Listen to the podcast
Read Transcript
Erick and Rich discuss Veeam’s bold attempt to invent a whole new kind of data-focused platform for the age of AI, as well as why and how to earn your way to more and better client referrals. Then they’re joined by Danny Jenkins, CEO of ThreatLocker, for a thoughtful conversation about why AI security risks make left-of-boom, zero-trust security more important than ever. And finally, one last thing: evidence that those “triple washed” bags of lettuce aren’t always triple washed.
Discussed in this episode:
S**t Happens in AI. Veeam Says It Has the Answer.
ThreatLocker launches Zero Trust network and cloud access to stop credential-based cyberattacks
Lettuce introduce you to the live frog found in this grocery store salad bag
Some guests on this podcast are clients of Channel Mastered. Compensation plays no part in their appearance or the content of the discussion unless the episode they appear on is a “bonus episode” explicitly labeled as sponsored.
Transcript:
Rich: [00:00:00] Want to know what the smartest people in the SMB channel are reading? Check out Channelholic, the industry blog from me, veteran technology journalist and analyst Rich Freeman. Covering managed services, AI, cybersecurity, and M&A, Channelholic delivers sharp analysis and insider perspectives trusted by MSP executives, technology vendors, and IT investors alike.
If you want to understand where the channel’s headed next and why, check out Channelholic at www.channelholic.new. And three, two, one, blast off, ladies and gentlemen. Welcome to another episode of the MSP Chat Podcast, your weekly visit with two talking heads talking with you about the services, strategies, and success tips you need- You need
to make it big in managed services. My name [00:01:00] is Rich Freeman. I’m one of your co-hosts. I’m also the chief analyst at Channel Master, the organization responsible for this show. I am joined side by side virtually this week with your other co-host, our CEO and chief strategist at Channel Master. His name is Erick Simpson.
Erick, we’re back.
Erick: We’re back, Rich. We are back from a short hiatus.
Rich: Which is entirely my fault. So we went dark on you for two weeks. We apologize for that. It’s a bad news, good news story. The bad news is that two weeks ago I was at a conference in New York that we will be talking about in just a moment, and the morning that we were gonna record that week’s episode of the show, I woke up and was just really ill, and texted Erick, “There is no way we’re recording this episode.”
And thankfully Erick was very understanding about that. And then shortly after that I flew away to Europe on vacation, so week two was the good news piece of the story there. I was on break last week. So we disappeared on you for a couple weeks, but we’re back.
Erick: Well, [00:02:00] Rich, a slight correction, though.
We were gonna record two episodes-
Rich: Yes …
Erick: so that we didn’t have a little short hiatus, and you got sick, and I’m just so glad you’re back and healthy. I think when we chatted yesterday you were in the upper 90% of recovery and having enjoyed a fantastic vacation. I hope that you are back at it and ready to go, ’cause we got lots of news to cover.
Rich: Let’s let’s get to it then. Two weeks ago when I got ill, I was attend- I was in New York City attending Veeam’s VeeamON event in in Manhattan. And it was an interesting one. I- it’s been a little while since I’ve been to one of Veeam’s shows. And there are, just like at any show you- th- there’s gonna be product news any time you go, but there was particularly interesting product news, and I’m finally getting a chance to talk about it a little bit on the show here.
And part of what makes the sorta core product announcement that Veeam made during the conference is they’re not just… I- it would be interesting if they were trying to define a new [00:03:00] product category with the thing that they launched. They’re actually trying to define a new platform category.
It was a very ambitious launch that they announced, and this is really the strategy that they’re gonna be building around for a number of years to come here. Now, the jumping off point for that strategy is in many ways a familiar one for Veeam. Veeam is a company best known for data protection.
Data, as we know, is absolutely core to AI- And as we also know when, whenever data is concerned in-inside or outside the context of AI things can go wrong. Or as I put it in my column, and we’ll link to my Channel Hog column about this if you wanna read further on this and if you’re with your kids, cover their ears, shit happens with AI with data rather at any time, but especially with AI.
And the shit that can happen, Erick, is the familiar stuff, the security related stuff. It could be ransomware for example or exfiltration. Th-there’s also the familiar kind of accidental fat finger deletion of of [00:04:00] in- So there, there are all the things that have gone wrong with data for a long time, but there are all sorts of new things that can go wrong with data now in the AI era.
And you could get bad answers from an LLM because it’s based on inaccurate, obsolete, incomplete data. You can get an accurate answer that you shouldn’t be getting, like how much money is the CEO making? How much money is the guy in the cubicle? Information that isn’t supposed to be public can be revealed by an L- LLM.
You can get information that is a very convincing hallucination, and you make decisions based on that information. And then in particular, and this is already an issue, but it’s gonna be a huge issue going forward, is there can be an agentic mishap involving data. We are all familiar Pretty much any day, if you hunt around, you will find a story about an agent, a well-intentioned agent going rogue and doing something it shouldn’t do.
And random recent example an AI coding agent used by a company called [00:05:00] Pocket OS deleted the entire production database and all the associated backups in nine seconds. Just blew it all away in nine seconds. So that’s today when there are just under 29 million agents, according to IDC, in circulation out there.
We are headed to a world where there will be 2.3 billion of them, according to IDC, by 2030. They’re gonna be moving very fast. You’re not really gonna see what they’re doing most of the time and they’re gonna make mistakes like that. They, and not just deleting production databases, they’re gonna make wrong decisions, et cetera.
And this was what Anand Eswaran, the CEO of Veeam, called out from on stage at the conference explaining what’s going on. He said that the new failure isn’t just a breach. The thing you need to be f- thinking about now isn’t just security, isn’t just a breach. He said it’s actually a wrong decision which you take, executed at machine speed before anyone notices.
This is the world of [00:06:00] agentic AI that we’re entering right now. The only answer to this problem, Veeam believes is a new kind of platform. Something that in one unified package combines security and backup things that Veeam has been doing for a while, with governance, with privacy, with compliance, all of the different issues related to data, all of the different ways shit can happen.
You wanna have one view, one entry point to managing all that and controlling all of that. And so Veeam has created what it says is, and I think they’re right the first product that kind of fits first platform that fits in this category. It’s called the Data AI Command Platform. Hugely oversimplifying, it’s designed to do four very useful, I think, things.
