
Through the Eyes of the Adversary: Breaking and Defending Identity


The third part of this series brings in physical and cyber security expert Freaky Clown (FC) to explore how identity spans both the digital and physical worlds—and how attackers exploit that overlap. Drawing on years of red teaming and breaking into heavily defended organizations, FC will show how social engineering, badge cloning, and on-site access converge with weak IAM practices to give adversaries end-to-end control.


Host: [00:00:00] Good morning or afternoon, everyone. Thank you for joining us. We’ll get started here in a couple of minutes, but before we do, I’d like to give you a minute to test out your chat function. Let us know where you’re tuning in from. I am live from Massachusetts, where it is sunny and beautiful today. 

Welcome, Wisconsin, Tennessee, California — awesome. Thank you all so much for joining us. With that, we’ll get started. My name is Jillian and I’ll be your host as we discuss today’s topic: through the eyes of the adversary — breaking and defending identity — brought to you by Radiant Logic and hosted by VIB. 

Please use the Q&A button in your window to ask questions. We will do our best to answer all of them, and for those we don’t get to, we will follow up afterward. Without further ado, I’d like to introduce our speaker, Anders. 

Anders Askasen: [00:01:00] Thank you very much, Jillian. Our guest today is one of the most experienced physical red teamers, and one of the few in the field who can show actual photographs to prove all of his amazing deeds. 

He goes by the name FC, or Freaky Clown. He’s the co-founder and head of ethical hacking at Cygenta, a company he built together with his wife, Dr. Jessica Barker, and the author of How I Rob Banks and Other Such Places. For many years, FC has been paid by banks, data centers, and operators of critical infrastructure to do what adversaries do best: break in, and cause a little bit of havoc along the way. 

[00:02:00] The information FC gathers is what makes this work so valuable. But he’s not only known for breaking in physically — he’s equally skilled at breaking in digitally. So today we’ll be crossing between the physical and digital worlds. 

FC, welcome. Before we get into your war stories, let’s tell the audience in your own words: how did you end up breaking into banks, and what does a physical red teamer actually do? 

FC: Well, thank you, Anders, for having me, and thank you everyone for joining us. My name is FC. How did I get into it? That’s a long, boring story. I started off tinkering with computers as a young kid, which led me into cybersecurity. I ended up as the head of security for a few organizations, 

[00:03:00] and that involved testing our own systems. Then that led to pen testing. I remember, quite vividly, going in to do normal pen tests and noticing physical security issues along the way. 

I have complex PTSD, which means I’m very alert to my surroundings. I started jotting things down — first a Post-it note: “maybe you should take a look at these things.” That grew to half a page of notes. I’d hand over the pen test report and add, “Here’s this other thing you might want to look at.” 

Eventually that grew to eight pages of notes per engagement. Then one of our clients said, “Hey, you know that extra thing you did for us?” My boss said, “What extra thing? Did they pay for it?” They said, “No, FC just did it. Could you come do that for our new building? We’ll pay you for it.” 

[00:04:00] We said yes, and it snowballed from there. Now, 20-odd years later, it’s a full industry. Other people are finding their way into it too, which is great. 

Anders Askasen: I remember back in my days doing a stint at one of the smaller private banks in Switzerland. They had fancy facial recognition — you had to shave twice just to get in, and there was a stern gentleman making sure you were who you claimed to be. But I noticed that people would just slip down to the basement bicycle garage, grab a bike, and go about their day. A classic gap, even at supposedly secure facilities. I’m sure you’ve seen plenty of those. 

FC: [00:05:00] The more secure a place looks, there are generally ten other ways in. That’s the whole point. Very few clients come to us and say, “Can you break in through this specific door?” It’s usually a strange conversation. It goes: “Hey, can you break into our building?” I say, “Yes.” They say, “You seem very confident.” I say, “Yes, because I will get in.” They say, “You’ll never get in.” I say, “When I get in, what would you like me to do?” 

They say, “No, no — you won’t get in, just test this bit.” I say, “I’ve been doing this 30-odd years. I have a 100% success rate. What do you want me to do once I’m inside?” They always think it’s never going to happen. And it generally does, because there’s always something they haven’t thought about — something they wouldn’t do themselves, so they assume nobody else would either. That’s where experience, expertise, and a different mindset come in. 

[00:06:00] I once went to a place — a new building, supposedly quite secure — and found six different ways in, including climbing up the sloped glass roof of an adjacent cafeteria. Once you’re on the main roof, the doors weren’t locked, and you had access to all the air conditioning systems for the server rooms. Horrific. They simply never imagined anyone would get up there. 

