The Decibel Podcast: Founders Helping Founders

HD Moore, Founder and CEO of Metasploit / runZero: Shining the Light in Dark Places

Episode Summary

HD Moore is the founder and CEO of Metasploit and runZero, two cybersecurity companies that are widely used to identify assets and vulnerabilities in corporate environments. On today’s episode, Jon Sakoda speaks with HD on growing up as one of the most famous cybersecurity hackers who had the courage to publish software vulnerabilities on the internet.

Episode Notes

Follow Jon Sakoda https://twitter.com/jonsakoda
Follow HD Moore https://infosec.exchange/@hdm
Follow Decibel https://twitter.com/DecibelVC

Episode Transcription

HD MOORE: They want to basically set the rules for how you do disclosure, and that very much included not sharing exploits. And I said, “Nah. Like, no, we’re gonna make this as wide as possible and blow it up, because that’s the only way that the vendor’s gonna take software security seriously, otherwise all the power’s basically in the hands of the software vendors, not in the hands of people buying that software.”

JON SAKODA: Welcome to the Decibel Podcast. My guest today is my friend, HD Moore, one of the most famous cybersecurity researchers, and the founder of two successful startups, Metasploit and runZero. He is largely credited with shining a light on some of the most widespread vulnerabilities and exploits throughout the history of software. And in the land of cybersecurity, he is a man that needs no introduction. It is an incredible privilege to have him on the show. 

HD, welcome. It’s so great to finally have you on the podcast.

HD MOORE: Thanks, Jon. I love the show. Thanks for having me.

JON SAKODA: We have a lot to cover today. I want to talk about the founding stories of both of your companies. Metasploit and runZero are both well-known names in the cybersecurity world. But before we get there, can we start at the very beginning? Where did you grow up? What did your parents do? And what was life like in your house?

HD MOORE: Sure. So I actually grew up in Hawaii for the first eight years, which sounds amazing until you realize how big the roaches are, and that they have no fear. Eventually moved to the mainland and bounced between Texas, California, and New York, and a few other places, and mostly settled down in Texas. But was fairly poor, didn’t actually own a computer. When all of my friends were getting their first Super Nintendo or even Nintendo at that point, I was still going to yard sales trying to find an Atari for $5. That kind of need led to necessity, in a lot of ways, in that I wanted to play Atari video games. I didn’t have an Atari controller. I figured out how to wrap some wires around the controller pins, connecting to some nails that I put in a piece of plywood, and then basically play, you know, F14 Hornet with a fork, which is a lot trickier than it sounds. You know, trying to get all the right combos and button presses using a fork and a couple nails is definitely tricky. 

But that was kind of my background, was growing up really poor, dumpster diving for computer parts. I think the first video game I ever found was Manhunt in a dumpster. And it took me five years to get a computer that actually could play Manhunt. And I think I was probably 15 or 16 when I finally had enough parts together. And it was one of those days where everything went wrong. Right as I was leaning over to put the final connector on the board, a penny fell out of my front pocket, landed right on the board, shorted the whole thing out, blew the whole board up. I started again from scratch.

JON SAKODA: And that was after years of work.

HD MOORE: Yeah. After, you know, going behind the medical centers when they threw away old computers, pulling them out, looking for parts, going to yard sales, you name it. So, just basically scrimping together whatever I could.

JON SAKODA: You seem to have a passion for, perhaps even an obsession, for computers starting at a young age. How did you discover them in the first place? Did you have parents or mentors that first introduced you, or was this all self-taught?

HD MOORE: Oh, those are good questions. I didn’t have a lot of mentors growing up with computers. So it tended to be going to the library, just figuring it out on my own, poking at stuff. I mean, I think my stepdad at the time made his money sharking people playing pool. Had a big ZZ Top beard, no teeth. That was kind of the lifestyle we were living. There wasn’t a lot of computing expertise in the house. So I spent a lot of time going to libraries, going to schools, poking around the computers there, reading stuff.

I made friends with someone whose dad had given him a BBS account that he could dial into on his old M68K Mac. And, you know, we’d hang out, he’d go to sleep. I’d spend the rest of the night on his BBS accounts going through all this stuff. That eventually leads to finding the phreaking scene, the—all the zine files, downloading as much of that stuff as I could. That was kind of the beginning. So from there, I really got into dialing the world as much as I could. I always thought it was fun to—what was the MCI or Sprint line at the time, “Reach out and touch someone”? It was a lot of fun to do that. But it was really expensive to do so back then. That’s when there were still long-distance fees. So you’re trying to figure out how do I, you know, talk to someone in Malaysia, but without actually incurring a $5-a-minute charge. And you had things like out-dials and PBXs and all kinds of things like that. So that’s kind of what led to phreaking, war dialing, all that kind of fun stuff. And it eventually got pulled onto the internet when the internet became a thing.

JON SAKODA: So we need to really thank the friend that allowed you to borrow his computer so you could discover the internet. Now, if I recall, you were famous in Austin for growing up as a wunderkind who hacked into the Austin school network and then eventually ran their cybersecurity lab as a teenager. Tell us that story.