One is to create a comprehensive map of an organization’s data, and not just where are the data bases located, but what’s in those databases. A truly detailed, granular, comprehensive map of an organization’s data. And [00:07:00] then it will also catalog the permissions and policies associated with that data.
It will enforce those policies in real time before an agent has a chance to do something weird. And then if an agent still or a human manages to do something weird, it will help you automatically remediate that issue. So a-again they’re defining a new platform category, one that didn’t really exist before.
I, I should point out purely from a vendor strategy standpoint, that’s very interesting because Veeam like a year ago if we had been talking about Veeam, I would’ve said they’re in a kind of a weird place, Erick. They’re data protection specialists at a time when MSPs and their customers want platforms that include data protection, but to be standalone anything is kinda difficult.
So where, what are they gonna do? And what they could have done, obviously, is create a security platform. It looked in some respects like that’s what they were going to do. What they opted to do instead was invent a whole new kind of [00:08:00] platform and attempt basically to own the market that they’re inventing.
It’s a very crafty interesting strategy that I didn’t foresee, and we will see how that works out for them. From the standpoint of the folks in our audience though, Erick, there is also a partner opportunity to consider here because as we know backup is an incredibly commoditized service to be offering your customers right now.
Security less but everybody you’re doing business with right now, you can get security services as an end user from any MSP for the most part out there right now. But if you can sit down with a customer and say, “We’re gonna have a strategic comprehensive conversation about all of the data related risk that AI subjects you to.”
“I’m gonna help you get all of the value the digital transformational value out of AI that you can get. But I’m also going to help you understand, control, mitigate all of the data related risk associated with that.” That’s not a conversation any [00:09:00] and every MSP can have today. And it’s a bigger, more interesting service and value add that you’re providing.
And so potentially instead of charging the kind of commoditized rates that you charge for backup, this becomes a premium service that you can deliver that helps you command more margin. So interesting strategic move by Veeam. Interesting strategic and growth opportunity for Veeam partners.
Erick: Very interesting, Rich. Yeah, so I was taking a lot of notes because there’s a lot to unpack here. Yes, we, you talked about, AI hallucination. What can affect data? Data leakage, rogue AI. We see these stories all the time. I love the c- the the quote that you shared.
It isn’t just… the threat isn’t just a breach, it’s the wrong deci- it’s- it’s not a breach when a breach happens, it’s a wrong decision executed at machine speed that goes undetected or maybe even not even being monitored, right? I got a few questions because, this is definitely something that we have, I haven’t [00:10:00] seen before.
It sounds like you haven’t seen it yet either. And yes, we see the typical backup vendors that we all know moving more towards building out more kind of security focused platforms, integrating, like expanding this, the one platform for the MSP kind of a thing. So this is a very… the thought that came into my head was when you were saying, what they’re doing and just stepping out.
Fortune favors the bold. It’s a very bold kind of move, creating your own category. And, we’ve known, we know from conversations we’ve had in the past that, that’s probably the most valuable thing any business trying to penetrate a market, more, more powerful approach is to try to create your own category so you cannot be compared against anybody else, right?
It’s like MSPs think, oh we talk about this a lot, right? We go to lots of conferences, Rich, and we’re walking down The expo hall and thinking, what makes this particular booth’s message different or unique than everybody else’s? [00:11:00] Because we think, oh, immediately, “Oh, you guys are kinda like this or that,” right?
It’s like that story of the, what, four or five blind men and the elephant, right? Everybody thinks the elephant’s a different thing. So creating your own category is very bold, strategic. And some of these features really do seem to… i… Some of them sound familiar, but the the permissions, policy ID, identifying that stuff and enforcement, I think having a platform that kind of goes out and collects this, is it using AI itself, Rich?
I’m curious, because doing a comprehensive data map crawling is, step one in any kind of AI discipline, we’ve heard from experts is you’ve got to, wrangle your data. You’ve got to figure out where all the data is, and you’ve gotta normalize it, and you’ve gotta tag it, and all this other stuff to prepare it for good, proper use of AI so we can, try to reduce the AI hallucination and data leakage and all these other things, right?
And then in the remediation, so is it using [00:12:00] AI? And in the remediation component, you mentioned if a user and a human makes a mistake, it can help you remediate it. Will it also do that if an AI platform goes rogue and does something crazy like that as well?
Rich: Yeah. So that I’ll do the second question first, and the answer is yes, basically.
If shit happens, it’s gonna clean it up. And so whether it’s a human responsible for that shit happening or an agent the idea at least is the platform’s gonna get involved. And in answer to the first question, yes, AI is involved. I didn’t mention this, but the big signal that they were up to something at Veeam came late-ish last year.
I wanna say last October. Veeam acquired a company called Security AI, S-E-C-U-R-I-T-I AI and that it’s I- best thought of as a data security posture management company. There’s a lot of security AI functionality built into the data AI command platform, basically. By combining the traditional Veeam data protection stuff with the security AI stuff, you get this [00:13:00] data AI platform there.
And I don’t know if you caught it, I grinned just a little bit when you asked me that question because right after the keynote and the general session, I went back to the media analyst room and one of the analysts who was there just kinda asked me, “What did you think?” And I told him more or less what I just told you, and I said, “What did you think?”
And he looks at me and he goes, “What does Veeam know about AI?” And I thought what do you mean?” And it was a perfectly legitimate question. Sure. ‘Cause what he’s saying is, th- they just told us for 90 minutes that AI makes mistakes, AI screws things up, and they’re also telling us we’re using AI to protect you from that.
I need to have some confidence that their AI is really good and really capable of doing that. And so he, he hadn’t done… I was finished with my Veeam executive edit- interviews by that point, so I didn’t get a chance to ask him. He was going to get his chance, and I I wish I… I should probably follow up with [00:14:00] him and see what did they tell you?
Yeah. ‘Cause this was what he was gonna ask them. So yes, they’re using AI, and that raises some some interesting questions.
Erick: Yeah. And, it sounds like they’ve been planning this now for, it’s like this, the vision of, if you, if they, if you got a inkling of it last October, that means that they’ve been thinking about it long before then, making these strategic acquisitions.
