
Jay Sims

January 6, 2025

Shadow SecOps: The New Kid on the Block

Hello, World!

Welcome to the official blog of Shadow SecOps! My name is Jay, the founder of Shadow SecOps. I’m thrilled to kick off this blog with a personal introduction and a glimpse into the mission that drives our work.

Let’s start with a little about me. I’ve spent the past decade navigating the cybersecurity landscape, working across both public and private sectors. My passion for this field has grown immensely over the years, but the journey hasn’t been without bumps along the road. Despite those challenges, I can confidently say there’s never been a better time to dive into cybersecurity if you’re considering it as a career. But let’s be honest—it’s not all sunshine and rainbows.

One recurring issue I’ve encountered is a knowledge gap among system administrators. Many are exceptional at managing infrastructure but lack the understanding needed to build and maintain secure systems. This isn’t due to any individual’s shortcomings but rather an industry-wide oversight that leaves critical vulnerabilities unaddressed.

This persistent gap has led to a repetitive cycle of preventable mistakes. Sure, this ensures job security for us (don’t tell the AI enthusiasts!), but it also means that penetration tests—or pentests—can start to feel monotonous. More importantly, it keeps organizations from truly advancing their security postures.

How Might Shadow SecOps Elevate the Educational Baseline?

At Shadow SecOps, we believe there’s a better way. Traditional approaches like security training, conferences, and mandatory workshops often fall flat. Why? Because genuine learning only happens when the recipient is engaged and eager to participate, not when they’re forced to sit through another dry and generic presentation.

So, how can we shift the narrative?

Let’s re-imagine how pentests are perceived and delivered.

A Complete Re-framing of Penetration Testing

The typical pentest report follows a predictable structure:

  • Executive Summary
  • Key Findings
  • Engagement Summary
  • Full Results (vulnerabilities, impact, risk scores, recommendations, etc.)
  • Appendices

This is often paired with a generic PowerPoint presentation—a dreaded list of everything stakeholders did wrong and how they need to fix it. Unsurprisingly, this approach breeds a defensive mindset. Clients often view pentests as audits (🤮) rather than opportunities for collaboration and growth.

What if we flipped the script?

While some executives may want a checklist to satisfy compliance, and we’re entirely capable of providing such a service, we aim to do more. Imagine a pentest process that starts with gamification and incentivizes collaboration… for example:

Incentivized Discovery: The customer IT department is tasked with identifying vulnerabilities within a set time frame before the assessment. Rewards could include:

  • A discount on the assessment for every critical vulnerability they discover.
  • Free lunches for uncovering valuable low-to-medium risks.
  • Complimentary cybersecurity consultation services for n number of months for identifying and remediating a critical issue during the engagement.
  • A trophy or public recognition for the individual with the most impactful findings.

These simple incentives can turn a dreaded audit into an engaging, team-building experience. Instead of feeling under scrutiny, the IT team becomes an active participant in enhancing their organization’s security. Of course, these ideas aren’t without flaws, but what’s the harm in trying? If we want to change the status quo, we must be willing to experiment and learn from what works—and what doesn’t.

We can take this even further with some additional learning avenues:

  • Storytelling and Contextual Learning: Use relatable scenarios to help administrators understand the real-world implications of vulnerabilities.
  • Personalized Learning Paths: Tailor training to individual interests, roles, and tooling utilized in the customer environment.
  • Interactive Labs: Sandbox environments where teams can experiment and learn hands-on.
  • Collaborative Communities: Foster peer-to-peer learning and feedback loops to sustain engagement.
  • Gamified Risk Simulations: Develop video games that illustrate the consequences of breaches in a compelling and educational way.

These are just starting points, and I’m eager to hear your thoughts. Innovation often begins with bold ideas, and together, we can reshape how cybersecurity education is approached.

Let’s Build a Stronger, Smarter Future

Shadow SecOps isn’t just another cybersecurity firm. We’re here to challenge the status quo, foster collaboration, and elevate the industry’s educational baseline. This blog will serve as a platform to share insights, spark conversations, and explore innovative solutions—with your input guiding the way.

Thank you for joining me on this journey. Whether you’re a seasoned professional, a curious newcomer, or someone who just stumbled upon this post, I’d love to hear your perspective. Let’s connect, learn, and grow together.

Stay tuned for more posts where we dive deeper into the world of cybersecurity, one challenge at a time.

In the meantime, reach out! We’d love to hear what you have to say and potentially foster a working relationship.


Responses

  1. Maria G Kron
    January 7, 2025

    Sounds awesome! Best of luck, Jay!

  2. Jay
    January 19, 2025

    As a systems administrator and IT director, I look forward to learning more streamlined ways to protect my systems. I would much rather someone point out my vulnerabilities than take advantage of them. We have been more focused on prevention this past year. One of our biggest challenges is prioritizing the list of suggested changes to our system. Here is a real example. We run a public library and have staff who help the public and will sometimes forget our policies and plug in a customer’s flash-drive into their workstation to help. How critical is this suggestion to protect us from accidentally executing a bad actor’s dangerous file or should we be focusing on other weaknesses in our system? Here is the suggestion… “Ensure ‘Turn off Autoplay’ is set to ‘Enabled: all drives’.”

    Autoplay reads from drives as soon as the media is inserted, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch programs to damage the computer or data on the computer. This is disabled by default on some removable drive types, such as floppy disks and network drives, but not CD-ROM. Should we consider this change as a high priority? I am ready to dig in and build a more secure system.

    1. Jay Sims
      January 19, 2025

      Thanks for sharing your scenario! Disabling Autoplay for all drives is a high-priority change in your public library environment, especially with staff handling patrons’ flash drives. While Windows 11 disables Autoplay by default and Windows 10 prompts users the first time a new media type is detected, explicitly enforcing this policy further reduces risk and ensures consistency across your systems.

      To strengthen your defenses, consider:

      – DLP Solutions: Monitor and control removable media usage to prevent data breaches or malware.
      – Staff Training: Reinforce safe handling practices for external drives.
      – Endpoint Protection: Use antivirus tools with real-time scanning for an additional layer of security.

      Disabling Autoplay is easy to implement via Group Policy or local settings and aligns well with your focus on prevention.

      If you’d like to discuss this further, schedule a call with us here. We’d love to chat!

      Reply
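
The “Turn off Autoplay” setting discussed in the thread above can be verified on each workstation. The following read-only PowerShell audit is an added example, not part of the original post or comments; it assumes the policy is stored as the DWORD value `NoDriveTypeAutoRun` under the `Policies\Explorer` key, where each set bit disables Autoplay for one drive type and `0xFF` corresponds to “Enabled: all drives”.

```powershell
# Added example: read-only audit of the "Turn off Autoplay" policy value.
# Assumption: NoDriveTypeAutoRun is stored as a DWORD bitmask; a set bit
# disables Autoplay for that drive type. Nothing is modified.
$policyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

$driveBits = [ordered]@{
    'Unknown type'    = 0x01
    'No root dir'     = 0x02
    'Removable (USB)' = 0x04
    'Fixed disk'      = 0x08
    'Network drive'   = 0x10
    'CD-ROM'          = 0x20
    'RAM disk'        = 0x40
    'Reserved'        = 0x80
}

# Check both the machine-wide and the per-user policy location.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $path  = "${hive}\${policyKey}"
    $entry = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $value = $entry.NoDriveTypeAutoRun

    if ($null -eq $value) {
        Write-Output "$path : NoDriveTypeAutoRun not set (policy not configured here)"
        continue
    }

    # Drive types whose bit is clear still have Autoplay enabled.
    $uncovered = $driveBits.GetEnumerator() |
        Where-Object { -not ($value -band $_.Value) } |
        ForEach-Object { $_.Key }

    $state = if (($value -band 0xFF) -eq 0xFF) { 'PASS (all drives)' } else { 'FAIL' }
    Write-Output ('{0} : 0x{1:X2} {2}' -f $path, $value, $state)

    if ($uncovered) {
        Write-Output ('  Autoplay still allowed for: ' + ($uncovered -join ', '))
    }
}
```

A value with the removable or CD-ROM bit clear is the case that matters for the flash-drive scenario described in the question.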
