Some companies follow the rules. Others write their own playbook. In our first brand story with White Knight Labs, we met two security leaders who’ve lived every angle of cyber—from army ops and red teams to startup chaos and real-world breaches. Forget the checkbox test—this is passion, precision, and purpose in the offensive security world.
We’ve been in enough conversations to know when something clicks. This one did — and it did from the very first moment.
In our debut Brand Story with White Knight Labs, we sat down with co-founders John Stigerwalt and Greg Hatcher, and what unfolded was more than a company intro — it was a behind-the-scenes look at what offensive security should be.
John’s journey is the kind that earns your respect quickly: he started at the help desk and worked his way to CISO, before pivoting into red teaming and co-founding WKL. Greg’s path was more unconventional — from orchestral musician to Green Beret to cybersecurity leader. Two very different stories, but a shared philosophy: learn by doing, adapt without a manual, and never take the easy route when something meaningful is on the table.
That mindset now defines how White Knight Labs works with clients. They don’t sell cookie-cutter pen tests. Instead, they ask the right question up front: How does your business make money? Because if you can answer that, you can identify what a real-world attacker would go after. Then they simulate it — not in theory, but in practice.
Their ransomware simulation service is a perfect example. They don’t just show up with a scanner. They emulate modern adversaries using Cobalt Strike, bypassing endpoint defenses with in-house payloads, encrypting and exfiltrating data like it’s just another Tuesday. Most clients fail the test — not because they’re careless, but because most simulations aren’t this real.
And that’s the point.
White Knight Labs isn’t here to help companies check a box. They’re here to expose the gaps and raise the bar — because real threats don’t play fair, and security shouldn’t pretend they do.
What makes them different is what they don’t do. They’re not an all-in-one shop, and they’re proud of that. They won’t touch IR for major breaches — they’ve got partners for that. They only resell hardware and software they’ve personally vetted. That honesty builds credibility. That kind of focus builds trust.
Their training programs are just as intense. Between live DEF CON courses and their online platform, they’re giving both new and experienced professionals a chance to train the way they operate: no shortcuts, no watered-down certs, just hard-earned skills that translate into real-world readiness.
Pass their ODPC certification, and you’ll probably get a call — not because they need to check a hiring box, but because it proves you’re serious. And if you can write loaders that bypass real defenses? You’re speaking their language.
This first conversation with John and Greg reminded us why we started this series in the first place. It’s not just about product features or service offerings — it’s about people who live and breathe what they do, and who bring that passion into every test, every client call, and every training they offer.
We’ve got more stories with them on the way. But if this first one is any sign of what’s to come, we’re in for something special.
⸻
Learn more about White Knight Labs:
Guests:
John Stigerwalt | Founder at White Knight Labs | Red Team Operations Leader | https://www.linkedin.com/in/john-stigerwalt-90a9b4110/
Greg Hatcher | Founder at White Knight Labs | SOF veteran | Red Team | https://www.linkedin.com/in/gregoryhatcher2/
White Knight Labs Website | https://itspm.ag/white-knight-labs-vukr
Resources
Learn more and catch more stories from White Knight Labs on ITSPmagazine: https://www.itspmagazine.com/directory/white-knight-labs
Sean Martin: Marco.
Marco Ciappelli: Sean?
Sean Martin: It’s my favorite time of day.
Marco Ciappelli: Yeah. Pizza time, coffee.
Sean Martin: Always pizza. It’s a little early—even here…
Marco Ciappelli: Come on. You’re gonna tell me there’s a wrong time for pizza in New York? It’s 24/7 there.
Sean Martin: True. But it’s time for a story. And what I love about this time is meeting new people, hearing the passion behind the solutions they bring to market to help organizations protect themselves. These Brand Stories are designed to do just that. Today we’ve got Greg and John from White Knight Labs. Good to see you both.
Greg Hatcher: Thanks for having us.
Marco Ciappelli: Yeah, definitely a great opportunity to learn something new. Coming from branding, I’m always interested in the “why”—why a company does what it does, why people do what they do. Vision and mission are always at the core of what leads to success—and staying human, motivated, and passionate. Looking forward to this.
Sean Martin: And sometimes it creates outcomes you don’t even expect—great side effects for individuals and businesses. So, let’s start with the two folks on the line who’ve been in this space for a while. Who wants to go first?
Greg Hatcher: John just volunteered.
Sean Martin: He did. I saw that.
