From Bootstrapped to Venture-Backed with Vinnie Liu
Few cybersecurity startups develop strong customer relationships with 25% of the Fortune 100, attract an incredible team of experts, and become a market leader– all without any funding.
That’s precisely what Bishop Fox did for over a decade before raising a Series A round in 2019 to invest in the future of offensive security testing at scale. Bishop Fox co-founder and CEO Vinnie Liu has helmed the company through it all, working to proactively protect the company’s customers from the latest threats.
In this episode, Forgepoint Capital Managing Director Ernie Bio speaks with Vinnie about working with the NSA at 17, co-founding and bootstrapping Bishop Fox, deciding to pursue venture funding, what it takes to build a customer-centric business, developing a scalable offensive security platform, trends in Gen AI and enterprise resiliency, and more.
Episode 14
October 30, 2024
Vinnie Liu has over 20 years of deep expertise as a pen testing consultant and CEO. His leadership most recently helped Bishop Fox expand its role as the premier offensive cybersecurity provider with the company’s award-winning Cosmos platform.
Vinnie and the Bishop Fox team work closely with companies at the forefront of threat remediation, identifying risks and often discovering new vulnerabilities. Aspiring entrepreneurs and founders, listen closely: you won’t want to miss Vinnie’s critical insights on starting and growing a company, Gen AI, shifting notions of business resilience, the interplay between human and machine intelligence, and many more essential topics.
“The results that came back at first were mind-blowing. We were getting criticals. We were getting domain admin or root within 48 hours. We realized we were on to something. Essentially, it was this concept that we could build an Iron Man suit for our testers and do it at scale. This was the other driver behind getting a VC investment. We realized we were onto something, and we wanted to invest in it because it would allow us to continue our mission of taking care of people and keeping them safe. ”
Vinnie Liu CEO & Co-Founder, Bishop Fox
About Vinnie Liu
Vinnie Liu is the CEO and Co-Founder of Bishop Fox, the leader in continuous offensive security and penetration testing services. A 20+ year veteran in cybersecurity, Vinnie began his career as a security analyst at the NSA in 1999. After graduating from the University of Pennsylvania, Vinnie joined Ernst & Young as a security consultant before running Honeywell International’s global penetration testing team.
In 2005, Vinnie co-founded Bishop Fox with Francis Brown and ran the self-funded company for 13 years before raising a $25 million Series A round in 2019. Since then, Bishop Fox has expanded its presence within the offensive cybersecurity space and now serves 26% of Fortune 100 companies as well as 8 out of the 10 largest global tech companies.
Vinnie serves as a board advisor for AppOmni and CLEAR. He has co-authored multiple best-selling cybersecurity books and is regularly cited by media outlets as a cybersecurity expert.
Episode Highlights
Transcript
0:22 Introduction
Ernie Bio [EB]
Welcome to the Forgecast. I’m your host, Ernie Bio. I’m pleased to have with me today, Vinnie Liu, the CEO and Co-Founder of Bishop Fox. Vinnie has been in the industry for several decades now and he began his career with the National Security Agency (NSA). Bishop Fox is a leader in offensive cybersecurity and we’re going to dig into that today. Vinnie– welcome to the show.
Vinnie Liu [VL]
Thanks, Ernie. I appreciate the invite and look forward to our conversation today.
0:58 Offensive Security Services: Finding Problems before the Bad Guys
EB
Excellent. For those listeners that don’t know who Bishop Fox is, tell us at a high level what you guys do, what the mission is, and why you do it better than your competition.
VL
I always like to think of it as how do we do it differently than our competition and how are we different than our competitors. One thing you said there- mission- is something that is a big differentiator for us. We are an incredibly mission-driven company. Our job is to keep people safe online and offline. We realize the impact of the work that we have done and will do.
The work that we do is to provide offensive security services to the Fortune 1000, large enterprise, mid-sized enterprise, and some of the mid-market. We grew up in that space, looking at some of the most complex network environments, some of the most tangled applications, some of the most interesting products, some that hadn’t even hit the market yet. Our job is to find vulnerabilities in those assets and systems so that our clients can remediate or fix those before bad guys find them. One way that I think about our job differently when I describe it to the layman is that our job is to find problems before the bad guys do so that our clients can get ahead of the bad guys. That’s really our job. Every day we go head-to-head with some of the most sophisticated, skilled attackers in the world and we protect our clients.
