1 00:00:00,880 --> 00:00:05,000 S1: Unsupervised Learning is a podcast about trends and ideas in cybersecurity, 2 00:00:05,040 --> 00:00:09,960 S1: national security, AI, technology and society, and how best to 3 00:00:10,000 --> 00:00:18,600 S1: upgrade ourselves to be ready for what's coming. All right, Harry, 4 00:00:18,600 --> 00:00:20,120 S1: welcome to Unsupervised Learning. 5 00:00:22,800 --> 00:00:23,880 S2: Hey, great to be here. 6 00:00:24,280 --> 00:00:28,080 S1: Yeah. So, uh, I understand you're doing some cool stuff with, uh, 7 00:00:28,120 --> 00:00:31,280 S1: AI and vulnerability management and stuff like that. Can you 8 00:00:31,280 --> 00:00:32,520 S1: tell me what you're working on? 9 00:00:34,720 --> 00:00:37,840 S2: Yeah, sure. So just over a year ago, I co-founded 10 00:00:37,840 --> 00:00:39,960 S2: with a couple of others, a company called Maze. Um, 11 00:00:39,960 --> 00:00:42,440 S2: we just came out of stealth, maybe like, two months 12 00:00:42,440 --> 00:00:45,320 S2: ago now. Uh, so, so really quite recent, but super 13 00:00:45,320 --> 00:00:48,680 S2: experienced team. And what we've been doing is building basically 14 00:00:48,680 --> 00:00:51,639 S2: a series of AI agents that can deeply interrogate and 15 00:00:51,640 --> 00:00:54,440 S2: understand the vulnerability. Um, so kind of can go off 16 00:00:54,440 --> 00:00:56,560 S2: and do the kind of analysis that, like, really experienced 17 00:00:56,560 --> 00:00:59,280 S2: security engineer might be able to do into a vulnerability, 18 00:00:59,530 --> 00:01:02,610 S2: do it completely automatically. And by doing that, we can 19 00:01:02,610 --> 00:01:05,130 S2: do it over like hundreds of thousands or millions of 20 00:01:05,130 --> 00:01:07,929 S2: vulnerabilities all at once. And therefore, we can get people 21 00:01:07,930 --> 00:01:10,490 S2: out of this like constant hell that we found ourselves in, 22 00:01:10,490 --> 00:01:12,330 S2: in our old jobs. 
And I know plenty of others 23 00:01:12,330 --> 00:01:14,930 S2: have been where you're just constantly firefighting, like an endless 24 00:01:14,930 --> 00:01:18,690 S2: backlog of vulnerabilities with kind of no, no hope in sight. Um, yeah. 25 00:01:18,730 --> 00:01:20,850 S2: Hopefully we're starting to help people out of that, out 26 00:01:20,890 --> 00:01:22,450 S2: of that mess. Um, so yeah. 27 00:01:22,530 --> 00:01:26,570 S1: Okay. Interesting. So yeah, I've got some thoughts around this. 28 00:01:26,569 --> 00:01:30,850 S1: So are you, um, are you focused on the vulnerability 29 00:01:30,850 --> 00:01:33,450 S1: or are you focused on, like the context of the org? 30 00:01:33,730 --> 00:01:37,930 S1: Like where do you think you're going to get the most, like, um, 31 00:01:37,970 --> 00:01:42,449 S1: signal or benefit, uh, when it comes to the actual remediation? Because, um, 32 00:01:42,450 --> 00:01:44,650 S1: I've done a whole bunch of management in my career 33 00:01:44,650 --> 00:01:48,690 S1: as well, and it seems like the problem is always remediation, uh, 34 00:01:48,690 --> 00:01:52,450 S1: as opposed to, like, the prioritization of the vulns. What 35 00:01:52,450 --> 00:01:53,170 S1: are your thoughts? 36 00:01:54,930 --> 00:01:58,590 S2: Yeah. So one of the interesting things that we've we've 37 00:01:58,590 --> 00:02:00,550 S2: found along the way. And I've got going into this 38 00:02:00,550 --> 00:02:03,670 S2: was like the volume of vulnerabilities is so ridiculous. And 39 00:02:03,670 --> 00:02:05,870 S2: it's like, as people know, like it's climbing crazy like 40 00:02:05,910 --> 00:02:08,110 S2: year on year. At the moment, the volume is so high. 41 00:02:08,230 --> 00:02:09,990 S2: The problem doesn't make sense because the volume is just 42 00:02:09,990 --> 00:02:11,910 S2: so high. So people end up with all these different 43 00:02:11,910 --> 00:02:15,950 S2: approaches to it, prioritization and scoring. 
And can we use 44 00:02:15,990 --> 00:02:20,030 S2: EPSS and KEV and all these different approaches. And the 45 00:02:20,310 --> 00:02:22,270 S2: premise that we've come at it from is if you 46 00:02:22,270 --> 00:02:23,870 S2: go and chat to and I'm sure maybe you are 47 00:02:23,870 --> 00:02:25,790 S2: one of these people once upon a time like go 48 00:02:25,790 --> 00:02:27,230 S2: chat to a team that's dealing with this day in 49 00:02:27,230 --> 00:02:29,829 S2: day out and say, okay, if you were to go 50 00:02:29,870 --> 00:02:32,750 S2: look into like, start with the top of your list. 51 00:02:32,790 --> 00:02:34,190 S2: If you were to go into look into it for 52 00:02:34,230 --> 00:02:36,389 S2: like 2 or 3 hours in the context of your environment, 53 00:02:36,389 --> 00:02:39,550 S2: what would you find? Right? And then theoretically, if you 54 00:02:39,550 --> 00:02:41,230 S2: could do that over every single one, what would you 55 00:02:41,230 --> 00:02:44,510 S2: find and how big would that list be relative to 56 00:02:44,550 --> 00:02:48,470 S2: your current list? Right. And invariably, maybe you disagree with this, 57 00:02:48,470 --> 00:02:50,030 S2: but like most of the time when we ask people 58 00:02:50,030 --> 00:02:52,109 S2: that question, they're like the answers range from like it 59 00:02:52,110 --> 00:02:54,549 S2: would be 80% bigger to like the most extreme one 60 00:02:54,550 --> 00:02:57,720 S2: ever was like 99.99% bigger. I think I've seen one 61 00:02:57,720 --> 00:02:59,720 S2: true positive ever, which I think was a bit bold 62 00:02:59,720 --> 00:03:00,639 S2: to be honest. 63 00:03:00,639 --> 00:03:01,680 S1: But um, yeah, yeah. 