You would think that, they, their AI approach and, intelligence will be defensible because these are the questions that now arise, right?
Rich: Yeah. Yeah. Exact- and and again, I, if if this thought the analyst posed to me had occurred to me, I would have asked that ’cause I would be really interested to hear what they have to say.
But you’re absolutely right.
Erick: Yeah. Yeah. Interesting. Will this now create, others following in the wake of this very bold move? We’ll have to see.
Rich: Yeah. Yeah. I hadn’t really thought about it all [00:15:00] that much, but y- if you look at the security platform makers, the CrowdStrikes and Palo Altos of the world, how hard would it be for them to take the security functionality and the endpoint or the data protection functionality they have and either add or use, ’cause some of these guys already have DSPM funct- can they kind, build a package that does the same kind of thing?
What… It’ll be an interesting thing to see going forward.
Erick: Yeah. Coming from the security side, then they could build, buy or, partner or acquire a backup solution because they’re already in the AI space is what you’re hinting at then.
Rich: Yeah. Yeah.
Erick: Yeah.
Rich: Erick, I’ve been starving for a tip of the week for multiple weeks here, and it’s finally time to get one, so let’s dive into it.
And this week’s tip has to do with every MSP’s favorite lead generation source.
Erick: It is, Rich. Nice setup. Thank you. And we’re talking about referrals as a sort- as a source of lead generation. [00:16:00] And, in my MSP and every MSP in the evolution of MSP, we probably begin our business, living off of referrals from existing clients, and that really never goes away.
What I think might happen, Rich, when MSPs get a little bit more mature and they’re investing in, direct marketing and things like that it shifts. It’s we wanna be predictable about, the revenue that we’re going to generate. And as referrals are very unpredictable.
You could have a bunch of referrals, you could have no referrals. There’s feast or famine. And the strategy around maintaining a high level of good referrals is what we’re going to talk about today. Because no matter what we’re doing from a lead gen and a marketing perspective, Rich, referrals should be the easiest opportunities we ever have to close business.
And I think it’s one of the reasons why when we speak with MSPs, Rich, they tell us, “Hey, you know what?” S- sit me down in front of a client and, I’ll close that business. And [00:17:00] I think when I’m speaking to MSPs, the question that I fail to ask is how was that lead generated that you’re closing so easily?
Was it a referral or did you h- was it a cold lead? Did it come in from some marketing you did? Because there’s a difference, right? These warm referrals are typically easier to close. They come with authority, right? And if you do it right and have a system around it, they can be… You can potentially predict a little bit better how much revenue you can potentially generate.
And there’s a math formula in my brain that, I’ve been n- noodling with Rich, and it’s how many QBRs are we having? How many satisfied clients do we have? How m- how much strategic value are we delivering to these clients? How good are we at getting the client to recognize our strategic value?
How… and helping them grow their business. And, that cheese moves a lot, right? And when we’re sitting with clients, what we tend to feel is we’re spending– we try to spend [00:18:00] I think in the early days of our business growth, we’re trying to spend as much time with every client as possible.
When we think of these are the only clients we have, we’ve got to make sure that everybody is happy. But as we mature, Rich we find that not every client merits that type of attention, and I think it’s one of the, it’s one of the friction points when we’re developing a QBR process. I’m talking about strategic business reviews where we’re sitting down with a client and not just going over a scorecard or a report card of how many, viruses we killed and, tickets we closed and things like that, but more strategically valuable information like we’re starting to see MSPs begin to have around AI and governance and security nowadays, right?
We’ve got to segment our clients into that kind of ABC methodology. Your C customers are probably the folks that may not merit a true quarterly strategic meeting. They might not merit a biannual meeting. They might not merit an annual meeting. It is as needed for those folks. [00:19:00] The B clients may be biannually.
There’s a budget factor in this formula in my head, and there’s a a performance from a growth perspective formula in my head. Are they growing? Are they stale? Are they stagnant? Do they have budget? We might see them a couple times a year maybe less. The A clients you’re gonna see much more frequently.
These are the folks that have budget, that see the value. You’re delivering value. You’re meeting with them quarterly. Heck, Rich, we had clients that we would meet with weekly sometimes, for sprints because there were some things that they really needed our help with, and they valued our opinion.
These are the clients that would email us, ahead of a budget meeting and say, “Hey, we’re having our annual budget review meeting. Can you guys, send somebody? Can you come in, Erick, and sit in?” Oh, you betcha I’ll be there with bells on, right? So what can we do, Rich, to really think about how to leverage referrals in a way that Are, is [00:20:00] more predictable and not to replace, marketing and things like that, but again, the value of these referrals should be the priority.
And the, there’s a double-edged sword when we’re getting referrals from clients Rich? It’s because sometimes when we’re much more mature than, a startup MSP, like in our early days, we would sit in for every referral meeting, and we would get pulled into all kinds of crazy technology conversations.
“Hey, can you guys do this?” And we had never even heard of it before. “Oh, yeah,” the salesperson would say, “We do that.” And then we’d have to go figure it out and, that was not a winning combination. But when you’re focused on a specific vertical, you have a specific s- specialization, call it cybersecurity, call it whatever it is, and you tend to gather clients within that vertical or that need that specialization, or you’re an expert in a specific platform and you’re growing your client base that way, those referrals tend to be a little bit better because you’re not just, “Oh, I’ve got a, [00:21:00] a, a pool cleaning service that runs, an old SQL Server.
It’s a buddy of mine. Can you go help him?” It’s more of something that fits within your wheelhouse. And as you grow, you’re gonna collect these larger clients and move in that direction. So here are three things to think about, Rich. These referrals, the first thing that I’ll say, they’re earned They’re not asked for.
And what I mean by that is, I used to tell MSPs all the time, “Hey, every QBR, make sure you don’t leave without asking for a referral.” It’s like trust, right? For someone to say, “I’m gonna, in- introduce you to a client of mine.” And this isn’t just simply here’s their number. When we’re asking for a referral, we’re banking on that trust that we built for the client.
They know that we’re delivering great value to them, and they want to make sure that whoever if they refer us to somebody, it’s because we’re delivering great value to them, and they see the value of introducing us to that other person. Because you know what? We’ve experienced this in general life.
