
CRA Ready: Governance, Vulnerability Management & Beyond

Transcript

 

 

00:00 Welcome and CRA stakes
00:57 Deadlines and penalties
01:54 Meet the guests
02:29 Key surprises and readiness
04:59 Selling CRA to leadership
06:36 Enforcement and readiness stats
11:14 24-hour reporting reality
14:46 Scaling vuln management
16:40 Overlap with other frameworks
18:31 Fast path to defensible GRC
20:08 AI for CRA compliance
24:44 Human in the loop governance
26:38 Audience Q&A and tooling
27:59 What to do this week
30:34 Closing takeaways



All right, well, good morning or good afternoon everyone, and uh, welcome. Uh, my name's Frank Morris, and today we're gonna spend, uh, the next 30 to 60 minutes on one of the most significant pieces of cybersecurity legislation to land in some years: the EU Cyber Resilience Act. Now, if you've heard CRA and filed it under something to deal with later, this is probably worth listening to.

Um, as some of you would be aware, the CRA entered force in December, 2024, and it applies to any organization that manufactures or sells software, hardware, connected products into the EU market, regardless of wherever that organization is headquartered. So a US company with EU customers, that's in scope, uh, SaaS vendor, European contracts, almost certainly in scope.

So a lot of stuff going on with CRA right now. The, um, the first hard deadline is gonna land in September, 2026, which isn't far away, and that's when mandatory vulnerability reporting to ENISA, which is actually the, the acronym for the European Union Agency for Cybersecurity, becomes law. Uh, full enforcement follows in December 27.

So non-compliance at that point carries penalties of up to 15 million euros or two and a half percent of global annual turnover, whichever is the greater, and beyond financial penalties, uh, market surveillance authorities can order product recalls and withdrawal from the EU market entirely. So you could say that the CRA is only the security equivalent of GDPR.

GDPR reshaped how every organization handles personal data. And the CRA is gonna do the same for product security. Making secure by not just a best practice, but. Really, it's gonna be a legal obligation throughout a product's entire lifecycle. So today we've got two fantastic guests who live and breathe in this space.

Uh, we've got John Waller and he brings a, a deep amount of expertise in governance, risk and compliance. He's been helping organizations navigate exactly this kind of regulatory shift. And we've also got Greg Anderson, the CEO of DefectDojo, and, uh, we are gonna cover the regulatory landscape, what mature compliance should look like operationally.

Some conversation around how AI is changing the game. So, uh, without further ado, we'll get into that and, um, I'll start asking a few questions of John and Greg. So I'd like to kick things off. Um, and John, if you wouldn't mind leading the way, I think the question for you is, when you first scoped out what the CRA actually requires, what surprised you most?

And, uh, what do you think has been the biggest challenge for teams trying to get traction on adoption? 

Yeah. Well thanks for that, Frank. I would say that the thing, when you say surprise, there's a lifetime support obligation. So that seemed to me like, uh, something that was out of the ordinary, so surprising and it, it really requires the active security maintenance for the expected lifetime of the product.

So, um, it's something that a lot of product managers might not have fully confronted at this point. And, um, when you say about the biggest challenge, it could be, uh, basically what I would think would be the biggest challenge is the SBOM requirement. Not necessarily producing one, but keeping it continuously accurate as those dependencies evolve.

And that's what the regulation really demands, is that continuous compliance.

Right. So some big challenges ahead by some, some things there, John. And I've got a question for you, Greg, and, um, with DefectDojo, you're working with organizations across the globe. What are you seeing in terms of readiness at this point?

Is it on most security leaders radar yet? 

We see a really wide range of readiness. So, I would certainly say that Europeans have been more reactive, kind of no surprise there with a European regulation. I don't think we've seen quite as wide mass adoption as we've seen with, um, like GDPR, which mirrors the CRA very similarly.

I think to a certain extent people may have just gone numb to security news. And so, oftentimes now because there's so much hype in marketing, people wait to see what the actual impact is, particularly when we look at organizations outside of Europe. And so, um, like with GDPR, there were some, some wild headlines when it first rolled out with, uh, the European Union aiming to make an example of some of the largest companies in, in tech to have, uh, ripple effects and good behavior throughout tech companies at large.

And so, um, I would say it's been more muted so far, but I expect once it actually gets here, we'll see just as large of an impact as GDPR had. 