John Stigerwalt: Yeah, I guess I’m going first. I’ll give a quick background and talk about the company. Greg, feel free to jump in. I’m one of the original founders of White Knight Labs. I started hacking at 17. Back in 2009-2010, pen testing was just starting to take root. Did a bit of college—information security assurance. Learned how to write an email, send a memo. Not much hacking. Realized college degrees in our field don’t mean much, unfortunately.
Started at the bottom. Worked IT help desk at a small bank. Learned Active Directory, got hands-on with servers—Dells, HPs, racked servers. Became a junior admin, then a regular admin, then security lead. That’s when things really picked up. They shipped me out to North Carolina to work with Palo Alto firewalls. I was one of the original TRAPS customers, pre-Cortex branding. I got hands-on with the original kernel driver—super cool stuff.
Eventually became a CISO for a bank with nine locations, two in India. I handled compliance—FedRAMP, SOC 2, PCI, ISO, VA—you name it. Burned out quick. Took a pay cut to become a pen tester. At that point, I had my OSCP, OSCE, and a bunch of other certs. Did two years of assembly, wrote shellcode, did kernel-level stuff for Windows 7 and 10.
Joined VDA Labs. Small shop in Grand Rapids. Worked with Dr. Jared. Did red teaming, EDR bypasses, physical operations, worked with Microsoft. That’s where I met Greg—we became friends, worked jobs together.
Later I ran the U.S. Red Team for a Fortune 500 company. We were 16 people, everything word-of-mouth. Tested networks with 100,000+ endpoints. Insanity. I tested two Fortune 10s globally in 2019 and 2020. Then we started WKL—based on all that prior experience, good and bad.
We’re not a “pen test puppy.” We strive for the gold standard—senior and principal engineers only. Team of 37 today, covering all of offensive security. No IR, no compliance. Just pen testing and training.
Sean Martin: I want to pause there—because while we can laugh at compliance, I’m curious how that connects with your deep networking and coding experience. You’ve been on both sides—how does that inform what you bring to the table for businesses?
John Stigerwalt: Great question. I’ve sat in their shoes—CISO, IT manager. I know what it feels like to be on the other end. So when I make a recommendation, I understand they might not have the budget or resources to implement it. That experience makes me a better tester. I understand business logic flaws, not just technical ones.
Marco Ciappelli: I’d love to hear Greg’s story too. Jump in, Greg.
Greg Hatcher: Sure. I found tech later than John. Graduated from Grand Valley State in 2009—liberal arts. I was an orchestral musician, played rugby, studied political science. Then I joined Army Special Operations. I went through the 18X program to become a Green Beret. Spent two years in the qualification course—small unit tactics, language school (Modern Standard Arabic), SERE school. My role was communications: routing, switching, VoIP, crypto, all that. I got thrown into the fire—had to make gear work with no manuals.
I deployed four times. When I left in 2017, my first daughter was born that same week. I was a stay-at-home dad for nine months. She slept a lot—I labbed five to six hours a day. Did SANS VetSuccess, got three certs.
Then I joined VDA Labs. Jared gave me a shot. I did mobile testing, kernel work, EDR bypasses for Cylance. Learned a ton. In 2020, I moved to SixGen as a federal contractor, working with CISA on penetration tests for municipalities. Also contracted for NSA. Learned just how squishy U.S. critical infrastructure is—EternalBlue still out there.
In 2021, I joined WKL with John. I brought in culture from Army Special Forces—specialists going deep in one area. That’s how we structure WKL: embedded team just does embedded, red team just does red. No generalists doing everything.
Sean Martin: And how does that experience shape client engagements? How do you scope things?
Greg Hatcher: No cookie-cutter packages. We start by asking how the business makes money. That tells us what attackers will go after. We tailor every engagement—whether it’s a healthcare org or FinTech startup. Red team, pen test, physical ops—it’s all scoped custom.
Marco Ciappelli: That fits my style too. Manuals come last. Especially in cybersecurity, there’s no one-size-fits-all.
John Stigerwalt: Right. We explain everything clearly—tools, rules of engagement, playbooks. About 20% is automated—scanning, info gathering. The rest is manual. We have playbooks but encourage creativity. Clients that just want a checkbox? We still give them a solid test. We meet them where they are.
Greg Hatcher: A lot of our work comes from partners—MSPs, IT firms that bring us in. We’re the tip of the spear, but we charge a normal rate. Some big firms charge crazy day rates—we don’t.
Sean Martin: I want to touch on the actual pen tests. No surprise you do network testing.
John Stigerwalt: Yep, network testing.
Sean Martin: But also mobile apps, web apps?
Greg Hatcher: Absolutely. About half our work is app sec—mobile, web, API testing.
