The Praetorian Guard Platform Demo
See how continuous offensive security actually works, from AI-orchestrated attack plans to zero-day hunting, kill chain mapping, and attacker-verified prioritization. Watch the full walkthrough with Nathan Sportsman, founder & CEO.
7 Simultaneous Attack Vectors
AI agents assault credentials, cloud, LLMs, CI/CD pipelines, and more — all at once. Not sequential scans. Simultaneous offensive operations.
Zero-Day Discovery
Agents find, exploit, and verify vulnerabilities that scanners can't detect — then submit patches via pull request.
Kill Chain Mapping
See the attack paths that actually lead to compromise — not theoretical risk scores. Every finding is attacker-verified.
Full Transcript
1. Platform Overview — More Than Continuous Pen Testing
0:00
Nathan Sportsman: Hey, everyone. My name is Nathan Sportsman. I'm the founder and CEO of Praetorian, and today we're gonna give you a full scope demonstration of our Praetorian Guard platform. This is what you're up against, and this is what we're going to demonstrate how real this is.
0:18
Nathan Sportsman: So we're an offensive security company. We're known for kinda getting into things, hard targets, that sort of thing. We've built a platform, and we've seen a migration to continuous, but this platform is way bigger than continuous penetration testing or continuous red teaming. Ultimately, we've also built in what they call threat exposure management.
0:42
Nathan Sportsman: And as I walk you through this platform, you're gonna see we have attack surface management, breach and attack, cyber threat intel, penetration testing, of course, and vulnerability management. But we meet the customer where they are. And so if they have Census or they have Qualys, that's totally fine. We'll just integrate it, but we have these own capabilities ourselves.
1:08
Nathan Sportsman: We're gonna start with AI because everyone is super jazzed about this sort of stuff right now, particularly as these models are getting better. And so let's just kinda start here, and I'll kind of explain as we go.
2. Marcus AI Orchestrator — Query Mode & Agent Mode
1:30
Nathan Sportsman: We're going to compromise with Marcus and his band of merry Caesars. So Marcus is our orchestrator agent. He is your conduit into the platform. And so I just asked him a question — who are you? He kind of talks about his background and the things that he can do. Now let's ask him, what is your mandate?
2:00
Nathan Sportsman: We can ask him questions. We have about fifteen years' worth of data from being an offensive security company that we've fed Marcus and his band of merry men. But we can also query him on the enterprise relationships that he has for the particular tenant and the particular customer.
2:25
Nathan Sportsman: As you can see from the supported attack surfaces, a lot of these companies that are up and coming, they're just focusing on web apps or they're just focusing on internals. We focus on enterprise risk. We were focused at the CSO level at the board of directors level, and we need to look at all the attack surface to understand what the critical paths are.
2:50
Nathan Sportsman: So that's querying. That's a read operation. In query mode, you can talk to him and he can do reads on the various databases. We have a graph database, we have a data lake, we have a DynamoDB database, just a lot of different databases, and he has that full context. But Marcus can also be flipped into agent mode. And in agent mode, this is where you start to see the power of orchestration.
3. Launching 7 Simultaneous Attack Fronts
3:30
Nathan Sportsman: Hey, Marcus. Compromise this environment. Leverage all the attack surfaces that you see, all the agents that we can use, make it super interesting. I want you to really mix it up. People are watching. We need to wow them and really show them the full scope of your capabilities. Just do not stop until the objective is reached.
4:00
Nathan Sportsman: So Marcus talks to these sub agents. These sub agents are specialized. There's a lot of things you have to deal with when it comes to AI. One of them is you need to make sure that they're bounded, that they're not falling out of scope. There's controls that we have in place for that. But one of the ways to control how agents work is through the action space.
4:35
Nathan Sportsman: These agents have specialized prompts, they have specialized skills, and they have specialized capabilities that is all they are allowed to call. We control it through literally through code, and we constrain it. For the capabilities, we're kinda open sourcing those — APIs, we open source Vespasian for cloud, we open source Aurelien recently.
5:10
Nathan Sportsman: Attack plan — seven simultaneous fronts. Credential assault, LLM exploitation, a little bit of cloud, vulnerability researcher, crit finder, CI/CD pipeline attack, secret scanning. Human in the loop. He's asking me for confirmation, and so we're just gonna give him the green light.
5:45
Nathan Sportsman: So passive agents and active agents. Passive agents — they're doing things, but they're mostly benign. Triaging vulnerabilities that come in from Wiz or Tenable, that's a passive agent. Active agents are full on attack. They're there to compromise. Brutus does credential attacks. He's also multimodal. Augustus is another capability we open sourced — it's for jailbreaking LLMs. Trajan for CI/CD, Diana for web applications, Titus for secrets.
