As the week winds down with the news that Troy Hunt is soliciting bids to sell the Have I Been Pwned (HIBP) service, it seemed inevitable that I would receive a flood of questions from friends and colleagues seeking my thoughts on the headline. As the former CEO of a venture-backed start-up (VeriClouds) solving nearly the same problems that HIBP is trying to solve, fielding questions about HIBP has become a normal part of this business. Competing against "free" is always a fool's game unless and until the conversation is changed from one of free to one of innovation and value creation.

According to Wikipedia, HIBP launched in December 2013 and subsequently reached more than two million subscribers. Troy emerged from obscurity by reporting publicly on data breaches and publicly shaming companies and their customer service representatives when confronted with vulnerabilities such as leaked credentials. 7B breached credentials and 6 years later, it looks as though HIBP will finally enter a new chapter and make progress towards its true calling under the leadership of an established product/technology company.

It is in fact great news!

"Project Svalbard" represents a transformational mindset shift on Troy's part and an acknowledgement that HIBP has a lot more potential than it currently enjoys. Troy's decision to sell HIBP (which he announced here) is great news for Troy, his buyer, and the industry at large. The HIBP service has not only played an important role in educating the industry, and even the Congress of the United States, about the growing risk and frequency of data breaches (transcript of the congressional hearing here); it has also helped end users and organizations better understand that we have all been pwned one way or another, and the cumulative effect that breaches over time have on security.

Troy's Project Svalbard does in fact contain the seeds of exciting potential for the buyer of the HIBP service.
One of the fascinating success stories of HIBP is how Troy has deployed and managed the service on Microsoft Azure in a capital-efficient way, which he explains here. Doing what any Microsoft MVP would do, he developed and documented a scalable web service deployed on Microsoft's Azure cloud computing platform that is instructive not only to start-ups but to large organizations seeking to operate their enterprise computing infrastructure in a cost-effective manner.

Although Troy maintains that he would like the service to remain available for free post-acquisition, there is an enormous amount of IP from the research, operations and press relationships that will have many companies drooling. The free and open-source HIBP will likely continue in its current incarnation while the really valuable IP, along with Troy's Midas touch with research and PR, is parlayed into a commercially viable product.

The devil is in the details

During my time as CEO of VeriClouds I was asked countless times how VeriClouds is better than HIBP. It is a fair question. In fact, very few forward-thinking cybersecurity leaders would be able to identify more than one distinguishing feature of the venture-backed solutions available on the market today. An article published on the U Have Been Pwned website (sponsored by Enzoic, TruGrid and Detack) pointed out that HIBP is missing the one killer feature that sets those sponsors' products apart from HIBP.

The one killer feature, the article says, "that is missing from HIBP is that it doesn't preserve passwords when collecting them from credential leaks and hacker databases." As buyers perform due diligence on HIBP, it will be immediately apparent that without the username and password together, there is no actionable insight that can be delivered at scale. As of the date of this article, HIBP is not the only service that lacks such actionable insights.
Customers of AT&T who use the Mobile Security app (a manifestation of the IP acquired through the AlienVault acquisition) are shown that they have been pwned, but get no guidance on the severity of the risk or, more importantly, on what action needs to be taken, if any at all.

Without the benefit of venture capital or a monetization model other than donations from generous subscribers, it will also be apparent to buyers that the HIBP service has lacked any real, substantial innovation and has thus missed out on other desirable features. In a private conversation I had with Troy in 2018 (it was not under NDA), Troy admitted that he operates the service on a time budget of 4 hours per week, without any help from others. I suspect that any buyer will struggle with this fact, that HIBP's capabilities severely lag the features offered by venture-backed companies, although that can be offset by the real value of the acquisition, which lies in the fact that Troy's talent and reputation are a large part of the deal.

The valuation

Having gone through the due diligence process with buyers for selling a technology company like HIBP, I can appreciate that serious buyers will be forced to look beyond reputation and future potential when establishing a purchase price. Michael Green, CEO of Enzoic (a credential screening and cybersecurity company in Boulder, Colorado) and previously CEO of ID Watchdog, where he turned the company around and had a successful exit to Equifax, explains that "The problem with valuation when considering an acquisition is that it really comes down to revenue and revenue growth, which translates into a multiple of revenues. There might be a golden egg hidden underneath the publicly visible IP, but we have a more difficult challenge in assessing and putting a monetary value on that."

Without revenue to speak of, buyers will not be able to acquire HIBP based on a multiple of revenues.
I suspect that the assets of HIBP may not be the primary consideration at all. Troy's value as a researcher and analyst, his ability to manage global comms for a company, plus maybe the 0.005 of his subscriber base that can be migrated to the buyer's platform, would look more attractive to the buyer than assets or existing revenues.

Any buyer who can convert ½ of one percent of HIBP subscribers at, for the sake of argument, $25,000 on an annual subscription would recognize upwards of $250M in annual recurring revenue. Not bad, but again that is based on speculation.

Who are the buyers?

As previously established, the HIBP service in its current state does not offer actionable insights and therefore cannot offer the same level of protection as modern solutions in the identity threat intelligence space. I have written before, and it is worth stating again, that leading security practitioners assume a state of breach and are now more urgently focused on answering "How at risk are my users and my organization from compromised credentials?"

The recently published NIST (National Institute of Standards and Technology) Digital Identity Guidelines recommend a list of important verification steps when updating the password for a given account. Specifically, verifiers SHALL compare the prospective secret (i.e., the account password) against a list that contains values known to be commonly used, expected, or compromised. While this guideline is open to wide interpretation, from checking password blacklists to checking the actual user's credential for compromise, it generally falls to identity providers, from cloud identity services (e.g., Okta, Amazon AWS, Microsoft Azure) to on-premises identity management solutions from the likes of Oracle, Microsoft, Ping Identity and so forth, to enforce this requirement.
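To make that guideline concrete, here is an added example of the verifier-side check (illustration written for this column, not code from the column, from HIBP, or from any vendor named here). A prospective password is compared against a constructed list of commonly used values and a constructed breach corpus. It goes one step beyond the column's wording in two ways: the password-only lookup uses the range-prefix layout that HIBP's Pwned Passwords API uses, so the caller reveals only the first five characters of the password's SHA-1 hash, and a second index keyed on the username/password pair shows the "credential verification" that the column says HIBP lacks. Every row, username and password in it is invented; a real verifier would query a live corpus.

```python
"""Verifier-side checks for a prospective password, modelled on the NIST
SP 800-63B rule that the secret SHALL be compared against values known to be
commonly used, expected, or compromised.

Added illustration, not code from the column, HIBP, or any vendor it names.
The breach corpus below is constructed inline for the example.
"""
import hashlib
from typing import Dict, Set

# Constructed sample of breached (username, password) rows. Real corpora hold
# billions of rows; these three are invented for the demo.
_CONSTRUCTED_BREACH_ROWS = [
    ("alice@example.com", "password"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "Summer2019!"),
]

# Constructed "commonly used" list, the non-breach half of the guideline.
_CONSTRUCTED_COMMON: Set[str] = {"123456", "qwerty", "password1"}


def _sha1_hex(value: str) -> str:
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def _pair_digest(username: str, password: str) -> str:
    # Credential-pair index stores a hash of the normalised pair, never plaintext.
    normalised = f"{username.strip().lower()}:{password}"
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


# Password-only index keyed by the first 5 hex chars of SHA-1 (the range-prefix
# layout Pwned Passwords uses, so a client never sends its full hash).
_PASSWORD_INDEX: Dict[str, Set[str]] = {}
# Pair index: which exact username/password combinations are in circulation.
_PAIR_INDEX: Set[str] = set()
for _user, _pw in _CONSTRUCTED_BREACH_ROWS:
    _digest = _sha1_hex(_pw)
    _PASSWORD_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])
    _PAIR_INDEX.add(_pair_digest(_user, _pw))


def range_query(prefix: str) -> Set[str]:
    """Server side of a k-anonymity lookup: every stored suffix for a 5-char prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return set(_PASSWORD_INDEX.get(prefix.upper(), ()))


def password_is_compromised(password: str) -> bool:
    """HIBP-style check: has this password appeared in a breach, for any account?"""
    digest = _sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def credential_pair_is_compromised(username: str, password: str) -> bool:
    """Pair check: has THIS username with THIS password leaked? This is the
    actionable signal the column says a password-only corpus cannot give."""
    return _pair_digest(username, password) in _PAIR_INDEX


def evaluate_prospective_password(username: str, password: str) -> dict:
    """Decision a verifier would make at registration, login or password reset."""
    common = password in _CONSTRUCTED_COMMON
    pw_hit = password_is_compromised(password)
    pair_hit = credential_pair_is_compromised(username, password)
    if pair_hit:
        action = "reject and force reset; this exact credential is in circulation"
    elif pw_hit or common:
        action = "reject; choose a different password"
    else:
        action = "accept"
    return {
        "commonly_used": common,
        "password_breached": pw_hit,
        "pair_breached": pair_hit,
        "action": action,
    }


if __name__ == "__main__":
    samples = [
        ("alice@example.com", "password"),          # exact leaked pair
        ("dave@example.com", "password"),           # leaked password, different user
        ("dave@example.com", "qwerty"),             # on the common-values list
        ("dave@example.com", "oVq7-mule-Kestrel-42"),  # clean
    ]
    for user, pw in samples:
        print(user, evaluate_prospective_password(user, pw))
```

The distinction the column draws shows up in the second and first rows of the sample run: the same password is rejected for both users, but only the user whose exact pair is in the corpus gets the stronger "force reset" action, which is the severity and next-step guidance a password-only corpus cannot supply.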
Without the username/password pair preserved for verification during registration, login and password reset, the use of HIBP would tax end-user productivity to the detriment of the user experience.

My intuition tells me that companies focused on risk scoring (those who don't have or need access to users' passwords) will be more interested in what HIBP has to offer than IAM companies. With their recent IPOs, CrowdStrike and Tenable seem more likely buyers, as do CASBs such as Netskope, Skyhigh (McAfee), Bitglass and so forth. Though with Troy's reputation being what it is, I would not be surprised if Shape Security scooped up HIBP to monetize his reputation and his ability to engage the media and shape public perceptions.

The security of identity

Since I started writing this column in 2017, the main objective has been to focus on the security of consumer and end-user identity management. Through that lens, HIBP does not offer enough to enhance the security of identity, because it is missing the killer feature of credential verification. I delved deeper into The Politics of Have I Been Pwned in the hope that cybersecurity leaders can make informed decisions about credential-centric threat intelligence services as a category of cybersecurity.

On the other hand, I wish all the best for Troy and the buyer of HIBP and believe (along with Troy) that there is much more that can be done, and that with HIBP he has only begun to scratch the surface of the possibilities within the identity threat intelligence and fraud prevention arena. Backed by the financial resources of a larger organization, and by a team of engineers and researchers who can collaborate with Troy, I look forward to seeing HIBP re-imagined. I am confident that it will impress us all as we were impressed in 2014 when the service first launched.