On seeing an out-of-band email with the “tcmlabs.com” domain, a client once asked, “What is ‘TCM Labs’?”
To the casual observer, there was a simple business website, some technical posts, and functional email and telephone numbers. In fact, though, it was one of a few different facades we put in place for security evaluations. The website, email, and phone number would serve as thin backstops for social engineering pretexts while the servers involved would serve as a dedicated VPN hub, a staging area for scans and attacks, a platform for data exfiltration and analysis, and so forth. Keeping the efforts separate had advantages in isolating correspondence, data, etc.
Inevitably, the sites were also examples of the technologies and integrations we recommend and deploy for clients. It’s always fun to tell a client “You’re using it right now!” and allow them to log in and take a look for themselves with a “This is how we recommend you deploy” or a “Here are the keys, feel free to take it for a spin!” That led to continually improving infrastructure and security skills, and it also gave us the opportunity to serve as a client’s “shadow IT service”: a safe, dedicated space off the client’s network for prototyping and experimentation.
How about the name?
Well, “TCM Labs” is one of several that we’ve used, but I favored this one a bit, so I kept it. I have a notion of “the corporate monk”; it’s not fully explained in this post, but you’ll get the gist 🙂