2:40 The Bishop Fox Origin Story
EB
When people ask me what you guys do, I put it like this: there are a lot of offensive security companies out there, but when you need the best of the best, when you want to SEAL Team Six of pen testers, you go to Bishop Fox. I think that’s a huge differentiator.
You and your co-founder Francis Brown started the company back in 2005. We’re going to get into the details, but let the audience know why you decided to start the company.
VL
At the time when we first started the company, we were just being asked to do pen testing by our friends who were working at other Fortune 100 companies. We were both working at Honeywell, doing and leading a lot of the penetration tests, the assessments, and the reviews, doing that sort of deep technical vuln-finding work. We were being asked by our friends at other companies of that size to help with their extra work. We were kind of doing some moonlighting. We thought it was fun because we got to work with our friends, doing more cool stuff. We loved it and we were passionate about it. I think that’s the core: we are passionate about what we do because we realize how important it is and the impact that it can have.
For the first six to seven months, starting in Q3 of 2005, it was a side gig. Then in February of 2006, we made the decision to do this full-time. We were really young at the time and the thinking in our minds was “What’s the worst that can happen?” Now, when I look back, there was a lot of ignorance. We didn’t know what we were signing up for by starting a company.
But the beauty of it was that we loved what we did and really enjoyed the work. For the first two or three years, we were a lifestyle company. We were doing it because we were super passionate about it. We were working out of a living room in Arizona doing work for Fortune 100s. It was incredible because we got to work on cool projects and got to work with our friends. As we grew over time, our clients kept coming back and referring us to others. We would hire people we knew were great at testing and were passionate about it. We went down that path and it led to our core culture being defined by technical excellence and over-the-top service delivery- because we were taking care of our friends. You want to take care of your coworkers and colleagues because they are your friends. You want to do great service because they are also your friends.
I think that’s really carried through for us at Bishop Fox. For the first 13 years, we were bootstrapped. That phase established who we are as a firm today. We hire people that we like working with. We work with clients in a way that I would want to be worked with. There’s a cultural norm that we have here: be the people that other people want to work with.
6:28 Vinnie's Kentucky Upbringing
EB
That’s amazing. We’ll jump into more details because you did make that transition from being bootstrapped to what I call being “venturized” by getting your first institutional capital.
Before we go into that, let’s get back to your story. When I first met you, I made the erroneous assumption that you were just a tech guy that grew up in Silicon Valley, but you grew up in Kentucky. Talk about your journey and how you got interested in cybersecurity.
VL
Not too many people ask me questions in this direction. I grew up in Kentucky and interestingly a lot of my family is from the South. It was not a place where there were a bunch of people working on tech. My interest in tech started in elementary school. I remember my best friend at the time, Mark. He and I would be futzing around with computers, playing video games, and tweaking memory management so that we could play our favorite video games.
In high school I found a couple of folks that were really into computers as well. I was on bulletin boards early on. I had a 1200 baud modem, then I got a 2400, a 14400, and a 56600. Eventually, I got onto the internet through dial-up and found IRC (Internet Relay Chat) which I spent and wasted a massive amount of time on. That was my first exposure and it was a pivotal moment for me because I started to discover more of what was out there, like Phrack, zines, and the hacker scene. It got me really interested because I realized there was a whole lot more here than playing games.
8:55 Working with the NSA at Age 17
EB
My understanding is that you got a gig with the NSA when you were 17. Can you talk a little bit how that came about and what the journey was like?
VL
It goes back to IRC. I still remember the guy’s handle who directed me toward the NSA. He was a part of the Air Force and was working with the NSA, and told me about a program designed to recruit the next generation of cryptologists, mathematicians, linguists, and computer scientists into the NSA. The program targeted high school students who were graduating and he put me in touch with it. I still remember my parents were really freaked out because they didn’t understand what it was. Honestly, I didn’t really understand what it was either. At the time, the NSA was still a black box. I think there was one book that was written about it, The Puzzle Palace. Other than that, it was this faceless agency.
