00:00:02,680 --> 00:01:04,700 S1: All right. I want to do something crazy here. Specifically, I want to talk about the future of hacking. And what do I mean by that? What do I mean by hacking? I mean all hacking: attack, defense, bug bounty, personal automation stacks, enterprise automation stacks, attacker automation stacks, enterprise security. Everything. Everything hacking related, I think, is going to come down to what I'm about to talk about. And I am aware of how big of a claim that is. The reason I'm able to make this prediction is I'm not stupid enough to claim to know how it's going to happen, or exactly when, or with what companies, or like what technologies exactly it's going to manifest as. That would be ridiculous, because this stuff is basically unpredictable. What I'm going to show you is a direction. And I think once you see it, you will be unable to unsee it. And by the way, this video is going to be around 30 minutes. But the whole first 25 minutes is leading up to the last five. The last five is the good stuff. All right. So, quick intro for people who don't know me.
00:01:04,700 --> 00:02:01,880 S1: I've been in security since like 1999, and I went heavy into AI in late 2022, still doing tons of security stuff, just with this AI wrapper around it. And you're going to see why here in a second. And I would say most of my technical background, I mean, I've done lots of different stuff, but it kind of boils down to a container of security assessment. That's like the main outline. So first I'm going to show you how I kind of walked into this idea. So when I start to do a security assessment, and this goes back, you know, 15, 20 years of doing security assessments, I like to start at the very top. When I talk to a company, I like to interview the CEO if I'm able to, if it's a, you know, medium-sized company or below. And I talk to the CEO, I talk to the head of legal, I talk to, like, as many people at the top, and I'm sort of asking them the same questions. And then I move down through the structure. I talk to all the VPs and senior VPs and the CISO and the rest of the C-suite and everybody.
00:02:01,880 --> 00:03:00,049 S1: And then I start moving through all the management, and I'm asking kind of similar questions, but I'm also asking different questions, because now I'm playing off the answers I got before. And I just move through the whole structure all the way down to the people who do the actual work. And then, as I keep gathering more and more information, I start filling in these elaborate diagrams that describe to me exactly how this company works: like, here's how the information flows, here's where the data is stored, oh, we've got vendors over here, they're able to touch this data, or whatever. And ultimately I'm trying to figure out, like, what they're protecting, how they're doing it, what day-to-day business looks like. After a couple of weeks of this, I then start doing my technical assessment to find vulnerabilities. So I'm also reviewing their previous technical assessments, but I'm really doing my own as well, to go and probe in these various different areas and point my observations at things that I've seen in the interviews. But the underlying theme here is I'm taking all the context, not just of the vulnerabilities and the technical aspects, like of the IT stack, but of the business itself. Right.
00:03:00,090 --> 00:03:58,890 S1: All of that I'm gathering into one place, and that's kind of how I view and how I start security assessments. Other teams are still managing GRC with spreadsheets, screenshots, and manual processes, but with everything evolving, compliance frameworks, third-party risk, customer expectations, this is no longer good enough. And the problem isn't just that it's time-consuming. It can actually hold you back: slow audits, missed risks, and less time to focus on what actually matters, which is improving your security. Vanta's trust management platform is designed to help with that. It automates the core parts of your GRC program, things like compliance readiness, vendor risk, and internal controls, so you're not buried in manual work. According to IDC, teams using Vanta are 129% more productive in their GRC work. That means faster prep, fewer surprises, and more time for real security work. It's not about making compliance easy for the sake of it. It's about getting the friction out of the way so you can move faster, do better work, and build trust more efficiently.
00:03:58,990 --> 00:05:04,890 S1: And if you're thinking about how to approach AI risk, Vanta put together a free AI security assessment. It's a structured way to evaluate risk across AI use, development, and governance. You can get the assessment at ... That's ... And thanks to Vanta for sponsoring this video. So in a completely separate thread of consumer tech, in 2013, I started getting a picture of where I thought all this AI tech was going, like on the consumer side, which at the time I called IoT. And I was actually talking about this with my friend Jason Haddix in like 2013, which I was reminded of because I just read the foreword and I was thanking him for encouraging me to write this book in 2013. But these ideas are pretty decent. The book is actually crap, so you don't need to read that. In fact, I have it published online as a blog post. It's very short. You should go read it there. It's actually not half bad. Plus you could use AI to help you read it. Plus it's got way better typography. So I would say skip the book and just go read the blog. But the basic ideas are quite good, even though the book is not so great.
00:05:04,890 --> 00:06:04,390 S1: So the basic idea is you have digital assistants that know everything about you and they advocate for you, and then everything gets an API, including people and objects and businesses and everything. This is like the second piece of this, and it's really, really important. And your digital assistant, your DA, basically uses all those services to interact with those APIs on your behalf. Then your DA will use augmented reality to show you context for wherever and whatever you're doing, right? So you're wearing glasses or lenses or whatever. Neuralink, whatever. It doesn't matter. It'll start with glasses, obviously. And basically your DA knows everything about you, knows your entire personality, it knows your entire history or whatever. So it knows when you're scared. It knows when you're skeptical. It knows when you're hungry. It knows, you know, when you're curious. And it's using these millions of services that are available as APIs to get data back for you and change the screen. Okay. Sometimes it's a security screen, sometimes it's like a social screen because you're trying to find, you know, your life partner or whatever. So it's constantly changing what you're looking at to help you.
00:06:04,390 --> 00:07:06,080 S1: Maybe it's popping up little notes or little reminders or whatever, right? A security overlay if you're in danger or something. So that's the third piece, which is augmented reality, displaying the information from all these APIs from your DA, who is like the one handling all of this and advocating for you. And finally, the last idea is that when you have like an entire family or an entire city or an entire country with all these daemons, all these APIs available, that produces tons of context that a top-level AI could look at and say, okay, how can I manage this city better? How can I manage its resources? How can I turn on these lights and turn these off and reflow this traffic? And, you know, how can I optimize? How can I help this city achieve its goals based on all the context that I know about it, from all this context, from all these APIs and daemons? So that was fun. That was a cool book. That was some cool ideas. Then in 2018, I got a job at Apple doing information security stuff, but the team I came in on was with Joel Parish, and we actually built, well, he was already doing machine learning, right?
