WEBVTT - A Conversation With Matt Muller From Tines 0:00:00.880 --> 0:00:05.040 Unsupervised Learning is a podcast about trends and ideas in cybersecurity, 0:00:05.080 --> 0:00:09.960 national security, AI, technology and society, and how best to 0:00:10.000 --> 0:00:12.640 upgrade ourselves to be ready for what's coming. 0:00:17.120 --> 0:00:20.640 All right, welcome to Unsupervised Learning. This is Daniel Miessler, 0:00:20.640 --> 0:00:23.640 and I'm happy to have Matt Mueller here from tines. 0:00:24.280 --> 0:00:25.600 It's a pleasure to be here Daniel. 0:00:26.200 --> 0:00:29.280 Awesome. Yeah. Looking forward to this conversation. Um, I've heard 0:00:29.280 --> 0:00:32.920 so much about the company and, uh, happy to hear 0:00:32.920 --> 0:00:36.040 more about, uh, what it's actually about what problem you're 0:00:36.040 --> 0:00:40.440 trying to solve. Um, I really like to start there with, uh, 0:00:40.440 --> 0:00:44.199 the problem. What do you see as being the problem around, 0:00:44.240 --> 0:00:47.479 I would say security in general, but also, how are 0:00:47.479 --> 0:00:51.840 security problems being magnified by AI stuff? 0:00:52.720 --> 0:00:55.560 Yeah. So I'll maybe start with the original problem, uh, 0:00:55.560 --> 0:00:58.480 that our founders were trying to solve. They, uh, were 0:00:58.480 --> 0:01:02.300 security operations Professionals who had, you know, done security work 0:01:02.340 --> 0:01:05.100 at companies like DocuSign and at eBay and some other 0:01:05.100 --> 0:01:12.700 large places. And they were extraordinarily frustrated by the just 0:01:12.740 --> 0:01:17.180 a sheer amount of manual labor involved in actually responding 0:01:17.220 --> 0:01:19.740 to security incidents. Right. Like if you think about what 0:01:19.780 --> 0:01:24.500 a traditional security operations center or SOC does, they receive 0:01:24.500 --> 0:01:26.940 an alert. They have to go research that alert in 0:01:26.940 --> 0:01:30.060 a whole bunch of different places. Uh, and, you know, 0:01:30.100 --> 0:01:33.140 take a number of manual steps just to decide if 0:01:33.140 --> 0:01:35.060 that's a true positive, right. They have to do work 0:01:35.060 --> 0:01:37.419 just to decide if they have to do work. Um, 0:01:37.459 --> 0:01:40.259 which is an enormously frustrating place to be. And so 0:01:40.300 --> 0:01:43.300 they were looking out on the market for some kind 0:01:43.300 --> 0:01:45.940 of automation tool, uh, that could help them ease that 0:01:45.940 --> 0:01:49.380 burden and not seeing one that they wanted. They ended 0:01:49.380 --> 0:01:52.620 up building Tynes. Uh, and, you know, starting out sort 0:01:52.620 --> 0:01:55.420 of first and foremost as this tool to solve a 0:01:55.420 --> 0:01:59.060 lot of the SoC, uh, problems around, you know, inefficient, uh, 0:01:59.060 --> 0:02:01.880 you know, alert management and, you know, burnout and all 0:02:01.880 --> 0:02:05.640 those sorts of things. And what we've discovered over time, 0:02:05.640 --> 0:02:08.320 which I think has been really cool, is that the 0:02:08.320 --> 0:02:13.360 SOC is not the only team in cybersecurity that needs automation, right? 0:02:13.400 --> 0:02:17.680 Turns out there's inefficiencies everywhere. Um, another really fascinating thing 0:02:17.680 --> 0:02:22.880 that we've that we've learned over the years, uh, is that, uh, 0:02:22.880 --> 0:02:25.480 automation is actually a lot easier than I think a 0:02:25.480 --> 0:02:27.040 lot of people give it credit. Right? Like a lot 0:02:27.040 --> 0:02:31.680 of traditional automation tools, required learning Python, learning coding languages, 0:02:31.680 --> 0:02:34.920 having very, very deep systems knowledge in order to be 0:02:34.960 --> 0:02:37.600 able to get automation done. Um, and so with the 0:02:37.600 --> 0:02:40.560 rise of AI, what we're seeing is, you know, people 0:02:40.560 --> 0:02:42.760 that have automation ideas, right? Like, I think if you 0:02:42.760 --> 0:02:45.120 ask almost anyone, they have ideas about how they can 0:02:45.120 --> 0:02:48.520 make their job easier, right? They just haven't in the 0:02:48.520 --> 0:02:52.280 past necessarily been able to express that. Um, and now with, 0:02:52.280 --> 0:02:55.440 with tools like, I like no code. Uh, no code. 0:02:55.440 --> 0:02:58.280 Workflow builders, these folks are able to, you know, build 0:02:58.280 --> 0:03:01.810 those automations like like they haven't before. Um, so, yeah, 0:03:01.810 --> 0:03:03.970 I would say the pain point that that Tignes has 0:03:03.970 --> 0:03:06.730 been trying to solve is, you know, everybody who has 0:03:06.730 --> 0:03:09.210 ever had to, you know, push a file from point 0:03:09.250 --> 0:03:12.650 A to point B manually has a pain that Tignes is, 0:03:12.690 --> 0:03:13.690 is trying to solve. 0:03:14.290 --> 0:03:18.050 Yeah. Interesting. Yeah. One way I've been thinking about this 0:03:18.050 --> 0:03:21.929 is like, what would you do with five times more staff? 0:03:22.770 --> 0:03:23.330 Right. 0:03:23.370 --> 0:03:26.690 Right. So it's like we know what we want to do. 0:03:26.730 --> 0:03:29.889 We're constrained by how many eyes and hands that we 0:03:29.889 --> 0:03:35.089 actually have and brains. Right? So I mean, all these 0:03:35.090 --> 0:03:38.930 things could be done manually. The question is, you know, 0:03:38.970 --> 0:03:40.970 do you have the people to do it? Do you 0:03:40.970 --> 0:03:44.330 have the people to create the automations to do it? 0:03:44.850 --> 0:03:47.610 And it just seems like, um, I'm a big fan 0:03:47.610 --> 0:03:51.290 of Theory of Constraints, and the constraint is usually people 0:03:51.290 --> 0:03:54.370 in time that they have to focus on these problems. 0:03:55.050 --> 0:03:57.330 Absolutely. And I think, you know, one of the things 0:03:57.330 --> 0:03:59.550 that we're also learning as well. And this is where 0:03:59.870 --> 0:04:02.670 AI has been such a such a fascinating new addition 0:04:02.830 --> 0:04:06.990 is that it's constraint around, uh, knowledge as well. And like, 0:04:07.150 --> 0:04:10.270 even if you have, uh, all the people that you want, 0:04:10.470 --> 0:04:13.990 security teams have just such a fractured ecosystem that they're 0:04:13.990 --> 0:04:17.190 responsible for protecting, and it's virtually impossible to become an 0:04:17.190 --> 0:04:20.630 expert in every single system that you're responsible for. Right? 0:04:20.670 --> 0:04:23.550 And so, you know, again, what we see is, you know, 0:04:23.589 --> 0:04:25.950 these these people that are experts, they free up all 0:04:25.950 --> 0:04:28.950 this time. Great. Maybe I know exactly what I want 0:04:28.950 --> 0:04:31.550 to do in AWS, but we just acquired a company 0:04:31.550 --> 0:04:34.750 that has a GCP environment. Um, and now I have 0:04:34.750 --> 0:04:37.230 to learn an entirely new, different cloud provider. Right. And 0:04:37.230 --> 0:04:39.430 I'm just not going to be as good in that. Yeah. Um, 0:04:40.029 --> 0:04:42.349 and that's where I think AI tooling has been really, 0:04:42.350 --> 0:04:46.630 really helpful, uh, to make that context switching less of 0:04:46.630 --> 0:04:48.150 a cognitive load for people. 0:04:48.630 --> 0:04:53.270 Mhm. Yeah. One thing I'm worried about is this addition 0:04:53.270 --> 0:04:55.830 of staff to uh attacker teams. 