Welcome, Josh Brunty!

Rachael Lyon:
Hello, everyone. Welcome to this week's episode of To The Point podcast. I'm Rachael Lyon here with my co host, Jon Knepher. Hi, Jon.

Jonathan Knepher:
Hello, Rachel.

Rachael Lyon:
What's going on?

Jonathan Knepher:
You know, to be honest, the news of what's happening over at F5 has been something really, really concerning these days.

Rachael Lyon:
Interesting. Okay.

Josh Brunty:
Okay.

Rachael Lyon:
Well, I think maybe we'll talk about that today. Exactly. I think our guests may have some thoughts there. So without further ado, please welcome to the podcast, Dr. Josh Brunty. He is a professor of cyber forensics and cybersecurity with a joint appointment in the Department of Criminal Justice, Criminology and Forensic Sciences, and Department of Computer Sciences and Electrical Engineering at Marshall University. He also serves as the research lead for the Institute of Cybersecurity. His research has been funded by organizations including the United States Secret Service, Department of Homeland Security, and National Institute of Justice.

Rachael Lyon:
He also really coolly serves as the head coach of the U.S. cyber team for the U.S. cyber Games, leading the U.S. national team and international cybersecurity competitions. Welcome. Welcome to the podcast, Josh.

Josh Brunty:
Absolutely. It's a pleasure to join you guys. I'm happy to be here. Looking forward to this. Yeah.

Jonathan Knepher:
So thanks for. Yeah, thanks. And you know, I love that background kind of both on the electrical engineering side and the cyber side. I think that is. Is unique and brings a lot of skills. So maybe if you. You could talk about how all of your teaching experience has influenced your understanding and expertise on the cyber workforce and where things are headed, what's in demand.

Josh Brunty:
Yeah. So before I ever got into academia, I worked 10 years in industry. So I think that's a strength that I came in right away. And one of the things when I started is I wanted to not be the traditional academic mold. Right. I wanted to be the practitioner that was transitioning into academia, and I really wanted to be that trailblazer to break the mold. Right. And I know everyone wants to do that when they start in their career field.

Josh Brunty:
And, and we were building a new program at Marshall. We were kind of one of the first programs to kind of dabble into cybersecurity and, and digital forensics and that whole area there. So being that practitioner, knowing what we did and work so. And how the daily grind work worked in the laboratory, we Wanted to put that into the curriculum. So right away, one of the things that I looked in was how, what committees could I get on to help be part of the steering wheel to help develop this curriculum and stay on these committees where we were developing things that we knew would translate into job skills. And that led to producing some good rock star students that are out there doing all the cool things. And here I am becoming the old professor that kind of reaps the benefits of it, but that is kind of has led into, you know, positions that I've had the past couple of years of serving on, you know, nice framework committees and working, you know, with. With entities like AP to roll out cybersecurity curriculum in high schools.

Josh Brunty:
So it's been a fun ride so far, but it seems like we're just getting started on all this. You know, we've been doing cybersecurity for a number of years, but it just seems like academia as a whole was starting to, like, make this transitional shift from traditional computer science to, you know, hands on the keyboard, cyber, basically.

Rachael Lyon:
Well, you know, I'm always curious too, because, you know, cyber curriculum in general. Right. I mean, it's. It's still kind of growing and taking hold as we look at the next generation. Right. Of cyber professionals kind of. What are you seeing come through your classes? Right? I mean, what kind of folks are coming through what backgrounds? Or are you seeing some interesting trends in folks that are looking to enter the field?

Josh Brunty:
I think so. You know, one of the things that I've seen in the past couple of years is people are starting to want to specialize. You know, they may come in with an idea that they want to do. Hardware cyber, which is, you know, critical infrastructure, is a new thing that we're doing research on. So all of this, like, transitional shift, it used to be, you know, you were the jack of all trades. You know, you were doing just studying cyber security, and that's what you would do. You know, you would. You would do it all.

Josh Brunty:
Now I'm starting to see people look at offensive security, defensive security hardware, even incident response and forensics as being kind of a shift there. So I see students coming in right out of high school with ideas that this is what I want to do, and this is this, this is what I want to study, and this is what I want to learn from you.

Rachael Lyon:
That is so cool.

