WEBVTT - The Future of Hacking is Context 0:00:02.680 --> 0:00:05.160 All right. I want to do something crazy here. Specifically, 0:00:05.160 --> 0:00:07.800 I want to talk about the future of hacking. And 0:00:07.800 --> 0:00:09.479 what do I mean by that? What do I mean 0:00:10.039 --> 0:00:14.960 by hacking? I mean all hacking attack, defense bug bounty, 0:00:15.000 --> 0:00:23.880 personal automation stacks, enterprise automation stacks, attacker automation stacks, enterprise security. Everything. 0:00:24.120 --> 0:00:27.320 Everything hacking related, I think is going to come down 0:00:27.320 --> 0:00:29.560 to what I'm about to talk about. And I am 0:00:29.560 --> 0:00:31.680 aware of how big of a claim that is. The 0:00:31.680 --> 0:00:33.839 reason I'm able to make this prediction is I'm not 0:00:33.840 --> 0:00:36.920 stupid enough to claim to know how it's going to happen, 0:00:36.920 --> 0:00:40.040 or exactly when or with what companies or like what 0:00:40.080 --> 0:00:42.800 technologies exactly it's going to manifest as. That would be 0:00:42.800 --> 0:00:46.440 ridiculous because the stuff is basically unpredictable. What I'm going 0:00:46.479 --> 0:00:49.040 to show you is a direction. And I think once 0:00:49.040 --> 0:00:51.560 you see it, you will be unable to unsee it. 0:00:52.360 --> 0:00:53.840 And by the way, this video is going to be 0:00:53.840 --> 0:00:57.319 around 30 minutes. But the whole first 25 minutes is 0:00:57.320 --> 0:00:59.600 leading up to the last five. The last five is 0:00:59.760 --> 0:01:03.140 the good stuff. All right. So quick intro for people 0:01:03.140 --> 0:01:04.700 who don't know me. I've been in security since like 0:01:04.700 --> 0:01:08.500 1999 and I went heavy into AI in late 2022, 0:01:09.020 --> 0:01:11.660 still doing tons of security stuff just with this AI 0:01:11.700 --> 0:01:13.539 wrapper around it. And you're going to see why here 0:01:13.540 --> 0:01:16.020 in a second. And I would say most of my 0:01:16.020 --> 0:01:18.539 technical background, I mean, I've done lots of different stuff, 0:01:18.540 --> 0:01:21.660 but it kind of boils down to a container of 0:01:21.660 --> 0:01:27.300 security assessment that's like the main outline. So first going 0:01:27.340 --> 0:01:29.420 to show you how I kind of walked into this idea. 0:01:29.420 --> 0:01:32.420 So when I start to do a security assessment this 0:01:32.420 --> 0:01:36.780 goes back, you know, 15, 20 years, uh, doing security assessments. 0:01:37.300 --> 0:01:39.020 I like to start at the very top. When I 0:01:39.020 --> 0:01:41.940 talk to a company, I like to interview the CEO 0:01:42.459 --> 0:01:44.380 if I'm able to, if it's a, you know, medium 0:01:44.380 --> 0:01:47.860 sized company or below. And I talked to CEO, I 0:01:47.860 --> 0:01:49.900 talked to the CEO, I talked to the head of legal, 0:01:49.900 --> 0:01:52.420 I talked to like, as many people at the top, 0:01:52.420 --> 0:01:54.500 and I'm sort of asking them the same questions. And 0:01:54.500 --> 0:01:56.140 then I move down through the structure. I talked to 0:01:56.140 --> 0:01:59.580 all the VP's and senior VP's and CISO and the 0:01:59.580 --> 0:02:01.880 rest of the C-suite and everybody. And then I start 0:02:01.880 --> 0:02:04.200 moving through all the management, and I'm asking kind of 0:02:04.240 --> 0:02:06.800 similar questions, but I'm also asking different questions because now 0:02:06.800 --> 0:02:08.960 I'm playing off the answers I got before. And I 0:02:08.960 --> 0:02:10.520 just moved through the whole structure all the way down 0:02:10.520 --> 0:02:13.519 to the people who do the actual work. And then 0:02:13.520 --> 0:02:15.440 as I keep gathering more and more information, I start 0:02:15.440 --> 0:02:19.920 filling in these elaborate diagrams that describe to me exactly 0:02:19.919 --> 0:02:22.360 how this company works, like here's how the information flows. 0:02:22.360 --> 0:02:24.280 Here's where the data is stored. Oh, we got vendors 0:02:24.280 --> 0:02:26.399 over here. They're able to touch this data or whatever. 0:02:26.840 --> 0:02:28.919 And ultimately I'm trying to figure out like what they're protecting, 0:02:28.919 --> 0:02:31.400 how they're doing it, what day to day business looks like. 0:02:32.400 --> 0:02:34.360 After a couple of weeks of this, I then start 0:02:34.360 --> 0:02:37.280 doing my technical assessment to find vulnerabilities. So I'm also 0:02:37.280 --> 0:02:40.760 reviewing their previous technical assessments, but I'm really doing my 0:02:40.760 --> 0:02:43.040 own as well to go and probe in these various 0:02:43.040 --> 0:02:46.800 different areas and point my, uh, observations at things that 0:02:46.800 --> 0:02:50.360 I've seen in the interviews. But the underlying theme here 0:02:50.360 --> 0:02:53.960 is I'm taking all the context, not just of the 0:02:53.960 --> 0:02:57.040 vulnerabilities and the technical aspects like of the IT stack, 0:02:57.400 --> 0:03:00.049 but of the business itself. Right. All of that. I'm 0:03:00.090 --> 0:03:02.650 gathering into one place, and that's kind of how I 0:03:02.650 --> 0:03:05.730 view and how I start security assessments. The other teams 0:03:05.730 --> 0:03:09.690 are still managing GRC with spreadsheets, screenshots and manual processes, 0:03:09.690 --> 0:03:14.130 but with everything evolving compliance frameworks, third party risk, customer expectations, 0:03:14.130 --> 0:03:16.970 this is no longer good enough. And the problem isn't 0:03:16.970 --> 0:03:19.770 just that it's time consuming. It can actually hold you 0:03:19.770 --> 0:03:23.530 back slow. Audits miss risks and give you less time 0:03:23.530 --> 0:03:26.769 to focus on what actually matters, which is improving your security. 0:03:28.370 --> 0:03:31.410 Trust management platform is designed to help with that. It 0:03:31.410 --> 0:03:35.850 automates the core parts of your GRC program, things like compliance, readiness, 0:03:35.890 --> 0:03:39.570 vendor risk, and internal controls so you're not buried in 0:03:39.610 --> 0:03:44.130 manual work. According to IDC teams, using Vanta 129% more 0:03:44.130 --> 0:03:47.690 productive in their GRC work. That means faster prep, fewer surprises, 0:03:47.690 --> 0:03:50.010 and more time for real security work. It's not about 0:03:50.010 --> 0:03:53.290 making compliance easy for the sake of it. It's about 0:03:53.290 --> 0:03:54.890 getting the friction out of the way so you can 0:03:54.890 --> 0:03:58.890 move faster, do better work, and build trust more efficiently. 