Anders Askasen: When you plan one of these engagements, I’m sure you don’t just show up and try something. You probably spend a lot of time doing your recon. 

FC: [00:07:00] The reconnaissance phase is the most important part. That’s where the bulk of our time goes. We can spend weeks on it, because the more complicated the target, the more recon you need — and the more recon you do, the more likely you are to succeed. Whether it’s digital or physical, knowing everything about the target is essential. 

There have been times where I’ve had to show up on the day and adapt on the fly. That’s where experience really comes in handy. But most of the time, it’s extensive reconnaissance. People ask why they’re paying so much when the actual operation only happens on the final day. The answer is: all that time beforehand is the work. 

Anders Askasen: In the movies you show up with a ladder or a clipboard. But I imagine that’s not really the case with some of your more sensitive clients. 

FC: [00:08:00] Matching your environment is always the key. Plenty of red teams get into places wearing a hi-vis jacket — it probably works fine for a normal office. There are YouTube videos of people getting into concerts with a ladder. But try that at a Swiss bank and you’re not getting away with it. Some places I’ve worked, you’d simply get shot for attempting something like that. 

You have to match whatever you’re breaking into. Most of the time that means a well-made suit, because the people who work there will instantly spot the difference between a bespoke suit and an off-the-shelf one — let alone a hi-vis jacket. 

Anders Askasen: Do you have any engagements that are particularly memorable — ones you think about regularly? Where you almost got caught, or something went so sideways it defied logic? 

FC: So many. Every one is very different. 

[00:10:00] On the subject of disguises — I once spent about a week doing recon on a bank’s corporate headquarters. Not the branch, just the offices. I had a clear picture of the dress code, the building layout, and the plan. The day arrived — a Friday, I think. I walked into the reception area, found the specific recessed section I needed to pass through, and waited for the security guard to move from his post as he always did so I could vault the barrier. 

[00:11:00] Then I saw Jack Sparrow. Then a dinosaur. Then I noticed the security guard had little plastic devil’s horns and a pitchfork, and the receptionist was dressed as a cat. Charity dress-up day. 

There was absolutely no way I could walk into that building in a suit without standing out completely. I left and came back the following week. If I’d had a dinosaur onesie on me, I’d probably have got in. No amount of recon can prepare you for that unless you have inside information. 

Anders Askasen: Have you ever come close to being caught — seriously, with law enforcement involved? 

FC: [00:12:00] Oh, yes. Many times. There’s one I remember in particular. I don’t count it as a failure, because it actually helped the client improve their policies and processes. We were breaking into a series of high-street bank branches — I was doing about eight banks a week. During that month, I broke into more banks than Jesse James, Bonnie and Clyde, or any notorious bank robber you can think of. More in one month than they managed in their entire careers. 

[00:13:00] It was stressful work — a different approach each time. We reached a particular region controlled by an area manager who oversaw five or six branches. He felt threatened by what we were doing and thought it would make him look bad. It did. But rather than work within the agreed scope and contract, he told his branches to expect me that week. 

When I walked into one of his branches and delivered my usual script — which should have had me escorted straight to the back — I was instead ushered to one side to wait in reception. That was highly unusual. 

[00:14:00] I sat there next to a man who was ranting about his mortgage and his grievances with the bank. He had a thick folder of papers and kept showing me everything. I genuinely could not have cared less in that moment. I was stressed, because I knew something was wrong. Twenty minutes passed. I could sense heightened activity in the background. I decided I should leave. 

Just as I made that decision, sirens and blue lights surrounded the building. Armed police came straight in. I turned to the man next to me and said, “Excuse me — those are for me.” He said, “What did you do?” 

[00:15:00] I went over to the police and explained the situation. What had happened was the area manager had told the branch to call the police immediately if I came in. But there’s a proper escalation procedure: try to move the person on, take protective measures, and only involve police as a last resort. He had bypassed all of that. 

That’s a serious problem. Too many unnecessary call-outs and police response times increase. It could genuinely have cost that bank. The area manager faced significant consequences. And it didn’t make his other branches any more secure, because he hadn’t warned them — so I went on to those as well. 

Anders Askasen: [00:16:00] A lot of our customers are in critical infrastructure and healthcare. I know you have many stories, and a lot of them are quite funny. When we were preparing for this, I asked if you had photos to share, and I think you showed me one from a healthcare provider — you and your wife in scrubs? 

