Cats, Board Games, and Analyst-Centric Threat Intelligence: Speaking with Pulsedive Co-founders Dan Sherry and Grace Chi
Reading time: 17 minutes
Two heads are better than one, and the same rings true when starting a company. You can have the idea, the entire business plan set out, the drive and desire needed, but there might be something missing. This is where most founders turn their focus to the search for a perfect co-founder. A co-founder that complements their skills, helps them turn their ideas into reality, brings a fresh perspective, and is there to support them.
Dan Sherry started Pulsedive with the goal of combating the sensory overload that comes with the noise generated by open source threat intelligence. The growing wealth of open source intelligence data doesn't necessarily make OSINT easier. On one hand, you can access almost any information you need, but on the other hand, you must also navigate and discern the relevant data, essentially finding a needle in the ever-growing haystack.
After looking for someone to help him shape his idea from the ground up, Dan, who is more tech-oriented, found Grace Chi with her vast experience in product marketing and related fields. With their two starkly different backgrounds, but entirely complementary expertise and skills, Dan and Grace were able to shape Pulsedive into what it is today.
We had a chance to chat with Dan and Grace and hear about their experiences working as co-founders, their biggest strengths and how exactly they complement each other, as well as their business philosophies on building both an analyst- and community-centric platform. You'll also find out what the early start of Pulsedive looked like, the differences between well-run and poorly-run SOCs and the common challenges they face, and how cats can, in fact, be very good business advisors.
SecurityTrails: Dan, you began Pulsedive as a solo founder and then Grace joined you as a co-founder. How did this journey go?
Dan Sherry: I spent a period of time at the start looking for a co-founder, long before Grace joined, but finding the right person is tougher than it sounds. First, you need to get them on board with your vision, because they will likely need to leave their day job to earn less than the market average, building something that is statistically likely to fail. Second, they ideally need to complement your skills, which might mean searching outside the industry. If they aren't already in your network, you might need to put your trust in a total stranger, and they would need to put their faith in you, your experience, and your observations about the market landscape.
What is some advice you would give to entrepreneurs that are looking to find a co-founder or partner? What is something nobody tells you about the process of finding and having a co-founder?
Dan: It's more likely you already know someone who would make a good fit than finding someone. Because you are giving them significant equity, you have to really trust that person. I've found that you don't really know someone until you've actually worked with them. Working at the same company as someone is not the same as working on a project together.
Additionally, try to gain some knowledge of the domain you're looking for a co-founder to cover. Consuming business knowledge, learning from others, and teaching myself marketing and design, helped me recognize people who know what they're talking about.
The hardest part, that nobody tells you, is once you find the right fit, you need to convince them to join your tiny company, in a crowded market, for not that much pay.
Grace comes from marketing related-positions, and Dan from a technical background. How do two stark backgrounds actually work for you and bring such positive outcomes in running a company?
Dan: Our approach from the start was to build the marketing right into the product. People could jump into the experience we were aiming to deliver, rather than hitting just the marketing content. This choice is a challenge because it's hard to balance what each user might be looking for: CISOs might want to see use cases and ROI, but analysts might want to get right into the weeds. So how do you get them both to where they want to go without compromising the other's experience?
Grace's expertise has been integral in answering this question from early on. I used to call her for feedback on the UI and we continue to work closely designing Pulsedive and solving these challenges. You need UX, marketing, and industry experience to build a great product, and if you miss any one of those, the product falls short of its potential.
Grace: By mixing our backgrounds, we integrate all the key perspectives that feed important company and product conversations:
- What functionality do we need to focus on to make a difference to our users? Why?
- What's feasible and the best way to technically approach this issue?
- How does this impact the company while keeping us focused on our mission?
- How do we demonstrate this in ways and places that make sense to users looking for what Pulsedive offers?
Your distinct and different backgrounds give each of you a unique perspective when running a company, and a cybersecurity one at that. Grace, you actually have a BA in Art History and Behavioral Neuroscience, and worked numerous positions in product marketing. How did you find your way into cybersecurity, and how have you leveraged your past experiences and education to succeed in, what seems to be a very different industry?