0:03:58.990 --> 0:04:01.150 And if you're thinking about how to approach AI risk 0:04:01.350 --> 0:04:04.190 than to put together a free AI security assessment, it's 0:04:04.190 --> 0:04:07.790 a structured way to evaluate risk across AI use, development 0:04:07.790 --> 0:04:15.750 and governance. You can get the assessment at. That's. And 0:04:15.750 --> 0:04:20.510 thanks to Vanta for sponsoring this video. So in a 0:04:20.510 --> 0:04:23.549 completely separate thread of consumer tech, in 2013, I started 0:04:23.550 --> 0:04:25.310 getting a picture of where I thought all this AI 0:04:25.350 --> 0:04:27.550 tech was going, like on the consumer side, which at 0:04:27.550 --> 0:04:30.990 the time I called IoT and I was actually talking 0:04:30.990 --> 0:04:33.830 about this with my friend Jason Haddox in like 2013, 0:04:33.830 --> 0:04:35.430 which I was reminded of this because I just read 0:04:35.430 --> 0:04:38.109 the foreword and I was thanking him for encouraging me 0:04:38.110 --> 0:04:42.110 to write this book in 2013. But, um, these ideas 0:04:42.110 --> 0:04:44.270 are pretty decent. The book is actually crap, so you 0:04:44.270 --> 0:04:46.229 don't need to read that. In fact, I have it 0:04:46.230 --> 0:04:49.750 published online, um, as a blog post. It's very short. 0:04:49.750 --> 0:04:51.870 You should go read it there. It's actually not half bad. 0:04:51.870 --> 0:04:53.710 Plus you could use AI to help you read it. 0:04:53.710 --> 0:04:56.550 Plus it's got way better typography. So I would say 0:04:56.550 --> 0:04:58.970 skip the book and just go read the blog. but 0:04:58.970 --> 0:05:01.570 the basic ideas are quite good, even though the book 0:05:01.570 --> 0:05:04.890 is not so great. Um, so the basic idea is 0:05:04.890 --> 0:05:07.490 you have digital assistants that know everything about you and 0:05:07.490 --> 0:05:09.890 they advocate for you, and then everything gets an API, 0:05:10.130 --> 0:05:13.450 including people and objects and businesses and everything. This is 0:05:13.490 --> 0:05:16.250 like the second piece of this, and it's really, really important. 0:05:16.610 --> 0:05:19.210 And your digital assistant, your Da, basically uses all those 0:05:19.210 --> 0:05:22.490 services to interact with those APIs on your behalf. Then 0:05:22.529 --> 0:05:25.930 your Da will use augmented reality to show you context 0:05:25.930 --> 0:05:29.210 for wherever and whatever you're doing, right. So you're wearing 0:05:29.210 --> 0:05:32.610 glasses or lenses or whatever. Neuralink, whatever. It doesn't matter. 0:05:32.610 --> 0:05:37.930 It'll start with glasses, obviously. And basically your Da knows 0:05:37.930 --> 0:05:40.370 everything about you, knows your entire personality, it knows your 0:05:40.370 --> 0:05:42.850 entire history or whatever. So it knows when you're scared. 0:05:42.850 --> 0:05:45.089 It knows when you're skeptical. It knows when you're hungry. 0:05:45.089 --> 0:05:48.210 It knows, you know when you're curious. And it's using 0:05:48.210 --> 0:05:51.570 these millions of services that are available at APIs to 0:05:51.610 --> 0:05:54.530 get data back for you and change the screen. Okay. 0:05:54.570 --> 0:05:56.730 Sometimes it's a security screen, sometimes it's like a social 0:05:56.730 --> 0:05:59.029 screen because you're trying to find, you know, your life 0:05:59.029 --> 0:06:02.070 partner or whatever. So it's constantly changing what you're looking 0:06:02.070 --> 0:06:04.390 at to help you. Maybe it's popping up little notes 0:06:04.390 --> 0:06:08.030 or little reminders or whatever. Right? A security overlay if 0:06:08.029 --> 0:06:10.670 you're in danger or something. So that's the third piece, 0:06:10.670 --> 0:06:13.710 which is augmented reality, displaying the information from all these 0:06:13.710 --> 0:06:16.870 APIs from your from your Da, who is like the 0:06:16.870 --> 0:06:19.909 one handling all of this and advocating for you. And finally, 0:06:19.910 --> 0:06:22.790 the last idea is that when you have like an 0:06:22.790 --> 0:06:26.270 entire family or an entire city or an entire country 0:06:26.270 --> 0:06:30.430 with all these demons, all these APIs available, that produces 0:06:30.470 --> 0:06:33.150 tons of context that a top level AI could look 0:06:33.150 --> 0:06:36.150 at and say, okay, how can I manage this city better? 0:06:36.190 --> 0:06:38.110 How can I manage its resources? How can I turn 0:06:38.110 --> 0:06:41.350 on these lights and turn these off and reflow this traffic? 0:06:41.350 --> 0:06:43.270 And you know, how can I optimize? How can I 0:06:43.310 --> 0:06:45.789 help this city achieve its goals based on all the 0:06:45.790 --> 0:06:48.350 context that I know about it, from all this context, 0:06:48.350 --> 0:06:52.029 from all these APIs and demons? So that was fun. 0:06:52.310 --> 0:06:54.710 That was a cool book. That was some cool ideas. 0:06:54.990 --> 0:06:57.070 Then in 2018, I got a job at Apple doing 0:06:57.160 --> 0:07:00.239 information security stuff, but the team I came in on 0:07:00.560 --> 0:07:04.159 was with Joel Parish and we actually built, um, well, 0:07:04.160 --> 0:07:06.080 he was already doing machine learning, right? He was part 0:07:06.080 --> 0:07:09.440 of the machine learning team within security. So, um, I 0:07:09.480 --> 0:07:11.240 wanted to study up and just get really good at 0:07:11.240 --> 0:07:15.200 this stuff. Excuse me. And my math was really bad, 0:07:15.200 --> 0:07:17.600 so I had to refresh my horrible math, and I 0:07:17.600 --> 0:07:21.680 went and did Andrew Ng's entire machine learning course. And, um, 0:07:21.720 --> 0:07:23.400 over the course of my time there, I got exposed 0:07:23.400 --> 0:07:26.280 to tons of ML stuff and practical uses of ML 0:07:26.320 --> 0:07:29.040 like before the current AI stuff, and it was really helpful. 0:07:29.040 --> 0:07:31.120 I ended up building a product there which is still 0:07:31.120 --> 0:07:34.000 used today, so I'm happy about that. In early 21, 0:07:34.000 --> 0:07:35.840 I left Apple to go build the Appsec and build 0:07:35.840 --> 0:07:38.680 management teams at Robinhood with Caleb Sima. And there I 0:07:38.680 --> 0:07:45.200 did a blackhat talk about building vulnerability management programs based 0:07:45.200 --> 0:07:49.280 on company context and specifically around asset management. And that 0:07:49.280 --> 0:07:51.080 turned out to be another brick in this path that 0:07:51.080 --> 0:07:53.840 I'm laying out here. After doing that, I decided it 0:07:53.840 --> 0:07:55.640 was time for me to go build things on my 0:07:55.640 --> 0:07:57.500 own and do like my own consulting. So I went 0:07:57.500 --> 0:08:00.420 independent with unsupervised learning in like August of 22. And 0:08:00.420 --> 0:08:02.180 it turns out that was just a few months before 0:08:02.220 --> 0:08:05.540 ChatGPT came out. And obviously I went absolutely apeshit. When 0:08:05.540 --> 0:08:07.540 that came out, I called everyone, I called Jason, I 0:08:07.540 --> 0:08:10.140 called Clint, I called Caleb, I called my mom, I 0:08:10.180 --> 0:08:11.780 called my dog. I don't have a dog. But yeah, 0:08:11.780 --> 0:08:15.660 I called everyone. And the first place that my head 0:08:15.660 --> 0:08:18.100 went with all of this was like security assessment and 0:08:18.100 --> 0:08:21.100 building and managing security programs. So I started doing that immediately. Basically, 0:08:21.100 --> 0:08:24.260 I took everything I was doing previously with all this context, right, 0:08:24.260 --> 0:08:25.940 that I've been doing, like, you know, a decade and 0:08:25.940 --> 0:08:27.860 a half or whatever. And I'm like, okay, how can 0:08:27.860 --> 0:08:31.580 I use AI to, you know, make this even better? And, 0:08:31.740 --> 0:08:34.220 you know, you know, put the context first. So in 0:08:34.220 --> 0:08:37.220 March of 23, I wrote this post called Sspca, which 0:08:37.220 --> 0:08:40.780 basically says everything is about state policy questions and actions. Basically, 0:08:40.780 --> 0:08:42.540 we have current context for a company or a program 0:08:42.540 --> 0:08:44.820 or whatever. Then you have the policy, which is what 0:08:44.820 --> 0:08:46.780 you're trying to accomplish. Then you have the questions you're 0:08:46.780 --> 0:08:51.020 constantly wanting to ask and have answers to, and then 0:08:51.020 --> 0:08:54.220 you have actions or you know, that we could take 0:08:54.220 --> 0:08:56.960 or that I could take against that context. So I 0:08:56.960 --> 0:08:59.280 feel like I'm starting to zero in on this concept 0:08:59.280 --> 0:09:01.280 and this got decent traction. But I wanted to like 0:09:01.320 --> 0:09:03.040 have a demo or something for it. So I did 0:09:03.040 --> 0:09:06.400 another blackhat talk, I think maybe the following year or maybe, yeah, 0:09:06.400 --> 0:09:08.760 it must have been the following year, uh, to put 0:09:08.760 --> 0:09:11.360 together a demo for this. So I put together a 0:09:11.360 --> 0:09:14.600 fake company called alma, and I put in tons of 0:09:14.600 --> 0:09:16.600 context for this thing. I basically made a copy of 0:09:16.600 --> 0:09:19.560 one of my security assessments the way that I do it. Um, 0:09:19.559 --> 0:09:21.320 but I did it for a fake company with a 0:09:21.320 --> 0:09:23.120 whole bunch of fake data. So I've got company mission, 0:09:23.120 --> 0:09:25.839 I've got their goals, how they're different from their competitors, 0:09:25.840 --> 0:09:27.960 what they do in business. I got the risk register. 0:09:27.960 --> 0:09:30.120 I've got their full tech stack. I've got their security 0:09:30.160 --> 0:09:32.760 team and their members. Like the skill sets of the 0:09:32.760 --> 0:09:36.640 team members. Um, the list of applications, the full IT stack, 0:09:36.640 --> 0:09:39.640 every app that they use, um, all their documentation. I've 0:09:39.640 --> 0:09:43.360 got some fake, like, slack conversations in there. Um, what 0:09:43.400 --> 0:09:46.959 repositories they use, what dev teams they belong to, how 0:09:46.960 --> 0:09:49.079 they push code, all that stuff. It's all in here. 0:09:49.520 --> 0:09:51.360 So then I can ask questions the same way that 0:09:51.360 --> 0:09:53.280 I do in security assessments. And using this, you can 0:09:53.320 --> 0:09:56.939 actually manage the entire security program using this context that 0:09:56.940 --> 0:09:58.700 you have because you could do planning from here, you 0:09:58.700 --> 0:10:01.020 could do threat modeling, you could do your communications. You 0:10:01.020 --> 0:10:04.100 can produce your reports. Like I'm doing this for a customer. 0:10:04.100 --> 0:10:06.980 I could produce a report like a quarterly update security 0:10:06.980 --> 0:10:10.820 report in 30s, which used to take them months and 0:10:10.820 --> 0:10:13.460 like hundreds upon hundreds of hours of some of their 0:10:13.460 --> 0:10:15.860 best people actually trying to make this report, just to 0:10:15.860 --> 0:10:17.340 be able to prove to the rest of the organization 0:10:17.340 --> 0:10:19.940 that they're actually effective. So turn that to a couple 0:10:19.940 --> 0:10:22.260 of minutes. Right. The other cool thing is you can 0:10:22.260 --> 0:10:25.220 respond to security questionnaires, because if you have a static 0:10:25.220 --> 0:10:29.380 database of answers, you they always ask the question differently. 0:10:29.380 --> 0:10:32.020 And it doesn't perfectly match when that you have. Right. 0:10:32.059 --> 0:10:34.300 But if you have this kind of system with context, 0:10:34.540 --> 0:10:37.380 it can answer it perfectly every time. So this is 0:10:37.380 --> 0:10:39.300 an example of like a CISO making a statement about 0:10:39.300 --> 0:10:41.940 no more connections are allowed to a particular sensitive resource. 0:10:41.980 --> 0:10:44.059 And we're asking the question to the AI system, this 0:10:44.059 --> 0:10:45.900 is a real AI system, right? And this is back 0:10:45.900 --> 0:10:47.980 in 23 that I did this. So it's a real 0:10:47.980 --> 0:10:50.420 AI system. I'm asking the question, should Julie be allowed 0:10:50.420 --> 0:10:52.179 to connect to this thing. And it says no, she 0:10:52.179 --> 0:10:55.910 shouldn't because the CISO just said nobody should be allowed 0:10:55.910 --> 0:10:58.270 to connect to this thing anymore. Right. So you could 0:10:58.270 --> 0:11:00.790 do really cool stuff when you have context. So throughout 0:11:00.790 --> 0:11:03.310 23 and 24 and into this year, I've been building 0:11:03.309 --> 0:11:05.670 more and more stuff around this theme of context and AI. 0:11:06.070 --> 0:11:08.270 So later in 23, I built this thing called threshold. 0:11:08.270 --> 0:11:10.910 So it takes a whole bunch of sources and I 0:11:10.910 --> 0:11:13.910 have context of what I enjoy. Right? The kind of 0:11:13.910 --> 0:11:16.510 content that I think is high quality, lots of good ideas, 0:11:16.510 --> 0:11:18.790 lots of density in the ideas, lots of novelty in 0:11:18.790 --> 0:11:21.510 the ideas. So I give it tons of context and 0:11:21.510 --> 0:11:23.949 that becomes the filter for the quality level. And then 0:11:23.950 --> 0:11:26.550 I can slide this bar to say, I only want 0:11:26.590 --> 0:11:30.870 to see things from these 3000 different sources that exceed 0:11:31.790 --> 0:11:35.110 at least this quality level. Right. So that's threshold. I'm 0:11:35.110 --> 0:11:37.550 currently about to launch another enterprise product called Same Page. 0:11:37.550 --> 0:11:40.510 It's basically a whole bunch of management like this around 0:11:40.510 --> 0:11:44.790 different stuff security management for programs especially. Another thing I've 0:11:44.790 --> 0:11:46.870 had for like nine years that didn't have any AI 0:11:46.910 --> 0:11:50.949 whatsoever until, you know, a couple years ago was my 0:11:50.950 --> 0:11:53.510 attack surface monitoring service called Helios. And I'm in the 0:11:53.510 --> 0:11:56.250 middle of rewriting this entire thing to be like what 0:11:56.250 --> 0:11:58.970 we're about to talk about. And once again, this is 0:11:58.970 --> 0:12:01.050 all about using the context. That's a central part of 0:12:01.050 --> 0:12:03.610 the rewrite. And the last one I'll mention is like 0:12:03.610 --> 0:12:07.250 a daily brief for intelligence. So I basically go find 0:12:07.250 --> 0:12:09.530 all my Osint people, all my national security people that 0:12:09.530 --> 0:12:11.650 I know have high signal, you know, high alpha in 0:12:11.650 --> 0:12:14.850 what they say. And I basically bring that in and say, okay, 0:12:14.929 --> 0:12:18.050 here's everything they said yesterday. Turn that into a picture 0:12:18.050 --> 0:12:20.410 of like where this might be going. Like, where are 0:12:20.410 --> 0:12:22.010 they agreeing in a way that looks like there might 0:12:22.010 --> 0:12:24.770 be signal there. And then I make myself a daily report. 