0:04:56.230 --> 0:04:56.590 Mhm. 0:04:56.630 --> 0:04:59.170 Right. So if you have an entire team, let's say 0:04:59.170 --> 0:05:02.490 it's 100 people. And five of the people are like really, 0:05:02.490 --> 0:05:06.570 really good and really dangerous. What happens when AI tooling 0:05:06.570 --> 0:05:10.250 or automation or agents or whatever it is turns that 0:05:10.250 --> 0:05:14.450 into like 30 or 50 of the best people and 0:05:14.450 --> 0:05:19.289 it turns the other like 80 into like 800. And 0:05:19.290 --> 0:05:21.730 this is what I think the agents are actually going 0:05:21.730 --> 0:05:26.650 to do for both us as defenders, but more importantly, attackers. 0:05:27.089 --> 0:05:29.370 So the time that it would have taken them to 0:05:29.410 --> 0:05:34.890 find our mistake goes from like days or hours to 0:05:34.930 --> 0:05:39.250 like maybe minutes. And so we have to be doing 0:05:39.250 --> 0:05:41.529 something on the defense side to counter that. 0:05:42.690 --> 0:05:47.810 Absolutely. And for me, it's it's been interesting watching how 0:05:47.810 --> 0:05:52.410 attackers have been thinking about AI. Um, Sophos actually just 0:05:52.410 --> 0:05:56.170 published a report recently with some analysis around how attackers 0:05:56.170 --> 0:05:58.390 are using AI. And if you look back a couple 0:05:58.430 --> 0:06:01.589 of years, there were a lot of headlines that I think, uh, 0:06:01.589 --> 0:06:02.950 you know, they were valid at the time, right? We 0:06:02.950 --> 0:06:05.909 just didn't know what generative AI was, was truly capable of. 0:06:06.070 --> 0:06:07.790 And so there was a lot of concern that I 0:06:07.830 --> 0:06:12.029 was going to invent all these brand new kinds of attacks. 0:06:12.310 --> 0:06:15.790 And that really hasn't happened. Right. Instead, what we're seeing 0:06:15.790 --> 0:06:20.150 is attackers are using AI much the same way defenders are. Hey, 0:06:20.150 --> 0:06:24.510 make my email sound a little better, right? Um, you know, uh, 0:06:24.790 --> 0:06:28.469 make my phishing page, uh, you know, generate 14 different 0:06:28.470 --> 0:06:31.750 varieties of landing page for me. Um, and so where 0:06:31.750 --> 0:06:34.109 we're seeing attackers start to use AI a lot more 0:06:34.110 --> 0:06:38.430 to your point, is increasing their velocity, right? Um, and 0:06:38.430 --> 0:06:42.070 so to my mind, you know, again, as defenders, you know, 0:06:42.110 --> 0:06:44.109 there's only so much time and attention that you can 0:06:44.150 --> 0:06:47.190 that you can afford to put into problems. Um, let's 0:06:47.190 --> 0:06:49.549 not worry about, you know, types of attacks that haven't 0:06:49.550 --> 0:06:52.630 been invented yet, right? Let's worry about the ones that 0:06:52.630 --> 0:06:55.750 are occurring today and how those are evolving. Um, you know, 0:06:55.850 --> 0:07:00.410 our our security teams, uh, can really build defenses against 0:07:00.410 --> 0:07:03.770 attacks that don't exist yet. Um, but we can sort 0:07:03.770 --> 0:07:07.530 of see how those attacks are becoming faster. Right? How, uh, 0:07:07.650 --> 0:07:11.690 the the, you know, the translations are becoming better and better. Uh, 0:07:11.690 --> 0:07:14.490 and so the bar for fooling our employees is, is 0:07:14.530 --> 0:07:17.210 getting lower. Um, it means we need to be able 0:07:17.210 --> 0:07:20.530 to react faster. Uh, we need to be able to react, uh, 0:07:20.570 --> 0:07:23.570 in a more, uh, you know, we need to be 0:07:23.570 --> 0:07:25.570 able to adapt a little bit better, right? Like, we 0:07:25.570 --> 0:07:30.250 can't just apply rigid playbooks to every single security scenario. Um, 0:07:30.450 --> 0:07:32.650 and so, you know, to me, it's a little bit 0:07:32.650 --> 0:07:36.010 of an AI arms race. Um, and, you know, I 0:07:36.010 --> 0:07:39.450 think for us as, as defenders, in my view, applying 0:07:39.490 --> 0:07:42.489 AI in the places where attackers are also applying it, 0:07:42.490 --> 0:07:44.650 that seems to make, you know, make the most sense, 0:07:44.650 --> 0:07:47.050 at least today, right, with today's models. And that that 0:07:47.050 --> 0:07:50.050 answer could change in, you know, three days, right, when 0:07:50.050 --> 0:07:53.250 some new foundation model gets released that, uh, that changes 0:07:53.250 --> 0:07:54.970 the game. But at least with today's models, I think 0:07:55.100 --> 0:07:58.140 that's that's where I sort of see things evolving right now. 0:07:58.180 --> 0:08:01.340 Yeah. I really love this point that you're making because 0:08:02.100 --> 0:08:08.340 the the reality is and it actually goes to pre 0:08:08.340 --> 0:08:10.060 AI as well. It's like, are you going to hire 0:08:10.060 --> 0:08:13.060 this super hacker person who's going to like all these 0:08:13.060 --> 0:08:17.220 new techniques and new ideas and advanced attacks and like 0:08:17.700 --> 0:08:19.860 the day to day job of like a CISO or 0:08:19.860 --> 0:08:22.900 the day to day job of a defender is so 0:08:23.020 --> 0:08:27.739 nuts and bolts, it's like we okay, is a log 0:08:27.780 --> 0:08:30.460 being generated for step one. 0:08:30.740 --> 0:08:31.020 Right? 0:08:31.060 --> 0:08:33.220 Can we even like if you take like a bunch 0:08:33.220 --> 0:08:37.060 of minor attacks, can we even know if this attack 0:08:37.059 --> 0:08:39.900 is being waged against us? Do we have any sort 0:08:39.900 --> 0:08:43.540 of detection capability? Right. That's one question. And then the 0:08:43.540 --> 0:08:48.420 question is like, is that log going anywhere where someone 0:08:48.420 --> 0:08:51.380 could potentially see it, a system or a person or 0:08:51.380 --> 0:08:55.040 anything like that? Okay. That's cool. That's a nice second level. 0:08:55.080 --> 0:08:59.520 Is anyone actually looking at it? Okay, that's three. And 0:08:59.520 --> 0:09:02.000 three doesn't even guarantee what you need. Which is are 0:09:02.000 --> 0:09:05.120 they going to do something about it. And like these 0:09:05.120 --> 0:09:08.840 basic workflows are like everything. And if you look at 0:09:08.880 --> 0:09:13.120 like a ciso's job, it's managing the budget. It's managing 0:09:13.120 --> 0:09:18.679 this basic workflow of like logs and processing and, you know, uh, 0:09:18.679 --> 0:09:22.960 workflows coming through the security operations. Um, and it's politics 0:09:22.960 --> 0:09:26.520 and stuff like that. And it's like, it's not hacker movies. 0:09:26.520 --> 0:09:29.280 It's really just these fundamentals that we have to do 0:09:29.280 --> 0:09:34.000 more consistently and at scale. Um, so I really like 0:09:34.000 --> 0:09:36.800 that point. What do you see as like the, the 0:09:36.800 --> 0:09:39.000 biggest challenges for CISOs right now? 0:09:40.000 --> 0:09:42.199 Yeah, I mean, for CISOs right now, I think there 0:09:42.200 --> 0:09:44.559 are there are two halves to the challenge. The first 0:09:44.559 --> 0:09:49.160 is securing AI for their enterprises. Uh, and the second 0:09:49.160 --> 0:09:52.920 one is how to apply AI for security. Um, you know, 0:09:52.960 --> 0:09:56.180 if you look at the first problem, um, it's been 0:09:56.179 --> 0:09:59.579 really interesting to see the CISO role evolve from sort 0:09:59.580 --> 0:10:04.020 of a self-acknowledged the team of no, uh, to, you know, 0:10:04.059 --> 0:10:08.819 really trying to enable the business. Um, we definitely saw, 0:10:08.860 --> 0:10:11.820 you know, when when, you know, for like ChatGPT first launched, 0:10:11.820 --> 0:10:15.660 for example, there was some team of no, uh, mentality there, right? 