Retailistic

Forget Passwords Forever: The Biometric Bombshell Making Your Logins Hacker-Proof

Episode Summary

In this episode of Retaili$tic, Max Kahn and Josh Horwitz delve into the evolving landscape of cybersecurity, entrepreneurship, and the challenges of product-market fit. Josh shares his journey as a serial entrepreneur, discussing his experiences with bootstrapping businesses and the importance of validating product ideas before launching. The discussion also covers the critical issue of credential stuffing in cybersecurity and how innovative solutions can mitigate these risks. As they explore the future of authentication, they highlight the balance between security and user experience, emphasizing the need for adaptive security measures in a rapidly changing digital environment.

Episode Notes

Video version of this episode is here

 

Takeaways

Josh Horwitz is a serial entrepreneur with a focus on cybersecurity.

Bootstrapping businesses can lead to successful exits without external funding.

Product-market fit is crucial for entrepreneurial success.

Validating product ideas through low-cost market testing is essential.

Credential stuffing is a significant threat in cybersecurity.

Innovative solutions can turn attack vectors into defensive strategies.

The future of authentication is moving towards passwordless solutions.

User experience must be balanced with security measures.

Adaptive security is becoming increasingly important in technology.

Understanding customer needs is vital for product development.

 

Chapters

00:00 Introduction to Entrepreneurship and Background

02:42 Bootstrapping and Product-Market Fit

09:29 Cybersecurity Landscape and Credential Stuffing

14:57 The Future of Passwords and Authentication

22:49 Balancing Business Needs with User Experience

Episode Transcription

Philip Moore (00:00)

Welcome to Retaili$tic, the official podcast of Coresight Research for October 7th, 2025. This week, Coresight Research President Max Kahn sits down with serial entrepreneur and cybersecurity expert Josh Horwitz to discuss the future of online security.

 

Max Kahn (00:19)

This is Max Kahn, president of Coresight Research, and I'm so pleased to have Joshua Horwitz with me. Josh is a serial entrepreneur who most recently was the COO and co-founder of Enzoic, which is a cybersecurity company. Before that, he was the president and founder of Boulder Logic, and we're very excited to have him here today. Josh, welcome.

 

Josh Horwitz (00:42)

Thanks, Max. Happy to be here.

 

Max Kahn (00:44)

If you don't mind, Josh, just tell us, I know you've been sort of a serial entrepreneur. Tell us a little bit about your, you know, sort of your background and, you know, what kind of prompted you to go off into the founder world and, you know, and stick with it with a couple of successful exits.

 

Josh Horwitz (01:00)

So Max, my background after finishing my MBA went to work for IBM, big company of course, and sort of felt a calling to be in a smaller company and had always a focus on entrepreneurship. At IBM, I was already sort of starting to think about various ideas and went on to work with some other companies, but had in the back of my mind an idea around customer advocacy. 

So in an enterprise sales process, how do you get your customers to be kind of, you know, support the sales, speak to prospects, give testimonials and case studies, things that were pretty important to the enterprise sales process. And that was really the first idea that I had and started and ran that business for well over a decade and then ended up selling it to one of my competitors. I took a little time off after that and connected with a really strong technology co-founder who already had this nascent idea in the cyber security space. I had a little bit of my own experience working in the space myself and so sort of played off that to partner with him and develop what became Enzoic and worked for that for six years, and recently exited from that. And yeah, both of those businesses were bootstrapped. You know, I really liked the sort of the early stage of business, helping to find a new market and figure out how to get that product market fit. And it's been a fun ride.

 

Max Kahn (02:42)

Yeah, so Josh, I definitely want to look forward to hearing more about the cybersecurity experience that you had with Enzoic. But before we get to that, let's talk maybe a little bit about that founder. There were two things that you talked about that I think people would love to hear more about. First would be bootstrapping. If I remember correctly, I don't think you raised money for either company.

