this guy or two, and then they hang a shingle, right? And then you get the technical people that do the same thing.
Right. They both have blindnesses to the other side of their role. Like I will openly admit, right? Like I can have a conversation with somebody and probably convince them that they need to buy something. Right. But I suck at their traditional sales stuff. Like I don't ask for clothes. Right. I don't try to push things forward. Like I, just, it's weird and awkward. And unsurprisingly, if you've seen my LinkedIn posts, I find it kind of gross. Right. Like, so I don't, so I've had to hire people that do that better than I do from the technical standpoint.
We are a quickly evolving industry. Technology is a quickly evolving industry. I watch a lot of YouTube content that's about what we call vintage computing. Vintage computing is less than 50 years ago. I'm 45 years old and the computer content that I watch that is considered vintage computer are the computers I used in my youth.
We are an industry that has gone from essentially systems that were constructed out of gate level, right? Like 7,400 series logic, or even older than that, like the 4,000 series logic, right? Like, you you talk about like a PDP 1134 or something like that was like literally card cages of all this discrete logic to like literally running AI models that can almost or maybe pass the Turing test in a span of less than 50 years.
Mikey Pruitt (07:44)
I was going to say that, isn't that how Alan Turing and team cracked the enigma machine with just gates?
Jason Slagle | CNWR (08:04)
Yeah. I mean, and this is all happening in less than 50 years, right? So the pace of change and the pace of play is it's just it's earth shattering, right? And what happens is, again, you get somebody that has like domain specific knowledge on like Windows workstations and maybe even Windows servers, right? So they're good at this thing. They miss all of the.
giant amount of it. miss all the security stuff. They maybe don't understand networking. They definitely don't understand software development. And the converse is definitely true that most software developers can't system admin worth anything. and, and so they, again, they just don't know it exists or they, think it's good enough. And unfortunately, right? Like I was just having this conversation with somebody in the office, like less than probably 15 years ago, we used to brag about system uptime.
Like I had a system that was up for a thousand days without rebooting. A thousand. Yeah. We, we literally moved it on a UPS. Like we moved offices. It was on a UPS. I literally unplugged the UPS, unplugged the computer from the monitor and the network and carried the UPS and the system to a car so that we could drive it across town without losing the uptime. We were so proud of it. That's 15 years ago, maybe 20, but it was in recent history - that you could have a system up a thousand days without rebooting it. And it wouldn't get hacked. and so they just don't know any better, right? Because the world is ever changing and everyone assumes that because it's been good and because we've been able to do it this long, right? Like, ⁓ I've done this all along and I've never been hacked, right? Like, but that's no guarantee you won't be tomorrow.
Mikey Pruitt (09:26)
And it was, and it was amazing.
Before we get into hacking, I wanted to go deep into that a little bit. Maybe talk a little vibe coding after that.
You were talking about the jack of all trades versus the very highly specialized person. How do you think which personality or skill set does the MSP benefit from more or in now and maybe in the future?
Jason Slagle | CNWR (10:10)
I would generally say that most MSPs would benefit more from breadth than depth, right? Unless you very, very specialize your ideal customer profile and only take on one vertical, right? With one client size that requires one stack, right? So if you're doing like dentist's office and they all run Dentrics, right? You can depth up all you want there.
But the reality of it is that you're much better off understanding a little bit of a lot, right? And if you, it, because it gives you the ability to see the fact that, okay, I know this thing exists, but I don't know how to do that thing. I'm trying cause what Google, especially chat GPT is really good at driving you down the road and doing that stuff these days. Right? Like I, I actually argue that a college course and how to use Google is probably something that most like a computer science courses need. but
Even if you don't do that, right? Even if you don't, even if you don't Google it and find the answer, you can always hire an expert. Right? Like the option exists to, to subcontract to an expert. The other side of that is like, I'm, we, had a consulting firm in town here. They ended up getting bought by a P company and imploded. They had the smartest people I know in almost every topic area.
They had like the best VMware guy I've worked with, had the best Cisco networking guy I worked with. But if you had a problem that involved both of those things, they couldn't fix it because no one understood both. Right? So the network guy would go, it's not my problem. The VMware guy would go, it's not my problem. It's probably the storage guy's problem, right? Like, it's literally a Spider-Man meme. They're pointing at each other. Yeah.
Mikey Pruitt (11:44)
That's funny.