00:07:06,080 --> 00:08:05,540 S1: He was part of the machine learning team within security. So I wanted to study up and just get really good at this stuff. And my math was really bad, so I had to refresh my horrible math, and I went and did Andrew Ng's entire machine learning course. And over the course of my time there, I got exposed to tons of ML stuff and practical uses of ML, like before the current AI stuff, and it was really helpful. I ended up building a product there which is still used today, so I'm happy about that. In early '21, I left Apple to go build the AppSec and vuln management teams at Robinhood with Caleb Sima. And there I did a Black Hat talk about building vulnerability management programs based on company context, and specifically around asset management. And that turned out to be another brick in this path that I'm laying out here. After doing that, I decided it was time for me to go build things on my own and do, like, my own consulting. So I went independent with Unsupervised Learning in like August of '22. And it turns out that was just a few months before ChatGPT came out. And obviously I went absolutely apeshit.
00:08:05,540 --> 00:09:01,280 S1: When that came out, I called everyone. I called Jason, I called Clint, I called Caleb, I called my mom, I called my dog. I don't have a dog. But yeah, I called everyone. And the first place that my head went with all of this was like security assessment and building and managing security programs. So I started doing that immediately. Basically, I took everything I was doing previously with all this context, right, that I'd been doing for, like, you know, a decade and a half or whatever. And I'm like, okay, how can I use AI to, you know, make this even better? And, you know, put the context first. So in March of '23, I wrote this post called SPQA, which basically says everything is about state, policy, questions, and actions. Basically, we have current context for a company or a program or whatever. Then you have the policy, which is what you're trying to accomplish. Then you have the questions you're constantly wanting to ask and have answers to, and then you have actions, or, you know, that we could take or that I could take against that context. So I feel like I'm starting to zero in on this concept, and this got decent traction.
00:09:01,320 --> 00:09:53,280 S1: But I wanted to, like, have a demo or something for it. So I did another Black Hat talk, I think maybe the following year, or maybe, yeah, it must have been the following year, to put together a demo for this. So I put together a fake company called Alma, and I put in tons of context for this thing. I basically made a copy of one of my security assessments the way that I do it, but I did it for a fake company with a whole bunch of fake data. So I've got company mission, I've got their goals, how they're different from their competitors, what they do in business. I've got the risk register. I've got their full tech stack. I've got their security team and their members, like the skill sets of the team members. The list of applications, the full IT stack, every app that they use, all their documentation. I've got some fake, like, Slack conversations in there. What repositories they use, what dev teams they belong to, how they push code, all that stuff. It's all in here. So then I can ask questions the same way that I do in security assessments.
00:09:53,320 --> 00:10:47,980 S1: And using this, you can actually manage the entire security program using this context that you have, because you could do planning from here, you could do threat modeling, you could do your communications. You can produce your reports. Like, I'm doing this for a customer. I could produce a report, like a quarterly update security report, in 30 seconds, which used to take them months and like hundreds upon hundreds of hours of some of their best people actually trying to make this report, just to be able to prove to the rest of the organization that they're actually effective. So turn that into a couple of minutes. Right. The other cool thing is you can respond to security questionnaires, because if you have a static database of answers, they always ask the question differently, and it doesn't perfectly match what you have. Right. But if you have this kind of system with context, it can answer it perfectly every time. So this is an example of, like, a CISO making a statement that no more connections are allowed to a particular sensitive resource. And we're asking the question to the AI system, this is a real AI system, right? And this is back in '23 that I did this.
00:10:47,980 --> 00:11:44,790 S1: So it's a real AI system. I'm asking the question, should Julie be allowed to connect to this thing? And it says no, she shouldn't, because the CISO just said nobody should be allowed to connect to this thing anymore. Right. So you could do really cool stuff when you have context. So throughout '23 and '24 and into this year, I've been building more and more stuff around this theme of context and AI. So later in '23, I built this thing called Threshold. So it takes a whole bunch of sources, and I have context of what I enjoy, right? The kind of content that I think is high quality, lots of good ideas, lots of density in the ideas, lots of novelty in the ideas. So I give it tons of context, and that becomes the filter for the quality level. And then I can slide this bar to say, I only want to see things from these 3,000 different sources that exceed at least this quality level. Right. So that's Threshold. I'm currently about to launch another enterprise product called Same Page. It's basically a whole bunch of management like this around different stuff, security management for programs especially.
00:11:44,790 --> 00:12:41,410 S1: Another thing I've had for, like, nine years that didn't have any AI whatsoever until, you know, a couple years ago was my attack surface monitoring service called Helios. And I'm in the middle of rewriting this entire thing to be like what we're about to talk about. And once again, this is all about using the context. That's a central part of the rewrite. And the last one I'll mention is, like, a daily brief for intelligence. So I basically go find all my OSINT people, all my national security people that I know have high signal, you know, high alpha in what they say. And I basically bring that in and say, okay, here's everything they said yesterday. Turn that into a picture of, like, where this might be going. Like, where are they agreeing in a way that looks like there might be signal there? And then I make myself a daily report. So, just another example. So these are all kind of like separate ideas hovering loosely around the concept of context. And I feel like I was doing pretty well here. I feel like I kind of had a grasp of this, but a couple of weeks ago I'm like, wait a minute.
00:12:41,410 --> 00:13:35,590 S1: I think I actually have a much better way to think about this and to describe it. And that is something I'm calling Unified Entity Context. And that won't be the real name that gets used, because Gartner will come up with their own name, and of course that'll become the official thing. But if we look at cybersecurity in general, we look at some use cases, there are some interesting patterns and similarities. So for SOC, you've got to look at all these different types of data, right, and try to, like, come up with, like, what actually happened. Like, is this thing bad? Is it okay? Is it benign? Whatever. For IR, it's a lot of the same stuff. You've got a whole bunch of different data you're trying to figure out. Like, is it bad? Did it actually happen? What's the blast radius? Pentesting, you're also collecting tons of information and you're trying to figure out, like, what path do I go down? How do I show impact? Same with red team. It's just, like, more extreme. You're trying to, you know, show more of a story and, like, the actual impact to the business. With vuln management, you actually need to understand the organization and, like, how they push code and how they do remediation.