 

Secondly, and we'll get to this in a bit as well, is the idea of product to market fit. Because I think that's always a tricky thing for entrepreneurs. I think a lot of entrepreneurs have a great idea, and they think they've come up with some really cool technology or a cool idea, but they don't always think about whether it actually fits with what the market requires.

 

You know, versus just thinking about it as being a good idea. Maybe that's actually not a bad springboard. You know, tell me a little bit more about how you kind of, you know, work through that product market fit to really make sure that, you know, you had something that people were going to be willing to, you know, to purchase from you.

 

Josh Horwitz (03:44)

Yeah, sure. I mean, bootstrapping side of it is a little bit of a DNA that's just sort of I feel just much more comfortable making sure that I have something that that really works. And before I go out and try to put a lot of gas on the fire and I've been fortunate where I've been able to create products and businesses where

 

you know growth has been generated sufficient for the size of the market. Yeah I probably could you know have gone out and gotten some more gas to do it a little differently but some of that's just a little bit on me in this style I like to approach him. I think the product market fit is a super important aspect of that because it's you know I see too often entrepreneurs who have that idea like you said that they they're super excited about and you know if they're

 

raising money too quickly. They get kind of ahead of the cart a little are anxious to build it all out and then sort of see how the customer likes it. sometimes they do and sometimes they don't. And what I've found is there's a tremendous amount that you can do to really validate what your offering

 

fairly low cost methods of testing the market, and you know that's everything from collecting surveys or doing things, putting sort of pieces out into the marketplace that determine whether there's uptake and interest in it. Really low cost things you can do. You can literally put Google ads against

 

a white paper or something that you might have written and see what the interest is for it and evolve that to other techniques where you're able to see what kind of attention and uptake it draws. And then, of course, talking with customers. And there's just a ton that you can do with really making sure that the product resonates and adapting it based on the feedback that you have.

 

Boulder Logic, had relatively, it was a fortunate one that kind of hit the mark based on what was, what our sort of initial concept was without too much modification to it. The second business in cyber security required some evolution and it's tough, particularly if you're in a sort of a more engineering centric

 

organizations, particularly if it's started with a strong tech founder to focus on, let's get this thing built. But to me, I want to know that it's going to be bought and not just built. so testing that is, I think, a really important piece.

 

Max Kahn (06:28)

What was a good sort of story in the field where you had an aha moment that you had something? You know what I mean? Like some sort of validation either from a customer or a survey, any good anecdotes in terms of one of your discoveries from either company?

 

Josh Horwitz (06:44)

Well, so in the first business, it was still, you know, early stages of Google and relatively easy to get SEO ranking for a fairly specific concept. So I was able to get some of that message out there without even paying for the Google ads. And I had inbound phone calls, frankly, that customers were looking for exactly what was listed there. So it doesn't get much

 

easier than that. And it was, it's a little bit easier than normal. But you know, I still, you know, push back to say, you know, well, let's really talk about what your goals are and, you know, the problem that you're trying to solve. And so there was, you know, it's easy for potential customers to say, yeah, yeah, that's what I want. But you know, I think the important piece is to really

 

Max Kahn (07:13)

It's a little easier than normal, I will say, right?

 

Josh Horwitz (07:37)

you know, try to understand kind of how deep that need is. You know, is the pain acute enough that they're willing to pay for it and so forth. you know, that one was a little bit easier the cyber security side. You know, we had some assumptions about how the buyer would use the technology that we built and they

 

in that case assumed relatively low effort from their developers to consume an API based service. And really what we found, and there were other products that were trying to do it that way, but what we found in more detailed conversations was that in theory that worked, but it was just gonna be too much effort for the organization to secure really their own developers to consume an API.

 

So we had to kind of rejigger the product and the approach to make it something that would be a much more push button based approach. I think that's one of the You've got your cybersecurity department and then you've got the development side of the organization and getting access to internal development was much more difficult than that we might've expected.

