Ep.4 - The Only Difference Between A Startup And A Scaleup Is Liquidation Preference [Startups]


In this episode, Holly describes how it's possible to accidentally found a company and Morgan explains how that sounds awful and she'll probably never do it.


Transcription


Holly:0:00

I've got Excel open and I daren't close it.

Morgan:0:03

Why?

Holly:0:04

I've got a file open in Excel I haven't saved.

Morgan:0:08

Is it a file that's propping up the entire UK financial system?

Holly:0:14

Just my very small part of it .

Morgan:0:17

What's a startup, Holly? Actually give us the general definition and then tell us why it's wrong.

Holly:0:24

It depends who you're talking to-, and in what context, a lot of people use the term startup just to mean any new company. I find that quite frustrating because generally I think people want to talk about Silicon Valley startups, scale ups , unicorns, and those kinds of things, but then will apply the same term to just any company that is new and new could vary as well. And I think what I think of as a startup is probably different to what a lot of people think of a startup . But yeah, I can give you just a good example of how naming the stage that a company is at in their journey can be quite difficult. So what types of, you know , metrics do we have to measure where a company is at in their journey? The first could be number of employees. Second could be , uh , revenue. Another could be the series of investment that they're on, just their age in years. And the difficulty there is, depending on which company you're talking about could have wildly different things in those metrics. For example, when Instagram sold to Facebook, they only had 13 employees. That company was worth a billion dollars . So depending on what metric you're using, it's like, it doesn't necessarily match very well. And like I said , some people will just apply the word startup to any new company. So you could have something like a small accountancy firm or something that's probably never gonna exceed five or 10 employees, no matter how old it gets. 20 years in, and it's still only got a handful of employees. And yet people would use the same word to describe that as they would to describe something like Instagram at the point in which it sold.

Morgan:1:51

Okay. And I guess that's why you disagree with that definition? Or is it because you take issue with the fact that it's too blanket, too broad?

Holly:1:59

I just don't like the word, it's too widely applied and therefore becomes meaningless. When you say startup company, then people are applying the word startup to literally every company you may as well, just not use that term. You just as well say company. So we should have some better term to describe the different categories of companies and the different stages that those companies are in their journey.

Morgan:2:20

Sure. Okay. So from that perspective, then when do you no longer consider something a startup ? Is there a certain size that a company gets to a certain net worth or perceived value? A round of funding?

Holly:2:35

I don't actually, use the term startup . The question of, at what point does a startup stop being a startup to me and- some of these terms are really difficult and it , and it really depends on context for the organization. If you were to try and define what a startup is, you're gonna come across a range of companies that are very, very different. You could use startup to just mean any new company, say less than three years of trading, but you'd be talking about something very different. If you're talking about a venture backed company and that term startup could be applied to both. But typically when people think startup kind of like the romanticized ideal of a startup is a venture backed company. I would use the term scale up to those companies to distinguish between that the company that's scaling through venture, but then you get into the difficulty of, okay, now we're bumping into different terminology. 'Cause we could be talking about venture capital. We could be talking about angel investment. We could be talking about bootstrapped companies. Would you ever start a company?

Morgan:3:36

Um, no I like myself.

Holly:3:40

Wow.

Morgan:3:40

I've, I've seen you do it, and it looks horrible. Not only that- oh my God I shouldn't say all of these things because then if I decide to start my own company, I've kind of screwed it from the beginning. I think you need to ask me that question again and we need to restart 'cause I don't want people to, to listen to this just in case I do start my own company. When I have a midlife crisis.

Holly:3:58

I am definitely on the record as saying I will never start a company probably about 30 minutes before I was like, oh , might start a company. Morgan, have you ever considered starting your own company?

Morgan:4:11

Mmmm, no. Thank you for asking. Okay. And you run a start up . Does that annoy you? That I , that I call it a startup ?

Holly:4:26

No, no, it doesn't annoy me at all. Like I say , it's a meaningless word, so.

Morgan:4:32

Okay. So tell me about yours then- your company.

Holly:4:36

So I run a company. Years ago I think I would've been quite vocal in saying that well I'll never start a company. I'll never own my own company in the traditional sense. And then very quickly after that begun plans to build a company and build a software product. Uh , so, so I own a company and we have built a software product that does vulnerability management. So we look for , uh , vulnerabilities in systems and present those to , to customers in, in interesting ways. Where this came from is my experience working cyber security and, and working as a penetration tester and finding that an awful lot of how companies handle vulnerability information is just really terrible. So using software to solve some of those problems. There's a funny thing that you could say , uh , to some degree, one of our biggest competitors is Excel. There's a large number of companies out there who store all of their vulnerability information in Excel. A lot of companies store it in generic ticket management systems. So , so things like JIRA and while those work, they're not, they're not tailored to the problem space . So you , you could get by, but they're not necessarily gonna have some of the features that you'd want.

Morgan:5:45

And so what kind of features do you offer then that those generic ticket management systems and Excel don't have?

Holly:5:52

The problem in some part stems from this traditional way of doing security testing where , uh , there's a lot of pentesting companies out there that still will do a security test for you, write a report, submit that report to you as a PDF. You know, so it's a , a document created with something like Word and then, then converted into a PDF. And what that company then wants to do with that information is PDF is just like the worst possible tool to supply that to them. Companies might want to do things like , uh , assign specific vulnerabilities to different members of the organization. They might want to mark vulnerabilities or tag vulnerabilities with , with certain , uh , information. For example, they might want to accept a vulnerability, but not just perpetually. They might want to say, today we accept this vulnerability, but that should be reviewed in three months or something like that. They might want to share that information with third parties. They might want to aggregate that information. So maybe you've got three years worth of pentesting and you want to be able to compare that data in some way, or maybe they just want to be able to handle that data in such a way that they can process it or convert it. PDFs aren't great for processing, converting, tagging , marking, assigning. So our platform is- in part that's one- one of the features that it has is to make just handling that information a lot, a lot easier from our point of view, the idea would be it's just an all in one system, you would just use that, that platform, but it's our software, it's our IP . We can extend it in anywhere that we want to. And um , yeah , there's no reason why we couldn't integrate with anything that has an API . And of course we also have an API . So if somebody, you know , doesn't wanna use our front end, but wants to just push and pull data from it, then that works too . An example of that could be if we are doing a security test for a company, so say companies come to us for just a traditional pentest and we're supplying information to them through the vulnerability management platform, but that's not the end state for them. Maybe they're a real big fan of JIRA . Uh , they can just pull it out or out of the VMP and then push it into wherever they would prefer it. They could push it into an Excel spreadsheet if they were really enamored with that tool.

Morgan:7:46

I feel like we spend so much time on this podcast talking about Excel, we should probably rename it. So you worked in pentesting then- security consultancy, and this problem annoyed you so much as a consultant that you decided to design a solution for it. 'Cause I work on the , the other side of this problem where I'm constantly kind of consuming pentest reports and vulnerabilities and using the sorts of processes that you described, spreadsheet based tools and ticket management systems and so on.

Holly:8:15

It's not uncommon for companies to be started because somebody feels pain in a process. So they make a solution to that. And then that grows out into a company. And the truth is the , the way that I interact with our software and the way that our testing team interacts with our software is , is different to how a lot of our customers do. It solves , uh , different problems for different people. But yeah, delivering penetration testing is painful in a couple of places. A really good example of this would be if I find a , a critical vulnerability in a system, I want to be able to very quickly communicate that vulnerability to a customer. A lot of companies aren't set up in such a way that you have asynchronous secure communications with third parties. There's a lot of pentest companies that will resort to doing things like saving the data in a zip file and encrypting it with a password and then texting the password to the user and emailing them the , the file. Um ,

Morgan:9:04

<Laughs> I've never, I've never experienced that. I don't know what you're talking about. Yeah , no, absolutely not.