FC: Yes. The backstory is we were asked to break into a hospital. I normally do these engagements solo — it’s easier and quicker. But in this case, given the type of hospital, I decided it would look genuinely odd for a middle-aged man to be wandering around on his own. So I recruited my wife, who had never done one of these before. 

Anders Askasen: FC, are you sharing the photo? 

FC: Sorry, just a moment before I bring that up. 

[00:17:00] I briefed her beforehand: avoid everyone. Do not talk to anyone — just steer clear, because that’s going to create problems. We walked in, started down the first corridor, and I could see she desperately wanted to acknowledge the first person we passed. I was grabbing her hand: “Don’t, don’t, don’t.” 

We made our way through the building and eventually found an unlocked supply cupboard. This is a photo of the two of us in scrubs we’d taken from it. That gave us significantly more access throughout the hospital than we should have had. We also got into the C-suite executive building, where we found an access badge that happened to look very much like my wife. She wore it around her neck as we went around. We were able to photograph patient records, though we didn’t take them — just documented the access. 

[00:18:00] Once you’re past that initial security layer, everyone assumes you’re supposed to be there. A related example: a government building where this particular department was so secure that even my client — the person who hired me — wasn’t allowed in. I got in by convincing them I was there for a team-building exercise and had them building teepees out of bamboo canes. 

[00:19:00] Once you understand that the initial barrier is all that stands between you and full access, you can do remarkable things, because people simply believe you. “I’m from this department,” and they think, “Well, he’s clearly already in the building, so he must be legitimate.” 

Anders Askasen: Has security actually improved? You’ve been doing this for about three decades now. 

FC: [00:20:00] Honestly, I’d say it hasn’t got better. The threat landscape has grown, but the types of attacks are fundamentally the same — they just cycle through different names. On the digital side especially, it’s all input validation. SQL injection, cross-site scripting, AI prompt injection — they’re all input validation flaws. We haven’t solved the foundational issues, and I don’t think we will for another three decades. 

Anders Askasen: Before we pivot to that, we need a couple more war stories. But to your point — a lot of what we deal with is identity sprawl: getting a unified view of everything and applying observability to understand what’s happening under the hood. [00:21:00] Listening to you, it’s clear you’re exploiting the same thing in both the physical and digital worlds: small gaps between protocols, between security mechanisms. Once you identify them — whether through weeks of recon or pure serendipity — you know where to attack. Banks are your specialty. Give us one. 

FC: Let me set the scene. I was asked to break into a bank and wanted to try something a bit different. When I went in for initial recon — and the great thing about recon is you can walk into almost any public space naturally — I went into the reception area. 

[00:22:00] Two important things to look for in any reception area: first, there is almost always a fire evacuation map on the wall. Take a photo of it or memorize it — it gives you a complete floor plan of the building, free and available to anyone. Second, you get to assess the entrance layout: broken barriers, poor sightlines, camera blind spots. 

In this case, I also noticed job application forms sitting on the end of the reception desk. I took one. The bottom half was marked “for internal use only — do not fill in.” I took it back and filled it in myself. In a particularly poor design choice, it had tick boxes asking what building access the new employee should have. I ticked everything. 

[00:23:00] The next day I came in through a back entrance and intentionally got stopped by a security guard — which is exactly what I wanted, because I needed to speak to someone in security. I told him I was a bit lost and had been told to bring this form around the back. He directed me to an office. 

[00:24:00] I walked in and took a photograph. You can see a box of temporary passes on the desk, a badge-making machine, and a computer. The guard took my form, said he needed to verify a few things, and left the room. That’s when I took the photo. I had three options: steal a temporary pass, make my own badge, or play it out and see how far it went. I decided to wait. 

[00:25:00] He came back and asked why I needed access to their dark site. I said I was there for security testing and needed access to all buildings. He said it was unusual but okay — and then made me a pass that gave me access to everything. Without ever checking whether the manager who had supposedly signed the form was a real person or had actually authorized anything. No checks at all. Remarkable. 

Anders Askasen: I recall from one of your talks that at some point you found yourself in a large internal meeting — and the CSO was in the room. 

FC: [00:26:00] Yes! So I break into this bank, and once you’re past that first barrier, you can do remarkable things. One of my favorite moves is finding meetings. I went floor by floor through the building and came across a large all-hands — there were more than a couple of hundred people on the floor. I settled in near the front and started taking photographs. That in itself is a signal: if someone you don’t recognize joins your meeting and starts taking photos, ask them who they are. No meeting is ever that interesting. 