So let's get into some hacking topics. So cybersecurity has fast become like the third wheel of MSPs or whatever. It's a very heavy portion of MSPs business these days. I would argue that might be shifting into AI now, but before we get to that, let's talk about that later.
So cybersecurity, I've seen actually you and Matt Lee on stage talking about evil jinx. Basically, it's super easy to hack somebody or super easy to set up a hack, maybe not to hack somebody, get them to click maybe a little bit harder like some social engineering stuff. But it's actually not that hard to set up some infrastructure to fulfill some malware delivery.
Jason Slagle | CNWR (12:41)
Mm-hmm.
Mikey Pruitt (12:45)
What do you think is the biggest thing that we're missing in that? Like are we protecting the right things, I guess is my question.
Jason Slagle | CNWR (12:52)
Yes-ish. If you ever talked to a security guy, every answer you ever going to get is going to be, depends. there with black and white does not exist in our world.
All of these things are a spectrum, right? And so what you have to realize at the high end is that the threat actors are businesses too, right? They have call center reps, have affiliates they have to pay out. They have cost of goods sold, right? They track all of these things that you probably expect a normal business to track and
So the reality of it is, is that a lot of the defense and a lot of the protection, a lot of the blue team side stuff we do, it's not necessarily about perfect defense because perfect defense does not exist, right? Like that, well, it does. It kind of, kind of like, correct. Computer locked in a safe at Fort Knox is pretty close to as secure as you're going to get, right? Like, but like, you know, the confidentiality, I think, integrity, availability is like the CIA triad.
Right? Like availability of that system is zero. So you have failed. Right? So everything is about trade-offs. I, and I think that what a lot of MSPs don't do correctly, and a lot of enterprises don't do correctly either, is they don't recognize that there is a continuous gradient between the payout to the threat actor and the amount of money or amount of effort they're going to spend attempting to compromise you.
Right. So if you're a million dollar company, on average, the bad guys are going to take three to 10 % of revenue. Right. So in a million dollar revenue company, and by the way, they know your revenue because they stole your finances. Right. Like, so they know how much money you're making. They have your P&L. So just assume they have your P&L and your balance sheet. So they know how much, they probably have your insurance policy too. So they know how much your insurance is willing to pay. They are going to demand three to 10 % of revenue. Right.
And the way that splits out is some amount of it, I think roughly 50 % of it, will go to the ransom or the initial access broker, potentially in some cases, like the affiliate group may get 20%. It's like a pie, split up, and they're not willing to spend a whole lot of human effort for a 30 to a hundred thousand dollar payout. It's just not big enough for them to spend a lot of effort. So you only need to secure against stupid automated things.
Right. You, you, the, the task at hand isn't, you have to be completely defensible. Everything has to be completely locked down. You just have to be good enough that it's not worth their time. And I think a lot of MSPs fail there because ideal customer profile with regards to size and revenue and, to a certain extent, industry is more important in cybersecurity than in any other space in our industry because the amount of tools and the amount of like nonsense you throw at it, a hundred percent varies by that size of that payout. Right. So it makes sense, right? That's, can't forget where we're going with this, but I think you were asking like what we get wrong. And I think that's the thing we get wrong the most is that we try to, we try to assume naively that we can protect everything and we can't, we just have to protect enough to make it not worth it and get them to move out to an easier target.
Mikey Pruitt (16:17)
Wow. That's not what I was expecting.
So what's your strategy then? I know "it depends", but like if you're an MSP, and your customer has - let's say $10 million ARR - What is your strategy?
Jason Slagle | CNWR (16:34)
Yep.
Well, I mean, our strategy is we have a, that's right in our wheelhouse, right? So we are, my ideal customer profile is about 15 to maybe about 150 users for fully managed. I typically won't take on anything below 15, unless they're regulated, which changes the math a little bit. And I won't take on anything above 150. I'll do co-manage, but you know...
Mikey Pruitt (16:59)
So you say no sometimes?
Jason Slagle | CNWR (17:04)
Oh, we say no a lot. Yeah. Not all revenue is good revenue.
That's not the only reason we say no. That is a reason. Yeah. That is a reason to say no. There are other reasons. And we have a security stack that I believe offers enough protection in that range that they're going to move on to easier, more lucrative targets, right? Like we have a multi-layer EDR stack using a couple of different vendors. We have MDR everywhere. We have SIEM everywhere these days, right? With 24/7 monitoring on it with a good security awareness program, right?