64 00:03:01,720 --> 00:03:04,040 S2: But the the premise is basically like if you spend 65 00:03:04,040 --> 00:03:06,040 S2: time with them and if you try and actually deeply 66 00:03:06,040 --> 00:03:08,239 S2: understand what the attacker would need to have to do 67 00:03:08,240 --> 00:03:10,400 S2: to exploit it and what your environment is actually like, 68 00:03:11,040 --> 00:03:13,800 S2: a huge proportion of the time the vulnerability isn't there. 69 00:03:13,840 --> 00:03:16,440 S2: Like it is not in any way, shape or form exploitable. 70 00:03:16,720 --> 00:03:18,840 S2: And so when we've been building all these prioritization criteria 71 00:03:18,880 --> 00:03:22,280 S2: over the years, we've been like shuffling this pack of 72 00:03:22,280 --> 00:03:24,799 S2: cards where most of the pack of cards should never 73 00:03:24,800 --> 00:03:27,160 S2: have been in the first place. Right? We should have 74 00:03:27,160 --> 00:03:29,800 S2: just been removing, you know, 48 of the 52 cards 75 00:03:29,800 --> 00:03:32,359 S2: or whatever, and focusing on those four rather than trying 76 00:03:32,360 --> 00:03:35,400 S2: to figure out how to sort them 1 to 52. Um, 77 00:03:35,680 --> 00:03:37,080 S2: so that's a lot of the premise of why we 78 00:03:37,080 --> 00:03:39,440 S2: think this world can go, which is if you can 79 00:03:39,440 --> 00:03:42,200 S2: build tools that are intelligent enough to do that really 80 00:03:42,200 --> 00:03:45,280 S2: deep technical analysis, you can actually remove most of the 81 00:03:45,280 --> 00:03:47,000 S2: deck of cards rather than trying to figure out how 82 00:03:47,000 --> 00:03:49,280 S2: to prioritize it all. Because I agree with you. It 83 00:03:49,280 --> 00:03:51,240 S2: doesn't matter if we can prioritize them. If we can't remediate, 84 00:03:51,280 --> 00:03:53,920 S2: it's literally irrelevant that we've got a prioritized list if 85 00:03:53,920 --> 00:03:56,740 S2: we can't actually act on them. 
But the only way 86 00:03:56,740 --> 00:03:59,340 S2: that you can figure out how to use your limited 87 00:03:59,340 --> 00:04:01,900 S2: remediation resources to act on them is to figure out 88 00:04:01,900 --> 00:04:04,100 S2: which ones you can throw away and which ones you 89 00:04:04,100 --> 00:04:05,500 S2: actually need to keep, and maybe which ones you need 90 00:04:05,500 --> 00:04:08,260 S2: to like, fix like today. Um, so that's one side 91 00:04:08,260 --> 00:04:09,740 S2: of it. We also think there's a bunch of use 92 00:04:09,740 --> 00:04:12,260 S2: cases for AI to actually help with remediation. So just 93 00:04:12,260 --> 00:04:14,900 S2: take like everything from I figured out I want to 94 00:04:14,900 --> 00:04:17,740 S2: fix something to it is fixed and see how much 95 00:04:17,740 --> 00:04:20,420 S2: of that you can get AI to help you with. 96 00:04:20,740 --> 00:04:23,140 S2: I think like running all the way to fully automating it. 97 00:04:23,140 --> 00:04:25,700 S2: I think we're a little bit despite what some people 98 00:04:25,900 --> 00:04:27,500 S2: are hoping at the moment. I think we're still like 99 00:04:27,500 --> 00:04:29,500 S2: a little bit away from it. Like just AI going 100 00:04:29,500 --> 00:04:31,700 S2: in and changing our environments day in, day out. But like, 101 00:04:31,740 --> 00:04:33,220 S2: I think we can do we can take people a 102 00:04:33,220 --> 00:04:35,339 S2: lot further than they are today. Um, so when you 103 00:04:35,339 --> 00:04:37,619 S2: stick all that together end to end, you get like much, 104 00:04:37,620 --> 00:04:40,340 S2: much smaller list and then you get much faster remediation 105 00:04:40,339 --> 00:04:42,099 S2: and then you start being able to work on the 106 00:04:42,100 --> 00:04:45,140 S2: stuff that matters, um, much, much quicker, uh, we think. 107 00:04:46,260 --> 00:04:49,420 S1: Yeah. Yeah, that makes sense. 
I feel like as you're 108 00:04:49,420 --> 00:04:52,620 S1: talking there, I mean, there's there's multiple steps, right? There's 109 00:04:53,589 --> 00:04:57,230 S1: understanding the bone deeply. And then, um, I guess there's 110 00:04:57,270 --> 00:05:01,190 S1: the threat Intel component as well. And you've seen like, CVS, 111 00:05:01,230 --> 00:05:04,430 S1: like try to try to capture all these in different 112 00:05:04,430 --> 00:05:08,830 S1: fields of the Volm. So there's like an active threat 113 00:05:08,830 --> 00:05:11,430 S1: Intel for like how many people know about this? How 114 00:05:11,430 --> 00:05:15,390 S1: easy is it to exploit? Then there's the Volm details itself. 115 00:05:15,390 --> 00:05:17,430 S1: Like how bad is it? Like what is the attack 116 00:05:17,430 --> 00:05:21,870 S1: surface that it actually impacts? And then there's the thing 117 00:05:21,910 --> 00:05:25,270 S1: of like, okay, do we have that here at the company? 118 00:05:25,710 --> 00:05:30,830 S1: Is that installed? Where is it installed? Um, what versions? 119 00:05:30,830 --> 00:05:34,830 S1: And how does that relate to the vulnerable version. Um, 120 00:05:35,029 --> 00:05:38,430 S1: and then given all of that now what is the prioritization? 121 00:05:38,910 --> 00:05:43,830 S1: And I feel like those are all like, uh, individual components. Um, 122 00:05:43,870 --> 00:05:45,950 S1: and then the thing I've been thinking a lot about 123 00:05:45,950 --> 00:05:50,670 S1: is like, okay, but where are the developers? Um, if 124 00:05:50,710 --> 00:05:54,320 S1: you find the vuln in like some readout somewhere in 125 00:05:54,320 --> 00:05:57,960 S1: some report, and it's in this particular piece of code, 126 00:05:58,400 --> 00:06:03,520 S1: what app is that code part of? Um, who actually, uh, 127 00:06:03,520 --> 00:06:07,200 S1: is responsible for that app? 
And then, um, when you 128 00:06:07,200 --> 00:06:11,040 S1: go to create a patch or a fix or whatever, um, 129 00:06:11,080 --> 00:06:13,119 S1: how do we get that to the right person in 130 00:06:13,120 --> 00:06:15,719 S1: the form that requires the least amount of effort for them? 131 00:06:15,839 --> 00:06:17,840 S1: So I feel like those are all the pieces, and 132 00:06:18,040 --> 00:06:20,880 S1: it's almost like you can have multiple companies working on 133 00:06:20,880 --> 00:06:25,560 S1: each one of those pieces. Um, but somebody who could do, like, 134 00:06:25,600 --> 00:06:27,800 S1: all of them pretty well, that's going to be a 135 00:06:27,800 --> 00:06:28,520 S1: massive win. 136 00:06:30,080 --> 00:06:32,560 S2: Yeah. So that that's, that's that's our concept as well, 137 00:06:32,560 --> 00:06:34,359 S2: which is basically if you think of all these different 138 00:06:34,360 --> 00:06:36,839 S2: moving pieces, you kind of want a series of agents 139 00:06:36,880 --> 00:06:40,640 S2: like AI agents, not not the old school type tackling 140 00:06:40,640 --> 00:06:43,160 S2: each of those component pieces. Right. So like you mentioned there, 141 00:06:43,160 --> 00:06:45,919 S2: like who owns the thing? That's a great use case 142 00:06:45,920 --> 00:06:48,719 S2: for AI and particularly agents because like there is information 143 00:06:48,760 --> 00:06:51,180 S2: out there to help you solve that problem? Yes, but 144 00:06:51,180 --> 00:06:52,900 S2: for a human, it's just like it's a, it's a 145 00:06:52,940 --> 00:06:55,219 S2: like a it's like one of those long tail problems where, like, 146 00:06:55,260 --> 00:06:57,180 S2: you could go find the answer. It's going to take 147 00:06:57,180 --> 00:06:58,820 S2: you often a long time to like go figure it out. 148 00:06:58,820 --> 00:07:00,500 S2: And then going and figuring it out for every single 149 00:07:00,500 --> 00:07:02,820 S2: vuln and every single day becomes really annoying. 