HD MOORE: I think it was elementary school when we finally had Apple IIes in the classroom. And I had so much fun playing with them and playing with BASIC and programming and PEEK and POKE, and all that kind of fun stuff you could do then, that I didn’t really want to do anything else. Like, that was just kind of my jam. And of course, the school would only give you so many hours a day to go on the computers. So I found out pretty early on that I could just show up to school a couple hours early and jump through the window in the library, and break in and basically play on the computers all morning until they unlocked the library. And they’d be really confused why I was there. I’d be like, “Oh yeah, the janitor let me in,” or something like that. And they bought that for years.

Later on, when I was in like fourth or fifth high school—I had a lot of high schools—they ended up giving me a computer lab to play with. So, we had a computer lab, but no one used it. And I basically started my office. I reformatted, reinstalled everything with Linux, set up a bunch of servers, started monitoring traffic, setting up all sorts of scanning tools, things like that. And I started having a lot of fun with the AISD network at the time. And as part of all that, I was sharing some of the projects that I was working on with one of the teachers at the school. And they mentioned it to the local news organization. The news came by and did a whole story about working on these statistical packet analysis tools with the NSW folks, basically for IDS work at the time.

JON SAKODA: So you are at this point a teenager well on your way to becoming a famous researcher. How did you eventually get your first job at the DOD?

HD MOORE: That was really random. It was probably 3:00 in the morning one night in Texas, and I got a random message on #phrack on EFnet saying, “Hey, do you want a job?” I’m like, “Yes. I just tried to apply to Whataburger and they wouldn’t hire me.” So I ended up going down for an interview. And it was one of those like, wood-paneled offices with a bunch of folks wearing suits. And I had a car that literally did not have a clutch. It was a manual, but there’s no clutch. You had to like, float the gears. You had to push-start it, all that stuff. At the time, it was dripping oil, it had no AC. It was about as bad as it gets. I roll into this parking lot where everyone’s got like, the Cadillacs and the nice cars and the wood paneling and the suits. I was like, “I don’t think I really belong here, but sure, I’ll do the interview.” And ended up getting the job, which was nice. And that job was interesting.

It was very much, because I was on the classified side, they would say, “We need you to build a tool that takes this input and puts out this output.” I was like, “You need to look at packets from the network and then read out these certain parameters. Like, oh, it’s a password?” Like, “No, no, no! Don’t call it that.” “Like, okay. But it sniffs passwords.” “Yes, but don’t call it that.” “Okay, deal.” “Okay. So we need to like, send a request to the network to do this thing and then, you know, install this software on every machine.” “Like, oh, so we’re backdooring all these machines by guessing…” “Yeah, yeah, we don’t call it that.”

So, effectively, it was a lot of euphemisms for what was exploited back in the day. And did that for about a year or so. It was a lot of fun. It was remote work, for the most part, like working on tools, delivering it. But because I wasn’t on the contract directly because I didn’t have the clearance, they were paying me out of petty cash. And eventually, their petty cash didn’t cover my working rate at the time.

JON SAKODA: So your first job is actually more of an off-the-books internship at the DOD. I’m excited to hear how starting to learn about using exploits this way eventually leads you to start Metasploit, which is the first product to enable everybody to discover exploits for the first time.

HD MOORE: Sure. I was there for about a year. And they didn’t really want to pay me out of petty cash anymore. So we ended up taking a team out of that company and spinning off my first startup, which is Digital Defense, where we mostly did pen tests for credit unions, small banks. And they tended to have a lot of really obscure hardware that you just don’t see anywhere else. A lot of MPE/iX operating system devices on the HP3000s. A lot of old host server mainframes. So I got really, really good at hacking all that stuff and then writing tools for it. And that eventually became such a big pile of tools that we went basically from a consulting practice to an MSSP, to like a managed vuln scan service at this point.

Our tools were terrible. We just had a bunch of like, cribbed-together internet stuff. And this is in the early 2000s, when all the folks used to share all their exploits. They pretty much stopped producing tools because they were just being used by commercial companies, and it wasn’t fun anymore, right? And that drove me crazy, because like, hey, I need the tools for work, and they’re hard to find. And half the tools you’d find would be like backdoored in various hard-to-find ways. And you couldn’t really use those at work for a bunch of reasons.

So we tried building out our own set of exploits. And I went to my boss at the time, like, “Hey, can we make this a real project that has some resources behind it and actually build this toolkit?” And they said, “Oh, absolutely not. Get back to work.” “Oh, okay. Well, do you mind if I keep doing it myself?” “No, no, go for it.” So they just wanted us to spend all of our free time building stuff out. So I did. That was the birth of Metasploit. But then Metasploit started getting enough attention and going from this really terrible code base written in Perl to a slightly better code base written in Perl, to a bigger project, to eventually hundreds and probably thousands of exploits these days. And during that process, the company I worked for really didn’t like it, because their customers absolutely hated it. Our customers were very conservative banks who didn’t want to have anything related to exploits or disclosure tied to their name at all.