Holly:9:09

Yeah. So, so , um, there's, there's a , there's a couple of different problems. The , the first I is, I probably want to able to report information to a customer asynchronously. I might want to be able to drip feed them. I think I've found of vulnerability. I've confirmed the vulnerability, it allows me access to this. I can pivot on this to gain access to that, and kind of tell a story about this vulnerability. I also want to be able to share that information with them securely and having to call 'em up is gonna be a pain because if I'm talking to them over a phone , the information might be too technically dense to just effectively give it to them over the phone. Or it might be the case that my primary contact then needs to hand that onto somebody else. So they acknowledge it's a vulnerability, it's something they want to handle, but maybe they need to get a dev on the phone or a sysadmin or something like that. And then you find yourself repeating and going back over everything you've just spoken about. So what , what we can do with the , with the VMP is as I start- discover a vulnerability and start triaging . It's still adding that information, evidence that can go straight into the platform. And then when I want to tell the customer about it, there's a few different ways we can handle that, but the platform can notify the customer automatically a vulnerability above a certain rating has been found, or I can send them a message or send them an in-app notification or can call 'em up and say, hey, check the platform. And they've got everything that they need to understand that without having to worry about me, texting them a password to an encrypted zip file or something, and if they then need to hand that on to somebody else, or if they need to discuss it internally, they can assign it to a team member or they can add notes. They can have a discussion within the application itself. So it really saves for that kind of , uh , awkward nature , just sharing information. I think anybody who's used an email thread versus a ticket management system, email threads work so far, but they're not great for archiving data. They're not great if there's multiple participants and they're also not great from an asynchronous point of view where you want to be able to create a message, update that message several times. And then at some future point the- the customer , another contact might come in and , and pick up that and they want just the latest information in the thread. Email systems, aren't great for that.

Morgan:11:04

They're also like really bad for the planet and I don't think anybody realizes this, like the carbon impact and the footprint of using emails as your primary source of communication and business is dreadful. And they're really, really just not pleasant to, to deal with the vast majority of the time.

Holly:11:20

I think most people are pretty comfortable in saying email is rarely the best solution.

Morgan:11:25

It's from like the seventies, right? How much tech have we got from the seventies that's still relevant and useful today? And like the best option , like the best option, the best solution.

Holly:11:36

That's a really difficult conversation because if you look at crypto a lot of crypto is really old. Diffie-Hellman, for example, when, when was that first- in 1975? Diffie-Hellman's a , a great algorithm for exchange, but it's from the seventies.

Morgan:11:50

I mean, not typically how I would've approached that question but sure. Yeah. Okay. Um, just for anybody who's confused by that exchange crypto means cryptography.

Holly:12:04

Doge.

Morgan:12:06

Mm it's a no from me. Okay. So you've, you've built what seems like a pretty comprehensive solution to what is , um , undoubtedly quite a painful process in the security space- in this industry, I've kind of worked in a few different places and nowhere's been particularly great at pentesting- some places are better than others. And I think like-

Holly:12:27

Doesn't even, it doesn't even to have to be pen testing . Like I said , that is just how I interact with it. And , and the way that I would use our platform. But, I mean if you are doing internal scanning, if you're doing , um , dev based testing or all of those kinds of things, it's just vulnerability management, right? It's just, we have data about systems that we want to keep track of.

Morgan:12:43

In my experience, the places that have been best at kind of risk management, vulnerability management, pentesting, all of those processes, have been the places that focused more heavily on collaboration and using tools like Slack and ticket management systems.

Holly:12:59

It's another example of something you're talking about here that just becomes painful when dealing with vulnerability information, but the platform makes it easier. Some companies, if they're doing like a traditional pentest and they'll , they'll find a bunch of vulnerabilities and they'll give some ID to the vulnerabilities and it might just be as like 1, 2, 3, 4 , or if there's different sections like the web app infrastructure, mobile applications, it might be a section number and then a vulnerability number. The problem then comes about where, when some of those vulnerabilities have been fixed or often worse yet when they've been partially fixed or the context has changed and you then want to refer to vulnerabilities in the reports. So for example, a company might do a pentest, find 10 vulnerabilities. Three of them get fixed. Does the new report now have vulnerabilities one to seven, but vulnerability number seven in this report is not vulnerability number seven from the previous report. That kind of mixing of IDs and making it difficult to reference a specific vulnerability is quite frustrating. Whereas of course from the platform based approach, you just send a link to somebody, the link doesn't contain anything sensitive. You send a link to them and say, click this. And then they've opened the vulnerability that you're talking about, or you can assign it to somebody or , or share it with somebody. So yeah, just that kind of like- which one are we talking about? That problem becomes much easier as well.

Morgan:14:14

How does your experience then of starting a software, a cybersecurity software company differ from, I suppose, like standard perception? What people think starting a company is like, is it less glamorous because it's cybersecurity, or is it easier to get funding because it's cybersecurity? Like how, how is that different?

Holly:14:32

Yeah, let's talk about how would somebody start a company? Because in theory it's really easy , right? Within the UK, you just send a message to Companies House and you say, I'm starting a company, you just notify them of this. And there's maybe some fees to pay . Maybe you don't yourself send the paperwork to Companies House, but you get an agent, likely an accountant to fill that paperwork in for you to incorporate the company. But you send a notification to Companies House and you say, hey, I'm starting a company. But how do you actually get going? How do you actually get, get trading? And of course, starting a company tax capital, right? Takes money, to start company. You'll hear all of these different stories of, you know, I started a company with 50 quid in my wallet and nothing else, or I started my company with 5,000 pounds and nothing else. And very often a lot of these stories that, that isn't really the case. And it's the same as when people say, you know, oh, I , I bought a house when I was 18. It was really easy. And then you actually start digging into those stories and you find a out that there's , there's something else going on. For example, generational wealth. When it comes to actually starting a company, you need some money to get off the ground. It depends on the kind of company that you are- you're founding as to how much money you would need. If you are running something like a consultancy and you're effectively for the early days , just gonna work as, you know , a contracted employee, you might need very little to get started. Maybe you just register a domain, set up an email address, make a very basic website. And then you start selling consultancy services and , and that's completely legitimate. And that is one way into business. Even into running a software company, you could found a very small consultancy for the sake of bringing in some money to fund the company, to get you off the ground. The flip side of that is, is having savings, put a whole bunch of money away. And then when it comes to starting the company, you have what we might refer to as runway, which is just some money available, which is disposable income from savings. You could start a company by getting into debt that could be by going to a traditional bank and convincing them that you have a good idea for a business and likely showing them a business plan- we should definitely talk about business plans and how useless those are. You might have a business plan , uh , and , and show the bank can convince them that your idea is good and that you can make it work and they might lend you money. Or you might borrow money in otherwise like getting lots of credit cards and borrowing money in that way. Or you might borrow money from friends and family, and you might have a bunch of friends that you can all convince. I've got a really good idea, gimme a thousand pounds and all of your friends together, maybe you can get enough money together to get that started. Or you could go to something like a venture capitalist or an Angel investor. So starting companies takes money somewhere between just registering a domain and getting started right up to the most complex examples. That might be things like regulated businesses like pharmaceuticals, starting a pharmaceutical business is gonna take an awful lot of capital because of course, you've got the actual , uh , research to conduct developing the product. And then the product has very likely some regulatory requirements which would involve costs. So you have this spectrum of you can get started just by rage quitting your job and saying, screw it. I'm gonna register a domain and tomorrow I'm self-employed, right up to a pharmaceutical company where it might take you three to five years to even begin really trading. One- one of the weirdest things about starting a company is people , uh , will presume they know everything about your company in ways that can be like quite surprising. You , you have people who somebody said to me the other day, they're like, oh, you guys just, you just do training, right? That's all all that you do is just deliver training. And it's like, we, we do deliver training, but it's a small part of what we do. It's certainly not you know , what , what we're building the growth focus for the business is gonna be, it just comes about because we're technical people and we can talk about vulnerabilities and , and those kinds of things. But this person, just made the presumption that all that we do is training or you'll have people who make the presumption that all that we do is pentesting. You have this idea as well that if you've met somebody several years ago, they'll presume that nothing in your life has changed and you haven't advanced in any way. An example of this , um , somebody a little while ago now said that I'm not very good at public speaking and that's fine. That's an opinion. Some people might genuinely think I'm not good at public speaking, but I asked them why they said that, what , what was it about my presentations that, that they thought could do with some improve? And they were referencing a talk that I gave eight years ago. And it's just like, okay, that was one of the very first talks that I ever gave . You know, it might have even been like the second one. So it's just like , um , hey, context has changed. I've improved them and working on different things now.