But for AI, 150 00:07:02,860 --> 00:07:05,460 S2: that's actually pretty. Like if you've got the right data sources, 151 00:07:05,460 --> 00:07:09,020 S2: it's actually quite, quite a tolerable problem. Um, so then 152 00:07:09,020 --> 00:07:10,660 S2: you imagine, like putting an agent on all of those 153 00:07:10,660 --> 00:07:15,220 S2: different places, like you mentioned, prioritization. Well, before you before 154 00:07:15,260 --> 00:07:17,380 S2: threat Intel becomes relevant at all, you have to figure 155 00:07:17,380 --> 00:07:18,980 S2: out whether it can be exploited or not. And that's 156 00:07:18,980 --> 00:07:21,060 S2: got to be your first agent, because if it can't 157 00:07:21,060 --> 00:07:23,700 S2: be exploited, it's irrelevant whether it's got threat Intel associated 158 00:07:23,700 --> 00:07:25,940 S2: with it or whether the business context is is bad, 159 00:07:25,940 --> 00:07:27,340 S2: or whether the outcome could be bad or how to 160 00:07:27,340 --> 00:07:30,300 S2: fix it, like everything else becomes irrelevant because you just 161 00:07:30,300 --> 00:07:32,420 S2: need to stop there. So you, like, start there with 162 00:07:32,420 --> 00:07:34,500 S2: that agent and then build out like agent by agent 163 00:07:34,500 --> 00:07:36,900 S2: for each part of that flow. And as you said, 164 00:07:36,940 --> 00:07:40,340 S2: like figuring out who owns it, um, what action they 165 00:07:40,340 --> 00:07:42,060 S2: need to take, what would be the most efficient action. 166 00:07:42,060 --> 00:07:43,220 S2: And then you can go all the way through to 167 00:07:43,260 --> 00:07:45,260 S2: like starting to generate those actions for them. Right? Which 168 00:07:45,260 --> 00:07:47,740 S2: is like, yes, I don't think we're quite there with 169 00:07:47,740 --> 00:07:50,230 S2: just taking the action. 
But if we've done enough work 170 00:07:50,230 --> 00:07:53,390 S2: intelligently to figure out what the problem is, how it's fixed, 171 00:07:53,430 --> 00:07:55,630 S2: what the ramifications could be, then we can start to 172 00:07:55,630 --> 00:07:58,670 S2: generate actions for people and saying like, look, hey Sarah, 173 00:07:59,350 --> 00:08:02,550 S2: I found this vulnerability. I proved it could be exploited. 174 00:08:02,590 --> 00:08:04,710 S2: I proved it could be bad. I actually figured out 175 00:08:04,710 --> 00:08:06,710 S2: what the right thing to do would be. I generated 176 00:08:06,710 --> 00:08:08,150 S2: it for you. Do you want to do it? Yes 177 00:08:08,150 --> 00:08:10,910 S2: or no? That's a hell of a lot better experience than, like, 178 00:08:11,070 --> 00:08:13,870 S2: here's ten findings, of which one of them's probably maybe 179 00:08:13,870 --> 00:08:17,230 S2: bad good luck. Which is kind of like today's situation oftentimes. 180 00:08:17,270 --> 00:08:17,830 S1: Yeah. 181 00:08:17,910 --> 00:08:19,270 S2: Um, so yeah, that's the idea. 182 00:08:19,470 --> 00:08:22,190 S1: Yeah. No, I really love that. I mean, if you're 183 00:08:22,190 --> 00:08:25,910 S1: inside of their tool, let's say it's, it's, um, GitHub 184 00:08:25,910 --> 00:08:28,190 S1: or whatever it is, and it's just like, here's a 185 00:08:28,230 --> 00:08:31,550 S1: PR that I've submitted. You can see the diff right here. 186 00:08:32,070 --> 00:08:34,790 S1: And like this is what she does every day, all 187 00:08:34,790 --> 00:08:39,030 S1: day anyway in this exact tool. So she's like yes, 188 00:08:39,030 --> 00:08:44,469 S1: I accept. Boom. That's way, way easier than the thing 189 00:08:44,470 --> 00:08:47,050 S1: that just doesn't work. Which is, they received a 190 00:08:47,050 --> 00:08:51,050 S1: report which had like 480 things in it. 
And and 191 00:08:51,050 --> 00:08:52,650 S1: now it's her job to figure out if any of 192 00:08:52,650 --> 00:08:55,410 S1: those apply to her. And then when she looks inside, 193 00:08:55,410 --> 00:08:58,730 S1: the vulnerability description is just like this wall of text, 194 00:08:59,130 --> 00:09:02,770 S1: which came from like a generic vulnerability description. And so 195 00:09:02,770 --> 00:09:06,290 S1: she's left trying to figure out like, okay, like what 196 00:09:06,290 --> 00:09:10,970 S1: exactly is this saying? And guess what? That's why management 197 00:09:11,290 --> 00:09:14,410 S1: like hasn't been doing so well over the last like 198 00:09:14,450 --> 00:09:15,410 S1: 25 years. 199 00:09:16,970 --> 00:09:19,290 S2: Yeah. Yeah. Well the worst thing is though like for 200 00:09:19,290 --> 00:09:22,290 S2: Sarah there a lot of places now have got to 201 00:09:22,290 --> 00:09:24,610 S2: the point where they like one of the easiest applications 202 00:09:24,610 --> 00:09:27,850 S2: of AI was throw a list of existing findings in 203 00:09:27,850 --> 00:09:30,209 S2: and like get some suggested actions out because it was 204 00:09:30,210 --> 00:09:32,290 S2: just like literally like single call. You could like throw 205 00:09:32,290 --> 00:09:34,370 S2: a finding in, give you some code, give you something. 206 00:09:34,410 --> 00:09:36,410 S2: And that's where a lot of like our auto fix 207 00:09:36,410 --> 00:09:38,970 S2: suggestions kind of come from today. The problem is that 208 00:09:38,970 --> 00:09:41,370 S2: because they started there, rather than starting right at the 209 00:09:41,370 --> 00:09:42,850 S2: root of the problem, which is like most of the 210 00:09:42,850 --> 00:09:46,300 S2: findings don't mean anything. Yeah. We end up with, let's 211 00:09:46,300 --> 00:09:48,460 S2: say we have a list. Your list of 480 findings 212 00:09:48,460 --> 00:09:52,620 S2: turns into 480 auto fixes. 
And so we've got a 213 00:09:52,620 --> 00:09:54,660 S2: lot of work getting generated that doesn't need to be 214 00:09:54,660 --> 00:09:56,420 S2: there in the first place. And also, most of them 215 00:09:56,460 --> 00:09:58,860 S2: lack a lot of the context about, like, how this 216 00:09:58,860 --> 00:10:00,860 S2: thing exploited what would be the most appropriate fix. So 217 00:10:00,860 --> 00:10:02,260 S2: we've kind of like started at the end in a 218 00:10:02,260 --> 00:10:04,100 S2: lot of cases now. And we need to go, I 219 00:10:04,100 --> 00:10:06,460 S2: think like back to the start, get back to the 220 00:10:06,460 --> 00:10:08,500 S2: root of the problem, figure out how bad these things 221 00:10:08,540 --> 00:10:10,380 S2: like figure out what like if they can be exploited, 222 00:10:10,380 --> 00:10:12,180 S2: how bad they are, what the context is around them, 223 00:10:12,179 --> 00:10:14,180 S2: and then feed all of that into our remediation efforts. 224 00:10:14,179 --> 00:10:16,340 S2: And suddenly Sarah gets not only like a shorter list, 225 00:10:16,340 --> 00:10:18,980 S2: but like a way more intelligent list of, of of 226 00:10:18,980 --> 00:10:20,579 S2: actions you could take. And then, as you said, she 227 00:10:20,580 --> 00:10:22,980 S2: gets away from, you know, just getting that like blank 228 00:10:22,980 --> 00:10:25,260 S2: report with a vague description to you just need to 229 00:10:25,260 --> 00:10:27,980 S2: do this thing now. Okay, great. Like click uh, and 230 00:10:27,980 --> 00:10:30,220 S2: that's hopefully like, honestly it's kind of why we started 231 00:10:30,220 --> 00:10:32,020 S2: the company is we used to lead like the PM 232 00:10:32,020 --> 00:10:34,380 S2: and engineering teams at various places. And it just it 233 00:10:34,380 --> 00:10:36,700 S2: just annoyed us because because the teams were spending so 234 00:10:36,700 --> 00:10:39,660 S2: much so long like, uh, spinning their wheels around the problem. 