00:13:35,590 --> 00:14:36,170 S1: Otherwise you can't actually help them fix things. For program management, you need project management, budgeting, strategy, time management. GRC, you've got, like, what do we have to be compliant with, in which jurisdictions, and why? And what are our current gaps, right? And how those mix together. So the common issue with most of these is the actual ability to see multiple parts of the organization at the same time and then to connect those pieces, right? This is why security analysts and red team people, and especially, like, principal people, people who have been doing this five, ten, 15 years, are so valuable. It's not actually a single task that is difficult. The problem is getting all the information together to paint a picture to actually do the task. So I'm going to take vulnerability management as an example, since I've lived in this hellscape for so long. What is actually so hard about vulnerability management? Is it finding vulnerabilities? Is it, like, making a pretty enough dashboard to show vulnerabilities? No, it's actually fixing vulnerabilities. And the reason it's hard to fix them is because you have to know what application it's part of. You have to find the right engineering team.
00:14:36,170 --> 00:15:44,940 S1: What repo does that code go into? What's the DevOps workflow for that? Like, the team changed, right? There was a RIF, and now that team doesn't even exist, and it got combined with this other one. Where did that one developer go? Who's responsible for that one app? Oh, it's different this week than it was last week. This stuff is not easy to do, because it's constant change inside this company. So here's the question. How much of our inability to do a good job at vulnerability management, or security in general, over the last 15 years is actually a security problem? And how much of it is actually an organizational knowledge problem? And think about that for all of security. Even crazier, think about it for all of IT. Right? Or all of software and services. Right. HR collects, you know, HR data and asks HR questions and they put it into an HR interface. Right. Project management collects project management information into a project management database. They ask project management questions and they put it into a UI designed for project management. Do we really think these things are going to need their own separate databases going forward?
00:15:44,940 --> 00:16:34,160 S1: Their own separate APIs, their own separate questions? Maybe they need their own questions. Do they need their own interfaces? I don't think so. I think that all kind of goes away and we end up with this thing called Unified Entity Context, or building a world model for the thing that you care about. So if you're an individual: your history, your belief system, your aspirations, your favorite books and music, your past, your traumas, your salary, blood pressure, friendships, job, career, family goals, financial goals, your upbringing, your medical history, how strong you are, how much you can curl, like, you know, your blood sugar levels, right? And then you can ask questions. Just like with the security program, you could be like, why is my relationship not working? What can I do to improve my health? And if you're a company, it's back to the stuff we talked about with Alma. It's all of its goals. It's all of its competitors. It's all of its Slack communications. It's all the transcripts from all of its calls. It's all of its Google Docs and Confluence and all of that.
345 00:16:34,160 --> 00:16:37,080 S1: It's their desired are for the company, all the product 346 00:16:37,080 --> 00:16:38,840 S1: marketing that you're putting out for all of your products 347 00:16:38,840 --> 00:16:41,000 S1: and all the product marketing your competitors are putting out 348 00:16:41,000 --> 00:16:44,000 S1: for all their products. This becomes the baseline for everything. 349 00:16:44,480 --> 00:16:47,080 S1: Once you have that, then you do this. Then you 350 00:16:47,080 --> 00:16:51,360 S1: take the smartest, biggest context AI that you have and 351 00:16:51,400 --> 00:16:53,740 S1: this will be massive in the future. Right. It's getting 352 00:16:53,740 --> 00:16:56,140 S1: bigger all the time. And you look down at this 353 00:16:56,140 --> 00:16:59,300 S1: entire context and it can hold it all in its 354 00:16:59,300 --> 00:17:03,660 S1: mind all at once. So this is completely insane. Basically, 355 00:17:03,660 --> 00:17:07,460 S1: I think most people have this AI thing exactly backwards. 356 00:17:07,460 --> 00:17:10,219 S1: Instead of cybersecurity or finance or whatever being at the 357 00:17:10,220 --> 00:17:13,140 S1: center, with context and AI being things that you kind 358 00:17:13,140 --> 00:17:17,420 S1: of like sprinkle on to do that thing better, it's 359 00:17:17,460 --> 00:17:21,620 S1: actually the opposite. The context of the entity is everything. 360 00:17:21,619 --> 00:17:24,980 S1: The world model that you have for this thing is everything. 361 00:17:25,420 --> 00:17:28,100 S1: Software verticals kind of go away. They just become use 362 00:17:28,100 --> 00:17:33,899 S1: cases on top of this architecture. Cool. But we were 363 00:17:33,900 --> 00:17:37,180 S1: talking about hacking, right? How do we bring this back 364 00:17:37,180 --> 00:17:42,939 S1: to hacking? 
So basically the future of hacking, because all 365 00:17:42,940 --> 00:17:48,020 S1: of this relates to context, is basically how you can 366 00:17:48,020 --> 00:17:52,560 S1: keep an exhaustive, accurate and up to date world model 367 00:17:52,880 --> 00:17:55,679 S1: of the thing that you are attacking. And this is 368 00:17:55,680 --> 00:17:58,679 S1: true whether you're actually attacking or whether you're defending. So 369 00:17:59,160 --> 00:18:03,240 S1: it turns into a giant competition between attackers and defenders 370 00:18:03,240 --> 00:18:08,080 S1: and attackers versus attackers and defenders versus defenders between who 371 00:18:08,080 --> 00:18:10,160 S1: has the most accurate and up to date world model 372 00:18:10,160 --> 00:18:16,160 S1: for their organization. So everyone listening to this, every attacker, 373 00:18:16,680 --> 00:18:19,600 S1: every bounty player, we are all going to have a 374 00:18:19,600 --> 00:18:22,080 S1: stack like this. I've been building this for years already, 375 00:18:22,080 --> 00:18:24,320 S1: so like and I know some people on this call 376 00:18:24,359 --> 00:18:27,640 S1: are probably along the path as well. So it's not 377 00:18:27,640 --> 00:18:31,160 S1: a bunch of agents with random tools. It's an interoperable 378 00:18:31,160 --> 00:18:33,800 S1: system where the output of one is the input to 379 00:18:33,840 --> 00:18:35,760 S1: the next one. Okay. This is a big thing that 380 00:18:35,760 --> 00:18:38,200 S1: people aren't understanding about that whole agent thing. You don't 381 00:18:38,200 --> 00:18:41,400 S1: just say blah and give it like a prompt and 382 00:18:41,400 --> 00:18:43,480 S1: then say, oh, agents, figure it out, because then you're 383 00:18:43,520 --> 00:18:46,480 S1: offloading all the work to the model to actually do 384 00:18:46,480 --> 00:18:49,040 S1: the hard work of building the system itself. The better 385 00:18:49,040 --> 00:18:50,600 S1: way to do this? 