Morgan:19:06

Um , I mean, I would hope so to be fair because you give approximately 400 conference talks a year. That's a slight exaggeration, but there , there was a stretch recently where within like, yeah, within like three days you had four or five events?

Holly:19:21

I do about 50 presentations a year.

Morgan:19:23

It's a lot, that's quite a lot. It's like one a week on average.

Holly:19:27

I was waiting for that. I was about to say a lot of people say one a week, but very often it it's more like two or three in a day or two. Yeah . And then I might not do one for a few weeks. Yeah . They do tend to bunch up. So starting a company, one of the weirdest things for me straightaway was just people guessing, and then being surprised when their guesses were wrong, not entirely accurate.

Morgan:19:48

I think you said initially when we were talking about this, that people were expecting you to start a consultancy, because that was the sort of background that you came from. And then you kind of started a software company and built a product. So I imagine those were some interesting, fun conversations to have.

Holly:20:05

So that is the biggest thing. People , um, when somebody who has worked in consultancy starts a company they very often just presume. It is a consultancy that you're doing, which it makes sense, but it's just surprising to me that people don't check or at least like go on the website, you know , like you wanna know what we're up to- check us out on LinkedIn or , or , or AkimboCore.com. It's , it's all on there.

Morgan:20:27

Yeah .

Holly:20:27

And it , and it might be because we've done something. So a customer asked us if we could deliver security awareness training, because they had seen me publicly speaking, they they thought I was a good speaker. And they thought the stuff I was talking about was pertinent to their team. So we delivered some security awareness training for their team, but that isn't, or certainly wasn't a service that we advertised. They, they hadn't like seen a billboard with our company name on it and that , that we do security awareness training had come to us for that. But when somebody hears that we have done that, they then get this impression of like , oh, you just do the security awareness training it's like, that's a very small part of what we do. So I mentioned , uh , venture capitalists and Angel investors. Again, I'm generalizing a little bit here and there's a couple of variations on this , but an Angel investor, generally speaking is gonna be an individual investor. This could be somebody who has previously started a company and had a successful exit. So they have money to invest in new companies. And Angel could just give you money to get started. When we're talking about money to get started, we're talking about pre-seed and seed funds. It's just like the getting off the ground money. And an Angel investor might be interested in a business because they have specific knowledge and expertise and they think they can help. So they've started a cybersecurity company previously, you are doing a cybersecurity company, so they want to get involved, or it might just be that they have available funds. And actually they , they don't wanna get involved in , they don't want to be on the board. And those kind, they just trust you or are interested in your company enough to give you that money. I said , I said , trust you as if they're just gonna give you the money and leave it. You are, of course it's a diluting event. So you're giving a percentage of ownership in the company for an amount of money. That that's how that relationship works. Venture capital is going to be different to an Angel investment in terms of an Angel is an individual. Typically could be a , there could be several Angels , um-

Morgan:22:13

A choir of Angel Investors.

Holly:22:17

Uh , with, with a venture capitalist, venture capitalist is , is gonna be a firm of professional investors and they'll have LP. So they'll be receiving money themselves from things like very wealthy organizations, pension funds, those kinds of things. These, these companies who have uh huge amounts of money to invest in their current venture pools. So they might have say 8 billion of available funds, and they're gonna invest in a range of companies, a portfolio of companies in one part to , to hedge their bets. But because they're looking for the very rare unicorn outcome and where a company is very successful and delivers a 10 times return- a hundred times return. So a venture capital firm is gonna be involved in your company. They're not just buying a percentage of ownership, but they're probably buying preferential shares. And they're probably taking some significant control of the business. What I mean by that is they are going to sit on the board.

Morgan:23:12

On the flip side of that though, I've, I've only done a little bit of reading about it, but it doesn't sound like VC is accessible for everyone. It sounds like there are massively underrepresented minorities in the kind of startup founder entrepreneurialship space. Um, and there is stat that I saw earlier today that was like in the like 2009 to 2019-ish period, something like only 38 VC funded companies were founded by Black people .

Holly:23:46

So , Um, yeah, there , there is a lot of challenges in terms of who actually gets funded. And that can be , uh, minorities. It can be , um , gendered. It can just be geographical. You know, we hear about out Silicon Valley startups because that was where all of the money was going, and you might have the option of moving to Silicon Valley or moving to London so that you can be close to the VC firms. So you can get those introductions so that you can get those people on the board and you can get the capital in. But yeah, just that there is a , a problem with companies aren't funded evenly across all minorities. That is true.

Morgan:24:32

Is there anything that you're aware of that's like working to combat that? Are there specific like Angel investors or VC funds that look to maybe disproportionately fund kind of female founded or like BAME founded startups that-

Holly:24:47

Yes, definitely there , there is definitely firms out there that focus on those things. There's definitely firms out there who are taking those opportunities that are being ignored by others. And of course there is areas here that are outside of my expertise and just things that I haven't looked at. For example, I will habitually talk about investment into America, investment into San Francisco investment, into UK investment into London. And there's a lot of startups in Africa, for example, that have a huge market potential and huge innovation in those regions that, yeah, they have their own challenges and they don't necessarily have those same opportunities, but there are some companies out there who've identified those problems and are seeking those companies out. One of the things is you might imagine, can be founders who've been successful. They themselves have started a company in those areas. Or as one of those minorities, female founded companies who then might say, okay, I've had success, but I'm not gonna pull up the ladder behind me. I'm gonna go and seek out people who are like me and , and fund those as well. So yes, the direct answer is yes, there are , um , some people working in that space, but that is still a problem. Definitely is still a problem.

Morgan:25:54

Do you think that's something that you would do in the future?

Holly:25:56

Become a VC?

Morgan:25:58

Yeah. Or like an Angel investor or something? Yeah.

Holly:26:04

Um. Yes, I think, I think I probably would, there , there is , um, there's different ways of approaching that, of course, like the late stage stuff, because it's like, do you become an Angel investor and invest in lots of companies and then spend your time assisting those companies and sitting on their boards and helping them through their challenges? Or do you just start another company and work on company number two kind of thing and , and build in that way? Or do you approach a venture capital firm and work with them on their portfolio companies? There's a lot of options right now because we're early stage. All I'm focused on is like, I just wanna build things. And like, I'm just like, hey, if, if company number one went away we'd just build company number two. And I think right now that's probably just, just my immediate focus. If , if you ask me in eight years time, I probably have a different opinion.

Morgan:26:55

Yeah, sure. Okay. So do you wanna be the CEO or the CTO? CIO I suppose?

Holly:27:01

CEO.

Morgan:27:02

Yeah?

Holly:27:03

CEO. Yeah . Yeah , yeah .

Morgan:27:08

So , um, you said that Akimbo was bootstrapped , but you recently got some funding. What was your experience with getting funding? What kind of funding did you get and how was that?

Holly:27:19

Yeah, so AkimboCore won an innovate competition. So innovate UK. This is government funding. This is money into the organization to perform research and development. So we put a proposal together to , um , innovate that said, we intend to build this product. We described our product through a proposal that is long as my dissertation from university. Very, very long proposal in terms of, this is what we're building. This is the team that is building it. This is our expertise. And then all also , including things like recommendations from potential customers. So companies that we've approached where we have said, this is what we're intending on building. Would you be interested in this and those companies saying, this sounds great. We think this is potential gap in the market or a potential interesting product put all of that together. And we , um , submit it to innovate . Innovate is a , is a grant funding competition. So a large number of companies. And I don't have the exact statistics on here, although I'm sure somebody could take a look , um, at some of the published data, or do some freedom of information act requests and find out about how many companies submit and things like that. But many hundreds submit proposals and then innovate has an amount of funding available. What we have said is of course, the , the product that we're building, which is a vulnerability management platform, and we have some innovative ideas for how that could work and how vulnerabilities could be found in the future. And we successfully convinced innovate that it was a good idea, and we were successful in and won that competition.

