Frequently Asked Questions
-
What makes Polo Cyber different from other cybersecurity consultancies?
We straddle many of the divides in cybersecurity thanks to our founder’s varied experiences and consultant network. For instance, we excel at explaining situations and concepts to diverse audiences, from junior-level employees to executives. We can keep the discussion non-technical or quickly escalate it to specific technical problems. We know the different types of work, discourse, and needs in government, corporate, and academic environments.
We have seen the work of other firms and seek to emulate the best practices we have seen, while avoiding the others. We communicate crisply, quickly, and as verbosely as needed - leaving nothing for the customer to guess at, or re-inquire about. We will not be pushy about opportunities to upsell additional engagements. We will not accommodate widespread assumptions and practices in the industry that we find inadequate, and will state so clearly.
-
Can you provide examples of how you've helped other organizations improve their cybersecurity posture?
Our experiences range from the macro and strategic levels to the micro. For instance, at the broadest level we have produced vast amounts of intelligence, as well as created teams and trained analysts, to provide the best possible anticipatory judgments of cyber and other threats. We have a solid track record of reducing uncertainty and narrowing vast adversary and TTP lists down to a far more manageable set that matters to a specific customer.
At the micro level, we have evaluated individual malware samples to extract strings containing clues or indicators of payload purpose, or studied domain registrations by specific people or registrars to find typosquatted domains that would anticipate which corporate target was next in a criminal campaign.
There is a lot in between: questioning employees in insider investigations; developing applications from scratch to automate or improve security processes; recruiting talented personnel; evaluating vendors; and more.
-
What is your approach to threat landscape analysis, and how does it benefit my organization?
Our founder Pablo Brum learned with the best at Georgetown University: professionals from the US intelligence community who defined the craft of intelligence analysis. He now teaches that craft there himself. This focus on advanced analytic tradecraft is hard to find even in agencies or roles that have “intelligence analyst” or “analysis” in the description.
This approach has two broad features: structured analysis, and application of intelligence techniques. Structured analysis means that each intelligence problem is treated as a question, for which the answer will hinge on a series of drivers. Once enumerated, drivers are populated with all the data pertinent to the case, and analyzed to determine their trajectory as relevant to the problem. The overall answer to the question is a probabilistic statement based not on the analyst’s preferences, recollections, biases, or whims, but rather a conclusion derived from the structure proposed at the beginning, as mechanically as possible.
Speaking of biases, this leads to the second feature of our approach: the application of analytic techniques. While often listed in intelligence manuals, these are rarely used in practice in real-life settings. We, in contrast, do employ them. While structured analysis helps direct analysis in the right direction, techniques contribute the flip side: they help analysts avoid pitfalls and mistakes. Therefore, a proper threat landscape study will consider key assumptions checks, fundamental attribution hypotheses, starburst techniques, and other methods for filtering out analytic errors and omissions.
All of these approaches can be conducted in an interactive form with the client, or produced as deliverables - it is up to the customer to choose.
-
How does Polo Cyber ensure that its incident response services are swift and effective?
We work alongside our customers’ existing teams on incident response. Our ability to bring our own responders into customers’ engagements depends on availability and timeliness. Nonetheless, if and when we are brought into an incident, we will bring professionals with extensive experience in producing and executing runbooks for numerous incident types; familiar with the technologies, log types, and infrastructure providers critical to typical incident situations; and able to conduct forensics down to the binary level.
-
How do you stay up-to-date with the latest cybersecurity threats and technologies?
Fortunately this is quite easy and we recommend everyone in the industry do this as well: by combining news sites, blogs, social media, and your own personal community chat groups and spaces, it is absolutely possible to remain up to date with infosec and national security developments. It takes dedication to go through numerous information sources each day, as well as judgment to assess the quality of what we are reading.
Incidentally, Polo Cyber offers services where, for those who don’t have time to manually read the press, customers can automate their news digest to turn it into actionable alerts for relevant developments involving their brands, suppliers, and technology stacks.
-
Can Polo Cyber help with compliance to specific regulations like GDPR, HIPAA, or PCI DSS?
These are not our specialties nor those of our consultants. We may assist with aspects of PCI DSS data security and incidents, but this will be on a case-by-case basis.
-
What is the process for initiating a project with Polo Cyber? What information do you need from us to get started?
You may book an appointment directly with Pablo via this website to have a 60+ minute conversation with him. Following one such call, you may engage indefinitely with Pablo via email in order to figure out future steps and contracted engagements.
Alternatively, you may write to us here describing your issue and questions for us: we will reply pending availability due to existing contracted engagements.
-
How does Polo Cyber handle sensitive information and ensure client confidentiality?
We do not employ insecure channels for communication, nor include sensitive information in any message we send on any channel. Calls and instant messages are only exchanged on proven end-to-end encrypted applications. We follow industry standards and sign non-disclosure agreements (NDAs) as set by clients.
-
What is your pricing model? Do you offer bespoke solutions based on specific needs and budgets?
We do not like it when firms and vendors we are interested in refuse to showcase their prices, and force interactions with sales representatives to obtain them. Therefore, while we do leave certain prices for in-person discussions, the following is our public pricing policy.
The only fixed price published on our website is USD $1,000 for a 60+ minute consultation with our founder Pablo Brum on any topic, plus open-ended written follow-ups thereafter.
We do have price guidelines for many of the service engagements we offer (such as Vendor Replacement or Incident Response), but these are negotiable and highly dependent on the customer’s needs and scale.