Grace: I've always been drawn to varied fields, mostly out of pure intrigue, "learning for the sake of learning." Experience in wide-ranging disciplines supports lateral thinking, which overcomes groupthink or playing into the status quo.
There's the rigor of empirical, scientific methods from neuroscience. And there's a deep psychology in understanding the context and impact of the audience/artist/patron/object in art history. During my time in real estate and supply chain, I witnessed the challenges of adopting newer technologies in legacy industries still relying heavily on non-digital processes. It taught me how to constantly ask and answer "why."
I got my first taste working with an Israeli cyber startup on pre-launch research. That's also when I reached out to Dan for his perspectives and got involved with Pulsedive. My curiosity about the industry, technologies, and people kept growing from there. Security moves fast, as a new(er) field of its own with an astonishing volume of research every week. But it still has deep systemic challenges that need to be addressed and teams who need solutions.
Dan, you've been in the industry since your early starts while attending university for your BS in Cybersecurity. You also had some really entertaining and exciting projects. Tell us a bit about how MeloDroid and Hoboken Tap came to be?
Dan: This question is a blast from the past. Both were trying to solve problems I had personally, and both were early attempts at monetizing my passion for using code to build tools that help others.
Back when iPods were popular and Samsung was still on the Galaxy S, I used to love iTunes, but it wouldn't sync with my Android phone. So I built something myself in college to sync them. I kept adding features like desktop notifications, a duplicate finder, and a remote control Android app. I knew there was a need, but I didn't invest much time into learning how to grow the tool into a business and gave up prematurely.
A few years later, while attending school in Hoboken, NJ and bar hopping, I thought it would be cool to have a website listing every bar and their specials, so it would be easy to make plans any night of the week. It gained popularity, but that was also around Pulsedive's initial inception. Ultimately, it wasn't worth the time and effort to continue maintaining the bar data so I sunset the project.
Every great success is built on failures, and I like to think both of these projects helped prepare me for Pulsedive.
What did the beginnings of Pulsedive look like, and the journey to starting it?
Dan: Inception
Pulsedive started from my own frustrations as an analyst. I used to work incident response at a financial services company with a mature security organization for the time. They were consuming a ton of data from a variety of sources, and it was hard to keep track. When an alert came in, I would have to remember to check a dozen places, both private and open source. There was a clear need to have this data organized into a single repository. On top of that, with so much noise coming through, we spent a lot of time and energy vetting the data before it could become actionable.
Around this time, threat intelligence platforms started coming out, and I assumed the need would be met. But I kept having more ideas, from what a good solution could look like to how it would be used and my vision started to go beyond and in a different direction than what the industry was churning out. So I started building.
Foundation
At the start, finding the right co-founder to complement my skills was a big challenge. Eventually I realized no other person would materialize to take my idea from code to a functioning business, and I took it upon myself to be that person. I learned as much as I could on my own, talking to people I knew with MBAs, listening to podcasts, reading articles, blog posts and books, attending events, networking with other early-stage founders, and scheduling calls with successful founders, CEOs, investors, and even salespeople in the industry. I consumed everything I could find about startups, launching a business, marketing, funding, and growth.
Validation
After I built a prototype, I took calls with analysts to get feedback and see if it was a viable solution. From that feedback, I saw there was something there. While I knew it could not compete at the time, there was potential and it was going in the right direction. When I felt ready, and when Pulsedive progressed far enough, I left my job and went off on my own to give it a shot.
Growth
I'd love to say we were a raging success, but like many other companies, we are still on that journey. We're constantly learning new things, with ups and downs all the time. But we have traction and a solid foundation of passionate users and customers, and that is something I am really proud of. I'm very excited for the future, and can't wait to publish what we have planned.
What's peculiar about Pulsedive is its analyst-centric approach. How would you explain that approach in the threat intelligence domain, and how does it differ to the target-centric one?
