Anvil Ventures & Our 3 Basic Differentiators

By Chris Elbring
Anvil Ventures & Our 3 Basic Differentiators

By Chris Elbring

In my earlier post, I detailed some of the things that my new venture will be doing and I alluded to more information being forthcoming. The firm’s name is Anvil Ventures. Anvil Ventures has set out to solve some problems in what we believe is an important segment of our industry. Information security is a very broad field. What we are talking about is the upper tier of information security consulting. We would define this as the areas of information security with solutions and services which cannot be easily commoditized. Specifically, we are talking about the upper tier of information security consulting with focus on penetration testing and Security Development Lifecycle ("SDL") work. At the current time, we are not planning on doing auditing, certification, Governance, Risk, Compliance ("GRC") work and the like. However given right opportunities in the future we might consider branching out into different areas at some point.

I have been asked by multiple people, “Yeah, so what will differentiate Anvil from the other upper tier infosec consulting firms?”. This is a great question:

Differentiator One

Anvil Tenets in the Information Security World – If you did not get a chance to read my post about the Anvil Tenets available here:

Emerging from Stealth Mode: My 4 Basic Tenets

October 17, 2016

Many of you know that at some point or another I have sworn off ever again being the person in charge and being fully responsible; been there and done that. And I made mistakes. We all do.

I have heard that these seem pretty basic. Duh. They are. Unfortunately, in our world, these very basic things are lacking in most firms. I could get into why I believe it to be the case but it’s not that important. I think that information security consulting is a relatively new business model and there should be a lot of room to grow. And please do not assume that I am talking about all the information security consulting firms out there. I have interacted with a number of firms and individuals over the years who are very professional and display ethically sound behavior.

Differentiator Two

Anvil People and Culture – At Anvil, we believe that people and culture are key. Empowering our partners and their teams is the key to providing the best possible services to our clients. All of us have been involved in information security and understand and appreciate the culture. We believe that there is an intersection between intelligent, professional management, empowered to build a business and genius technical capability that can solve real world problems and help to create a safer world. And the best and brightest tend to want new challenges looking at different technologies to stay interested and focused. They tend to have trouble in large corporate environments with limited scopes for extended periods of time.

Differentiator Three

Anvil Mission – Here is the big thing about Anvil: we are a partnership. Our partners run their own businesses with an infrastructure that provides the support services that are sorely lacking in many small, elite firms. When we look at the market, having a real stake in a business with the ability to “exit” is missing in most, if not all, firms. Most firms that we have seen get scooped up by the big guys with nearly impossible earn-outs and the big guys move on to the next one. Many firms are owned by single people with ideas of explosive growth, going public and other types of business plans that have yet to come to fruition. However, these ideas benefit just a very small group of people and oftentimes, only one person. How is innovation and growth overall going to come to the industry when so much of the money is sitting in the hands of so few people? It’s not. So, we are changing that dynamic. To do that we do the following:

First: we are limiting our partner count and are working on a detailed partner agreement which will allow us to bring in partners directly, bring in companies as partners and to look at interesting models for exit.

Second: we are figuring out our technical path for ownership through an Employee Stock Option Pool (ESOP). All of this is designed for the obvious purpose: people who are vested are invested: this results in quality improvement for our clients. Growth becomes a function of value creation with a real purpose.

We are Excited for the Future

As long as we stick to our tenets, growth is something that can be looked at through diversification, acquisition or other avenue without watering down of the service level, technical capability or anything else.

Third and Finally: I have committed to allowing the partners (at a certain point) to control the business. I will take a back seat and eventually exit the business with a new managing partner to be named. I want this business to be a model that is reflective of the hacker culture by embracing a model that provides the best information security services in the industry and creates a partnership of the best and brightest that far outlives me (because, according to many of my young punk friends, I am super old ;-).

So, we are striving to create an environment where quality reigns for the benefit of clients, employees and the community. We want to inject more knowledge and capital into the upper tier information security consulting world. The goal is to make the world a safer place one step at a time. We understand that changing the paradigm for corporate structure may not seem like a big deal but it is a step in the right direction. And, at a minimum, for the clients and employees of Anvil, it will mean a great deal. All of us have worked at the upper level of information security consulting and we will continue striving for this level of technical excellence bounded with professional mooring and a partnership focus.

There is a lot that I am not saying here that will come later. I would love to hear from you if you don’t suck and have actual input. 😉

About the Author

Chris Elbring is Managing Partner and CEO of Anvil Secure. Prior to founding Anvil, Elbring worked as CEO and CTO of a startup security software development firm, President of a boutique, regional security consulting firm, an independent technology and security consultant, Director of Software Development of a mobile, biometric firm and most recently as Senior Vice President of Research and Delivery at IOActive, Inc.

Tools

awstracer - An Anvil CLI utility that will allow you to trace and replay AWS commands.


awssig - Anvil Secure's Burp extension for signing AWS requests with SigV4.


dawgmon - Dawg the hallway monitor: monitor operating system changes and analyze introduced attack surface when installing software. See the introductory blogpost


nanopb-decompiler - Our nanopb-decompiler is an IDA python script that can recreate .proto files from binaries compiled with 0.3.x, and 0.4.x versions of nanopb. See the introductory blogpost


ulexecve - A tool to execute ELF binaries on Linux directly from userland. See the introductory blogpost


usb-racer - A tool for pentesting TOCTOU issues with USB storage devices.

Recent Posts