July 17, 2025

AP2T Labs: Rethinking Cybersecurity Awareness (EP 878)


AP2T Labs flips traditional cybersecurity awareness on its head with daily, multi-channel attack simulations and personalized training moments. In my conversation with Reese Tuttle, you’ll hear how their innovative, mission-driven approach is training human resilience—one real-world scam scenario at a time. Get ready to rethink your security culture from the ground up!

In this episode, I get the inside scoop from Reese Tuttle, whose passion for stopping cybercrime is rooted in family and real-world experience. We discuss AP2T Labs’ patent-pending training platform: from social media and business-based attacks to text, voice, and even physical mail scams. Reese details how their “edu moments” and instant feedback turn risk into learning, how their flexible API-first setup makes integrations painless, and what motivates him every morning to make a difference. If you care about genuine protection—not just compliance—this episode is a must-listen.

Why Listen — Takeaway List

  • Experience cybersecurity training that matches real-world threats
  • Learn the power of safe failure and instant feedback
  • Discover cutting-edge approaches to phishing, voice, text, and mail scams
  • Hear MSP integration and business growth tips
  • Understand the human, emotional side of cyber defense
  • Get inspired by a mission-driven team making a real impact

Guest: Reese Tuttle, Founder of AP2T Labs

A cybersecurity prodigy with a passion for transforming awareness training, Reese founded AP2T Labs to blend research, realism, and daily practice in the fight against cyber threats. As a leader, innovator, and educator—and drawing on life experiences with reformed hackers and global crime investigations—Reese’s mission is about more than tech: it’s about protecting lives.

=== Show Information

Hello friends, Uncle Marv here with another episode of the IT Business Podcast, the show for IT professionals and managed service providers where we help you run your business better, smarter and faster. We are in the midst of it, folks. We are, I don't know, maybe halfway through the IT Nation PitchIT incubator program.

And we are doing these vendor profiles and we're helping people move on down the road, hopefully get to get them to the final three at the stage in Orlando, Florida at IT Nation Connect. We'll see who gets that grand prize of 70 grand, second prize of 30 grand and what lucky vendor would get a set of steak knives. Should be fantastic. 

But enough of that, let's get on with today's PitchIT contender. I have a first time guest on the show. Tried to do it before, but it seems as though it's got to be with a program like this. 

Reese Tuttle with AP2T Labs. Reese, how are you? I'm good. How about yourself? I am doing good. 

So let me get this question out of the way. I actually have two questions to get out of the way. Okay.

One, did your dad give you any tips about being on this show? The one tip he did give me is, it was about an hour ago and he goes, you do know you're going to be on camera, right? And I was like, really? He was like, yeah, so you might want to change. I'm going to go change, put myself together. That was the biggest tip he gave me.

Really? But he said that you're really awesome to talk to and to not stress out. All right. Well, yeah, certainly don't stress out over me.

The second question I have is, you heard me stumble when I went to go say the name, even though I've looked at it and practiced it and stuff. AP2T Labs. Anybody that says, man, that's a mouthful. 

Can you change it? Yeah, I've thought about it. The only reason we haven't is because it's an acronym for Advanced Persistent Threat Training Labs. We actually based it off of the military. 

You have to get used to it. It's an over and over thing. It's AP2T Labs. 

I had to practice. I hear you. So, good luck.

Thank you. So, let's now get to the idea of, you guys are kind of relatively new. Was it two years now? Actually, last October.

Oh, that's it. Was it something we talked about before? Maybe I talked with your dad and it was in the works? Yeah. So, I've been doing this for a while. 

However, we were in some partnerships, did some other ventures, things of that sort. A lot of the technologies that we built before last October did get put into this company and formed what AP2T Labs is now. Gotcha.

However, we got funding in October. And so, that's really when we actually got off the ground and started getting a lot more exposure. Alright. 

So, yeah. Money makes things real, doesn't it? Yes, it does. Alright. 

And AP2T Labs. So, you're a cybersecurity company specializing in advanced threat research and training. And you've put together a learning management system for cybersecurity awareness.

And you do simulated attacks and all that stuff, right? Yeah. So, we do cyber threat research and awareness training. And so, essentially, our whole thing is researching scammers and what's going on right now and what are they going to be doing next.

We do that through collaboration with reformed scammers, reformed hackers like Jesse Tuttle. And we create simulations for companies that we can do on them. So, we give them a safe space to fail.

