Excerpts from the interview with Roni Carta
Dawn Liphardt – You founded Lupin & Holmes in 2023; what is your positioning on the cybersecurity market?
Roni Carta – Lupin & Holmes is a research and development company focused on offensive cybersecurity. Our goal is to discover the vulnerabilities of tomorrow: security flaws that will be actively exploited across ecosystems and industries, but that we are not paying enough attention to today. The first ecosystem we wanted to tackle was the Software Supply Chain and the use of prebuilt components in our clients’ information systems.
Dawn Liphardt – Do you have an example of a Software Supply Chain compromise?
Roni Carta – In 2020-2021, the SolarWinds incident stands out as the biggest example of an attack on the Software Supply Chain. Today it remains the most significant case in this area. More recently, one can think of Bybit, where a compromised Safe employee gave access to Bybit’s crypto wallet, resulting in exfiltration of about $1.4 billion in cryptocurrency.
Dawn Liphardt – It is to address this issue that you launched Depi, a SaaS platform. What kinds of problems can it solve?
Roni Carta – To understand what Depi is, you must grasp the full complexity of the Software Supply Chain. Our definition encompasses all the processes that enable building and deploying applications within information systems. In short, when you use prebuilt components, you are creating a software supply chain. As a consequence, there are many different security flaws that can arise. Depi’s aim is to proactively reveal all the entry points an attacker could take into the Software Supply Chain logic of our clients.
Dawn Liphardt – What categories of clients are you targeting? Global firms that regularly engage in acquisitions?
Roni Carta – We must consider the organizations that would benefit from using Depi. Today we operate in a continuous development ecosystem, so every time we develop more rapidly, we rely increasingly on these prebuilt components. Therefore any company that is embedded in continuous development, across any industry, is a potential target. We are in a go-to-market phase: we will primarily target large French enterprises, the Fortune 500, and perhaps some GAFA if we’re lucky.
Dawn Liphardt – Another distinctive aspect of Lupin & Holmes is how you financed its creation?
Roni Carta – Yes, I think this story is fairly atypical. Since I was 17 (he is 23 today) I have been exploring through Bug Bounty. I realized that the Software Supply Chain is an extremely easy and highly impactful entry point. I went to my brother, who is a back-end developer, and told him: you do development, I do security research, and we’ll start an R&D company. The bug-hunting work allowed us to earn bounties that we reinvested into developing Depi.