0:12:24.929 --> 0:12:28.130 So just another example. So these are all kind of 0:12:28.170 --> 0:12:31.250 like separate ideas hovering loosely around the concept of context. 0:12:31.250 --> 0:12:34.490 And I and I feel like I was doing pretty 0:12:34.490 --> 0:12:36.650 well here. I feel like I kind of had a 0:12:36.650 --> 0:12:38.730 grasp of this, but a couple of weeks ago I'm like, 0:12:38.929 --> 0:12:41.410 wait a minute. I think I actually have a much 0:12:41.410 --> 0:12:43.530 better way to think about this and to describe it. 0:12:43.530 --> 0:12:46.610 And that is something I'm calling unified entity context. And 0:12:46.610 --> 0:12:48.329 that won't be the real name that gets used, because 0:12:48.370 --> 0:12:50.329 Gartner will come up with their own name. And of course, 0:12:50.330 --> 0:12:53.449 that'll become the official thing. But if we look at 0:12:53.450 --> 0:12:56.230 cybersecurity in general. We look at some use cases. There 0:12:56.230 --> 0:12:59.990 are some interesting patterns and similarities. So for SOC you 0:13:00.030 --> 0:13:01.790 got to look at all these different types of data right. 0:13:01.830 --> 0:13:04.429 And try to like come up with like what actually happened. 0:13:04.470 --> 0:13:07.829 Like is this thing bad? Is it okay. Is it benign. Whatever. 0:13:08.110 --> 0:13:09.590 For IR it's a lot of the same stuff. You 0:13:09.630 --> 0:13:11.750 got a whole bunch of different data you're trying to 0:13:11.750 --> 0:13:14.390 figure out. Like, is it bad? Did it actually happen? 0:13:14.390 --> 0:13:17.630 What's the blast radius? Pentesting you're also collecting tons of 0:13:17.630 --> 0:13:19.790 information and you're trying to figure out, like, what path 0:13:19.790 --> 0:13:21.709 do I go down? How do I show impact? Same 0:13:21.710 --> 0:13:23.990 with Red team. It's just like more extreme. You're trying to, 0:13:24.190 --> 0:13:26.350 you know, show more of a story and like the 0:13:26.350 --> 0:13:30.230 actual impact to the business with management, you actually need 0:13:30.230 --> 0:13:32.710 to understand the organization and like how they push code 0:13:32.710 --> 0:13:35.590 and how they do remediation. Otherwise you can't actually help 0:13:35.590 --> 0:13:39.270 them fix things. For program management, you need project management, 0:13:39.270 --> 0:13:42.710 budgeting strategy, time management, GRC. You've got like what do 0:13:42.710 --> 0:13:45.429 we have to be compliant with in which jurisdictions and why? 0:13:45.429 --> 0:13:47.270 And what are our current gaps right. And how those 0:13:47.270 --> 0:13:49.990 mix together. So the common issue with most of these 0:13:50.030 --> 0:13:53.070 is the actual ability to see multiple parts of the 0:13:53.070 --> 0:13:56.490 organization at the same time and then to connect those pieces, right. 0:13:56.530 --> 0:13:59.050 This is why security analysts and red team people, and 0:13:59.050 --> 0:14:01.810 especially like principal people, people who have been doing this five, ten, 0:14:01.850 --> 0:14:05.930 15 years are so valuable. It's not actually a single 0:14:05.929 --> 0:14:09.570 task that is difficult. The problem is getting all the 0:14:09.570 --> 0:14:13.210 information together to paint a picture to actually do the task. 0:14:14.450 --> 0:14:17.250 So I'm going to take vulnerability management as an example. 0:14:17.250 --> 0:14:19.970 Since I've lived in this hellscape for so long. What 0:14:19.970 --> 0:14:24.050 is actually so hard about vulnerability management? Is it finding vulnerabilities? 0:14:24.570 --> 0:14:28.650 Is it like making a pretty enough dashboard to show vulnerabilities? No, 0:14:28.850 --> 0:14:31.530 it's actually fixing vulnerabilities. And the reason it's hard to 0:14:31.530 --> 0:14:33.530 fix them is because you have to know what application 0:14:33.530 --> 0:14:36.170 it's part of. You have to find the right engineering team. 0:14:36.170 --> 0:14:39.330 What repo does that code go into? What's the DevOps 0:14:39.330 --> 0:14:43.610 workflow for that? Like the team changed, right? There was 0:14:43.610 --> 0:14:46.570 there was a a riff. And now that team doesn't 0:14:46.570 --> 0:14:48.210 even exist. And it got combined with this other one. 0:14:48.210 --> 0:14:51.010 Where did that one developer go? Who's responsible for that 0:14:51.010 --> 0:14:53.290 one app. Oh, it's different this week than it was 0:14:53.380 --> 0:14:56.580 last week. This stuff is not easy to do because 0:14:56.580 --> 0:15:00.020 it's constant change inside this company. So here's the question. 0:15:00.340 --> 0:15:02.460 How much of our inability to do a good job 0:15:02.460 --> 0:15:05.500 at vulnerability management or security in general over the last 0:15:05.500 --> 0:15:08.620 15 years is actually a security problem? And how much 0:15:08.620 --> 0:15:12.980 of it is actually an organizational knowledge problem? And think 0:15:12.980 --> 0:15:17.060 about that for all of security. Even crazier, think about it. 0:15:17.060 --> 0:15:21.500 For all of it. Right. Or all of software and services. Right. 0:15:21.540 --> 0:15:25.220 HR collects, you know, HR data and asks HR questions 0:15:25.220 --> 0:15:27.820 and they put it into an HR interface. Right. Project 0:15:27.820 --> 0:15:32.740 management collects project management information into a project management database. 0:15:33.020 --> 0:15:35.300 They ask project management questions and they put it into 0:15:35.340 --> 0:15:38.700 a UI design for project management. Do we really think 0:15:38.700 --> 0:15:40.700 these things are going to need their own separate databases 0:15:40.700 --> 0:15:44.940 going forward? Their own separate APIs, their own separate questions? 0:15:44.940 --> 0:15:46.980 Maybe they need their own questions. Do they need their 0:15:46.980 --> 0:15:50.660 own interfaces? I don't think so. I think that all 0:15:50.700 --> 0:15:53.400 kind of goes away and we end up with this 0:15:53.400 --> 0:15:57.160 thing called unified entity context, or building a world model 0:15:57.320 --> 0:15:59.200 for the thing that you care about. So if you're 0:15:59.200 --> 0:16:01.960 an individual, your history, your belief system, your aspirations, your 0:16:01.960 --> 0:16:04.600 favorite books and music, your past, your traumas, your salary, 0:16:05.040 --> 0:16:09.120 blood pressure, friendships, job, career, family goals, financial goals, your upbringing, 0:16:09.120 --> 0:16:11.560 your medical history, how strong you are, how much you 0:16:11.560 --> 0:16:15.760 can curl like you know your blood sugar levels, right? 