Dan: First, we address the needs of the role. There are several different threat intelligence roles to take into account. You have engineers who deploy solutions and make threat intelligence work with the rest of their environment, and researchers and threat intelligence analysts who dive into the data and publish insights and research. We do a great job of catering to both of these roles by making it easy for users to integrate our data and search across it.
We also address the needs of the incident responder or SOC analyst. Typically, when an analyst gets an alert with an IP or URL, they want to know, "should I care?" They need to answer that question and move on. We make it easy for them to come to a conclusion quickly.
Second, we use automation primarily to aid response rather than initial detection. It's very difficult to do risk scoring or to automate detection and alerting. We take a different approach, doing what we can in those areas, but more importantly providing critical information and context for the analyst to make an informed decision. We provide a high-level summary, highlight the important points, and make our scoring transparent. If they don't trust our scoring or analysis, we provide the raw data and tools to empower them to make those determinations for themselves as quickly as possible.
Grace: Exactly what Dan described. In short, it's about convenience without sacrificing quality for everyone who needs threat intelligence, wherever they need it. We work directly with the users (analysts, engineers, hunters, researchers, program managers, SOC directors) to provide a frictionless experience. That's why, for example, the product is the website, the results show up directly after searching, and the API returns the same results as the GUI. The core purpose of supporting organizational security and mitigating risk is unchanged, but we're geared towards providing value from the get-go and growing with our users' needs into other products.
What are the main challenges organizations face when trying to maximize results from threat intelligence and its positive impact on their security posture?
Grace: This is what we hear from our users:
- Being able to evaluate and truly understand coverage, relevance, and fidelity across providers
- Limiting noise (popping off alerts like champagne bottles on NYE)
- Having confidence in quality, timeliness, and transparency of data sources
- Easily automating collection, enrichment, and correlation, from a technical standpoint
- Being able to use the data immediately and in the future
To the point, seamlessly taking advantage of good, actionable data that's available in a timely manner. Augmenting internal work with external intelligence to successfully reduce workflow steps.
Besides being analyst-centric, Pulsedive is also a community-centric platform. One of the core philosophies behind Pulsedive is its aim to allow organizations of different cyber maturity levels and individuals of varying levels of skill access to a wealth of threat intelligence data. How do you structure your offerings to achieve just that?
Grace:
- For students/enthusiasts who just learned that CTI is a thing, we provide a platform to play around in, that doesn't require personal information or sophisticated know-how.
- For resource-strapped individuals and teams with no time or money to spare, we share core CTI research functions to save steps and make it simple to work with open source/free tools.
- For teams mature enough to automate and integrate their processes, our API is flexible for customized solutions and on-demand enrichment/searching, whereas our Feed streamlines ingestion and automated alerting, blocking, and high-volume enrichment.
By matching what we offer with where our users are at, we not only process community-sourced intelligence that's unique to our systems, but give back as much as we get. In a way, we're growing with our community.
Pulsedive helps SOC teams access contextualized data and prevent false positives. Besides being prioritized and avoiding wasteful false positive investigation, what are some other differences between a well run SOC, and a badly run one?
Grace: A great discussion topic, so much so that I collected answers from current SOC team members on what makes a well run SOC.
Management
- Willingness to invest in skills training, budgeting, tooling
- Communicating/celebrating value brought by the (often tedious and repetitive) work of the team
- Trust in team members to solicit and address critical feedback
- Giving agency to analysts to bring in new ideas and tools to improve the workflow
- Having both technical and soft leadership skills (very rare!)
