The Decibel Podcast: Founders Helping Founders

Kevin Mandia, Founder and CEO of Mandiant: Creating the Navy Seals of Cybersecurity Software

Episode Summary

Kevin Mandia is the Founder and CEO of Mandiant, the widely recognized leader in cybersecurity incident response which was recently acquired by Google for $5.4 Billion. On today’s episode, Jon Sakoda speaks with Kevin on why he founded Mandiant, and his personal journey to create a company to defend companies against cyber surveillance advanced persistent threats from Russia, China, and North Korea.

Episode Transcription

KEVIN MANDIA: I was only good at one thing, responding to security breaches. Thank God that was a valuable thing to know, because I did not have a second company idea. I wasn’t gonna start, “Hey, I make cupcakes. Let’s go to Georgetown and make cupcakes for a living.”

JON SAKODA: Welcome to the Decibel podcast. I’m excited to welcome my friend Kevin Mandia, the founder of Mandiant, to the show. Kevin is one of the most famous cybersecurity founders in our industry and was one of the first to shine a light on the role that nation-states play in the world of cybercrime. He has a lot of wisdom to share with founders, and I am excited to have him on the show.

Kevin, thank you for joining us.

KEVIN MANDIA: John, thanks for having me. It’s funny; when you reached out with an email saying, “Hey, do you wanna tell your story?”, I kept going, “There’s probably a reason why I’ve never told it. Why is that?” And it’s, you know, just an upbringing of just keeping it to yourself, you know? So this’ll be a lot of fun for me. Thanks for the opportunity.

JON SAKODA: If you don’t mind, since this is one of the first times you’ve told your entire story, would you mind if we start at the very beginning? Where did you grow up, and what was life like in your house?

KEVIN MANDIA: Well, you know, it’s a great question. I think the formative years—I moved about five times before I was 18. My dad was always, gotta do more, gotta be more, take the next job. So I would say from 10 to 13, I lived in Pittsburgh, a beautiful town where the best thing they had in the late ‘70s and early ‘80s were the Steelers. And if you took that away from the city, God only knows what would’ve happened there. Those were the formative years. And then a little bit in Rochester, New York.

Grew up middle class, father working hard. My mother—I always equate my mom to being very German. You had a lot of rules. And my dad, being very Italian, enforced the rules. And the rules made sense, and the enforcement was consistent. So I think that environment worked. There was a lot of discipline in the household. I was the youngest of four boys, two half-brothers and my older brother. And I think when you have that many boys in a house, you do have to have a lot of rules and a lot of discipline to keep the noise down, keep the damage low.

JON SAKODA: I can definitely imagine, with four boys, there probably needed to be a lot of discipline in the house. And sounds like you also traveled around. What did your parents do?

KEVIN MANDIA: My dad kind of switched jobs. He was always involved in human resources, HR. And my mother—and my parents got divorced when I was 12 years old, maybe a little earlier, 11—and she did Mary Kay Cosmetics. So she had the pink Buick Regal, and later, the pink Cadillac. And she still does it today. So I grew up watching her kind of grow that business and do what she could to make that happen, and grew up watching my father just execute in a way where there was always, after a couple years at a job, he always kind of had an opportunity to go somewhere else. And that’s kind of what I observed.

JON SAKODA: While you were growing up and traveling around to lots of different places, do you remember how you eventually discovered computers?

KEVIN MANDIA: Oh, absolutely. Great question, Jon. You know, I think back to ‘79. 1979, I got my first computer. It was the TRS-80 color computer with 4K of RAM. And I grew up—and so did you, I think—the era of Pong. Video games. Activision. Atari 2600. And television.

JON SAKODA: Absolutely.

KEVIN MANDIA: And so, I think that’s the beginning of it. I mean, I learned to drive playing Pole Position at the Pizza Hut, you know? If it wasn’t for Pole Position, I’m not sure I can drive a car. And so, I think it was that. So somewhere around 1978 or ‘79, for Christmas, my parents and my grandparents, I think all of them kind of chipped in and bought me the TRS-80. And I remember, I didn’t have a floppy drive for it, because the floppy drive was, I think, more than the damn computer. It was like $800 for a five-and-a-quarter-inch floppy drive. So I’d use the cassette load command or cloud command, as I called it, and I’d upload text-based games.

So I think it was that video game era that got me to say, “I want to dive into this.” And I was born in the ‘70s, so by the age of 10, I’ve got a computer. I’m the dork on the block or the nerd that has the Okidata 88-character dot matrix printer. And everybody would come over and say, “He can print out our homework here,” you know? So I was that nerd and loved it. And the kids on the other side of the tracks had the Apple IIe. I didn’t—that was way out of our price range.

JON SAKODA: Kevin, I’m so glad you’re telling this part of the story.

KEVIN MANDIA: Yeah.

JON SAKODA: You used the word ‘nerd.’

KEVIN MANDIA: Yeah.

JON SAKODA: Were you a nerd growing up?

KEVIN MANDIA: You know, it was weird. In hindsight, probably, because I was fascinated. And if you could see my notebooks from high school, I would recopy my notes to make them look right. So there’s a bit of the spectrum of making sure you did the work you had to do in school. But at the same timeframe, playing football, I wanted to be the quarterback. Playing baseball, I wanted to pitch, play center field. If I ran track, I wanted to be the fourth leg on the track team, you know? You always wanted the position that was deemed integral to winning.

So, played all the sports, but also did well in school. So I’d just say well-rounded. So to answer that question directly, would I have rather been quarterback or rather have been programming in C, at the age of 15, I think I would’ve picked sports. Yeah. Computers would’ve been second.

JON SAKODA: In your formative years, when you talked about ages 10 to high school, where did the mindset of greatness come from? This ambition to want to be the quarterback, to run the final leg of the sprint, to be in the position to win—where did that come from?