0:10:15.700 --> 0:10:19.660 And what happened? Every single employee just worked around the 0:10:19.660 --> 0:10:22.460 constraints that the security team tried to throw up. Um, 0:10:22.700 --> 0:10:25.179 and so now what we see are CISOs starting to, 0:10:25.220 --> 0:10:27.500 you know, I think the CISOs that are that I 0:10:27.500 --> 0:10:30.980 see that are least stressed about AI are the ones 0:10:30.980 --> 0:10:35.260 that have, you know, started to adopt frameworks around usage, right? Helping, 0:10:35.300 --> 0:10:39.939 you know, not just setting barriers for their organization, um, 0:10:39.940 --> 0:10:42.420 but working with them to understand, like, hey, what are 0:10:42.420 --> 0:10:44.860 the risks that we're taking on, right? And like, honestly, 0:10:44.860 --> 0:10:49.300 even just showing where AI doesn't necessarily succeed as well today. Right? 0:10:49.340 --> 0:10:51.820 It's not saying no, you can't use it. It's actually 0:10:51.820 --> 0:10:56.000 working to demonstrate. Okay, this use case seems interesting, but 0:10:56.000 --> 0:10:58.520 may not actually be the most helpful output, right? We're actually, 0:10:58.559 --> 0:11:00.840 you know, if we have a chatbot, can it be 0:11:00.840 --> 0:11:05.520 fooled into giving away free airline tickets, for example? Right. Um, yeah. Uh, 0:11:05.520 --> 0:11:08.920 and will that be held up in court? Answer is yes. Uh, so, 0:11:08.960 --> 0:11:10.760 you know, I think when it comes to securing AI 0:11:10.880 --> 0:11:15.240 for the business, um, you know, it's it's been actually 0:11:15.240 --> 0:11:18.200 almost a little bit refreshing to see CISOs adapting more quickly, 0:11:18.200 --> 0:11:21.200 I think, than they have to to other technology stacks. Um, 0:11:21.920 --> 0:11:23.559 and sort of saying like, hey, this is our this 0:11:23.559 --> 0:11:27.120 is our next big frontier chance to serve as a 0:11:27.120 --> 0:11:29.800 trusted advisor to the business, right? Like, we can reset 0:11:29.840 --> 0:11:31.800 a little bit on, on some of the other, you know, 0:11:31.800 --> 0:11:34.400 technology shifts and and just say like, right, we're we're 0:11:34.440 --> 0:11:38.120 now helping the business, uh, and helping the business understand 0:11:38.240 --> 0:11:41.360 what and when and where it wants to take on risk. Um, 0:11:41.960 --> 0:11:45.200 when it comes to applying security within or applying AI 0:11:45.240 --> 0:11:49.400 within the security organization. That's where I think there's going 0:11:49.400 --> 0:11:51.680 to be a very interesting balance. One of the things 0:11:51.679 --> 0:11:53.940 that we're starting to hear now is that boards are 0:11:53.940 --> 0:11:57.820 mandating that teams within an organization figure out how to 0:11:57.860 --> 0:12:03.900 use AI. And, you know, when it comes to cybersecurity defense, 0:12:04.100 --> 0:12:08.059 AI is useful for a lot of different scenarios, but 0:12:08.059 --> 0:12:10.900 not necessarily every scenario. Right. You have to balance the 0:12:10.900 --> 0:12:12.780 fact it's, you know, I sort of, you know, if 0:12:12.780 --> 0:12:14.820 you're if you're building the plane while flying it, you 0:12:14.820 --> 0:12:17.219 have to make sure a wing doesn't fall off when 0:12:17.220 --> 0:12:19.820 you're adding, adding a different technology. Right. And so I 0:12:19.820 --> 0:12:23.540 think for CISOs who are, who are adapting AI for 0:12:23.540 --> 0:12:26.580 cybersecurity defense, I think that's going to be a really 0:12:26.820 --> 0:12:29.460 interesting sort of balance to strike of saying, yes, we 0:12:29.460 --> 0:12:31.740 need to go experiment with AI. We need to go 0:12:31.740 --> 0:12:34.260 figure out where it's useful for us, but also recognize 0:12:34.260 --> 0:12:38.100 that the consequences if you know, if AI fails for defense, 0:12:38.500 --> 0:12:41.620 it may be a little higher stakes, right? Because now 0:12:41.620 --> 0:12:44.420 we're talking about actual like, you know, data protection, right. 0:12:44.460 --> 0:12:47.579 And potential data breach issues. Um, and so I do 0:12:47.580 --> 0:12:50.620 think that CISOs have their work cut out for them, uh, 0:12:50.620 --> 0:12:53.390 you know, in that regard, uh, when they when they 0:12:53.429 --> 0:12:55.630 have to go be the ones that are applying and 0:12:55.670 --> 0:12:58.350 using AI versus setting guidelines for other teams. 0:12:58.830 --> 0:13:03.110 Sure. Absolutely. So why why do you think boards are 0:13:03.110 --> 0:13:05.270 pushing companies to adopt AI? 0:13:06.910 --> 0:13:10.309 I think it's, uh, you know, sort of the in 0:13:10.350 --> 0:13:13.310 a lot of ways, boards have always pushed companies to 0:13:13.350 --> 0:13:15.990 be more efficient. Right. To to make sure that they're 0:13:15.990 --> 0:13:20.390 they're maximizing the effectiveness of their team. Um, no board 0:13:20.390 --> 0:13:22.830 of directors is going to say, you know, it looks 0:13:22.830 --> 0:13:25.470 like you have a pretty, uh, bloated workforce that really 0:13:25.470 --> 0:13:29.990 isn't doing much. That's fine. Right. Um, and, you know, 0:13:30.030 --> 0:13:33.030 now there's a new tool at hand, right? Which has 0:13:33.030 --> 0:13:38.150 a lot of promise, uh, to, you know, uh, displace 0:13:38.150 --> 0:13:41.110 some of the grunt work that teams have to do. Um, 0:13:41.670 --> 0:13:44.870 you know, again, I don't think most people at this 0:13:44.870 --> 0:13:48.670 point are seriously contemplating replacing the bulk of their staff 0:13:48.670 --> 0:13:51.690 with AI. You know, it's it's, you know, it's a 0:13:51.690 --> 0:13:54.370 fear that certainly has been heard and talked about a lot. 0:13:54.410 --> 0:13:58.290 But I think the reality is the focus now is, hey, 0:13:58.370 --> 0:14:02.089 give your, your team access to these tools. Um, see 0:14:02.090 --> 0:14:05.090 what they can do. Right. See if they can increase their, 0:14:05.130 --> 0:14:08.569 their own efficiency here. Um, and so to me, what 0:14:08.570 --> 0:14:11.890 this translates to is we will ultimately be more effective 0:14:11.890 --> 0:14:14.850 as a business, not necessarily by replacing our staff, but 0:14:14.850 --> 0:14:18.170 by making it so that, you know, their individual productivity, uh, 0:14:18.170 --> 0:14:21.570 extends a little bit further. Right. Um, or, um, you know, 0:14:21.610 --> 0:14:24.330 another lens of this is we know that the business 0:14:24.330 --> 0:14:28.050 of doing business inherently involves a lot of toil. What 0:14:28.050 --> 0:14:31.450 would our designers what would our security professionals? What would 0:14:31.450 --> 0:14:34.330 our HR people be doing, uh, if they weren't just, 0:14:34.370 --> 0:14:38.130 you know, sort of doing daily, daily document processing tasks, right? 0:14:38.170 --> 0:14:41.810 Like what creativity could we unlock for the organization? Um, 0:14:41.850 --> 0:14:44.250 so I think it's it's fair, honestly, for boards to, 0:14:44.290 --> 0:14:47.090 for boards to push companies on these things. Um, yeah. 0:14:47.290 --> 0:14:49.210 I think the only failure mode is if they say 0:14:49.370 --> 0:14:53.670 you must adopt AI. No exceptions. Uh, even if you 0:14:53.670 --> 0:14:56.310 find a use case that models today's models aren't necessarily 0:14:56.310 --> 0:14:58.710 ready for yet, right? Like that could be the the 0:14:58.750 --> 0:14:59.630 only danger there. 