EB
I’m trying to figure out the timing here. Had you applied to college already?
VL
Yeah, it kind of happened in parallel. We were considered full-time employees. We’d get a salary and split our time between school and the agency when school wasn’t in. There are several folks in the industry today- I won’t call them out- that were in that program that I still know of. I made a lot of great connections and many of those folks are still out there and are still active. It was awesome. I feel like I was the lowest guy on the totem pole because everyone else was absolutely brilliant. I snuck in somehow.
11:19 The Early Days at Bishop Fox
EB
Well, at that age, most kids are flipping burgers somewhere and you were in the puzzle palace.
You alluded to your work at Honeywell and EY and how that led you to start Bishop Fox. Talk a little bit more about what that transition was like, because like you said, ignorance is bliss. You didn’t know what you were getting into. As a bootstrap company, you didn’t have capital coming in from VCs. You had to make payroll every month.
VL
There were years when we didn’t pay ourselves. It was off and on. Some years we were doing well and could give ourselves a salary. Other years, we had low expenses and could still afford gas and pay for pizza, so it was fine. There were definitely ups and downs. I remember we made a commitment to our employees early on that they were going to get paid no matter what. That meant my co-founder Fran and I were always conservative with our spending. I don’t know that either one of us has ever bought a new car to this day. We drove around this beater, a faded purple 1993 Toyota Corolla where everything was manual but the transmission, for a long time. We were really scrappy about it.
I think that’s the message for anyone who’s listening and thinking about going on that journey. If you’re not venture-backed, you don’t have the safety net. We didn’t come from wealthy families. We didn’t have any rich uncles or anything like that. We had nothing to fall back on, so we really had to make sure that we spent less than we made. I think we grew up that way and that wasn’t anything unusual to us.
EB
Was there any point where you and Fran were thinking, “Let’s just go back to Honeywell. Let’s get an enterprise job. This is too stressful.”
VL
About once a year. More seriously, though, as an entrepreneur you’ve got to be able to take getting beat down over and over again. It doesn’t matter how big you are, you’re still going to get beat down. You’re going to get beat down every quarter, several times a year. The only advice I can give is, this too shall pass. I’ve had to tell myself that countless times. Just keep that in mind. You’ve just got to keep moving forward.
14:42 Pursuing Venture Funding
EB
I’m sure it was tough. You got to a point around 2018 when we met you, where you were considering taking venture capital and “venturizing” Bishop Fox. What was that decision matrix like? Why did you ultimately decide to go from a bootstrap consultancy to taking venture capital where you’re giving up equity in the company? That comes with some monumental changes.
VL
I think we’ve always tried to be honest with ourselves about how we were doing and what our skillsets were. Fran and I always talked on a regular basis and threw around ideas. We were also aware that we weren’t always going to be the best at everything, even though we are good in certain areas. I think at that point we had about $20 million in revenue or so- and we didn’t even have annual budgets. The biggest issue that our customers had with us is that we would send them invoices late or in the wrong quarter. It was just the general operational aspect that we were not as good at. We were fantastic at service delivery. We were fantastic at the technical work. However, we had to learn all the other aspects. We learned HR. We learned legal. We learned all those things over that time period. Every time something new came up, we would have to go and learn it ourselves and be the person who figured it out, which was really challenging.
We realized if we wanted to attract incredible talent, if we wanted to grow and take advantage of the market which was growing faster than we could grow organically, and invest in what we believed the future of offensive testing was going to be, that we needed to get some funding. That’s when the conversation started. Venture was one of the ideas on the table and ultimately won out because it was the optimal path for us as a business.
EB
What did your employees think at the time?
VL
They thought we were selling out. We had been independent for 13 years. But a lot of our pain points weren’t visible to the folks who were delivering the work day-to-day. For everyone else who was really trying to make lives better inside and outside of the company and take care of everybody, it was thankless. It was constant. Holidays, weekends, every single day. We barely took vacations.
18:00 Shifting from a Pure Consultancy to Develop a Scalable Platform
EB
I could imagine. By the way, the first deal I ever worked on was the Bishop Fox deal. It has a special place in my heart. So some of the employees thought you were selling out. I guess the other piece too is that you and other folks at Bishop Fox, like Rob Ragan, had other aspirations outside of consulting. Talk about some of those early thoughts and blueprints to take this beyond just a consultancy.