KEVIN MANDIA: I think both my parents had a great bar, meaning you never really hit the bar. And for some kids, you always have to figure out what motivates your children the most. I really thrived on, if we won a game in football 35-nothing, my dad would be like, “Eh, your third quarter stunk.” And I would go, “Yeah, you’re right.” So, there was a habit of not really celebrating the touchdowns, as I called it. And by the way, if I celebrated a touchdown, my dad would not have been happy. It’s expected. Just get it done. Get an A. Get a touchdown. And don’t celebrate it. And I was okay with that. Not everybody is, Jon.

But for some reason, I very early on—and I think you’re right, when you go back with founders. By the age of four, five, six, there’s already a kernel developing that gave them something. And that’s probably all humans and what they accomplish. But I always remember chasing perfection, and I liked it. I don’t believe I’ve ever felt like, “Oh, I got here.” I’ve never felt like I’ve arrived. And that comes straight from the parents saying, “Eh, that A was okay, but there’s a better A out there. That touchdown was good, but you should’ve scored a three-play sooner.” I thrived in that challenge.

JON SAKODA: Today I think some people refer to this education methodology now as the growth mindset. This is the idea that you’re always learning, constantly improving, and you never really reach your full potential.

KEVIN MANDIA: Yeah. I’m sure there’s a new California way of saying all that, growth mindset. From Pittsburgh, we didn’t learn growth mindset. We just learned, score touchdowns, don’t celebrate.

JON SAKODA: Let’s go back to software and let’s go back to computers. And you know, a lot of the best cybersecurity founders and the elite level researchers, when they discovered computers, they also discovered hacking. So tell me a little bit about the early years of you discovering computers and software and the internet.

KEVIN MANDIA: Yeah, you know, for me, it wasn’t on the hacking side of things. For me more growing up with video games and growing up with Magnum PI, growing up with Quincy, I was really into law enforcement. I was into doing the right thing. And you combine that with technology, you sometimes back into computer forensics. So I didn’t come at cybersecurity from the offensive side. I came at it more from the defensive side. Hey, people are getting unlawful or unauthorized access to something. And I never cared about the attractive nuisance of hacking for hacking’s sake. But hacking for money, hacking to extort, hacking to invade someone’s privacy, hacking corporate secrets—those sort of things felt different to me.

So I think that was a product of the late ‘70s, early ‘80s. And coming out of that, I think I found my sweet spot with computer forensics, really.

JON SAKODA: And tell us that story. So how did you go from, I guess, being a well-rounded and very computer-literate student to finding your way into computer forensics?

KEVIN MANDIA: So, I graduated high school in ‘88, and I had an Air Force ROTC scholarship, so I went to a place called Lafayette College to do computer science. And I’ve wanted to do computer science. I wasn’t all STEM and no liberal arts. I liked to balance. I liked to study religion, sociology, study psychology. But at the same timeframe, I was all in on computer science at that point. And I did believe at that time, computers would permeate everything we do. I remember someone had said in a book I had read, and I forget who, and he published it in like ‘72 or ‘73. He said humans would communicate more via computer than face-to-face. And I think by ‘88, I even believed that this is gonna be a big change.

So I studied computer science, but I had to go into the military. And in the military, my first job was at the Pentagon doing computer security. And when I was a second lieutenant stationed at the Pentagon, there’s not a lot of second lieutenants there. And really, it’s almost sad how I ended up really doing cybersecurity, because in a lot of ways, there’s only two 15-second moments in my life that if they go the other way, I might be totally different. One was at the Pentagon sometime in May of 1992. There was a bunch of lieutenants in line to see a colonel to get their assignment. And I went first because nobody wanted to go first. So that’s the first moment of choice that if I didn’t go first, I may not have gotten the one slot in computer security that was available.

So I go first, and I literally picked computer security because of that one slot. The colonel gave me six options. But there was an abundance of slots that I could take in the other five options. And he said, “There’s only one position left in computer security.” And I’m like, “Ooh, only one.” And I’m a sucker for it if there’s only one left. On Amazon, if you want me to buy it, just say there’s only one pair of shoes left, and I’m buying it. You’re making a Ford Raptor R and they go, “Hey, there’s only one left,” I’m buying it. So that’s what happened. So that’s the first 15 seconds when I think back. I go first, I pick computer security. And if I didn’t get that job, Jon, I’m not sure we’re doing this interview today.

So my first job at the Pentagon was really mainframe security. And it’s a start. But it was resetting pass phrases, looking at who accessed what on TS systems, secret systems, unclassified systems. And then I cross-trained from a computer security role into the Air Force Office of Special Investigations a few years later. And that was that interest in Quincy and forensic science. I couldn’t shake it. And I didn’t want to just be the nerd looking at log files. I did want to have more impact with the computer science that I did. And I wanted to take that and apply it to law enforcement. So I did that in the military.

JON SAKODA: You said that there were two moments that changed your life that were almost haphazard, right? One is this story, which is amazing.

KEVIN MANDIA: Yeah.

JON SAKODA: What’s the other one?

KEVIN MANDIA: The other one happened in the summer of 1998. There was an intrusion into a bunch of military bases. And over time, that intrusion got the name, I believe Moonlight Maze is where it might’ve ended. And I just got this esoteric invite, “Hey, get to the FBI headquarters on Wednesday afternoon. We gotta brief you on something.” And at the time, I was training FBI agents as a contractor. And I went into a room, and somebody was up front briefing. So I’m 27 years old at the time. And I’m watching him brief. And my internal voice is literally saying, “Don’t do this. Don’t do this,” because I wanted to interrupt the briefer, because he was not accurate. And it wasn’t an FBI agent. It was some contractor.

And what he was doing was going through automated security incident measurement logs from the Air Force, meaning TCP dump data. And so I went against my rules. I never interrupt speakers. I don’t want to take the limelight. But that was the other 15-second break. I’m listening to this guy get it wrong, Jon, and I finally said, “Actually, what the attacker’s doing in this log file is the following.” And I’m not making this up. Whoever was briefing at the time just sat down and let me take over. So I end up walking up to the front of the room, and I just kind of went through the log file.