So for many of the years that I was on my first startup, they effectively hid that I worked there, and they wouldn’t take any press for anything I worked on. They kept it pretty much under wraps because they didn’t want to scare the client base. But Metasploit was growing and, you know, it was getting better and better all the time. And we were using it every single day against all these banks that we had as customers as part of our pen test work. So it’s always good when you have a need that you understand really well yourself, and you want to go build a tool for it, and you actually get the time to go out in the field and get your hands into it, make sure it’s actually working right. So, that was our product-market fit, if you want to call it that.

JON SAKODA: And let’s go back in time, because you chose to open source Metasploit. And this is crazy because even though there were a handful of projects that had been open sourced successfully back then, projects like Nmap or Nessus, this is the first time there is a free tool that helps people find exploits. Why did you choose to give it all away for free back then?

HD MOORE: A lot of it was keeping me out of jail. I mean, one nice thing about being open is that we could say, “Hey, we’re not giving these to criminals. We’re not using this just to break into stuff and take people’s money. We’re doing this to help educate the entire industry.” And your two options are you either make it commercial and you restrict who gets access to it, like NSO Group, for example, and you see how that went; or you make it as widely open and available to everyone you possibly can, to the point that even the people who want to prosecute you depend on the tool. And that’s where we got, eventually. We even got to the point where, I think in my last days at Rapid7, we were working on getting an exception, the Wassenaar Arrangement, specifically for open-source tooling, specifically for Metasploit. Because the folks who were pushing for the arms control treaty to apply to exploit tools didn’t actually want to include Metasploit in it, because that was the tool that everyone else depends on. So, it’s one of those things where your options were either tightly control your technology or make it so widely available that it becomes the standard.

JON SAKODA: I think this brings me to one of the defining traits of your career—that is, always having the courage to shine the light on something that people don’t want to see. And if we go back 20 years, it was not normal. It was not popular. It was arguably viewed as quite dangerous to share exploits publicly. I think you were heavily criticized for what you were doing. Remind everyone what life was like back then.

HD MOORE: At the time, all exploits were kind of jealously hoarded. If you had a really good exploit, you shared it with your friends, maybe, or used it at work, and that was it. And you still had sites like Packet Storm that published some stuff, but the really good stuff wasn’t really widely available. Part of it was that there was a huge concern, like my employer at the time, our first startup, was very concerned that if we released an exploit, a customer who got hacked using it would then go sue them and basically put them out of business, or they’d be held criminally liable for people using the tools, things like that. And the software industry very much wanted people to feel that way. They didn’t want people releasing exploits and vulnerabilities all day, because it made them look terrible, because their software was terrible.

And so, there was a group called Organization for Internet Security? OIS, I believe. So OIS was the name of the consortium. It was basically all the major software vendors at the time. And they put out this whole, you know, “There shall not be any disclosure unless there’s these particular rules behind it.” They wanted to basically set the rules for how you do disclosure. And that very much included not sharing exploits. And I said, “Nah. Like, no, we’re gonna make this as wide as possible and blow it up, because that’s the only way that the vendor’s gonna take software security seriously, otherwise all the power’s basically in the hands of the software vendors, not in the hands of people buying that software.” So it was a really good, needed counterbalance to the software world.

But so many people didn’t like it. It wasn’t just that the vendors didn’t like it. The vendors absolutely hated it. They tried to put me in jail. They tried to get me fired. I had folks at Microsoft leaving voicemails saying, “We’re gonna shut off your Microsoft Partnership subscription if you don’t fire HD.” We had customers saying they were gonna fire us as a vendor because they employed me—all sorts of hate. And those are just the software vendors putting pressure. And the black hats hated me just as much. They didn’t want people dumping all the exploits they were using all day. If you had a really good exploit, the last thing they want is everybody to know about it and get fixed. They were using it for whatever they wanted to do every day. 

So whenever we’d publish an exploit on Metasploit, we’d get DDoSed, we’d get attacked, we’d get all sorts of stuff happening, not just with the Metasploit website, because that was funny, but all over the place. Our employers, personal stuff. We’d have stuff mailed to our houses. We had all kinds of fun threats. So I got very used to getting kind of a thicker skin because of that.

And then you had law enforcement, right? Law enforcement also wasn’t a big fan of it because they didn’t really understand the difference between putting out an exploit and using an exploit. And it wasn’t really clear. There wasn’t a lot of case law about, does that include—are you violating the CFAA by putting out an exploit that then gets used later on? Are you aiding and abetting a crime, providing tools for it? It was just super murky law. And in a lot of ways, the law isn’t any better. The enforcement rules have been a little more clear. But the law itself hasn’t really changed much.

It was really kind of tough times. I think for about 10 years, my spouse had a “Get HD out of jail” fund that was in her name, totally separate, just in case they seized everything else I had, she’d at least be able to get bail money. And there was definitely a lot of immediate risk of prosecution and/or losing my job pretty much every day. And you get used to it eventually. But it’s also good prep for startup life.