 

That was one piece of it. And like I said, we did other things like putting out, I mentioned white papers and advertisements to try to gauge interest run some benchmarking service and other things to understand how they were addressing problems in the area. And it's a lot of work and it's not necessarily the sexy side of let's build a product and get it to market.

 

⁓ But it kind of really lays the foundation to building something that actually is going to be, that the customer is really going to actually pay for.

 

Max Kahn (09:29)

Right. No, absolutely. Yeah, so tell us a little bit more, maybe switching gears just in terms of Enzoic and the cybersecurity market. You know, so what, you know, obviously cybersecurity, there's a broad range of applications, you know, whether it be, but if I, my understanding is with Enzoic, you guys were much more focused on, you know, credentials for, you know, a user as opposed to, you know, security around, let's say the, you know,

 

databases and virtual machines and things like that. Is that right? maybe tell us a little bit about the product.

 

Josh Horwitz (10:02)

Yeah, sure. I mean, it was a very simple product, which was part of what I liked about it. It looked at one of the primary attack vectors, which at the time was credential stuffing. People, you know, it's, and it focuses on, so first of all, I guess I should just briefly explain what credential stuffing is. So hackers are able to look at past data breaches and we all know there's tons of them.

 

and be able to see the username and password that individual users have used. And what is very evident when you start to actually look at large data in that area is the concept of a password, which theoretically has millions of permutations.

 

actually doesn't work out that way in reality. The users tend to choose the same passwords again and again. Not only the same passwords for their own individual accounts, so reuse of this bank account and this brokerage account, but also across users. It's just the...

 

the patterns that they follow are super predictable and that has to do with the fact that people are trying to have a memorable password and it's really hard to remember a complex string of characters, particularly if what you're trying to do is have different ones across each of the services, which is really the best practice. It just happens to be that people don't actually do that. So what attackers were doing were

 

looking at past data breaches, and it didn't matter whether the data breach was a retail site or a banking site or a healthcare site. Once they had access to passwords and usernames, they were able to do credential stuffing. They can say, there's a high probability that this person banks with maybe one of the top five banks, and be able to try those username and password combinations. And more often than not, they worked. So.

 

What we did was kind of turn that attack play into a defensive play and help the organization to restrict basically the user to not use the same passwords that they had used on other sites or even commonly used passwords across other users. And really what that did was sort of force more complexity.

 

into the password creation process. Encourage passphrases, where a password might just be a long string of words that might make it easier for the user to remember, but it kind of breaks that pattern. So while you might be used to seeing a password creation screen say, you don't have enough characters there, or you didn't have an uppercase and a lowercase, this would be,

 

we've seen you use or we've seen others use this password too often, please use something else. And considerable amount to block the concept of dictionary attacks and credential stuffing attacks.

 

Max Kahn (13:04)

So no more password123 exclamation point.

 

Josh Horwitz (13:07)

Exactly. That's top of the list. You got it.

 

Max Kahn (13:09)

Yeah,

 

I know that which is one of the most shocking things in the world that that was, you know, 10 years ago was still so common, you know, was common across so many people, right? Which I would imagine it's not anymore.

 

Josh Horwitz (13:19)

You know, people, like, they assume that it's, you know, the company's responsibility for keeping their site secure. They, you know, may not think about the implications that, you know, this person's going to only be able to get into my, whether it's my retail account for a given site. They may not realize that there's, you know,

 

Max Kahn (13:21)

You'd be surprised.

 

Yeah.

 

Josh Horwitz (13:48)

consequences to them both on that site and others, so it's important for the vendor to make sure that they prevent that from happening.

 

Max Kahn (13:51)

Right. Another tight start.