But again, I got there because I really knew it. I wasn’t guessing. I think that contractor was new to computer intrusions, and I was not by then. And I really did understand what I was looking at. So that moment was the other one, because it kind of gave me a position to help in a major case, and then from there, just kind of solidified my incident response work.

JON SAKODA: That was the moment that you put yourself in the starting lineup.

KEVIN MANDIA: Yeah. That’s a good way to look at it.

JON SAKODA: Yeah. You raise your hand, they put you in the game, and you score a bunch of points. And perhaps that’s also the moment that gave you the confidence that you were the expert in a field where maybe previously, you felt like other people knew more.

KEVIN MANDIA: Yeah. I think it was—in ‘98, I was a UNIX guy at the time. These were UNIX log files. You’re right; it gave you confidence. You recognized, for the last five years, this is kind of what I did. And now we’re working on a case where the Russians are hacking half the darn military. We gotta put our best expertise on it. So you’re right—I think that was me stepping into the lineup. Got off the bench and said, “Put me in, Coach.”

JON SAKODA: And tell everybody about what life was like in the 1990s. This is the emergence of the internet. It is the early innings of nation-state cyberwarfare. Tell us about the ‘90s.

KEVIN MANDIA: So, I get to the Pentagon in ‘93. We’re just starting to use email. I would say most officers don’t use email. From a threat perspective, the first time I saw a threat and went, “Okay, this is real,” it was 1995, I’d say it was. And it was out of China. So I think the first intrusion where I went, “Okay, this isn’t kids,” it was to access military systems. Because the criminal cases come actually later, Jon. I think the first thing bought on the web was probably not even till 1995. I think it was flowers in 1995. So you’re thinking, once you’re accepting credit cards in a faceless, nameless environment, that’s when the criminal element arrives, ‘95, ‘96 timeframe.

I go into the Air Force Office of Special Investigations in ‘96. And the cases we had then, I think they really were espionage at that point. There was Chinese and Russian campaigns against the US military. Because where we did all our research and development were on supercomputers, and we didn’t export them. So if you really wanted to see what we were up to as a nation with modeling and simulation of weapon systems or anything else, you kind of had to hack the UNIX nodes that connected to the supercomputers. And it was UNIX-based from ‘93 to ‘98-’99. And with the proliferation of the Windows servers, by ‘98, you start seeing the criminal element in Windows-based hacking.

2003 is right before I started Mandiant, my company. And that’s when we saw the pivot, in my opinion, of what I would equate to probably military units or foreign intelligence services that were just hacking the military, pivoted and started hacking the US private sector and other private sectors globally. And that led to Mandiant’s founding in 2004. So there’s been about four or five changes I’ve lived through, and we’re probably coming into another one with AI, so.

JON SAKODA: Can I take you back? It is fairly well-known now that in the late ‘90s and the early 2000s, some of the elite security researchers like you ended up becoming some of the most successful cybersecurity founders. And many of you were at a very special company called Foundstone. Can you retell some of that story?

KEVIN MANDIA: Well, at the time that I became acclimated to Foundstone, started by George Kurtz and Stu McClure, who did Cylance, there was a guy named Chris Prosise from the Air Force who I’d known. And it was May of 2000. Chris Prosise calls me up and says, “Hey, you should join Foundstone.” And I remember going, “What do these ENY guys know? I’m coming out of the Air Force. I know what the attackers are really doing. I’m working with the FBI as a contractor. I know what the attacks are.” And I literally pulled over. I think I was on a spring break kind of trip. I pulled over into Barnes & Noble and bought Hacking Exposed, by George Kurtz, Steve McClure, and Joel Scambray, was the third. And I remember reading it going, “Okay, these guys actually do know stuff. It’s different than what I know. It’s different than what I saw.” But I saw the absolute value. They were white hat hackers arguably guessing what attackers were doing, quite frankly. I don’t think they were ever responding to breaches. But they were white hats figuring out, how do you break into networks, and how do you do it? And they did a great job.

So I read that book and went, “All right, I think these guys really are that good.” So I joined Foundstone. And at the time, I think I had a job offer from Microsoft, and I went with the startup, because they were good. That was it.

JON SAKODA: What was so special about Foundstone? All these people went on to do amazing things. What was special about that group of people at that time?

KEVIN MANDIA: Pioneers. I remember, we would do incident response at Foundstone. And there was no way to determine what ports were open on a Windows machine and what application opened them. And then, so you could be like, “Hey, this stinks. We can’t figure out what’s going on.” There’s a Linux—we could do that. And Joel would be like, “I’ll write Fport. And we’ll just make a tool that does it.” And I’d be like, “This is just so cool,” you know? We just wrote the stuff we needed. And what I learned there, and I think the team did a great job, was we were really automating what the experts knew. And I always felt that was the goal of software. Automate what humans do, and do it in an elegant way. And Foundstone kind of showed me that innovation cycle.

JON SAKODA: I know Foundstone itself has an amazing story. But if we could transition to your founding story, at some point, you decide to leave Foundstone and start your own company. This is really the seed of your own entrepreneurial journey. When did you know it was time to go off on your own?

KEVIN MANDIA: So, at Foundstone, there were six founders. It’s probably less this. But I was more on the incident response side, and they were more vulnerability management. And as they grew, I kind of got pushed away. They were all on the West Coast. I was in DC. I was always kind of a little bit on the outer rim of the circle. So it was time to do my own thing, quite frankly. I was only good at one thing, responding to security breaches. Thank God that was a valuable thing to know, because I did not have a second company idea. I wasn’t gonna start, “Hey, I make cupcakes. Let’s go to Georgetown and make cupcakes for a living.” I had nothing up my sleeve, Jon, other than, let’s start a company that responds to incidents. And believe it or not, though, Mandiant was supposed to be an endpoint company. I just didn’t have funding. I didn’t even look for funding. It was, let’s respond to every breach that matters, so we have a front row seat to see all the new and novel attacks. And let’s build the next-gen endpoint technology to stop the attacks that we witness. So I think George built the company I was trying to build.