And if you talk to the 386 00:18:50,600 --> 00:18:54,180 S1: people at AI. eye, the people who are actually building 387 00:18:54,180 --> 00:18:57,380 S1: these systems to actually go and find vulnerabilities, exploit them, 388 00:18:57,380 --> 00:18:59,940 S1: fix them or whatever. They need a system like this. 389 00:18:59,940 --> 00:19:02,859 S1: These are the systems I've been building for years. They 390 00:19:02,900 --> 00:19:06,140 S1: are modular. Each little piece does one thing well. It's 391 00:19:06,140 --> 00:19:09,420 S1: a Unix concept, right? Each little piece does one thing well, right. 392 00:19:09,619 --> 00:19:12,139 S1: So I've got a million of these things finding domains, 393 00:19:12,140 --> 00:19:15,580 S1: finding websites, crawling the websites, running automated scans. And each 394 00:19:15,580 --> 00:19:18,540 S1: one of these could be like a super basic version. 395 00:19:18,540 --> 00:19:21,460 S1: It's like curl, okay. You got curl on one side 396 00:19:21,859 --> 00:19:26,220 S1: and you've got fully automated Puppeteer browser automation going through 397 00:19:26,220 --> 00:19:28,700 S1: Bright Data on the other side, right? So you have 398 00:19:28,700 --> 00:19:32,140 S1: all these quality, you know, spectrums in between for each 399 00:19:32,140 --> 00:19:35,740 S1: of these modules. But the whole system works together based 400 00:19:35,740 --> 00:19:38,980 S1: on a set of goals. Right. So running automated crawls, 401 00:19:38,980 --> 00:19:42,260 S1: parsing all endpoints, pulling out every single API endpoint from 402 00:19:42,260 --> 00:19:47,060 S1: every piece of JavaScript, writing exploits, POCs, actually doing the attacking, um, 403 00:19:47,100 --> 00:19:50,379 S1: writing up reports. All of these are separate modules. So 404 00:19:50,420 --> 00:19:53,830 S1: let's say the target, you know, has like five main 405 00:19:53,830 --> 00:19:57,389 S1: web applications, like a few hundred pages per site. 
And, 406 00:19:57,430 --> 00:19:59,949 S1: you know, there's a whole bunch of agents. Think of this. 407 00:19:59,950 --> 00:20:02,670 S1: You're going to have like thousands of agents. You'll start 408 00:20:02,670 --> 00:20:05,910 S1: with dozens, right? Dozens, then hundreds, then thousands, then whatever. 409 00:20:06,310 --> 00:20:11,310 S1: So we're also learning from new marketing campaigns on X 410 00:20:11,310 --> 00:20:14,750 S1: or LinkedIn. Keep in mind multiple of these modules 411 00:20:14,750 --> 00:20:18,669 S1: are actually watching the company. They're watching everything the company does, 412 00:20:18,670 --> 00:20:21,750 S1: every piece of marketing, every piece of information that's put 413 00:20:21,750 --> 00:20:24,390 S1: out about this company gets parsed and brought back into 414 00:20:24,390 --> 00:20:27,990 S1: the context, because the system as a whole and the 415 00:20:27,990 --> 00:20:30,550 S1: AI that's sitting on top of it, watching the goals, 416 00:20:30,590 --> 00:20:33,270 S1: is using that new information to tweak how we're going 417 00:20:33,270 --> 00:20:35,669 S1: to do this attack. Right. So they have a new 418 00:20:35,670 --> 00:20:37,990 S1: product launch, which is a new website, a mobile app. Cool. 419 00:20:37,990 --> 00:20:41,189 S1: Go download that. Right. Right now we can't do too 420 00:20:41,190 --> 00:20:43,830 S1: much with that because that's a little bit difficult. In 421 00:20:43,830 --> 00:20:45,310 S1: a year or so, we're going to be able to 422 00:20:45,310 --> 00:20:48,750 S1: go download that full mobile app, run the mobile app 423 00:20:48,750 --> 00:20:51,210 S1: in a full virtual environment, run a whole bunch of 424 00:20:51,210 --> 00:20:54,210 S1: mobile tools, find out like which APIs aren't secured, where 425 00:20:54,210 --> 00:20:57,209 S1: they're not using TLS. Um, all sorts of issues that 426 00:20:57,210 --> 00:21:00,730 S1: you have with mobile security. 
And that'll just be one 427 00:21:00,730 --> 00:21:03,050 S1: little tiny module which brings that context back into the 428 00:21:03,050 --> 00:21:05,929 S1: overall engine, which enhances all the other components inside of 429 00:21:05,970 --> 00:21:09,930 S1: that engine. Right. Send that over to the automated Burp Intruder tool. Right. 430 00:21:09,930 --> 00:21:12,770 S1: Then all of Burp's output. And that's a lot of output. 431 00:21:12,810 --> 00:21:16,530 S1: It overwhelms anything, including Gemini, by the way. So this 432 00:21:16,530 --> 00:21:18,850 S1: is still a place where, you know, the AI has 433 00:21:18,850 --> 00:21:23,970 S1: to grow because, um, something like Burp output from crawling 434 00:21:23,970 --> 00:21:26,609 S1: a website is still massive. Anyway, you've got all that 435 00:21:26,609 --> 00:21:30,129 S1: content coming out. All that content can then be re-parsed 436 00:21:30,170 --> 00:21:32,370 S1: to find the JavaScript in there, to find where they're 437 00:21:32,369 --> 00:21:35,250 S1: doing all their controls on the client side. Again, you 438 00:21:35,250 --> 00:21:37,209 S1: only have to tell it a couple of core things 439 00:21:37,210 --> 00:21:39,010 S1: inside of the system. Here are the types of things 440 00:21:39,010 --> 00:21:41,290 S1: I'm looking for. Any output that you get, go and 441 00:21:41,290 --> 00:21:42,969 S1: look for the following things. Oh cool. We got new 442 00:21:43,010 --> 00:21:45,650 S1: output from Burp. We found new JavaScript files. Let's go 443 00:21:45,690 --> 00:21:47,410 S1: parse the hell out of them and find the files 444 00:21:47,410 --> 00:21:51,110 S1: and API endpoints. Bring that back into the system. Right? 445 00:21:52,350 --> 00:21:55,310 S1: And meanwhile, all this stuff is being fed into the 446 00:21:55,310 --> 00:21:58,990 S1: appropriate modules. 