Definitely. So Greg, and, and certainly from my own perspective as well, I think you're right. We're seeing a lot more traction across the EU at this point, but it's really starting to balloon and actually hence the purpose of this discussion really today.

Um, Greg, thanks so much for that. Back to you, John, if I can. We've got a lot of US companies probably listening to this too, but how would you recommend making the case to the board or an exec team for CRA investment? Because, you know, the regulation is EU based and enforcement probably feels a little distant, even though that timeline I described earlier is rapidly approaching.

Um, how would you recommend making the case? 

Well, I think the simple case is that it's not necessarily a compliance cost because if you don't comply, you're effectively banned from the market. So that's really the way of looking at it. You frame it in reg-, revenue terms rather than the, the regulatory cost, 'cause, uh, non-compliance, uh, it again, it's effectively, uh, keeping you out of the, the EU market. Uh, I'd say a second argument would be competitive, uh, differentiation. So that, as you were saying, uh, European companies are a little more advanced right now, with those US companies that are gonna take this seriously and already start moving in that direction, they're really gonna have a, uh, competitive advantage.

And they're gonna be ahead of their peers when it comes to, uh, you know, a pro-, a procurement advantage with those EU enterprise customers that are tightening the supply chain, uh, requirements. So, uh, getting ahead of it is gonna put yourself in, in a better position for, uh, for the long term to be prepared, uh, and have the, your partners in the EU giving you a little bit more of, um, a better look, be trusted partner when you've got your plans in place and everything is, is documented, you're ready to go.

Yeah. Gotcha. Gotcha. And. It's kind of a question for both of you.

This one really, but you mentioned it, Greg, around GDPR and the pace of that, and, and we all know GDPR took a, a few years to bite, right? It took some time and a few examples being made to, to get things going. And question to both of you, uh, do you expect the enforcement of this one to follow that kind of slow burn or do you think it's gonna be a bit more aggressive from, from day one, they're gonna try and make a few more examples.

What, what do you think? What's your gut telling? 

You wanna go first, John, or do you want me to go? 

Yeah, go ahead, Greg. 

I think we're going to see a lot of, of whiplash because the, um, kind of initial response has been maybe more delayed than we've seen with other, uh, high impact regulations. I expect that there is going to be this kind of, um, a calamitous moment when, uh, realization meets reality.

Of what people are, are in for with this regulation, particularly outside of Europe. And so, I expect that when we start to see enforcement in December, there's going to be, initiatives from boards that are all of a sudden paying attention to this. What are we doing about this? How quickly can it be done?

And, you know, they're gonna think about the timeline in terms of weeks or days, that's when they're going to wanna see a response. And the reality is you need probably months to prepare and be in full compliance. I think, even for organizations that are operating at the highest level, you would be lucky to get it all done in a quarter.

And so, 

yeah. 

One of the big differences between GDPR is GDPR was relatively easy to implement comparatively. At least from a technology control perspective. And so, um, I think it's going to hit organizations that aren't prepared much harder in terms of the pain that it takes to get compliant to compliance once it's actually in enforcement.

Great. Great. I love that. And John, anything you wanted to add to that? 

Yeah, I'll just add in, in, um, I think one of the keys is, is that those organizations that have a fully developed software development lifecycle and, and have good documentation, uh, it's not gonna be as big of a reach, uh, so that they'll be, they're already, prepared on their way.

I know that we're, we're gonna get into some of that a little bit later, but I think it has something to do with that. One thing that is sort of a little different from, uh, GDPR is that ENISA is already, you know, it's a, a mature technical body, so that they're gonna be in place to be able to do some enforcement from day one.

So I think that's also something that might, you know, that GDPR took a little time to bite. But this might, as uh, Greg had said, maybe they're gonna wanna make some examples upfront. And they'll be in a position to do that with the maturity of, uh, of ENISA.

Gotcha. Yeah. Makes a lot of sense.

John. And another question for both of you actually, just on this, I think with the reporting deadline being some months away, right? So it's over, over a year away to, to some degree, but when some of the stuff is a little, little far away, how prepared in percentage terms would you think most organizations are that you're seeing in practice?

That's a great question. I, in, in our data at least I think probably 3% of companies are fully ready. I think there's probably another, uh. One fourth of them that are on the right track and will be ready. I think another quarter will be, um, having some panic, if you will, right before the end. And then I think there's going to be, uh, for the last, what did I leave?