[00:27:00] This curly-haired gentleman is my client — the person who hired me to break in. He knew it was happening roughly this week or next, but didn’t know it was today. And up front is the CEO, giving a presentation to the whole company. 

I decided to text my client — actual SMS, this was a while ago. “Just to let you know, I’ve gained access to your building. In fact, I’m in your meeting right now.” And I sent the photograph. He took out his phone, read the message, went completely white, finally spotted me, and I waved at him. He had absolutely no idea what to do — he was sitting right next to the CEO, who at that moment was saying, [00:28:00] “We haven’t had a single security breach this year.” You could see my client silently willing him to stop. I was desperately hoping the CEO would say, “Any questions from the floor?” so I could raise my hand. But there you go — you can crash meetings. Especially ones you’re not invited to.

Anders Askasen: It seems like a lot of security protocols are over-engineered, and in doing so, you end up missing the obvious things. 

FC: [00:29:00] The physical world has a direct digital parallel. Stale accounts in the digital world are exactly like stumbling upon an unused access badge. The mindset needed to defend against both is the same. 

[00:30:00] I’ve gone in on pen tests and found user accounts left behind by other pen testing companies who never cleaned up after themselves. They reuse the same passwords, so you try the known credential pattern and suddenly you have access because someone left something behind they shouldn’t have. There should always be a thorough cleanup afterward. It’s happened at least seven or eight times — using another firm’s credentials to get in. They were there to improve security and ended up making it significantly worse. 

Anders Askasen: [00:31:00] Any recommendations for those in charge of physical security planning, particularly in financial services and critical infrastructure? These are functions society depends on, and they’re under constant pressure from state-sponsored actors. 

FC: The obvious recommendation is: get external advice, because you become blind to what you already have. It’s far more important to get that advice before you build than after. We do a lot of consulting on new buildings, and it is significantly cheaper to catch problems at the planning stage than to come in afterward and say, “This is all wrong — new barriers here, move this desk, put a wall there.” 

[00:32:00] Most people in a security role have been doing it for a few years. They haven’t spent three decades breaking into places. And breaking in is fundamentally different from defending — that’s why we have red teams and blue teams. You don’t hire a red teamer to run your defense, and you don’t hire a defense team to do your red teaming. Two completely different skill sets. 

The second recommendation is: cultivate a healthy distrust of everyone around you. I have been let in countless times simply because people assumed I worked there. 

Anders Askasen: [00:33:00] While you’re looking for that photo — we deal with the digital domain, and identity is now the number one attack vector. 

FC: This is a photo I like to show to test people. I always ask: what’s the biggest security flaw you can see? Anders, I’ll ask you — or actually, let me ask the chat. 

Anders Askasen: [00:34:00] I’d look for Post-it notes with passwords. Physical access to the computer means I could plug something in. The person in the frame doesn’t seem bothered by someone taking photographs. I can also see family photos — which, if you’re truly malicious, is a real problem. The machine is running Windows, which opens a lot of opportunities. It’s unlocked with nobody around. What do you see? 

FC: You nailed it, Anders. There are Post-it notes with actual passwords on them — you can’t quite make them out in the photo, but they’re there. And I applaud you for spotting the family photos. That’s a critical one. Regardless of who you are or what your seniority is, a credible threat to your family will open every door. [00:35:00] Show a C-suite executive where their children go to school — game over. Physical coercion renders any password instantly irrelevant. 

But the thing you spotted that I don’t think anyone else in the chat caught is the man in the corner. I had been at that desk for a while, holding a proper camera — not a phone — deliberately trying to find the threshold at which someone would challenge me. That man in the corner never once asked who I was, what I was doing, or why I was photographing a colleague’s desk. [00:36:00] That ambivalence — “I can see something odd is happening, but I don’t want to get involved” — is the biggest security vulnerability of all. He could have stopped everything with a single question. 

Anders Askasen: [00:37:00] To pivot to the digital side — you’re doing network and application testing as well as physical. In my world, we talk daily about identity sprawl, stale accounts, and maintaining a unified view. When you’re in a digital engagement, what are you looking for from an identity perspective? 

FC: [00:38:00] Low-hanging fruit. Accounts with weak passwords or poor operational security — those are the easy entry points. But access itself is almost never the end goal. I can get in a thousand different ways. What I’m really trying to do is move laterally through the network and reach the high-value targets: usually a database or some specific data stored somewhere. 