So let's say we find some good stuff, uh, 447 00:21:59,030 --> 00:22:01,150 S1: send it off to the exploit agents and try to do 448 00:22:01,550 --> 00:22:05,270 S1: something according to the rules, uh, and goals we've laid out. Right. Uh, 449 00:22:05,270 --> 00:22:07,150 S1: so for an attacker, we're trying to extract data. Maybe 450 00:22:07,150 --> 00:22:09,310 S1: we're going to sell that access to a broker. For 451 00:22:09,310 --> 00:22:11,030 S1: a bounty person, we're going to create a POC in 452 00:22:11,030 --> 00:22:15,070 S1: a short video to go with the automated report, and 453 00:22:15,070 --> 00:22:18,150 S1: we're going to submit it to HackerOne or Bugcrowd or whatever. Right. 454 00:22:18,190 --> 00:22:20,909 S1: And that just becomes another module that your thing is 455 00:22:20,910 --> 00:22:24,189 S1: good at, right? It's automated workflow, but that's not the 456 00:22:24,190 --> 00:22:26,909 S1: cool part. The cool part is this thing never sleeps. 457 00:22:27,270 --> 00:22:30,470 S1: Dozens or hundreds or thousands of agents in this infrastructure 458 00:22:30,510 --> 00:22:34,230 S1: working at all times, finding new domains, finding a new 459 00:22:34,230 --> 00:22:36,870 S1: announcement which includes a new domain, which you then go 460 00:22:36,869 --> 00:22:39,190 S1: find the subdomains, which you then go find all the infrastructure. 461 00:22:39,190 --> 00:22:41,150 S1: You find the web apps that are listening. You then 462 00:22:41,150 --> 00:22:44,790 S1: go crawl those, ad infinitum, through this entire system, right? 463 00:22:44,830 --> 00:22:47,109 S1: Open admin portals. You're taking all the screenshots. You're finding 464 00:22:47,109 --> 00:22:49,970 S1: the screenshots. Oh, that's an admin portal. That thing's wide open. Oh, look. 465 00:22:50,010 --> 00:22:53,930 S1: Default credentials. Right. Looking for open ports. Seeing if there's 466 00:22:53,930 --> 00:22:57,810 S1: any new stuff out there right now. 
This sounds complex 467 00:22:57,810 --> 00:22:59,649 S1: because there's lots of different tools and everything to keep 468 00:22:59,650 --> 00:23:03,050 S1: in mind. But this system only needs to be built once, 469 00:23:03,050 --> 00:23:06,250 S1: and then you're just adding modules and upgrading the modules. 470 00:23:06,490 --> 00:23:07,730 S1: And this is a big part of what the AI 471 00:23:07,770 --> 00:23:09,530 S1: helps you do. It helps you just make each one 472 00:23:09,530 --> 00:23:14,450 S1: of these little things better and smarter. Again, everyone is 473 00:23:14,450 --> 00:23:16,850 S1: going to have a stack like this. Individual bounty hunters, 474 00:23:16,850 --> 00:23:20,010 S1: individual people just doing security research or hacking on their own, 475 00:23:20,010 --> 00:23:22,690 S1: and definitely the attacker organizations. And guess who else needs 476 00:23:22,690 --> 00:23:25,650 S1: to have it? The defenders. If you are a defender 477 00:23:25,650 --> 00:23:28,810 S1: and you are not running this against yourself, you are 478 00:23:28,810 --> 00:23:32,410 S1: going to lose. You are going to lose because 479 00:23:32,410 --> 00:23:33,969 S1: there are going to be so many people running a 480 00:23:33,970 --> 00:23:36,090 S1: stack like this against you, you are just going to 481 00:23:36,090 --> 00:23:40,930 S1: lose. Now at first, including everything I built for myself, right, 482 00:23:40,930 --> 00:23:43,570 S1: this was just going to be some basic information, right? 483 00:23:43,570 --> 00:23:46,330 S1: Because we can't do the full version of this yet. Right? 484 00:23:46,330 --> 00:23:48,810 S1: This is a year, two, three, four years. You know, 485 00:23:48,940 --> 00:23:51,780 S1: this gets better as the AI tech stack gets better. 486 00:23:51,780 --> 00:23:56,020 S1: But the system itself is core. So, um, this is 487 00:23:56,020 --> 00:23:58,899 S1: like an internal. 
This is the AI remake I'm currently 488 00:23:58,900 --> 00:24:01,820 S1: doing of my Helios system. And, you know, it's not 489 00:24:01,820 --> 00:24:03,660 S1: going to have fully automated Burp yet. It's not going 490 00:24:03,660 --> 00:24:05,980 S1: to have a bunch of different modules. But like I said, 491 00:24:06,020 --> 00:24:08,820 S1: this gets better as the tech gets better. The other 492 00:24:08,820 --> 00:24:12,260 S1: thing is running, you know, hundreds of agents constantly. That's 493 00:24:12,260 --> 00:24:15,260 S1: not cheap, right? So these prices have to come down, 494 00:24:15,260 --> 00:24:17,980 S1: the context windows have to go up. It's an upgrade process. 495 00:24:18,660 --> 00:24:22,179 S1: So some vignettes to just think about this. So imagine 496 00:24:22,180 --> 00:24:24,580 S1: that you're out at dinner and you get a notification 497 00:24:24,580 --> 00:24:28,860 S1: that some employee at some company. Right. Um, they just 498 00:24:28,859 --> 00:24:31,140 S1: talked about how, oh, I've got this thing at work 499 00:24:31,140 --> 00:24:33,540 S1: and blah, blah, blah. This thing is a, they're drunk 500 00:24:33,540 --> 00:24:35,939 S1: or whatever, and they're talking online on some, you know, 501 00:24:35,980 --> 00:24:38,979 S1: Reddit subreddit or whatever, and they're like, yeah, this new 502 00:24:38,980 --> 00:24:41,139 S1: domain we put up and it doesn't have 2FA. And 503 00:24:41,140 --> 00:24:43,540 S1: I can't believe they used default credentials. That's why I 504 00:24:43,540 --> 00:24:45,420 S1: want to quit. I'm going to start my own business 505 00:24:45,420 --> 00:24:48,640 S1: or whatever. 