0:16:15.800 --> 0:16:17.360 And then you can ask questions. Just like with the 0:16:17.360 --> 0:16:19.720 security program, you could be like, why is my relationship 0:16:19.720 --> 0:16:21.920 not working? What can I do to improve my health? 0:16:22.640 --> 0:16:24.000 And if you're a company, it's back to the stuff 0:16:24.000 --> 0:16:26.160 we talked about with alma. It's all of its goals. 0:16:26.160 --> 0:16:29.440 It's all of its competitors. It's all of its slack communications. 0:16:29.440 --> 0:16:31.680 It's all the transcripts from all of its calls. It's 0:16:31.680 --> 0:16:34.160 all of its Google Docs and Confluence and all of that. 0:16:34.160 --> 0:16:37.080 It's their desired are for the company, all the product 0:16:37.080 --> 0:16:38.840 marketing that you're putting out for all of your products 0:16:38.840 --> 0:16:41.000 and all the product marketing your competitors are putting out 0:16:41.000 --> 0:16:44.000 for all their products. This becomes the baseline for everything. 0:16:44.480 --> 0:16:47.080 Once you have that, then you do this. Then you 0:16:47.080 --> 0:16:51.360 take the smartest, biggest context AI that you have and 0:16:51.400 --> 0:16:53.740 this will be massive in the future. Right. It's getting 0:16:53.740 --> 0:16:56.140 bigger all the time. And you look down at this 0:16:56.140 --> 0:16:59.300 entire context and it can hold it all in its 0:16:59.300 --> 0:17:03.660 mind all at once. So this is completely insane. Basically, 0:17:03.660 --> 0:17:07.460 I think most people have this eye thing exactly backwards 0:17:07.460 --> 0:17:10.219 instead of cybersecurity or finance or whatever, being at the 0:17:10.220 --> 0:17:13.140 center with context and AI being things that you kind 0:17:13.140 --> 0:17:17.420 of like sprinkle on to do that thing better. It's 0:17:17.460 --> 0:17:21.620 actually the opposite. The context of the entity is everything. 0:17:21.619 --> 0:17:24.980 The world model that you have for this thing is everything. 0:17:25.420 --> 0:17:28.100 Software verticals kind of go away. They just become use 0:17:28.100 --> 0:17:33.899 cases on top of this architecture. Cool. But we were 0:17:33.900 --> 0:17:37.180 talking about hacking, right? How do we bring this back 0:17:37.180 --> 0:17:42.939 to hacking? So basically the future of hacking, because all 0:17:42.940 --> 0:17:48.020 of this relates to context, is basically how you can 0:17:48.020 --> 0:17:52.560 keep an exhaustive, accurate and up to date world model 0:17:52.880 --> 0:17:55.679 of the thing that you are attacking. And this is 0:17:55.680 --> 0:17:58.679 true whether you're actually attacking or whether you're defending. So 0:17:59.160 --> 0:18:03.240 it turns into a giant competition between attackers and defenders 0:18:03.240 --> 0:18:08.080 and attackers versus attackers and defenders versus defenders between who 0:18:08.080 --> 0:18:10.160 has the most accurate and up to date world model 0:18:10.160 --> 0:18:16.160 for their organization. So everyone listening to this, every attacker, 0:18:16.680 --> 0:18:19.600 every bounty player, we are all going to have a 0:18:19.600 --> 0:18:22.080 stack like this. I've been building this for years already, 0:18:22.080 --> 0:18:24.320 so like and I know some people on this call 0:18:24.359 --> 0:18:27.640 are probably along the path as well. So it's not 0:18:27.640 --> 0:18:31.160 a bunch of agents with random tools. It's an interoperable 0:18:31.160 --> 0:18:33.800 system where the output of one is the input to 0:18:33.840 --> 0:18:35.760 the next one. Okay. This is a big thing that 0:18:35.760 --> 0:18:38.200 people aren't understanding about that whole agent thing. You don't 0:18:38.200 --> 0:18:41.400 just say blah and give it like a prompt and 0:18:41.400 --> 0:18:43.480 then say, oh, agents, figure it out, because then you're 0:18:43.520 --> 0:18:46.480 offloading all the work to the model to actually do 0:18:46.480 --> 0:18:49.040 the hard work of building the system itself. The better 0:18:49.040 --> 0:18:50.600 way to do this? And if you talk to the 0:18:50.600 --> 0:18:54.180 people at AI. eye, the people who are actually building 0:18:54.180 --> 0:18:57.380 these systems to actually go and find vulnerabilities, exploit them, 0:18:57.380 --> 0:18:59.940 fix them or whatever. They need a system like this. 0:18:59.940 --> 0:19:02.859 These are the systems I've been building for years. They 0:19:02.900 --> 0:19:06.140 are modular. Each little piece does one thing well. It's 0:19:06.140 --> 0:19:09.420 a Unix concept, right? Each little piece does one thing well, right. 0:19:09.619 --> 0:19:12.139 So I've got a million of these things finding domains, 0:19:12.140 --> 0:19:15.580 finding websites, crawling the websites, running automated scans. And each 0:19:15.580 --> 0:19:18.540 one of these could be like a super basic version. 0:19:18.540 --> 0:19:21.460 It's like curl okay. You got curl on one side 0:19:21.859 --> 0:19:26.220 and you've got fully automated puppeteer browser automation going through 0:19:26.220 --> 0:19:28.700 bright data on the other side, right? So you have 0:19:28.700 --> 0:19:32.140 all these quality, you know, spectrums in between for each 0:19:32.140 --> 0:19:35.740 of these modules. But the whole system works together based 0:19:35.740 --> 0:19:38.980 on a set of goals. Right. So running automated crawls, 0:19:38.980 --> 0:19:42.260 parsing all endpoints, pulling out every single API endpoint from 0:19:42.260 --> 0:19:47.060 every piece of JavaScript writing exploits, POCs actually doing the attacking, um, 0:19:47.100 --> 0:19:50.379 writing up reports. All of these are separate modules. So 0:19:50.420 --> 0:19:53.830 let's say the target, you know, has like five main 0:19:53.830 --> 0:19:57.389 web applications, like a few hundred pages per site. And, 0:19:57.430 --> 0:19:59.949 you know, there's a whole bunch of agents. Think of this. 0:19:59.950 --> 0:20:02.670 You're going to have like thousands of agents. You'll start 0:20:02.670 --> 0:20:05.910 with dozens, right? Dozens, then hundreds, then thousands, then whatever. 0:20:06.310 --> 0:20:11.310 So we're also learning from new marketing campaigns on X 0:20:11.310 --> 0:20:14.750 or LinkedIn. Keep in mind multiple of these these modules 0:20:14.750 --> 0:20:18.669 are actually watching the company. They're watching everything the company does, 0:20:18.670 --> 0:20:21.750 every piece of marketing, every piece of information that's put 0:20:21.750 --> 0:20:24.390 out about this company gets parsed and brought back into 0:20:24.390 --> 0:20:27.990 the context, because the system as a whole and the 0:20:27.990 --> 0:20:30.550 AI that's sitting on top of it, watching the goals, 0:20:30.590 --> 0:20:33.270 is using that new information to tweak how we're going 0:20:33.270 --> 0:20:35.669 to do this attack. Right. So they have a new 0:20:35.670 --> 0:20:37.990 product launch, which is a new website, a mobile app. Cool. 0:20:37.990 --> 0:20:41.189 Go download that. Right. Right now we can't do too 0:20:41.190 --> 0:20:43.830 much with that because that's a little bit difficult. In 0:20:43.830 --> 0:20:45.310 a year or so, we're going to be able to 0:20:45.310 --> 0:20:48.750 go download that full mobile app, run the mobile app 0:20:48.750 --> 0:20:51.210 in a full virtual environment, Run a whole bunch of 0:20:51.210 --> 0:20:54.210 mobile tools, find out like which APIs aren't secured where 0:20:54.210 --> 0:20:57.209 they're not using TLS. Um, all sorts of issues that 0:20:57.210 --> 0:21:00.730 you have with mobile security. And that'll just be one 0:21:00.730 --> 0:21:03.050 little tiny module which brings that context back into the 0:21:03.050 --> 0:21:05.929 overall engine, which enhances all the other components inside of 0:21:05.970 --> 0:21:09.930 that engine. Right. Send that over to automated Burp intruder tool. Right. 