But like things I don't do, I'm not doing any zero trust stuff right now, right? It's like the cost of that stuff is still really high. It's not high because the products are expensive. It's high because the labor to maintain it is high, right? It's fragile. It breaks a lot. It results in a lot of tickets, which result in a lot of labor. No one considers that on the MSP side, how much time you spend administering a tool. And I believe we have a good stack.
That DNS protection, can't, I would be remiss on your podcast if I didn't say that. I believe that that is the correct amount for the size of organization we support, right? It's too much for like a 10 user shop and it's probably not enough for a 400 user enterprise, but it's good enough for what we do.
Mikey Pruitt (18:20)
That is interesting. I'll tell the story of CNWR's DNS filtering journey. So you were somewhere else, I forget. Came to DNSFilter, switched, yeah, Umbrella, switched to Zorus from DNSFilter before DNSFilter and Zorus were the same company. And now we got you back. I'm so excited.
Jason Slagle | CNWR (18:28)
Yeah, you did. You did.
Yeah, it's been an interesting journey in this space, right? Like you guys, yeah, I mean, the core DNSFilter product was and is very great. Like you had, there were a couple of very specific things that caused you to lose us, most notably the fact that I had to whitelist every single IP a customer would come from, and you became a support headache because somebody on a cable modem would get a new IP and then they couldn't resolve anything anymore until I updated something. I think you've since fixed that.
Mikey Pruitt (19:10)
Roaming clients is a better option, but anyway, go ahead. You're like, don't do roaming. You're right, true.
Jason Slagle | CNWR (19:12)
It is. They don't work everywhere though. I can't run a roaming client on that Raspberry Pi.
Mikey Pruitt (19:19)
The DNSFilter, specifically ecosystem with the Zorus tooling, is going to get very, very nice in the next month or so. So I'm looking forward to that. In fact, I'm looking forward to what you think about it more than what I think about it. You're going to be either very, very happy or just silent, which is also good. If you've ever seen Jason on the internet, silence is a good thing.
Jason Slagle | CNWR (19:44)
Actually, ironically enough, when you bought Zorus, I was in discussions with Matt about moving back to DNSFilter because you had fixed the thing that caused us to migrate. We have, the agent-based approach also has some downsides, right? Like in, you know, it'll air a little bit of dirty laundry. You guys don't, Zorus doesn't necessarily play nice in domain controllers.
And so the answer is, just don't run it on domain controller. And it's like, that in many organizations is literally the most important system. Why would I not want to run it there?
Mikey Pruitt (20:11)
Yes, I know.
It's actually funny that DNS filtering, generically like ecosystem, there's a lot of other vendors kind of popping up. And I'm curious if it's because people have realized that DNS filtering is just a very easy thing to implement and maintain. And you kind of mentioned this with like the zero trust ecosystem, like one specific tool vendor popped in my head when you said that. And I was like, yes, I've heard the story and the maintenance headache alone.
Jason Slagle | CNWR (20:29)
Yeah.
Yeah, no, no, you don't want to, yeah,
you're going to get me, you're going to get me in trouble if you, if you drive me, if you, if you drive me down that road. But what I'll say is what I, I will tell you what I know. There is a third party that is licensing the threat feeds incredibly cheap now. So the cost to stand up.
Mikey Pruitt (20:40)
Is too much. Listen, we're not naming names. Let's move on to AI.
Jason Slagle | CNWR (20:58)
A service is really low. And so a bunch of vendors are jumping on that and trying to play the, we're just going to price you out of the market game. But the quality of that threat feed and the other stuff that goes along with it probably isn't there. I'm going to get angry texts from at least two people for saying that. Yeah.
Mikey Pruitt (21:13)
Sorry about that. But it's true.
Like the quality of the data is really all that matters because you and I, can, almost anyone can block DNS calls with like a hosts file on your, on your machine or, yeah, or a Pi-hole or whatever. Yeah. It's like super easy to block. It's the, what you should block is that is the hard part. But anyway,
Jason Slagle | CNWR (21:21)
Yep.
I just run dnsmasq and load in a zone file.
Well in
yeah, and you guys did, the DNSFilter side for sure had like, you had a good robust any, I was gonna laugh and joke that, are we gonna talk about BGP and anycast and the problems that TCP with anycast DNS? You guys did a good job with your anycast infrastructure and, you know, making it fast and work well.