[05:16] Building and Coaching the US Cyber Team

Jonathan Knepher:
Okay, so I see here that you've been coaching the US Cyber team for a few years now. How do you get involved with that? And can you tell us a little bit about what that team is.

Josh Brunty:
Okay, so this kind of came about. This goes back about five or six years. So I started a competitive cyber security team at Marshall, and we had won the National Cyber League national championship back in 2020 as a school team. So I had an individual that was on that team that made US national team in season one, and she had reached out to me and said, are you interested in coaching the US Team? And I was like, I don't know about that, but, you know, I'll. I'll see you, you know, send me the info on it and we'll see, you know, what we can do. So I ended up talking to about three different individuals, and before I knew it, I was head coach. I was like, oh, my gosh, like, I have no idea what I'm doing whatsoever. And that we had started, you know, we had.

Josh Brunty:
We had done really well in competitions, but we hadn't, like, broke through the barrier yet. And so, you know, in the first season, it was just kind of learning, you know, because the world competition, the. The way that competitions are here in the States are totally different than they are at an international scale. The way that they do attack and defense in Europe and things like that, and I can talk about that here shortly. But I served in that first year, and the team is like, you know what, it might be a good idea to keep some continuity, because we always change head coaches from year to year to keep me on as a second year. So we kept our coaching team intact for a second year, and the continuity paid off this past year. So we're starting to get really good. We're starting to recruit individuals that have played in DEFCON finals in the main stage.

Josh Brunty:
They're really good individuals that are ages 18 to 25. And we're starting to get respect on a national scale, and. And we did so in Poland last week. So I'm kind of reluctantly stayed on for a third year just because I enjoy it so much, but. And we've changed our. Our coaching structure a little bit. You know, how coaches get involved. But it's been a very fun ride, learning all of this and learning the strategy of it and.

Josh Brunty:
And then representing our country. On top of that, I couldn't think of a greater honor to. To step USA Jersey on and. And do this not only for your country, but to set a legacy that. That. That we're starting to win on a national, on an international stage. It's been. It's been a fun ride.

[07:59] International Competitions and Team Dynamics

Rachael Lyon:
That's fantastic because apparently you guys did really good in Poland. And then Tokyo is coming up next, which is so cool to me. I mean, how do you even, because these are really working on real world attacks ostensibly, right? I mean, how do you prepare the team, right, to, to go into these competitions like this against like the best global talent out there today? This is, this is fascinating to me.

Josh Brunty:
Yeah. So the, the European Cyber Security Competition is hosted by ANISA, which is essentially the EU's version of CISA basically. So every year they hold the European ECSC, the European Cyber Security Competition. So that's all the EU member nations and then they invite guest member nations to play in that as well. It's a two day competition. First day being Jeopardy style CTF type questions. We really did well on that. We, you know, USA has been good in ctf, but we, we haven't been DEFCON good.

Josh Brunty:
You know, that's, that's, we're known for our DEFCON skills. We're known for that, that kind of gold standard. We had never to my knowledge ever placed anywhere above eighth. I think on the ctf. We, we found some young talent. We paired it up with older seasoned talent that had been playing for the past five years on our, on our US team. And we went in and spent a good part of the day on the top of the leaderboard in ctf. So we had a very good first day.

Josh Brunty:
Now the second day is where it gets fun because it's attack and defense. So you have all of the 30 some member EU nations, the guest teams, they're all put into an attack and defense environment where we have to attack services and steal flags and submit flags from other teams. So we stayed in the top five on that leaderboard. We've been known to be a good attack and defense team, but to hold up against teams like Italy and Germany and Denmark and even Ukraine, Ukraine had a team there and to be able to interface with those teams and learn from the coaches, we were learning from each other. It was just an invaluable experience. I think at the end of the day and then to come out winning the guest bracket, which we had never done before, we really walked out of Warsaw. As, as, with respect, you know, everyone was talking about how not only good our team was, but how just they, they conducted themselves on the world stage. So with all the countries involved in that, I think that's a win for us.

Josh Brunty:
At the end of the day, when you hear that as a coach that your team was, was that all of that. And then one couldn't be prouder, couldn't be prouder yeah.

Jonathan Knepher:
Can you talk us through like some of what, what are the, the hands on things they do? What are these, like, what kinds of things do they have to dig into and how does that help them kind of in their career? Like lift off right out of, out of this to the real world?