JON SAKODA: I think it’s fair to say that disruptive ideas often start out unpopular. You were obviously ahead of your time. Now it’s very common for companies to enlist hackers to come forward and disclose vulnerabilities. We even now have bug bounties. We’ll pay white hat hackers to come forward. I wonder, if I take you all the way back to when this was wildly unpopular, particularly when your wife had the “Get HD out of jail” fund, did you ever wonder if this was the wrong approach, or somehow second-guess yourself?

HD MOORE: No, I’m stubborn. I thought I was right, and I believed I was right, and just stayed with it. I mean, it made it miserable for me sometimes, but at the same time, we won eventually. So, I still believe I was right.

JON SAKODA: Yeah, take me back, because I think somewhere in here, there’s probably some great wisdom for founders, right? So you’re a few years in, and you know you’re on to something big, but everyone seems to hate you. Everyone’s threatening you. Everyone’s suing you. Everyone’s coming after you. How did you build the resiliency to keep going? 

HD MOORE: Part of it was the community, or users, if you want to call it that, user feedback. So, in the really early days of Metasploit, all the really cool hackers thought it was a kid’s toy, and a script kiddie tool, and terrible, and you shouldn’t be using it, and it’s garbage. Or the professionals at the time thought it was unsafe to use, and so on and so on, even though we spent a lot of work making sure Metasploit was safe. But then we’d actually have our users. And our users would come to us and say, “Hey, I have this really nasty problem at work, and I was able to demonstrate that we actually need to patch our servers. We need to patch the configure bug, and I just proved it,” or “Our ATMs are vulnerable to this particular thing.”

A friend of mine I won’t name-drop here just in case he doesn’t like the story, but he worked for a company that manufactured ATMs. And they did not believe that they had to take Windows patching seriously. And this is before Blaster destroyed all their ATMs. And he was using the DCOM exploit from Metasploit, even pre-Metasploit framework, to demonstrate that, hey, y’all really need to patch this stuff. And then when Blaster did come out and did exploit that vulnerability, and even used our payload for it, basically everyone looked up and said, “Hey, how’d you know that was gonna happen?” It’s like, “Because I’ve been telling you about it for a year.” So, stories like that really kept us going.

There’s also the community aspect of employment. We were the first job reference a lot of folks had. And if you were a budding security researcher in Malaysia or someplace that didn’t really have a strong tech market in the early 2000s, if you had contributed a module to Metasploit, that became a great resume builder.

JON SAKODA: I’m curious, after all these years where people, including me, have grown up using Metasploit—it’s now one of the most widely used hacking tools—do you still have people bump into you and share stories about how Metasploit made or changed their career?

HD MOORE: Yeah. It’s probably once a week or so, I’ll still run into folks who are like, “Hey, you know, this exploit changed my early career or changed my perspective on what I was working on,” or “I worked for a software vendor, and we saw this vulnerability come out for it on Metasploit, and realized, I really want to go into security, not software.” So I know not everyone’s gonna thank me for being in security, but we definitely got a lot of people into security who wouldn’t have otherwise gone that route.

JON SAKODA: I guess that’s right. We should be thanking you for recruiting and training the current generation. You are in many ways responsible for inspiring everybody to get into cybersecurity at an early age. Looking back, is there anything you would have done differently?

HD MOORE: Man, there’s a lot of stuff. So, in the early days of Metasploit, most people that worked on the project used handles for it. We really didn’t know anyone’s name. Later on, we found out some of those folks were not necessarily the good guys. But they were great contributors to the Metasploit project, put it that way. So it was interesting to see some of the things that came out much, much later, where we started off saying, “Hey, you’re gonna be able to have access to this stuff. We’re gonna make it available to everybody.” And we got really great feedback. Exploits got better, payloads got better, innovation got better. And then later on, we found out that some of those folks were now working for cybercrime people. Well, that was interesting. So, I’m not sure that I would’ve done anything different there, but it was definitely a point of inflection to realize like, hey, it’s not just the good guys. It wasn’t just the bad guys either, in that sense.

Some other major decisions we had to make. At one point, a commercial company copied Metasploit to put their name on it, started selling it as their own exploit tool. And we all got our feelings hurt about it. It was like, hey, if you just wanted to work with us and collaborate, we would’ve been more than happy to make it open source, or share code back and forth, or updates. But they basically just tried to take credit for everything the Metasploit project had done at that point. There were 200 or 300 contributors at that point. So we got mad. We basically halted the entire project, rewrote the whole thing in a different language, put it out in Ruby, under a non-open-source license for about a year, just to give us a little bit of breathing room to get it to the next stage. And that basically killed the flow of new exploits into that commercial project, and that commercial project then failed.

So, I’m not sure we would have done that any differently, but it was one of those things where if there was actually a communication channel, if that company had been more open to collaborating, they could’ve been a great competitor to what eventually became commercial Metasploit Pro, or even Core Impact at the time. But because they decided to basically take credit for someone else’s work and then refuse to acknowledge it, even though we were looking at their source code and seeing our code in it, it basically caused us to basically rewrite the whole project in a different language to make it incompatible with their stuff, and then block them from accessing it for a year.