Morgan:28:45

Congratulations. Very happy for you.

Holly:28:49

Thank you. It's a very long process.

Morgan:28:53

Did it feel better afterwards?

Holly:28:57

No. No.

Morgan:28:58

<Laughs>

Holly:28:59

Wow. That's a great question. Do you feel better after receiving investment? I think. Okay. So there's gonna be some differences based on like everybody's experience and the kind of investment and I'm sure , um- in Lost and Founder, that book that I told you that you should read, there is a scene where they receive investment so they- they receive venture capital and Rand. He does something like tries to buy everybody in the bar, a drink, and you can imagine like this huge bar just full of people, you know, they've been told by the investment company that they'll , they'll , they're happy to receive the investment, but the money's not necessarily in the bank, but this just idea of the initial feeling of just like success and the initial feeling of just like you tried to do this thing and you've accomplished this thing. I don't think like that. And I , and I don't think at any point I was ever necessarily happy. Like I'm sure there was a day where , where we got told. To , to be clear to people who've never looked at innovate funding previously. I worked on the grant proposal in July when we're putting together this proposal, you know, this 10,000 word document about what we're gonna build, how we're gonna build it, what the current market looks like, what our cagar is , who our competitors are, all of this information, the deadline for submission was in August. And then the project start date was the 1st of February. So just this huge amount of time between like working on trying to convince them. And then also there's the day in which you're told you're successful, but then due diligence begins. So it's like we have selected your project. We intend to invest in your project, but we need to do , uh , financial checks. We need to be more specific about much funding, how the money's being spent, all of those kinds of things. And between, you know, the due diligence and actually the project start date was maybe three months, again, quite a long period of time. And I think the whole time, whilst I'm very happy that we were successful and I'm very happy that people think this project is a good one and think our product is good and liked our prototype. I, this whole time, I've just been so absolutely raring to go. And I just want to get started. And I just want to build the thing and I just wanna talk to customers and I just wanted like, what's next, what's next? What's next that I don't today feel like there was ever actually a point in which I went. Yeah, that's awesome. I can't believe we won . I just think a second. I got that email. That's just like, okay, great . Like start building , like , and getting kind of reigned in.

Morgan:31:25

Do you think maybe that's like , that's a quirk of your personality though? Like I've seen you after you've passed like really important exams , um, I like saw you when you graduated from your master's degree and you were never like, oh yeah, I did a really cool thing. Like I'm proud of myself. You're always like what's next?

Holly:31:41

Yeah, yeah. Yeah. So I think , um, the frustration for me was being ran by an event in terms of being told that we were successful. But then our project start date being three months later. Like that's just, that was very difficult for me 'cause I just wanna get started and , and you can't necessarily, but yeah, I think that's just a part of my personality and a part of many founders personalities and many CEOs, personalities, like take the action, do the thing, build the thing,

Morgan:32:08

Being a type A yeah. Being a type A personality. Yeah. And on a weekend you're like, I'm not relaxing hard enough, I need a new hobby. <Laughs> Okay. We've kind of covered why you started this company then how did you go about it?

Holly:32:26

I don't think we have covered why I started the company. I think I sidestepped the question. Um, so-

Morgan:32:32

I think we covered it. That's about as , that's as much depth as we're getting from you on it. You're like, I saw a problem and I fixed it.

Holly:32:38

Yeah . You asked the question. Why did you start a company? And then I talked about how I started a company. Um,

Morgan:32:45

You didn't really talk about how you started your company either though.

Holly:32:49

I just answered a different question 'cause it was easier.

Morgan:32:51

Yeah. But you didn't answer either of those questions. So why did you start your company?

Holly:32:56

So there's two questions here. This , why did I start a company and why did I start Akimbo? Or if you know what I'm saying, there it's like the idea of, oh, I want to start a company. Like what's my motivation to be a founder versus what problem is the company solving? So I think answered that . What problem is the company solving vulnerability management and discovering vulnerabilities? What I did , I start a company because the alternative options of course are doing things like approaching the company that you currently work for and submitting the idea to them and building out from within an existing company. There's a lot of people who do that. There's a lot of people who work for companies come up with a good idea and then they build it out from, from their existing company, either as just a project or it might become a whole new department. There's a couple of main factors for , for me, the first one was creative control over the project of actually being able to build it in the way that I wanted to build it. And a big thing here. I , I guess it's for some people might consider it like the difference between a true startup and an established brand is it was very, very important to me that through the process of developing it, we would constantly go to customers and feedback on what is it that they want and what is it that they're like? So this is a concept that comes from The Lean Startup, a book by Eric Ries that he refers to as validated learning. So he has this concept of a cycle where you build, measure, learn, you build a prototype and then you build on it and it's iterative development. And I was a big fan of that. I wanted to build software and then be pushing changes to the, that software constantly. So if a customer messaged us with some improvement that they wanted or some small change or some benefit that we could give them, I didn't want that to go into a three month change cycle. And yeah, don't worry. That'll be in version two and it'll come out Q1 of next year. I wanted to be able to go. That's a good idea. I can see how it would benefit you, it's a small change. It'll be in the system by this afternoon. Or sometimes that might be something for us because we use our own software as well for delivering our own services. And it might be like, oh, actually this thing that I'm trying to do, there's some inconvenience in the UI or some , you know, there's some better way of doing this. It's like, great. Let's just, let's just push it and let's do proper agile development. I think sometimes when people think of agile development, you know, think they're thinking of a couple of weeks for a sprint and I'm thinking of doing four pushes to production a day . So one of the reasons that I started a company as opposed to working in a company was I worked in consultancies and for consultancy to spawn out a software product, very, very different way of working very, very different skill sets . And , and I couldn't see that being compatible with that company and secondarily having some really strong opinion and about how it should be developed from, from the customer's point of view and , and how it should be , uh , published.

Morgan:35:28

Okay. That makes sense. Thanks for answering my question. <Laughs> There's a point when you are starting a company where , um , by nature of what you're doing and the way that you establish things, it's very small. And I think you would have to again, either be confident enough in your skills or in the people that you've started that company with to know that you could execute minimum viable product or , or whatever it is that you are aiming to, like straight out of the gate in enough time to kind of deploy a parachute as it were when you jump off the cliff. Whereas I think like a community project or something that gives you, I dunno , sort of a , a softer approach, a little bit more freedom and the stability to continue to work and to continue to wear the golden handcuffs while you're working on your side projects. But I guess there are lots of nuances in there about whether or not that's feasible and there are other ways that you could make it work. Like, can you stay in your current role and reduce your hours, condense the days that you work, work part-time so that you don't run out of funding or your bills still being paid while you are starting your company, do you have savings there's , there's a whole bunch of other options and things to consider in that.

Holly:36:43

Yeah, this is interesting, 'cause it kind of points to a whole range of different kind of like starting a company aspects 'cause one of them is like funding. So like where does the money come- how, how do you afford that? But another side to it is as you point out, depending on what it is that you're building, it might not be money that you need. It might be time. So yeah , out one way of doing it is you could start out by establishing the company as a side project, something that you do on evenings and weekends. And one of the big difficulties now certainly for anyone who works in technical roles is you might actually find that you're contract restricted from doing that - an awful lot of companies just contract it , that you cannot start a company or be involved as a certain percentage of ownership of another company, or they might have intellectual property clauses. Or even if you build something in your own time by contract, they might claim ownership to that. There's certain restrictions to, to what can be done there. But certainly if it's competitive with their business, there might be some difficulties there that then leaves people with either renegotiating a contract or changing positions so that they free themselves up from a contract. Or it might be like you said , doing things like, oh, can I work part-time or can I get just a different role that would allow me to be more flexible? So for example, you could work independently as a consultant and more like a contractor as we would call it to bring in some money to pay the bills whilst you build the company. So that might not necessarily be a long-term goal, but you're just looking at paying your rent and buying food . Uh , also another thing that we haven't considered is people accidentally starting a company. So for example,

Morgan:38:07

How do you no , whoa , whoa, whoa, whoa. How do you accidentally start a company? There's no- I've never tripped and accidentally emailed Companies House. How do you do that?