Josh Brunty:
Yeah. So one of the things, I'll just talk a little bit about our attack and defense part of the competition. So generally they'll put up about five to seven services. Those services are either easy to what we call blood or exploit an attack. Once we attack that service, that could be a number of different things that can be going on in that service. Once we attack that service, then we have to figure out a way to strategize how to use that exploited service to attack other countries with. So that can be difficult, you know, just even exploiting the service, you may have to figure out what type of encryption is going on in that. How do we, how do we weaponize that? So we attacked a service later on in the day.

Josh Brunty:
The part was we didn't know how to utilize that service and weaponize it and build an exploit to attack the other teams with. So it, it creates this skill from a standpoint of you're almost, and I would argue that you're almost throwing zero days into this environment or finding zero day vulnerabilities in order to attack those services. And I think it creates kind of a problem solving team skill. It puts the pressure on them to say, I have eight hours to exploit this, weaponize it and start attacking other teams. And you watch the team's dynamic as, as we, as we compete in that day. You know, it comes down to how do we, how do we eat during that day? You know, how do we get lunch to the table? Who sits beside each individual? I mean, it gets that granular. Like, you know, we're going to put teammates beside each other so they don't have to keep getting up and sitting down. We put crypto talent near individuals who know attack and defense from a server level.

Josh Brunty:
So it creates kind of this team skill that I think just directly translates into the workforce that, that employers are just absolutely looking for. And it not only builds up our individual skills for the, for the students, but I think it kind of sets our posture overall as a country in critical infrastructure. Because these individuals are going to work for companies, big, big five contractors, they're going to work for Fortune 5 companies and they're going in and embedding in and saying, okay, this is how you make your infrastructure stronger. Because we saw this in a competition. And that's just phenomenal. That is phenomenal that you see things like that happen. And very, very proud of that. Very, very proud of that.

[13:59] AI Strategy and Recruitment Pathways

Rachael Lyon:
Now, I have a two part question that are not necessarily connected, but I love talking about all this. So first question we have to ask is, does AI play a role here anywhere in terms of strategy and execution? And then number two would be, it seems like a talent these days in their aptitude for technical skills and cybersecurity. They're getting younger and younger and younger. And so for our listeners out there that may have this budding cybersecurity talent, how could they, you know, maybe learn how to come onto the team or, you know, what are the, what's the criteria, right, for having the level of talent that you're looking for for the US Cyber team?

Josh Brunty:
Okay, so yeah, that is a two pronged question. I'll answer it in two parts, the best that I can, because that is a good question and I don't want to miss it here. So you had mentioned about AI being a huge component in the competition. And one of the things that we started doing with the US team is first off understanding like the core components of AI. I think that's important to sit down and think, okay, what can I do and what can it not do? And how do we do, how do we put that into our playbook? So right after last year, that's one of the things I tasked our team with doing and I did myself. How do LLMs make us better and how could they slow us down? And one of the things we looked at as strategy is saying, okay, how do we get quicker in our solving, our problem solving? And a lot of the cognitive offloading we put into automation and automation, you see that across cybersecurity, it's a key component because automation can get you to a threshold quicker than not automating something. So if you have a breach, for example, and you have automation in place, you can recover from that breach through automation quickly. So I was like, okay with that, that understanding, how do I bring in AI and automation to make us work quicker? And that is what we did from a, from a strategic standpoint, we started building tools that incorporated AI that got us to the solves a lot quicker.

Josh Brunty:
And of 32 solves on the board, it may have helped us with about five, but it let us put five of those answers in the rear view mirror because we were able to come to the problem solving mechanism within minutes. And that's a big key because when you start Grinding on tougher challenges, you want to take the time to focus on those. And that's what we did. That's how we started using AI. So I tell people that listen to this podcast that are in cybersecurity, how do you leverage that for cognitive offloading to make, make yourself more efficient, right? And that's what we did. We work that in with automation. We incorporated in with automation and the proofs in the pudding, man, you know, we did well in Poland off of it and we, we will do well in Tokyo off of that as well. The second part of that question is how do, how do we get individuals involved? So our target audience is ages 15 to 25.