235 00:10:39,660 --> 00:10:41,260 S2: And it was just annoying. So we just thought like, 236 00:10:41,260 --> 00:10:43,679 S2: this can't be right. Um, and so, Yeah, here we are. 237 00:10:44,760 --> 00:10:49,120 S1: Yeah. That's it from my experience. That's absolutely the best 238 00:10:49,120 --> 00:10:52,120 S1: place to have a startup is like, the founders are 239 00:10:52,120 --> 00:10:55,920 S1: familiar with the pain of the problem, right? And it's 240 00:10:55,920 --> 00:10:59,040 S1: like they just wish that they had this in the 241 00:10:59,040 --> 00:11:02,800 S1: past for their problem. And, like, it's just a really 242 00:11:03,559 --> 00:11:07,120 S1: pure way to start a company. Um, so what can 243 00:11:07,120 --> 00:11:10,920 S1: you say about the, um, the current state of agents, um, 244 00:11:10,960 --> 00:11:13,959 S1: with all the hype and what, like what works? Uh, 245 00:11:13,960 --> 00:11:16,480 S1: and as much as you can share about about your, like, 246 00:11:16,520 --> 00:11:20,080 S1: approach to the agents, like how many are there? Are they, 247 00:11:20,120 --> 00:11:23,200 S1: are they working on different things all at the same time? 248 00:11:23,200 --> 00:11:27,040 S1: Are they coming back and like unifying into one context, 249 00:11:27,080 --> 00:11:27,880 S1: that kind of stuff? 250 00:11:29,559 --> 00:11:31,880 S2: Yeah. Good question. I was actually just I was just 251 00:11:31,880 --> 00:11:33,880 S2: talking to a CSO about this earlier today, and we 252 00:11:33,880 --> 00:11:36,200 S2: have quite a funny chat about it of where people's 253 00:11:36,200 --> 00:11:38,439 S2: expectations sometimes of what agents can do are and like 254 00:11:38,440 --> 00:11:43,170 S2: the reality and some of the like. 
They sometimes they 255 00:11:43,170 --> 00:11:45,730 S2: look so impressive when you first start using them that 256 00:11:45,730 --> 00:11:49,530 S2: you kind of imagine that they're capable of just tackling 257 00:11:49,570 --> 00:11:51,890 S2: like all sorts of tasks with limited guidance. Right? You're 258 00:11:51,890 --> 00:11:54,090 S2: just a bit like imagine, like you're working with like 259 00:11:54,090 --> 00:11:56,490 S2: a really senior colleague. You can give them a really 260 00:11:56,490 --> 00:11:58,530 S2: vague instruction and they'll just like figure it out and 261 00:11:58,530 --> 00:12:01,449 S2: probably get a good result. The agents can sometimes feel 262 00:12:01,450 --> 00:12:03,170 S2: a bit like that. So people end up being like, cool, 263 00:12:03,170 --> 00:12:04,969 S2: we're going to build this platform and agents are going 264 00:12:04,970 --> 00:12:07,290 S2: to do all these like 100 different things, right? And 265 00:12:07,290 --> 00:12:09,730 S2: I see some security companies starting to, like, fall into 266 00:12:09,730 --> 00:12:11,610 S2: this trap a little bit where they're like, we use 267 00:12:11,610 --> 00:12:13,570 S2: agents now. We use agents for like this and this 268 00:12:13,570 --> 00:12:16,410 S2: and this and this and this. And having worked with 269 00:12:16,410 --> 00:12:19,810 S2: them for the last over a year now, my perception 270 00:12:19,809 --> 00:12:23,530 S2: of them is they're much more like very knowledgeable, like 16, 271 00:12:23,530 --> 00:12:26,929 S2: 17 year olds, right? In that like they're knowledgeable, they're 272 00:12:26,929 --> 00:12:29,530 S2: capable of getting a task done. But they need a 273 00:12:29,530 --> 00:12:35,329 S2: ton of like clear instructions, guidance, guardrails like training back 274 00:12:35,330 --> 00:12:37,570 S2: and forth with a manager again and again and again 275 00:12:37,570 --> 00:12:39,490 S2: and again. 
And then you can get them a bit 276 00:12:39,490 --> 00:12:42,220 S2: like teaching a grad how to do a specific job. 277 00:12:42,260 --> 00:12:44,380 S2: You can take your like 17 year old and turn 278 00:12:44,380 --> 00:12:47,060 S2: them into someone who is pretty capable at that job 279 00:12:47,100 --> 00:12:48,380 S2: day in, day out, but they still need to be 280 00:12:48,380 --> 00:12:51,220 S2: doing it in like a relatively narrow, confined space. And 281 00:12:51,220 --> 00:12:53,460 S2: they still need a lot of guidance and training and oversight. 282 00:12:53,740 --> 00:12:55,660 S2: And that, I think, is where we currently are with 283 00:12:55,660 --> 00:12:58,020 S2: a lot of agents. But that doesn't mean for security, 284 00:12:58,020 --> 00:13:01,060 S2: because we have so many tightly well-defined problems, lots of 285 00:13:01,059 --> 00:13:05,020 S2: data and lots of ways to give guardrails to these things. 286 00:13:05,059 --> 00:13:07,260 S2: If you spend enough time honing them, they can just 287 00:13:07,260 --> 00:13:10,500 S2: start doing incredible stuff. But it's really not a case 288 00:13:10,500 --> 00:13:12,820 S2: of like, cool, I'll just throw this problem into Claude 289 00:13:12,820 --> 00:13:15,179 S2: and just like, see what it comes out with. Because 290 00:13:15,580 --> 00:13:17,099 S2: a lot of a that's gonna be very expensive a 291 00:13:17,100 --> 00:13:18,699 S2: lot of time if you do it without any optimization, 292 00:13:18,740 --> 00:13:21,660 S2: B you're gonna end up with like, such an unpredictable 293 00:13:21,660 --> 00:13:24,260 S2: result that you're going to go off the idea entirely. Um, 294 00:13:24,660 --> 00:13:26,059 S2: and I run into teams like that all the time 295 00:13:26,059 --> 00:13:27,699 S2: where they're like, oh, yeah, I tried this for like 296 00:13:27,740 --> 00:13:29,860 S2: a day, and it didn't quite work. 