0:14:59.670 --> 0:15:01.310 Yeah, that's what I was going to say is there's 0:15:01.310 --> 0:15:03.790 probably some push as well that says just get it 0:15:03.790 --> 0:15:07.110 into product so we can market it because everyone else 0:15:07.150 --> 0:15:09.990 is talking about it. But I think it's probably like, 0:15:10.030 --> 0:15:13.390 I don't know, 75, 25 in the direction of like 0:15:13.430 --> 0:15:15.230 find efficiencies, like you said. 0:15:15.710 --> 0:15:20.350 Yeah, absolutely. And you know, definitely the the early days 0:15:20.350 --> 0:15:23.350 of AI adoption, I think was a lot more, you know, 0:15:23.390 --> 0:15:26.030 this model of and now we have AI, right. Like, 0:15:26.030 --> 0:15:28.110 well for what you just kind of added a wrapper 0:15:28.110 --> 0:15:31.630 around around a chatbot. Right. Um, and you know, for us, 0:15:31.670 --> 0:15:34.470 at times as we were thinking about adding AI into 0:15:34.470 --> 0:15:36.310 our product, I mean, we started out as a as 0:15:36.350 --> 0:15:39.190 a no code workflow builder. Um, we took a look 0:15:39.190 --> 0:15:42.870 at some of the early AI pushes, and we ended 0:15:42.870 --> 0:15:46.550 up with something like 50 failed experiments, uh, to integrate 0:15:46.550 --> 0:15:49.490 AI into our platform because we didn't just want it 0:15:49.490 --> 0:15:53.970 to be yet another chatbot, right? That looks cool as demoware, 0:15:54.010 --> 0:15:57.250 but doesn't actually add any value for anybody. Um, it 0:15:57.250 --> 0:16:00.130 requires some thoughtfulness to make sure that, you know, you 0:16:00.130 --> 0:16:02.090 can't just slap AI on something and say, oh, great, 0:16:02.090 --> 0:16:03.970 this is now a better product, right? Like, it actually 0:16:03.970 --> 0:16:07.290 requires deep thought and integration to make AI useful. 0:16:07.930 --> 0:16:12.450 Yeah, and that's a great transition. We've set a pretty good, uh, 0:16:12.490 --> 0:16:16.810 baseline here for what's happening in industry. So for the 0:16:16.810 --> 0:16:20.730 problems that we talked about, uh, difficulty of automation, basically 0:16:20.770 --> 0:16:25.890 a constraints on, you know, work that could be done 0:16:25.890 --> 0:16:27.970 by security teams because of just the size of the 0:16:27.970 --> 0:16:30.370 team and the stuff they're working on. So how is 0:16:30.410 --> 0:16:32.210 time specifically addressing these? 0:16:33.170 --> 0:16:36.090 Yeah, we're addressing it through a couple different layers. The 0:16:36.090 --> 0:16:41.450 first is, uh, recognizing that just about every single security 0:16:41.450 --> 0:16:45.250 team has a different, uh, adoption maturity level when it 0:16:45.250 --> 0:16:48.750 comes to AI and also different constraints. Um, and so 0:16:48.790 --> 0:16:51.230 our number one design principle was, you know, don't be 0:16:51.230 --> 0:16:55.430 prescriptive in how people use AI within your platform. Um, 0:16:55.470 --> 0:16:58.230 a very. And so, you know, one of the very first, uh, 0:16:58.270 --> 0:17:04.550 integrations we built was, uh, we called it an automatic transform. Um, 0:17:04.550 --> 0:17:06.670 and basically what this was, is, you know, a lot 0:17:06.670 --> 0:17:09.950 of what people use times workflows for is to, you know, 0:17:09.990 --> 0:17:13.070 take data from one system, transform or manipulate it in 0:17:13.070 --> 0:17:17.110 some way, and then move it into another system automatically. Um, and, 0:17:17.150 --> 0:17:20.390 you know, if you don't want to learn the necessary, 0:17:20.430 --> 0:17:22.710 like all the ins and outs of some arcane like 0:17:22.750 --> 0:17:25.990 JSON schema. It turns out AI is actually really good 0:17:25.990 --> 0:17:29.270 to understand. You know, given a JSON input you tell AI. 0:17:29.270 --> 0:17:32.389 I would like to extract these four fields, transform the 0:17:32.390 --> 0:17:35.270 data in this way, and then output it in this format. Um, 0:17:35.910 --> 0:17:37.389 and so the first, you know, so one of the 0:17:37.390 --> 0:17:40.350 first integrations we built was this was this automatic transform 0:17:40.350 --> 0:17:46.869 where I would actually, uh, generate Python. Um, and uh, 0:17:46.869 --> 0:17:49.920 you know, so now your workflow, it still looks like 0:17:49.920 --> 0:17:52.800 the same, you know, deterministic workflow that you built by 0:17:52.800 --> 0:17:55.800 hand before. But now you've got one additional piece here 0:17:55.800 --> 0:17:58.440 that you didn't have to build by hand. Um, you're 0:17:58.440 --> 0:18:00.639 still having you know, Python is deterministic, right? If you 0:18:00.640 --> 0:18:02.560 give the same input to a function, it'll produce the 0:18:02.560 --> 0:18:06.240 same output. Um, and, you know, so we, we balanced 0:18:06.280 --> 0:18:07.679 the kind of what we saw as the best of 0:18:07.680 --> 0:18:10.360 both worlds there where, yes, you don't have to write 0:18:10.359 --> 0:18:12.560 that Python. You don't even have to know, like what 0:18:12.560 --> 0:18:15.320 Python does. You just need to validate that when you 0:18:15.320 --> 0:18:17.639 put out, you put the input in, you get the 0:18:17.640 --> 0:18:20.400 output that you expect. And so, you know, for teams 0:18:20.400 --> 0:18:24.400 that are sort of nervous about integrating AI or uh, 0:18:24.400 --> 0:18:27.800 maybe really early in their their maturity journey, we wanted 0:18:27.800 --> 0:18:29.919 to give them a first step. Right. Something that had 0:18:29.920 --> 0:18:31.679 a lot of guardrails on it that was safe to 0:18:31.720 --> 0:18:35.080 play around with. Um, we also have the ability to 0:18:35.119 --> 0:18:38.760 just integrate, uh, a straight up AI prompt, uh, into 0:18:38.800 --> 0:18:41.800 into your workflows as well, um, where, you know, if 0:18:41.800 --> 0:18:44.640 you're maybe more comfortable with, you know, prompt engineering or 0:18:44.680 --> 0:18:49.500 using those sorts of things, um, you could actually then go, uh, 0:18:49.500 --> 0:18:51.980 you know, give it almost any input you wanted and 0:18:51.980 --> 0:18:54.060 get any output you wanted structured, unstructured and so on 0:18:54.060 --> 0:18:57.899 and so forth. And then more recently we launched a 0:18:57.900 --> 0:19:03.580 tool called workbench. Uh, and workbench is basically our way 0:19:03.580 --> 0:19:08.100 of addressing the fact that most chat tools are their 0:19:08.100 --> 0:19:11.740 best when they have access to your data. Right. Um, 0:19:11.780 --> 0:19:16.180 there's this inherent tension between, uh, sending your most sensitive 0:19:16.220 --> 0:19:20.700 business contextual information, uh, to a third party vendor, um, 0:19:20.700 --> 0:19:23.020 and also making sure that AI is useful for you. 0:19:23.180 --> 0:19:25.980 So when we launched workbench, uh, we made sure that 0:19:25.980 --> 0:19:30.500 the AI models that we were using were actually completely private, uh, 0:19:30.500 --> 0:19:33.700 to the, you know, the tenant that was running them, right? 