Holly:38:18

<Laughs> I'll give you , I'll give you a couple of examples. So, so one of them, it might be that you do something as a hobby or a project and then you get the opportunity to commercialize it. So you do that could be real kind of modern, simple example. You start a YouTube channel and it becomes popular. And then YouTube gives you the opportunity to commercialize that through advertisements or maybe companies approach you for sponsorships and those kinds of things. And you might therefore have to set up as a company so that you can handle the tax around those payments and things like that. Um , or maybe you start an open source software product and you know, you build something and it becomes really popular and you want to be able to offer paid-for support. So the software remains open source, but your time can then be acquired as a consultant. So it might be that you never intended to start a company, but you find yourself in a position where you think it's a , it's a good idea. Or maybe it's just a passion thing. It's just like you start this side project and it's, it's consuming your time. And it's the thing that you love to do. And there is this possibility that, that it could pay you and you wanna move away from a nine to five and , and work on that.

Morgan:39:20

Okay. So, accidentally-

Holly:39:21

And you fall over and accidentally email Companies House.

Morgan:39:24

Yeah. As you do. I think that's , there's a TikTok in there somewhere.

Holly:39:28

That's the thing to mention though, it's like at what point have you started a company? 'Cause everybody talks about companies. And certainly my experience for people talk about my company. The company started the day that it was incorporated as if I just woke up one day and thought I'm gonna start a company and then that's it. We were incorporated. And of course it's not , for me, it was a little bit more than 18 months before we incorporated that I started building the network to enable me to do this. So that simple things like finding design, who can help working out things like , um, how actually do you incorporate a company? What actually can an accountant help you with? How does payroll work? All of those kinds of things. How does tax work? So kind of building the understanding to enable you to then found. So yeah, for me, it was a little over 18 months between the project being an idea in my head, me , I actively making steps towards it , it having a name. And then one of , for me, the last steps was incorporating.

Morgan:40:25

Are you allowed to tell us what its original name was before you called it a AkimboCore?

Holly:40:30

Manta, as in mantaray.

Morgan:40:32

Ooh . Why?

Holly:40:35

Brilliant question. Um, why AkimboCore? Why, why is the company named what the company is named? And there's different ways that people would come up with it , maybe that's like their pets name or something like that. Or a lot of companies of course that out with the founders name , um , or some joining of the , of the founders name . So Andre Horowits there , A16Z, things like that, where they just joined the two names together. For me the original name, the manta was just a project name . It , it was a way to be able to talk to people about it before it had an name. So when you're talking to designers to get , uh , content produced and those kinds of things, it's just an easy way of communicating with that person. What it is that you are talking about, especially if you need to differentiate things. So for example, for this podcast, we had the , the graphics created right that the Pango created and the designer that we used , the illustrator was an illustrator that I used previously. So having a name for a project is really useful to , to be able to differentiate two things. So there's like the project name, which, which I originally had, which is meant . And then after that, there's a long period in which you want to come up with a company name and there might be some internal intention there. Maybe there's just a name that you like, but you might have to consider things like, can that name be trademarked? You might have to consider things like is the domain of it is the social media sites available. And those kinds of things, there's a couple of different ways you can do it. You can just go. I like the sound of this name. This is what I , I wanna name my company. You can read a marketing book or an SEO book and, and go down the route of this name means nothing, but it will score highly from an SEO point of view, a lot of different ways to produce it. Um , one of the key things for me with, with choosing a name 'cause of course you come up with , uh , a few ideas and then you see which one sticks and which one feels right? One of the big things for me was it was easy to say over the phone and the other person know what you meant and know how to spell it. So that's one of the, one of the difficulties. Um , I have definitely worked for, for you companies where people, even customers constantly mispronounce or misspell of the company name from like a marketing SEO and sales point of view that that's not a great thing. My delivery driver still cannot pronounce my company name . Akimbo. It's not that hard.

Morgan:42:49

Like they've never seen an action movie ever. We haven't named the Pango yet . Actually that's outstanding on our actions list. I'm gonna add a , a ticket to the backlog.

Holly:43:00

Yeah, we haven't named the Pango it's funny cuz it wasn't something that I even thought about until you, until you mentioned it, but we definitely need to name the Pango.

Morgan:43:07

Yeah. I'm feeling something alliterative.

Holly:43:10

Insert long pause whilst we both start thinking of names. Naming things is very difficult though and counting, but naming things is very difficult. Um, I think one of the things as well, you might stumble onto a name and then become enamored by that name. And then it , it can't be used for some reason- there's another company that already uses that name, rhe domain's not available or you really like it, but nobody can spell it and , and all of those kinds of things.

Morgan:43:33

Yeah, absolutely. Um, is there a good time in your life to start a company?

Holly:43:39

Oh, so there's this idea in people's minds that people start companies very young and there have been some companies like that where people have dropped out of college and started a company at like 18, 19 20. And there are companies that are founded by very, very young people, even more extreme examples than that. But the truth is statistically, the , the median edge for people founding a company is more like 40. So , um , if I remember correctly, it's the range of 35 to 45 for , for people starting companies. Is there a good time to start a company? Yes. And it's gonna depend massively on the context for one thing, the more companies you have worked at, the better idea you'll have of how companies work and how customer relationships work. It's like management skills, right? A lot of people learn how to be good managers by having bad managers. And then you kind of pick up on all , all of these things that just, I'm not gonna do it that way kind of thing. So that experience can be useful. Also, if you are doing something like a consultancy side , it's just the more experience that you have of delivering that service that are making better at it, or maybe just plainly more certified and that might be more desirable in the market. So that, that all kind of indicates that later is gonna be beneficial. You , you also will need some cap , you need some money to start the company that depends on some companies can found just with a few spare pounds to register a domain then , but other companies might need many tens of thousands in capital just to get off the ground. So again, that pushes you into later in life, likely where to save money, unless you're independently wealthy or you can borrow from friends and family. So all of those things would say later in life, but then you do start to get to the opposite of what we mentioned earlier, which is the golden handcuffs. So having kids, having relationships, having car payments , having rent, those kinds of things, also just having the idea and then being able to execute on it. You know, you just need a certain amount of experience of, of how the world works. So I , I would probably put the , the ideal age to start a company over thirty, but there'll be plenty of people out there who'll have wildly different experiences and , and will put it wildly differently.

Morgan:45:42

You're such a nerd.

Holly:45:43

Thank you.

Morgan:45:46

Yeah. So Akimbo was started , um, just over 18 months before you were officially incorporated. What was the hardest part of that, that 18 months before you officially incorporated?

Holly:45:59

Oh man, what was the hardest part prior to incorporating. A lot of the early things that you stumble on become kinda laughable after you've been running for a while ? And it's a great point because one of the ways of just kind of reducing that tension is having a good network and um , talking to other people who founded companies and finding those resources and those people that you can ask questions to. That could be questions about funding, questions about actually just running a business. How does tax work? What are national insurance contributions? What's payroll? All these things. A lot of those early problems are first time founder problems, and the second time around you , you wouldn't have them. So there's definitely distinction between like the problems of a company in its early stages and the problems of a founder in their first go . But yeah, I think the big thing for me at the beginning was getting the confidence that the thing that you think is a good idea other people think is a good idea because just 'cause you felt that pain or just 'cause you think it's an improvement doesn't mean it is. And also for some companies, your product doesn't have to be a little bit better than what they're already using because of the , um, switching costs, right? So if they've got a product already and then the product in that context might just be like an Excel spreadsheet or something, right. They've got a way of achieving that thing currently. And if you're like 5% better than that, they might not want to put the effort into changing to use your products. Your product has to be a lot better enough to give them that activation energy to go through switching costs and working out, hey, first of all, this thing that I wanna do, would anyone actually pay me for that? Secondarily like what is the market rate ? So this thing that I'm trying to do and then building up from that difficulties around things like, okay, I wanna build software. How long is that gonna take me? Or maybe there's some engineering decisions and you're like, okay on paper theoretically, I should be writing this in Rust or insert other language here. And then it's like, okay, do you have the technical capability to achieve that? You know, maybe it's not technical skills that you're lacking, but maybe there's business skills. Very often you'll find companies found with two founders that bring complimentary , but different skills, commercial and technical or business manager and technical skills that are common. So yeah, for me, the early stage stuff now is , is pretty laughable. It's just like how does tax work and those kinds of things.