JON SAKODA: I think this story does answer the question why Metasploit started out in Perl and eventually got rewritten in Ruby. I know that’s a much, much longer story. But if I fast-forward just a bit, I think a lot of people were surprised that Metasploit was ultimately acquired by Rapid7. What was the story behind that deal, and how did you get to know those guys?

HD MOORE: So, Metasploit was also a side project. My first job, they absolutely hated it, they didn’t want to know I worked on it. My second job, they hired me because of it, but it was still a distraction for them versus working on what we did at BreakingPoint, which was network test equipment. And it was helpful to have Metasploit work going on because it helped drive our content coverage, but it was not our business, right? And so, I would spend weekends flying out to Black Hat, or Black Hat DC, or another conference to do a training, and using the training money to basically cover the bills for Metasploit hosting, for all the work, things like that. All my nights and weekends on it. So, I was pretty exhausted doing normal startup all day long, and then every night, every weekend on basically the side project forever. It was a little bit exhausting.

So by the time I got through, what was it, 2009 or so, the two other early developers of Metasploit had gone off to do other things. It was just kind of me by myself at that point. I had roped in egypt to help out on the open-source side a little bit, but he wasn’t getting paid. He was still working at wherever he was working at, at a National Lab, I believe. And I went on basically paternity leave. And while I was on paternity leave, there was this project that I’d been kind of helping out with at Rapid7 where Corey Thomas, who at the time was the head of marketing, reached out saying, “Hey, it’d be really cool if we could integrate Metasploit with Nexpose, where if you click on a Nexpose link, it’ll take you into the Metasploit web interface, and then you can actually test an exploit.” I’m like, “Yeah, sure, easy.” That was more just open-source work. Like, sure, you do a little click here on this link. We’ll give you a link you can land on over here. And then you can chart an exploit to that host. And really small contract work on the side. It was mostly a chance to get to know the team there a little bit.

So by the time I was on paternity leave, my first was born, he reached out again and said, “You know, there might be an opportunity to do more of this.” I’m like, “What do you mean? There’s nothing here. We have a domain name. We’ve got a BSD licensed project with no real IP behind it. And you’ve got me, and that’s pretty much it at this point.” And so, he said, “No, no, come on, let’s chat.” So—actually, this was right before the kid was born, because we actually had a plane on standby to bring me back to Austin in case the kid was born early. It was ridiculous. So I flew out there, met with the chairman and the board, investors of Rapid7. Chatted through kind of all the scenarios. I probably over-prepared. I built a whole business plan that was like 40 pages. I had charts of all the competitors and their Google Trends over time, and how recognizable the name was. I said, “If you bring Metasploit in, this is what we’re gonna do for your brand. This is what we’re gonna do for your name recognition.” 

The only problem is, how do you price that? So there wasn’t a lot of acquisition money. It ended up being barely enough cash to cover my legal bills, basically, as part of the acquisition close, a little bit of equity, and then an earn-out agreement saying that I would get some percentage of all the sales of Metasploit when we had a commercial product. But keep in mind, we just had an open-source framework. We hadn’t built a commercial product yet. But the clock starts when you sign that agreement. So they hit basically all my minimum numbers for negotiation. I’m like, “Okay, fine. I’m exhausted at my current job. I’d rather work on this full-time. This sounds like a better thing to do, and I can work remotely as I get things up and running.”

And about a year later, we launched Metasploit Express, which is the first commercial edition. And that kind of got our foot in the door in terms of like, here’s a web front end to the product to make using Metasploit a lot easier. And then we started working on kind of the next big version, which was the enterprise version, which was Metasploit Pro. And we were able to leverage the existing Rapid7 sales team and sales motion to basically add that to deals, to co-sell with Nexpose. And that worked out really well. If I had to start over from scratch and basically create a name for the product and find customers and all that, it would be way more difficult. But because we already had a sales team ramped up, we had a marketing team ready to go, it was incredibly efficient. We were basically paying our own bills within 18 months of the acquisition.

JON SAKODA: Nice. And you stayed there for years.

HD MOORE: Yeah. First 3.5 years I started running the team, product stuff, day-to-day, running the Austin office. We found a replacement for me to run the day-to-day office stuff once we got into our second office building. And then I basically switched over to research. It’s one of those things where you’re coming into a new company, and you’re acquired, and you’re the founder of the product, but you didn’t really want to be head of that product’s engineering forever. You really want to let it get sucked into the rest of the organization, part of the overall process, right?

JON SAKODA: Right.

HD MOORE: You don’t want it to be this weird third foot hanging out there and decide. So that’s all really messy and always hurts your ego, and no one does it the way you want it to do, and they treat your baby poorly and things like that. And that’s just what happens. You just have to get over it.

JON SAKODA: Yes. I don’t think everyone knows that Metasploit became both a large and successful open-source community, but also had a successful commercial business while at Rapid7. Perhaps also surprising to a lot of people, you stayed at Rapid7 for many years, if I recall. What did you learn while you were there?

