The South African hacker who revolutionised cybersecurity around the world
South African hacker Haroon Meer founded Thinkst Applied Research, which revolutionised network intrusion detection with its Canary honeypot tools.
Meer was hired as SensePost’s chief technology officer in 2001, the year after the company was founded. SensePost quickly became one of South Africa’s premier cybersecurity firms.
He worked at SensePost for nine years before leaving to launch Thinkst.
Thinkst didn’t immediately set out to revolutionise how honeypots are deployed in networks. It began by consulting to other companies and tackling cybersecurity problems Meer described as “difficult and interesting”.
On 31 May 2015, they officially launched Canary after working on it for about a year.
“We think it’s insane that organisations that spent millions of dollars on cyber security took months or years to realise that they were breached,” Meer wrote at the time.
“We think Canary fixes this elegantly and manages to do this at a super reasonable price-point. We have spent ages adding features, stripping features and making it a pleasure to use.”
Meer assured that even on complex networks, it takes just 5 minutes to get up and running — with enough time to make a cup of coffee.
What set Canary apart was that the software was open-sourced, allowing anyone to build their own device if they wanted to.
However, for corporate and enterprise deployments where simplicity and excellent support are worth paying for, Thinkst offers Canary appliances and a set of supporting services.
The headline offer on its website is an annual subscription of $7,500 (R135,000) that includes five Canaries, a dedicated hosted console, a Canarytokens server, support, maintenance and upgrades.
Canary was fabulously successful, with Meer revealing in May 2024 that they had hit $19-million (R340 million) annual recurring revenue without accepting any venture capital.
We believe more security-product companies can do this too, by focusing a little more on customer-love.
“To be clear, we’re not anti-VCs. From the beginning, though, we wanted to try bootstrapping,” he said.
Speaking to MyBroadband in a recent email interview, Meer said he got into cybersecurity at university.
“I started working at the University of Natal while I was in my first year of a Computer Science degree. Initially as a lackey in the student labs, then in user support, and eventually in networking,” he said.
“The field was pretty young and the systems team had a bunch of people leave, so I ended up inheriting all the Unix systems and campus firewall — back when those were Solaris, HP-UX, and SCO boxes.”
Meer said he spent many nights on campus working, learning, and hacking all at the same time.
“So security was a natural progression. In 2001, I wrote a scanner for the Unicode bug, and Roelof Temmingh from the newly-formed SensePost did too,” said Meer.
“We got to chatting about it on IRC, and he invited me to come up to meet the team — who were still working out of his spare bedroom.”
Asked what sparked his interest in honeypots, Meer said it was the delay in companies being breached and them discovering the intrusion.
“We spent a long time breaking into companies and networks, and one of the simple truths is that most organisations had no idea we were even there until months later when we delivered the report,” he said.
“Even today, despite companies spending millions of dollars on their security programs, most organisations only find out about their compromises after hundreds of days.”
Meer said they realised that well-deployed honeypots could change that. However, they had to be less painful to deploy and maintain.
“So, we set out to make the easiest-to-deploy honeypot in the world,” he said.
Regarding what he and the company are currently working on, Meer said they are in the middle of a new release, which is keeping much of the company busy.
“We also have a handful of ideas that are still too early to productise, so we will be actively fiddling with them until they are.”
They are also about to hold their annual ThinkstCon, where the whole company gets together for a few days in Cape Town.
“As a company, we are huge on learning new things, inventing new things, and iterating on things to make them better,” Meer said.
“At any given time, it’s a pretty sure bet we will be in one of those three modes.”
Asked what his average day looks like nowadays, Meer said his time is generally widely split.
“I have a handful of one-on-ones with team leaders in the company, which I try to group early in the week, and we mainly use this time to make sure stuff is going in the right direction,” he said.
“I’m still the official product manager on Canary and CanaryTokens, which means the usual product manager stuff, but it also means I get involved on all customer-impacting user experience changes and flows.”
Meer said that although it’s a little unusual considering where he started, UX and product turned out to be one of his favourite parts of the job.
“We have a small research team now, so I’ll spend some time with them trying to be helpful and trying to shape where we focus our effort,” he said.
“I used to read every support and customer-success ticket that passed through us, but these days we have too many customers for that so I pull tickets at random — or based on some fuzzy heuristics — to wade into.”
Meer said that he does get roped in if an issue gets big enough.
“Fortunately, our teams are excellent, so they generally have a pretty good idea of how to solve it by the time I get nudged on Slack.”
Meer said they try and have as few meetings as possible, with most engineers only having one per week.
“But my time can easily fragment more than I’d like, so I try to chunk all of the tasks above into rough groups so I can give them enough focus when I’m on them.”
As a company founder in South Africa’s information security sector, we asked what some of the most important lessons were that he’s learned over the years.
Meer elected to focus on three.
“With tech in general — and infosec in particular — it’s very easy to get distracted by shiny objects,” he said.
“The ability to pick a thing and see it through is crazily under-appreciated in the short term, while being incredibly valuable over the long.”
Secondly, Meer said most people never really know what it’s like to work with someone — or a team — that is world-class.
“This is a real shame because it locks their ambition to a kind of arbitrarily constrained local minima. The Internet allows us to hang out with the best people in almost every field. We should use this to make sure we don’t end up being big fish in small ponds.”
Thirdly, and related to the above, good people really matter — even more than one would expect.
“A common infosec platitude is how it takes a combination of people, process and technology to win,” Meer said.
“I’m pretty convinced that the right people will make the right calls on process and technology, and with the wrong people, all the process and technology in the world won’t help much at all,” he continued.
“More than anything, if you can find great people to work with, you should because they will make you better.”