Morgan:48:19

Okay. So was there ever a point during that 18 months that you thought it might fail?

Holly:48:26

No. Uh , can you clarify the question? It can't fail before I've incorporated it.

Morgan:48:31

I mean it could, in theory. It could fail afterwards as well. Like no, no stress or anything. Just like , just not what I'm saying. I'm just saying, is there , is there any point where you thought actually, I don't know if I can build this. I don't know if I can, if I can pull this off.

Holly:48:45

Oh , um , no, never. Um, there was never the absolute of, I can't build this. There is always the absolute of, we might not be able to do this fast enough. Certainly when a company's getting off the ground and you have , uh , a certain amount of capital available and you have a , a certain burn rate. So there's some money in the bank and you are spending some money at some rate. You definitely need to gain the confidence that this product hits the market and people start buying it before you run out of money. That's the same, whatever you're doing from just like a consultancy or setting up like an Etsy store or something to, you know , major enterprise software. So that's something that you're always thinking about. No matter how old the business is, no matter how well established the company is, you still need to keep a close eye on those financials and know that there's more coming in than there is going out. And sometimes that can be more complex than people realize as well, especially when people think when you're a salaried member of staff and you get paid at the same cadence, you get paid once a month, the same amount every month for a company, sometimes there's delays in payments. So if you are , for example, being paid by invoice on something like a 30 or a 45 day net payment terms, if you have a bill today and you're getting paid in 45 days, that's a problem. Even if the actual literal figure of what's coming in and what's going out is the same . So there's some , some difficulties like that, but anyone who runs a company will , will almost laugh at those things because it's just the way that companies work. But I know that a lot of people before they start a business, maybe haven't thought about that.

Morgan:50:11

And how much can you plan for those things? Like, to what extent did you almost know what to expect? Is there like a blueprint or something, was there a strategy or a plan that you had in advance to like enable you to deal with those things to kind of take them in stride?

Holly:50:26

Yeah. And it depends entirely what you're talking about. 'Cause one of them could be what if you hire staff and then tomorrow you never make another sale again. And no one ever comes into the business. You're spending money at cadence , but you now suddenly have no money coming. And there's always those things you've always got to do and projections. And you've always got to be looking to grow the company and looking to make improvements and make new leads and, and those kinds of things. So that , that problem never goes away. But specifically, in terms of did the business have a business plan? It depends what you mean by business plan. Because again, people who haven't necessarily started businesses might think of like a very traditional approach to a business plan where you have like a 50 page document that covers like financial projections and the team and all of those kinds of things . And my experience is most modern companies don't have a document like that. If a company is being funded through something like a bank alone, then the bank would likely want to see a document like that, a real traditional business plan, but in terms of how we were built. And in terms of approaches such as what The Lean Startup references, you wouldn't have a traditional business plan like that, it doesn't mean that you don't go through some of the major stages. Like we still have financial projections and we still know what we're doing from a finance side of things. And of course we could still talk about the growth plan for the business and what we're doing with the technology, but it's much more likely to be a simpler, more iteratively developed document. And then you can start looking at things like the lean canvas. The lean canvas is this idea of effectively a one page business plan. Just get everything down in terms of who are your customers, who are your competitors? What is your competitive advantage? What's your USP ? What are your costs? What are your incoming, what are your revenue streams? And you can get all of that down into a , a very compact document, which is , uh , workable and consumable document. And it can be iteratively developed as things change.

Morgan:52:12

I've seen , um , kind of various versions of that. And I think my, my favourite versions of those are a high level kind of 10,000 foot view strategy on a page. That's usually a really good starting point. And then if you need to drill down deeper into that, or look at different kind of performance management ways of setting goal and achieving that, splitting it across like quarters or half of the year or monthly or into sprints or , or however's best for you, it always comes back to a simple, easy to understand digestible high level document strategy on a page. How did you start AkimboCore logistically?

Holly:52:50

How do you mean?

Morgan:52:50

How, how did you do it? Because you didn't just wake up one day and say, I'm gonna start a company today and register with Companies House and have a finished software product by lunchtime. You spent 18 months plus kind of iterating and developing and building a network, as you've said , um , before you were incorporated, what happened after that?

Holly:53:11

So the , the early stages is very much like people might come across terms like MVP and things like that. Really there is an earlier stage to that. MVP is the minimally viable product is the point in which you would go to market best on that strategy. But there is an earlier stage in terms of prototyping, individual features. And then there's an earlier stage than that, which is validated learning in terms of like, do people want this? And you could start a company, go to stealth mode, build everything in secret, never tell anyone about it, worry very much about your intellectual property. Worry very much about first move advantage and those kinds of things and , and just build everything on evenings and weekends. And then one day wake up and say, okay, this is ready. We're at version one, let's go live . And some companies are built like that. And for some people that works well. And if you do need to protect your business through industry secrets, then that might be your only option. The problem with that is you , you might spend years of your life building this, 'cause you're only working in evenings and weekends and those kinds of things, and you get to version one and you finally go to market and you, you missed it. You don't have product market fit. That could be for a range of reasons. The timing is bad. It could be for a range of reasons where you misinterpreted the , the customer desire and what you've built doesn't actually meet their specification or any range of those kinds of problems. So an alternative is building an MVP where you build the minimally viable product to go to market. Then you can iterate best in that. And what you're trying to do there is , is reduce rework. If something has to change, 'cause you haven't got it quite right, change it early, but moving even further back than that, it could simply be just asking companies if we built this thing. Does that sound interesting to you? That could be making a landing page, just registering a domain, making a landing page. You know where at , we're thinking about building this product , uh , are you interested in it? And one of the things that you need to get from that is it's good metrics. So if you make a landing page and you're tracking something like page visits, is that really telling you that people are interested in this product? Or is it just telling you that your SEO is good? A lot of people are visiting the page. Maybe they're visiting the page and the product that you're talking about. Isn't what they thought it was. And they're very quickly turned off from that. So maybe you would have something like an activation steps . You , you make this, we're thinking about building this product, if you are interested in this, sign up to our mailing list and that way you can get people, people are actively saying this thing that you're describing, I want that. Maybe a bigger version of the same thing would be something like crowdfunding. We're thinking about building this product and then people can actually put their money where their mouth is and say, yes, I want this. And I'm willing to pay now before it's actively available to really pay for the development of this product. For a lot of businesses and for a lot of companies that the further back you can get towards that validated learning of like learning at an early a stage as possible the better. For me, one of the very first steps in that 18 month process that you mentioned is, is like prototyping features and , and , and working at like , um , how does this actually work? And would customers want to interact with this system? And sometimes there might be actually a different product that you are building, but as a side effect of that, maybe you have to , uh , build some tool or something and maybe customers are more interested in the tool. Maybe you're a video game company and you in invent some internal messaging system. And then that internal messaging system becomes very popular and you become Slack or maybe it is that your idea was close to what the customer wanted and you just need to adjust somewhat so that you can get that product market fit. Um , so a lot of the early stages were that was, if we build this, how does it work if we build this, how do we make sure it scales? And if we build this, will people wanna buy it?

Morgan:56:49

Yeah. So I think something- I'm hoping that you can leave this in, we're gonna see. Um, something that you mentioned as kind of a dev principle earlier on in AkimboCore's lifetime, was kind of building a platform or a product and having sort of like a dead button or something. A , a feature that hasn't quite been built yet, but-

Holly:57:09

oh yeah. Yeah yeah.