And then we also make our own training that we try to keep short and engaging and lively so people can learn from that as well. Alright. You did mention your dad by name.

I was going to say that a little bit later, Jesse Tuttle, who is on tour this summer with the ASCII group and is having a fantastic time there. Let me ask this because, yes, we know your dad. We know you're super, super smart.

I didn't go down your list of accolades, but let's just say the fact that you have – you got more degrees by the age of 18 than most people will have in their entire lives. Even those that go off and do their doctorates and all of that stuff. But the question really is going to be, when it comes to PitchIT and surviving in this channel, is what makes AP2T Labs different and better than anybody else? Yeah, and this is a really interesting question in the sense of I think there's a sort of well-roundedness when it comes to AP2T Labs.

We take a different approach when it comes to our simulated attacks and even our training. So our simulated attacks, I always ask MSPs on average, how many phishing emails or scam calls or scam messages would you say your clients or your business's clients are getting? And I've even had upwards of like 30 a day. And so I always say then, so how frequently are you sending out your simulated attacks? And in most cases, it would be phishing training.

And I hear at best monthly. And I always think, why? Because in the real world, obviously, it's just beyond phishing too, but they're getting hit daily and you're doing training once a month. And so our whole thought process is looking for an initial high failure rate and then slowly working the failure rate down within a company.

If we can see that they are learning from their failure, that's exactly what we want to do. And so we've taken that approach and our training goes hand in hand with that. Our training is short and to the point.

And the whole thing that we want to do is give them more exposure, build up their muscle memory by a daily touch, daily awareness training. And I don't see many people doing that yet. And I think that makes us quite different than a lot of the competitors, not just because we're doing more than phishing.

We're doing text, voice, postal mail. I think it's also because people forget that we're trying to actually make humans less vulnerable and not just check a box for compliance. And that's our whole thing.

All right. Did I hear you say postal mail? So you're sending out physical pieces of mail? Yeah. So actually, funny story.

We're moving from early beta stages into early adopter. And when we were in early beta a couple months ago, we were doing some test scams and things of that sort. And one of the biggest things that we're introducing is postal mail scams.

It's always been a thing, but it wasn't talked about a ton. And we did some postal mail scams. And literally a month later, the FBI issued a warning about postal mail scams are on the rise again.

So, yeah, we are doing postal mail scams and a lot more to come. OK. So that made me think of something else, because I saw on and I forget which social media platform it was on.

But it was somebody talking about the elderly that are getting attacked with their phones, their mobile phones, with either apps or things of that nature. And I know that I've only heard of one other company that talked about the idea of trying to do some training based around apps, because those aren't part of the internal business structure that most of us are used to. Where do you where do you stand on that? Yeah. 

So as it comes when it comes to apps, what I first think of when it comes to apps outside of a business realm is social media. And you're 100 percent right. I feel like social media was one of those things that kind of just got handed to us.

And it was like, here, have fun. And we never really learned how to properly use it. And we are currently patent pending on the way that we do our training and attacks.

And a lot of that comes from learning from intelligence online. And a lot of that intelligence, believe it or not, is just public information that was put out there on social media platforms. And so I think, number one, we are definitely obviously training on your privacy and cherishing your privacy and being careful what you post online.

And if you get a random message from your friend on Instagram or Facebook asking about a possible opportunity, they probably got hacked. If it doesn't seem like it's from them, it's probably not from them. Simple things like that.

But with every single platform, not even just social media, with every single platform, there's always information that you could give away. And that can always be used to take advantage of you. And that is something that we teach heavily.

All right. So sorry to take you off track there. But let me ask you this. 

I assume that you are also getting a ton of feedback going out of beta into early adopter. What's the best feedback that you've heard about your program or what is, I guess, the biggest challenge that you're hearing from MSPs? Actually, yeah, I got two. So for the feedback side of things, what made me really happy when we were doing our test piloting is, number one, getting feedback on just interaction with our platform.

That has been fantastic. I have never done much UX UI myself. And so getting a lot of feedback on that has been awesome.

The other thing is I've gotten a lot of feedback from people saying like how real our simulations can be. And obviously going into this, I had a goal of them being real. And I was like, yeah, they're real. 

They feel real. We're simulating what's really going on. But hearing other people say like, you guys just simulated a scam I got two weeks ago. 

