Vinnie Liu was only 17 years old when he landed his first job – the National Security Agency (NSA). The year was 1999, and he worked on signals intelligence gathering.
It was a formidable but typical start for Liu, now Bishop Fox CEO and co-founder. The NSA was looking for promising high school graduates with proven fluency in hacking and programming languages. Liu, then an incoming computer science major with a psychology minor at the University of Pennsylvania, spent two years commuting from Philadelphia to the NSA satellite office in Baltimore. His first year was focused on red-team hacking and the second on specialized tool development.
Working at the NSA “really opened my eyes into how deep you can get, into how deep this rabbit hole can go,” Liu says. “I had grown up with bulletin-board systems on the Internet. Cybersecurity wasn’t even a term people used.”
That’s about all he will say about his work at the NSA, except that it involved nation-state actors. But the experience left a lasting imprint.
“It gave me a huge sense of being mission-driven,” Liu says. “We’re missionaries, not mercenaries. Our mission, fundamentally, is to keep people safe both online and offline.”
That mission ultimately manifested itself as Bishop Fox, an offensive security firm whose team of hackers pretend to be villains. In other words, they try every possible way to penetrate a client’s security defenses, including adversary simulations and “purple teaming” (red teaming and advising the client’s blue team at the same time).
But for all the criminal cunning that Bishop Fox staff need to employ, Liu thinks of the company’s work in medical terms. Bishop Fox, he says, is “the doctor’s doctor.”
“There are so many similarities between good health practice and security,” he tells Dark Reading. “You don’t just prescribe pills and that’s it. You don’t eat healthy and exercise once and that’s it.”
This approach is a view into the two personal qualities underlying Liu’s success: his sense of purpose – “missionaries, not mercenaries” – and his palpable scorn for complacency. Liu’s brand of optimism is hard, even austere.
“People in the industry have too pessimistic a view,” he says. “I don’t even like the joke, ‘It’s not if you get hacked, but when.’ Our whole philosophy is defending forward.”
Like many successful tech firms, Bishop Fox has humble origins: the living room of a bachelor pad.
Liu had graduated from Penn in 2003, having focused on network security and adaptive intrusion detection services. He then joined Ernst & Young as a security consultant, performing penetration testing for Fortune 500 clients. Liu calls Ernst & Young’s Advanced Security Center “a kind of NSA for the private sector.”
Working with Liu at Ernst & Young was Francis Brown, now on Bishop Fox’s board. Brown and Liu had lived on the same hall as freshmen at Penn, and both studied computer science. They were the only first-year students in their program who did not drop out within the year, Liu says. The two friends lived as housemates in Arizona, where “as long as we could afford pizza and Internet, we were good to go.”
Honeywell would eventually poach both men from Ernst & Young; Liu would lead Honeywell’s global penetration testing team, plus the teams of Honeywell’s various subsidiaries. The chance to build up Honeywell’s team was an exciting prospect, but turned out to be a limited opportunity: Once the team was built, the slower pace of work left Liu (and Brown) restless. Liu had outgrown the role; by 2005 he was speaking at conferences like Black Hat on how to bypass anti-forensic tools – a skill he had been developing since his teens. Both Liu and Brown started moonlighting as independent security professionals.
Then one day, in 2006, Liu, Brown, and a third contributor sat in the living room and toyed with the idea of launching a security services startup.
“We said, ‘Why not?’” Liu remembers. “We were really enjoying this.”
“From 2006 to 2009, we were a ‘lifestyle’ company,” says Liu, referring to the fact that the company was still kind of a hobby for them. In 2009 they switched to a professional mindset, and Bishop Fox was born. Liu and his partners set about recruiting the best talent they could find and attracting bigger and bigger-name clients. Their revenue rose, despite launching during the Great Recession.
It was also the Titan Rain era – when a string of attacks believed to be the work of Chinese state-sponsored actors compromised a number of government agencies in the United States and United Kingdom – and companies and government agencies were beginning to realize how vulnerable they really were. Binary analysis and incident-response forensics were suddenly in high demand. Liu was one of only a few hundred people in the United States who had any experience with both of these functions, and most of his peers had only worked with disk forensics.
“We sucked at it back then!” he laughs. “Everyone did. We were playing catch-up with the people writing the viruses.”
Fast-Forward to Now
These days Bishop Fox offers various assessment tests, including the comprehensive 4+1 methodology, in which several assessments and simulations are built around a central tabletop exercise. But all of the company’s services involve continuous work with a client’s developers, architects, and teams, rather than the “waterfall” style of performing one test here and another test there. Sometimes an assessment alone can take two months to complete.
“This is not a ‘let me just kick the tires’ kind of scan,” Liu says. “We look at code. We look at business logic issues. We like to find the hard problems, we always exploit, and we’re going to chase it down all the way.”
Liu doesn’t let clients rest on their brand-new tools or infrastructure either. “You’ve got to get the basics right,” he says. “We teach them how to take a punch and keep going.”
Twelve years later, the threats have grown, attackers have become more sophisticated, and defenders are changing how they approach security. Liu has observed security teams shift away from compliance-based security and toward ongoing, developmental security operations.
What does that mean for Bishop Fox?
“We’ve been very discreet,” says Liu. “I think it’s time to come out of our shell. We’ve done good work with big name clients. It’s time to go out into the world and talk, to bring good work to more people.”
The landscape may have changed, but Liu’s mission hasn’t: keeping people safe, online and off.
What is Vinnie Liu’s greatest success? “This sounds terrible, but I’m really proud of the people who have come through Bishop Fox. Some of our alumni have become CISOs at publicly traded companies. Recruiters will just hang up if they hear you work at Bishop Fox [because they know how hard it is to hire people away].”
One thing his colleagues would never guess about him? “I dance goofy, I sing loudly, roll on the ground, make faces. … I’ll do anything to make my kids laugh and smile.”
His dream job if he worked in a different industry? “Definitely something where I make things with my hands – food for people, construction, etc.”
Favorite thing to do in his spare time? “My pandemic skill has been failing to grow things in my garden. The universe has somehow blighted the 32-square-feet of backyard where my garden lies.”
Favorite book? “I’m a huge sci-fi/fantasy book nerd. The more space battles, wizards, and aliens, the better.”