Just, just about 50%. I think there's going to be a lot of panic.

Right. And I, I would just echo that. I don't have the same type of numbers that you have, Greg, but I would say that just from experience, the, um, American companies are gonna be on the, on the lower end of that as well. So, uh, that's really where my focus is and most of the customers that I have are US based, and it's, it's really not as, as high on the radar as it, as it should be.

So I think that, um. This webinar hopefully is gonna be a, a wake up call for some of, uh, our customers who, who might be viewing, but also it's, uh, you know, something that we bring back to the organization and make sure that, that the work gets out there. There's a lot of, yeah, a lot of work that needs to go into this to be ready for it.

And again those organizations that have got a strong, uh, documented, secure software development lifecycle that they're gonna be in a, in that, to it than the folks who, who haven't been thinking about it, who are sort of ad hoc and they're gonna have some troubles, that's for certain.

Yeah, definitely. So, definitely So, thank you both. I think, you know, we've got a, we've got a bit of a picture around. What the regulatory landscape looks like there. I guess the, the sort of next set of questions I wanna dig into really about the demands on the security team operations, uh, as a result of this.

So if you don't mind, I'm gonna transition slightly in the types of questions I'm asking, but I think the question, and again, I, I'd like to ask both of you this one, is that, that CRA does require actively exploited vulnerabilities to be reported to ENISA within 24 hours, right? So it's some of these quick turnaround jobs.

What does that demand of a security team's tooling and processes, you know, and, and how many people are really ready for that kind of thing today?

I think what it shifts is enrichment. I think used to be a luxury. So there, there's been a lot of hype in security marketing around enrichment. Specifically. Once you have all this security data normalized, how do you actually prioritize it? How should it be treated? Because you know, the number of vulnerabilities has exploded.

My co-founder makes this joke that, uh, software is like milk. It doesn't get better with time, it spoils. And so, um, that's something the market has truly had to react to. And so, we've seen a lot of, you know, large enterprises adopt a focus on enrichment to prioritize vulnerabilities. And, you know, maybe we haven't seen that trickle down yet to the smallest of organizations, at least at the same, uh, level of caliber and adoption.

And so, um, if you're in the enrichment market, it's, it's a great time to be there for those vendors. I think most people will look to, to kind of the, the standards. So, um, whether it be CISA KEV, EPSS, et cetera.

Mm-hmm. 

But I think it moves those sort of solutions and those sort of data feeds from um, nice to have to need to have.

Gotcha, gotcha. And I, I guess, implication through that is the, the more data and information you have, the easier it is to decide what you gotta focus on. Right. 

Yes. Yeah. Um, on the enrichment side, the more qualified sources you have to pull from, definitely the easier we'll make, uh, our lives. But, um, conversely, all the noise that security tools are producing has exploded.

And so, you know, on, on one end we kind of see a detriment in our, our current technology. And on the enrichment side, the better enrichment you have. The, the easier it makes the, the lives of the people who actually have to deal with these things. 

Sure. Sure. And you, John, anything you wanna add to that?

Yeah, I was just gonna add that, you know, you mentioned the 24 hours and, you know, what is this gonna be putting on security teams? I think one of the, the most important thing is, is that once you've got detection, I mean, that's just the starting point. The clock is ticking for 24 hours, so you really need to have everything in place ahead of time, pre-built, uh, playbooks, um, the sort of disclosure templates.

Those real time, uh, threat intelligence feeds that are going to, um, flag the active exploitation automatically. So, getting into that, that, um, that mindset that things need to get done immediately, uh, it's really gonna start, um, kicking in with 24 hours, then 72 hours for the detailed report 14 days later.

So. All this process, it's, uh, it's going to start quickly, but then hopefully once everybody's used to it, uh, get into, uh, uh, a habit that everybody's used to. 

Gotcha. Brilliant. Thanks John. And Greg, question for you. I think, you know, you touched on just the amount of. Data and information that is coming people's way and we're seeing organizations dealing with 500,000 plus findings in a quarter or more.

Right. How do you, how would you suggest people can avoid getting overwhelmed by all of that? How do you really get to focus on the things that really matter? What, what guidance would you give on that? 

I think the key is, is it has to be automated, whatever your solution is or however you choose to approach it.