JON SAKODA: Well, let’s go back to this time period, because this whole concept of incident response, breach detection, breach response, even having consulting or offensive capability, all this is brand new, right? So let’s go back. Did you just sort of have, I don’t know, the naivete or the boldness to go do this? What was your thinking? You just sort of decided, “Hey, this is all I know?”

KEVIN MANDIA: Yeah. In hindsight, first, it was 2004. February 26th of 2004, I start Mandiant. And I sat in a Starbucks to write a business plan. All I wrote in that plan, and I still have the document, is—I wrote like 55 companies and said, “Here’s who our customers will be.” Which is ridiculous. And by the way, all but two became customers. And all we were gonna do is respond to every breach that matters. But you can’t proactively sell that. So we had to sell assessment work and pen testing and those things as well. And we were gonna do consulting to bootstrap and endpoint technology, and we did hire Dave Merkel, who now runs Expel, who was our first and only head of engineering. He also ran sales and eight other things, two years later. So we bootstrapped with this.

But you just hit on it. I started a company with, we’re gonna respond to every breach that matters. And our website said—this was pathetic. It said, “You cannot solely rely on preventive measures,” which is not very marketing. “You cannot solely rely on preventive measures.” And we changed that to be, “Security breaches are inevitable. Don’t be a headline.” Nobody really bought that. And I always felt, based on what I saw, that most break-ins were based on human nature, duping humans into doing things. And I also felt the best offense in the world is gonna get into the game. And the people building apps are massively underestimating the level of effort that folks will have to reverse them and look for vulnerabilities. And by the way, we still do that today. We underestimate the adversary.

JON SAKODA: And Kevin, I think, isn’t that one of the great insights around Mandiant in retrospect, is maybe you had the benefit of having seen this in the 1990s? And in the early 2000s is the timeframe that I grew up in and was on the field.

KEVIN MANDIA: Yeah.

JON SAKODA: It was spam and phishing attacks.

KEVIN MANDIA: Right.

JON SAKODA: It was all kind of lightweight cybercrime.

KEVIN MANDIA: Right.

JON SAKODA: And I don’t know that there was as much energy and attention on the leveling up the game to go after intellectual property and nation-state warfare.

KEVIN MANDIA: I think Mandiant, we only responded to, for the most part, nations. I mean, nobody hired us at $400 an hour to respond to spam. You just nailed it, Jon. I had the right premise. I didn’t even know it. I mean, I did know it. I was highly confident. But I think 99% of the world would’ve said, “Mandia is wrong.” I felt security breaches were inevitable. Like you run, exercise, and eat right, and you still catch a cold. And I felt the same way in cyber. You can do everything right on the networks. They’re too complex. We’re gluing stuff together. You’re gonna have an incident. But the offense is coming, because that’s what I saw in the military.

So I think I got lucky that my experience showed me what the Chinese and Russian SVR’s capability was, and I knew they were literally gonna kick the crap out of our private sector if they chose to do so. And over time, at least the Chinese did. And if you take away Chinese cyberespionage, I don’t think Mandiant survives.

JON SAKODA: And I’ve heard you talk about this before. I want to maybe channel the younger version of yourself for this part of the podcast. I think you said that part of the reason why you started the company was that nobody really understood what you were doing. You had a high risk profile. I think you also described yourself as being unmanageable. What was it like when you were in that Starbucks and then walked out on the field?

KEVIN MANDIA: In hindsight, I was confident bordering on arrogance. There’s no other way to describe it. I felt I was great at what I did. And I know that’s weird, because I don’t feel good at anything, usually, you know? But I remember, I felt I knew the people that were great at what we do. I could recruit those people. And so, the composition of why you do something, there’s multiple factors. I would say it’s 30% to 50% just unbelievably confident, “We’re good at this, and I know people good at this. Let’s go do it.” And nowhere was responding to breaches a full-time job. Nowhere on the planet that I was aware of.

So I was like, we’re gonna start it. And we’re gonna get the folks that can be the best bedside doctors during an incident. And we did. You gotta be good at what you do, Jon. And even today, when I look at possible investments, to find a founder that doesn’t and breathe—like if the genesis of their career doesn’t add to what their company does, it just doesn’t make sense. My whole career was responding to breaches. It was time to just go do that.

JON SAKODA: Well, let’s go back to those mid-2000s again, because I have been wanting to ask you this question. And that is, is security software getting better? I mean, I think we’ve given the commentary on where it was. We know the offense is getting better.

KEVIN MANDIA: Yeah.

JON SAKODA: So how is the defense?

KEVIN MANDIA: Absolutely getting better. Our innovation is so much better now than in the 1990s and early 2000s. I can tell you this. Mandiant wrote our first external report, where we referred to the advanced persistent threat. I think we published it in either 2010 or 2011. It was one of those two years. And a major company that has their own cybersecurity report said, “Hey, don’t believe the hype about APT. It’s fake.” Really? It was the only thing we were responding to as a company, and we were doubling in size every year.

In 2011, one of the largest antivirus companies called me up and said, “Is it true there’s cyberespionage campaigns from China against the United States?” Yes. And for the last seven years, Mandiant has responded to hundreds of security breaches at hundreds of companies. So, what we had was a software industry making security software, and they were not in touch with what the adversaries were really doing.

JON SAKODA: Well, let’s tell this whole story, because I think this is one of the most important stories in the history of Mandiant. And that is, you began to do very highly specialized work around breaches.

You discovered patterns, which you then named advanced persistent threats. And I remember when you began to market that this was even a type of threat, like the type that you really just can’t detect one-off, right? It’s something that is persistent in some way. And then famously, that led up to APT1 in 2013. But I think a lot of people think that in 2013, that was just the beginning of it. But it had been years leading up to that point.

KEVIN MANDIA: Nine years.