VL
We love what we do. Fundamentally, what we do is keep our clients safe. We help them protect themselves. Whatever we do, as long as we maintain that attitude we’re on track. We have a very service-oriented culture. We take care of our clients. We take care of one another. We knew that culture was going to be at the forefront.
The way that we did it could vary. Consulting and providing professional services is one way to do that. We also knew that we had to develop a different way to do that because the scale of the problem, the number of technologies and assets companies were deploying, and the speed at which they were deploying was changing a lot. We couldn’t keep up by just doing professional services, and we knew that technology had to be part of it. We looked around at what was available and what other folks were doing. We know exactly what every tool does, each tool’s strengths and limitations, and the problems that our customers have. We spent 13 years dealing with these things. What needs to be built and needs to be done? That was the genesis of our Cosmos platform came in. We ran some initial tests with our customers and the results that came back were mind-blowing. We were getting criticals, we were getting domain admin or root within 48 hours. We realized we were on to something.
Essentially, it was this concept that we could build an Iron Man suit for our testers. We could do this at a scale we never could have before. That was the other driver behind getting a VC investment. We wanted to invest in our idea because it would allow us to continue our mission of taking care of people and keeping them safe.
20:33 Market Differentiation Through Industry Leadership and a Customer-Centric Approach
EB
It’s an amazing story. Fast forward to today and in the last six years alone, you guys have done 20,000 projects and Cosmos has won several awards. You guys boast high NPS scores and continue to be the leaders in the space. Today, when you think of differentiation in the market, there’s a lot of companies and startups that do pen testing and there’s more automated stuff. What helps you guys differentiate amongst a crowded market?
VL
We are constantly researching the latest and greatest. We’re staying on top of those threats and trends. That’s one element that differentiates us. It’s one thing to say that you’ve got great people while it’s another to actually show and demonstrate that. We continue to give back to the community and share thought leadership around useful things that people want to know about. For us, the approach is: let’s talk about the latest vulnerabilities that are out there. Let’s give back. Let’s share our perspective at conferences. Let’s release tools. A lot of people can say that they’re good at things. I think that one thing we do differently is we show by doing. A handful of firms will do that but there is a small subset that can raise their hand and say, we can prove it. I think that’s the difference.
We also have a very different approach because of our roots. When we first started the company, we were doing work for clients who were also our friends. We invested a lot of our time in understanding their businesses and their problem set. That has carried through to today. Beyond just the technical aspects of what we do, we make sure our customers are surrounded by a team that is there to take care of them. The entire experience is developed in a way that demonstrates we’re here to serve them. That’s something unique that not everybody invests in. We are not trying to churn customers through as quickly as possible. We are really trying to take care of our customers and their problems.
EB
It’s a customer-centric business. You guys are mission focused. How big is the team these days? 300 people?
VL
I think a little under 350 or so, which is wild to think about.
23:27 The Cosmos Platform
EB
What I want to do now is dive into the Cosmos platform. Describe what it is, what it does, and how your Fortune 500 customers are leveraging it.
VL
The Cosmos platform is a nation-state caliber attack platform that we deploy in the defense of our customers. Our job is to find vulns before the bad guys do. How do we do that? Number one, we are continuously profiling your external attack surface to understand what attackers are going to see when they do their own research. Unfortunately, we get lumped into attack surface management- most attack surface management companies are like a data feed that just shoves a fire hose of 1s and 0s at you. For us, that is just a byproduct because the second thing that we do is a very rich attack surface analysis to gather information about your businesses and your attack surfaces. It’s not just where your IPs are and where your ports are- it’s a very deep, not wide, search. We then operationalize that analysis in the second phase of our managed service- we test your perimeter and look for weaknesses, misconfigurations, and critical and high-risk issues that may be exposed on your perimeter. At the end of that whole process, you have somebody that’s constantly watching your perimeter and your assets for changes as well as for emerging threats and vulnerabilities.