From an identity perspective, I’m actually trying to go beyond individual users. People have restrictions. What I want to become is the system itself. If I can take over a machine’s identity, I can go anywhere. [00:39:00] Thinking about computers as people is probably the best framework — and conversely, protecting computer systems and AI agents means treating and controlling them like people. That’s going to slow down a lot of attackers significantly. 

Anders Askasen: You’re essentially building the case for what we call the three-identity problem. First, human identities — once you’re in, it’s about lateral movement. Then non-human identities: system accounts, man-in-the-middle attacks, captured sessions, API keys. [00:40:00] And the new piece you just mentioned — agent AI. I’ve been playing around with it: whenever I need access, I just drop in an API key and it works. But do that at enterprise scale and you’re in serious trouble. 

FC: I can guarantee plenty of people have done exactly that. Everyone is experimenting with agentic AI right now. I have it running here at home with access to everything on my network, because I know what I’m doing. But the really dangerous scenario in an enterprise is the person who also thinks they know what they’re doing, gets frustrated when something doesn’t work, just grants it a bit more access, and then moves on. [00:41:00] Suddenly there are API keys everywhere, identities everywhere — it’s the same problem as hardcoded passwords. Horrific. 

Anders Askasen: And this is a whole new dimension of stale accounts. You can spin up an agent without being a techie — a CFO can do it. You get access to a cloud environment, spin up some agents, forget about them, and you don’t have the security mindset to recognize the risk, because it’s not your job. 

FC: Exactly. It’s fascinating, and it comes back to what we said earlier: the threat landscape has massively expanded. In the last year or so, it’s grown tremendously. 

Anders Askasen: [00:42:00] We also touched on the injection angle. SQL injection in traditional systems, and now prompt injection in AI. Is that something you actively look for? 

FC: My preference is for the most esoteric things. We’re in the fortunate position of running our own company, which means we can say no to routine engagements. I want to work on things no one has examined before. [00:43:00] A new electronic device? It comes to us and we try to break it. A web application that’s never been seen outside the company? I’m looking for zero-days. Is there a hidden account nobody knows about? A hidden entry point? 

I’ve done this many times: contact a vendor, tell them we’ve found a serious flaw in their product through a client engagement, and offer to work together. Ninety-nine percent of the time it works out well — they’re grateful, they didn’t know it was a vulnerability. That’s the kind of work I enjoy: the weird, the unusual, [00:44:00] the things nobody has thought to question. 

Anders Askasen: And I suppose a lot of hardware comes from places where you can’t always be sure what’s in there. 

FC: You can build your own devices too — that’s the fascinating part. I was formerly the head of offensive cyber research for Raytheon across Europe, and I think one of the things that got me on their radar was some implants I’d been building. This is a VoIP phone — taken right when the Raspberry Pi first came out. [00:45:00] 

I broke into a company, took this phone back to my hotel, and modified it. I happen to travel with a lot of equipment. I bridged a Raspberry Pi to the network, ran power from the board, and added a USB Wi-Fi adapter underneath the device. So this phone was now acting as a wireless access point. When I put it back the next day, network scans still showed it as a phone — because the phone itself still worked. But I now had a wireless access point inside the network, past all the firewalls. [00:46:00] I could sit in the car park and connect via SSH. You want to make the implant as secure as possible — no unnecessary holes. 

Anders Askasen: Quick question — did you reveal this before or after you got paid? 

FC: After, of course. And to be clear, this was a contracted engagement. A client specifically hired us to get a foothold on their network. Sometimes the best way to achieve that digital access is to physically place a device inside the environment. [00:47:00] 

Here’s another Raspberry Pi implant inside a phone in a government building. And my best device — the one I can at least talk about — is this pre-Raspberry Pi build. This device was designed to attack an entire country’s critical national infrastructure, or CNI — for anyone who just asked in the chat, that’s the systems that control things like electricity supply. [00:48:00] I plugged it into a piece of CNI and it took down the entire country’s infrastructure in about 21 seconds. Built and coded before AI or the Raspberry Pi existed. There’s always this crossover between digital and physical — get inside somewhere, plant something, and you have digital access. 

Anders Askasen: [00:49:00] We’re about to open up for questions, but before we do — for anyone young who wants to get into this field, any recommendations? How do you get involved, get up to speed, and keep your skills current? 

FC: That’s a tough one, because my path wouldn’t map onto anyone else’s. Nowadays there are so many courses, free resources, YouTube videos, cheap platforms like Udemy — it’s probably overwhelming to know where to start. 

