The South African hacker who built a multi-million-dollar security company

Roelof Temmingh is not only an actual hacker, he is an actual serial entrepreneur, although he probably prefers the connotations of the word “hacker” to the term “serial entrepreneur”.

He founded a penetration testing company nearly 25 years ago that has become an incubator for cybersecurity talent in South Africa and is still going strong.

After that, he launched a company where they built one of the world’s most widely used open-source intelligence tools, Maltego. Last year, it secured a $100 million cash injection.

Temmingh exited Maltego in 2017 and has since launched Vortimo, where he develops open-source intelligence tools for online researchers, investigative journalists, and intelligence analysts.

Before striking out on his own, Temmingh worked as a system architect at specialist encryption and network security company Nanoteq.

He had completed his electronic engineering at the University of Pretoria in 1995, joined Nanoteq in 1996, and worked there until February 2000.

On Valentine’s Day of the year 2000, Temmingh launched SensePost from his bedroom with Charl van der Walt, who had quit Nanoteq with him.

They were soon joined by Luc de Graeve, Chris Erasmus, Jaco van Graan, and Haroon Meer, who have all since moved on.

For example, Meer left SensePost in 2010 to launch Thinkst, which develops Canary, one of the most beloved and widely used honeypot systems in the world.

That same year, current Orange Cyberdefense SA managing director Dominic White joined SensePost as chief technology officer.

SensePost was acquired by SecureData, which Orange bought in 2019 to increase its international reach and expertise in cybersecurity. It rebranded to Orange Cyberdefense in 2020.

In a recent talk about how he came to create Maltego and launch the company behind it, Paterva, Temmingh explained that he left SensePost in 2006 because he wanted to pursue this new idea.

“SensePost is a pen-testing company, and I was tired of testing pens,” he joked.

SensePost’s first office in cofounder Roelof Temmingh’s house in Centurion

After developing the first versions of what would become Maltego, Temmingh realised he needed help with the user interface.

He contacted another Nanoteq alumnus, Chris Bohme, who had founded a software consultancy called Pinkmatter Solutions.

Temmingh said he had proposed going 50/50 with Bohme on Paterva.

However, Bohme needed cash flow, so they negotiated a 70/30 deal with Pinkmatter to provide services to Paterva at a discounted rate.

Their third musketeer was Andrew MacPherson, who was an engineer at Paterva until 2018.

By 2008, Paterva was running at an annual loss of $4,000 (which was less than R40,000 back then).

In 2009, they began selling Maltego servers, even though Temmingh said he had no interest in it.

However, rather than simply saying “no” to the client’s request for servers, they decided to say it would be too expensive and set the price at $12,000. To his surprise, the client agreed.

Two years later, they were doing training at the BlackHat conference in Barcelona when they were approached by someone who opened doors for them to Silicon Valley investors.

However, no deal ultimately materialised from that.

“In the end, the reason it didn’t go anywhere was because we were too South African,” Temmingh said.

In 2013, Paterva (and Temmingh) were on top of the world. Everything seemed to be going well for Maltego.

They prepared a massive talk for BlackHat 2013 where they planned to release lots of new features on the same day.

However, the session was a major letdown. Fewer than 100 people were in the audience, and nobody really seemed to care about Maltego’s big announcements.

“I was deflated after that. After BlackHat, I was really low and wanted to get out.”

In hindsight, Temmingh said selling the company was a mistake as it changed the dynamics within the organisation.

“If you want to kill a company, buy it. It’s super disruptive,” he said.

Temmingh only completed his exit in 2017.

Snoopy Maltego showing website info that can be intercepted
A Maltego graph mapping data that was captured during a Wi-Fi snooping attack

They initially sold a 25% stake in Paterva to SecureData UK, the same company that had bought SensePost.

However, when SecureData couldn’t complete the full acquisition in 2016, they sold the company to a German investment fund.

With the money in his pocket, Temmingh took a gap year before launching Vortimo in January 2019.

Speaking to MyBroadband, Temmingh said the idea with Vortimo was to build tools for analysts, researchers, and investigative journalists to help them do their work better and faster.