Josh Brunty:
With our competing team. We want to be within about the 18 to 25 year old range just because we're traveling internationally. So the cutoff of both the international and European competitions is 25. So we have, in the spring we have what we call the US Cyber Open. The US Cyber Open, anyone from anywhere at any age can apply. So we give them a series of capture the flags and scenarios. And basically the US Cyber Open is just an open ctf. So we recommend that if you're really good in an area like web or PWN or forensics or reverse engineering to make sure that within the open that you're highlighting that skill.

Josh Brunty:
And from that open we probably had close to a thousand people in our open. From that open crowd we invited back about a 120 to our cyber compine, that cyber combine. We put them through some talks, lectures and additional skill challenges. And that was about a four week process. We do a job interview basically. So we do a onetoone interview with them where the coaches will interview them, kind of get a gauge on what their skills are and then we convene as coaches. We whittle that down to a team. We picked a team of 40 this year that includes male and female where we put female teams together to go compete in female only competitions.

Josh Brunty:
So we were very strategic on how we picked our team from just a number of different skill sets. And we intend 2026 to kind of keep going with that of picking a team of 40. So individual that want to get involved in this, start with the Cyber Open, reach out to us as coaches. There's plenty of coaches that are working with this and even if you don't make the team in your first iteration, you can be put into our pipeline which kind of gives additional training. You know, we have sponsors that give out free training vouchers and certifications that help build that person in the pipeline. And I would say about half of our team right now started in our US Cyber games pipeline. And so it's a skill building program. And that's a key.

Josh Brunty:
When they leave at age 25 or they may choose to leave a year early, we want them to look back and say, man, I learned a lot in this program. And we want employers to say, man, I really want to hire a person from the US Cyber team because they're just so embedded with skills. We know we're going to get a good employee out of that.

Rachael Lyon:
Absolutely. It's like real world, hands on experience. And I'm just one more sidebar, John, sorry. Because so many of the cyber professionals I've met never even go to college. I mean they just literally start their careers hands on, 17, 18 years old and used all that real world experience. And now they're senior executives and leading CISOs in organizations. And I imagine something like this would be really wonderful for jump starting, you know, careers for those that, you know, maybe want to bypass the university. Not that we're suggesting that, but it gives you an open path to pursue something that you, you enjoy and have an aptitude for.

[20:51] Career Paths and Entrepreneurial Impact

Josh Brunty:
Right. You know, here I am a college professor and I tell people like college may not be the pathway for you. I mean it really may not be. We have individuals on our team that are, that, that went to a community college for two years or individuals that never went to college period, and they're super skilled in do. So I think we're seeing these multiple pathways, almost like trade pathways in a sense, but it really depends on what skill you want. You know, I, I have individuals on my team that are, that are well versed in hardware that, that didn't go to a top tier electrical engineering university that work for, you know, companies like Mitre building the challenges and didn't even get a degree in electrical engineering. They just, they just learned it from growing up, you know, and just immersing themselves in the skill. And then I have individuals that went through electrical engineering programs that learned that.

Josh Brunty:
You couple individuals up like that with those varying skill sets, it's like, it's like putting a automotive engineer in a room with a mechanic. Like they're going to come to some really cool solves if, if you mix them together compared to if you put two engineers in a room mixed with that. I really do believe that. And I think we're seeing that in cyber security, these, these multiple pathways to skills. Plus we're still trying to close the cyber skills skills gap. I Don't, I don't think we've closed that. And then the job gap definitely hasn't closed yet. So.

Josh Brunty:
And we haven't even peaked in this yet. So I encourage these multiple pathways and you know, whatever gets you in the field, whatever, whatever shines your skill set, do it and go for it. You know, it'll, it'll, it'll, it'll step out.

Jonathan Knepher:
What do you follow some of your, your former teammates, like, where they end up in the, in the industry? Like, do they tend to follow the security path? Do they go security management or, or do they just go into other IT and tech roles?

Josh Brunty:
Everything, everything. We see some that are following into in the leadership roles as early as their late 20s, they're falling into mostly these really highly technical roles early in their career. So they're getting into the very systems engineer side of it. Because they have such high technical skills, they're rarely falling into these management positions. They will, they will. And I see the ones that I talk to, and I talk to a good majority of them, they'll reach out on discord and we'll chat. You know, we have a thread of just alumni that talk. And what I'm seeing out of them is they're going to these larger contractors, they're going to work at the three letters.