JON SAKODA: Yeah. And so, walk us through that journey, because nine years is an incredibly long time to be observing something that is so fundamental, only to have everybody tell you it’s not real. And it took courage to publish something which was very controversial at the time. And I’m sure that there was some frustration and some courage that it took to really get through all this.

KEVIN MANDIA: I always wondered, if somebody could cure cancer today, would it take 10 years before we heard that voice? And unfortunately, maybe, because of the amount of money made in the apparatus that treats it. Mandiant was always seen as this fear, uncertainty, and doubt company, when all we ever reported on was fact. We had to figure out what happened and what to do about it, meaning write a remediation plan. And that’s a very strategic way of taking someone from point A in cybersecurity to point B, and let them know, hey, your new normal is there’s a Chinese cyberespionage campaign. Someone somewhere in the world badges into a building every day and says they need to hack you to steal something from a certain program. So you have a continual bout. You have to get in the ring every day and fight these guys.

And so, we codified forensic evidence in the mid-2000s. Every time we responded to a breach would be like, what’s the IP range? What’s this? What’s that? And we created a Leave Note database that became the source of our intel so we could scan. So every time we responded to a breach, with great discipline and rigor, we recorded all that trace evidence and put it in this database. And then by 2013, we had decided, we’ve responded to this one group out of China, PLA Unit 61398, 141 times over nine years. And we were certain. And we kind of got to watch a building come up on Google Earth. They built their headquarters, basically, while we were responding to them, you know?

So that was the story that you’re referring to. February, maybe 13th or 15th of 2013, we went live with that story with the New York Times, with David Sanger. And it’s because the New York Times was breached by these guys. Well, we published it based on about eight or nine reasons. But I couldn’t have stopped that report if I wanted to. Because at the time, Mandiant was about 400 employees. And I’d say about 200 of them were former military. And it was the Chinese New Year at the time. And my team really wanted to do it. Let’s have these guys come back from vacation, and they’re the news, that we blocked every one of their backdoors. We blocked all their infrastructure.

And so luckily, the Chinese New Year is celebrated for like eight to 10 days, so we had a long window to time this. And then kudos to the New York Times and David Sanger to say, “Let’s make it an article. Let’s write about this.” Because I remember telling him, Jon, I was like, “David, nobody cares.” And I was wrong. David Sanger was right. And he created a great story.

JON SAKODA: I think you ended up getting on the cover of, was it Fortune Magazine?

KEVIN MANDIA: Yeah, it was Fortune Magazine. And meanwhile, my internal dialogue was, “Nobody cares. No one’s gonna notice.” When we wrote that report, I just went to work that day. I didn’t know I’d be on every news station by 8:00 PM that night. We didn’t do it for marketing. I don’t care what anybody says. We did it for thought leadership and we did it because it was the right thing to do. There was no marketing plan behind that. Nobody in the car with me when I was doing TV interviews.

JON SAKODA: No, I think famously, you actually said no to being put on the magazine, right?

KEVIN MANDIA: I did say no. I said yes when our head of marketing, Mike Evans, called me up. And he said a little bit of profanity. But he basically said, “You’re not on the magazine for you, you idiot. You’re on the magazine for the company.” And when he said that, I went, “Oh, he’s right. This isn’t about me and being on the cover. This is about Mandiant and the efforts of the men and women of Mandiant.”

JON SAKODA: Would you have done anything differently?

KEVIN MANDIA: I don’t think so, because I mean, I never did an after action report. Did we release it at the right time? I was actually up at Harvard at the time, by the way. It was a weird time for me, because when I got the first APT1 report, it’s not like we had proofreaders at Mandiant. We were a self-funded profitable startup. I proofread the damn thing. And I just remember missing lots of class writing the thing. No, I wouldn’t have changed it. The timing felt right. In hindsight, we were riding a wave. And it just felt to me, between the CEOs I talked to, the government folks that we were working with, people wanted us to write this report and get it out there. And I mean, we weren’t wrong. It was a pretty good piece of work.

JON SAKODA: I mean, it is a foundational part of not just the history of cybersecurity, but also now the single most consequential geopolitical relationship on the planet. You mentioned you were a bootstrapped company, and you were doing the proofreading of the APT1 report. So tell me a little bit about some of the early days in terms of, did you just never think anybody would give you money? Did you not necessarily want to work with investors? What were sort of the early days like?

KEVIN MANDIA: We never sought funding when I started Mandiant. Unbelievably, in hindsight, I think I only saw months at a time, the whole time. It’s just my vision of every single three-month increment would change. Get a little broader, a little bigger, a little more hopeful. And the first month was just, I can hire a couple critical employees. A guy named Brian Dykstra came on board, was a freight train of effort, he got in. Curtis Rose, who’s one of the smartest computer forensics people I’ve ever met, came on board. It was, build a great team, do great work, and if you do one job right, you’ll get your next job.

I’m not kidding, it was like stacking one Lego at a time. But I didn’t see more than five Legos at once. That’s kind of how I ran the company. It was maniacally focused on when you walked into Mandiant, there was a sign that said, “Do it right, do it now.” Every Saturday, every Sunday, we worked. There was no day off. There really wasn’t, Jon. In hindsight, if I had to change one thing, I may not have pushed as hard as I did.

JON SAKODA: Well, I was able to look up on the Internet Archives that you also had cancer around this time, right?

KEVIN MANDIA: Yeah. It was one year in. Diagnosed in January of 2005.

JON SAKODA: And is it true what I read on the internet, that you had cancer treatment in the morning?

KEVIN MANDIA: Wow. Yeah, that’s true. I didn’t want to miss work. We used to do staff calls on Sunday night, because I was like, weekdays are the customers’ time. 6:00 PM on Sunday nights were staff calls. Can you believe that?

JON SAKODA: No. And then I guess you had to schedule in chemotherapy.

KEVIN MANDIA: It was actually radiation treatment. It was, I think, 6:00 AM every morning. I would drive into DC to the hospital and get back in time. My goal was to not miss a day of work. And I could probably tell you I didn’t. But I probably should have.