That was it was kind of like a validation for me. Like, OK, so we are at least on the right track when it comes to that. Is there always room for improvement? Yes.

The biggest struggle that I've seen and we have figured out a way to make it work. But when it comes to awareness training platforms, if you don't already have one, they're becoming required for insurance and things of that sort. So you'll have to get one. 

But most insurance providers look for a very, very low fail rate. Otherwise, your rates go up. And what a lot of people have been struggling with is because we aim for a high fail rate and then working our way down to a low fail rate because that's the results of people learning insurance gets upset about it.

So we've actually made it possible for us to be stacked on top of another solution. So if you have another big provider, you can stack us on top as well and use us for training and things of that sort. And then they will also make sure that your insurance rates don't go up. 

All right. So when you say stacked, does that mean that you're kind of integrating with other packages as an add on or are you talking about just being bundled together? How is how does that work? Yeah. So it's essentially just adding us into your stack as of right now when it comes to integrations and things of that sort.

We don't have many integrations. However, our entire solution was designed to be multi-tenant and API first. So any integrations in the third party platforms should create a seamless experience as if it was built by us natively.

OK. So this kind of gets me going back to a question I was going to ask you later and I tabled it. But when you're talking about these high failure rates, one of the things that I have seen businesses do, and I've got one client in particular that I can think of for myself, that I know that when a simulation test starts, the first person in the office gets it and then starts to announce to everybody else, hey, today's testing day.

I know that I've talked to some other people where they've talked about randomizing it so that, one, the test isn't the same day; two, not every user gets the same test that day. So they can't warn each other about it. Are you guys doing any sort of randomization like that or yours? When you talk about real world stuff, how different is it than what we're used to? Very, very different.

So our platform, we took a completely different approach than the whole campaign aspect, the testing and things of that sort. So we do attacks by default, a minimum of once a day. And as you heard me say earlier, we do that because that's what they're experiencing already.

So we do that daily. And it is also randomized. So we are we are not campaign based.

All you do is you sign up with us, load in their user list, and we have a sliding bar that you can select what level one through nine of attack you want. You select that and it will automatically send out attacks daily. As we advance later on, one of the biggest things with the patent pending thing is learning from the way the end users have interacted with different scams that we've done.

So if there's a certain user that is more susceptible to, say, a voice call, we are going to send them more voice calls and maybe put that with some of the intelligence that we've got online. So every single attack is curated. And later, it's going to be even more specific to each end user individually.

So announcing the campaign or whatever won't necessarily work because they're all randomized. They're all different. And if you fail, you get the testing on the spot. 

All the questions are different. They get reversed. You cannot do quizzes back to back to just make sure you pass or whatever, because the whole point is really to get you to learn.

So took a completely different approach. That's fine. That works.

Now, the other question, of course, will be, how can MSPs, you know, one, add this to their stack at a cost effective point? Can they generate revenue or anything like that? How does your platform fit in that regard? Yeah. So when it comes to revenue and things of that sort. So our solution works as a standalone awareness training platform. 

And like I said, it can also be layered on top of an existing solution. And also for the MSPs that aren't providing awareness training, it's going to become a required standard. We are per seat, per month, per user. 

And one is our lowest level that is just specifically training. Two is what we think a lot of people is going to be. It's phishing and training.

But one of the things is for clients that already have awareness training that may that have already been bundled in by like another service or something like that. It's pretty easy to layer us, like I said, and increasing the MSP service offering to every client that brings the most value to them. And also trying to help eliminate what their most vulnerable thing is, which is their staff.

Not trying to eliminate their staff, but their vulnerability. All right. Before I let you off on your pitch time here, I want you to help me understand what you call edu moments, because when I first heard that, I thought somebody fails a test in one of the I would say my program right now or most programs.

They fail an email test. They get an email afterwards that says, hey, you failed. Watch this video.

Is that your version of that process? So our edu moment is say we send you basic phishing email, send you a phishing email. And it's I don't know, somebody just logged into your Google account. Click here if this wasn't you.

Something simple, something normal. You click it. If it's like a level two edu moments going to hit really, really early because it's not a multilevel, multistage elaborate one that's up in the higher levels.

So the edu moment will walk you through kind of like tool tips and show you this is what would have like what should have set you off a little bit. Here's where you went wrong. This is what to look for next. 