And so, um, you're sitting there eating dinner 506 00:24:48,640 --> 00:24:50,840 S1: with a friend and you get a Discord message from 507 00:24:50,840 --> 00:24:53,600 S1: your AI bot and it's like, hey, some, uh, some 508 00:24:53,600 --> 00:24:56,240 S1: dumbass just got drunk and posted that, um, there's a 509 00:24:56,240 --> 00:24:59,840 S1: brand new, uh, domain open and, uh, potentially there's a 510 00:24:59,840 --> 00:25:01,920 S1: vulnerability here. Do you want me to go mess with it? 511 00:25:02,280 --> 00:25:04,760 S1: And you're like, yeah, yeah, go mess with it. So 512 00:25:04,760 --> 00:25:07,760 S1: it comes back and it tells you basically. Yeah. The 513 00:25:07,760 --> 00:25:11,119 S1: vuln that they mentioned actually does exist. Um, do 514 00:25:11,119 --> 00:25:12,960 S1: you want me to exploit it? Yes. Cool. All right. 515 00:25:12,960 --> 00:25:14,400 S1: So we sent it in. We got the money. Or 516 00:25:14,400 --> 00:25:16,840 S1: if you're a bad guy, you know, you're, uh, stealing 517 00:25:16,840 --> 00:25:20,320 S1: data or whatever. And keep in mind, this could be from, like, 518 00:25:20,359 --> 00:25:24,120 S1: a forum post. Um, it could be an announcement on 519 00:25:24,119 --> 00:25:26,119 S1: TechCrunch that they just bought a company. So it's a 520 00:25:26,119 --> 00:25:31,440 S1: merger and acquisition. Um, anything on the internet relative to 521 00:25:31,480 --> 00:25:36,280 S1: your target. The agents are constantly watching new announcements, you know, 522 00:25:36,320 --> 00:25:40,439 S1: new mergers, disgruntled employees, uh, a new job req for 523 00:25:40,440 --> 00:25:42,440 S1: a new technology that you didn't know. So you add 524 00:25:42,440 --> 00:25:44,680 S1: it to the tech stack for that company. 
Uh, new 525 00:25:44,680 --> 00:25:47,080 S1: website posts are constantly being discovered, right, because they can 526 00:25:47,080 --> 00:25:49,100 S1: make a slight change to the site, but they added 527 00:25:49,100 --> 00:25:51,380 S1: a new API. Have we tested that API before? No, 528 00:25:51,380 --> 00:25:53,100 S1: it was actually a different team that built that API. 529 00:25:53,140 --> 00:25:56,060 S1: They didn't use all the security that the other team used. Boom. 530 00:25:56,100 --> 00:25:57,620 S1: Now that's how we got in. That's how we pulled 531 00:25:57,619 --> 00:26:00,620 S1: the data or whatever. New S3 buckets, probably not secured, 532 00:26:00,619 --> 00:26:03,459 S1: all this stuff. So the entire game here, and this 533 00:26:03,460 --> 00:26:07,740 S1: is a really big point, is maintaining as accurate as 534 00:26:07,740 --> 00:26:11,780 S1: possible world models for these things you're attacking. It doesn't 535 00:26:11,780 --> 00:26:13,540 S1: matter if you're a company. It doesn't matter if you 536 00:26:13,580 --> 00:26:15,260 S1: were hired to defend the company. It doesn't matter if 537 00:26:15,260 --> 00:26:17,020 S1: you have your own startup. It doesn't matter if you're 538 00:26:17,020 --> 00:26:19,660 S1: a bounty player. It's all the same shit. You have 539 00:26:19,660 --> 00:26:23,859 S1: to keep the most updated version of this thing in 540 00:26:23,859 --> 00:26:28,220 S1: your mind as possible. And here's something else that's crazy 541 00:26:28,220 --> 00:26:30,340 S1: about this. One of the modules here is the actual 542 00:26:30,340 --> 00:26:33,340 S1: list of attacks that you run when you attack. Okay, 543 00:26:33,859 --> 00:26:36,460 S1: so check this out. You have like, it's your bag 544 00:26:36,460 --> 00:26:39,020 S1: of tricks. Your bag of tricks is what gets thrown 545 00:26:39,020 --> 00:26:42,699 S1: at every web app. At every mobile app. Right? 