Morgan:57:10

-um , will track interest. So if users want a particular feature, the intent for you to build that feature is there and that'll give you the data to know what to prioritize in your lifecycle.

Holly:57:21

So sometimes these can come up because you build something for you and then customers also want that. So that's really how, for example, our API came out, we architected the system in such a way that it has an API because it makes integrating things at our end easier. And of course it makes integrating things at the customer end easier. So instead of that being an internal API , it's a public API . So sometimes you build things in that way. And other times you might have a series of ideas. So for very often, when we onboard customers onto the platform, we talk to them about what the product is and how the product works. But then we talk to them about what would you want this product to do? If you were to use this, what's your pinpoint ? How would you address this? And hopefully of course, you're gonna end up with a customer describing a perfect problem that your product just solves today. And other times a customer might just come up with a good idea and say, it'd be great if it does this, or we have this weird process internally, it would be great if you could automate that for us. So you end up with effectively just like a desirable features list. And sometimes the desirable features list. You don't know the order in which to build them. And some companies fall foul of building the feature that the loudest company wants, the people who are complaining the most want, and that isn't necessarily what's best for the broader customer base. So you have to come up with some way of prioritizing those features. The problem with that is sometimes asking people isn't always the best thing. Sometimes people have bias that can cause them to describe things in a way that's inaccurate. So example, if you ask people how they drink their coffee, what they tell you in a survey might not actually be how they drink their coffee. So working that out, what does this customer actually want, can be really difficult. But the example that you mentioned could just be adding a button to your user interface and when a user clicks it, it might pop up and say, this feature isn't available right now, but we're working on it. And then what you're tracking is how many users click that button? There's just one example of actually working out if a customer wants it or not, the opposite can be true as well. So our platform is designed in such a way that you just interact with the platform and it's SaaS based . Everything's just in the web interface, but we have a button that would export that data that you're currently looking to, to a word document. And very, very, very often people tell us that they want that button and that's a critical button for them, but we see how frequently people click it.

Morgan:59:44

< Laughs> Solving the PDF problem. Is that quite satisfying though? That statistic? Is it , is it something that you are happy with because you've identified a problem, built something that you think alleviates that, and then that's almost like , um , sense check?

Holly:1:00:02

Validated learning. That's all, that is it's validated learning in , in terms of, if you're gonna spend the effort you , you want to minimize rework and , and you also wanna just make sure that the thing you're building is , is what the customer actually wants. Even if the customer finds it difficult to explain that sometimes just explaining features can , can be difficult. You know, that's why so many people in engineering discussions result to drawing diagrams and getting pen and paper out, or maybe iPad and pencil these days. But-

Morgan:1:00:27

I think we're , uh , we're visual people, but I just think it's such a good way to do things. It's , I've seen waterfall projects from kind of inception to delivery - if they ever actually deliver. Usually what you end up with is completely different to what it was that you asked for initially, everything gets kind of descoped, it's beyond time scales, it's beyond original budget. It doesn't address the initial ask that, it doesn't meet the project requirements. And it it's like you can't really look at it and tell someone that their baby's ugly, but Agile is just, it's easier. It allows you to iterate it. You need to step change because you've delivered something that isn't it, right? Or you need to regress slightly and go in a different direction. You can do that. And it , it doesn't cost you two or three years of dev time and like of your life. It's not gonna massively impact your company. It's lower risk.

Holly:1:01:17

It just allows you to reprioritize as well. If some small feature comes up, that would be a great benefit to a lot of people. You might reprioritizing and get that in the next. Whereas if you are developing everything linearly with very long lead times, it might become the next thing in the list. But if the next thing's not gonna get worked on for three months, that that can be frustrating. And one more thing on the features though, which is interesting, very, very often security professionals talk about the importance of things like multifactor authentication. On our platform you register an account. One of the first things that'll ask you to do is enable multifactor authentication. It is the first in-app notification. You will get, please enable multifactor authentication. We strongly recommend it. We also see the metrics of how many people do that.

Morgan:1:01:56

Do I wanna ask about that one? Um, no , but it is really cool. Um, have you thought about expanding? I know that you're like a baby right now, so it's, it's still very focused on delivering kind of the original mission statement and goal, but anything in wider technology that might be on your roadmap or anything that you'd like to do in the future. And you can absolutely cut this out if you're not allowed to tell me about this.

Holly:1:02:20

Yeah. Uh , Akimbo just received about a quarter of a million pounds in grant funding. So we put together a proposal to expand our vulnerability management platforms, such that we could use machine learning to discover vulnerabilities. Now discovering vulnerabilities through signature based vulnerabilities, scanning discovering vulnerabilities through manual penetration testing is, is still a thing that, that we will continue to do. And it will still be effective in , in the way that is effective. But machine learning brings in a new kind of automation that can bring about just different benefits. One of the examples, there could be something like if we're monitoring a lot of systems and one of the systems seems to change in some way that could be a security event. It could be that that system has been updated, and we might wanna perform a manual security assessment of that. This is that problem of how frequently should you perform pentesting annually and on any major system change, well tracking major system changes can be difficult. So you could use machine learning to monitor systems in that way to work out when , uh , just to notify, hey, you should consider an additional security assessment. Or there's also just a lot of vulnerabilities where discovering that vulnerability could be difficult. For example, something like insecure direct object reference , a vulnerability, where an application might disclose confidential data, but having a signature based vulnerability scanner, knowing that it is confidential data is a difficult problem, but that's already been addressed through machine learning, other areas. So things like data loss prevention using machine learning to determine is this potentially confidential information, be it PII or payment information, or what have you. So that is something that we're expanding into is the use of machine learning within the vulnerability detection engine. And that is effectively a roadmap for the next 18 months of rolling out improvements where some of our plugins will be machine learning based.

Morgan:1:04:01

That's really cool. But right now, all I can think about is our last episode on machine learning and all of the potential problems that you're gonna encounter, like trying to use machine learning to do like heuristics based testing. I really wanna see that. Can I see that without coming to work with you? Can I , can you show me?

Holly:1:04:21

Uh , yeah, you definitely can. So this is one of the things where very often customers really don't care how a vulnerability was detected. If it was old school signature based vulnerability scanner, or if it was a human manual pentester doing something really cool, they don't really care. What they care about is what is the risk of the vulnerability? Is it legitimate? It's not a false positive and how do we fix it ? We don't care about how cool your work was as , as a pentester. So we are just bringing in this new kind of automation to give us just another mechanism for finding vulnerabilities. And from the customer's point of view, it might be no different between on a pentester, pick this up and a machine and an algorithm pointed out that I might want to pay some attention here. Um , during penetration testing, we use automation tools all the time. The fact that they're just gonna speed things up. That could be very simple things like quick lookups for a self-reported version number to see if there are any known vulnerabilities against that system. You don't want me to spend a whole bunch of time finding vulnerabilities if they're just published known vulnerabilities. And yeah, this is just another way of building an engine to direct human attention into saying, hey, you should look at this.

Morgan:1:05:29

No , this is really cool. This is , this is really cool that's all .

Holly:1:05:32

Yeah, there is funny that you mentioned though, 'cause a lot of people are put off because you , you mentioned this machine learning thing and , and then you have all of this marketing problem of people, promising machine learning can deliver more than it can deliver and talking about machine learning as if it is magic and that's not, that's not how we're approaching it. We're approaching it in, in a transparent way. And we can talk about how , how we approach it. Of course it's gonna differ best on each vulnerability. It's gonna differ best on , uh , the context that that we're we're talking about. But , um, yeah, machine learning is not magic. It's just a different kind of automation and it'll benefit us in the same way that automation always has use human intelligence for the difficult things and use automation for the mundane ones.

Morgan:1:06:16

Might you say, work hard and automate?

Holly:1:06:24

Yes.

Morgan:1:06:24

<Laughs>

Holly:1:06:28

It says work hard and automate, on the wall behind me for anyone who's not seen our office before. It's , it's a big, it's a big , uh , philosophical part of the , of the company. You know what? Sometimes human intelligence is absolutely what you need it . If it's something like a business logic, vulnerability, humans are gonna find that easier. If it's something like comparing two large data sets , you know what machine learning is probably better at it. If it's looking up some specific information in a database like a version string or something like that, signature best scanners are probably the best thing that it's just all part of this like works smart thing. Isn't it work hard and automate work hard on the interesting things, work hard on the things that require human intelligence and automate the mundane ones. Don't be wasting time if you can automate something.