 

Yeah, well, Josh, when you and I were talking before, we were mentioning how, you know, there's a logical trade off between, you know, complexity of logging in, which is more secure, but, you know, discourages people then to use your website, right? So that, you know, that's a difficult balance. And if you think about the idea that if passwords need to get more and more complex, then that is sort of, you know, and we talk a lot about it at Coresight, the idea that, you know, you want to make it

 

like basically paint by numbers for the client to be able to use your product, right? And logging in is in some ways a part of that. So you're starting to see new ways, right? That of people logging in, right? Passwordless, biometrics, things like that. And, you know, where, you know, I know we're somewhat in early days of that, but at the same time you're starting to see it in more and more places and, you know, just in, in just kind of everyday life, even, you know, where, where do you see, you know, where are we heading with that? You know, and sort of like the

 

passwords and requirement of sophistication of passwords versus biometrics versus passwordless, you know, type solutions. I mean, where's all that heading?

 

Josh Horwitz (15:07)

So, I mean, one of the things that has kept passwords very sticky and hard to kind of completely kill is they're pretty basic. They don't require a particular technology. They're not, you know, hard to use. They can be shared in the cases where sharing is, you know, important. You know, there's cases where it's okay to have multiple people log into the same account.

 

to a degree. And so those things have kept passwords around for a very long time. I think there's, but just the extent of the problem has really forced the industry to push towards these newer technologies. There's a whole bunch of them from different types of adaptive security that looks at different signals to try to determine how likely is it that this user is who they say they are to

 

to places where they force multi-factor, it actually becomes a requirement. So you can't just use your password, you have to use that token that gets, or the code that gets sent to your phone or something like that. And you're right, the trade-off for an organization that's trying to balance convenience for their users with enough friction to keep the bad guys out, but not so much friction that it...

 

causes the user to defect or to walk away from the transaction. So there's some really nice technologies that are coming relatively quickly at this point. Passkeys, you may have seen pop up more and more. And that's a really nice one because it really just takes the user out of the equation. It still gives the concept of a secure kind of secret between the company and the

 

the client, but kind of takes a user generated password, which is the biggest vulnerability, out of the equation and uses an encryption based handshake to allow it. So I think the FIDO Association is saying something around 75% of large retailers are moving actually towards passkeys. There's still going to be limits like I was saying before.

 

Max Kahn (16:56)

you

 

This is the other.

 

Josh Horwitz (17:14)

where it is somewhat platform dependent and different browsers, different devices, different versions of devices may or may not support them as completely. So you're still going to have sort of this long tail of alternate login methods, but strong advice to organizations to move away from the password towards some of these, really taking the user

 

out of the equation and that's really the goal.

 

Max Kahn (17:43)

So is that basically just, does that then increase the reliance on biometrics or is there other, just for people that aren't maybe as familiar with the passkey concept, right? Is it all driven by biometrics or are there other ways that that sort of non-password generated verification can occur?

 

Josh Horwitz (18:00)

So the passkeys tend to rely on biometrics. What's happening is the secret is established between a device and the server. And so that's an encryption, public key, private key type of exchange to allow that. And it relies then on the user's device to

 

do the basic authentication. So that will be the biometrics. And so they kind of go hand in hand. There's other ways of getting the initial authentication to happen on the device, but it puts much more trust between the device, the ability to properly log into the device, and then gives the company a...

 

Max Kahn (18:29)

Right.

 

Josh Horwitz (18:47)

trust that they actually have the authorization to allow that person to access the service.

 

Max Kahn (18:53)

Is there any reluctance? I mean, I know for some people they're totally fine with that, but what level of reluctance is there to biometrics? Do you know what I mean, as a method for that? I know not everyone gets into their iPhone through the face recognition. There still are some holdouts out there.

 

Josh Horwitz (19:15)

Yeah, there are. And so that was kind of, you know, where organizations need to have, you know, a flexible, you know, it would be great if there was just, you know, one authentication method for everybody. That would make it a lot simpler for companies. But, you know, like I said, folks that are holdouts run older technology that might not buy into that or can't use it for some reason.