It's like, well, 297 00:13:29,860 --> 00:13:32,179 S2: you need to spend so long, like getting them there. 298 00:13:32,179 --> 00:13:34,100 S2: So that's kind of my perception of it. They I 299 00:13:34,100 --> 00:13:35,700 S2: don't know what you're seeing. I'm sure you're playing around 300 00:13:35,700 --> 00:13:37,900 S2: with them in your own world, but like, they can 301 00:13:37,900 --> 00:13:41,160 S2: do incredible things. It just takes work basically would be 302 00:13:41,160 --> 00:13:41,720 S2: the summary. 303 00:13:42,040 --> 00:13:44,720 S1: Yeah, yeah, very much agree with that. Yeah. I just 304 00:13:44,720 --> 00:13:48,680 S1: got done talking to, uh, Matthew Brown, uh, who led 305 00:13:48,679 --> 00:13:52,320 S1: the AIxCC competition. Are you following that whole thing? 306 00:13:54,040 --> 00:13:55,920 S2: Yes. Yeah, vaguely followed it. 307 00:13:55,920 --> 00:14:01,080 S1: Yeah. The this, uh, DARPA competition and it's open source project, 308 00:14:01,200 --> 00:14:05,240 S1: and basically, they'll all release their things. I'm not sure, um, 309 00:14:05,960 --> 00:14:08,679 S1: if anyone's messed with them yet, but the idea was 310 00:14:08,679 --> 00:14:12,760 S1: to just go and find vulnerabilities on GitHub, and then 311 00:14:12,800 --> 00:14:14,559 S1: you have to be able to fix them. So that's 312 00:14:14,559 --> 00:14:18,240 S1: this multi-year competition from DARPA. So I was talking to 313 00:14:18,280 --> 00:14:21,520 S1: him about this agent design thing, and he was like, yeah, 314 00:14:21,560 --> 00:14:24,600 S1: the first, most important thing is like break the problems 315 00:14:24,600 --> 00:14:29,360 S1: into categories. And the category is, um, should you even 316 00:14:29,400 --> 00:14:33,880 S1: be using AI at all for this? Right. So, um, 317 00:14:33,960 --> 00:14:37,650 S1: and try to do as much with regular deterministic code 318 00:14:37,650 --> 00:14:42,210 S1: as possible and like it because too much. 
Intelligence is 319 00:14:42,210 --> 00:14:45,090 S1: the thing. Too much creativity is a thing. Um, and 320 00:14:45,090 --> 00:14:49,050 S1: especially if you ask a model, does this look vulnerable 321 00:14:49,050 --> 00:14:51,290 S1: to you? They will try to find a way to 322 00:14:51,330 --> 00:14:56,130 S1: say yes. Right. So it's like it's this weird balance 323 00:14:56,130 --> 00:15:00,970 S1: between deterministic, uh, deterministic code and then using intelligence where 324 00:15:00,970 --> 00:15:04,090 S1: you have to, for example, does this look like a cat. 325 00:15:04,250 --> 00:15:06,490 S1: You can't use deterministic code for that. You have to 326 00:15:06,490 --> 00:15:09,290 S1: use ML or AI or whatever for that. But like 327 00:15:09,330 --> 00:15:12,450 S1: this whole system design thing is really fascinating to me. 328 00:15:13,850 --> 00:15:16,530 S2: Yeah. Your example of like, does this look vulnerable to 329 00:15:16,530 --> 00:15:19,330 S2: you is a great example of where, like, the agents 330 00:15:19,330 --> 00:15:22,890 S2: aren't at that level of competency, it's too broad and 331 00:15:22,890 --> 00:15:25,330 S2: too vague for them. Like they like a human may 332 00:15:25,330 --> 00:15:26,930 S2: not even be able to answer that. Like, you line 333 00:15:26,930 --> 00:15:28,490 S2: up ten humans and they might give you a bit 334 00:15:28,490 --> 00:15:30,770 S2: different answers anyway, let alone what agents would give you. 335 00:15:31,170 --> 00:15:33,090 S2: So yeah, you're right. I think like the nature of 336 00:15:33,090 --> 00:15:36,070 S2: it is how do you distill it down to smaller 337 00:15:36,070 --> 00:15:39,350 S2: and smaller and smaller questions and like make it impossible 338 00:15:39,350 --> 00:15:41,390 S2: to get it wrong, given the knowledge that it has 339 00:15:41,430 --> 00:15:43,670 S2: and like the ability that it has? 
And again, much like, 340 00:15:43,710 --> 00:15:46,390 S2: like imagine you're like leading a team of like new grads, 341 00:15:46,390 --> 00:15:48,110 S2: like you're not going to just ask them vague stuff 342 00:15:48,110 --> 00:15:49,270 S2: at the start of the day and see how they 343 00:15:49,270 --> 00:15:50,670 S2: get on. Like a week later. You're going to give 344 00:15:50,670 --> 00:15:53,590 S2: them all very like tight, refined tasks. You got to 345 00:15:53,590 --> 00:15:55,670 S2: keep checking in on them. And then you're probably going 346 00:15:55,670 --> 00:15:57,910 S2: to like, you know, aggregate their work at the end 347 00:15:57,910 --> 00:16:01,350 S2: and then you're going to come out with something useful, hopefully. Um, 348 00:16:01,350 --> 00:16:02,830 S2: and I think that's much more like where we are. 349 00:16:02,870 --> 00:16:06,870 S1: Yeah. So, so what is, um, the product that you have? 350 00:16:06,950 --> 00:16:09,790 S1: What does it do? Like, how does the work, like, 351 00:16:09,790 --> 00:16:13,830 S1: what sources are you pulling from? Are you aggregating other sources? 352 00:16:13,830 --> 00:16:17,190 S1: Are you finding yourself, uh, like, what is the workflow 353 00:16:17,190 --> 00:16:18,630 S1: look like for somebody using it? 354 00:16:20,430 --> 00:16:22,630 S2: Yeah. So in essence, it's really just a way of 355 00:16:22,670 --> 00:16:25,110 S2: going from like, I have a potential risk. I need 356 00:16:25,110 --> 00:16:27,510 S2: to investigate it and figure out how bad it is. 357 00:16:27,550 --> 00:16:29,910 S2: I need I need help fixing it. Like that's the 358 00:16:29,950 --> 00:16:31,870 S2: really the workflow that it does at the moment. It 359 00:16:31,870 --> 00:16:37,920 S2: does that all with cloud CVEs. It's basically like cloud infrastructure, um, VMs, containers, etc. 360 00:16:37,960 --> 00:16:41,760 S2: pull in the vulnerabilities that are found by scanners. 
Investigate 361 00:16:41,760 --> 00:16:44,800 S2: every single one of them. Come away with that you 362 00:16:44,800 --> 00:16:47,840 S2: know 10% as long list. And then within that list 363 00:16:47,840 --> 00:16:49,960 S2: prioritize the very, very, very small number that are going 364 00:16:49,960 --> 00:16:51,880 S2: to lead to something bad happening and then help people 365 00:16:51,880 --> 00:16:53,520 S2: fix them. Um, so that's the flow at the moment. 366 00:16:53,560 --> 00:16:57,040 S2: Like cloud vulns in um, like human level triage, I 367 00:16:57,040 --> 00:16:58,840 S2: guess in the middle and then like, fixes come out 368 00:16:58,840 --> 00:17:00,960 S2: the other end. And as you can imagine, then as 369 00:17:00,960 --> 00:17:02,520 S2: we build out that platform, it gives us more and 370 00:17:02,520 --> 00:17:04,840 S2: more potential to throw more and more different types of 371 00:17:04,840 --> 00:17:07,520 S2: data at that same platform. But for now, very kind 372 00:17:07,520 --> 00:17:09,240 S2: of focused on on just cloud CVEs. 373 00:17:09,280 --> 00:17:13,840 S1: Yeah, that makes sense. And so, um, pretty much the 374 00:17:13,840 --> 00:17:17,520 S1: top products that are out there, like when they're emitting vulns, 375 00:17:17,520 --> 00:17:19,600 S1: you can just consume from them, you can connect to 376 00:17:19,600 --> 00:17:23,360 S1: them and get their vulns, uh, a list essentially. 377 00:17:24,960 --> 00:17:27,120 S2: Exactly. Yeah. Because it's always been a very integrated kind 378 00:17:27,119 --> 00:17:30,240 S2: of like area of VM was, you know, probably probably. No. 379 00:17:30,240 --> 00:17:33,330 S2: And so, um, so yeah, I think people are very 380 00:17:33,330 --> 00:17:35,450 S2: used to kind of like aggregating data from scanners and 381 00:17:35,450 --> 00:17:37,290 S2: bringing it around and stuff like that.