- Visibility and relationships outside of the SOC to the rest of the organization
Operational Clarity
- Standardization and accountability in workflow/ticketing/reporting and naming conventions
- Transparency and documentation in origin, history, flow, and final determinations of actions taken or not taken, such as alerts
- Network visibility and open dialogue with users or clients for further context when needed
- Measurements and metrics on what's working and what's not (such as repeat FPs) to continue improving; without this, it may fuel ineffective "check the box" mentalities to close or escalate issues
- Thoughtful tooling, specific solutions evaluated only after identifying a "why" need and calculating value
Any tool is only as good as the users and team that wield its powers, hence why we're big supporters of our SOC users in the weeds every day. When it comes to team-wide tools, never skip the strategic and operational steps to ensure it's a worthy "buy," so upgrades like a commercial API or Feed are properly implemented and support business goals. How would product "X" really fix existing problems, address areas for improvement, or enable team capabilities to scale?
Dan: Grace has the better answer, but from my personal experience, communication with other teams, both formal and informal, is important so any potential issues or high-priority incidents can be resolved quickly, and organizational goals can be tackled together. Siloed teams who don't communicate often leave a lot of potential for improvement that's never realized.
Besides threat intelligence, what are some of the places where it's good for organizations to start filtering out the noise?
Dan: Great question! Administrative tasks largely hinder productivity, especially when you take into account neurodiversity. Many people in this industry are passionate about security and their roles. Do everything you can to keep their focus on what they love and reduce unnecessary distractions.
It's hard for me to focus on things I'm not passionate about, like tracking my time or goals for the year. Even writing emails can be draining. When working in IR at my last company, we had someone who handled all of that and it made the team more productive. With Pulsedive, Grace runs much of the operations and I've been able to push out more new stuff because I can focus on building the product.
What are your two favorite features you've brought out so far?
Dan:
On-Demand Scanning. If we don't already have the data, Pulsedive can perform on-demand active scans. Thus, we're not limited to our data set. Even if we don't have relevant historical context, we can still provide the rich behavioral and threat infrastructure-related data that our users rely on.
Defanging & Copying. I also love the auto defanging and re-fanging and the click-to-copy UI elements. It's often the "little things" that users appreciate.
Grace:
Preview Panes. Re-imagining and bringing preview panes across Pulsedive's platform was a major win for our pivot-heavy users.
Instant Benchmarking. In addition to sharing all the raw data, we put a lot of thought into how to summarize and present the most important data. Our risk scoring answers fundamental questions about suspiciousness and why. Just a few weeks back, we released helpful notes comparing raw Property data values to what's normal, or often seen with other risky indicators.
What are some features we can look forward to?
Dan and Grace: Right now, we're addressing a current market gap for individuals (analysts, responders, researchers, and passionate hobbyists), who need more advanced research and vetted, aggregated data at affordable prices, by launching Pulsedive Pro. It has highly requested features like screenshots and integrations to favorite tools, for less than a dollar a day.
We publish new capabilities and improvements regularly, and there's a lot more on the roadmap that we're excited to keep sharing. We welcome any readers who have feature suggestions or ideas to email us or chat with us directly in our Slack workspace!
For the final question, we have one that has been on the minds of anyone who's read your bios on the Pulsedive website: Grace, what is your favorite board game and Dan, what are you cats' names?
Dan: I rescued Jasper and Binx (brothers) about 3 years ago. They lived outside my apartment and I took them in after the neighbor started doing trap-neuter-release. A few months ago, I took Sadie in. She's still so feral, I couldn't pet her even after 6 months, but I'm not one to give up easily!
Grace: I gave his cats a band name: Sadistic Jar Jar Binks.
I play Spirit Island when I want to think so hard my brain hurts. It's a thematic, cooperative strategy board game with expansions and elemental characters with varying levels of play complexity.
When I want to stress out over short timelines and limited resources/budget, but not about Pulsedive, I go for XCOM (the board game). Expert difficulty is perfect for a group of 4 to panic about a global alien invasion. The game pairs with an app with a timer and randomized enemy actions - and intense background music. Perfect 2020 vibe.
Final words
After a bit of a pause, we're back with our interview series! Make sure to follow Dan and Grace to be the first to know all Pulsedive updates and new features and don't forget to follow us on Twitter to be tuned in for the next interview we have prepared for you.