Automation is the only way we kind of solve these things at scale, if you will. Like, it's fairly easy. If you had 10 vulnerabilities, you could do, uh, one-off processes, remain in compliance. But I think always one of the greatest challenges in security is, is how do you scale these things? And so, um, it has to be, you know, deterministic. There's a lot of talk around, I think, determinism in AI. And this is, I think, one of the areas where determinism is incredibly painful if it isn't correct. And so, um, I think one of the things you have to think about is, is when we talk about the scale of, of 500,000 plus findings per quarter for some organizations.

Um, I, I think like the theoretical maximum, if I had to guess is for the largest of organizations is, is 2 million findings a day. I think that's roughly what we see in our data in terms of theoretical maximum for the largest of organizations. That's an incredible amount of data to deal with. No, I don't think any human can deal with that data.

And so, it has to be automated, it has to be scalable, has to be reproducible, has to be auditable and has to be deterministic for it to ultimately work and comply and, um, but also just, you know, protect these organizations when we talk about this level of data and what you have to report on.

Great.

That's great guidance. Thanks Greg. John, back, back to you if I can. You know, a lot of organizations at the moment are already living with NIS2, ISO 27001, GDPR, other sector specific frameworks. Where, where do you see that the CRA overlaps and, and where does it add net new obligations?

Yeah, so, um, I would say that, um, with, there, there are a lot of those overlaps and in particular, uh, NIS2 with incident reporting, ISO 27001 secure development controls, and GDPR data security, they all really shared those the evidence assets and the CRA requirements. And, and on top of it, you know, this is more European based. Here in, in the US of course, we've got the, the CSF.

So a lot of overlaps between those. And if you're already compliant or using those frameworks you're in a good starting position to start with, but I'd say the net new obligations, they, they are pretty specific. And I, I alluded to this before, but the SBOM mandate is probably, uh, the biggest thing.

Um, the, the other surprise I mentioned, the product lifetime support commitment. These are the, some of those things that net new that you have these things in place. Now you need to add these new, layer them onto what you already have. And, and of course all of these things just, uh, just makes the organization security posture stronger and stronger and stronger.

So, when we talked before about what was the, what would be some of those things that you bring to the board about why you need to do this? We won't forget that. What's going on is you're making your, your product better. You're making the, the organization security posture stronger. So these things, uh, the net news are actually gonna be a benefit to the organization, not just an obligation.

Makes a lot of sense. Yeah. Thanks John. Um, a follow up question for you and it's more GRC related, but if a company doesn't have a formal GRC program yet, and um, you know, there aren't too many these days that don't, but you know, if you didn't have too much of one, what would be the fastest path that you'd recommend to get to a, a CRA defensible posture?

Wow, that's, as you said these days, it would be difficult to think that somebody doesn't have it. But if they don't, you know, now's the time to get moving. Uh, you know, first and foremost, figure out what it is, what program that you wanted to adopt. You know, where, where you are, these things.

But not even getting into that level, thinking about what is required with this, uh, with this act. Really a sequence would be like to classify the products, see where they fit. Then you could, um, generate the SBOM for each in-scope product. Move on to standing up the vulnerability disclosure policy.

Uh, and then these three steps I think would move you in that direction. I think obviously it would be incumbent upon you to adopt a formal GRC program so that that could be your starting point. But taking those steps, that's really what you need in order to, to start moving in the direction of, of understanding what it is that you need to comply with the, with the CRA.

Gotcha. Gotcha. That's great. Thanks John. And just to summarize what, what I've heard so far, I think, you know, it sounds like. The requirements, you know, if you go looking for 'em, they're pretty clear, right? But we know that operationalization of that is gonna be quite hard. And, and that's where there's gonna be a bit of a gap, I guess, going forwards.

And tooling's gonna play a, a critical role in that. I'd like to sort of, if the discussion into what that might look like in practice. So I think AI is obviously a big topic at the moment, right? It's a, a huge topic forefront of mind for most security leaders right now, for a variety of reasons. But I think from a GRC perspective view, John, how are you seeing AI being used or that it could be used to meet the requirements we're talking about in practice? Is, is there anything there at the moment or is it all hype? 

No, I think that absolutely using AI to, to integrate, uh, vulnerability intelligence so that you, it, uh, cross-referencing your SBOM data with those, uh, CVE databases, flagging the active, uh, indicators.