0:19:33.700 --> 0:19:35.620 There was no logging of the data. There was no 0:19:35.619 --> 0:19:38.419 sending the data across the internet. Um, and it enabled 0:19:38.460 --> 0:19:41.780 teams that had previously had constraints around sending data to 0:19:41.820 --> 0:19:44.500 third parties be able to say, oh, right now I 0:19:44.500 --> 0:19:47.479 can actually connect my uh, my AI models to the 0:19:47.480 --> 0:19:49.720 tools that I use, uh, in a way that's safe 0:19:49.720 --> 0:19:52.160 in a way that complies with my policies. Um, and 0:19:52.160 --> 0:19:55.879 now we can finally take advantage of that true combination 0:19:55.920 --> 0:19:59.720 like that, that that ideal combination of large language models 0:19:59.720 --> 0:20:03.000 that have the context, that have the business data and 0:20:03.000 --> 0:20:03.840 feel good about it. 0:20:04.440 --> 0:20:07.359 Nice. And what were the types of operations that they 0:20:07.359 --> 0:20:10.400 were doing with those, uh, prompts and Llms was that 0:20:10.400 --> 0:20:15.040 data transforms? Was that analysis, um, benign or malicious, that 0:20:15.040 --> 0:20:15.840 type of stuff? 0:20:16.600 --> 0:20:19.800 Yeah, I think one of the big use cases that people, uh, 0:20:19.800 --> 0:20:25.240 often start out with is around, uh, phishing analysis. Um, the, the, 0:20:25.240 --> 0:20:28.359 the phishing ecosystem, if you will, has evolved a lot 0:20:28.359 --> 0:20:30.840 over the years where you used to be able to 0:20:30.880 --> 0:20:34.040 check for things like a suspicious link or suspicious IP 0:20:34.040 --> 0:20:36.640 address or, you know, malicious attachment in an email and 0:20:36.640 --> 0:20:40.200 that told you whether or not it was phishing. Nowadays, uh, 0:20:40.200 --> 0:20:44.080 business email compromise is one of the biggest attack vectors 0:20:44.080 --> 0:20:46.980 that we see. And often it's simply, you know, somebody 0:20:46.980 --> 0:20:51.820 impersonating your CEO or impersonating somebody at your organization. And, 0:20:51.859 --> 0:20:53.340 you know, I mean, I get these all the time 0:20:53.340 --> 0:20:56.859 from from the times CEO, allegedly. Right. Saying, hey, Matt. Right. 0:20:56.940 --> 0:21:00.180 It is me, your CEO. Uh, please provide your phone 0:21:00.180 --> 0:21:02.619 number to me. Right. And they're they're looking for for 0:21:02.619 --> 0:21:05.860 additional context there. Um, and it turns out that's a 0:21:05.859 --> 0:21:10.660 really hard problem for traditional tools to be able to solve. 0:21:10.940 --> 0:21:13.580 A human can look at that message and sort of 0:21:13.980 --> 0:21:17.140 instinctively understand that this is phishing, right? Your tier one 0:21:17.140 --> 0:21:18.900 SoC analyst can look at that and be like, oh, right. 0:21:18.900 --> 0:21:21.619 That's that's obviously not the CEO. But how do you 0:21:21.619 --> 0:21:24.540 explain that to code? Right. How do you explain that 0:21:24.540 --> 0:21:27.580 to a very strict workflow tool? Because asking for a 0:21:27.580 --> 0:21:30.100 phone number is something people do all the time, right? 0:21:30.140 --> 0:21:33.580 It's the context of this conversation, uh, that results in 0:21:33.619 --> 0:21:35.460 that not being, you know, it results in it being 0:21:35.460 --> 0:21:39.820 malicious versus versus benign. And large language models, of course, 0:21:39.859 --> 0:21:45.200 are pretty darn good at understanding intent, understanding, you know, 0:21:45.320 --> 0:21:48.280 the nuances of some of those things. Um, and so 0:21:48.520 --> 0:21:51.640 for security operations teams that would get, you know, reports 0:21:51.640 --> 0:21:54.280 of phishing that they would have to go analyze. Um, 0:21:54.320 --> 0:21:56.600 you know, there was a certain bulk of them that 0:21:56.600 --> 0:21:58.760 had to be done by humans just because, like, the 0:21:58.760 --> 0:22:01.600 rules that they set just couldn't catch them, particularly in 0:22:01.600 --> 0:22:04.000 the Bec case. And so now what we're seeing is, 0:22:04.040 --> 0:22:06.560 you know, these AI analysis tools are being able to, 0:22:06.600 --> 0:22:08.840 you know, you can use them for a verdict. Um, 0:22:08.840 --> 0:22:11.040 or you can just say, hey, I actually want you 0:22:11.040 --> 0:22:14.119 to extract the intent of this message, and I'll combine 0:22:14.119 --> 0:22:16.600 that with some other signals that I have, right? Like 0:22:16.640 --> 0:22:19.480 mix and match AI and, you know, maybe a threat 0:22:19.480 --> 0:22:23.119 research or a threat intelligence database that I have to say, oh, 0:22:23.440 --> 0:22:26.400 this sender is actually in our database, as you know, 0:22:26.400 --> 0:22:29.920 being potentially risky. Uh, combine that with, uh, you know, 0:22:29.960 --> 0:22:33.560 the intent of this message being asking for contact information 0:22:33.800 --> 0:22:36.840 and now you instantly have not just a yes, this 0:22:36.840 --> 0:22:40.200 is malicious verdict. You also have insight into the intent 0:22:40.200 --> 0:22:43.800 of the threat actor. Right. And um, with workbench in particular, 0:22:44.130 --> 0:22:47.490 This is where analysts can now iterate on that. Right. And, 0:22:47.530 --> 0:22:48.889 you know, going back to like what would you do 0:22:48.890 --> 0:22:51.050 with the additional time that you can that you can 0:22:51.050 --> 0:22:55.609 save now they're able to, you know, pivot into additional investigation, right. 0:22:55.650 --> 0:22:58.689 And say, okay, if I know this was the attacker's intent, 0:22:58.690 --> 0:23:00.609 what else can I learn about the attacker? What else? 0:23:00.650 --> 0:23:03.369 You know, what else would this attack look like? Right. Maybe, 0:23:03.410 --> 0:23:06.410 you know, maybe we received this one report. What would 0:23:06.410 --> 0:23:09.689 it look like if it had succeeded with a different user? Right. 0:23:09.730 --> 0:23:13.290 And can I go investigate that now? So, so much 0:23:13.290 --> 0:23:16.129 less time spent on triage, more time actually spent asking 0:23:16.130 --> 0:23:18.810 the questions of like, who is attacking me? What can 0:23:18.810 --> 0:23:20.810 I do about it? How do we know that we're safe, right? 0:23:20.850 --> 0:23:23.889 And moving beyond to the things that actually require some 0:23:23.890 --> 0:23:25.330 some human thought and creativity? 0:23:26.050 --> 0:23:30.649 Yeah, that makes sense. Yeah. Something you said earlier was 0:23:30.650 --> 0:23:33.649 really interesting. You're talking about data transforms. And like, I 0:23:33.690 --> 0:23:37.450 spent a lot of time, uh, different companies dealing with this. 0:23:37.490 --> 0:23:44.149 It seems like it's not just, um, augmenting augmentation with 0:23:44.150 --> 0:23:46.950 stuff that humans were doing that times could help with, 0:23:47.510 --> 0:23:53.230 but also things that, um, like, um, data pipelines. Um, 0:23:53.510 --> 0:23:56.510 and I was also thinking about, uh, and you probably 0:23:56.510 --> 0:23:59.270 aren't I you got to focus when you're a product, 0:23:59.270 --> 0:24:04.109 you got to focus. But, um, quality checks and security checks, 0:24:04.869 --> 0:24:06.830 you kind of have the same sort of vibe. You 0:24:06.830 --> 0:24:09.790 have things coming in and you're moving through a set 0:24:09.790 --> 0:24:15.070 of steps for checking, for validation, for quality, for whatever 0:24:15.070 --> 0:24:17.070 you could do. And if you add AI to that, 0:24:17.070 --> 0:24:19.310 you could have like judgment in there at any of 0:24:19.310 --> 0:24:23.590 those steps. So, I mean, um, it seems like you're 0:24:23.590 --> 0:24:29.030 very much focused on security. Um, but are you seeing 0:24:29.030 --> 0:24:33.190 people use it for, um, more like broad use cases, 0:24:33.190 --> 0:24:36.750 like quality and stuff like that, because, I mean, this 0:24:36.750 --> 0:24:39.270 is everywhere in it. It's everywhere in business. This is 0:24:39.270 --> 0:24:43.650 just business in general needs these sort of workflows at scale? 