Mikey Pruitt (21:52)
Speed is the name of the game. Speaking of speed, let's talk about building things with AI. So I watched a podcast with you and Matt Lee and Ash. What's Ash's last name? Ashley Cooper. So the three of y'all were talking about basically vibe coding, which is like my favorite, my currently favorite thing. You were talking about how you vibe coded an app for your popcorn kernel scout troops. So tell me about that a little bit.
Jason Slagle | CNWR (21:54)
Yep. Yes.
Cooper.
Mm-hmm.
Mm-hmm. Still
doesn't work. It's close, but it still doesn't work. Yeah, so after months and months and months of basically crapping on the entire concept of vibe coding, I decided before I crapped on it anymore, I should actually just try it. I was pleasantly surprised that it was relatively difficult to get the coding agents to spit out insecure code, right? And that Claude Code in particular, until fairly recently, he was doing a really good job of writing code. And sometime in about the past month, they've like, it's, gone brain dead and it is now like ridiculously stupid and I'm fighting with it all the time. But I have vibe coded and released a couple of projects on GitHub. One that imports data from Prowler to the reporting platform called PlexTrack that we use for assessments. Another one that's, this is a DNS tie-in,
another one that can calculate typosquatting permutations. It supports calculating them. It integrates with the OpenSRS API to check to see if they're available, optionally register them, clone the website of the target and put the clone up on the website, proxying traffic for like credentials and stuff to them while logging them locally. So I made a very, very evil tool in like 90 minutes and it's kind of cool.
Matt Lee and I are working on another thing that does some GitHub vulnerability scanning. And yeah, the big one that I'm working on right now is the popcorn tracking system, it's called Corn Tracker. It's for scouts. I was going to call it Corn Hub, but I figured that'd get me kicked out of scouting. So it's Corn Tracker. And it supports basically managing the entire life cycle of scout popcorn sales, mostly because I was tired of dealing with the Google sheet. Now, ironically enough, I made it so complex that it's broken with a variety of bugs that prevent me from using it and still sale starts Friday. So I'm going to have to start on my spreadsheets anyway while I fix it the rest of the way.
Mikey Pruitt (24:15)
So, and I believe you described this popcorn kernel app, not corn hub, when before we started as it got a little bit more complicated as time went on, because you were like, you built like kind of a proof of concept. You're like, this is great. It's kind of working. And then you kind of thought of some other features or some changes and that got a little out of hand and now it's in a broken state.
Jason Slagle | CNWR (24:24)
Yeah.
Yeah,
it is. What happens is, right? So the thing that I think most people do wrong when they, they start doing this is they go straight to implementation and I don't, right? So I treat the AI development tool like a developer, right? Like I manage, I have two, three developers on staff here, right? Two Java devs and a web dev on staff that work on a big project.
And so I've managed developers and I understand requirements gathering and all the other things that go along with it. And if you treat the things like developers, it does a really good job, right? So it's like, here are my high level requirements. Let's go ahead and write a PRD, a product requirement document. You know, let's break this up into sprints that we believe we can accomplish in two weeks. By the way, it can do a two week sprint in like 20 minutes. So it's really fast compared to a normal developer. But the estimates it produces are about correct as far as if I had an actual developer doing them.
And then one of the things I usually do is I'm like, I need you to prompt me on this and ask me clarifying questions, at least five and up to 20. So it will think and it'll think, and I'm actually using multiple, very complex multi-agent workflow that's like, it'll go ask Gemini Pro, and then it'll ask like OpenAI, and then the two of them will talk and get consensus, and it'll come back and ask me questions. So it starts asking me like,
Would you like to support multiple councils for this? And I'm like, Oh, that's a great idea. I could totally like just offer this to other scouts later. And then it's like, do you need to be able to support multiple units? Yeah, great. Okay. Do you need to support hierarchies and units? Yeah, that seems like it makes sense. Do you need multiple levels of hierarchy? Yeah, why not? Let's do an unlimited number of levels. And so pretty soon this, this very simple like replacement for a spreadsheet with some JavaScript on the backend is now like 200,000 lines of Python code.
It's Postgres on the back end, which is basically what Supabase is, is basically productized Postgres. So it's already Postgres. Yeah. And so it's complicated. I've got the present challenges I'm having right now are largely UI, UX driven. Like, didn't think, like it didn't think about the users of it when it wrote the flows. So they're just kind of clunky.