JON SAKODA: Before we get into some of the lessons learned and what you guys could’ve done differently, Mandiant was not a typical startup environment. You guys were always responding to a crisis. Did that in some ways require you to create a unique type of work culture?

KEVIN MANDIA: I think so. An interesting stat about Mandiant is more people used to work there than currently work there. But there’s a reason for that. It’s almost like you are an emergency room doctor all the time. There’s only so long you can be on call. You want to start a family and you don’t want to travel? The job’s ill-fitting for that. I just remember one day, I’m standing literally at the water cooler, as they say. The difference is, it’s about 1:30 in the morning. And a guy comes in, his name is Ken Bradley. And he’s got kids at home. But he comes in at 1:00 in the morning like it’s high noon. And he’s coming back from a job. And we’re just talking like it’s high noon. And I’m like, “This is the wrong job for this guy. He’s got a family at home.” But where is that normal? And by the way, we weren’t the only two. There was like four other people standing around a water cooler catching up on, how did the job go? How did you do? Who hacked in? What did they do? The pursuit of excellence on each engagement we did kind of made you ignore the clock at Mandiant, and the day of the week, for that matter.

JON SAKODA: And to be honest, now that you coach founders and coach CEOs, is it any different now than it was back then? I mean, do you have any different advice?

KEVIN MANDIA: Jon, I think the advice would change to the founder and what they need. But one of the things I’ve always felt, in my opinion, they can’t feel like there’s an out. Unfortunate reality, you need to feel like you are cornered, and the only way out is to get out of the corner. And because I think any founder with an out, there will be times where it’s too hard, and they’ll take that out. And I think I got lucky at Mandiant. I was always waiting for the excruciating kick to the face, figuratively. And it never happened. Mandiant was profitable every year of our existence except one.

And when you’re profitable and you’re doing what you love, you can just keep doing it. We didn’t have to worry about an exit. We didn’t have to worry about funding. When we did our funding with KP, Kleiner Perkins, and One Equity Partners, 80+% of that was secondary to a bunch of Air Force guys who had no furniture, you know? So, I watched other founders, that if they felt they had an out, I’m not sure they would’ve made it over the hump. So I tell everyone who’s starting a company, there is no retreat plan. There just isn’t. And that might be overly intimidating. So in hindsight, 10 years from now, my 60-something-year-old self will say my 50-year-old self was a little bit too hard.

JON SAKODA: Well, I mean, literally, you are at war in a startup, and in your profession, you are at war.

KEVIN MANDIA: Yeah.

JON SAKODA: I mean, you’re descending into some of the greatest form of modern combat that is on the planet today.

KEVIN MANDIA: Yeah.

JON SAKODA: It is not just a metaphor in your case, right? So I think it does require a certain kind of psyche.

KEVIN MANDIA: I guess that was my long-winded way of telling you that I’d advise a founder, there will not be a balance in your life.

JON SAKODA: Yeah, no, that’s right.

KEVIN MANDIA: Hey, I’d like to do spring break with the kids. You could, but your competition probably is not on spring break right now.

JON SAKODA: That’s right.

KEVIN MANDIA: Yeah.

JON SAKODA: It is, I think, now fairly well-known that we need some of the best offensive players building great defensive capabilities. And I think you’ve been pioneering elite research, building great services, then building great products. So what are some of the best practices now if you’re trying to share that back to people? How do you build great services and great software together in the same company in a high-growth environment?

KEVIN MANDIA: I can tell you that a lot of folks won’t agree with what I’m gonna say. I have always believed great software is nothing but the automation of great human process. And if you are automating the brain surgeons for an important task, that’s important software. So, when I look at cybersecurity and the complexity of it, we do need to automate it to get the scale, to protect those who can’t hire the expertise to protect their organizations or even their homes. I do believe in the innovation cycle of having the pros from Dover, the Navy Seals, under the same hood as software engineers. And creating a feedback loop, especially in cyber, where you have folks who understand defense, understand offense, influencing the product.

What I’ve learned is, you could be a product manager saying, “Hey, Jon, what do you think you need for security, and how do your folk want to work?” Or you could have a company paying you hundreds of thousands of dollars. And I think you have that company’s attention even more when they’re paying you for the service. And you let them know, “Listen, we have to deal with people today. But it’s technology-enabled people. And over time, we’re gonna automate this.” I just believe it’s a better workflow, at least for enterprise companies. Maybe for consumer tech, it’s different.

But my background, building enterprise software—in security, I’ve always thought it was kind of funny. Asking customers what they want—every customer’s gonna say, “I don’t want a breach. I don’t want to deal with this stuff.” So it’s on us to go figure out the problem. So I’ll leave you with that. I think services is critical to product research.

JON SAKODA: Kevin, as you describe it, it sounds very logical. But as you mentioned, not everybody agrees with you on this. Why don’t people agree with you on this?

KEVIN MANDIA: Valuation. It’s amazing, but the models that get valued—first, there’s way too many bankers in every industry and market, right? They’ll look at the spreadsheets and say, “Well, you’re not scalable. Your operating margins aren’t what they need to be.” Or actually, in this case, in our business, gross margins. “Oh, your gross margins aren’t over 80%. You’re not growing at over 30% in revenues.” Technology scales. That’s what people tell you. And the things that scale get valued higher. I just think you build far better tech, especially in security, with an arm of Navy Seals that are doing the job.

And I think that’ll prove out. I think Foundstone started that. I really do. If you have a great services organization, you should have a better operating margin than a company that relies on sales as their only go-to-market. There’s gotta be better ways to measure that. You do get productivity from your experts and your thought leadership that drives product adoption and sales. And I just don’t think we’ve done a good job of measuring that.

JON SAKODA: That’s an incredibly thoughtful point. In some ways, this is the best pay for sales and marketing.

KEVIN MANDIA: Mm-hmm.

JON SAKODA: In addition to being the smartest product managers that you can hire to do your product management.