You refer somebody, like somebody who’s [00:22:00] working on your, auto mechanic, your house, whatever, and you get a referral of a bad contractor, and, you’re kinda like, “Hey, buddy. You sent this guy over here, and now, you left me with a, a pile of junk. It’s not working.”
So it’s a reputational thing as well. So three things to think about to build, to earn that ability for clients, not even to wait until you ask them, but to think about you and have you top of mind for referrals. Again, you’re gonna identify your happiest clients. Now, of course, nobody wants unhappy clients, Rich, but among all your clients, you can ABC that CSAT score, right?
And say, “Who are my most satisfied clients, the clients that see the value that, want to support my business as much as I want to support their business?” That’s a special client relationship, right? So identify those folks. Those are the ones you’re going to perfect this with and expand it over time.
And ask for one referral directly. Be specific. Here’s the other one, right? [00:23:00] Where MSP’s kind of, “Hey, do you have anybody we can help?” Hey, you know what? You know what we do, here’s where we’re focused, here’s where we’re moving, here are our specializations in case we haven’t reminded you lately.
We’re looking for clients that look like this, right? So this kind of puts the guardrails around somebody referring you to a vertical market or somebody that just isn’t a great fit. And then the embarrassment of you you know what? That really doesn’t fit our model,” and you don’t want that friction either.
Or you try to help them and it fails because you’re just not an expert at whatever it is they need, and then that gets back to the referrer, and good luck getting another referral out of them Reg? And then give them a reason to refer you. When we’re doing business with these A clients, chances are that we’re doing projects, that we’re helping them strategically with things that help them grow their business.
And you can share a success story with them about the last project or the performance or things like that to remind them of the [00:24:00] value that you’re delivering to them so that they can process that when they’re thinking of the right folks to introduce you to. And, an old kind of approach or a historical approach would be ask for two or three referrals hoping you’ll get one
Rich: All sorts of thoughts there.
And so in, in no particular order I’ll just say but a f- a first thought about referrals generally, I was s- semi-joking, this is every MSP’s favorite source of leads. And a kind of a key thing to, to note there is referrals are a great source of lead.
Mike Schmidtmann, one of my favorite sales and marketing experts for MSPs, will often say, “Referrals are your best source of leads. You should absolutely be pursuing and cultivating referrals.” The thing I would add to that though is referrals should not be your only source of leads. Unless you’re getting so, so successful at getting referrals and converting those into clients generally speaking, you wanna be combining referrals with other sources of [00:25:00] leads.
I really like the point you made about the value attached to… that basically not all referrals are alike. And understanding what are the kind of referrals that you most want, what are the ones that have more value versus less value I think is an important way to kinda think about this.
And in particular, you were talking the starting point there was begin with your happiest clients. And I would maybe add to that, okay, within my universe of happy clients, which are the ones maybe that are closest to the vertical industry, the technology specialist? I… If I’m building out my skillset, I’m specializing in an industry or a solution or something like that referrals in that area are gonna be more valuable, relatively speaking, than other referrals that you would get from happy clients who are pool cleaners and so on.
I like that a lot actually, that idea that referrals are good. You wanna get referrals. You wanna be thoughtful about where you get them from, and the kind that [00:26:00] you’re, you are most interested in getting.
Erick: Yeah. Great insight there, Rich. Ab- absolutely the things that I, didn’t verbalize, you picked up on right away.
And I’ll answer one question that, seems to pop up all the time from partners is like how do I compensate? Can I use something to incentivize my clients to give me referrals?” And you know what? I used to have all these great strategies to do that, and today, sitting here, I say- I, I would not recommend creating a cookie cutter kind of a, “Hey, we’re gonna give you 10% off your next invoice,” or, “We’re gonna give you a gift card,” or things like that.
I think what I would recommend MSPs try is just straight up asking for those referrals. And if you’re delivering value, your client and you’re important to the client and you built a rela- And again, this is a relationship thing, okay? You’ve gotta work at it.
And if the client is invest- as invested in your organization as you are in theirs, [00:27:00] they will want to give you referrals. One thing that I’ll mention that’s a little extra tip Interview your client first and ask them who are their ideal clients? Who are they interested in building a business around?
What do the- what does that ICP look like? And look through your existing client list, and I’ll bet, Rich, you might have one or two clients that you might, think about referring to them. Think about attorneys, think about accounting firms. Those were two of our straight up vertical markets.
We had plenty of referrals that we could bring, and then I would bring some a lot. I would pick a really, good client and say, “Hey, would… i’d like to introduce you.” And do- and you’re creating this referral network now, right? So they experience you giving them referrals, then they feel obligated to do that in return.
And when I said earlier that we’re gonna create a more predictable way of doing this, you’re creating now [00:28:00] a process around referral generation among your existing clients. So you can bring that client a referral. Say, “Hey, next time we meet, let’s exchange. I’ll bring a referral, you think of somebody for me.”
And you get them to agree to that, and you do that thing, and now you’ve started off a great relationship. And, bl- the reason I say let’s not, create a cookie… And nobody wants to feel the same. We’re talking about your best clients. You’re gonna try to introduce a framework that everybody can participate in as a thank you or reward.
I learned this from a, I sent a referral over to a, it was an MSP actually that I had worked with years ago and helped them transform their business. And he went off and was doing some EOS consulting, Rich, so entrepreneurial operating system consulting. And I sent him an MSP. I said, “Hey, I’m gonna connect you guys.”
And great referral. [00:29:00] Just, knowing what he did and what the MSP needed, I connected them. And tha- he thanked me, and about three weeks later, I received this really nice leather carry-on bag, like very nice, in the mail with a note from him. “Thank you very much. I really appreciated the referral you sent me And that stuck with me.
So think about that, MSPs. Give a thoughtful thank you appreciation, and this could be, weekend getaway at a resort for the person that referred you and their significant other, or something unique that’s an experience. This was, to me, nobody had ever done that to me before, so it really sticks out.
It was very nice. But think about that, and don’t come up with kind of this generic, “Hey here’s our referral program.” No we’re beyond that with our A clients, and they should be beyond that with us, and we’re gonna appreciate them in a manner appropriate with the value we place on the [00:30:00] relationship in addition to the referral.