Mikey Pruitt (26:22)
That's how it goes. When are you going to add Supabase or Firebase or something?
Okay. Yeah.
nice.
Jason Slagle | CNWR (26:46)
And there's some minor issues with things like context filtering, right? Like I wanted to make sure from the very beginning that it'd have information leakage between councils and stuff. So there's like a whole filtering middleware that it, yeah, it's just, it's a mess, but it's close. I hope to have it finished and working probably not this weekend because I have a music festival by sometime next week.
Mikey Pruitt (27:09)
So this app you built, basically, did it change your mind about vibe coding, for sure? Well, I guess.
Jason Slagle | CNWR (27:17)
That one didn't, but yeah,
it's probably changing it back slowly, because the code has gone brain dead in the past three weeks.
Mikey Pruitt (27:23)
Well, you know you can just start over. This is what you do. This is what you do, audience. Right now you go, hey, write a summary, README, read or README for this project. And then you throw that back into a fresh thing and maybe tune it a little bit. Tell it to use a couple of UI libraries like Chakra and whatever. Yeah, gotta have some Tailwind and just start over. Like that, that, no, all it's going to take is another 20 minutes. And then.
Jason Slagle | CNWR (27:26)
Yeah, I know.
Mm-hmm.
Mm-hmm. It is. Yeah, it's using Tailwind. Yeah.
Yeah,
I could. You know, part of this at this point becomes like, I am really persistent and I'm like, I'm not going to let this thing beat me. So I will, I will get through it. I don't know that you would have better results. At some point, I was like, is this sunk cost fallacy? And should I start over with an MVP, which is actually what I needed. I decided it was not, just because I have at least two units locally that want to use it, right? My old pack would use it and then my troop would use it. So I do need some of that functionality. But you know, what I'm really doing is, I've gone back to actually coding some of the parts of it myself. Like I did, I won't have it write, with the exception of CSS and HTML, cause I am absolutely terrible at that, I won't have it write in a language that I don't understand. Right? So this is all Python.
This is Django Python in this case, because I made an early on decision that like, because this is essentially a CRUD, that Django was a good, it was a good use case for that. Yeah.
Mikey Pruitt (28:48)
Web App,
So do you think this experience you've had with AI is making you a bit more comfortable using it, obviously, for that dev stuff, but also in your work as an MSP? So have you are good.
Jason Slagle | CNWR (28:58)
yeah.
I
Yeah, I'm making, people are going to be cranky because I'm like vibe coding open source alternatives for some of the like tools we use in our space that really should just be features in our tools. I've got right now.
Mikey Pruitt (29:18)
Wait, wait, wait,
wait, this isn't why you built the DNS app, is it? No, we're in trouble.
Jason Slagle | CNWR (29:21)
No, no, no, no, no,
no, no, no, was just like we were like shooting the shit somewhere and doing that.
Mikey Pruitt (29:27)
Also, also
check out dnstwist, which is a typo enumeration, and EyeWitness, which is, which is pretty slick. Anyway.
Jason Slagle | CNWR (29:31)
Yep. I'm aware of that. Yep. Yeah. Yeah. It does. I'm not familiar
with that one. I know dnstwist. No, I've got one right now. Like I've got a problem where, right? Like much like every MSP out there, we have agreements and keeping track of costing on them is a pain in the butt. Like the support for tools to sync those costs over are very up in the air, whether or not they work.
I am about to release a product. I actually just finished like a module on it right before we got on this thing. That basically, it's a modular system that supports doing that, at least with the manage, and it'll be open source. So I'll throw it up on GitHub when it's ready. It's to solve a problem that honestly, I think that the PSA should just support natively, but it doesn't, at least not well. And it's going to have a variety of options, but it, it definitely competes with at least one tool in our space, right? And I feel a little bad by doing that. The other one that I'm passively working on is I haven't found we use a tool to do TBR management. The tool's fine. It works okay, but it's missing a bunch of features and it hasn't really had new development in a while. So I just decided to write my own tool. It's got those features that are missing. And that one.
That's the first project I started with and I've paused it for now to get better at using these tools before I moved back to it. It's probably about 60 % of the way there. And as soon as I'm done with this popcorn stuff, I'll probably come back to it and finish it up. And that'll be the same thing. That one I'll probably release open source, but then I may use like a SIP like model where if you want me to host it, I'll charge you a hundred bucks a month or something just to cover costs because it's like.