This is a 382 00:17:37,290 --> 00:17:39,290 S2: a big twist on that, because rather than aggregating it 383 00:17:39,290 --> 00:17:40,889 S2: and putting some kind of score on top of it 384 00:17:40,890 --> 00:17:44,650 S2: or something, you're aggregating it and then letting AI kind 385 00:17:44,690 --> 00:17:47,050 S2: of like, investigate everything like a human would have done, 386 00:17:47,050 --> 00:17:49,090 S2: and then coming away with a very different answer on 387 00:17:49,090 --> 00:17:52,490 S2: the other side. Um, but yeah, we basically pulled from APIs, uh, 388 00:17:52,490 --> 00:17:54,970 S2: pulled from the cloud environment, gather all the context, pull 389 00:17:54,970 --> 00:17:57,050 S2: from other systems if we need to, sometimes to like 390 00:17:57,050 --> 00:17:59,970 S2: gather more context to help us with our assessments and then, um, 391 00:18:00,250 --> 00:18:02,330 S2: you know, create actions at the other end. But it's 392 00:18:02,330 --> 00:18:04,410 S2: meant to as I said, the analogy is just always like, 393 00:18:04,450 --> 00:18:07,210 S2: what would what would, like Daniel four years ago or 394 00:18:07,210 --> 00:18:09,210 S2: something have done, like trying to solve this internally? Like, 395 00:18:09,210 --> 00:18:11,290 S2: what would you have gone in if you had the time? Like, 396 00:18:11,290 --> 00:18:12,570 S2: what would you have gone and looked at? What data 397 00:18:12,570 --> 00:18:14,890 S2: would you have gathered? How would you put it all together? 398 00:18:14,890 --> 00:18:16,730 S2: And then how do we do that automatically? 399 00:18:16,730 --> 00:18:20,290 S1: Basically, yeah, I really love that framing of AI. Like, um, 400 00:18:20,290 --> 00:18:24,090 S1: I try to discourage people, especially who are negative about AI, 401 00:18:24,130 --> 00:18:27,530 S1: from thinking of it like as some special tech and 402 00:18:27,530 --> 00:18:31,510 S1: just imagining it as extra eyes and hands.
And to 403 00:18:31,510 --> 00:18:35,109 S1: your point right now, 16 and 17 year old eyes 404 00:18:35,109 --> 00:18:36,990 S1: and hands. Right. So it's like. 405 00:18:37,270 --> 00:18:37,830 S2: Yeah, yeah. 406 00:18:37,869 --> 00:18:40,070 S1: Um, what what would you have done if you had 407 00:18:40,070 --> 00:18:44,550 S1: 10,000 people to put on every given day to go 408 00:18:44,550 --> 00:18:46,350 S1: and look? And it's like, well, I would go and 409 00:18:46,350 --> 00:18:49,469 S1: collect them and I would go and analyze them. I 410 00:18:49,470 --> 00:18:52,429 S1: would dig into the details and all the things that 411 00:18:52,430 --> 00:18:55,830 S1: you just said. That's what we would do be doing manually. 412 00:18:55,830 --> 00:18:57,590 S1: So that's what we should try to get the agents 413 00:18:57,590 --> 00:19:00,030 S1: to do. It's like it's not complex. It's like not 414 00:19:00,030 --> 00:19:02,710 S1: special tech. It's just you've got extra eyes and hands. 415 00:19:02,710 --> 00:19:03,669 S1: What do you do with them? 416 00:19:05,190 --> 00:19:07,710 S2: Yeah, exactly. And they don't get bored. Um, and they 417 00:19:07,950 --> 00:19:09,669 S2: can use as many of them as you want within 418 00:19:09,670 --> 00:19:12,109 S2: within reason. Um, and that's why I think a lot 419 00:19:12,109 --> 00:19:15,150 S2: of people get wrong sometimes is like they're trying to 420 00:19:16,310 --> 00:19:18,910 S2: they try and like. Yeah, they try and just think like, okay. 421 00:19:18,950 --> 00:19:21,470 S2: Like there is like human jobs today. And there is 422 00:19:21,510 --> 00:19:23,270 S2: what AI can do. And like it's just a one 423 00:19:23,270 --> 00:19:26,190 S2: for one fight. But it's not. It's more like, it's 424 00:19:26,190 --> 00:19:28,110 S2: more like, what is all the long tail of stuff 425 00:19:28,560 --> 00:19:30,399 S2: that like four years ago, I couldn't write software to 426 00:19:30,400 --> 00:19:32,960 S2: help me with. 
But now I can use software to 427 00:19:32,960 --> 00:19:34,960 S2: help me with and like, what's that long tail of 428 00:19:34,960 --> 00:19:36,639 S2: stuff that I'm never, ever going to get time to do, 429 00:19:36,640 --> 00:19:38,280 S2: but would be useful if I do enough of it 430 00:19:38,280 --> 00:19:40,280 S2: and I can aggregate it all up like that's where 431 00:19:40,280 --> 00:19:43,119 S2: the value is today. And this insecurity, like security, is 432 00:19:43,119 --> 00:19:46,160 S2: absolutely full of use cases like that where like theoretically 433 00:19:46,160 --> 00:19:47,560 S2: we would like to go and look at a bunch 434 00:19:47,560 --> 00:19:49,920 S2: of stuff, read a bunch of different data points, pull 435 00:19:49,920 --> 00:19:52,000 S2: it all together, come up with conclusions, etc. but we 436 00:19:52,000 --> 00:19:54,560 S2: just don't have the time. So yeah, I think hopefully, 437 00:19:55,080 --> 00:19:56,760 S2: hopefully people are starting to figure that out, which is 438 00:19:56,760 --> 00:19:58,170 S2: like it doesn't have to be just like a 1 439 00:19:58,170 --> 00:20:00,000 S2: to 1 with what a human is doing. It's more 440 00:20:00,040 --> 00:20:02,600 S2: like a yeah, what's what's the list of stuff you 441 00:20:02,600 --> 00:20:05,280 S2: would do if your day was 100 times longer or something? 442 00:20:05,800 --> 00:20:10,560 S1: Yeah, yeah. That's right. And yeah, I've been thinking about this, uh, 443 00:20:10,560 --> 00:20:14,200 S1: limitations of creativity. Um, like, I call it a type 444 00:20:14,200 --> 00:20:18,480 S1: three limitation, um, because there's two others. But the limitation 445 00:20:18,480 --> 00:20:23,200 S1: is basically not realizing because we grew up in the past, obviously, 446 00:20:23,200 --> 00:20:27,300 S1: that's the way time moves is forward. 