HD MOORE: Yeah, this is definitely the biggest company I’ve worked at in a long time. The thing I really liked about Rapid7 was that they didn’t have a great reputation on the sales side when I started, but they were very committed to fixing that. And that meant letting go of pretty much half the sales staff. We closed the entire West Coast sales office. The one team that we were able to salvage, we brought to Austin, and then we had to rebuild it all. And that’s just because the culture was to the point that we didn’t think we could get it back on track. So, that went a long way with me of saying like, “Hey, we’ve got a problem. We know our customers don’t like the way that we’re doing business with this group. Let’s fix it, and let’s fix it to the point that there’s no question that we’re taking it seriously.” And it was that kind of drive to take the culture and put the professionalism seriously that made me really happy that I was working there, working with the team. Folks really cared about customer outcomes. They really cared about not burning bridges. 

There’s only a few large vendors in that space, right? And to me, my name was on a lot of the products. I was going out there and pitching both Nexpose and Metasploit when I went on sales calls, and doing my best to sell them together and things like that. And I took it very personally when we did something that made the customers unhappy. If I felt we did a bad job at a pen test, or did a bad job with a software fix, I’d go yell at people and figure it out. I mean, hopefully nicely. But I was younger then and probably more brash in that sense. But yeah, I liked that the company took the customer experience seriously and had a decent ethics code.

JON SAKODA: You eventually leave Rapid7. I think you took a lot of time off and had a lot of choices on where to go and what to do next. Why eventually did you decide to start another company?

HD MOORE: Well, if you don’t mind me getting a little personal with it. So, going through the startup life for 15, 20 years at that point was pretty rough for both me and for my relationship with my spouse. And just flying to Boston every couple weeks, it was a lot of travel, it was a lot of stuff. So one thing, when you’re finally done in that sense, IPO is done, you’re cashing out, you get a little time to yourself again, I was really focused on like, great, I can now go help other startups, help other founders. I was doing a lot of things with founders at the time. But then I realized the rest of my life was catching up with me. 

My marriage wasn’t doing so hot. My health was getting really bad. I had two discs collapse and then couldn’t really walk or move my arms because my neck was all janked up. I had to start doing all the medical stuff to fix that, including a couple rounds of surgeries later on. And during that whole process realized, “You know, I’m probably not married to the person I want to be married with,” and decided to end that. So, lots of changes all at once. And went from that basically into consulting for a couple years. So, this overlapped with early days of runZero, but also just getting back in the field, doing pen test work, talking to customers, figuring out what challenges people are solving, which ones they aren’t, and try to take care of myself a little better—doing a lot more running, getting back in shape, trying to spend more time, because I wanted to spend time on having better relationships with my kids, things like that. Ended up meeting someone wonderful, getting remarried not too long after, and very happy since. But it was definitely kind of a period of reckoning when you finally leave the startup, and you finally get to the end goal. I had a little bit of time to be on the ground and be like, “I don’t like this. Maybe it’s time to do something different.”

JON SAKODA: I think it’s easy to see the habit of trading off your health for your startup when you’re not in your startup. That’s fairly common. But do you have advice for founders that are doing this right now? How would you coach yourself through that moment?

HD MOORE: I’m kind of back into it again these days. Definitely keeping a close eye on family and relationships and kids and health and all that, trying to make sure, okay, I haven’t left the house in 48 hours, and I haven’t left my two-square-foot kennel because I’m writing code for two days straight. I need to go run in a circle for a little while just to at least get some blood moving again. And same with the family. If I haven’t caught up with the kids in a couple days, or we haven’t had family dinner in a bit because people have plans, make some time for them. Carve stuff out. My spouse has been super understanding and great at poking me, being like, “Hey, you haven’t seen me in a bit. Stop being so stressed out about work and hang out, go swimming,” whatever it happens to be. So, just getting the reminder to take a break I think is really helpful, especially when you’re in it. When you’re in startup mode, it does feel like fight or flight every day. Every decision, every challenge can often feel like it’s a mortal wound if you get it wrong. 

Sometimes it’s actually true, right? You get sued to oblivion, your largest customer leaves because you make a mistake. Those are all really serious things you do have to keep an eye on. But the stress level is crazy. It’s just trying to remind yourself you should enjoy every day too. You should see your family, see your kids. You should take care of yourself, go to your doctor’s appointments. So I think the best thing you can do is put some calendar blocks. I block off lunches now, because I didn’t have lunch for a few years, just because I never had time for it. So putting in lunch blocks, putting in exercise blocks, putting in placeholders for doctor’s appointments, blocking out all of your special days with your family and your friends. Just make sure to make time for yourself and the rest of your family.

JON SAKODA: Can we go a step further? Can you describe how you do this? Do you actually block time off in your calendar, or do you have any other hacks for creating health and balance while also keeping up the same level of intensity?