That one, it runs in like five containers, right? It's, it's a very containerized app with like our front end, a backend, a service layer. Like it's yeah, it's got, yeah, it's using, it's, it's Python. It's using Celery, which then requires Redis. Right? Yeah. Yes. It's, it's a pretty, it's, it's very awesome. But it, it does things like, it'll manage the entire life cycle of a TBR, which is like, I need it. I need TBRs coming up, you know,
Mikey Pruitt (31:17)
Redis, Postgres, all the jazz.
Jason Slagle | CNWR (31:34)
10 days before this ticket gets created for this information, six days before this ticket created, right? So it's, it's largely an orchestration engine to handle making sure the tickets get created. One of the things I'm, like, tinkering around with is it can go out and get all the tickets that the clients put in in the past since the last TBR and then summarize them for the account manager. So he has like a good idea of what to talk for. It's using an, a LLM local LLM to do that. It's, it's all kind of neat stuff.
Mikey Pruitt (32:03)
Speaking of local LLMs, I saw today that there was a, I think it was NYU, like a research group or something that they bundled Ollama and gpt-oss, the OpenAI open source model, into a piece of malware. I think it's called PromptLock, they called it. So have you seen that? They're, it's like from a month ago or so. Yeah. So they,
Jason Slagle | CNWR (32:17)
Yep. Yep.
Yep. Yeah, that's not new. That's not new. That's a couple weeks ago. Yeah, yeah. Yeah.
Mikey Pruitt (32:29)
They were
able to have like the malware just query and vibe code itself into jumping over hurdles kind of thing.
Jason Slagle | CNWR (32:35)
Yeah.
Yeah. Well, I mean, a lot of this comes down to how our anti-EDR anti-malware systems work. They are a hundred percent using like, yeah, they say they're not, they say they're AI based, they're not signature based, they're a hundred percent signature based. It may be the signature, maybe behavior, but it's signature based, right? So if you write a new novel piece of malware, you typically get, and I know this from when I did the,
Mikey Pruitt (32:46)
signatures.
Jason Slagle | CNWR (33:02)
What was the hack it, the Huntress thing I did with John Hammond a handful of years ago where I was doing AV bypass and I would write like a novel piece of basically malware and we were just using the Meterpreter shell but I would, I would obfuscate the Meterpreter shell and I would throw it at a system, right? I would run it through VirusTotal, it would get zero detections, but 18 hours later everything would detect it.
Right. So it's a race and you know what, honestly, if it takes 18 hours for the people to take the VirusTotal feed and update their signatures and stuff, like you, if you're running it locally, you don't, you're done by then. Right. Like you, it's, basically, it's lowering that time period a lot in that model. I have it here running locally. There's probably a lot of systems that just would not run on honestly. Uh, but yeah, I think the small version of it is like.
Mikey Pruitt (33:51)
That's
There's no GPU or not a sufficient GPU to run it.
Jason Slagle | CNWR (33:57)
Yeah, well, you
can, you can run all that stuff without GPU, it's just slow. But like, honestly, do you care? You know, no, I'm only getting like 100 tokens a minute. It's like, but I'm only writing like a thousand lines of code, right? It's, it's going to be done in three minutes anyway, no matter what. Yeah, the smallest one, there's 20 billion tokens. So you would need a system that has at least probably 32 gigs of RAM if it doesn't have a GPU to run that.
Mikey Pruitt (34:02)
Yeah, it's just super slow.
The malware doesn't care.
Yes,
So all this AI experimentation and the buzzword, are you seeing things around CNWR that you're retooling that could have AI pieces of the workflows?
Jason Slagle | CNWR (34:35)
Uh, to answer the indirect question, I have no plans to replace humans with AI at any point in the future. Uh, but we are using AI to augment humans wherever I can reasonably make that happen. Uh, we, I'm starting to work on more and more use cases. A lot of it's just manual effort right now. Like I'm definitely using AI to analyze tickets and go like find areas of opportunity with regards to like automation or efficiencies that we can gain. We're using AI a lot to help with things like statement of work, right? Like, and, stuff like that, that, you know, they're just, they're not, they're tasks, process documentation, right? Like it's, AI is great at stuff like that. And honestly, humans are not great at some of it. The ChatGPT generates a way better statement of work than I do.
It might require, you know, five minutes of editing from my standpoint, but it took me an hour to write it before, right. And it's better than what I produced, like generating and then spending five minutes editing it is better than what I would push it an hour.