That's really the, what AI can do at scale that, uh, it's gonna be difficult for a human to do. I think that Greg probably has a, a, a, a better take on this. But for certain just a AI is, uh, there, there's so many applications for it, and this is a, this is a perfect application where the scale of those 2 million vulnerabilities.

And no human's ever gonna be able to handle that. You, you're going to need to automate, you're gonna need to bring AI into this to, in order to meet the, the compliance requirements. 

For sure. For sure. And Greg, for you, and related to that, I guess, you know, what does it mean? You know, if you've got outing?

We, we've been trying to incorporate things like, uh, the MCP integration for AI to help people ingest data and do their analysis on that. What does that actually mean for a, a security analyst trying to work faster on, on those CRA compliance tasks? Can you give us an example? 

I think we see kind of a wide range of, uh, maturity in terms of, of AI usage.

So I would say there is excellent AI usage in security and then there is AI usage in security that concerns me greatly, essentially. And so, when we talk about the CRA specifically I think you want to use things that are highly annotated and focused specifically on the CRA. And so, uh, how we've approached this specifically with AI capabilities is, um, the other thing I'll, I'll say just about AI and security generally.

I think the data that AI likes is very, very different from the data that humans like, when you give humans a description of a vulnerability, you can put more nuance into it that is appreciated. And when you put nuance into, uh, vulnerabilities for AI's consumption sometimes that can cause hallucination.

And so, I, I think if you are just hoping to kind of throw data into your LLM of choice and get something that is perfect or, or meets regulation requirements, that probably isn't going to go super well, but mm-hmm. Um, when you use something that's highly annotated, when you use something that's purpose built, if you understand how to build, uh, a really good MCP versus one that is just bolted on top of APIs, I think that will be, uh, the key.

But primarily, I, I would think in reporting and, and remediation would be the two greatest use cases at, at least from the, the data that we're seeing. So, uh, a AI is great at writing reports, right? I, I use AI for all of my reporting. Uh, I use AI for my board slides. Hopefully none of them watch this.

And, uh, yeah, you know, it's phenomenal for producing incredibly professional things. And then on the remediation side, that's something that, you know, we're experimenting with and, and seeing great results. I think the volume of the data that needs to be processed will be a challenge. Making sure that the right, uh, derivatives and conclusions in those reports is also a key challenge for the LLMs of today.

And so, um, I think it's all about, getting it right with, you know, great technology. I think comes great opportunity, but also an opportunity to get it, unfortunately, really wrong. 

Sure, sure. Thanks Greg. Um, I guess just to add, 

I'm sorry, Frank, just to add something to that. Good. I think on, on top of everything else, what AI would be good for, uh, is good for and that is for automated, uh, detection and response.

So a lot of the vulnerabilities that, can be handled, uh, automatically. That's something that without AI, you're not gonna get that same level of, of closing the loop immediately. So I think that, um, the, that's a, a, a secondary, not necessarily just for CRA requirements, but for the organization a, a as a whole.

Right. And the question I was gonna ask you actually, as a follow up to that, I think to, is there somewhere that you would draw the line between AI assisted triage and decisions that still need a human in the loop? Because I think Greg's alluded to the fact, you know, obviously you've got loads of stuff and coming to AI, but it doesn't always get it right.

You've got hallucinations going on, et cetera. So where do you draw that line from a governance perspective, in your view, between AI assisted triaging and having a human in the loop? 

Yeah. Well that's, that, that's really a great question. And that's, I think that every, every organization struggles with that.

I would just, just draw the line, you know, the one thing that, we have to treat AI outputs as drafts. If it's doing something that's novel, any, anything that's unproven you can't trust it until you've had your expert review. And, uh, and the documentation, that's another side of things.

Uh, if the, if we're gonna be generating reports as Greg said I use it all the time for everything. But the bottom line is, is that I'm the one who's responsible for anything that comes out. I have to sign in and make sure that, that it's accurate, so that, I think that's one of the big, most important things is you can't trust anything that comes out.

That you're gonna sign, you need to review it, you or your team to make sure that it's authoritative, that you're not presenting something directly from that LLM or, or from wherever and say that, oh yes, this is it. Anything that is gonna be presented just needs to have that human in the loop for me, I think that's the, the, the, the one thing that you can be certain on a lot of other use cases might require that.