0:21:09.930 --> 0:21:12.770 Then all of burps output. And that's a lot of output. 0:21:12.810 --> 0:21:16.530 It overwhelms anything including Gemini by the way. So this 0:21:16.530 --> 0:21:18.850 is still a place where, you know, the AI has 0:21:18.850 --> 0:21:23.970 to grow because, um, something like burp output from crawling 0:21:23.970 --> 0:21:26.609 a website is still massive. Anyway, you've got all that 0:21:26.609 --> 0:21:30.129 content coming out. All that content can then be repassed 0:21:30.170 --> 0:21:32.370 to find the JavaScript in there, to find where they're 0:21:32.369 --> 0:21:35.250 doing all their controls on the client side. Again, you 0:21:35.250 --> 0:21:37.209 only have to tell it a couple of core things 0:21:37.210 --> 0:21:39.010 inside of the system. Here are the types of things 0:21:39.010 --> 0:21:41.290 I'm looking for. Any output that you get, go and 0:21:41.290 --> 0:21:42.969 look for the following things. Oh cool. We got new 0:21:43.010 --> 0:21:45.650 output from burp. We found new JavaScript files. Let's go 0:21:45.690 --> 0:21:47.410 parse the hell out of them and find the files 0:21:47.410 --> 0:21:51.110 and API endpoints. Bring that back into the system. Right? 0:21:52.350 --> 0:21:55.310 And meanwhile, all this stuff is being fed into the 0:21:55.310 --> 0:21:58.990 appropriate modules. So let's say we find some good stuff, uh, 0:21:59.030 --> 0:22:01.150 send off to the exploit agents and try to do 0:22:01.550 --> 0:22:05.270 something according to the rules, uh, in goals we've laid out. Right. Uh, 0:22:05.270 --> 0:22:07.150 so for an attacker, we're trying to extract data. Maybe 0:22:07.150 --> 0:22:09.310 we're going to sell that access to a broker for 0:22:09.310 --> 0:22:11.030 a bounty person. We're going to create a POC in 0:22:11.030 --> 0:22:15.070 a short video to go with the automated report, and 0:22:15.070 --> 0:22:18.150 we're going to submit it to Hackerone or Bugcrowd or whatever. Right. 0:22:18.190 --> 0:22:20.909 And that just becomes another module that your thing is 0:22:20.910 --> 0:22:24.189 good at, right? It's automated workflow, but that's not the 0:22:24.190 --> 0:22:26.909 cool part. The cool part is this thing never sleeps. 0:22:27.270 --> 0:22:30.470 Dozens or hundreds or thousands of agents in this infrastructure 0:22:30.510 --> 0:22:34.230 working at all times, finding new domains, finding a new 0:22:34.230 --> 0:22:36.870 announcement which includes a new domain which you then go 0:22:36.869 --> 0:22:39.190 find the subdomains, which you then go find all the infrastructure. 0:22:39.190 --> 0:22:41.150 You find the web apps that are listening. You then 0:22:41.150 --> 0:22:44.790 go crawl those ad infinitum through this entire system, right? 0:22:44.830 --> 0:22:47.109 Open admin portals. You're taking all the screenshots. You're finding 0:22:47.109 --> 0:22:49.970 the screenshots. Oh, that's an admin portal. That thing's wide open. Oh, look. 0:22:50.010 --> 0:22:53.930 Default credentials. Right. Looking for open ports. Seeing if there's 0:22:53.930 --> 0:22:57.810 any new stuff out there right now. This sounds complex 0:22:57.810 --> 0:22:59.649 because there's lots of different tools and everything to keep 0:22:59.650 --> 0:23:03.050 in mind. But this system only needs to be built once, 0:23:03.050 --> 0:23:06.250 and then you're just adding modules and upgrading the modules. 0:23:06.490 --> 0:23:07.730 And this is a big part of what the AI 0:23:07.770 --> 0:23:09.530 helps you do. It helps you just make each one 0:23:09.530 --> 0:23:14.450 of these little things better and smarter. Again, everyone is 0:23:14.450 --> 0:23:16.850 going to have a stack like this. Individual bounty hunters, 0:23:16.850 --> 0:23:20.010 individual people just doing security research or hacking on their own, 0:23:20.010 --> 0:23:22.690 and definitely the attacker organizations. And guess who else needs 0:23:22.690 --> 0:23:25.650 to have it? The defenders. If you are a defender 0:23:25.650 --> 0:23:28.810 and you are not running this against yourself, you are 0:23:28.810 --> 0:23:32.410 going to lose. You are going to lose because because 0:23:32.410 --> 0:23:33.969 there are going to be so many people running a 0:23:33.970 --> 0:23:36.090 stack like this against you, you are just going to 0:23:36.090 --> 0:23:40.930 lose now at first, including everything I built for myself. Right. 0:23:40.930 --> 0:23:43.570 This was just going to be some basic information, right? 0:23:43.570 --> 0:23:46.330 Because we can't do the full version of this yet. Right? 0:23:46.330 --> 0:23:48.810 This is a year, two, three, four years. You know, 0:23:48.940 --> 0:23:51.780 This gets better as the AI tech stack gets better. 0:23:51.780 --> 0:23:56.020 But the system itself is core. So, um, this is 0:23:56.020 --> 0:23:58.899 like an internal. This is the AI remake I'm currently 0:23:58.900 --> 0:24:01.820 doing of my Helios system. And, you know, it's not 0:24:01.820 --> 0:24:03.660 going to have fully automated burp yet. It's not going 0:24:03.660 --> 0:24:05.980 to have a bunch of different modules. But like I said, 0:24:06.020 --> 0:24:08.820 this gets better as the tech gets better. The other 0:24:08.820 --> 0:24:12.260 thing is running, you know, hundreds of agents constantly. That's 0:24:12.260 --> 0:24:15.260 not cheap, right? So these prices have to come down 0:24:15.260 --> 0:24:17.980 the context windows have to go up. It's an upgrade process. 0:24:18.660 --> 0:24:22.179 So some vignettes to just think about this. So imagine 0:24:22.180 --> 0:24:24.580 that you're out at dinner and you get a notification 0:24:24.580 --> 0:24:28.860 that some employee at some company. Right. Um, they just 0:24:28.859 --> 0:24:31.140 talked about how, oh, I've got this thing at work 0:24:31.140 --> 0:24:33.540 and blah, blah, blah. This thing is a they're drunk 0:24:33.540 --> 0:24:35.939 or whatever, and they're talking online and some, you know, 0:24:35.980 --> 0:24:38.979 Reddit subreddit or whatever, and they're like, yeah, this new 0:24:38.980 --> 0:24:41.139 domain we put up and it doesn't have toufar. And 0:24:41.140 --> 0:24:43.540 I can't believe they used default credentials. That's why I 0:24:43.540 --> 0:24:45.420 want to quit. I'm going to start my own business 0:24:45.420 --> 0:24:48.640 or whatever. And so, um, you're sitting there eating dinner 0:24:48.640 --> 0:24:50.840 with a friend and you get a discord message from 0:24:50.840 --> 0:24:53.600 your AI bot and it's like, hey, some, uh, some 0:24:53.600 --> 0:24:56.240 dumbass just got drunk and posted that, um, there's a 0:24:56.240 --> 0:24:59.840 brand new, uh, domain open and, uh, potentially there's a 0:24:59.840 --> 0:25:01.920 vulnerability here. Do you want me to go mess with it? 0:25:02.280 --> 0:25:04.760 And you're like, yeah, yeah, go mess with it. So 0:25:04.760 --> 0:25:07.760 it comes back and it tells you basically. Yeah. The 0:25:07.760 --> 0:25:11.119 vuln that they mentioned actually does exist. Um, I do 0:25:11.119 --> 0:25:12.960 you want me to exploit it? Yes. Cool. All right. 