InfoSec Start-up Advising and Product Recommendations

As a long-time InfoSec veteran and entrepreneur, I’m often asked by company founders to join their advisory board and lend a hand. Sometimes the founders need someone with experience they can trust to bounce ideas off of, provide guidance on how to scale their business, point out the many pitfalls to avoid, make key introductions, and so on. I’ve been in this advisor role for many years, as well as mentoring more than fifty young businesses over the last five years alone through a startup incubator. Making this contribution has been highly rewarding, both personally and professionally. It leverages the many successes and mistakes I’ve made in my career to help others. Advising and mentoring is something I plan to continue doing for the foreseeable future. The only downside is that due to time constraints, I have to be extremely selective. 

When I come across a hot new start-up, I fully research the company, try out the product, research their target market, meet the management team, speak with a handful of customers, and if I have something useful to offer, only then do I feel comfortable enough to get involved. Oh, another requirement is that none should be competitive with one another. Because I do my homework and have a deep understanding of the information security industry, I’m often asked by colleagues what companies I’d recommend in a particular space or a product to solve a particular enterprise problem. For those interested, below is where I’ve placed my bets and what I’m recommending.

Full Disclosure: I’ve a financial interest in most of these companies below, but not all of them. And if I don’t have a stake, it doesn’t mean I won’t recommend them — I can be just as impressed otherwise. I’ve also indicated where I serve in an official advisory capacity.


Anti-Bot

FunCAPTCHA (Advisory Board)
“FunCaptcha is the fastest and most effective way to protect your website from spam and abuse. We stop billions of spammers every year for clever brands that monetize their registrations and content.”


Anti-Virus / Endpoint Protection (Enterprise)


SentinelOne (Employed)
“SentinelOne unifies endpoint threat prevention, detection and response in a single platform driven by sophisticated machine learning and intelligent automation. With SentinelOne, organizations can detect malicious behavior across multiple vectors, rapidly eliminate threats with fully-automated, integrated response capabilities, and adapt their defenses against the most advanced cyber attacks.”


Bug Bounty / Security Crowd-Sourcing

Bugcrowd (Advisory Board)
“The pioneer and innovator in crowdsourced security testing for the enterprise, Bugcrowd harnesses the power of tens of thousands of security researchers to surface critical software vulnerabilities and level the playing field in cybersecurity. Bugcrowd also provides a range of responsible disclosure and managed service options that allow companies to commission a customized security testing program that fits their specific requirements. Bugcrowd’s proprietary vulnerability disclosure platform is deployed by Tesla, Pinterest, Western Union, Fitbit and many others.”


Website Vulnerability Assessment 

“WhiteHat Security is the leading provider of website risk management solutions. Sentinel, WhiteHat’s flagship product, is the most accurate, complete and cost-effective website vulnerability management solution available. It delivers the flexibility, simplicity and manageability that organizations need to take control of website security and prevent Web attacks. WhiteHat Sentinel is built on a Software-as-a-Service (SaaS) platform designed from the ground up to scale massively, support the largest enterprises and offer the most compelling business efficiencies, lowering your overall cost of ownership.”


Security Risk and Vulnerability Intelligence

Kenna Security (Advisory Board)
“Kenna is a software-as-a-service Risk and Vulnerability Intelligence platform that accurately measures risk and prioritizes remediation efforts before an attacker can exploit an organization’s weaknesses. Kenna automates the correlation of vulnerability data, threat data, and 0-day data, analyzing security vulnerabilities against active Internet breaches so that InfoSec teams can prioritize remediations and report on their overall risk posture.”


Security-in-the-SDLC / Security Requirements 

SD Elements (Advisory Board)
“SD Elements automates software security requirements based on your project’s technology, business and compliance drivers. SD Elements eliminates security vulnerabilities in the most cost effective way, before scanning begins.”



AppSec Vulnerability Remediation

“AsTech Consulting is a security consulting company which helps clients understand their risks and what to do about them. As independent security specialists, we employ very experienced security professionals, more than half of which have over 15 years of relevant experience.”


Runtime Application Self-Protection (RASP)

“Prevoty provides a new RASP (runtime application self-protection) capability, enabling applications to protect themselves. Unlike traditional security approaches that try to defend against hackers at the network layer, Prevoty works inside the application itself and the analysis engine is smart enough to actively prevent anything malicious from executing.”


Browser Security & Privacy

“We have a mission to save the web by increasing browsing speed and safety for users, while growing ad revenue share for content creators.”

Hack Yourself First: Jeremiah Grossman



What keeps me in the security industry

It’s common for long-time information experts like myself to be asked what keeps us in the security industry. Some say it’s a good stable job that nicely pays the bills. Others find the work interesting and enjoy the constant intellectual challenge. Some like the people, the community, the culture, and exchange of ideas. Of course for many, it’s some combination of all these things. For myself, while each of the above plays a part, I must admit those haven’t been my core reasons to stay on for a long time now.
Like I’ve said many times in the past, the Internet is the single greatest invention we’re likely to witness in our lifetime. The Internet is a place that now connects over 2 billion people. The Internet is how we communicate and keep up with friends and family. It’s where we shop. It’s how we learn about ourselves and the world. It’s where we bank and pay bills. It’s what entertains us and how we get from place to place. It’s how we better ourselves. Entire economies are now dependent on the Internet. If you think about it, we’re often more open and honest about our most intimate secrets with the Google search box than any of our closest confidants. There is not a single person among us, or perhaps anyone we know, that won’t be online today. Something this important, this vital to the world and to humanity, must be protected. The Internet.
The time each of us has in this life is limited and far too short. Every day is a gift. And in that time few people ever get an opportunity to be a part of something greater than themselves. A chance to make an impact and to do something that truly matters. Internet security matters. So for me, to play even a small part in helping to protect the Internet and the billions of people connected feels like a good way to spend one’s lifetime. That’s why I’m still here.
In the immortal words of Dan Geer, “There is never enough time. Thank you for yours.”

I’m joining the fight against malware and ransomware with SentinelOne

Today is a big day for me. I’m contributing to a company called SentinelOne, but I really don’t think of it as a job. I’ve accepted an opportunity to work side by side with other brilliant and highly motivated people where we’re all helping to solve important and challenging InfoSec problems. In this case, malware and ransomware. You see, more than anything, I want to make a positive impact on InfoSec. As I’ve said many times, we who work InfoSec are responsible for protecting the greatest invention we’ll see in our lifetime — the Web, the Internet, and the billions of people using it every day. That’s our mission, our calling. As such, I’ve always kept an evolving list of our industry’s biggest challenges, which I include in most of my slide decks.


  1. Intersection of security guarantees and cyber-insurance
  2. Explosion of Ransomware
  3. Vulnerability remediation
  4. Industry skill shortage
  5. Measuring the impact of SDLC security controls

The only problem on the list I haven’t gotten the chance to work on is ransomware, an incredibly effective and fast-growing form of malware that’s taking over. I’ve long railed hard about the crap antivirus products on the market and the billions of dollars people and companies spend annually to effectively make themselves less secure. Yes, that’s right, I said LESS secure. The FBI recently published that ransomware victims paid out $209 million in Q1 2016 compared to $24 million for ALL of 2015. Some non-trivial percentage of those ransom dollars will be used for R&D, so the smart money says ransomware will quickly get even more sophisticated and out of hand. And to that point, in recent and well publicized news, ransomware is also responsible for disrupting the care of patients in a few hospitals. This can’t be allowed — lives are at risk!

In my life after WhiteHat, I looked at a ton of companies and interesting opportunities where I could lend a helping hand, of which there was no shortage. My inbox was crushed with many worthy projects, but I knew I had to choose wisely. Then out pops a company with some super cool tech and few have heard of them, SentinelOne. SentinelOne is right smack in the middle of the malware/ransomware war, which Gartner calls next-generation endpoint protection (NG EPP). I met with the founders, the team, all super cool and passionate people. A real gem of a start-up. I felt strongly that I needed to join this fight. Plus, I’ll be working on some exciting stuff behind the scenes that I can’t wait to share with the world. Good things take time, so please, standby!


Life is Better without Username Reuse (email aliases FTW!)

Facebook, LinkedIn, Amazon, PayPal, Yahoo, Google. We keep accounts with many of these websites. They and many others use email addresses as the first half of the classic username and password combo. They do this because email addresses are unique and double as a reasonably secure communication channel with the user. And of course we often sign up for things online to receive information by entering our email address. All this email address sharing, while technically there is nothing wrong with it, unfortunately causes several highly annoying problems. These problems can be solved, or at least made far easier to deal with, by leveraging email address aliases. An email alias is where you create one or more email addresses that all send to the same account, vaguely similar to desktop folder shortcuts.

With email address sharing / username reuse, by far the biggest problem we run into is spam. And the more we share and reuse our email addresses across systems, the bigger the spam problem becomes. Sometimes websites sell our email addresses. Other times they share them with third-party business partners, and from time to time they get leaked in a data breach. Whatever the case, once an email address is out there, it’s out there. No taking it back and no amount of mailing list opting out will help. I know. I’ve tried.

There are other problems too. Anyone who knows your email address can easily determine what systems you’re using (i.e. “This email address is already registered.”). This issue is not only a privacy issue, but a potential security issue as it makes it easier to target your account via brute force, phishing, password recovery hacks, etc. And of course when you have several online accounts, you’re constantly notified via email, which explodes your inbox. Creating rules in your email app using strings in the subject or content body helps, but doing so isn’t easy and never comprehensive. When all these problems are tied to your email address, there is no escape. You can’t easily kill or change your main email address because all your friends, family, and business contacts use it too.

My solution to these problems, which has been working great, is by using email address aliases based on a custom domain name. For example, my personal domain is jeremiahgrossman.com. So as an example, I create a new email alias that’s just for Facebook, like fb@jeremiahgrossman.com. Or on Paypal it would be pp@jeremiahgrossman. You can technically use any email alias for this purpose, even a random one. When email is sent to these aliases they automatically forward to my main email address. I never reuse these email address aliases for anything other than their intended use, and never use my main email address to register for anything if I can help it.

It does cost a few bucks to pay for a domain name and email hosting, but it ain’t much these days and the value is WAY worth it. When things are set up this way, I can be reasonably sure that any email to these aliases, that is supposedly from them, is legit and not a phishing scam because no one else knows the email address / username I used. And since the particular website is only using the email address alias I gave them, inbox rules are way easier.

Then if the email address is leaked, gets spammed out, or whatever, I can just kill it off, create another, and change the account email address / username. The up front work is a little tedious, but again, worth it. And the best part, when you have your own domain name, email aliases are essentially free — I’ve about 100 now. And there is no reason you can’t use any old crap domain name either.

Good luck!
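The per-site alias scheme described in this post, as an added worked example (not code from the original post): a small registry that issues one alias per service on a personal domain, routes incoming mail by the alias it was sent to, flags mail arriving at an alias from anyone other than the service it was issued to (a leaked alias or a phishing attempt), and retires a burned alias in favour of a fresh random one. The domain example.com, the alias labels, the expected sender domains and the sample messages are all constructed for the example.

```python
"""Per-service email alias registry (added example, not from the post).

One alias per website on a personal domain, all forwarding to one real
mailbox. Because each alias was handed to exactly one service, the alias
an email arrives at tells you who should be sending it; anyone else means
the alias was shared, leaked or is being used for phishing. The domain,
labels, sender domains and messages below are constructed sample data.
"""
import secrets
from dataclasses import dataclass, field
from email.utils import parseaddr


@dataclass
class Alias:
    local_part: str        # e.g. "fb"
    service: str           # the single site this alias was given to
    sender_domains: set    # domains that service legitimately mails from
    active: bool = True


@dataclass
class AliasRegistry:
    domain: str            # personal domain the aliases live on
    forward_to: str        # real mailbox every active alias forwards to
    aliases: dict = field(default_factory=dict)

    def issue(self, local_part, service, sender_domains):
        """Register one alias for exactly one service; labels are never reused."""
        key = local_part.lower()
        if key in self.aliases:
            raise ValueError(f"alias {key} was already issued; pick a new one")
        self.aliases[key] = Alias(key, service, {d.lower() for d in sender_domains})
        return f"{key}@{self.domain}"

    def retire(self, local_part):
        """Kill off a leaked alias and issue a replacement with a random label."""
        old = self.aliases[local_part.lower()]
        old.active = False
        new_label = f"{old.service.lower()}-{secrets.token_hex(3)}"
        return self.issue(new_label, old.service, old.sender_domains)

    def route(self, to_header, from_header):
        """Classify an incoming message by the alias it was addressed to.

        Returns (verdict, service, forward_address) where verdict is
        'deliver' (active alias, sender belongs to its service),
        'suspect' (active alias, sender is someone else: leak or phish) or
        'reject'  (alias retired, never issued, or not on our domain).
        """
        rcpt = parseaddr(to_header)[1].lower()
        sender = parseaddr(from_header)[1].lower()
        rcpt_local, _, rcpt_domain = rcpt.rpartition("@")
        alias = self.aliases.get(rcpt_local)
        if rcpt_domain != self.domain.lower() or alias is None or not alias.active:
            return ("reject", None, None)
        sender_domain = sender.rpartition("@")[2]
        # exact registered domain or a subdomain of it; lookalike domains fail
        ok = any(sender_domain == d or sender_domain.endswith("." + d)
                 for d in alias.sender_domains)
        return ("deliver" if ok else "suspect", alias.service, self.forward_to)


def folder_rule(verdict, service):
    """Inbox rule keyed on the alias, not on subject or body strings."""
    if verdict == "deliver":
        return f"Services/{service}"
    if verdict == "suspect":
        return "Quarantine/Leaked-alias"
    return None


def triage(registry, messages):
    """Return (verdict, folder) for each (To, From) header pair."""
    results = []
    for to_hdr, from_hdr in messages:
        verdict, service, _ = registry.route(to_hdr, from_hdr)
        results.append((verdict, folder_rule(verdict, service)))
    return results


# Constructed sample data: one alias per site, three incoming messages.
registry = AliasRegistry(domain="example.com", forward_to="me@example.com")
FB_ALIAS = registry.issue("fb", "Facebook", {"facebookmail.com"})
PP_ALIAS = registry.issue("pp", "PayPal", {"paypal.com"})
SAMPLE_MESSAGES = [
    (FB_ALIAS, "notification@facebookmail.com"),      # legit
    (PP_ALIAS, "security@paypal.com.attacker.test"),  # lookalike domain
    (PP_ALIAS, "deals@bulk-mailer.test"),             # alias has leaked
]

if __name__ == "__main__":
    for (to_hdr, from_hdr), (verdict, folder) in zip(SAMPLE_MESSAGES, triage(registry, SAMPLE_MESSAGES)):
        print(f"{to_hdr:16} from {from_hdr:32} -> {verdict:8} {folder}")
```

The verdict is decided purely by which alias the mail landed on, which is what makes the folder rules simpler than subject-string matching and makes a retired alias an immediate, complete cut-off.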