 

you know, and some disability or other things to prevent that from working. I know that my mother-in-law for some reason, I don't think she even has the face recognition set up, so she's still using thumbprint, and she was a chef, so her fingerprints have kind of gone away, so that doesn't work reliably. So yeah, there's cases where it can't work. But I think the device-based, the native...

 

Max Kahn (19:58)

Thank

 

Josh Horwitz (20:05)

biometrics is solid. It's taken a little bit for that to get kind of established as the norm. There's other systems and places where biometrics, if it's actually held at the company level rather than locally to the device, that introduces a whole other list of security vulnerabilities because at that point, a data breach

 

risks a bad actor getting access to all of that biometric data. And unlike a password, which you can always reset and change to something completely different, you know, I can't really change this face or my fingerprints. It's, you know, that's kind of a more vulnerable piece of identity.

 

Max Kahn (20:31)

Thank you.

 

Are there other, you know, as things are getting more sophisticated, are there alternatives to the biometrics, you know, that get you out of the password game? Or is that kind of the only game in town right now?

 

Josh Horwitz (20:55)

There's all kinds of different flavors of biometrics and new things that you'll see in terms of retina identification and obviously the facial recognition and thumbprint; voice recognition in some cases is there. I think the three sort of core elements of

 

authentication are what you have. So that would be the device, what you know, that might be the secret or other identifying information that you know, and what you are, and that's the biometrics. So all of them tend to fall into kind of one or more of those buckets. And so you can see in more secure environments.

 

You know, just your phone is not sufficient. There needs to be a token that goes alongside of it. But the bottom line is, you know, having multiple layers and figuring out how to impose that friction of multiple layers in a way as convenient as possible. And that's where another concept of adaptive authentication comes into play, where

 

I may only trigger that token based, where it's going to send a code to your phone, if you're logging in in a way that is different than we've normally seen. All of a sudden, you're logging in from a different geography and a different time zone, or things don't match up quite right, where you can step up the level of security based on the information you have. I think that's where

 

more and more data about users and potentially AI comes into play, where they can kind of detect this is a normal pattern, this is an abnormal pattern, rather than maybe strict rules based ways of determining is this a login event that we should be more concerned about or less concerned about, and applying the right amount of friction to match the situation.

 

Max Kahn (22:39)

Right.

 

Right.

 

Similar to how, or part of what you said, similar to how your credit card company might ping you when you, you know, use your card for the first time on vacation in a place you've never been before, type of thing. Just, just bring it, you know, bring it full circle in a sense. You know, the interesting thing about

 

Josh Horwitz (23:01)

Yeah, exactly.

 

Max Kahn (23:07)

what you guys were doing at Enzoic, companies that sort of like, you're a B2B sale, but then introducing a B2C, in other words, a technology that's then used by the end customer. Do you know what I mean? So in other words, you have to get the business to buy from you, but the business has to be comfortable that their B2C customers,

 

Josh Horwitz (23:22)

Yeah.

 

Max Kahn (23:33)

right, are going to embrace or not find it to be an extra impediment to use in the customer journey that they're building for their B2C customers. I would imagine that introduces an extra wrinkle in terms of that validation relative to matching the product to the market need. How do you think about trying to get the, both getting

 

the business that you're selling to on board and also understanding that their end customers are going to be happy with the technology as

 

Josh Horwitz (24:07)

Yeah, well, there's a few different parts of that. I think that ultimately, for the most part, the organization or customer should and does understand their own end users and kind of what level they can choose their own sort of level of friction that they're willing to apply. And so that just means if we're selling to a

 

financial services company, they may have a different attitude about it than a retailer. And a retailer may be willing to endure a certain amount of loss, fraud or otherwise, that to avoid defection of their customers. There's some interesting scenarios is then...