And it's like, Um, 447 00:20:27,619 --> 00:20:31,820 S1: we just have blocked out a million different things that 448 00:20:31,820 --> 00:20:34,780 S1: we could be doing in life. Life and at work 449 00:20:34,780 --> 00:20:37,460 S1: or whatever. And so I kind of think of, like 450 00:20:37,500 --> 00:20:40,260 S1: how many logs are actually streaming in to, into a 451 00:20:40,260 --> 00:20:44,740 S1: given organization, right? Let's say terabytes per day, depending on 452 00:20:44,740 --> 00:20:48,140 S1: the size of the company. And like the natural assumption 453 00:20:48,140 --> 00:20:50,500 S1: over the last 20 years is, well, we could look at, 454 00:20:50,540 --> 00:20:55,180 S1: you know, 0.01%. So let's try to find that 0.01%. 455 00:20:55,580 --> 00:20:58,500 S1: And so we we without even knowing it, we have 456 00:20:58,500 --> 00:21:02,540 S1: these invisible barriers on us. And what AI is like 457 00:21:02,580 --> 00:21:05,940 S1: forcing me and like, you know, us in general to 458 00:21:05,980 --> 00:21:10,220 S1: do is like, think outside of that. Think what could 459 00:21:10,220 --> 00:21:13,699 S1: you do potentially if in that case, it wouldn't be 460 00:21:13,700 --> 00:21:16,220 S1: like if I could double my team because it would 461 00:21:16,220 --> 00:21:19,900 S1: still be 0.01%. But if you had a million agents 462 00:21:21,180 --> 00:21:24,020 S1: that could read logs or whatever, and maybe some of 463 00:21:24,020 --> 00:21:26,629 S1: them can help you whittle down how many logs are 464 00:21:26,630 --> 00:21:30,830 S1: being generated or whatever, but it's like I find it 465 00:21:30,830 --> 00:21:35,550 S1: strange that we have these artificial barriers on ourselves about 466 00:21:35,550 --> 00:21:38,830 S1: what is possible, based on the fact that we grew 467 00:21:38,830 --> 00:21:40,270 S1: up in tech in the past. 
468 00:21:42,470 --> 00:21:44,070 S2: Yeah, I see that all the time, but that's a 469 00:21:44,070 --> 00:21:46,189 S2: great way of phrasing it. I think one one good 470 00:21:46,190 --> 00:21:48,469 S2: way of breaking out of that, which I think you 471 00:21:48,470 --> 00:21:50,830 S2: can use outside of security. But it's interesting in security 472 00:21:50,830 --> 00:21:54,909 S2: is fast forward like five years, right? Yeah. And AI 473 00:21:54,950 --> 00:21:57,110 S2: is way is way progressed. And I'm sure we're going 474 00:21:57,109 --> 00:21:58,669 S2: to go through like peaks and troughs with AI during 475 00:21:58,670 --> 00:22:01,710 S2: that time, you know, of, of of success and failures 476 00:22:01,710 --> 00:22:03,510 S2: and stuff like that. But over five years you'd expect 477 00:22:03,510 --> 00:22:05,710 S2: it to get pretty far and it's spread pretty wide 478 00:22:05,710 --> 00:22:07,429 S2: and change a lot of how we do all that stuff. 479 00:22:07,990 --> 00:22:11,390 S2: You got to think in that scenario. What is competition 480 00:22:11,869 --> 00:22:14,910 S2: from people using AI more heavily than you are going 481 00:22:14,910 --> 00:22:17,590 S2: to change about your behavior by then? Right. And so 482 00:22:17,830 --> 00:22:21,110 S2: in security, the competition there is not necessarily other companies. 483 00:22:21,109 --> 00:22:24,850 S2: It's actually attackers. And I'm always like, remiss to like, 484 00:22:25,369 --> 00:22:26,730 S2: say too much of this because you don't want to 485 00:22:26,730 --> 00:22:29,609 S2: feel like I'm scaremongering or anything like that. 
But if 486 00:22:29,650 --> 00:22:31,969 S2: you think about what we've what we're now seeing, like 487 00:22:32,010 --> 00:22:33,530 S2: you and I are working with AI agents and stuff 488 00:22:33,530 --> 00:22:35,810 S2: like that, and we're seeing what they can do and 489 00:22:35,810 --> 00:22:38,050 S2: how they're starting to scale into like pretty complex security tasks. 490 00:22:38,050 --> 00:22:40,770 S2: Just like imagine that on the flip side. And so 491 00:22:41,250 --> 00:22:43,970 S2: if teams are kind of like slower to to think 492 00:22:43,970 --> 00:22:45,729 S2: creatively and think out the box of like how much 493 00:22:45,730 --> 00:22:47,290 S2: they could get out of this in the short term, 494 00:22:47,650 --> 00:22:49,209 S2: they're going to be forced to in the long term 495 00:22:49,410 --> 00:22:52,010 S2: because eventually attackers are not like they're not going to 496 00:22:52,010 --> 00:22:53,890 S2: like hang around. They're just going to be like ruthless 497 00:22:53,890 --> 00:22:55,530 S2: in terms of figuring out how to do it. And 498 00:22:55,530 --> 00:22:58,410 S2: they're gonna, um, and they're going to start forcing our 499 00:22:58,410 --> 00:23:02,090 S2: hand to actually think, okay, well, it's not it's not 500 00:23:02,090 --> 00:23:03,770 S2: just a nice to have anymore to, like, be able 501 00:23:03,770 --> 00:23:06,409 S2: to go and tackle those 10,000 other, like, things that 502 00:23:06,410 --> 00:23:08,010 S2: you might do if you had the time. Like it 503 00:23:08,010 --> 00:23:10,410 S2: starts to become a must have, because suddenly the stuff 504 00:23:10,410 --> 00:23:13,649 S2: that used to be easy to defend against starts to 505 00:23:13,650 --> 00:23:15,570 S2: become hard to defend against, and all our behaviors have 506 00:23:15,570 --> 00:23:18,250 S2: to change. I think actually applies across a bunch of industries. 
Like, 507 00:23:18,290 --> 00:23:20,330 S2: you can apply that to all sorts of different products, 508 00:23:20,330 --> 00:23:22,580 S2: which is like if you're struggling to think creatively about 509 00:23:22,580 --> 00:23:25,500 S2: where this could all go, think five years forward. Think 510 00:23:25,500 --> 00:23:27,659 S2: about what the competitive landscape around you looks like. If 511 00:23:27,660 --> 00:23:30,100 S2: everyone else is really heavily using AI. And then work 512 00:23:30,100 --> 00:23:32,260 S2: backwards to like what you probably need to do. And 513 00:23:32,260 --> 00:23:35,020 S2: I think a lot of security is probably like that today, 514 00:23:35,020 --> 00:23:36,179 S2: although it's going to take a bit of time for 515 00:23:36,180 --> 00:23:37,139 S2: it to all shake out. 516 00:23:37,740 --> 00:23:40,340 S1: Yeah, I very much agree with that. Um, the way 517 00:23:40,340 --> 00:23:45,460 S1: I characterize it for the future is essentially, um, in, 518 00:23:45,460 --> 00:23:48,619 S1: in the, uh, the head of DeepMind thinks this way 519 00:23:48,619 --> 00:23:51,420 S1: as well, is like this, um, it's all about building 520 00:23:51,420 --> 00:23:54,140 S1: world models of the things you care about. So in 521 00:23:54,140 --> 00:23:58,540 S1: the case of of what we're doing, it's like understanding the, um, 522 00:23:58,580 --> 00:24:02,459 S1: the IT stack perfectly understanding the business, perfectly understanding the 523 00:24:02,460 --> 00:24:05,780 S1: people there and the developers and the projects they're working 524 00:24:05,780 --> 00:24:08,780 S1: on and their spend. And just like having a perfect 525 00:24:08,780 --> 00:24:12,940 S1: picture of that company, or in the case of attackers, 526 00:24:12,940 --> 00:24:15,859 S1: which is guaranteed to be using the same tech against you, 527 00:24:16,020 --> 00:24:18,780 S1: they have a world model of a world model of 528 00:24:18,820 --> 00:24:22,469 S1: their target.