In a lot of cases, we’ve been able to find critical and high vulnerabilities very rapidly and in some cases we are the ones who discover them in the first place through our research as we protect our customers and their attack surfaces. We find them in 24-48 hours, often before our customers’ own internal change management processes do an ad hoc scan and before vuln checks are released. Cosmos is not a solution that gives you homework like other vulnerability scanners. We clearly identify what’s vulnerable and not vulnerable: out of these 10 issues, 7 of them are non-exploitable, 3 of them are. We are going to tell you exactly where you need to spend your time.
EB
You’ve gone from just some PowerPoint slides back in early 2019 to having this robust platform today. That’s pretty amazing.
VL
I’m proud to say that the delivery team, and not just the tech, is absolutely top notch. The NPS scores and engagement levels we get back from our customers are amazing and we’re doing it for some of the biggest banks and some of the top retailers in the world. It’s awesome to see how well this has scaled. A big differentiator is that we can handle some of the largest networks that are out there. Not everybody can say that.
27:03 Vinnie's Evolution as a CEO
EB
As you think back to being the CEO who was driving that Corolla and taking no vacations, now in the present day how have you evolved as a CEO? How has the journey been going from the early days to now having a company with almost 350 people globally working with a good chunk of the Fortune 100?
VL
I remember in the early days, we used to have a list of the Fortune 100 printed out and taped to the wall. We’d go through and mark them off one by one as they became our clients. Today, a lot of those boxes are checked and we are really proud of that.
I definitely have a lot more support these days, which is a huge relief. The problems are bigger but the team we’ve built at Bishop Fox to tackle those problems is what I’m most proud of. They’re incredible. I’m proud of the culture that we have here around knowledge sharing between our technical folks.
Also, I’m proud of the way that we communicate and try to be as transparent as we can. I remember way back in the beginning when Fran and I had a conversation about making big decisions, before we had any advisors or anything. We decided early on that whenever we came to a pivotal decision, we wanted to be able to look back on that decision and be proud that we did the right thing for our customers and our employees. That’s been the guiding principle for me as a CEO that has continued to evolve as the decisions that I’ve had to make get bigger and bigger, as we’ve gotten more employees, bigger customers, and larger contracts.
29:32 Safely Deploying AI and the Early Days of Gen AI
EB
You guys have a lot to be proud of. It’s a company that has scaled and kept its culture, with a solid team. Hats off to you.
No discussion would be complete unless I brought up AI and Gen AI. Recently, Forgepoint Venture Partner Kathryn Shih interviewed Rob Ragan (Principal Technology Strategist, Bishop Fox), who has taken the lead in helping customers safely deploy AI and Gen AI by leveraging his pen testing skills in this new area. I’d love to hear your thoughts on how you guys are doing that because it’s early days but it’s very important.
VL
It is early days. We’ve been fortunate to have brilliant staff, like Rob and an entire team of other folks, that have been digging into LLM and Gen AI for years. We’ve also been lucky to be working with customers who were early adopters. We’ve had the opportunity to get in very early with real world scenarios, start playing with those technologies, and actively test them- not even as contracted projects, but as thought partners. We’ve been in the AI space a lot longer than many others.
What we’re starting to see now is the commercialization of Gen AI, where a lot of companies are beginning to adopt it and integrate it into their products. We believe it is a seismic shift in technology and our lives. We’re excited that we’ve had a year plus to be testing and experimenting with these things. Our team has a tremendous amount of experience with it, to the point where we’re also implementing Gen AI for our own business use cases within Bishop Fox. We’re both looking at it for large e-commerce and retail software companies, where the first use case is often customer service, and we’re also starting to use it internally for ourselves because we’ve gotten so familiar with the tech. We can see a lot of areas where it can accelerate what we’re doing or enhance the quality of what we’re doing for our customers.
32:16 The Shifting Threat Landscape and an Evolution in Enterprise Defenses
EB
It’ll be interesting to see how this evolves, not only on the testing side but across security for AI. Obviously, there’s a lot of focus on AI governance right now. We’re keeping our ear to the wall and watching it very closely.
Let’s jump ahead to the future now. You and your team have a very unique vantage point. You see a lot of customers, some in very target-rich environments that adversaries are going after. How do you see the landscape shifting over the next two, three, five years as far as threat actors and the defense of critical companies and assets?