Click next to go to your training video. Go through that. Take your quiz and you're done. 

OK. Simple enough. All right. 

So we're getting close to time here. So let me step back a little bit and let you do your first pitch as if you're getting ready to set the stage for us at IT Nation Connect. Yeah. 

So like I said, haven't done a ton of these yet. But one of the things I always like to talk about with AP2T Labs is why we do this and why we even started doing this. And you guys have heard a lot about the product within this podcast. 

However, when I was growing up, I saw Jesse, you know, reformed. And I saw person after person after person coming to him saying, “I’ve been scammed. I've been blackmailed. I'm suicidal,” and things of that sort. And I noticed, especially when I got into high school, was doing my college capstones and things of that sort. Like this is a really big issue.

And I wanted to essentially start a movement to stop this. And that's what I envisioned AP2T Labs to be, not just a platform, but I wanted it to be more of a movement where people can stand behind our mission. And I frequently go on stage and talk to people about the realities of scamming.

And everybody looks at the financial loss and everybody looks at the data loss, which is horrible. Obviously, that is horrible. However, there's always a little bit more. 

And that is the human life loss that people don't realize when you get scammed out of $50 USD or when a medium sized company like sends out a $300,000 ransom to some unknown scam group. That is $300,000 USD that could have just been sent to anywhere in the world for any use. That could be making more scams. 

That could be selling people into slavery and sex slavery. We've seen that. That could be funding drug and weapon trade, fentanyl, opioids, all of that.

And it made a whole lot more. It gave me a new perspective of what we're doing and why we're doing it. The reason we're not doing this to just check a box is because we want everything else to stop.

It's like the new form of war, in my opinion. And I saw like it really needed to change. And so that's why I started this and that's why I'm doing this.

And I will say if that's a mission that you can get behind, the platform itself is awesome. And I will talk more about that, obviously. But if the mission and what we're doing is something you can get behind, I ask, keep your eyes on us because we've got a lot up our sleeve.

All right. Reese Tuttle. Reese, can I ask you a personal question? Yeah.

What motivates you to do this? You, as smart as you are and with what you saw growing up, how your dad was, I think most of us would have thought that, you know, somebody as smart as you would go off and do something, separate yourself, all of that stuff. But you are you are tied to his hip. But what is it that motivates you to do this and to stay tightly integrated with your dad? Well, my dad and my entire family is like this. 

My dad is my parent. I'm also his boss and he's also my best friend. And when I was growing up, I asked them questions about everything. 

I asked my dad questions about everything. And I heard his why behind the why on everything and the story behind the story. And I like one of the things that he worked on was a sex trafficking case and trying to take it down.

And that's when I realized, like, oh, this is like a big issue. And I didn't know what I wanted to do necessarily just yet. I knew I was interested in tech and things of that sort.

But what really motivates me and what drives me is knowing that I have a lasting impact on whatever I'm trying to do. And if that is making the people around me safer and making people generally safer, then that's what I want to do. Genuinely, that is what it is. 

The reason why I get up every single day and I'm excited about what I'm doing is because I know every single person, even if it's a slow day or a busy day, it's still a step closer to less lives getting ruined. And that's what motivates me. And it doesn't matter what I'm doing. 

As long as I know I'm doing that, then that's what motivates me and gets me up in the morning. So and Jesse's the same way. So. 

Right. Well, thank you very much for indulging me and answering that. It wasn't part of the script here, but I appreciate it.

And I do think people love to hear that. Thank you. No, I'm super excited. 

I appreciate it. All right. That's going to do it. 

Votes for this vendor profile for the PitchIT 2025 contest. Listen on. We've got more coming and we will see you in November.

But until then, Holla!


Reese Tuttle

Reese Tuttle is the Co-Founder and Threat Researcher at AP2T Labs, a leading cybersecurity training and research company specializing in real-world threat simulations and advanced persistent threat (APT) mitigation. An early prodigy who completed college-level computer science degrees before adulthood, Reese has channeled this early expertise into cloud DevOps, cybersecurity strategy, and the development of highly adaptive training programs. With a passion for educating businesses and MSPs on cutting-edge defense tactics, Reese is a sought-after keynote speaker at industry events like ITExpo. At AP2T Labs, she leverages AI and data science to deliver innovative, custom-tailored security awareness programs that help organizations counter evolving cyber threats.