People sometimes ask me why I started Anvil Ventures and what is so great about it. Based on who they are, I give them an appropriate response. Potential hires get the ESOP, Partner Track, Do Cool Work and Do it Ethically talk. I have blogged about the majority of this and am always happy to talk about how we are differentiated as an employer. Potential clients get the sales and marketing points. This includes all the cool stuff we do for our employees and the industry. And we talk about how we do things and how that helps our clients by making our employees more dedicated, customer focused, innovative, etc. But what sets Anvil apart from the rest of the elite infosec world in June 2017 is not our size, not our prices. It cannot be summed up that simply because it incorporates a number of factors. I want to give you two examples of recent client interactions (anonymized, of course) to give you a feel for what it is that we are doing and how we are doing it.

These cases are illustrative of our core values and even as a startup in this world, we are working to make sure that we have values and act in concert with them as we build our business.

Case 1

A large device manufacturer with the need for a secure platform approached Anvil about a very early design review/free flow threat model session. They explained the platform at a high level and their need. We signed NDAs and MSAs and then shared more information. Based on their initial information, I approached two folks, one a hardware and embedded pen test and design person and the other, a threat modeling guru. We exchanged some information and awaited more explicit information from the client. Based on the client’s response, what they really wanted was an engagement with an embedded penetration tester for the design phase of their project. We agreed to terms, did the gig, and received incredibly positive feedback and are discussing next phases of their project.

Anvil took time to understand the need. We worked with the client and potential consultants on making sure we would be providing the best people for the job. We worked on delivery and made sure we had a successful engagement. We followed up and are available to this client as they continue in their development cycles as a security partner. The platform is very interesting and the project will hopefully build a lasting relationship.

Case 2

A very large, well known technology firm approached us about a somewhat different type of implementation project. Essentially, they had decided to implement a new OS on a series of devices we had previously worked on with their team. Their goal was to have someone do a security review of the implementation of the new OS. The client had an extremely tight timeline. Anvil did not have anyone nor did any of our trusted partner firms have the right people available at the time required for the project.

I knew from previous experience that they were also engaged with a company that I know relatively well. I asked them if they were able to get a specific person for the gig from that other firm. They stated that they could. Anvil told them to use that person as that person would be an excellent fit for the project and we would trust that person’s results as we move forward working with them on the project.

Anvil took time to understand the need. Anvil passed on the gig because we could not provide the right person to successfully do the project. Examine that carefully, it was not that we could not fill the slot with a body that may have done OK. We believe that the right person should be applied to the right problem. Anvil suggested that the client use a firm that had an appropriate resource available. We followed up with the client and learned that they had a positive technical experience with the other firm and that the project is continuing to move forward relatively smoothly.

The difference

How does this make us different? For those of you in industry, you know. For those of you who are not, let me be explicit. Information Security consulting is, unfortunately, more about land grab than quality. Most firms could not care less if you actually get value for your pen test dollar. Many firms are not about relationship or program, they focus on hit the project, move on to the next. Honesty is a hot commodity. Yeah. I am saying it. Most firms will do just about anything to keep or win your business. Anvil would rather not. There is little knowledge transfer or project/program consistency with those firms focused on growth rather than quality. The quality suffers and the client receives less than adequate results.

This actually leads directly to the other big thing that sets us apart. We are a small firm that is working to control our growth. We have excellent community ties and that means right now, we have more elite penetration testing capability than work. We get more resumes and job inquiries than any place I have ever worked and we have been in business less than 6 months. Great things are coming.

So, in June 2017, I am proud to say that we are doing things the way we want to do things and I am proud of Anvil Ventures.