0:25:12.960 --> 0:25:14.400 So we sent it in. We got the money. Or 0:25:14.400 --> 0:25:16.840 if you're a bad guy, you know, you're, uh, stealing 0:25:16.840 --> 0:25:20.320 data or whatever. And keep in mind, this could be from, like, 0:25:20.359 --> 0:25:24.120 a forum post. Um, it could be an announcement on 0:25:24.119 --> 0:25:26.119 TechCrunch that they just bought a company. So it's a 0:25:26.119 --> 0:25:31.440 merger and acquisition. Um, anything on the internet relative to 0:25:31.480 --> 0:25:36.280 your target? The agents are constantly watching new announcements, you know, 0:25:36.320 --> 0:25:40.439 new mergers, disgruntled employees, uh, a new job req for 0:25:40.440 --> 0:25:42.440 a new technology that you didn't know. So you add 0:25:42.440 --> 0:25:44.680 it to the tech stack for that company. Uh, new 0:25:44.680 --> 0:25:47.080 website posts are constantly being discovered, right, because they can 0:25:47.080 --> 0:25:49.100 make a slight change to the site, but they added 0:25:49.100 --> 0:25:51.380 a new API. Have we tested that API before? No, 0:25:51.380 --> 0:25:53.100 it was actually a different team that built that API. 0:25:53.140 --> 0:25:56.060 They didn't use all the security that the other team used. Boom. 0:25:56.100 --> 0:25:57.620 Now that's how we got in. That's how we pulled 0:25:57.619 --> 0:26:00.620 the data or whatever. New S3 buckets not probably secured 0:26:00.619 --> 0:26:03.459 all this stuff. So the entire game here and this 0:26:03.460 --> 0:26:07.740 is a really big point, is maintaining as accurate as 0:26:07.740 --> 0:26:11.780 possible world models for these things you're attacking. It doesn't 0:26:11.780 --> 0:26:13.540 matter if you're a company. It doesn't matter if you 0:26:13.580 --> 0:26:15.260 were hired to defend the company. It doesn't matter if 0:26:15.260 --> 0:26:17.020 you have your own startup. It doesn't matter if you're 0:26:17.020 --> 0:26:19.660 a bounty player. It's all the same shit. You have 0:26:19.660 --> 0:26:23.859 to keep the most updated version of this thing in 0:26:23.859 --> 0:26:28.220 your mind as possible. And here's something else that's crazy 0:26:28.220 --> 0:26:30.340 about this. One of the modules here is the actual 0:26:30.340 --> 0:26:33.340 list of attacks that you run when you attack. Okay, 0:26:33.859 --> 0:26:36.460 so check this out. You have like it's your bag 0:26:36.460 --> 0:26:39.020 of tricks. Your bag of tricks is what gets thrown 0:26:39.020 --> 0:26:42.699 at every web app. At every mobile app. Right? Um, 0:26:42.740 --> 0:26:45.900 for every social engineering campaign, for every fish you have, 0:26:45.900 --> 0:26:48.679 like your favorite little stuff that you do. Well, one 0:26:48.680 --> 0:26:51.120 of the AI modules that you have inside of your 0:26:51.119 --> 0:26:55.160 overall system is the one that parses new research. So 0:26:55.200 --> 0:26:57.439 I keep forgetting the guy's name, but every blackhat he 0:26:57.440 --> 0:27:00.760 releases like a new attack on HTTP itself. Um, he's 0:27:00.760 --> 0:27:04.000 the guy that works with, uh, DAF over at, um, uh, 0:27:04.000 --> 0:27:07.720 you know, burp. Um, portswigger. But anyway, uh, I want 0:27:07.760 --> 0:27:10.960 to say albino wax, but that's not quite right. Anyway, 0:27:10.960 --> 0:27:14.119 you all know the guy. So every time he releases something, 0:27:14.119 --> 0:27:17.080 every time he tweets, I have another module which go 0:27:17.080 --> 0:27:19.560 and reads that pulls it down and says, oh, that's 0:27:19.560 --> 0:27:22.920 actually interesting. Guess what? Upgrade. It's like the Borg from 0:27:22.920 --> 0:27:25.159 Star Trek. You hit it. Once it falls over, you 0:27:25.200 --> 0:27:29.760 hit it the second time. It's blocked that technique. Okay, 0:27:29.800 --> 0:27:31.800 Jason puts out a new video. He's like, oh, I've 0:27:31.800 --> 0:27:34.920 got this new, uh, this new attack that I always 0:27:34.920 --> 0:27:37.439 do against my things. It finds way more domains. I 0:27:37.480 --> 0:27:40.960 got this new attack. It, uh, it goes through filters for, uh, 0:27:40.960 --> 0:27:45.000 prompt injection. Right. Um, maybe, uh, Joseph is talking about that. 0:27:45.040 --> 0:27:47.609 It goes straight through prompt injection. Cool. Add that to 0:27:47.609 --> 0:27:50.970 the methodology. The whole system has now been upgraded. You 0:27:50.970 --> 0:27:53.609 can have an entire dedicated thing. It does nothing but watch. 0:27:53.650 --> 0:27:58.010 TLDR right, it watches Clint's entire thing. It finds every 0:27:58.010 --> 0:28:01.970 single thing that it mentions. It reads, goes and reads every, um, 0:28:02.650 --> 0:28:05.970 you know, every presentation, every GitHub repo. And it pulls 0:28:05.970 --> 0:28:09.330 out the research and uses that to upgrade the methodology. 0:28:10.010 --> 0:28:13.250 And again, that's also continuous. So the system is always 0:28:13.250 --> 0:28:16.090 being upgraded. So then the question is like what are 0:28:16.090 --> 0:28:18.050 you going to actually point this at. So I'm already 0:28:18.050 --> 0:28:21.810 monitoring like all the new bounty programs as they go live. Right. 0:28:21.890 --> 0:28:24.730 I'm not started testing them yet because I'm still building out, um, 0:28:24.730 --> 0:28:27.170 the rest of this new stack based on context. But 0:28:28.530 --> 0:28:31.730 my goal is to set this thing free on, uh, 0:28:31.730 --> 0:28:34.290 on actual program soon. Um, but but the point I'm 0:28:34.290 --> 0:28:38.610 mentioning this is that you can always be adding new targets, right? 0:28:38.650 --> 0:28:41.850 Attackers are going to have their own criteria for picking targets, right? 0:28:41.890 --> 0:28:43.450 Maybe they have a lot of money. Maybe they have. 0:28:43.450 --> 0:28:44.810 It's a combination of a lot of money and a 0:28:44.810 --> 0:28:47.950 bad security team. Maybe it's a combination of they have 0:28:47.950 --> 0:28:49.910 a lot of money, but I just saw on LinkedIn 0:28:49.910 --> 0:28:52.630 that half of their security team got fired. Oh, let's 0:28:52.670 --> 0:28:55.270 add that one to unify context and let's start attacking 0:28:55.270 --> 0:28:59.790 that one. Point is this is also continuous to find targets. 