Rich: All right. Excellent advice. The this has slaked my thirst for a tip of the week after thr- a three-week absent, and absence rather, and great stuff. Folks Erick and I are gonna take a quick break right now. We’re we’ve got more great stuff coming for you after the break, ’cause we are gonna be joined by Danny Jenkins.
He is the CEO of ThreatLocker. ThreatLocker recently introduced a a new credential theft product. We’re gonna get into the whole topic of credential theft with him. We’re gonna talk about the the subject that he knows probably as well, if not better than anyone in the managed services security world, which is zero trust security, and obviously that’s something to think about in a serious way in the AI era.
Stick around, folks. We’re gonna be right back for you with Danny Jenkins of ThreatLocker
Welcome back to part two of this episode of the MSP Chat Podcast, our spotlight interview segment, where we [00:31:00] are very pleased to be joined by the CEO of ThreatLocker. His name is Danny Jenkins. Danny, welcome to the show.
Danny: Rich, thank you for inviting me today.
Rich: I find it nearly impossible to believe that anyone in our audience is unfamiliar with ThreatLocker or Danny Jenkins, but there’s gotta be somebody out there who fits that description.
So just to kick things off, tell folks a little bit about yourself and about ThreatLocker.
Danny: So e- essentially I’m CEO and co-founder of ThreatLocker. I am, I would like to say, a nerd. I’m a security guy. I love technology, and what we’ve done here at ThreatLocker is really change the way the world thinks about security from an open world with detection and response to really zero trust, block by default, allow what you need, and made that super easy for the MSP community.
Rich: So I, i- in any interview I do that’s gonna touch on zero trust, almost always the first question is, how do you define zero trust? Because as there are various definitions out there. So what is the ThreatLocker definition of zero [00:32:00] trust, and then how widely adopted is that model of zero trust in your view among MSPs right now?
Danny: Okay. So I’ll give the high level overview of what zero trust is first and what zero trust really means is least privilege. If you remember the days they used to call the cloud hosting, zero trust used to be called least privilege. But essentially what it means is to grant access where access is required.
It’s not about making life difficult in order to perform a function or a job. And whether that’s for a user, a service, a node, a device, it doesn’t matter. What ThreatLocker does is we provide tools. And that could be, first of all, blocking untrusted software. The implied trust method of blocking or s- blocking software is, hey, we’re gonna allow everything and just block what’s bad.
What ThreatLocker does is says, “We’re just gonna allow the software you need and block everything else.” That includes ransomware. We validate devices, whether it be a mobile device for zero trust cloud access. We have network a- zero trust network access to provide secure access to network devices without opening ports on your firewall.
But essentially it’s multiple modules, but what it really means is let’s just take [00:33:00] away permissions where they aren’t required, whether it’s Zoom has too many permissions or Angry Birds has too many permissions or PowerShell does, and let’s just give them what they need, which makes the user’s life really easy because they don’t have any problems, but also means you’re secure.
So when something g- happens like an exploit or vulnerability, the damage is contained, if not completely stopped
Erick: Danny, as a former MSP I equate zero trust to be like a firewall. Nothing can get in unless you allow a few things in. What is it about zero trust that makes it so difficult for MSPs and their clients to understand?
Danny: So I don’t th- I don’t think I think the problem is Rich kicked it off by saying, “Can you define zero trust?” And, I hate the world of cybersecurity where we are, and if you notice at most of our booths at trade shows, it will say things like, “Block untrusted software.” And the reason we do that is because it’s so hard for MSPs to even know what it means.
You’ve got people saying, “We’re a zero trust EDR.” There’s no such thing as a zero [00:34:00] trust EDR. So you’ve got loads of marketing things in there. The reality is there’s just a lot of noise in the industry, but it really isn’t difficult. It isn’t difficult to understand. What you need to know is, hey, we’re just gonna figure out what we need in our environment, and ThreatLocker helps by learning automatically, and then we’re gonna allow that and we’re gonna block everything else.
That’s what zero trust means, whether it’s a network connection, and a firewall is the first and original example of zero trust. We’re gonna shut down all ports, we’re gonna open the ports we need. We do it at a software level, we do it an app, a ringfencing level, we do it at a cloud access level for things like Microsoft 365.
We’re just gonna allow trusted devices into our tenant. That’s what zero trust means. And I think for MSPs it’s a little bit scary because they’re like, “Am I gonna have loads of noise?” The reality is you have a lot less noise. You have no phishing attacks, or no successful phishing attacks. You have no malware.
You have no ransomware. You have no one sending your client a Screen Connect login when you have a zero trust platform because y- you’re now in control of the environment. You get to manage it as you should do [00:35:00]
Rich: So your your most recent product launch at ThreatLocker, one of them anyway, just a few weeks ago during your Zero Trust World Conference, was a credential theft solution.
So talk a little bit about how big an issue that is, how big a threat or a risk factor that is for MSPs and their customers and where that kind of fits into the Zero Trust vision.
Danny: Okay, so a- and it’s interesting ’cause w- i- in ThreatLocker we never go into a product development saying, “I’m going to develop something.”
And when we started ThreatLocker to begin with, we were like, “We need to stop malware. We need to stop ransomware.” And the … If we’d gone out and said let’s go and build an EDR,” that wouldn’t have solved the problem. So what we did is we went out and said, “Let’s build application control,” ’cause that’s how we stop ransomware, and the same applies here.
We had two problems to solve. One is people having their credentials stolen over and over again. And I use the word stolen, people giving their credentials away over and over [00:36:00] again. And I think this c- came very real when our sales team had given away credentials to their Office 365 that accepted a dual factor push.
They’ve authorized the device ’cause the … And we’d set it up so you can only a- access your email from devices authorized, but the user can authorize it themself. And then an attacker had gone into an account, we obviously locked it down and detected it, but at that point, someone’s already in the account.
And then to make things worse, we did a phishing test against our own engineers, and even our engineers gave away their credentials. So that was the first thing we wanted to take care of. We wanted to make sure that if you work for ThreatLocker or you’re a ThreatLocker customer, and s- one of your employees, one of your users gives away their credentials, the impact is zero to nothing.