VL
There are two shifts that I’ve been observing.
The first is that people are starting to look a lot more at the proactive aspects of security. How do you get ahead of breaches? Fundamentally, that boils down to finding vulnerabilities and fixing them before they can be exploited. I think for the past 15 years, the market has overwhelmingly been focused on incident response and breach detection. It has always been about how good you are at taking hits. How quickly can you get up after you’ve been punched in the stomach? How resilient are you? However, when you look at the regulatory changes (the disclosure requirements), it’s a signal that it doesn’t really matter if you’re responding faster or if you’ve got an IR plan. What matters is that you got breached and now you need to disclose it. There are consequences that are being enforced. That change is combined with people now realizing they can get a lot more out of proactive defense than they can spending another $500,000 or $1,000,000 on detecting a strange corner case to make things just a little bit better. We’ve seen our customers make that shift. They’ve invested in offensive security, getting ahead of threats, and finding issues before they get exploited. An ounce of prevention is worth a pound a cure. People are starting to understand that and the regulators and compliance frameworks are starting to shift in that direction. We’re seeing a move there.
The second thing is a belief that we hold at Bishop Fox. I’m not sure everybody holds this belief. We believe that the work we do for the foreseeable future will be a combination of human and machine. That’s how the problem set will be solved. I know there are people out there that are promoting their fully automated AI solutions. There are others that are choosing to stick with a fully human-run service. Those are two different camps. We’re squarely in the middle, where we believe you need talented people paired with technology to solve the problem at hand. Everyone’s making their bets. This is ours.
36:21 Enterprise Resiliency
EB
You mentioned a word earlier that seems to be trending, which is resiliency. Unfortunately, there was a recent global issue with an EDR provider that really opened many companies’ eyes around resiliency. I know Europe has the DORA regulation which is more focused on banking and financial services. What are your thoughts on resiliency amongst enterprises?
VL
I first heard the word resilience a lot when it came to employee resilience around getting phished and other things like that. It’s a good lens to apply to almost anything within your organization in order to identify your key failure points. Security products, security solutions, and even security vendors can be weak points in your risk register. You’ve got to take that into account.
The recent global outages that have impacted a lot of companies are a good example of that. We have to consider the same thing when we think about cloud providers. The consolidation into a single cloud provider is dangerous. We’ve noticed our larger customers expanding into a multi-cloud approach for that very reason. You don’t want to wind up with a monoculture in certain situations. There has been proper risk evaluation done on that. I don’t know if security products and security solutions have gotten the same treatment, but it’s a good example of what could happen when a critical solution is deployed so homogeneously across your environment. I’m not singling them out, though, because the same could happen to anybody.
38:21 Life Outside of Work
EB
Absolutely. I do have one last question which I think aspiring founders will want to listen to, but before going there, my understanding is that you tend to go outside and do things when you’re not being a CEO. What’s your big hobby? How do you let off steam?
VL
I’m really big into waterfowl hunting. I remember doing it when I was very young with my uncle down on the shore of Louisiana. It’s something I’ve picked back up again. That’s where you’ll find me when I’m not in front of the computer.
39:10 Advice for Aspiring Founders and Entrepreneurs
EB
It’s good to spend time in the physical world.
There are aspiring and very early founders listening to this podcast. They’re always looking for advice from people like yourself that have been successful in entrepreneurship. What’s some advice you give these folks, whether they’re bootstrapping or raising venture capital?
VL
Surround yourself with really good people. I have been blessed in my career to have gotten an opportunity to work with incredible people. Those incredible people begat more incredible people. As an entrepreneur and founder, you are going to pour your heart and soul into the business. You are going to be spending a lot of your time doing this one thing. It makes a huge difference when you can do it with people that you really enjoy being around.
EB
Great advice. Easier said than done, right? It’s difficult, but that is the key.
Vinnie, thanks for your leadership, your perseverance, your passion for cybersecurity, and everything you do for your employees as well as your customers. Thanks again for taking time to chat with us.
VL
Absolutely. Thank you, Ernie. I appreciate you having me on the Forgecast.
EB
You got it. Take care.