KEVIN MANDIA: Right. You still need great product management. But boy, if I’m a good product manager, would I love an expert who just said, “Listen, I solved this problem. Someone paid me $7 million to solve it with humans. I will now tell you what I did to solve it. Can you automate that?” That is a great feedback loop.

JON SAKODA: That might be the best startup founding advice I’ve ever heard. Kevin, on this point, I think it’s well-documented that there’s a lot of security startups on the field today. Perhaps there’s too many. What’s the advice that you have for founders today? I know that now in this chapter of your life, you are a great friend of founders. You give a lot of great advice. So what’s some of the advice you’re giving to founders out there today?

KEVIN MANDIA: There are so many different ways to answer that, Jon. And each one might get a different picture. What worked for me, what I told myself, be true to yourself. If something you’re doing doesn’t feel natural to you, you’re not gonna be consistent. And you have to be consistent first and foremost. I would tell you, second thing, play the long game. Make decisions that aren’t one-offs that you can’t make all the time. You have to make your decisions in a way where the outcomes promote a sustainable practice as best as you can.

And then I would tell founders what I learned the hard way, and maybe it eluded me—the founder absolutely sets the culture. And you don’t realize that how much your temperament can be a whiplash. So I do believe that there’s got to be a consistency to decisioning and a consistency to your temperament. You can’t be wildly happy one day and depressed the next. I used to write down everything I had to do every day, and I just did it almost with neutrality. And the good days and the bad days were just, did I get through my list, yes or no? I think founders have to be consistent, know they set the culture, decision for the long-term, and keep their temperament.

I found over time, when I went from one person to 300 to 500 to 3,800 people, you go from managing walking the halls to managing through spreadsheets. But you also find that your temperament narrows and narrows and narrows, to the point where you approach things very, very consistently.

JON SAKODA: Let’s talk a little bit about the decisions that come in an M&A process.

KEVIN MANDIA: Right.

JON SAKODA: So famously, you’ve been acquired. You also have been asked to become the CEO of the acquired company, which is unusual.

KEVIN MANDIA: Right.

JON SAKODA: So when FireEye bought Mandiant, ordinarily, the team within the acquired company doesn’t always stick around. But you famously then became the CEO of FireEye. And now you’ve been acquired by Google. So I can’t think of a better person to ask this question. So, talk to us a little bit about all those transitions and some of the lessons learned along the way.

KEVIN MANDIA: Sure. FireEye buying us, I can tell you, Dave DeWalt called and said, “Here’s what I’d like to do.” And he laid out a plan. And I was damn excited. You get off the phone, and I felt an emotional response of, “My God, we can change the security industry.” And then why we did that deal, we were a private company. And I brought it to my direct reports. And I hit each one of them one-on-one with, “Hey, FireEye would like to buy us. Here’s what the terms are.” And I didn’t think about it till hindsight. I had 10 direct reports at the time, and 10 out of 10 said, “Let’s do the deal.” So I don’t know if I could’ve unwound it in the first place.

But I wanted to share the emotional response because there was a lot of offers for Mandiant along the way. There was literally LOIs faxed to me before with almost no due diligence to buy the company. And none of them got me as excited as FireEye and talking with Dave. So, I felt the excitement, combined with 10 out of 10 directs said, “This is the deal for us.” And usually when you get bought, you’re at some kind of fork in the road where you may have to change out some key leadership, or you may have to accelerate your go-to-market, or maybe you’re trying to go down market. Maybe you’re trying to go international. Maybe you’re trying to go public. Maybe you need funding. You’re usually at some kind of juncture.

The Mandiant juncture that we were at at that point was, I think in that stage, we were at over $100 million in revenues. We were profitable. I think we were gonna get pushed to go public. But I didn’t think about that. I hate to say it, it was the excitement I felt talking to Dave and team in with him that kind of promoted me to say, “Yeah, let’s go do this.” Sticking around, I can tell you, I’ve been the CEO that’s bought six, seven companies. I’ve always felt the obligation cuts both ways. As the acquirer, you want to nurture the asset you acquired and make it seem like one team. Call it a merger, not an acquisition, because it always feels like, “We’re merged. We’re working together.” I never wanted to call it an acquisition. “We bought you.” It just felt wrong.

I think there’s obligations in both ways. And I always felt, as the CEO being bought, all I’ve ever really wanted, Jon, was to be great at cybersecurity. If we can do that, I could wear any jersey. I just wanted to believe in the mountain we’re climbing. We’re still heading up that mountain towards the pinnacle of where we want to be. With FireEye, I felt we were still on the journey. And with Google, I feel we’re still on that journey. We can be—and by the way, we’ve never arrived. Marketing people get angry at me, or even coworkers, when I say, “We’re not there yet.” I’m never there. We can always get better. There’s always another inning to develop something, make something, adapt to something. So, I just always want to be on a journey where we’re still in the pursuit of greatness. And both the times that I’ve been acquired, that was the case. So, it wasn’t hard to stick around.

JON SAKODA: I know that this is gonna be tough. But is there a highest high and a lowest low that you can remember through what has, I’m sure, been just an amazing journey from the mid-2000s to now?

KEVIN MANDIA: Couple ways to answer that. I got advice once from a founder. For me, you always want your personal life and your professional life. You got to have at least one of those things working for you. Your personal life can unravel if you’re a founder and you’re all in. And I had some challenges there. And you just have to recognize your own health. I’ve worked with people that have worked themselves to a family that separates, or worked themselves to 50 pounds of weight gain. All of us should recognize, hey, there’s no dry run here. This is your one shot. And it’s almost impossible to be great at both, your professional life and your home life.

My lows weren’t professional. They’re more, I felt a duty and an obligation to the company and the thousands of people there that sometimes trumped personal relationships with friends and family. So that’s a long-winded answer, Jon, that if I were advising founders, keep your personal house in order. It’ll make you better professionally, and that’s important.