HD MOORE: It’s always a work in progress, right? So, get a sense for what’s working, what’s not, what doesn’t—again, getting a little personal here, I’d say, “You’re off from alcohol.” So I wasn’t gonna drink for a year. I was like, you know what? Maybe alcohol’s not great for me. Let’s take a break. That’s great. Well, I’m still sleeping poorly. I’m still not doing this. Let’s try getting a sleep study. Okay, let’s try this. Let’s go talk to a psychotherapist. Let’s go do the next thing. Just started working through all the list, trying to figure out, what I don’t like is waking up in the morning exhausted and stressed out and feel miserable. I want to wake up feeling like I want to go conquer the world. And so, what do I need to do to get there? And just trying everything and work down the list till I felt like I had a good handle on it. And these days, it’s great. I was sleeping probably two or three hours a night for years. And now I’m eight hours a night straight. Health and all that other stuff is always a work in progress, but you just kind of have to take it seriously. You have to treat it like a job. 

I was joking with my spouse, even when I started dating again post-divorce, I treated it like a job. I set up three interviews per day, aka dates, and showed up at coffee shops and grilled people, walked through qualifications. And I realized I was really, really bad at it. And so, the only way to really solve it was to go get good at it. And to get good at it, you need lots of practice. And so, very professional interview style dates. But 60, 70 of those, and it was like, okay, I think I know how to do this again. And I eventually found someone who was a great fit.

JON SAKODA: This personal story is hilarious. I can’t wait to finally meet your wife. You’ve mentioned more than once that you are really bad at something. And when you say that, I also hear you say that you commit to making yourself better at it. I noticed, for example, that you’ve referenced that you’re bad at doing podcasts and public speaking. But I also have noticed that you’ve given over a hundred talks and are one of the most widely sought after public speakers. So, do you feel this is a part of your recipe for success?

HD MOORE: Yeah, I don’t think it’s worked out with podcasts or public speaking. I think I still talk too quickly and am incoherent. But I think my wife says I beat myself up too much in that sense. But I feel every bit of failure, right? I feel everything I say wrong, every stutter, every misspoken word. So I think it’s just being very self-aware makes it really difficult to be happy with the state of everything.

JON SAKODA: Would you mind if we talk about the word “happiness”? You would not be the first founder to say that you have a tortured relationship with that word. Do you ever look for happiness? How would you define it?

HD MOORE: I guess for myself, I don’t strive to be happy, right? I strive to be productive and I strive to make my family and friends happy. I strive to make the world a better place in whatever way I can, and that makes me content. But it’s never happiness in the moment, right? So I think for me, the anti-happiness is feeling like I have little control over my life, and I’m stressed out, and I’ve got no real way to move the boulder. Feeling like you can make changes, feeling like you can actually control some things that you don’t like about your life, I think is the key for me of being content or whatever euphemism, or happy, you want to use there.

JON SAKODA: This is probably a great transition to the runZero story. There is clearly some personal satisfaction that comes from discovering assets on people’s networks. So let’s fast-forward there. You get through your personal journey. And how did you eventually land on the idea of runZero?

HD MOORE: Well, even in the early days, I really liked kind of exploring the kind of man-made mazes that are the internet, the phone lines, the application, the software. We have these amazing puzzles we create accidentally, as you have different network providers all connected to each other, different firewalls, different rules, different vendors, different applications. It’s a fun puzzle. So figuring out what’s out there is always interesting. In the early days, there were very few firewalls. You could just scan the internet and say, “Here’s everything out there, because I pinged it and it ponged back, and we’re good. That’s what it is.” These days, things are really, really complicated. You’ve got VXLANs, you’ve got overlays, you’ve got segmentation everywhere, SD-WAN, multicloud, you name it. So it’s really difficult to know what’s actually on your network. It’s really difficult to figure out what’s out there. 

And if you don’t know what’s out there, it’s really hard to—the cliché is to protect it. But even not being aware of it is gonna change your view of the world. It’s not just that you can’t defend that device; it’s that you don’t really have the right tools in your head to make the right decision about what technology you need to purchase or what rules you need to manage. So for me, it’s always been about how do you discover everything you need to discover to make the right decisions for security? 

And what you realize is that when you start working with companies who have a decent budget, who have great staff, who are really trying their best to defend themselves and to do a good job of securing the network, the only place they fail is when they don’t know about something. And so, finding all the things that that team doesn’t know about is job number one for being a successful pen test, audit, defense, you name it. So runZero really is about that. It’s how do we find all the things you don’t really know about? What’s all the information that you don’t have today that you really need to have to make good decisions? So it’s really kind of going to that next step of bringing everything into the recognition engine behind the runZero core. 

And where a vuln scanner may say this is a device running Linux, we’ll tell you it’s a Roku media player and it’s attached to this particular switchboard. Like, just more context, more information about where it is. You actually don’t even need to know what IP addresses you have with runZero. You can say, “Find every single internal device connected to my network, no matter where it is, within a certain blast radius or TTL,” and we’ll map the entire private internal IP space, and we’ll do that really quickly through subnet sampling and things like that. And that’s where folks go from like, “Oh, I thought I had 30 devices, now I’ve got 300 on this network,” or “I didn’t realize the building control network was actually hooked up to my main corporate LAN.” Things like that.