0:24:44.530 --> 0:24:48.090 Yeah, absolutely. Um, and, you know, I at the end 0:24:48.090 --> 0:24:49.970 of the day, it feels like almost every problem boils 0:24:49.970 --> 0:24:53.970 down to either case management or data management. Right? And so, um, 0:24:54.010 --> 0:24:57.010 you know, especially in the data management world, um, you're 0:24:57.010 --> 0:25:00.730 you're exactly right. This is where, you know, uh, we 0:25:00.730 --> 0:25:03.890 can use tie ins, and we see customers using tie ins, uh, 0:25:03.890 --> 0:25:06.609 to remove some of the toil and burden off of, 0:25:06.650 --> 0:25:11.290 you know, just managing those, those pipelines, everything from, um. Hey, 0:25:11.330 --> 0:25:15.010 what do we expect this log source, uh, to be, 0:25:15.050 --> 0:25:20.530 you know, like, producing, right? Like, do we actually, you know, uh, AWS, uh, 0:25:20.650 --> 0:25:24.410 loves to subtly change the shape of CloudTrail logs. 0:25:24.450 --> 0:25:25.330 Totally. 0:25:25.690 --> 0:25:27.889 You know. Right. And there's no there's no big announcement. 0:25:27.890 --> 0:25:30.290 It's just one of these days, I've noticed that a 0:25:30.290 --> 0:25:33.010 fewer of my logs are getting classified correctly. Right? And, like, 0:25:33.010 --> 0:25:35.890 why is that? Um, and so that's where, you know, 0:25:35.930 --> 0:25:39.130 tines and, you know, AI implementation within tines can, can 0:25:39.130 --> 0:25:43.070 serve as that sanity check. Um, we also see customers 0:25:43.070 --> 0:25:46.510 using tie ins to integrate with, uh, you know, some 0:25:46.510 --> 0:25:49.790 of their, some of their other data management platforms, particularly 0:25:49.790 --> 0:25:53.350 around hot and cold. Uh, you know, data stacks. Right. 0:25:53.390 --> 0:25:57.270 And like, you know, in the context, you know, of doing, 0:25:57.310 --> 0:26:00.270 for example, a security investigation, um, you know, you may 0:26:00.270 --> 0:26:02.949 only have 30 days worth of logs that are that 0:26:02.950 --> 0:26:06.070 are like hot, hot, right? And, like, actively accessible. And, 0:26:06.230 --> 0:26:09.310 you know, you have all the rest in Amazon S3. And, um, 0:26:09.550 --> 0:26:11.270 you know, you need to be able to pull them. 0:26:11.270 --> 0:26:14.870 This is something where tines can help make that retrieval process, uh, 0:26:14.869 --> 0:26:18.550 and rehydration process a lot more, a lot more simple. Um, 0:26:18.550 --> 0:26:21.669 and so yeah, we're absolutely seeing people using tines as 0:26:21.670 --> 0:26:25.430 sort of, you know, the meta orchestration and monitoring layer 0:26:25.590 --> 0:26:29.149 on top of these data pipelines that they're building because, uh, yeah, 0:26:29.190 --> 0:26:31.590 at the end of the day, you know, there's the 0:26:31.590 --> 0:26:34.070 number of people that have data pipelines that don't have 0:26:34.070 --> 0:26:37.149 a data engineering team is a lot larger than, uh, yeah, 0:26:37.190 --> 0:26:38.910 the teams that do, unfortunately. Right. 0:26:39.230 --> 0:26:41.570 Yeah, that makes sense. And as far as like AI 0:26:41.730 --> 0:26:44.290 and security wise, what are the main use cases that 0:26:44.290 --> 0:26:44.850 you're seeing? 0:26:46.010 --> 0:26:50.010 Yeah, I mean, AI is, uh, you know, what we're seeing, uh, 0:26:50.010 --> 0:26:54.489 used a lot is again, sort of, uh, either, you know, 0:26:54.530 --> 0:26:59.169 extracting context. Um, you know, we're we see threat intelligence 0:26:59.170 --> 0:27:02.050 teams are using AI in a couple of different, really 0:27:02.050 --> 0:27:05.570 interesting ways around reporting. The first is, you know, when 0:27:05.570 --> 0:27:09.210 you consume, uh, threat intelligence reporting that has been produced 0:27:09.210 --> 0:27:12.850 by another organization being able to extract indicators and all 0:27:12.890 --> 0:27:15.649 that sort of stuff. Um, but then when you are 0:27:15.770 --> 0:27:19.609 actually producing, reporting, uh, there's a lot of different consumers 0:27:19.609 --> 0:27:21.409 of that, some of whom are human and want a 0:27:21.450 --> 0:27:24.850 PDF and some of whom are computers and can't read 0:27:24.850 --> 0:27:28.450 a PDF, right. Uh, and so being able to use 0:27:28.450 --> 0:27:32.610 these capabilities to produce multiple different kinds of, you know, 0:27:32.609 --> 0:27:35.290 intelligence distribution, I think has been a really to me, 0:27:35.290 --> 0:27:37.810 that was sort of an unexpected but really fascinating use 0:27:37.810 --> 0:27:40.900 case to see, um, of like, oh, right. It's not 0:27:40.900 --> 0:27:43.620 just about reading data, right? It's about producing the data 0:27:43.619 --> 0:27:47.020 that our, you know, translation of data. Really, uh, for 0:27:47.020 --> 0:27:49.020 for the right audience. Um, so. 0:27:49.020 --> 0:27:52.940 You have, like, a little piece of useful intelligence and 0:27:52.940 --> 0:27:56.260 you have, um, yeah. I did a lot of work 0:27:56.260 --> 0:27:59.740 on this, uh, at Apple, actually, with the threat Intel team, 0:27:59.740 --> 0:28:03.500 they have this little nugget of intelligence, and their customers 0:28:03.500 --> 0:28:07.540 are like, whatever, 19 different customers, including, like, global security, 0:28:07.540 --> 0:28:10.100 which is physical security. And then you have all these 0:28:10.100 --> 0:28:13.300 different product teams and software teams, and they all care 0:28:13.300 --> 0:28:14.540 about something different. 0:28:14.940 --> 0:28:15.340 Right? 0:28:15.380 --> 0:28:18.300 And that's a workflow combined with AI that you could 0:28:18.300 --> 0:28:20.619 just produce those 19 different artifacts. 0:28:20.900 --> 0:28:24.540 Right? Exactly right. The CISO just wants to know, basically, 0:28:24.540 --> 0:28:26.380 are we vulnerable? Have we been hit right. And that's 0:28:26.380 --> 0:28:28.939 that's about it. Um, and the SoC may want to 0:28:28.980 --> 0:28:31.220 know a little bit more technical detail and so on 0:28:31.220 --> 0:28:33.660 and so forth. Um, so yeah, that to me, that 0:28:33.660 --> 0:28:36.460 has been a really fascinating use case of, you know, 0:28:36.500 --> 0:28:39.460 it's it's avoiding toil, but not in the way that 0:28:39.560 --> 0:28:41.520 everyone thinks, right? Like you still, as the human, are 0:28:41.520 --> 0:28:44.840 putting your creativity into this report and developing the nuance 0:28:44.840 --> 0:28:47.960 and understanding, and then AI is helping you translate that 0:28:47.960 --> 0:28:49.320 into a different context. 