And and what we came up with that was what we call Zero Trust Cloud Access. What that does is essentially provides an app on your phone, an app on your computer, the built-in ThreatLocker agent on your computer. Every connection is verified. We verify the application, we verify the device.
So even if I [00:37:00] was to give you my Office 365 credentials right now, my username and my password, if I was to accept that dual factor push, you would not be able to get into my account ’cause you do not have my device and you don’t have my computer, and this really stops phishing. And that was the best way we could do this.
But we also wanted to make sure it was completely seamless to the user. They weren’t interrupted, their voice wasn’t interrupted on a Teams call. So we wanted to get away from VPNs, use really secure brokers, and that’s how we ended up building s- Zero Trust Cloud Access. And the second one was Zero Trust Network Access
Erick: Yeah, I had a follow-up question on cloud, your cloud access tool, Zero Trust Cloud Access.
Yes. It’s, that’s gotta be quite a moving target, Danny, to try to protect from the myriad cloud locations and applications, and everything that everyone uses and takes for granted, and stores their passwords on their phones and just accesses everything. So what are the unique challenges that you had to overcome to provide such a [00:38:00] comprehensive security tool for your customers?
Danny: What we needed to do was find a way that with every cloud app you access, it can only be accessed through a trusted device. And th- but we also wanted to do it in a way that wasn’t gonna slow down a user. So we looked at things like, hey, I’m gonna go and create a VPN. That’s just slow. It’s gonna slow down their access.
If they can’t connect, things go really, … They can’t get on the internet on their phone and people get mad. So that was one of the biggest things we had to overcome, and the same with Zero Trust Network Access. It’s like, how do we make this faster? And I wanna give you an example, ’cause if you look at ZTNA solutions, you’ll often see they’ll use some kind of VPN client in a tunnel.
And I went off and set up a gigabit internet line direct access to a server, and I got, say, 960 megabits a second download speed from that server, and the same applies to Zero Trust Cloud Access. We then said, “Well- What if I was to route this through a VPN? So we say the only way you can get onto this Microsoft 365, Salesforce, ConnectWise, Kaseya login, all of these [00:39:00] portals, the only way you can get in is if you’re coming from this secure network.
The problem was is we are losing 60%. So if we take some of the best VPN technologies or the fastest, say, like something like Wireshark, WireGuard, sorry now we would then say my speed is now 3 or 400 megabits.” So what we did is we said, “That’s not gonna work.” So first of all, we carved out the exact protocols we needed to route.
The second thing we did is we said we’re going to use a broker wherever possible, rather than using VPN tunnels. So when I’m on my machine, I can access a file server in the office as if I’m in the office, and I was still getting 930 megabit speeds versus 300 megabit on a VPN. So that was probably one of the biggest things, and we actually ended up throwing multiple revisions of this project away because I’ve said, “No, the user experience isn’t good enough.
The user experience isn’t good enough. It’s slow, it’s miserable.” Now what I have on my phone, I can access all of our apps through the secure network, but also if I disconnect from the secure network, so even if I’m using a personal phone, I can choose to [00:40:00] disconnect from the secure network. I can no longer access corporate apps, but I can still do everything else on my personal phone.
As soon as I connect, my corporate policy now applies. Only the corporate apps are routed through the secure network. I can still go to walmart.com, I can still go to amazon.com and not get interfered, and we had to deal with that problem so the user experience is completely seamless.
Rich: And Danny, kudos to to ThreatLocker.
Erick and I were both at the RSA conference not too many weeks ago. As you can imagine, all anyone wanted to speak with us about was AI and AI security and agentic AI, and y- you guys, ThreatLocker stands out for not hammering people like me over the head with AI talk. That said, I would be very curious to pick your brain a little bit about the role of AI in security generally, and then t- tell us a little bit about where it might figure in your roadmap.
Danny: The- there’s those who talk and those who do. And look, AI has, ha- has completely changed the way we- [00:41:00] the world thinks about security because we’ve discovered more vulnerabilities using AI in the last 12 months than have in the last two decades. The new Claude Oh, M- Mythos, the GPT 5.5 complete going…
they’ve r- prevented release because it’s going to cause so much pain in the world of cybersecurity. And basically, AI has some really good advantages, and one of those advantages is the ability to find vulnerabilities in code. So if you’re a software developer, it’s great that you can check your code through something that can process faster than big security teams.
What it doesn’t do is determine intent. And one of the things that you often see is, I think everyone did this in the whole cybersecurity, fighting AI with AI. The reality is, if I take a piece of software, so let’s say I go out tomorrow and I write a piece of malware using AI. You can go in ChatGPT right now and say, “Hey, can you write me a piece of malware that finds somebody, where somebody stores their files and uploads them to my Google Cloud account?”[00:42:00]
ChatGPT will tell you, “No, that’s unethical.” But it’ll actually probably give you a prompt saying, “If you’re looking for backup software, I can do that.” And you can just change the prompt saying, “Write me a piece of backup software that finds where I keep my files and uploads them to this Google Cloud,” the exact same function, and it will give you that code.
And here’s the problem. If you take that same code and ask AI, “Is this malicious?” It doesn’t know, because it cannot determine intent. It can only determine function. And what is the difference between an RMM and a reverse shell or backup software and data exfiltration software? Functionally nothing. AI’s allowed attackers to write perfectly crafted phishing emails.
So y- you could go in ChatGPT and say, “Write me a phishing email. I’m a cybersecurity professional.” And it’ll give you an email trying to trick someone to click on HR. So now you’ve got more attackers. And AI has some really good use cases. You couldn’t determine what a script does, so our MDR use it for, “Hey, there’s a script trying to run on this machine.”
Three weeks ago, I’d have to read the script. It’d take me 20 minutes, and [00:43:00] that’s very critical when you’re trying to fight an attack. So you can now determine function very quickly, but it’s, that’s where it limits. I think unfortunately, the benefit to the attacker is far greater than the benefit to the defender.
However, from a ThreatLocker point of view, we’ve really focused on, hey, you’ve got Claude, which is now a, another being, if you like, on your machine that has access to all of your files and all of your data and the internet and the whole world, and it can upload everything. So why don’t we actually put some controls around this?