Um, 546 00:26:42,740 --> 00:26:45,900 S1: for every social engineering campaign, for every phish you have, 547 00:26:45,900 --> 00:26:48,679 S1: like your favorite little stuff that you do. Well, one 548 00:26:48,680 --> 00:26:51,120 S1: of the AI modules that you have inside of your 549 00:26:51,119 --> 00:26:55,160 S1: overall system is the one that parses new research. So 550 00:26:55,200 --> 00:26:57,439 S1: I keep forgetting the guy's name, but every Black Hat he 551 00:26:57,440 --> 00:27:00,760 S1: releases like a new attack on HTTP itself. Um, he's 552 00:27:00,760 --> 00:27:04,000 S1: the guy that works with, uh, Daf over at, um, uh, 553 00:27:04,000 --> 00:27:07,720 S1: you know, Burp. Um, PortSwigger. But anyway, uh, I want 554 00:27:07,760 --> 00:27:10,960 S1: to say albinowax, but that's not quite right. Anyway, 555 00:27:10,960 --> 00:27:14,119 S1: you all know the guy. So every time he releases something, 556 00:27:14,119 --> 00:27:17,080 S1: every time he tweets, I have another module which goes 557 00:27:17,080 --> 00:27:19,560 S1: and reads that, pulls it down and says, oh, that's 558 00:27:19,560 --> 00:27:22,920 S1: actually interesting. Guess what? Upgrade. It's like the Borg from 559 00:27:22,920 --> 00:27:25,159 S1: Star Trek. You hit it once, it falls over. You 560 00:27:25,200 --> 00:27:29,760 S1: hit it the second time, it's blocked that technique. Okay, 561 00:27:29,800 --> 00:27:31,800 S1: Jason puts out a new video. He's like, oh, I've 562 00:27:31,800 --> 00:27:34,920 S1: got this new, uh, this new attack that I always 563 00:27:34,920 --> 00:27:37,439 S1: do against my things. It finds way more domains. I 564 00:27:37,480 --> 00:27:40,960 S1: got this new attack. It, uh, it goes through filters for, uh, 565 00:27:40,960 --> 00:27:45,000 S1: prompt injection. Right. Um, maybe, uh, Joseph is talking about that. 566 00:27:45,040 --> 00:27:47,609 S1: It goes straight through prompt injection. Cool. 
Add that to 567 00:27:47,609 --> 00:27:50,970 S1: the methodology. The whole system has now been upgraded. You 568 00:27:50,970 --> 00:27:53,609 S1: can have an entire dedicated thing. It does nothing but watch 569 00:27:53,650 --> 00:27:58,010 S1: tl;dr sec, right, it watches Clint's entire thing. It finds every 570 00:27:58,010 --> 00:28:01,970 S1: single thing that it mentions. It reads, goes and reads every, um, 571 00:28:02,650 --> 00:28:05,970 S1: you know, every presentation, every GitHub repo. And it pulls 572 00:28:05,970 --> 00:28:09,330 S1: out the research and uses that to upgrade the methodology. 573 00:28:10,010 --> 00:28:13,250 S1: And again, that's also continuous. So the system is always 574 00:28:13,250 --> 00:28:16,090 S1: being upgraded. So then the question is like, what are 575 00:28:16,090 --> 00:28:18,050 S1: you going to actually point this at? So I'm already 576 00:28:18,050 --> 00:28:21,810 S1: monitoring like all the new bounty programs as they go live. Right. 577 00:28:21,890 --> 00:28:24,730 S1: I haven't started testing them yet because I'm still building out, um, 578 00:28:24,730 --> 00:28:27,170 S1: the rest of this new stack based on context. But 579 00:28:28,530 --> 00:28:31,730 S1: my goal is to set this thing free on, uh, 580 00:28:31,730 --> 00:28:34,290 S1: on actual programs soon. Um, but but the point I'm 581 00:28:34,290 --> 00:28:38,610 S1: mentioning this is that you can always be adding new targets, right? 582 00:28:38,650 --> 00:28:41,850 S1: Attackers are going to have their own criteria for picking targets, right? 583 00:28:41,890 --> 00:28:43,450 S1: Maybe they have a lot of money. Maybe they have. 584 00:28:43,450 --> 00:28:44,810 S1: It's a combination of a lot of money and a 585 00:28:44,810 --> 00:28:47,950 S1: bad security team. 
Maybe it's a combination of they have 586 00:28:47,950 --> 00:28:49,910 S1: a lot of money, but I just saw on LinkedIn 587 00:28:49,910 --> 00:28:52,630 S1: that half of their security team got fired. Oh, let's 588 00:28:52,670 --> 00:28:55,270 S1: add that one to unified context and let's start attacking 589 00:28:55,270 --> 00:28:59,790 S1: that one. Point is, this is also continuous to find targets. 590 00:29:00,390 --> 00:29:03,430 S1: And in my case, just parsing the brand new, uh, 591 00:29:03,430 --> 00:29:07,070 S1: bug bounty programs that are coming live. So the entire 592 00:29:07,070 --> 00:29:09,590 S1: game here is maintaining these accurate real time world models 593 00:29:09,590 --> 00:29:13,230 S1: for entities. Like I said, it doesn't matter who you are. Um, 594 00:29:13,630 --> 00:29:16,469 S1: what's really hilarious about this is AI is not the 595 00:29:16,470 --> 00:29:19,830 S1: main feature here. AI is not the point. AI is 596 00:29:19,830 --> 00:29:22,230 S1: just the tech that enables this to happen because of 597 00:29:22,230 --> 00:29:25,990 S1: the agents, and because of the fact that, um, models 598 00:29:25,990 --> 00:29:28,470 S1: can hold way more information in their brains at one 599 00:29:28,470 --> 00:29:31,430 S1: time than we can. That's the only thing we're really 600 00:29:31,430 --> 00:29:34,110 S1: getting from the AI is the models are pretty smart, right? 601 00:29:34,110 --> 00:29:35,710 S1: And the smarter they get, the better this gets. But 602 00:29:35,750 --> 00:29:37,990 S1: it's not the kind of the point. The point is 603 00:29:37,990 --> 00:29:42,870 S1: the world model capture of this thing. Okay, so 604 00:29:42,910 --> 00:29:46,290 S1: just imagine this. Imagine it's 20 years in the future. 605 00:29:46,290 --> 00:29:49,330 S1: Imagine we're not dead yet. Or, you know, like, everything 606 00:29:49,330 --> 00:29:52,010 S1: has gone well. 