Mikey Pruitt (35:42)
Yeah, the, think AI is really good at the stuff we don't really want to do or not good at. But the thing like we're doing right now, having this conversation, like the, this is what humans should be doing. Like having conversations with each other, with our customers, with our clients, with our coworkers and, and learning from each other and let AI handle the mundane, maybe emailing back and forth type of thing, scheduling meetings. But I do want to go back to kind of where we started at about.
Jason Slagle | CNWR (35:54)
Yeah.
Mikey Pruitt (36:12)
your presence online like LinkedIn and YouTube and all this credibility that you've that you've kind of garnered. Authenticity, I guess, is a really good word for it. So that what do you think happens when people come across your content? Like, what do you what are what do you want them to feel or experience?
Jason Slagle | CNWR (36:33)
I don't know. It's actually, it's a really interesting place to be in because I didn't really make any active effort to get into the position I'm in. I am happy that I've ended up here. And I try not to take it for granted. I consider myself the person willing to say out loud what everyone else is thinking or.
are saying internally, right? And I don't, I don't think a lot of the things I say are earth shattering or groundbreaking. They're the culmination of discussions in, in research and reading and a bunch of other things that come across it. And the thing is, is that like 95 % of people, they're just never going to speak up. I somehow have landed into this world where I just generally don't care enough to think about what those people think. So I'm just going to do it anyway.
Mikey Pruitt (37:25)
Would you encourage those people with the 95 % who don't speak up to actually do that?
Jason Slagle | CNWR (37:31)
Yes, but I know that that's unlikely to happen. Yeah, I mean, it is it's one of those things like the world is it's an interesting place that most people are always going to be passive consumers and the I try to speak I try not to abuse the position of power that I've somehow gotten into right like occasionally I get it wrong occasionally I put my foot in my mouth and drive down the wrong road. I have
definitely punched down in a couple of cases where I probably shouldn't have. I will openly, you'll occasionally see a post from me where it's like, you know what, that didn't hit. Like that was a mistake. Like upon further research, I was wrong. And I think that being part of it comes with being willing to admit that you were wrong and being willing to admit that people are fallible. And, you know, I consider myself a scientist in many ways, right? Like a lot of my troubleshooting comes from scientific method.
And I think Kelvin described it best, Kelvin Tegelaar. I have a series of loosely held, strongly believed convictions, right? So it's like, I, with further information, I 100 % can and will change my opinion on almost anything. But like it, I need that extra context and that extra information. And until I get it, it is what it is.
Mikey Pruitt (38:50)
So basically, people are not going to speak out. So you do it for them. And sometimes you're wrong, and that's fine. We're humans.
Jason Slagle | CNWR (38:57)
Yeah. Yeah.
I mean, it, everyone's humans, right? Like, and you'll see that like, I've actually been quieter recently about it because one of the things that, you know, getting into this position has afforded me is the ability to affect change that before I had to be very public to affect. I can affect it privately now. Right. So I can change behavior without having to call people out publicly. That's actually a great place to be in. Right. It's like, if I can get, if I don't have to call out
poor behavior and I can just text somebody or I can hit somebody on the back end because they're doing the wrong thing, it makes, and it makes the world a so much better place. I don't need to be the grumpy guy. I just need the behavior to change.
Mikey Pruitt (39:40)
Regarding CNWR, I know that, didn't you guys absorb or merge, purchase Lawrence Systems MSP business? So what do you think is next for your MSP and then for yourself? Like, what are you looking forward to in the next year or two?
Jason Slagle | CNWR (39:50)
Yep, about two years ago we did.
Yeah. So, you know, we actually told my account team today that, like, to send out a readiness survey to clients to figure out what they're thinking as far as AI goes, right? Like it's, the genie's not going back in the bottle. So I think that's the next wave, the next forefront that we're going to see in the MSP space. And there's a lot of people that have been predicting this. They're not wrong. As much as I'd hate to, as much as, you know, at 45 years old, it's like, Oh God, a whole new thing to learn.
I would hate to be able to, or like to be able to just take a rest for a little bit, but I'd also probably get really bored. I think that's probably the next forefront. We'll start doing some more stuff there. Honestly, you know, our growth rate's where I'm happy. As far as me in the future, you know, I found that I really do enjoy educating and public speaking, right? So I don't want that to go away. I'm being a little more selective about where I do it, just because it takes so much time away from the business. But I anticipate a world where that happens more, right? Like I, and I would be remiss if I also didn't mention cyber rise, like, which is the charity that Matt Lee, Robert Cioffi and myself have spun up and we're trying to use our influence and our knowledge to help MSPs that have a really bad day, right? If you're an MSP and you have an incident, you can go to msp911.org.