4. Attack Surface Mapping & Integration Gap Analysis
6:30
Nathan Sportsman: Step one, context. We need to map the terrain both as attackers and as defenders. Traditional attack surface management, we do that. We don't really see that as a product. It's a feature. It's a stepping stone. It's an input. It's not an output. What we're trying to get to is the outcome of what are the few things that you actually need to care about.
7:05
Nathan Sportsman: There's two ways to do this. We can map the assets and you get an asset list. We have our own techniques for enumerating these things. We have a tool called Pius that we also open source. Whether we're creating EDGAR filings or certificate scraping or zone transfers, we can find these things and figure out where they are in the environment. That's what we call a zero knowledge or outside in.
7:50
Nathan Sportsman: Things like this — it's in Cloudflare. We also found it independently. Deduplication technology, that's good. But we can start looking at what are the deltas between your systems of record. Why is it that Cloudflare is discovering this and Tenable is not? You have a vulnerability management solution, but you're actually not scanning your entire inventory.
8:40
Nathan Sportsman: The way that works is through integrations. What we're looking at is the total enterprise risk of the organization. We think about it in terms of attack surfaces. Whether it's perimeter, applications including LLMs, social engineering, code, cloud, and internet — this is your attack surface. These are all the ways in which we as operators doing this for fifteen years like to get into the environment.
5. Enterprise Risk — Every Attack Surface Covered
10:00
Nathan Sportsman: Code includes static analysis with sophisticated LLMs, but it's also things like supply chain attacks. It's CI/CD, like you saw how Trivia just got hit. Axios, how they just got hit with supply chain, and then secrets, which some companies like TruffleHog charge for. It's a feature. It's not a platform.
10:30
Nathan Sportsman: On the integration side, we have all those capabilities. We can do all these things ourselves, but we meet the customer where they are. With these integrations — it could be input sources for assets, input sources for vulnerabilities, input sources for telemetry when it comes to detection response. Pull the information in and then rifle shot out the things that actually matter.
6. Vulnerability Triage with AI Agents
11:30
Nathan Sportsman: If we go to vulnerabilities — if we take the origin of Wiz, Wiz is a great product, sold for thirty billion to Google. We love Wiz, but it can be a little bit noisy. These things come into a detected state for us. If the customer lets us integrate into their cloud environment, we can not only find our own things with Aurelien — we focus not on best practice in theory, we focus on kill chains. That's all that matters.
12:10
Nathan Sportsman: Let's run back and take a look at how he is doing. Brutus access, extract secrets. Full pipeline compromised. That's good. Brutus, two valid credential pairs discovered. He's getting into some stuff. He's gotten blocked on one — doesn't have access to a repo. A couple of things still running. We'll let him continue on.
13:00
Nathan Sportsman: For those vulnerabilities, we can triage those. I'll show you how to triage stuff with an agent that we call Cato. Coming back to the integrations and meeting the customer where they are — it's just input. Get all the threats, all the risks into one place, and then let's rifle shot out the actual outcomes. The number of integrations we support is fairly expansive.
7. Zero-Day Hunting with Constantine
14:30
Nathan Sportsman: The other thing that we wanna look for is technologies. We open source something called NERVA. NERVA does really cool things — it fingerprints software, but it's a little bit more sophisticated. It'll actually pull down the repos of something like MySQL, look through the code to literally understand how it works and how can we fingerprint, and it'll even look at version differences.
15:20
Nathan Sportsman: So we want to map the terrain to understand the technology. As CISA KEV and NVD comes out, we know exactly where those assets are and the technology that runs on them. Something for the defenders. Something for the attackers — we go zero day hunting. If a target is particularly hard, we'll fire up Constantine and have it find zero days for us.
16:00
Nathan Sportsman: Constantine can take anywhere from three hours, six hours, twelve hours depending on the size of the repo. It looks at the code base, understands the size, understands that an agent can only really look at about ten to fifteen thousand lines of code for two hundred thousand tokens meaningfully. It figures out how many agents to run across the code base so it doesn't hallucinate.
16:50
Nathan Sportsman: Then it goes through a threat model. It understands the input sources, your security controls for encryption, auth — and then we give it a prompt: find zero days, CVSS ten crits, remote code execution. It doesn't just find the vulnerability. It writes the exploit, verifies that it works, it'll even patch and send up a patch to the repo in PR if we want it to.
8. Automated Signature Feedback & Remediation Loop
17:30
Nathan Sportsman: The reason that we do this is threats. Threats come in from CISA KEVs, could be NVD, could be a number of things. As these things come out, we want to look at the EPSS score, the CVSS. Does it have a public exploit? Doesn't really matter anymore. If it's not, we'll get the N-day. With NVD and CISA KEV, we can use Vaxtinius, Constantine's little brother, to take information where we kinda know something's there and just dial it in.