Morgan:1:07:13

Trick sand into finding problems with itself.

Holly:1:07:18

Yeah.

Morgan:1:07:19

Using machine learning.

Holly:1:07:21

And this is the thing we spoke about in the , in the previous episode, machine learning is great when you have a machine learning problem and it's very not great when you don't have a machine learning problem. And of course we , we've done a lot of, of preamble work here to track that what that , what we're doing is well suited and it's not gonna help for every vulnerability. It's not gonna help for every system, but there's huge areas that , uh , machine then can be used. And I think a lot of people have only ever thought about machine learning in use from the defensive side of things. So using machine learning to detect attacks , I think that's a well established concept. Now what we are doing is that is flipping that on its head. And we , we are using machine learning to detect vulnerabilities within systems. So we're very strongly focused on the offensive side of security.

Morgan:1:08:02

I'm not being very helpful as , as like a co-host right now, 'cause I just think it's awesome. You're like, oh this is what AkimboCore does. And I'm like, oh my God, that's amazing.

Holly:1:08:11

It's funny as well because um, I think sometimes people get, get stuck in their little niche and they think their specific view of security is , is the best. And the only one, and that can be really true of pentesting 'cause pentesting is a romanticized job and honestly it is very, very cool what pentesters are capable of these, these manual ethical hackers. Um, but the truth is I think pentesters would agree as well. If , if something can be automated, why waste time on it ? A pentester doesn't wanna sit there and run a vulnerability scanner. Doesn't wanna sit there and check a system to see all of the updates have been installed, 'cause we should all know missing security updates are gonna be a security problem. And machine learning is just an additional thing that we can do to allow the humans to focus where human intelligence is needed.

Morgan:1:08:53

I think something that's gonna be really useful for this. Well, as like you , you talk about automating this when there's tooling available that can deliver a certain quality of tests , a certain quality of , of security or vulnerability assessment, I suppose it kind of forces consultancies to raise the bar because honestly I I've worked with like definitely at least a dozen consultancies in the last like two years and some of them are atrocious. Like you'll get a report back and it's like the output of Nessus, but they've changed the RAG ratings on it or like something ridiculous like that. And it's really frustrating knowing what the day rates of the average pentest consultancy firm are and what you're paying for and knowing very well that they've only looked at the low hanging fruit . And I think like it is really necessary to drive innovation and improvement in this area. But I think outside of the cybersecurity space, even in the wider tech community, there's still a bit of like I dunno, mystification there's , there's a lot of barrier to entry there. People don't really understand pentesting or how it works and if they do, they tend to go into pentesting and just get paid more instead of improving it.

Holly:1:10:02

Yeah. So sometimes it's just because there is a better way of doing it. So pentesting is great at solving pentesting problems and it it's really good at finding things like , uh , logic vulnerabilities. It's really good at finding those vulnerabilities that are difficult to automate things like confidential data loss , insecure direct object reference those , those kinds of vulnerabilities that are hard to automate, but there are, there are some areas where yeah , it doesn't need those humans. If you've got something like if you're running an outdated version of a piece of software, then a pentester doesn't wanna spend their time reporting those things because they should be automated in some other way. And I think there is , uh , advanced security methods out there that a lot of companies have haven't moved to using yet. An example could be things like compliance as code, a lot of companies that don't have those kinds of practices in place. And it might be the case that companies are currently relying on their pentest to pick up on those flaws when in actuality that could be finding it in a faster way and not, not kind of wasting that human time. Uh , another problem with pentesting of course as well is the frequency of testing. You know, pentesting is an expensive service and therefore some companies are only running it once a year or those kinds of things, and an awful lot can change within a year. And sometimes it might just be a simple thing. Uh , I've worked with companies before who have had flaws be introduced during their testing cycle, which would've been really easy to be picked up by , um , something like a vulnerability scanner or picked up by something like compliances code or even if they just had a more mature approach to building their infrastructure. Something like , um , infrastructure is code so that they don't have these discrepancies between systems and yeah . Is cybersecurity is a huge field and sometimes companies just need help moving up the maturity scale or just need help because they , they don't have some of these practices , uh , in place yet.

Morgan:1:11:42

Do you think that there are maybe certain sizes of companies or certain maturities that they need to have in place before they can get the full like kind of benefit and value out of AkimboCore and your product? Or do you think that it's accessible to everyone? Have you designed it to be something that can be used by like a 10 person company or a massive enterprise?

Holly:1:12:04

Yeah. We have some tiny companies , uh , on the books where , um , we've engaged with them because they they've had a problem. We've talked to them through consultancy or something like that. And actually one of the things with small companies is that they don't have necessarily the in-house expertise or they don't necessarily have a very big team. And that is where automation can help them a great deal if they can automate these things, our system might detect a vulnerability and they might not be able to remediate that internally, but they can then have the confidence to know that it's worth getting a cybersecurity consultant in for that, for that period, because they know that there's a , an issue there.

Morgan:1:12:39

Yeah. Okay. Um, and then I guess the , the beauty of the platform being like cloud native and everything is that it scales really well. It is probably suitable for larger companies as well.

Holly:1:12:49

One of the big things about the work that we do is if we're working with one customer in one industry and we find in some vulnerability, that information can immediately be fed into the platform. And we can look for other companies who, who might have systems deployed in the same way or the same configuration or have fallen foul of the same problem that is kind of like this group improvement. There, we find a vulnerability on one system and can very quickly look to see who else has this technology deployed in that way and help those out too, even if they're just running the software in its most basic form. I think one of the big things when it comes to using machine learning as part of a technology is machine learning has , has got a bad name because very often companies, they don't talk about how it actually works and they don't talk about the capability that it actually has. They point at it as a marketing gimmick to say , we have artificial intelligence, we have machine learning and therefore we're better. Whereas one of the things that that we like to do is , is talk very specifically about how the system works, what its limitations are and how it found something. And like I said, we find that customers don't actually really care whether a traditional scanning engine, a pentester or a machine learning engine found the vulnerability. What they care about is fixing the vulnerability as , as quickly as possible and doing that risk management stuff. But we do like to be open about how this issue was found.

Morgan:1:14:00

I kind of want a demo. Can I have a project demo, please?

Holly:1:14:04

Demo for- I'll do a demo for you now if you want. Tying whole episode together then, we talked about why I started Akimbo and what it was that I wanted to develop. And honestly, the kind of philosophy behind the company is finding any improvement that we can make to security testing. I mean that generically, like if we can improve pentesting, even if that's just a more effective delivery of reports, if we can improve vulnerability scanning through something like more advanced automation, or even if it's just making the customer experience a little , a bit nicer, 'cause we help them manage their data. We're just improving security testing in everywhere that we can.

Morgan:1:14:36

It sounds incredible, in fairness, I've only seen like a couple of parts of it. Um-

Holly:1:14:41

Have you seen the hardening agent ?

Morgan:1:14:44

No?

Holly:1:14:45

Oh my God.

Morgan:1:14:45

Oh my God.

Holly:1:14:46

This episode's over . I'm gonna just demo , um , Akimbo Harden. Have you not actually seen Harden?

Morgan:1:14:50

Can I get some wine before you show me this? 'Cause it sounds like I'm gonna need some. Yeah . All right . All right . Sorry. Sorry guys. I'm I'm gonna go see the hardening agent. Bye.

Holly:1:15:00

Bye.

Morgan:1:15:03

I feel like you should tell me in 10 seconds or less what a startup actually is.

Holly:1:15:11

Running your own company is like being unemployed, but your mother's proud of you.

Morgan:1:15:14

Is your mother proud of you?

Holly:1:15:19

Yeah, I'm a startup founder .

Morgan:1:15:24

That pause was just a little bit too long .

6 views

Recent Posts

See All