0:29:00.390 --> 0:29:03.430 And in my case, just parsing a brand new, uh, 0:29:03.430 --> 0:29:07.070 bug bounty programs that are coming live. So the entire 0:29:07.070 --> 0:29:09.590 game here is maintaining these accurate real time world models 0:29:09.590 --> 0:29:13.230 for entities. Like I said, it doesn't matter who you are. Um, 0:29:13.630 --> 0:29:16.469 what's really hilarious about this is AI is not the 0:29:16.470 --> 0:29:19.830 main feature here. AI is not the point. AI is 0:29:19.830 --> 0:29:22.230 just the tech that enables this to happen because of 0:29:22.230 --> 0:29:25.990 the agents, and because of the fact that um, models 0:29:25.990 --> 0:29:28.470 can hold way more information in their brains at one 0:29:28.470 --> 0:29:31.430 time than we can. That's the only thing we're really 0:29:31.430 --> 0:29:34.110 getting from the AI is the models are pretty smart, right? 0:29:34.110 --> 0:29:35.710 And the smarter they get, the better this gets. But 0:29:35.750 --> 0:29:37.990 it's not the kind of the point. The point is 0:29:37.990 --> 0:29:42.870 the world model capture of this thing. It. Okay, so 0:29:42.910 --> 0:29:46.290 just imagine this. Imagine it's 20 years in the future. 0:29:46.290 --> 0:29:49.330 Imagine we're not dead yet. Or, you know, like, everything 0:29:49.330 --> 0:29:52.010 has gone well. The planet is still here, uh, 20 0:29:52.010 --> 0:29:56.570 years in the future. Imagine an ASI and this is 0:29:56.570 --> 0:29:59.290 a little sci fi, but it's not too far off. Honestly. 0:30:00.250 --> 0:30:06.970 Imagine China holding the United States context of every open port, 0:30:07.130 --> 0:30:13.730 every vulnerable API path, every, um, opportunity for, like, file inclusion, 0:30:13.850 --> 0:30:18.730 every single attack possible, every every AI agent that's vulnerable 0:30:18.730 --> 0:30:21.850 to a particular type of prompt injection. It just pulls 0:30:21.850 --> 0:30:25.490 in the entire context of the United States current state 0:30:25.490 --> 0:30:29.490 of vulnerability and holds it in its mind in one piece. 0:30:29.530 --> 0:30:31.010 And then they ask the question, who do I go 0:30:31.010 --> 0:30:34.650 after first? What is the next best action to harm 0:30:34.650 --> 0:30:37.490 the United States? The most right or to harm Russia 0:30:37.490 --> 0:30:39.690 the most, or to harm whatever target that they are 0:30:39.690 --> 0:30:45.010 pointing at? The point of this is that is millions 0:30:45.010 --> 0:30:48.110 of IPS. Hundreds of millions of IPS. Is it billions 0:30:48.110 --> 0:30:50.510 of IPS? The point is, think about how much context 0:30:50.510 --> 0:30:53.750 you need for that, right? Doing this for a company 0:30:53.750 --> 0:30:56.469 itself is actually hard enough, right? To understand its entire 0:30:56.470 --> 0:30:59.230 history and every state change of all its IT and tech. 0:30:59.270 --> 0:31:04.470 We're talking about terabytes or petabytes to hold a state 0:31:04.470 --> 0:31:06.270 in its mind at once. And it's got to like 0:31:06.310 --> 0:31:08.630 keep that in context. Keep in mind, so you think 0:31:08.630 --> 0:31:11.710 we've actually gone far with AI? We haven't gone near 0:31:11.750 --> 0:31:13.950 close to what we actually need. And the AI is 0:31:13.950 --> 0:31:16.030 not the point. The point is having the size of 0:31:16.030 --> 0:31:18.670 the state that you can hold in your mind at once, right? 0:31:19.270 --> 0:31:21.310 So all this to say that the AI is not 0:31:21.310 --> 0:31:24.430 that important. It's kind of a supporting actor because size 0:31:24.430 --> 0:31:27.350 of context and yeah, okay. The models are smart. So 0:31:27.350 --> 0:31:30.630 that emulates, you know, some human components of this. But 0:31:30.630 --> 0:31:33.590 what actually matters is knowing that you have to keep 0:31:33.590 --> 0:31:36.350 the state and understand this world model of the thing, 0:31:36.630 --> 0:31:41.510 and that you build a system, a replicable system that 0:31:41.510 --> 0:31:44.310 produces outputs based on how the different modules in the 0:31:44.310 --> 0:31:48.000 system interact. The system is more important than the eye, right? 0:31:48.040 --> 0:31:51.560 And the concept of context itself is more important than eye. 0:31:51.600 --> 0:31:55.360 The eye is just the supporting tech. So what we 0:31:55.360 --> 0:31:58.560 end up with here is a world where every single stone, 0:31:58.760 --> 0:32:02.360 every single port, every single URL, every single API endpoint, 0:32:02.360 --> 0:32:06.880 every single agent is constantly being overturned, checked, and double checked. 0:32:07.280 --> 0:32:10.400 As an attacker, you are competing with hundreds of thousands 0:32:10.400 --> 0:32:13.640 of other attackers. As a bounty player, you're competing with 0:32:13.800 --> 0:32:17.640 hundreds of thousands of other bounty players and the attackers. 0:32:17.640 --> 0:32:20.400 You're racing to go do that thing. And as a defender, 0:32:20.440 --> 0:32:23.760 you're defending against all of them, plus all the other defenders, 0:32:23.760 --> 0:32:27.000 because you know you want to be the one that 0:32:27.000 --> 0:32:30.000 gets away from the bear while the other defender gets eaten. 0:32:30.880 --> 0:32:33.320 So natural question is, okay, what does all this mean? 0:32:33.600 --> 0:32:36.760 If this is correct, if you're a defender and you're 0:32:36.760 --> 0:32:39.040 trying to determine what AI to build for your company, 0:32:39.040 --> 0:32:41.600 you need to start building your own world model of 0:32:41.600 --> 0:32:45.660 your company. You need USC context for your company. Your 0:32:45.660 --> 0:32:47.500 attackers are going to have it and you better have 0:32:47.500 --> 0:32:50.180 a better version. And if you're a bounty player, you 0:32:50.180 --> 0:32:53.460 need to rebuild your automation stack. Putting the world model 0:32:53.500 --> 0:32:56.459 building and USC at the center of it. And if 0:32:56.460 --> 0:32:59.060 you don't have an automation stack, go look for a 0:32:59.060 --> 0:33:02.860 new hobby because you're not long for this world. They're 0:33:02.860 --> 0:33:05.580 about to be millions of people slash agents going after 0:33:05.580 --> 0:33:09.740 the same bugs with constantly evolving and improving systems and 0:33:09.740 --> 0:33:13.940 stacks and AI intelligence helping it. Right? So this is 0:33:13.940 --> 0:33:16.980 a competition between their system versus your system, not one 0:33:16.980 --> 0:33:20.060 of them against you. It's their system against yours, their 0:33:20.060 --> 0:33:23.940 context against yours, their world model against yours. And finally, 0:33:23.940 --> 0:33:25.740 if you're just trying to figure out, like where things 0:33:25.740 --> 0:33:27.940 are going with all this AI stuff, just remember one 0:33:27.940 --> 0:33:30.980 core idea. The game is not adding AI to stuff 0:33:30.980 --> 0:33:33.540 we care about. The game is having real time world 0:33:33.540 --> 0:33:37.060 models of what we care about, which we can then 0:33:37.060 --> 0:33:40.420 take action on using AI. Thanks for your time.