0:28:49.960 --> 0:28:53.400 Yeah, that makes sense. So is workbench the main the 0:28:53.400 --> 0:28:56.080 main thing that you guys are working on and talking 0:28:56.080 --> 0:28:58.680 about right now? Tell us more about that. 0:28:59.360 --> 0:29:04.920 Yeah. Workbench uh, is definitely something that has really taken off, uh, 0:29:04.920 --> 0:29:07.520 in our customer base. Uh, and again, I think a 0:29:07.520 --> 0:29:09.880 lot of that is the fact that, you know, uh, 0:29:10.120 --> 0:29:11.640 a chat tool is a chat tool, right? There's a 0:29:11.640 --> 0:29:13.840 lot of those out there in the world. Um, but 0:29:13.880 --> 0:29:17.360 what tines provides is that private and secure access and 0:29:17.360 --> 0:29:21.400 the context and integration, uh, with all of your other 0:29:21.400 --> 0:29:25.600 data and most importantly, your other tines, workflows. Um, and 0:29:25.600 --> 0:29:30.040 so the way we're seeing people now start to use workbench, uh, is, 0:29:30.200 --> 0:29:32.600 you know, sort of almost like dipping in and out 0:29:32.600 --> 0:29:37.160 of using deterministic automation and also using a chat interface 0:29:37.160 --> 0:29:40.540 for their, for their analyst. So in an incident, um, 0:29:40.540 --> 0:29:43.700 you know, an analyst may go into workbench and say, 0:29:43.700 --> 0:29:47.180 I received this alert, please analyze it, recommend some next 0:29:47.180 --> 0:29:48.900 steps for me. Right. And one of those next steps 0:29:48.900 --> 0:29:52.260 might be, you know, this account looks like it's been compromised. 0:29:52.260 --> 0:29:56.260 You should probably lock this account. And you say okay, great. Uh, 0:29:56.260 --> 0:29:59.500 workbench allows you to trigger other workflows that have been 0:29:59.500 --> 0:30:02.540 built within tines. And so I don't have to worry 0:30:02.540 --> 0:30:09.700 about I maybe hallucinating the endpoint, uh, of our identity provider. Right. Or, uh, mistaking, 0:30:09.740 --> 0:30:11.500 you know, like, if, you know, there's a bunch of 0:30:11.500 --> 0:30:13.700 other people in tines named Matt, I don't have to 0:30:13.700 --> 0:30:15.420 worry that it's going to grab the wrong Matt. Right? 0:30:15.420 --> 0:30:20.420 Like I can actually delegate that task to a deterministic workflow, 0:30:20.700 --> 0:30:21.980 and then it comes back to workbench. 0:30:22.020 --> 0:30:22.660 That's great. 0:30:22.700 --> 0:30:26.820 That's great. And workbench says, uh, you know, great. We've 0:30:26.820 --> 0:30:28.500 done that part. Here's, you know, would you like me 0:30:28.500 --> 0:30:30.140 to write up an incident summary? Right. And you can 0:30:30.140 --> 0:30:33.340 close out this case. Um, and so really giving people, 0:30:33.380 --> 0:30:37.300 you know, a much more explicit way of working through 0:30:37.340 --> 0:30:41.880 common tasks, delegating to automation where necessary. Um, but, you know, 0:30:41.880 --> 0:30:44.000 this is still very much, you know, a sort of 0:30:44.040 --> 0:30:47.239 a co-pilot sort of use case. Um, one of the 0:30:47.240 --> 0:30:50.560 things we're really excited right now is excited about right 0:30:50.560 --> 0:30:53.920 now is, uh, you know, some of the agentic AI 0:30:54.280 --> 0:30:58.960 capabilities that, um, you know, we're we're starting to see some, uh, 0:30:58.960 --> 0:31:03.440 people using tines for sort of basic agentic AI stuff. Um, and, 0:31:03.480 --> 0:31:05.840 you know, in the same way that we didn't necessarily 0:31:05.840 --> 0:31:08.600 want to rush and be the first people to integrate 0:31:08.640 --> 0:31:12.320 a chat interface just to say we had AI Agentic AI, 0:31:12.360 --> 0:31:15.960 I think has had, uh, maybe an evolution, uh, in 0:31:15.960 --> 0:31:19.360 terms of our understanding of what an AI agent actually is, right? 0:31:19.400 --> 0:31:22.880 And what constitutes agentic AI and so on and so forth. Um, 0:31:23.040 --> 0:31:28.000 and now that these have more stable definitions, uh, we're 0:31:28.040 --> 0:31:31.400 investing in figuring out what agentic AI looks like when 0:31:31.400 --> 0:31:34.400 it comes to tines as well. So that's something that, uh, I, 0:31:34.640 --> 0:31:36.640 you know, we're, we're starting to get some internal sneak 0:31:36.640 --> 0:31:39.700 peeks on, uh, and it's, uh, it's pretty exciting. 0:31:40.420 --> 0:31:42.820 All right. Could you possibly, uh, show us a demo 0:31:42.820 --> 0:31:43.580 of workbench? 0:31:44.340 --> 0:31:48.180 Yeah, absolutely. I'd be delighted to, um. Let's see. Hopefully 0:31:48.180 --> 0:31:52.900 I have the correct screen pulled up here. Um, but 0:31:52.900 --> 0:31:57.860 this is the the workbench interface, and you can see here, uh, 0:31:57.860 --> 0:32:02.260 you know, it's a fairly classic chat interface. Um, and 0:32:02.700 --> 0:32:06.660 if you treat it just like any other chat bot, uh, 0:32:06.660 --> 0:32:10.500 you'll get fairly generic. Lem answers. Um, so in my 0:32:10.540 --> 0:32:13.820 in my previous role, I worked in security operations, uh, 0:32:13.820 --> 0:32:18.340 at Coinbase. Um, and we dealt with phishing all the time. 0:32:18.340 --> 0:32:22.060 We dealt with incidents, um, you know, and, uh, you know, 0:32:22.100 --> 0:32:25.060 got got attacked all the time. So, um, let's imagine 0:32:25.060 --> 0:32:27.500 here that I, you know, have received reports that the 0:32:27.540 --> 0:32:32.420 domain Coinbase is, is phishing. And I'm looking to learn more. Um, 0:32:32.820 --> 0:32:43.590 can you tell me if Coinbase So.com is phishing. And 0:32:43.590 --> 0:32:45.750 it'll think for a second. But you'll notice here that 0:32:45.750 --> 0:32:50.190 because we are only talking to the LLM, it gives 0:32:50.190 --> 0:32:52.870 us a fairly generic answer, right? I don't have any 0:32:52.910 --> 0:32:55.630 specific information. Um, and so because. 0:32:55.670 --> 0:32:57.750 This has got a training cut off date, right. This 0:32:57.750 --> 0:33:01.510 is like it only knows so much. It's not an 0:33:01.510 --> 0:33:03.630 expert on domains. 0:33:04.070 --> 0:33:08.350 Exactly, exactly. And you know, this is good generic advice, right? 0:33:08.390 --> 0:33:10.030 Like you should always check to see if it's an 0:33:10.030 --> 0:33:15.350 official Coinbase domain. Um, but as I start connecting tools, uh, 0:33:15.590 --> 0:33:18.950 things can get a little bit more interesting. So now 0:33:18.950 --> 0:33:23.590 if I ask it the same question, if Coinbase is 0:33:23.590 --> 0:33:31.630 so.com is phishing. It's going to look a little bit different, right? 0:33:31.670 --> 0:33:34.030 It knows that one of the tools available to it 0:33:34.030 --> 0:33:37.770 is URL scan. Um, and so now, rather than just 0:33:37.770 --> 0:33:41.410 giving me a generic answer, it's actually going to use, uh, 0:33:41.410 --> 0:33:46.250 URL scan. Um, and because it's searched for URL scan 0:33:46.250 --> 0:33:48.810 and found a result, it actually knows to then retrieve 0:33:48.810 --> 0:33:52.490 that result as well. It's kicking these things off automatically 0:33:52.490 --> 0:33:55.810 because these are read only actions, right? Like no system 0:33:55.810 --> 0:33:59.290 is going to change because, uh, you know, because it 0:33:59.330 --> 0:34:02.610 called these tools. Um, we also have the ability, you know, 0:34:02.650 --> 0:34:05.090 if there's a, you know, a write action or a, 0:34:05.090 --> 0:34:09.210 you know, potentially destructive action, it'll ask you to confirm, uh, 0:34:09.210 --> 0:34:12.529 before before it takes that action. But these are read only, right? 0:34:12.570 --> 0:34:16.010 And so now that we've pulled back, uh, some URL 0:34:16.050 --> 0:34:18.610 scan results, we can officially confirm that this is a 0:34:18.610 --> 0:34:22.170 phishing site, right? With the most up to date data. Um, and, 0:34:22.210 --> 0:34:24.330 you know, if you've been on URL, scan, com, you 0:34:24.330 --> 0:34:27.530 know that there's a lot of data that they pull back. Um, 0:34:27.530 --> 0:34:30.969 and this sort of provides this very quick, uh, insight 0:34:30.969 --> 0:34:35.830 into URL scan. Um, and so, you know, this is 0:34:35.830 --> 0:34:39.469 this is something where, you know, security teams, uh, in 0:34:39.469 --> 0:34:42.029 the past, if they wanted to use all of these 0:34:42.030 --> 0:34:45.710 different tools, uh, they had kind of one of two choices. 