 

there's different opinions within the organization. You know, the fraud team may have a different perspective than the product management team, than the marketing team, et cetera. And so from a cybersecurity vendor perspective, it's a little bit about kind of understanding as quickly as possible,

 

Max Kahn (25:03)

drawer in the market.

 

Josh Horwitz (25:14)

you know, who you're talking to, who are the other, who are the key players, what are, you know, what are their concerns? What is the, you know, what type of friction are they willing to endure? And then potentially adapting the product to that. You know, and so coming out of the gates, you know, we took a based approach that I think the cybersecurity team, the fraud team would

 

have felt was really an effective fraud prevention. But we quickly learned that product or marketing may have different motivations and objectives. So adjusting both messaging as well as the way the product worked to address that. I think that kind of, it goes back to trying to really understand who you're going to sell to

 

early in the development of the company.

 

Max Kahn (26:05)

How much did you find that you needed to get your customer comfortable with how their customer was going to feel about using the technology?

 

Josh Horwitz (26:16)

There's a

 

little bit of client therapy that was in that process to help them understand. But some of it, they had, there were sort of fairly strong opinions that weren't always entirely rational, but were things that...

 

we couldn't sort of educate them out of, you know, concerns that it was just gonna be too hard for them to come up with a password if we didn't let them use the exact same password that everyone else was using or that they had used that we knew was breached on another site. And, or, you know, an over reliance in their mind on multifactor authentication, meaning assuming that a second layer was gonna be solving the

 

Max Kahn (26:48)

Yeah, right.

 

Josh Horwitz (27:04)

solving the problem. But you know, the whole point of multiple factors is that you have two strong methods; just kind of having one sloppy one and having one that you felt more confident about kind of doesn't really do the trick. So, it was more about, you know, providing that therapy when it was appropriate, and also about being good at qualifying opportunities and realizing where, you know,

 

you weren't going to be able to change their mind, or you didn't have enough consensus, or there were other objectors within the organization that would be likely to scuttle it, even if you had a strong sponsor advocate for the concept.

 

Max Kahn (27:47)

Yeah, definitely, you see tech, you know, we work with a lot of technology companies and we do sometimes see that they kind of forget about that extra step, you know, in the sense that it's like, you know, you don't have to just get the, you know, the tech company selling to the retailer, doesn't, it's not, you know, your job isn't only to get them comfortable with your technology. It's also to get them comfortable with the idea that their customers are going to be comfortable.

 

with the technology as well, right? And I think sometimes technology companies, especially earlier stage ones, that's another thing they sometimes forget, right? In addition to trying to build it without actually talking enough to the customer, they sometimes build it and don't, not just talk to the, not talk to the customer enough. Sometimes they do that, but then they also forget to, you know, to talk to the end customer to make sure it's working for the people that are actually going to end up using it when it's technology that touches the consumer. So.

 

With that, we'll leave it there. Thank you so much. This was really interesting and it's fascinating how this is evolving in the marketplace. I personally love the biometric piece myself just because it's just one, I don't love integrating all of my passwords into those password things on my computer. I don't know if that's an irrational fear or not, but.

 

This way I don't now have to worry about it. Instead of having to look up, I use a password generator and save it on an app on my phone. Now I don't have to look it up every time with a bunch of my applications that I use on a regular basis. They're starting to add those biometrics in. I find it a lot easier. I love it. I hope that a lot more companies start to use it. But thank you so much for your time. And this was a great conversation. We appreciate it. And we'll look forward to catching up soon.

 

Josh Horwitz (29:27)

Great, thanks Max, it was a pleasure. Have a good evening.

 

Max Kahn (29:30)

You too, bye bye.

 

Philip Moore (29:31)

Thanks, Max, and thank you for joining us. Coresight Research serves our members with cutting-edge research on the intersection of retail and technology, data resources, real-time consumer trends, and consulting services that create global competitive advantage. Visit us at coresight.com to learn how Coresight Research can support your success. Have a wonderful day, and we'll see you next week.