Exclusive: Kevin Mandia joins SpecterOps as chair of the board
Kevin Mandia, founder of Mandiant and co-founder and general partner at Ballistic Ventures, has joined SpecterOps, a Virginia-based startup focused on attack path management, as the chair of its board of directors.
Founded in 2017, SpecterOps offers software that allows companies to better defend identities, particularly those used in conjunction with Microsoft Active Directory, Azure AD, Entra ID and hybrid environments. Started by three red-teamers — David McGuire, Jason Frank, and Raphael Mudge — the company also offers penetration testing and security maturity assessments.
In an interview with CyberScoop, Mandia said he is excited to join the board and sees a lot of similarities between where SpecterOps is now and his early days at Mandiant. He hopes to use that expertise to help McGuire — the SpecterOps CEO — avoid potential land mines.
“I was unfunded [at Mandiant], so I didn’t have an institutional investor saying, ‘You need to do this, you need to look this way,’” Mandia said. “I was doing whatever I wanted for seven years. So I think some of the things I learned along the way, the hard way, can maybe save David a few months of decision-making.”
A good portion of that further decision-making will be in relation to SpecterOps’ BloodHound Enterprise, a software tool that allows organizations to map and predict how an attacker can move through a system based on a hypothetical credential theft. McGuire told CyberScoop his company built the tool for its own pen-testing engagements, and then released an open-source version that has been well-received among practitioners. The paid version of the software has also been popular for the company, with SpecterOps saying that new customer acquisition grew more than 125% year-over-year in the second quarter of 2024.
“Where we focus is, ‘Let’s sever lateral movement escalation’ specifically, and no real product out there does that,” McGuire told CyberScoop. “We feel the most excited when we’re removing the adversary and their ability to attack enterprises.”
Mandia has first-hand knowledge of how identity-based attacks can get through the toughest security setups. In 2021, Russia’s foreign intelligence service (SVR) leveraged specific usernames and passwords to breach FireEye as part of the SolarWinds incident, rather than using a single software backdoor akin to a master key that would unlock all of the necessary data.
“It is a frustrating position to be in,” Mandia told CyberScoop. Organizations “need to understand identity architecture and the risk it presents to your organization. I think that’s an enormous blind spot. We’ve got public companies that help us shut the front door [with vulnerability management]. It is time for a company to help us shut the back door [with identity management] and that’s SpecterOps.”
McGuire believes in BloodHound because the company partly developed it as a way to raise the quality of its pen-testing work.
“Not to throw shade on anybody, but EDRs (Endpoint Detection and Response software) don’t stop us” in pen-testing engagements, McGuire said. “We can bypass almost every security technology from an apex attacker perspective. It’s a little egotistical, but we built the tool to stop ourselves.”
Bravado aside, the work is paying off. SpecterOps has grown significantly over the past year, with employee headcount climbing 40%. Mandia says he will primarily help SpecterOps scale its business as growth continues.
“I learned every lesson on scale the hard way, from a guy in a basement to a CEO of a public company with 3,700-plus employees,” he told CyberScoop. “I look at David, and I see a lot of pattern recognition at a technical practitioner” who Mandia can help guide.
Even with the new role, Mandia says he will continue his work with Ballistic Ventures and his advisory work with Google Cloud.
“I’m a 30-year cybersecurity person,” Mandia said. “This is all I’m good at. I’m not going to start a bakery.”