0:34:45.710 --> 0:34:48.109 They could either have a lot of different panes of 0:34:48.110 --> 0:34:51.150 glass open, uh, or they could, you know, sort of 0:34:51.190 --> 0:34:54.230 do like a one time enrichment into, you know, a 0:34:54.270 --> 0:34:57.029 case that came in. Right? Um, I may not know 0:34:57.070 --> 0:34:59.670 ahead of time what tool I want to use in 0:34:59.670 --> 0:35:02.750 order to investigate something. Uh, and so what workbench lets 0:35:02.750 --> 0:35:05.069 us do is say, okay, now, you know, we can 0:35:05.070 --> 0:35:07.390 pick some of the tools that are, you know, tools 0:35:07.390 --> 0:35:12.310 that are at our disposal, get the latest data. Um, and, uh, 0:35:12.310 --> 0:35:15.390 you know, ultimately, uh, you know, get that sort of 0:35:15.510 --> 0:35:19.390 much more dynamic, uh, you know, uh, interface without without 0:35:19.390 --> 0:35:20.910 ever having to leave workbench. 0:35:21.190 --> 0:35:23.790 Yeah. They just asked the question normal way. They don't 0:35:23.790 --> 0:35:26.550 think about the tools that would be required to answer 0:35:26.550 --> 0:35:27.390 it correctly. 0:35:28.150 --> 0:35:31.109 Exactly. Um, and, you know, let's imagine that, you know, 0:35:31.150 --> 0:35:34.029 we're not using URL scan. We're using a different, uh, 0:35:34.090 --> 0:35:37.730 Service provider to to analyze fishing. I don't have to 0:35:37.730 --> 0:35:40.690 know anything about that service provider. Right? Like, all I 0:35:40.690 --> 0:35:45.010 have to know is what information the AI has extracted 0:35:45.410 --> 0:35:48.370 in order to be able to make to make that determination. Um, 0:35:48.810 --> 0:35:50.489 and so for us, this is, you know, again, sort 0:35:50.489 --> 0:35:52.250 of feels like one of the best of both worlds 0:35:52.250 --> 0:35:55.290 when it comes to chat assistance, right? Like, you can 0:35:55.290 --> 0:35:58.890 get the, uh, validated data from the latest, uh, trusted 0:35:58.890 --> 0:36:01.650 data sources. Um, you don't have to know any of 0:36:01.650 --> 0:36:04.890 the technical details behind it. You remain in full control 0:36:04.890 --> 0:36:07.770 over what sources are connected, when actions are taken, and 0:36:07.770 --> 0:36:10.730 so on and so forth. Um, but ultimately, you know, 0:36:10.770 --> 0:36:13.689 it just sort of removes that cognitive burden of having to, 0:36:13.730 --> 0:36:16.410 you know, contact switch between a bunch of different systems. 0:36:16.890 --> 0:36:19.049 Yeah, that makes sense. I really liked what you were 0:36:19.050 --> 0:36:23.330 saying before when you were talking about building the workflows. Um, 0:36:23.969 --> 0:36:28.370 where you seamlessly pivoting between when you need intelligence and 0:36:28.370 --> 0:36:33.290 when you need the consistency of like a legacy or 0:36:33.330 --> 0:36:36.589 what did you call it? Um. Deterministic system. 0:36:36.630 --> 0:36:37.710 Yeah, exactly. 0:36:37.750 --> 0:36:40.870 Yeah, that's that's really, really important because when you talk 0:36:40.910 --> 0:36:44.390 about scale, you talk about processing terabytes of data. That's 0:36:44.390 --> 0:36:46.910 not an LMDh thing, right? Right. You got to you 0:36:46.950 --> 0:36:49.870 got to pivot to traditional tech there. Uh, I thought 0:36:49.870 --> 0:36:53.230 that was really interesting. Well, this is, um, this is awesome. 0:36:53.270 --> 0:36:55.750 What else is, uh, coming out? What else should people 0:36:55.750 --> 0:36:58.710 know about that? You're, um, either have out now or 0:36:58.710 --> 0:36:59.590 releasing soon. 0:37:00.550 --> 0:37:02.830 Yeah, some of the stuff coming out soon, we're, you know, 0:37:02.870 --> 0:37:07.150 we're adding, uh, a lot more into workbench. Uh, and, 0:37:07.190 --> 0:37:10.830 you know, right now, a lot of this, uh, interface is, uh, 0:37:10.830 --> 0:37:13.870 text based. Um, we've heard a lot of requests from 0:37:13.870 --> 0:37:15.790 our customers that they'd like to be able to do 0:37:15.790 --> 0:37:18.629 more with documents and images. Um, so that is, that 0:37:18.630 --> 0:37:22.109 is coming very, very soon here. Um, and then, you know, 0:37:22.190 --> 0:37:24.109 the other thing, uh, and, you know, if I look 0:37:24.110 --> 0:37:27.710 at here at this, uh, workbench builder or, excuse me, 0:37:27.710 --> 0:37:31.029 this story builder, uh, tab, um, right now we have 0:37:31.030 --> 0:37:35.160 an AI action that includes just a prompt right where 0:37:35.160 --> 0:37:39.600 I can maybe generate some some output. Um, as we 0:37:39.600 --> 0:37:42.600 start looking, uh, you know, over the next few months 0:37:42.600 --> 0:37:47.520 at how agentic, I, uh, you know, interfaces with, uh, 0:37:47.520 --> 0:37:51.239 both traditional workflows as well as, you know, uh, copilot 0:37:51.239 --> 0:37:54.880 chat workflows. Um, this is going to, uh, this is 0:37:54.880 --> 0:37:57.919 going to evolve, and, uh, I'll leave, uh, I'll leave 0:37:57.920 --> 0:38:01.520 the tease, uh, at, uh, you know, at, uh, you know, 0:38:01.560 --> 0:38:04.200 saying that there's going to be more than just workbench, uh, 0:38:04.200 --> 0:38:06.000 for sure, uh, over the next few months when it 0:38:06.000 --> 0:38:06.640 comes to AI. 0:38:07.680 --> 0:38:11.440 Fantastic. And where can people find out about you? Uh, 0:38:11.440 --> 0:38:12.560 the website and everything. 0:38:13.040 --> 0:38:16.719 Yeah. Folks, go to Tynes. T I n e s.com. Uh, 0:38:16.760 --> 0:38:19.600 they can find us there. Um, and if they want 0:38:19.640 --> 0:38:22.239 to get a taste of of all of this, uh, 0:38:22.280 --> 0:38:24.600 what we've shown today, what we've talked about, we have 0:38:24.600 --> 0:38:27.640 a free community edition. It's free for life. Uh, you know, 0:38:27.680 --> 0:38:30.680 comes with a whole bunch of different features. Um, and, 0:38:30.719 --> 0:38:33.380 you know, I have my own community edition tenant that 0:38:33.380 --> 0:38:37.140 I actually use for personal stuff outside of work as well. Um, 0:38:37.420 --> 0:38:41.580 we've had people use their, uh, tenants to actually, uh, 0:38:41.860 --> 0:38:44.180 build to do a fantasy football draft, which I thought 0:38:44.180 --> 0:38:47.580 was interesting. Um, and, uh, yeah, we want people to 0:38:47.580 --> 0:38:51.540 be able to experience, uh, you know, experience, uh, what's, uh, 0:38:51.540 --> 0:38:52.820 you know what? All we're building. 0:38:53.580 --> 0:38:57.140 Very cool. Well, Matt, I enjoy the conversation. I think 0:38:57.140 --> 0:39:00.460 this is, uh, super interesting. And, uh, look forward to 0:39:00.540 --> 0:39:01.739 talking to you in the future. 0:39:02.300 --> 0:39:04.820 Likewise. Thanks so much, Daniel. I really appreciate the conversation. 0:39:04.860 --> 0:39:05.660 All right. Take care. 0:39:05.980 --> 0:39:06.540 Cheers. 0:39:08.300 --> 0:39:13.140 Unsupervised learning is produced on Hindenburg Pro using an sm7 microphone. 0:39:13.940 --> 0:39:16.219 A video version of the podcast is available on the 0:39:16.260 --> 0:39:19.939 Unsupervised Learning YouTube channel, and the text version with full 0:39:19.940 --> 0:39:25.460 links and notes is available at Daniel Mysa.com newsletter. We'll 0:39:25.460 --> 0:39:26.300 see you next time.