We have some coaching we can provide you in very limited circumstances. We might be able to get you some hands, definitely can help you with some stuff like scripting. You'll see that coming on our GitHub soon too, some scripts that ChatGPT and I wrote to help do some ransomware recovery stuff. We're also working on some framework mapping stuff, right? Which is practical advice to MSPs as to how the product set like DNSFilter can map to what CIS controls, right? To help MSPs cut through the marketing BS, right? You get a lot of these companies out there that'll say, solve these seven CIS controls and they're not lying, right? Like, but honestly, you know, if you want to take them to its logical conclusion, like our mental, like Ninja can solve a hundred percent of the CIS controls, right? If you're willing to put the effort into using it to write all the, the code on that, all of them, but probably 80 % of them, to write the PowerShell and stuff like that for it to run the hardened systems, right? But out of the box, doesn't solve any of them. So we're trying to demystify that, to try to cut through it. And then the last one we're doing is probably the one, I mean, I'm excited about MSP911, but it sucks because like when we're doing good, it means somebody else is having a very bad day. The one I'm most excited about is the Hackening. So Matt and I did a talk where we attempted to pop about 26 MSPs, seven we actually took a swing at.
Mikey Pruitt (42:26)
Mmm.
Jason Slagle | CNWR (42:36)
ended up turning it into a series of conference talks. And now what we came out of that is we're actually developing college curriculum. And I think we've got a program chair there that is probably going to get us our first college that we're trying to get online sometime next year. And the idea is we're taking a capstone class and we're pairing up college students in their senior year. We're pairing them up with an MSP where they attempt to do a semester long pen test and write the full report and everything.
And then we have people in the information security spaces, the cyber security space that are going to grade those reports and give the clients feedback. So the students get hands-on real world experience, not in a lab. The MSPs get free pen tests essentially. And every, I think everyone wins. Yeah.
Mikey Pruitt (43:22)
So when you popped a few MSPs, that means you did some pen testing and were successful. Is that what you're saying?
Jason Slagle | CNWR (43:30)
No,
we, so we did not have a full breach situation, but we definitely had findings.
Mikey Pruitt (43:36)
Okay. You're like, hey, friend.
Jason Slagle | CNWR (43:39)
Yeah,
you know, it's one of those things that like, you know, we talked about it earlier with the, the level of effort and the amount of time and effort that people put into things. If you are targeted by a well-funded motivated threat actor, it is almost entirely undefensible. Right. If China wants into your MSP, they're in, like you are not stopping that generally, right? Like they have an almost unlimited number of resources, right? Like anything's at their disposal.
Mikey Pruitt (43:55)
You're done.
Jason Slagle | CNWR (44:10)
We did okay for the amount of effort we put into it. We did better than I thought we would do. We did worse than Matt thought we would do. We'd do better than I thought we would do. But there are definitely, there are more things there, right? Like we didn't, we definitely drew the line in identity and identity is where everyone's attacking now, right? Like if we give a talk called How I'd Hack You, I'm going to call up and pretend to be, I'm going to call a system engineer.
Mikey Pruitt (44:28)
Mm-hmm.
Jason Slagle | CNWR (44:36)
I'm gonna do research on your company. I'm gonna find out the name of a non-privileged user, right? Like a office admin or something, right? I'm gonna call in from maybe from one of your clients, who knows? I'm gonna call in, I'm gonna pretend to be that person, right? And my goal is to get on a system that you are less guarded about. I don't really care where I land, I want in. Once I'm in, it's a lot easier.
Mikey Pruitt (45:00)
You think social engineering is still the easiest way? Yeah.
Jason Slagle | CNWR (45:02)
Mm-hmm.
Yep, it is. I mean, especially if you consider phishing and it's a type of social engineering, which I do, it's, a hundred percent. It's something like 80 % of attacks involve a human in some way. Right. So yeah, it is, it is still the biggest threat factor.
Mikey Pruitt (45:20)
Well, you heard it here first folks. Jason, thank you so much for joining me today. I appreciate it. Now you have to get to a scout meeting. So go pop that popcorn.