For general guidance, our prices start at USD $10,000 for our smallest engagements while the largest are in the USD $100,000-$150,000 range. The latter are typically one-time engagements that will allow the customer to replace SaaS vendors charging that same amount, or more, every year.
-
How does Polo Cyber customize training programs for different organizations? What makes your training effective?
We are particularly good at training and educating audiences of all levels. Pablo first started teaching in college, days after graduating, and today is an adjunct at the world’s foremost security program, Georgetown’s Security Studies Program. Former students and alumni have continuously given him the highest marks for both breadth and depth.
This was further the case at both CrowdStrike and Mercado Libre, where Pablo led teams of professionals not just in developing their professional capabilities, but in succeeding him as trainers and leaders themselves.
-
In case of an ongoing cyber incident, how quickly can Polo Cyber respond and provide support?
We answer all emails within 24 hours of receipt or less. We can join any ongoing incident within that time frame, which is generally acceptable but, we should acknowledge, suboptimal for many types of incidents. Because of that, for certain types of particularly urgent incidents, there is no replacement for your in-house capabilities. Our Security Preparedness engagement can help your organization build a more robust in-house incident response organization, so that you don’t need Polo Cyber or anyone else when the next incident happens.
-
Can you assist with in-house development of cybersecurity solutions to replace vendor products? How does this process work?
This is one of our greatest value propositions. The security stack of numerous organizations is currently dependent on annually paid SaaS and other products that, with an investment of engineering time and effort, can be replaced with in-house solutions. We have vast experience performing this kind of work in unique environments, and can lead your engineers (or bring our own) in developing these kinds of systems. Under the right circumstances, customers will net significant annual savings by replacing subscription-based services with their own automations.
-
What kind of support does Polo Cyber offer post-project completion?
All of our engagements conclude with an after-action report.
In the case of Vendor Replacement engagements we will provide you with extensive technical documentation in your organization’s preferred language(s). The idea behind Vendor Replacement is for customer organizations not to be reliant on external parties, including Polo Cyber, to maintain their defensive technologies. As such, we train your engineers to be the maintainers and developers of each application post-completion. Nonetheless, we can also discuss a specially priced retainer for post-project consultations.
We strongly believe this approach is often preferable to the faster method of buying a vendor tool off-the-shelf. The vendor space is often saturated with venture capital dynamics, brand and company pivots, drastic YoY price increases, upsell efforts, and more. This extends to maintenance: TAMs and sales engineers rotate frequently; your account is often inherited by someone who doesn’t know you or your company; and even formally submitted tickets may receive only limited attention. If you have faced any of these issues you know exactly the kind of friction we are talking about: contact us to consider an alternative approach.
-
How does Polo Cyber handle projects across different time zones and languages?
We work primarily out of Western hemisphere time zones. We will give special consideration to east Asian customers who are interested in talking to us during east Asian business hours.
-
Can you provide details on how Polo Cyber collaborates with internal teams and external vendors during a project?
For the best possible results, in technical engagements Polo Cyber asks for two counterparts on the customer’s side: a technical lead (who could be as senior as a CTO or CISO) and an engineer or developer. The second best situation is one in which there is a single technical counterpart. When there is no technical counterpart at all, it is more likely we will bring our own technical staff to work with you, and interact more closely with your top leadership.
-
How can clients ensure they get the most value out of Polo Cyber's services?
We strongly suggest sending emails that spare no details, preparing detailed checklists, and coming to consultation sessions with specific questions for us. We are committed to delivering excellent service in exchange for our consultant fees, and this includes thoroughly perusing any materials or context you send us in order to clearly understand your situation.
-
What are the advantages and disadvantages of replacing vendor products with in-house tools?
We are neither anti- nor pro-vendor as a matter of course. We have worked extensively at and with vendors, and find many of them critical for any security stack. At the same time, there are vendor-saturated markets and numerous opportunities whereby an organization can replace an expensive vendor tool with a one-time investment in a proprietary tool and modest maintenance.
Off-the-shelf purchases of vendor products are convenient and can solve some problems fast, but in practice they can also bring their own set of problems.
Brand changes are an example: vendors often juggle product names, discontinue the one you purchased, or otherwise try to push customers in commercially convenient directions, not to mention vendors can outright disappear via acquisition or bankruptcy. Another example involves personnel: customers often find their point of contact at their vendor, whether a sales engineer or a Technical Account Manager (TAM), has moved on to other accounts, teams, or companies - and relations have to be built from scratch. Yet another one has to do with the products themselves: vendors often remove features (maybe moving them behind more expensive tiers) or make changes to their APIs that require maintenance work on your side anyway.
Last but not least, vendors inevitably are looking to upsell customers (that is, stack sales on top of existing sales). Some of them are more artful at this than others, but ultimately it is their core mission and incentive. This does not necessarily align with your organization’s incentives.
There are some vendor products or advantages that cannot be replaced. For instance, certain security products leverage network effects to a degree where an in-house automation, whether developed with us or with others, is an unrealistic replacement. We will make sure to state this explicitly. It is also why we adopt a modular approach to every engagement, and won’t hesitate to point you to worthwhile vendors for certain gaps.
-
If I develop my own automation with your assistance, who will be in charge of maintenance once it goes into production?
Like other aspects of the engagement, this will be defined in the scope of work between the two parties. We find the optimum is for your organization’s IT or security staff to be thoroughly involved in tool development and to inherit the maintenance task, as it is the formula that best guarantees your autonomy relative to external suppliers, including Polo Cyber. Nonetheless, we are happy to discuss fee-based maintenance services for us to be in charge of.