18:20
Nathan Sportsman: We have various ways to improve our signatures. If we go to attacks and signatures — it is Nuclei, and we love those guys. When we or an agent confirms something's a false positive, there's an automatic feedback loop. It'll take that signature, understand that it's a false positive, update the signature, create a sandbox, verify it, and PR the signature back to us so we have a higher true positive rate over time.
19:00
Nathan Sportsman: Vulnerabilities come in, they get flipped to demonstrated states from detected. Once they're demonstrated, we can cut tickets. Those tickets can be automatic. This one cut to two different places because we're hooked up to Jira. It's bidirectional — when they think they've remediated it, we get a notification, and then we can go in and autonomously retest.
9. Graph Database — Attack Paths & Kill Chains
20:00
Nathan Sportsman: Let's showcase a passive agent. Please triage some of our other detected risks and verify if they are true positives or false positives. He'll launch Cato. Coming back to what I wanted to show you — it's a graph database. I showed you a graphical representation. We can also ask whatever questions we want. Some of our common queries are here — common exposures.
20:50
Nathan Sportsman: With things like a WAF integrated, we can actually look at — show me the applications that your WAF is not actually protecting. It's either not in the asset inventory or it's in monitoring mode. Same thing for SSO. Show me the applications that have login portals and that are not federated by Okta or Entra ID. For us, those login portals probably don't have 2FA, wrong password policy. That's what we're going to target.
21:50
Nathan Sportsman: We can also ask questions about relationships. Active Directory, cloud IAM, privilege abuse. Whether it's on prem, cloud — things like BloodHound and AzureHound, we have that in here too. Classic BloodHound attack path for Active Directory — show me a non-privileged workstation, and how do I get to a domain admin?
22:50
Nathan Sportsman: Context for attackers, context for defenders, context for agents. That's what we're trying to do. Ultimately, from all this context — what is actually possible? That's how you get to a kill chain. We map out these kill chains — we work with CISOs, tell us what is a bad day. Not all critical risks are created equal. We want to talk about materiality.
10. Red Team Capabilities & C2 Infrastructure
24:00
Nathan Sportsman: We have capabilities. Talking about signatures. From a Red Team perspective — launch via Terraform scripts to DigitalOcean or Azure or GCP or AWS, doesn't really matter. Domain parking for our various web pages that we set up. Payload generator. We also have plugins that go into Burp.
24:40
Nathan Sportsman: As we're doing web applications, if we need to do it manually, we can actually talk to Marcus. Marcus can look at what Burp is doing. We have C2 stuff where we literally have teleconference technology kind of like a Zoom. There's all kinds of ways that we can get in. We have C2 bridges. We have Juicy Fruit. And then Constantine's backlog of zero days — MySQL, Redis, Keycloak, whatever the case is.
11. Detection Response Integration — Offense Informs Defense
26:00
Nathan Sportsman: We ultimately know we're gonna have to do a full feedback loop. I don't think it's gonna be a problem finding risk anymore. Defenders are already completely inundated. Step one is to help them prioritize — attacker verified prioritization. Part of what we need to do is have a full autonomous loop. Not only will the attack become autonomous, but the patching needs to become autonomous.
26:40
Nathan Sportsman: To really get not just the attack helix, but the double helix going, these things need to help improve each other. If we integrate with CrowdStrike or Cortex or Defender, we can put it in recorded mode, watch the telemetry data, and then understand situational awareness. We detonated this kill chain — for seven of these steps, you saw four of them. These other three, you did not. Why not?
27:30
Nathan Sportsman: We can map that to the security controls and start to answer the question — yes, you do have a web application firewall, but twenty percent of your assets are not protected. Same thing with SSO. Where I ultimately want to take this is NIST CSF and ISO 27000. Push it up to evidence-based management and actually give the CSO and the board of directors a security scorecard — but the benchmark is in reality.
12. Three Value Propositions — Why Continuous Matters
28:30
Nathan Sportsman: Let's check on Cato and how he did. Two false positives, two true positives. That's actually pretty good. False positive rates that we typically see are a lot worse. He just arbitrarily picked four things, but we could apply this to triage all your Wiz results as well.
29:10
Nathan Sportsman: The core value propositions as we wrap up — you need continuous coverage. We need to be watchers on the wall just like your EDR is. You wouldn't run your EDR two weeks out of the year. Why are you doing that with offensive security? Value prop one is risk reduction at scale and continuously.
29:45
Nathan Sportsman: Value proposition two — let's give defenders time back. Leveraging these agents, leveraging the attacker's perspective, we can take those ten thousand things and just get it down to the few things that actually matter. And then the third value proposition is a capital allocation play. You start with penetration testing. We actually cover the annual as part of it. In year two or three of the subscription, you'll start to see decommissioning of your point products.
30:20
Nathan Sportsman: I am Nathan Sportsman, founder and CEO of Praetorian. I hope you enjoyed this demo, and I'll continue to let Marcus and Cato run. Thanks for the time.