John Ahlander, “malicious actors are ready to take advantage of any situation”

When the world is going through global unrest, digital felons see an opportunity to exploit difficult times.

Various threats lurk in the digital space, and no one is immune. A regular Internet user, a small business, a large enterprise – everyone’s a potential target. And if a cyberattack hits, the consequences can vary from financial losses and reputational damage to identity theft.

That’s why cybersecurity solutions exist and should be adopted by virtually every Internet user and organization. While connecting to a virtual private network (VPN) is a traditional protection measure, it might not always be enough, especially for businesses.

For this reason, we invited John Ahlander, the CEO of alphaMountain – a company that provides up-to-date domain and IP intelligence for cybersecurity investigation and protection platforms – to share his opinion regarding proper security measures in the digital world.

Tell us a little bit about your history. What were some of your greatest achievements throughout the years?

My Co-Founder Matthew Wood and I have both worked in the security industry for decades. We first worked together at Blue Coat Systems where he joined via an acquisition of Solera Networks. I led the product teams for our Global Intelligence Network, tracking all web threats and Matt led the Solera product for network forensics. After the Symantec acquisition of Blue Coat, our roles expanded to provide intelligence across the Symantec product line.

After Symantec was purchased by Broadcom, we set out to build a company to support other companies in our industry that don’t have their own internal intelligence data sources. Unlike large companies like Symantec, most companies in the industry buy primary web reputation data from third parties. With our expertise in threat intelligence and experience with AI and machine learning, we had an opportunity to make a difference.

Can you tell us a little bit about what you do? What technology do you use to detect malicious IP addresses?

alphaMountain provides threat intelligence, web reputation, and content classification to help companies determine what is safe or unsafe on the Internet. This data is used either for blocking an Internet access point or investigating potential threats in their log analysis tools.

As an example, if you think about a company like Cisco, Symantec, or McAfee, they provide products to protect your devices from malware or prevent you from accessing a malicious website. Behind that technology, there is threat intelligence data that provides the information to determine what is safe and what is not. This prevents access to malware, phishing, scams, ransomware, malvertising, and other nefarious actions from bad actors. alphaMountain provides this proprietary data for over 1 billion domains and IPs in all geographies and languages.

Another use case is related to a threat investigation. If you are using Cisco SecureX, Splunk, Maltego, Cyware, or any of our other partners to look for suspicious activity in log files and research web requests, alphaMountain provides the SOC analyst an intelligent risk assessment for any given URL. For example, the NFL SOC used alphaMountain data integrated into Cisco SecureX to investigate suspicious activity during the recent Super Bowl.

Machine learning techniques have evolved a lot in the past several years to provide broader coverage in these areas. However, we noticed many legacy solutions hadn’t implemented the latest technologies, so we decided to do it ourselves. Our proprietary technology is based on a continuously trained neural network and voting system that uses thousands of threat factors to identify new and emerging threat vectors.

What type of attacks do cybercriminals usually carry out using malicious domain names?

Whether the bad actor starts with a spear-phishing email or a smishing text message, there will inevitably be a request to a site on the Internet to infect a machine or steal personal and financial information. These are often in the form of an urgent request to fix an issue with your package delivery or your bank transaction… if you’ll just click on the link and enter a bunch of private personal information. Stopping the risk on that initial click is much more effective than trying to stop a threat once it is already on the device. In this way, URL filtering data from alphaMountain can prevent phishing, malware, ransomware, skimmers, cybersquatting, scams, and a myriad of other Internet-based risks.

How did the recent global events affect your field of work?

Whenever there’s any kind of crisis – whether it’s a hurricane, fire, pandemic, or war – we see a large uptick in malicious websites trying to scam people. When Covid-19 hit, there were a huge number of new fraudulent websites collecting money for Covid relief. Similarly, after the war in Ukraine started, we saw another surge in websites for fake charities collecting money for food, supplies, or other forms of disaster relief. In some cases, we saw sites collecting money for Ukrainian refugees that were repurposed on top of what used to be a malicious Covid-19 relief website.

This goes to show that network security never slows down – there are malicious actors ready to take advantage of any situation.

Although there are plenty of security solutions and providers available on the market, certain companies and individuals still hesitate to upgrade their cybersecurity. Why do you think that is the case?

I think it’s usually one of two reasons: either they (1) underestimate just how prevalent these malicious actors are or (2) they underestimate how costly it will be when their security is compromised. Many companies – and even individuals – want to save money wherever possible, and so they don’t always pay for the amount of security they need. But once they’ve experienced a significant breach and understood how much damage these threats can do, they usually decide to invest more in security defenses.

Share with us, what early signs indicate that there might be something malicious lurking in the network?

There is often a spike in requests to risky or unknown sites. Most will see a spike in risky requests, but analyzing the unknown sites will often yield suspicious activity. In other words, “Why is a user’s device repeatedly hitting a site that my security company doesn’t know about?” You either have suspicious activity, or you need a new threat intelligence partner with better coverage.

Are there any lesser-known features that make an organization or a website an attractive target for cybercriminals?

Cybercriminals are in business to make money, just like any other business. Some cybercriminal businesses are targeting a low number of high-value targets (banks, enterprises, governments) where the cost to success is high, but the payoff is tremendous. Some are targeting mass markets (consumers) where the cost to success is low, the individual payoff is relatively low, but the scale is tremendous. In other words, everyone is an attractive target in this risky game, and everyone needs to consider the right internet security protection.

What new threats do you think companies should be ready to tackle in the next few years? What tools should they have in place?

Social engineering, or tricking a user into doing something inadvertently, will continue to be the primary entry point for malicious threats, and the predominant “trick” is to get the user to click on a link. Link inspection is your first line of defense, and having the best threat intelligence and web reputation data to check against is the most cost-effective way to prevent that attack.

Share with us, what’s next for alphaMountain?

We just closed our seed round of funding, so that will enable us to scale up our operations both in development and sales. We are always continually striving to improve our intelligence and the models that produce the data. The threat landscape is constantly evolving and requires new techniques to track shifts and protect against them. In addition to the summary of risk and content from a site, we will soon be allowing customers to utilize the threat factors fed into our models for their own threat response workflow.