JON SAKODA: Knowing what is on your network is a fundamental problem. Deep down inside, I think every IT professional knows they should be able to answer this question. In the old days, we knew everything that was installed on our network because it was physically installed. I think through the years now, it feels like an unsolved problem. No one really knows what’s on their network, either connected on premise, in the cloud, through their work from home environments. Give us some of the historical context. How did we get here? How did the vendor ecosystem go from showing customers everything that was on their network to now only having parts of the picture?

HD MOORE: Starting from the cost side, a lot of vendors charge per IP for what they scan. So if you are using a vulnerability management scanner on your network, if they do have discovery options, but they tend to be not super well used and not particularly great, that’s supposed to tell you, here’s the number of things that are on your network. Then you actually pay your vuln management license per asset at that point to manage it. So there’s actually a disincentive there to scan things because the more stuff you have to scan, the more it costs over time. And so, companies tend to narrow and narrow their focus, their vuln scanner to less stuff. There’s also the challenge of vuln scanners knocking devices over, causing printers to spit out paper, cause problems with their firewalls, things like that. So you don’t always want to scan everything. Everyone’s been a little bit gun shy of using a vulnerability scanner. 

What we try to do with runZero is create a scanner that you can safely throw on any network, whether it’s OT or not, and be pretty confident that nothing bad’s gonna happen. And of course, it’s always great to test on things, but we want to make sure this is a very safe button to push. And that’s something you can’t really do with a vuln scanner. And it’s so expensive with a vuln scanner that you generally can’t cover everything. 

The other side of it is every vendor wants you to think that you’ve got full visibility, because that’s what they’re selling you to. The vendors don’t want to couch their solution, saying, “Well, we’ll show you 25% of visibility.” That doesn’t sell very well. You can’t say, “We’ll sell you full visibility,” and they’re just often wrong.

JON SAKODA: So at Metasploit, you were shining a light on the vulnerabilities in software that people couldn’t see. Now at runZero, you’re shining a light on the assets that people can’t see. And I think in both cases, you’re making the case that technology is a part of the solution, but also, I think you’re shining a light on the business models that vendors have used, which have perhaps obscured this information. Is that another reason why solving this problem has been so difficult?

HD MOORE: The clearest path is what do you charge, right? How do you charge for your product, right? If you’re charging for every visible asset on the network, you’ve got incentive to increase your visibility to everything. That’s what runZero does. We charge you a per IP or per asset or recent asset rate. But we have a much lower rate than your vulnerability management. It’s actually affordable to do on a larger scale. So, at the end of the day, it really comes down to following the pricing schemes and the model. If you can’t find a way to make money by doing the thing, you’re not gonna do the thing.

JON SAKODA: I feel, at Metasploit and runZero, you have in some ways packaged your offensive security genius and have put it into a product that now mere mortals can use. Was that the intention?

HD MOORE: I’m kind of old and busted these days for offensive stuff. But I’ve kind of shifted a lot of my focus from how do I get shells on things to how do I tell you what things are. And it’s a very similar problem. It’s like, how can you use very limited information about devices you don’t control to give you a better answer, to tell you how to do the next thing? And for us, it’s giving a great inventory. In the old days, it was, I want to get a shell in this thing and then break into it and take all the data. But it’s kind of a similar first step. With Metasploit, each individual module was effectively its own little bag of tricks. Like here’s how you compromise this particular server. Here’s how you generate this type of shell code. With runZero, it’s very similar. We have all these different tricks that we just layer and layer and layer on top of each other.

JON SAKODA: Any advice that you have for founders today who look up to you and see you as somebody that they’re trying to emulate?

HD MOORE: I mean, hopefully you enjoy what you’re doing. If not, do something else. It’s late hours, it’s long days, it’s oftentimes doing things that are not the fun part of the job to get the business up and running. I spent way too much of my life the last few years doing things like state unemployment insurance registrations, and sales tax, and finance crap, and insurance, and everything else in between. And on one hand, it was annoying that I wasn’t spending that time running fingerprints. On the other hand, it was really good context for me to have, having spent more time on the business side, to know what our customers care about and how those different things affect their businesses too. But experience outside of just your niche is actually really helpful for you understanding the bigger picture that customers deal with. And the more time you can spend in the customer’s environment, the better. Just don’t let one customer drive your entire road map, your entire perspective.

JON SAKODA: I know we are running short on time. Do you have any quick lessons learned or words of wisdom for your younger self?

HD MOORE: Try to enjoy life a little bit more. Go outside. Be nicer to people. Things like that.

JON SAKODA: HD, this has been an amazing show. Let me be the first to say that you have not just been nice, but you’ve been incredibly generous in sharing your wisdom and your software with the world. I think we can all say the internet is a safer place because of you, and I can’t thank you enough for coming on our show.

HD MOORE: Oh, thanks, Jon. Thanks for having me. And always happy to help out founders.