[00:50:00] I’d start with platforms like Hack The Box or TryHackMe to get a feel for the digital side, because digital is a much easier entry point than physical. Physical red teaming almost always comes through pen testing first. It’s very rare to go straight into physical work. 

Anders Askasen: It’s a similar mindset, right? 

FC: It is — the recon skills especially. It’s a bit like asking how to join the SAS without going through the military first. You have to do the foundational work. Start with bug bounties, because you can do that alongside whatever you’re currently doing — it’s free and accessible. Don’t do it for the money; do it for the experience. Then get into pen testing, and hopefully land a job at a firm that does physical work, because there are plenty of them now. It’s not a quick journey. 

Anders Askasen: [00:51:00] It’s a long road. But it’s a career, not just a job. Let’s open it up for questions from the audience. 

FC: I’m sure someone will bring up that photo I nearly showed. 

Anders Askasen: Any questions in the chat? 

FC: I saw someone raise their hand. Are we not seeing the questions? 

Anders Askasen: Gobsmacked — there are none. We still have a few minutes, so let’s pivot to the defender side. [00:52:00] There are a lot of CISOs and security professionals on this call who want to know: what can we do on the digital side to reduce the attack surface and make your job harder? 

FC: The single biggest thing — and I’ve seen this embarrassingly often across organizations of all sizes — is segment your networks. It’s one of the simplest measures available, and even large enterprises just don’t do it. You don’t need everyone to have access to everything all the time. [00:53:00] Have controlled portals for data exchange. Segment your networks. 

Anders Askasen: That sounds like the natural expression of a zero-trust philosophy. 

FC: It is. It’s obvious, but common sense isn’t common. Look at your network — it’s probably flat. The people with the most access are usually developers and admin teams. I once worked with a bank that had a globally flat network: everything connected via VPN, flat across the entire globe. Completely unbelievable. 

Anders Askasen: [00:54:00] Questions coming in. Have you ever hired red teamers to pen test your own company? 

FC: Yes. I’m friendly with a few great people — all my friends are hackers, honestly. We have an open retainer arrangement with a couple of them: come and attack us whenever you like. Free weekend, bored, want to try something new — go ahead. It’s a very loose contract, but it works well for us. 

Anders Askasen: [00:55:00] I take it they haven’t found your agentic AI instances on your private network yet. 

FC: That’s on a segmented network. 

Anders Askasen: There we go. Another question: what is the most overlooked identity risk with contractors and third parties? Especially given regulations like NIS2 in Europe, where supply chain security is now a major focus. 

FC: The biggest issue I see is failure to remove access. Someone joins, accumulates access over time, changes roles or departments — [00:56:00] and nobody ever revokes the old access. People who’ve been there twenty years and moved through five or six departments still have access to everything they’ve ever touched, because no one wants to take away privileges. The same is true for contractors: their credentials simply never get cleaned up. Failure to remove access is the biggest risk that most organizations don’t even recognize as a risk. 

Anders Askasen: By demonstrating this, are you effectively helping CISOs build the case for budget — for the right tools, processes, and training? 

FC: [00:57:00] Yes. If you ask for a security budget in the abstract, you’ll often get turned down — “Everything’s fine, we’ve never been attacked, why spend more?” But if someone like me comes in, proves access is achievable, and documents everything found, the conversation shifts: “We need to fix all of this before someone bad finds it.” That opens up budget considerably. 

The return on investment is enormous for most organizations. My job isn’t just to find one or two vulnerabilities — it’s to identify the foundational things that need to change to make everything better, not just patch one door. [00:58:00] 

Anders Askasen: There are some questions here about healthcare and identity security for clinical staff. We have a dedicated microsite on identity security in healthcare — just search for it and you’ll find it. FC, we’re coming up on the hour. It’s been a genuinely fantastic conversation. So many great stories. Hopefully I’ll see you at Black Hat or Identity Verdict. 

FC: Yes! If anyone is coming to Las Vegas — that’s where I live — I’ll be at Black Hat and DEF CON. Stop me and say hello. 

Anders Askasen: Thank you so much, FC. Over to you, Jillian. 

Host: Thanks so much. With that, we’ll close out. Thank you all for attending today’s webinar. We hope you enjoyed it as much as we did. If you registered through VIB with your business email and have any questions, please contact [email protected]. Have a great day, everyone. 

Anders Askasen: Thank you.