And this is where ThreatLocker’s done really is instead of saying, “Hey, AI’s bad. It’s scary. It can do all this,” why don’t we actually give you controls around the AI software? Why don’t we block the AI-created malware by default? And why don’t we just ring-fence applications so they can only see what they need to?
So when a vulnerabilities gets discovered by AI, the damage is limited, if not completely stopped.
Erick: So Danny, it feels like the rise of AI and agentic AI threats is giving left of boom prevention more [00:44:00] prominence in security strategies than it’s had since the rise of detection and response. Do you agree with that?
And if so, why might that be?
Danny: Look, the … and I think what AI has done i- is it- it’s changed us from having to defend a- against a small group of attackers. So think five years ago, three years ago even if you wanted to write successful malware, you had to be relatively smart. You couldn’t just, m- you couldn’t go out and write p- code.
A- anyone in the world couldn’t do that. There’s a few million people in the world that could write successful malware, and then that malware would get used for a certain amount of time, and then it would get added into a database as bad. And that world existed, and people made money in that world.
AI has changed that, so now anyone can write malware, anyone with a computer. So we’ve gone from a couple of million people to six plus billion people that have the ability to create malware. The problem has always been important to address through left of boom. It’s always been, let’s put locks on our door.
Let’s stop untrusted software. Let’s ring-fence [00:45:00] application. Let’s take away permissions. Let’s verify devices before we allow access to email. They’ve always been the solutions. The problem is now we’re no longer fighting two million people, we’re fighting six billion people that have access to a computer, and the speed in which malware can be created and attacks can be launched is unbelievable.
We saw one of the biggest medical companies in the world get shut down by someone in the damn desert in Iran. That’s … Okay, they probably weren’t in the desert, but 99% of the country’s internet was shut down at the time, and they still managed to take down one of the world’s biggest medical companies, and that’s what we’re dealing with now.
Whereas, before, Russia scared me because they have some really smart developers in Russia. Now you don’t need to be a smart developer. You can just get a computer, and you can create cyberattacks, and that makes left of boom much more important. I think it was always important, but much more critical and likely to be attacked if you don’t deal with it left of boom.
Whereas maybe three years ago, your probability of being attacked in the next five years was 10 to 15%. Now it’s more like 40 to 50%. [00:46:00]
Rich: Yeah. And, and you touched on Anthropic’s Mythos Preview model. You’re talking about the scale and the speed of the threat landscape out there right now.
So I’d love it if you could dive a little bit deeper into the implications of AI in terms of finding vulnerabilities and the impact that’s gonna have on MSPs and end users. B- beyond the context of ThreatLocker and zero trust, just w- what do you see coming for us thanks to models like Mythos Preview?
Danny: Okay. Let’s start with the positive stuff. Let’s face it, the MSP industry hasn’t been great at writing vulnerability-free software. We’ve had too many cyber attacks because of code bugs and that’s because MSP companies are typically created and started by MSPs that aren’t necessarily security developers.
So if we look through history I, and I won’t say any names, but if you think about the big RMMs, we’ve all seen them get hit. The screen connection software, we’ve all seen it get hit. So on the positive side, [00:47:00] these developers now have toolkits that will help them write better code, and that’s the good news.
The bad news is there’s 50,000 pieces of software out there that’s never been properly written that now can be thrown at a model, and it can tell us all the vulnerabilities. Which, so from MSP point of view, you now have to defend against all those attacks right down to the sound driver or the the encryption software or the zip software or the webcam software.
All of these are potential entry points into your customer’s network, and you have to figure out how to defend against them when a lot of these companies aren’t going to go and do their code reviews and patch their softwares as quick as attackers are going to look at it. On the pos- another positive side, this is huge opportunity.
You cannot go onto a major website right now, a major news source, without hearing about Mythos or GPT 5.5 or the world is going to end because of these cybersecurity concerns. Your customers are reading this. You can present this to your customers. You can come in and say, [00:48:00] “Look, we are here to defend you.
The world’s changed. We’re no longer fighting some guy called Vladimir in Russia, we’re fighting the Terminator. And we need to step up our game, and we need to come in and increase your security and put proper controls in place while allowing you to adopt AI and be secure.” And customers are willing to
They’re not stupid. They can read the news, are more likely to create opportunity for MSPs. You guys are in the best opportunity right now because people need solutions, and as long as you present them correctly you’re the people that can come in the knights in shining armor and say, “Okay, we wanna help you implement AI, but we also wanna make sure that you don’t get your ass handed to you by a machine.”
Erick: Danny, I appreciate you putting a positive spin on the threat and the fear that’s going on out there. So is ZTNA the magic bullet? What are the most important steps that MSPs should be thinking about implementing right now [00:49:00] today?
Danny: Okay. So I will tell you, and we’ve got 12 items on our SKU list right now, but I’m gonna tell you the most important things you could do.
First thing is still block untrusted software. If you do not need something, do not let it run, and ring-fence the applications that can run so they can’t see more. That is the biggest thing you can do to stop mi- the Mythos risks and just malware in general. Okay. The second thing is, a- and I’m…
is gonna be focus on your network. And ZTNA might not even be relevant. So Zero Trust Network Access provides, allows you to take away a VPN and give secure network access to your customer’s networks. In most MSPs, 70, 80% of your customers aren’t, don’t have servers on their network. So ZTNA may not be something that you even need to consider, but if you are publishing remote desktop servers or QuickBooks servers or file shares, ZTNA is one of the things you should be looking at.
Zero Trust Cloud Access, SASE solutions, basically saying, “I’m gonna lock down my O- Office 365 account so only these IPs can log in. I’m gonna lock down my ConnectWise or my Kaseya account so only these IPs can log in.” And [00:50:00] securing access to validate devices is really important. So I think that’s probably more important.
So I think in terms of the things you should do first of all, block untrusted software, ring-fence applications, and the next thing to do is make sure on your network, if you do have a network, there’s no open ports. So if it’s a local network you don’t need to use ZTNA, but using some kind of dynamic ACLs on your network, validating devices, even locally, really important.