Josh Brunty:
They're really embedding into those careers and starting to move up the pathway there. But there's really no like common denominator that I'm seeing because the companies will see a skill and they'll hire for that skill. And you would think, okay, well, you know, there's certain industries that's, that's hiring these people. No, supermarkets are hiring them. Three letters are hiring them. All of these companies that have critical need to protect their infrastructure are hiring these people. So, you know, it's not industry specific. It is, but it isn't.

Josh Brunty:
And what I'm seeing about critical infrastructure, there's a lot behind that. So I say this to anyone that's, that's kind of dabbling into this early on. You know, there's, there's, there's need out there and, and understanding what the industry is asking for. There's no better way to get that than through hands on. So if you can come in and grab on with us and help with coaching, mentorship, whatever the case may be, you're going to learn a lot. I know I have, I learned a ton, ton by being involved with these programs.

Rachael Lyon:
Do you have, I can imagine with the talent that you have coming through the door, are any of these folks starting companies, kind of budding entrepreneurs because they see a need in the market and they're like, you know what? I'm going to throw my hat in the ring and see if I can make this happen. Because their perspective having, I think, been exposed to digital and that world their entire lives, gives them kind of a different wiring sometimes on.

Josh Brunty:
Right.

Rachael Lyon:
You know, what, what the market needs.

Josh Brunty:
Yeah, yeah. A lot of them actually have their own, you know, side hustles that they're doing. You know, they're, they're doing vulnerability assessments or pen tests. You know, they do that in the side. From an ethical perspective. They all do that. And, and I encourage that because that skill, that, that, that helps companies, they, they can, they can help build their infrastructure up and, and, and where some big vulnerabilities might exist in these small to medium businesses, which we've seen, it's not the big firms that are getting, you know, obliterated by the nation states and the threat actors. It's the small to medium size where we're seeing those, you know, critical, I call them critical meltdowns happening.

Josh Brunty:
So it benefits, you know, some of these startups, these young startups, and you know, I always say, like, go after some of these boutique firms to do pen tests or vulnerability assessments on your network and your whole infrastructure in general, and do it frequently. And you might find some areas that might save you tons of money down the line from that investment. So I see our players doing that. I see our players starting up just little niche areas like building capture the flags for schools, building for organizations and big and small. They're working with that. They're building attack and defense platforms that's used in bigger competitions. So they're, they're kind of putting their, their webs out there and you know, being involved in the community, they're speaking at conferences, they're doing all the things you would want a professional to do. And that's a key, you know, getting them to interface.

Josh Brunty:
And yes, they are, they, they're very much out there getting involved at that effort. I think that's awesome myself that, that they're able to go and, you know, provide value even early in their career.

Rachael Lyon:
And I hate to do this everyone, but we're going to pause today's discussion right here and pick back up next week. Thanks for joining us this week and as always, smash that subscription button and we'll see you next week. Until next time, stay safe. 

About Our Guest

Josh Brunty, US Cyber Team Head Coach, US Cyber Games

Dr. Josh Brunty is a Professor of Cyber Forensics & Cybersecurity with a joint appointment in the Department of Criminal Justice, Criminology, and Forensic Sciences and Department of Computer Sciences and Electrical Engineering. He also serves as the Research Lead for the Institute of Cyber Security. Prior to joining Marshall University in 2012, he served 7 years as a Digital Forensics Examiner, Technical Leader, and Technical Assessor for both the state and federal government sectors. He currently serves as Head Coach of the US Cyber Team for the US Cyber Games, leading the US national team in international cybersecurity competitions. Since 2013, he has served as Faculty Advisor and coach of Marshall University’s Collegiate Cyber Defense Competition Team, which won the National Cyber League Championship in 2020. 

He serves on the editorial boards of Forensic Science International: Digital Investigation and the Journal of Forensic Sciences, and is a member of the NIST Organization of Scientific Area Committee (OSAC) on Digital Evidence. He is a Fellow of the Digital and Multimedia Sciences Section of the American Academy of Forensic Sciences (AAFS) and has received multiple awards for teaching and research excellence. His research has been funded by organizations including the United States Secret Service, Department of Homeland Security, and National Institute of Justice. He has published extensively on digital forensics, most notably co-authoring the textbook Social Media Investigation for Law Enforcement and award-winning research on forensic analysis of wearable devices.