This is the second post in a series of blogs examining the security of various Video Conferencing products for business. In this post we examine Zoom and Microsoft Teams.
To read about our approach to this analysis, understand the target security model we applied or see a side-by-side comparison of the products reviewed please visit our first post from this series.
If you’re interested in the detail from Zoom or Teams, please read on.
Zoom Video Communications is a company based in San Jose, California. The business has been enjoying great success since its creation in 2011, but sales have apparently rocketed with the COVID-19 epidemic. Zoom attempts to differentiate itself with excellent service quality and thus relies on its SaaS model exclusively. Zoom is used as a collaborative audio and video solution for (licensed) users of meeting rooms, which allows working internally with colleagues as well as externally with partners, with an innovative interactive interface.
Since the beginning of the COVID-19 pandemic and the implementation of self-isolation measures around the globe, the use of Zoom has grown exponentially (+535% in the United States alone). Several vulnerabilities and breaches in the spotlight have undermined security and trust in the company. Whilst these concerns are warranted, we feel that there has also been a fair amount of hyperbole involved, which was part of our motivation for writing this report.
Zoom 5.0 was released on April 27, 2020 and now supports AES 256-bit GCM encryption. This will be enforced across the board starting May 30th, 2020 meaning only Zoom clients on version 5.0 or later will then be able to join meetings.
In-meeting security controls are now grouped together under the Security icon on the host meeting menu bar. These controls allow the host to enable or disable the ability for participants to screen share, chat or rename themselves. Hosts can also “Report a User” to Zoom’s Trust & Safety team, enable the Waiting Room feature whilst already in a meeting, lock the meeting once all attendees have joined to prevent unwanted guests, and remove any participant, which then prevents that individual from rejoining the meeting.
Additional safeguards have now been implemented; these include:
The application allows screen sharing to collaborate and share notes, visible to all the participants. You can send messages to all participants with one click. Also, recording conferences on-device or in the cloud is possible.
Zoom integrates with “Personal Information Manager” (PIM) applications like Microsoft Outlook and runs on mobile phones (iOS and Android) or on touch screens to allow as many integrations as possible. It connects to numerous audio and video endpoints. To create and manage a meeting, installing a ‘thick’ (executable) client or a mobile application under Windows, Linux, Android or iOS is necessary. We found installing the product under GNU / Linux to be tricky, however. Attending or scheduling a meeting can also be done through a browser.
Zoom also provides integration with several conferencing hardware solutions for cameras, microphones and screens, via partnerships with selected vendors.
Zoom, unlike many solutions presented here, uses proprietary technology and does not use generally accepted WebRTC standards. WebRTC is an interface allowing communication in real-time online. This standard allows browsers to support voice or data sharing directly from the browser, thereby eliminating the need to set up specific software or extensions.
We found Zoom to be a very functional and easy-to-use tool, which has probably contributed to its meteoric rise. It’s available for a wide majority of platforms, including a browser, and does not require specific changes to corporate platforms or networks due to its SaaS operational model. Integration with main email and calendar applications such as Microsoft Outlook or Google Suite is smooth. Zoom also offers accessibility features for all participants, for example by enabling subtitles via REST APIs. Zoom’s widescale adoption also makes it an attractive choice for businesses wanting to connect with others outside their own organization.
Encryption | ||
Uses an appropriate encryption algorithm | Fully | GCM with AES 256 since v5. Not fully proven in production. |
Uses a strong encryption key | Fully | AES-GCM with 256-bit keys |
Data is encrypted in transit under normal use | Fully | However, the encryption keys for each meeting are generated by Zoom’s servers |
Data stays encrypted on provider servers | Partially | Provided that meetings aren’t being recorded. See https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/ |
Voice, Video and Text are all encrypted | Fully | See https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/ |
File transfers & session recordings are encrypted | Fully | See https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf |
Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE) | No | Expected in future with Keybase integration. |
Encryption implementation has withstood scrutiny over time | No | v4 encryption was criticized, but Zoom points out there has never actually been a reported compromise of their encryption. v5 encryption only fully active from end May. Zoom is planning to publish a detailed draft cryptographic design on May 22 |
Authentication | ||
Administrators can define password security policies | Fully | For administered accounts, account admins now have the ability to define password complexity |
Supports MFA as default | Partially | 2FA does not apply to the Zoom Desktop Client or Mobile App |
Can integrate with Active Directory or similar | Fully | See https://support.zoom.us/hc/en-us/articles/201363023-SSO-with-Active-Directory |
Can integrate with SSO solutions via SAML or similar | Fully | See https://support.zoom.us/hc/en-us/articles/201363023-SSO-with-Active-Directory |
Offers RBAC | Fully | See https://support.zoom.us/hc/en-us/articles/115001078646-Role-Based-Access-Control |
Allows passwords to be set for meetings | Fully | See https://support.zoom.us/hc/en-us/articles/360033559832-Meeting-and-webinar-passwords |
Allows meeting password security policies to be set | Fully | See https://blog.zoom.us/wordpress/2020/04/14/enhanced-password-capabilities-for-zoom-meetings-webinars-cloud-recordings/ |
Jurisdiction | ||
Headquarters address | USA | San Jose, California, U.S. |
The vendor cannot technically access any data without the client’s consent | No | Expected in future with Keybase integration. |
A full on-prem version is available for users who don’t want to trust the vendor | Partially | User and meeting metadata are still managed in the Zoom public cloud. See https://support.zoom.us/hc/en-us/articles/360034064852-Zoom-On-Premise-Deployment |
For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in | Partially | The feature exists but the number of regions is limited, e.g. with no provisions for the UK, Russia or any African areas. Possible ‘regions’ for provisioning are USA, Canada, Europe (NL, GER) and China |
Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) | No | See https://zoom.us/docs/en-us/privacy-and-security.html |
Complies with appropriate privacy standards (e.g. FERPA or GDPR). | Fully | |
Provides a transparency report that details information related to requests for data, records, or content. | No | In progress. See https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/ |
Security Management | ||
Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. | Fully | |
Allows granular control over in-meeting actions like screen sharing, file transfer, remote control. | Fully | |
Offers clear central control over all security settings | Fully | |
Allows for monitoring and maintenance of endpoint software versions | Partially | An administrator can review client software versions, but 3rd party tools would be required to enforce an update. |
Provides compliance features like eDiscovery & Legal Hold | No | Not as far as we can tell. |
Auditing and Reporting | Partially | See https://support.zoom.us/hc/en-us/articles/201363213-Getting-Started-with-Reports and https://support.zoom.us/hc/en-us/articles/360032748331-Operation-Logs |
Additional content security controls like DLP, watermarking, etc. | Partially | |
Vulnerability Management | ||
Percentage of NVD 2019 | 0.02 | |
Percentage of NVD 2020 | 0.08 | |
Vendor discloses which vulnerabilities have been addressed | Partially | Zoom addresses several vulnerabilities on its site, but we could not find comments to all of them. |
Vendor runs a bug bounty | Partially | A revamp of the program is in progress as of April 15. See https://blog.zoom.us/wordpress/2020/04/15/luta-security-katie-moussouris-zoom-bug-bounty/ |
The solution is available exclusively as SaaS (or hybrid cloud), so customers need to be comfortable with trusting Zoom to protect the infrastructure and respect their data. In hybrid cloud mode, user and meeting metadata are managed on the public cloud, whilst video, voice and data sharing go through the on-premise Zoom meeting connector.
Zoom had previously suggested that its communications were end-to-end encrypted, but closer examination has revealed that this is not strictly speaking the case (using our definition above)[1]. Moreover, Citizen Lab reported that Zoom communications are encrypted using AES-128 and not the AES-256 previously indicated by Zoom[2]. More problematic for some users, the Zoom AES-128 encryption keys could have been transmitted to third parties, possibly in China.
Zoom has, however, responded forcefully to address these and other issues, and the new 5.0 update includes upgraded encryption. The new ‘Galois Counter Mode’ (GCM)[3] encryption will use the 256-bit ‘Advanced Encryption Standard’ (AES) algorithm[4], which is considered to be standard, reasonable and appropriate for applications of this kind. A thorough evaluation of Zoom’s implementation of this algorithm is beyond the scope of this review, but it would be fair to assert that Zoom has put the primary historic concerns about its encryption to bed with this update.
Apparently in order to bolster their encryption capabilities, Zoom has announced the acquisition of Keybase. Keybase currently delivers an end-to-end encrypted secure messaging and file sharing platform. Zoom has stated that the acquisition is a key step in their “attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom’s wide variety of uses”. Whilst it is not clear to us at this stage what Zoom’s strategy for this acquisition is, it would appear that the technology would position Zoom very strongly to provide full end-to-end encryption based on proven public key encryption methods at some point in the future.
Zoom administrators can enable two-factor authentication using Google Authenticator, Microsoft Authenticator or FreeOTP[5].
According to their website, Zoom single sign-on (SSO) is based on the Security Assertion Markup Language (SAML 2.0[6]). Zoom acts as the Service Provider (SP) and offers automatic user provisioning. You do not need to register as a user in Zoom. It can also work with other Service Providers such as PingOne, Okta, Azure, Centrify, Shibboleth, Gluu, G Suite/Google Apps and OneLogin. Zoom can additionally work with Microsoft’s ADFS 2.0[7] SAML implementation.
Zoom actually offers a native 2FA implementation via various ‘One Time Pin’ applications for mobile, but these are only enforced for authentication to the web interface, i.e. not for joining meetings via the mobile or desktop applications. However, the various SSO platforms supported would allow enhanced features like push-to-mobile for strong authentication for all elements of the Zoom ecosystem.
Until recently, instant Zoom meetings didn’t enforce a password, meaning that anyone who got the meeting ID could join the ongoing meeting, sometimes with funny tricks, sometimes with more unethical behavior. This issue appears to have been addressed by a series of new features culminating in the release of Zoom v5.
It has also been disclosed that Zoom settings would add email addresses from the same domain to a single directory, so that in some cases people using a personal email address could be added to a pool of contacts they know nothing about, sharing their personal information such as email address and photo. As of 18 April Zoom has stated that users will no longer be able to search by full name for contacts with the same domain if they are not on the same account or organization. We believe this change mitigates the issue above.
Zoom Inc is a registered U.S. company, but media reports have suggested that it is tightly integrated with several Chinese businesses, employs developers in China and indeed has accidentally routed some traffic through servers in China for a small subset of their users. This caused concern and outcry for users and businesses who believed Zoom to fall wholly under US jurisdiction[8].
However, Zoom does have an option under its advanced settings for paid accounts that allows users to opt out of certain data center regions. Any number of regions can be deselected, except the region from which the account was provisioned. According to Zoom’s site “Datacenter regions selections apply only for meeting and webinar traffic. The selections do not impact the location of data at rest. Datacenter region selections also do not apply to Zoom Phone or related features”[9].
Another feature promoted on Zoom’s website is worth noting. Zoom “Meeting Connector” is a hybrid cloud deployment method, which allows a customer to deploy a Zoom multimedia router (software) within the customer’s internal network. According to their site: “User and meeting metadata are managed in Zoom communications infrastructure, but the meeting itself is hosted in the customer’s internal network. All real-time meeting traffic including audio, video, and data sharing go through the company’s internal network”.
Zoom claims adherence to privacy standards like HIPAA and GDPR and asserts that its policies are designed to reflect their compliance with the requirements of the Children’s Online Privacy Protection Act (COPPA), the Federal Education Rights and Privacy Act (FERPA), the California Consumer Privacy Act (CCPA), and other applicable laws. That appears to be mostly by virtue of the fact that it either doesn’t collect the relevant data or obtains user consent before doing so.
Zoom offers role-based access control which enables an account to have additional user roles. User roles can have a set of permissions that allows access only to the settings pages a user needs to view or edit.
Zoom’s ‘Admin Management’ portal appears very similar to the advanced settings page a user would work with, but with the added ability to define settings for various subsets of users. An administrator can not only set defaults for these settings but can also opt to ‘lock’ a setting so that it can’t be overwritten by an individual user. Our experience of the interface showed it to be fast, simple and intuitive once properly installed.
The portal also allows admins to view the software versions running for different users, but there doesn’t appear to be a way to centrally manage the client software. According to the Zoom site, “the Desktop Client can be mass configured for Windows in 3 different ways: via the MSI installer for both configuration and installation, an Active Directory administrative template utilizing Group Policy for configuration, or via registry keys for configuration”[10].
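Because the portal reports client versions but cannot enforce updates, an administrator can check an exported inventory against the 5.0 floor required for AES 256-bit GCM. The following is an added example, not code from Zoom or from the original post; the CSV column names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Floor taken from the post: clients below 5.0 lack AES 256-bit GCM and will be
# unable to join meetings once enforcement starts.
MIN_GCM_VERSION = (5, 0)

# Constructed sample data. The column names are assumptions for this example,
# not the format of any real Zoom export.
SAMPLE_INVENTORY = """\
user,platform,client_version
alice@example.com,Windows,5.0.1
bob@example.com,macOS,4.6.11
carol@example.com,Linux,5.0.398100.0427
dave@example.com,Windows,4.6.9 (19253.0401)
erin@example.com,Android,
frank@example.com,iOS,v5.0.2
"""

# Leading dotted number, with an optional "v" prefix; trailing build info is ignored.
_VERSION_RE = re.compile(r"\s*v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """Return the leading dotted version as a tuple of ints, or None."""
    match = _VERSION_RE.match(text or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def meets_floor(version, floor=MIN_GCM_VERSION):
    """Compare after zero-padding so that '5' is treated as '5.0'."""
    width = max(len(version), len(floor))

    def pad(value):
        return value + (0,) * (width - len(value))

    return pad(version) >= pad(floor)


def audit(inventory_csv):
    """Sort users into compliant / outdated / unknown buckets.

    Rows with a missing or unparseable version go to 'unknown' rather than
    'compliant', so gaps in the inventory are followed up instead of ignored.
    """
    report = {"compliant": [], "outdated": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row.get("client_version"))
        if version is None:
            bucket = "unknown"
        elif meets_floor(version):
            bucket = "compliant"
        else:
            bucket = "outdated"
        report[bucket].append((row["user"], row["platform"]))
    return report


def outdated_by_platform(report):
    """Count users needing attention per platform, to target the rollout."""
    counts = {}
    for _user, platform in report["outdated"] + report["unknown"]:
        counts[platform] = counts.get(platform, 0) + 1
    return counts


if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY)
    for bucket, entries in result.items():
        print(bucket, entries)
    print(outdated_by_platform(result))
```

The per-platform counts show which deployment channel (MSI, Group Policy or a third-party tool) needs to push the update first.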
The NIST National Vulnerability Database records six vulnerabilities for Zoom since the beginning of 2019:
Year | Reported | NVD Total | Percentage |
2019 | 3 | 17,308 | 0.02% |
2020 | 6 | 7,519 | 0.08% |
Several of the vulnerabilities counted above would be considered ‘serious’, but at least two are being disputed by Zoom.
The recent vulnerabilities and breaches have attracted a lot of attention and apparently undermined trust in the technology. Here’s a brief summary:
However, Zoom seems to understand these security issues and has been aggressively taking the necessary measures to address them and patch vulnerabilities as soon as possible. The new 5.0 update addresses all the security vulnerabilities known to us at the time of writing, as summarized in the table below.
Microsoft Teams is a proprietary collaborative communication application, operating only in SaaS mode, officially launched by Microsoft in November 2016. The service can be integrated with Microsoft Office 365 suite and Skype for Business. It is also expected to replace Skype, which will be abandoned in July 2021. The solution allows collaborative work (co-publishing and storage of documents, access to e-mails and an instant messaging system, etc.), thus offering far more than the traditional features of video conferencing systems. Teams also offers extensions that can be integrated into products other than Microsoft.
Microsoft Teams has been available in a free version, limited to 300 members, since July 13, 2018, although some features of Office 365 are missing. The solution now claims more than 44 million active users with an exponential acceleration since the beginning of the massive pandemic-driven teleworking migration in many countries.
The solution is available on most Microsoft Windows, MacOS, Android, iOS and GNU / Linux distributions. The product is completely usable via a browser, with no need to install a client. However, the optional rich client or a fully supported browser (like Microsoft Edge based on Chromium or Chrome itself) is required to access advanced features like content sharing, control of shared content, and background[1].
A free version exists for SMEs (up to 300 users) although it offers very limited functionality. We feel that the solution might be a bit heavy for very basic or occasional needs.
Encryption | ||
Uses an appropriate encryption algorithm | Fully | All cipher suites supported by Office 365 use algorithms acceptable under FIPS 140-2. Office 365 inherits FIPS validations from Windows. |
Uses a strong encryption key | Fully | AES-GCM with 256-bit keys. See https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel |
Data is encrypted in transit under normal use | Fully | See https://docs.microsoft.com/en-us/microsoftteams/teams-security-guide |
Data stays encrypted in transit on provider servers | Unclear | We couldn’t clarify this from publicly available information. See https://docs.microsoft.com/en-us/microsoftteams/teams-security-guide |
Voice, Video and Text are all encrypted | Fully | See https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption?view=o365-worldwide |
File transfers & session recordings are encrypted | Fully | See https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption?view=o365-worldwide |
Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE) | Partially | A feature called Service Encryption allows for your organization to supply the root keys and control the ability of Microsoft to process your data. |
Encryption implementation has withstood scrutiny over time | Fully | |
Authentication | ||
Administrators can define password security policies | Fully | |
Supports MFA as default | Fully | |
Can integrate with Active Directory or similar | Fully | |
Can integrate with SSO solutions via SAML or similar | Fully | |
Offers RBAC | Fully | |
Allows passwords to be set for meetings | No | See https://docs.microsoft.com/en-us/microsoftteams/meeting-policies-in-teams |
Allows meeting password security policies to be set | No | |
Jurisdiction | ||
Headquarters address | USA | One Microsoft Way, Redmond, Washington, U.S.A |
The vendor cannot technically access any data without the client’s consent | Partially | A feature called Service Encryption allows for your organization to supply the root keys and control the ability of Microsoft to process your data. |
A full on-prem version is available for users who don’t want to trust the vendor | No | |
For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in | Fully | See https://docs.microsoft.com/en-us/microsoftteams/location-of-data-in-teams |
Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) | Fully | See https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-iso-27001?view=o365-worldwide and https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-c5-germany?view=o365-worldwide |
Complies with appropriate privacy standards (e.g. FERPA or GDPR) | Fully | |
Provides a transparency report that details information related to requests for data, records, or content. | Fully | See https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report |
Security Management | ||
Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. | Partially | Waiting room |
Allows granular control over in-meeting actions like screen sharing, file transfer, remote control. | Fully | See https://docs.microsoft.com/en-us/microsoftteams/meeting-policies-in-teams#meeting-policy-settings—general |
Offers clear central control over all security settings | Fully | See https://docs.microsoft.com/en-us/microsoftteams/manage-teams-skypeforbusiness-admin-center |
Allows for monitoring and maintenance of endpoint software versions | Fully | Via Microsoft Endpoint Configuration Manager, MSI, GPO or other Microsoft tools. |
Provides compliance features like eDiscovery & Legal Hold | Fully | See https://docs.microsoft.com/en-us/microsoftteams/security-compliance-overview |
Auditing and Reporting | Fully | See https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide |
Additional content security controls like DLP, watermarking, etc. | Fully | |
Vulnerability Management | ||
Percentage of NVD 2019 | 0.01 | |
Percentage of NVD 2020 | 0.00 | |
Vendor discloses which vulnerabilities have been addressed | Partially | |
Vendor runs a bug bounty | Fully | See https://www.microsoft.com/en-us/msrc/bounty-microsoft-cloud?rtc=1 |
Teams uses Transport Layer Security (TLS), and mutual TLS (MTLS) which encrypt instant message traffic. Point-to-point audio, video, and application sharing streams are encrypted using Secure Real-Time Transport Protocol (SRTP)[2]. Files are stored in SharePoint and secured by SharePoint encryption. Notes are managed via OneNote and protected by OneNote encryption, also hosted on a SharePoint. Microsoft asserts that with Microsoft O365 data is encrypted in transit and at rest.
Network communications are encrypted. All Teams servers must use certificates and implement technologies like OAuth, TLS or SRTP plus 256-bit encryption. Communications are encrypted from users to Teams servers, meaning they are not encrypted end-to-end[3].
Teams requires all servers to contain at least one Certificate Revocation List distribution point for purposes of verifying that a certificate has not been revoked since the time it was issued.
Microsoft O365 offers an added layer of encryption at the application level called ‘service encryption’, which covers data from Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Teams files[4].
According to Microsoft Tech Community contributor ‘Alexwall’[5], “Microsoft retains an availability key, which means that Microsoft could access all customer data. The lack of encryption of Teams messages, as well as the existence of an availability key for all services, would be a concern for a customer that wants 100% security”[6].
The mobile client supports App Protection Policies from Microsoft InTune that would ensure that its content is encrypted on the mobile endpoint device[7].
Authentication is based on Office 365 with Microsoft Azure in particular. Microsoft Teams desktop clients for Windows and Mac support ‘modern authentication’ which brings sign-in based on the Azure Active Directory Authentication Library (ADAL) to Microsoft Office client applications across platforms[8]. Microsoft Teams supports all the identity models that are available with Office 365 and has a comprehensive set of tools for provisioning and managing identities, all tied in with existing Active Directory or Azure implementations.
Multi-Factor authentication is supported with any Microsoft 365 or Office 365 plan that includes Microsoft Teams, with support for phone calls, text, One Time Pin or Mobile App Notification as second factors. Users also benefit from the additional security controls provided by Microsoft across its O365 range of services.
Teams is categorized by Microsoft as a ‘Tier D’ compliant application, which means it adheres to ISO 27001, ISO 27018, SSAE16 SOC 1 and SOC 2, HIPAA, and the EU Model Clauses (EUMC). Teams is also German government BSI Cloud Security Alliance compliant.
For new customers only, data in Teams resides in the geographic region associated with the customer’s Office 365 organization. Currently, Teams supports the Australia, Canada, France, Germany, India, Japan, South Africa, South Korea, Switzerland (which includes Liechtenstein), the United Arab Emirates, United Kingdom, Americas, APAC, and EMEA regions[9]. We were not able to determine whether this also applies to voice, video and text communications.
However, Teams is a SaaS solution delivered by Microsoft, which falls under the jurisdiction of the United States government. Encryption keys are owned by Microsoft by default, and Microsoft is therefore technically able to decrypt your data. This may be of concern to clients operating outside the U.S.A.
Microsoft Teams is supported separately as a cloud app in Azure Active Directory conditional access policies. Conditional access policies that are set for the Microsoft Teams cloud application apply to Microsoft Teams when a user signs in.
As a component of Microsoft 365, Teams benefits from a comprehensive and granular set of centralized security and compliance management tools well suited to the enterprise, especially if Microsoft AD or Azure are already in use.
Microsoft 365, with all its inter-connected applications, is highly sophisticated and complex, however. We feel that without the required skill and appropriate care, the average organization is more likely to suffer a breach due to an accidental leak or misconfiguration than as a result of the technical interception of data by an adversary or Microsoft themselves.
There is one vulnerability recorded for Microsoft Teams specifically in the NIST National Vulnerability Database in the period from the start of 2019 to the time of writing, but there have been a number recorded for associated products like Skype, Skype for Business and SharePoint.
Year | Reported | NVD Total | Percentage |
2019 | 1 | 17,308 | 0.01% |
2020 | 0 | 7,545 | 0.00% |
On April 28, 2020, researchers at CyberArk created a proof-of-concept (PoC) attack that involves an inside attacker getting a victim to view a malicious GIF, which allows the attacker to take over the victim’s Teams account. They reported two insecure subdomains to Microsoft, which resolved the issue in under a month. Using the bug, an attacker could gain access to an organization’s Teams accounts by making Teams API calls, which allows one to read and send messages, create groups and add and remove users.
Generally, although there is little data with which to assess this product’s security heritage, it would be fair to argue that Microsoft has robust processes and has developed a strong reputation in this regard.
1: Video killed the conferencing star
2: In-depth product analysis – Zoom & Microsoft Teams
3: Let’s examine Cisco Webex – A visionary player
4: Google Meet and BlueJeans – Re-engineered platforms for secure meetings
5: Tixeo and BigBlueButton
6: A closer look at Skype for business and Jitsi Meet
Head of Security Research
Charl van der Walt
Technical thought leader, spokesman and figurehead for Orange Cyberdefense world-wide, leading and managing the OCD Security Research Center – a specialist security research unit. We identify, track, analyze, communicate and act upon significant developments in the security landscape.
Senior Consultant Cybersecurity
Quentin Aguesse
A graduate of a French business school, Quentin is now a senior consultant at Orange Cyberdefense operating from Casablanca (Morocco). With nearly 10 years of experience, Quentin has specialized in risk assessment, disaster recovery planning, as well as cybersecurity awareness.
Consultant Cybersecurity
Jérôme Mauvais
As a specialist in regulatory compliance, Jérôme Mauvais is a security consultant for Orange Cyberdefense. Highly invested in the protection of personal data, Jérôme has also been noted throughout his career for his great capacity for knowledge transmission.
Lead Security Researcher (MSIS Labs)
Carl Morris
Carl has over 20 years’ experience working within IT, covering the whole breadth of the IT infrastructure, with a primary focus and interest on the security-related solutions. This has been followed by a decade working in MSSPs, the latest of which being at SecureData for over 7 years, initially as an Escalation Engineer, then moving into Professional Services, then to the Managed Threat Detection team as a Senior Security Analyst, before moving into the Labs team as a Lead Security Researcher.