Sean Martin: When we look at those apps, data moves over networks, right? You mentioned data storage and configuration. Do you dig into that too?
Greg Hatcher: Yeah, we’ve done Cloudflare config reviews. For example—can I bypass Cloudflare and hit the origin IP directly? That’s a worst-case misconfiguration. We’ve seen it. We’ve also tested global-scale file transfer systems like GlobalScape and ShareFile.
Sean Martin: Are there common gaps you run into—things orgs think are locked down, but really aren’t?
Greg Hatcher: You wouldn’t believe how many clients think being on Azure or GCP automatically means they’re secure. That’s like saying Active Directory is secure by default because Microsoft made it. These platforms need hardening. They don’t come locked down.
John Stigerwalt: We created a service a few years ago that’s become one of our most popular—our Ransomware Simulation. But not like others. Ours is unique. We’ll run a Cobalt Strike beacon, bypass every EDR out there—we’ve got the bypasses on the shelf. We’ll set up a dummy file share and simulate a real attack: encrypt and exfiltrate data without being caught.
Most clients fail. Only one has passed recently. We make it look like legit Microsoft traffic. We even test their data loss prevention tools on the way out.
Greg Hatcher: It’s a low-cost way to test EDR, network security, and monitoring. And it often opens the door to longer-term relationships.
Marco Ciappelli: So let’s talk services: Pen testing, attack simulation, security assessments. I see incident response too?
Greg Hatcher: We don’t do large IR anymore. We’ve got families. Every IR seems to hit Friday at 5 PM. We have partners for that. We’ll take small cases—a compromised endpoint or web app issue—but not major breaches.
John Stigerwalt: Yeah, and we pass IR leads to our trusted partners. We focus on what we’re built for. We’ve got a partner for nearly every service we don’t offer—compliance, software, hardware resell, all of it.
Greg Hatcher: We only resell what we’ve personally tested. If it’s junk, we won’t touch it. SentinelOne is one we believe in—solid product. We reached out to them after they gave us a tough time on an engagement.
John Stigerwalt: Some EDRs... we’ve gotten cease and desist letters from. They treat us like state actors. But it proves we’re doing something right.
Sean Martin: It all comes back to the goal: helping organizations operate securely. So once you expose a weakness, how do you help them actually improve?
Greg Hatcher: We offer that fine-touch help. One example—we worked with a FinTech firm that accidentally hired a strawman developer for a crime group. No background check. The guy vanished when caught. We had to assess their source code, CI/CD pipeline, infrastructure—find all the persistence mechanisms. We cleaned them up and gave them peace of mind.
John Stigerwalt: I always include general recommendations in reports. Stuff like: turn on Defender’s ASR rules, use LAPS 2.0, enable AppLocker alternatives like WDAC. It’s all free—just needs implementation. Sometimes they’ve got the tools, they just don’t know it.
Marco Ciappelli: You don’t sell yourself as the Acme company that does it all. You know your lane and bring in trusted partners when needed. That builds trust.
Sean Martin: Let’s shift to training. You offer public, private, on-demand. DEF CON sessions, right?
Greg Hatcher: Yes, three courses this year at DEF CON: Advanced Red Team Ops (ARTO), Offensive Development Practitioner Course (ODPC), and the new CI/CD course (ASCPC). We also teach quarterly remote sessions and do custom private training. One recent private course was customized for a red team’s cloud stack.
Sean Martin: Who’s taking these trainings?
Greg Hatcher: Everyone—from aspiring red teamers to pros. We’ve also got on-demand courses at training.whiteknightlabs.com. Students get video, labs, and a VM via Terraform. The ODPC exam is hard. If you pass, you can write real-world EDR bypass loaders.
John Stigerwalt: I built that exam. It’s tough for a reason. We want people to earn it. If someone passes ODPC, I’ll interview them personally.
Greg Hatcher: We’ve also got a GoLang malware course launching on CoreStack LMS. $50 for the bundle—programming + malware dev in one. VM built into the LMS. We’re also working on a web app bug-hunting course—think OSWE but way broader.
Sean Martin: Amazing. We’ll include the 30% training discount in the show notes—code is ITSP30. And a link to all your training and your brand page on ITSPmagazine.
Marco Ciappelli: This was a full download of experience and passion. Looking forward to more conversations, case studies, and use cases.
Sean Martin: Thanks, John and Greg. And to everyone listening—check out White Knight Labs. We’ll see you on the next Brand Story.
Greg Hatcher: Thanks, Sean and Marco.
John Stigerwalt: Thanks.