The planet is still here, uh, 20 607 00:29:52,010 --> 00:29:56,570 S1: years in the future. Imagine an ASI, and this is 608 00:29:56,570 --> 00:29:59,290 S1: a little sci fi, but it's not too far off, honestly. 609 00:30:00,250 --> 00:30:06,970 S1: Imagine China holding the United States context of every open port, 610 00:30:07,130 --> 00:30:13,730 S1: every vulnerable API path, every, um, opportunity for, like, file inclusion, 611 00:30:13,850 --> 00:30:18,730 S1: every single attack possible, every every AI agent that's vulnerable 612 00:30:18,730 --> 00:30:21,850 S1: to a particular type of prompt injection. It just pulls 613 00:30:21,850 --> 00:30:25,490 S1: in the entire context of the United States' current state 614 00:30:25,490 --> 00:30:29,490 S1: of vulnerability and holds it in its mind in one piece. 615 00:30:29,530 --> 00:30:31,010 S1: And then they ask the question, who do I go 616 00:30:31,010 --> 00:30:34,650 S1: after first? What is the next best action to harm 617 00:30:34,650 --> 00:30:37,490 S1: the United States the most, right? Or to harm Russia 618 00:30:37,490 --> 00:30:39,690 S1: the most, or to harm whatever target that they are 619 00:30:39,690 --> 00:30:45,010 S1: pointing at? The point of this is that is millions 620 00:30:45,010 --> 00:30:48,110 S1: of IPs. Hundreds of millions of IPs. Is it billions 621 00:30:48,110 --> 00:30:50,510 S1: of IPs? The point is, think about how much context 622 00:30:50,510 --> 00:30:53,750 S1: you need for that, right? Doing this for a company 623 00:30:53,750 --> 00:30:56,469 S1: itself is actually hard enough, right? To understand its entire 624 00:30:56,470 --> 00:30:59,230 S1: history and every state change of all its IT and tech. 625 00:30:59,270 --> 00:31:04,470 S1: We're talking about terabytes or petabytes to hold a state 626 00:31:04,470 --> 00:31:06,270 S1: in its mind at once. And it's got to like 627 00:31:06,310 --> 00:31:08,630 S1: keep that in context. 
Keep in mind, so you think 628 00:31:08,630 --> 00:31:11,710 S1: we've actually gone far with AI? We haven't gone near 629 00:31:11,750 --> 00:31:13,950 S1: close to what we actually need. And the AI is 630 00:31:13,950 --> 00:31:16,030 S1: not the point. The point is having the size of 631 00:31:16,030 --> 00:31:18,670 S1: the state that you can hold in your mind at once, right? 632 00:31:19,270 --> 00:31:21,310 S1: So all this to say that the AI is not 633 00:31:21,310 --> 00:31:24,430 S1: that important. It's kind of a supporting actor because size 634 00:31:24,430 --> 00:31:27,350 S1: of context and yeah, okay. The models are smart. So 635 00:31:27,350 --> 00:31:30,630 S1: that emulates, you know, some human components of this. But 636 00:31:30,630 --> 00:31:33,590 S1: what actually matters is knowing that you have to keep 637 00:31:33,590 --> 00:31:36,350 S1: the state and understand this world model of the thing, 638 00:31:36,630 --> 00:31:41,510 S1: and that you build a system, a replicable system that 639 00:31:41,510 --> 00:31:44,310 S1: produces outputs based on how the different modules in the 640 00:31:44,310 --> 00:31:48,000 S1: system interact. The system is more important than the AI, right? 641 00:31:48,040 --> 00:31:51,560 S1: And the concept of context itself is more important than AI. 642 00:31:51,600 --> 00:31:55,360 S1: The AI is just the supporting tech. So what we 643 00:31:55,360 --> 00:31:58,560 S1: end up with here is a world where every single stone, 644 00:31:58,760 --> 00:32:02,360 S1: every single port, every single URL, every single API endpoint, 645 00:32:02,360 --> 00:32:06,880 S1: every single agent is constantly being overturned, checked, and double checked. 646 00:32:07,280 --> 00:32:10,400 S1: As an attacker, you are competing with hundreds of thousands 647 00:32:10,400 --> 00:32:13,640 S1: of other attackers. 
As a bounty player, you're competing with 648 00:32:13,800 --> 00:32:17,640 S1: hundreds of thousands of other bounty players and the attackers. 649 00:32:17,640 --> 00:32:20,400 S1: You're racing to go do that thing. And as a defender, 650 00:32:20,440 --> 00:32:23,760 S1: you're defending against all of them, plus all the other defenders, 651 00:32:23,760 --> 00:32:27,000 S1: because you know you want to be the one that 652 00:32:27,000 --> 00:32:30,000 S1: gets away from the bear while the other defender gets eaten. 653 00:32:30,880 --> 00:32:33,320 S1: So the natural question is, okay, what does all this mean? 654 00:32:33,600 --> 00:32:36,760 S1: If this is correct, if you're a defender and you're 655 00:32:36,760 --> 00:32:39,040 S1: trying to determine what AI to build for your company, 656 00:32:39,040 --> 00:32:41,600 S1: you need to start building your own world model of 657 00:32:41,600 --> 00:32:45,660 S1: your company. You need UEC context for your company. Your 658 00:32:45,660 --> 00:32:47,500 S1: attackers are going to have it and you better have 659 00:32:47,500 --> 00:32:50,180 S1: a better version. And if you're a bounty player, you 660 00:32:50,180 --> 00:32:53,460 S1: need to rebuild your automation stack, putting the world model 661 00:32:53,500 --> 00:32:56,459 S1: building and UEC at the center of it. And if 662 00:32:56,460 --> 00:32:59,060 S1: you don't have an automation stack, go look for a 663 00:32:59,060 --> 00:33:02,860 S1: new hobby because you're not long for this world. There are 664 00:33:02,860 --> 00:33:05,580 S1: about to be millions of people slash agents going after 665 00:33:05,580 --> 00:33:09,740 S1: the same bugs with constantly evolving and improving systems and 666 00:33:09,740 --> 00:33:13,940 S1: stacks and AI intelligence helping it. Right? So this is 667 00:33:13,940 --> 00:33:16,980 S1: a competition between their system versus your system, not one 668 00:33:16,980 --> 00:33:20,060 S1: of them against you. 
It's their system against yours, their 669 00:33:20,060 --> 00:33:23,940 S1: context against yours, their world model against yours. And finally, 670 00:33:23,940 --> 00:33:25,740 S1: if you're just trying to figure out, like where things 671 00:33:25,740 --> 00:33:27,940 S1: are going with all this AI stuff, just remember one 672 00:33:27,940 --> 00:33:30,980 S1: core idea. The game is not adding AI to stuff 673 00:33:30,980 --> 00:33:33,540 S1: we care about. The game is having real time world 674 00:33:33,540 --> 00:33:37,060 S1: models of what we care about, which we can then 675 00:33:37,060 --> 00:33:40,420 S1: take action on using AI. Thanks for your time.