JON SAKODA: So can you unpack that just a little bit? Because I think this is one of the hardest things that every founder is facing, right? They have that same seven-day commitment that you have. They have that same around-the-clock mentality. That’s how they get to where they got. Many times, we start our companies without families. And we’re younger, and it’s easy to maintain our health. And then if you’re lucky, you become wildly successful. The intensity doesn’t go down. You get a family.

KEVIN MANDIA: Mm-hmm.

JON SAKODA: It’s a little harder to keep your health. So what’s the solution to the puzzle? How do you actually balance the picture if you’re trying to keep your personal house in order while maintaining the intensity and the tenacity that you know is required?

KEVIN MANDIA: I think the key, at least the way I’ve sorted it out—it may be different for everybody in their prioritization of their own lives—is open communication, because I don’t think there is a balance. I think what it takes at times in your professional life, simply, you have to be successful there at the expense of your home life and the support you have there. So it’s an open dialogue with your loved ones and your family as to what you think you need to do. And if that’s unacceptable to you, you always have to figure out how to get your company over the next hurdles or through the next gateways, with or without you.

When I started Mandiant, I felt there was a social contract between me and everyone I hired that we would take care of you. And we weren’t funded. When I hired Dave Merkel, he took a huge pay cut. I mean, everybody did. I was like, “Hey, man, I know you got a family and kids, and you want to pay for their college. But can you take a 30% pay cut to come to this little startup garage band?” And they did. And when you kind of see that sacrifice, you’re all in. So communicate to your family and your friends. They will never truly understand it, but you’d better communicate as much as possible what it takes for you to get over the hump. Some people define themselves professionally. Some people define themselves like Ted Lasso, and move home to coach their son, rather than be a great football coach in the UK. So, don’t know the answers.

JON SAKODA: Well, I think you maybe unpacked a great hack and a great piece of wisdom. So, there’s two. One is, I do think that the transparency, that the communication is a big part of it, right? I think a lot of the reason maybe why the personal life is not always in order is because everyone there doesn’t really know what’s going on, right? But if they do know that, in some ways, they can be more empathetic. I think a lot of us that are so heads down and work, we don’t actually ever really open the door or open the window.

I think you also hit on another important point, and I think this is deeply personal to a lot of founders. And that is, sometimes I think we project that somehow this is a terrible tradeoff, that we’re giving everything to our company, maybe at the expense of our personal life. But I think you described Dave Merkel as an example, as being somebody that you felt almost a personal and family-like obligation to. And in some ways, the early teammates are your new family, and there’s a certain deep personal commitment and bond that is created that is, in some ways, as strong as having a family.

KEVIN MANDIA: Mm-hmm. In the early stages, I think as a founder, I felt it was harder to interact and manage 500 than 3,000, because you know them all. In fact, I would tell you it was harder to do 50 than 500, because you hired them all, know them all, know their families, know their spouses, and you just feel this personal draw to making the job complete for them. But every founder’s gonna not have a balance, in my opinion. And when you tilt that balance, you have to do the best you can to explain to others where you’re at and how long you might be there.

JON SAKODA: Along the way, usually there’s something that we observe. And that’s, sometimes companies outgrow people.

KEVIN MANDIA: Oh yeah.

JON SAKODA: How did you deal with what I call the paradox of loyalty, right? That all these people left their jobs, took pay cuts, came to serve, and at some point in the battle, the game’s gotten too fast, it’s gotten too hard, and it’s time for them to go home.

KEVIN MANDIA: First, never BS anybody. Second, you do what’s best for the best outcome. And everybody will respect that if you operate under the principle, “Everything I do is what I believe is what’s best for the company. Not best for me, not best for him. Best for all of us. The collective mission.” And I think I was authentic to that. How are we the best incident response from the world?

How do we run ourselves as crisply as we can? It was weird how brutally honest we were. Part of it to save time; part of it to save the direction of the company towards greatness.

I was lucky enough that almost all the staff I hired were great at what they did—compared to me, anyway—and great for the phase that we were in. And I only went through one management change, except for in sales, where I went through a few more than that. But that’s what I would say to any founder. Do what’s best for the company. End of story. Know what the company’s objectives are and do what’s best for that. And if that means changing people out, it’s not a personal decision.

But every founder will replace their staff. I would be shocked and astonished if you don’t have to have a tough conversation with a co-founder or your first head of sales, saying, “Hey, listen, this is—we’re gonna go in a different direction. But it’s not personal.” If it is personal, then fine. You figure out how to communicate that. But in my opinion, I backed into every decision that we made for personnel I felt was genuinely best for all of us.

JON SAKODA: You’ve had so much amazing success. Looking back, anything you would’ve done differently? Any lessons learned? Any coaching advice that you’d give to your younger self?

KEVIN MANDIA: There’s lots of things you do wrong at the micro level. At the macro level, one of the things that I still haven’t done is reflected on, hey, look where we’re at. Founders, I think, do get wired in, “Who cares about yesterday? We got tomorrow.” And I began every all hands, Jon, with, “That was our best quarter ever.” And then I was done with talking about it. And we’d go right into the next one. At least when we were a private company, that was the all hands. I think it’s, every once in a while, take that time out to reflect on where you’re at.

And maybe as you grow your company, I probably could’ve done more off-sites with the team for more team building. I kind of let the average work day be your team building. It may be nice to get people out and get them together without the pressure of trying to accomplish a work task. I did not do a lot of that. And in hindsight, the job itself just created a race. You had to run six-minute miles every day. It’s worth it every once in a while to take that time out, do a 10-minute mile a day with the team.

JON SAKODA: Kevin, I know we need to wrap up. This story has been amazing and full of wisdom for lots of founders. I think it’s some of the best advice I’ve ever heard on our podcast. And I am so grateful that you were able to join us. I know you don’t do this very often. And I’m very appreciative that you did. Thank you so much for coming on the show.

KEVIN MANDIA: Well, thank you, Jon. Appreciate the opportunity to speak with you.