“Unstructured web pages are hard to work with, and I am lazy and forgetful, so I want tools to help me. It might be useful for others too,” he said.

“I am even less motivated by sales and money after selling out of Maltego.”

Asked what fuelled his interest in open source intelligence (OSINT), Temmingh said he realised at SensePost that he loved building tools.

“Someone said that OSINT is for hackers that can’t hack.”

Temmingh said he was in penetration testing for eight years, and although he believes he was pretty good at it at some point, performing at a really high level requires a lot of work and stress.

“And the work is never done — you just give up,” he said.

“I was explaining footprinting one day, and it dawned on me that the same principles and techniques can also be applied to people, organisations… everything.”

That’s where the idea of Maltego came from.

“In a way it wasn’t really that I was much into OSINT, it kind of just grew to it as I added more Maltego transforms,” Temmingh said.

“Some years later someone said, ‘That’s OSINT’ and I was like ‘oh really?’. It didn’t start off as OSINT. It started off as Maltego.”

When asked whether the information security landscape had turned out the way he expected since founding SensePost in 2000, Temmingh said he could only comment on the security assessment and penetration testing aspects.

“It’s kind of sad for me that people now choose security careers because, you know, money, opportunities, and so on, and not because they really have a combination of sharp tech skills, curiosity, and mischievous energy,” he said.

Temmingh said they never thought about their careers or prospects when they all got into the space.

“We were actually just amazed that people paid us money to break into their networks — it was like we’ve found a loophole in the system!”

He said when you’re not actually that interested in technology, or you don’t have that much curiosity, or you’re just not that mischievous, then it’s harder to do the work.

“But hey — it’s just a job, right?” Temmingh said.

“That growing up, being money motivated, taking ourselves way too seriously, being in it for the wrong reasons… all of that kind of bubbles to the surface,” he continued.

The end result is that, 25 years later, he believes many in the infosec industry have lost their passion.

“But then again — that’s what you’d expect from an old guy mumbling about ‘the good old days,’ right?”

Temmingh said the situation in OSINT is almost the same.

“I was there when the boom started, and we all kind of figured it out as we went along,” he said.

“These days, I don’t see that energy and innovation in that space. If you want the same buzz, you’ll need to look at something new like — I dunno, AI?”

To fuel his desire to keep building OSINT tech, Temmingh said he tests his software in the field with teams of researchers to figure out who is behind various influence operations online.

Temmingh said hacking was always about information and control.

“The thing that moves the needle for me these days is automated influence using technology — at scale,” he said.

“Why do you need to break into someone’s computer if you can get everything about their life online anyhow (information, via OSINT), and use advertising and social media to control what they think about (control, via influence)?”

Asked what the most important lessons were that he’s learned as a founder and entrepreneur, Temmingh listed several.

“Be more blissfully ignorant. If you don’t just jump in every now and again, you won’t try anything new because life is mostly scary when you take a closer look,” he said

“Don’t trust the suits and bean counters. They don’t get measured by how innovatively they think, but rather by how much money they can make.”

Make technology or other things you are passionate about. For Temmingh, that’s making tech that creates results he could not have predicted.

Automate mundane work and drudgery. If you can’t, outsource it and pay enough for someone else to do it, but keep it away from you and your core people,” he continued.

Temmingh also said you should not ask your people to do tasks you’re not willing — or were not willing — to do.

“If you’re not willing to do a lot of marketing and sales, your product or service needs to be amazing,” he said.

“Think: Would you rather spend money on making your product super amazing or on marketing?”

He also had advice regarding listening to feedback and criticism.

“If you ask 100 people what they want to see in a product you’ll get 90 different opinions or features,” he said.

Don’t listen to your customers too much. They don’t know what they want or want different things.”

His parting advice was to remind yourself regularly that luck — factors outside your control — plays a role in your success.

“Of course, the harder you try, the luckier you get.”

ʇǝuɐʅꓒ ǝɥʇ ʞɔɐH

Latest news

Partner Content

Show comments


Share this article
The South African hacker who built a multi-million-dollar security company