But if you’re hosting externally, ZTNA. But Zero Trust Cloud Access is probably gonna affect more MSPs because I don’t know if there’s a single MSP that hasn’t had a customer call them and say, “Hey, I got phished. Someone’s in my mailbox forwarding all my email.” They’re the most important things. Now all of the other stuff, that’s the icing on top of the cake.
But like ITDR, EDR, MDR, all of that, great stuff to have, but focus on those security controls first, because that’s what’s actually gonna stop the attack. The other stuff’s gonna tell you that someone’s actually in your system.
Rich: Okay. Danny, this has been [00:51:00] great. I appreciate you taking some time out to join us here on the show.
For folks in our audience who wanna learn more about ThreatLocker, wanna get in touch with you, wanna learn more about some of the new capabilities and products we’ve been talking about, where should they go?
Danny: G- go to ThreatLocker.com. If you’re already a customer, you can reach out to your account manager.
Even if you wanna book a new demo, you can go to our website, just schedule a demo. We’ll sit through an hour, show you everything, set you up on a trial, and show you how cool this stuff really is and how it really is gonna stop these cyber attacks.
Rich: All right. Danny Jenkins, CEO of ThreatLocker, thank you for joining us on MSP Chat.
Folks Erick and I are gonna take a quick break now. When we come back on the other side, we’re gonna share some thoughts, final thoughts about this interesting conversation with Danny. We’re gonna have a little fun. We’re gonna wrap up the show. Stick around, we’ll be right back.
And welcome back to part three of this episode of the MSP Chat Podcast. One last thank you to Danny Jenkins [00:52:00] from ThreatLocker for taking some time for us and guiding us through a very interesting, informed conversation about multiple dimensions of what’s happening in security right now. All sorts of different things that we could potentially dive in there on Erick.
The the thing I’m gonna call out … I guess two things first of all. The first was just the confirmation from Danny that AI makes left of boom security even more re- You know, there, there has been, and we’ve talked about this before on the show, there’s been such a focus on right of boom detection and response but it’s harder and harder to detect what AI is doing from a malicious standpoint.
So prevention actually becomes more important in the AI era. And to get, the, his thoughts on that, the confirmation from a ThreatLocker point of view that prevention and therefore zero trust really are even more relevant than they were before from a security standpoint right now I thought was interesting.
One other thing, and this I’m not spilling any beans here, but this is just something you and I chatted about with Danny after the interview. [00:53:00] I forget how it came up, but we, Mythos, the anthropic model and it obviously poses enormous security risk. That came up and and Danny was kinda talking about how that is going to be a essentially a sales and marketing opportunity for MSPs who are savvy enough about it.
The words I jotted down after we disconnected with him was him saying, “There will be winners.” C- companies that don’t, engage in fear-mongering but really sit down with their customers to kinda help them understand how the already very dangerous threat landscape is going to get more and more dangerous and why going forward and really help them understand why they need to invest in left of boom and zero trust.
Mythos provides an opportunity to to ha- convince customers who you’ve had trouble convincing to invest in security in the past, because Mythos is all over the news. At that Vean conference I attended, I was speaking with one of their executives and I brought up Mythos at some point and he just grinned a little bit and said, “That comes up [00:54:00] in every end user conversation I have th- these days.”
So people are reading about it. They don’t quite understand it. You can use that as an opportunity to help them be safer.
Erick: Yeah. And l- like you, Rich I came away from the conversation really understanding more at a deeper level, the more that we focus on the left of boom, the better off we’ll be because then there should be less right of boom activity, right?
After breaches happen and things like that. And, just a couple of tips that he shared around MSPs awareness and, working more towards a zero trust philosophy with their clients and, establishing some of the basic fundamental stuff, to protect their clients, the MFA and things like that, that everybody’s always, touting.
But, y- I think I even, fessed up. I’m like, “Yeah, I haven’t done MFA on everything yet, but I’m getting there. I’m getting there.”
Rich: Folks, that leaves us with time for just one last thing, and this one comes to us from the land down under, [00:55:00] Australia. And, we all I’m guessing 100% of our audience either regularly purchases bagged lettuce or has done so at some point in the past.
I know I make that purchase pretty regularly. And so we’re all familiar with the wording on the front of the package there, triple wash. Here’s an instance of a triple washed bag of of lettuce that somebody acquired in Australia that may not have been adequately wa- washed because the the person a farmer in Australia who acquired this bag of lettuce found not a dead frog in the bag Erick, but a live frog in the bag of lettuce.
And I guess the good news there is the lettuce has been triple washed and so has the frog, so it is, it’s a clean frog. That said my, my goal when I buy a bag of lettuce is really to just come away from it with a bag of lettuce. I don’t need a pet.
Erick: I know. And and we’ll link to that article because there’s a video that shows the guy holding up [00:56:00] his sealed bag of lettuce with a cute little frog in there crawling around but yeah, I think a little bit of a surprise for everybody and I don’t recommend mixing frog and lettuce in your mix
Rich: And as you pointed out off the air, the bad news for the frog it was trapped in a bag of lettuce.
The good news is it had something to eat … And it got freed, so the story has a hap- happy ending, folks. And that’s also our happy ending for this episode of MSP Chat. We thank you for joining us. We will see you in a week’s time. Until then, I will simply remind you as I always do, this is both a video and an audio podcast, which means that if you are listening to us right now but you’d like to check us out on video, you can go to YouTube.
You’re gonna find us there. If you are watching us but you’re into audio podcasts, go to Spotify, Google, Apple, wherever it is you get your audio podcasts, you will also find us there. And wherever it is you find us, please subscribe, rate, review. It’s gonna help other people find and enjoy the show just like you do.
This show is produced by the great Riley Simpson, part of the team with us here at [00:57:00] Channel Mastered, where we help vendors build, grow, optimize thriving MSP channels. You can learn more about the end-to-end suite of services we offer along those lines at www.channelmastered.com. Channel Mastered has a sister organization called MSP Mastered.
That’s Erick and his team working with MSPs to help them grow and optimize their business. You can learn more about that at www.mspmastered.com. So once again, thank you for joining us. We’ll see you in a week. Until then, I will remind you, this thing that we always tell you at the end of the show, you simply can’t spell channel without
[00:58:00] MSP.
Check out more episodes