Uh, in certain levels of, uh, managed detection and response, for example, there's things that can be done automatically, but the things that are gonna require a higher level of, of, um, of approval for certain you want to have the human in the loop for things like that. 

Gotcha. Gotcha. Thanks so much, John.

Listen, I, um, I'm gonna pause for a minute there. I've exhausted a lot of my questions and, um, without me typing into a, a, an ai, uh, bot to, to ask some more, I'm gonna pause for a moment and just see, uh, from Chris if we've had any questions in from the audience. 

Do you have one here, which is, uh, when do you expect to see the reporting API release? Might be more of a question for Greg. I think this is a defect question, but not sure.

Sounds like one. 

Yeah. 

Oh goodness. I get to get myself in trouble in a recording. Uh, I, I think it's already out, to be honest with you. So, um, in, in our platform, there's a section where the AI is totally optional and if you enable it, it will give you some prompts that have essentially been annotated so that we, we are providing custom context on the backend to try and make sure you're getting what you expect essentially. And so we've been preparing some resources for CRA and I think those have already been released, but, um, shame on me for not knowing, it may be imminent rather than in the product today. I'm sure it's always in our change log if it's not there already, but if it's not out today, I'd expect it's in weeks or at most a month.

Got it. Great. 

Anything else 

in NA tool, Chris? Was that the only one? 

Instantly one and yeah, folks, if you had a question. Okay. Steve ly throw the questions in the chat or the q and a, which at the bottom. 

No problem. Well, I've got one more question for both guests. Give, given all the stuff we've, we've discussed already and, and there's a lot more obviously.

What's the one thing that organizations should start doing this week if they haven't begun their CRA journey? What would you recommend? John, do you wanna go first? 

Sure. I'd say first and foremost, if they haven't begun the journey is to really understand what the CRA is requiring. That's, that'd be the, the starting point.

I mean, it's just basic, but that's the bottom line. That's the first thing. And then. What I had had mentioned before, if you don't have the, the a formal GRC program, the first thing that you really need to do is to classify your products and see where you fit in the, in the tiers and, and that will really direct you as to what it is that you're going to need to have in place.

At this certain period of time. So if you just start off with that understand what the act is, what it's requiring of you, and then figure out where your products fit in that hierarchy, then you'll at least have a, um, a guidepost to say, this is what I need to do by now by, by a certain date.

And, and once you have that, then you work back from there and see what it's gonna take for you to get there. 

Sound advice, John. Very good. Greg?

I agree absolutely with everything John is saying, I, I don't think that I have much to add there other than like how, how do we actually do these things in, in practicality. I think the big challenge is that, you know, 90% of security teams are, are understaffed. And so, um, there's a thousand different things that security professionals are hit with every single week that we have to make decisions on if we absorb or not, or if there is, you know, leadership buy-in or not to even go do these initiatives.

And so, um, if I could save one little bit of pain, I, I think what John is, is putting forward is, is spot on. Even if, um, like you don't have buy-in today, I think, I think it's coming and I think it's gonna be very, very painful. Like unprecedentedly painful. And so even if you just throw it in your AI of choice and ask it to, you know, do these things, just provide an outline. Just having some sort of plan. Uh, when the panic does eventually set in, when boards, uh, start to react to this regulation and start asking questions that, uh, make their way down and people are, are looking for answers, I think what John has outlined will perfectly kind of help people to, um, to react to that and hopefully react to it quickly when, um, when the, the, those two realities meet.

Absolutely. Well, listen, thank you both. That's been a, a genuinely rich conversation in a short time. Uh, I'd like to leave everyone with a, a few thoughts. I think, uh, you know, the window between now and September 26 is shorter than it looks. And, you know, organizations that are gonna use that period to build the process, get the right tooling in place, and maybe even do some dry runs for how they do notifications to, they'll be in a fundamentally different position to those that are gonna start in August 26, right? So, uh, I think that urgency's really important for everyone there. We know that GDPR created a wave of compliance investment and the companies that moved early there did have a real advantage. We know a lot of people stored, but those that did get involved early definitely had a real advantage.

And, and given what we know about CRA, literally being the security equivalent of that, it's happening now. Get things moving quickly. So thank you both for joining us today. Thank the audience for, for taking the time out. So, uh, John and Greg, it's been a pleasure and to our audience, uh, thanks for taking the time to listen and we'll close out there.