And we are the target. So we better 529 00:24:22,470 --> 00:24:25,230 S1: have a better world model of ourselves than they have 530 00:24:25,270 --> 00:24:29,869 S1: of us. Because in a way, it's just dueling banjos 531 00:24:29,910 --> 00:24:34,910 S1: of their AI system against our AI system. Who has 532 00:24:34,910 --> 00:24:38,710 S1: the most up to date data now? Um, and, and 533 00:24:38,750 --> 00:24:43,909 S1: I basically say that attackers are going to win first 534 00:24:43,910 --> 00:24:47,270 S1: because they could just start shipping with this quick. Right? 535 00:24:47,510 --> 00:24:50,230 S1: And right now, everyone's like trying to figure out what's 536 00:24:50,230 --> 00:24:52,550 S1: going on. So attackers are going to move first. But 537 00:24:52,550 --> 00:24:56,470 S1: ideally and for somebody like Google already, they are so 538 00:24:56,470 --> 00:24:59,990 S1: organized that they should have more up to date internal 539 00:24:59,990 --> 00:25:04,110 S1: information coming out of these platforms to feed to their 540 00:25:04,109 --> 00:25:08,470 S1: agents to keep that context more up to date. Um, 541 00:25:08,750 --> 00:25:12,910 S1: but I very much agree with your your characterization here. 542 00:25:12,910 --> 00:25:17,030 S1: It's like, look, just imagine that your attacker knows everything 543 00:25:17,030 --> 00:25:20,810 S1: about you and they can sense changes in your environment. 544 00:25:20,810 --> 00:25:23,889 S1: So you added this new company because there was a 545 00:25:23,890 --> 00:25:29,450 S1: merger and acquisition which they learned about from from Crunchbase. Okay. 546 00:25:29,650 --> 00:25:32,770 S1: So now they're going to profile that entire company, and 547 00:25:32,770 --> 00:25:35,170 S1: they're going to assume that what Vulns are there are 548 00:25:35,170 --> 00:25:38,210 S1: going to now be your vulns for a period of time. 
549 00:25:38,369 --> 00:25:41,930 S1: So they're going to start attacking those things. And it's like, well, 550 00:25:41,930 --> 00:25:44,450 S1: how fast are you making that adjustment? Because they're going 551 00:25:44,490 --> 00:25:47,770 S1: to make it pretty fast. And it really is this 552 00:25:48,050 --> 00:25:50,530 S1: that's the game. That's the competition is who has a 553 00:25:50,530 --> 00:25:51,369 S1: better system. 554 00:25:53,170 --> 00:25:55,409 S2: Yeah. And it's not it's not like superhuman stuff I 555 00:25:55,410 --> 00:25:58,609 S2: don't think. We may occasionally see some pretty, pretty wild attacks, 556 00:25:58,609 --> 00:26:00,609 S2: but it's just going to be the stuff that we 557 00:26:00,650 --> 00:26:04,010 S2: kind of think is kind of hard and therefore kind 558 00:26:04,050 --> 00:26:06,690 S2: of rare today. Right? It's just going to happen way 559 00:26:06,690 --> 00:26:08,929 S2: more frequently, I think is the most sensible thing that 560 00:26:08,970 --> 00:26:11,210 S2: like your example there of like that's kind of rare 561 00:26:11,210 --> 00:26:13,169 S2: for an attacker to have the sense and the timing 562 00:26:13,210 --> 00:26:14,610 S2: to be like, okay, we're now going to go after 563 00:26:14,609 --> 00:26:16,810 S2: you because we've got this acquisition, but that just becomes 564 00:26:17,300 --> 00:26:19,940 S2: 10 to 100 times cheaper to do in the New World, 565 00:26:19,940 --> 00:26:24,060 S2: and therefore theoretically becomes a lot more common. Um, and 566 00:26:24,060 --> 00:26:25,899 S2: we saw this I used to work in, uh, in 567 00:26:26,420 --> 00:26:30,179 S2: phishing and pre like LLM era.
We saw some similar 568 00:26:30,180 --> 00:26:32,580 S2: types of effects where basically there was this period of 569 00:26:32,580 --> 00:26:35,419 S2: time where people went from, they figured out that like, 570 00:26:35,460 --> 00:26:38,300 S2: you know, the Nigerian prince email didn't work anymore, like 571 00:26:38,300 --> 00:26:41,180 S2: the mass mail phishing email didn't work anymore. And so 572 00:26:41,180 --> 00:26:43,660 S2: they started working on more targeted stuff. And that worked. 573 00:26:43,940 --> 00:26:46,260 S2: And then they realized it worked. And so they built 574 00:26:46,260 --> 00:26:47,860 S2: a load of phishing kits like phishing as a service 575 00:26:47,859 --> 00:26:48,980 S2: and all this kind of stuff, and they made it 576 00:26:48,980 --> 00:26:50,780 S2: really cheap for each other to do it. And suddenly 577 00:26:50,780 --> 00:26:53,860 S2: we saw this insane spike where it went from like 578 00:26:53,900 --> 00:26:56,100 S2: business email compromise and similar types of emails being like 579 00:26:56,140 --> 00:26:59,780 S2: kind of there, but not that common to suddenly they 580 00:26:59,780 --> 00:27:02,660 S2: were unbelievably common because the attackers made it cheap for themselves. 581 00:27:02,700 --> 00:27:04,500 S2: And so like as soon as attackers make stuff cheap 582 00:27:04,500 --> 00:27:06,540 S2: for themselves, you see the volume go up. I feel 583 00:27:06,540 --> 00:27:09,379 S2: like we're kind of nearing the precipice of that starting 584 00:27:09,420 --> 00:27:11,020 S2: to starting to happen. I don't know whether it'll happen 585 00:27:11,060 --> 00:27:13,540 S2: like this year or next year or something, but as 586 00:27:13,540 --> 00:27:15,220 S2: you said, they'll be pretty ruthless with it. They won't 587 00:27:15,220 --> 00:27:18,600 S2: they won't hang around and chat about it. Uh, they'll, uh, 588 00:27:18,600 --> 00:27:20,240 S2: they'll just get to work and it starts working. 
589 00:27:20,640 --> 00:27:24,160 S1: Yeah. Yeah. And going back to your previous point that 590 00:27:24,160 --> 00:27:26,520 S1: you made, um, that we were talking about with, like, 591 00:27:26,560 --> 00:27:30,640 S1: the extra eyes and hands, um, and how this is 592 00:27:30,640 --> 00:27:34,120 S1: just kind of like it. It's not superhuman stuff. It's 593 00:27:34,119 --> 00:27:36,040 S1: stuff that you could do with more scale if you 594 00:27:36,040 --> 00:27:39,160 S1: had more people. Um, and since you're talking about phishing, 595 00:27:40,000 --> 00:27:42,720 S1: one of my greatest examples of this is like, what 596 00:27:42,720 --> 00:27:45,560 S1: if you could just create a perfect dossier on every 597 00:27:45,560 --> 00:27:49,280 S1: employee at the target? So, um, and I've already got 598 00:27:49,320 --> 00:27:51,239 S1: a tech stack that does this, actually. So I could 599 00:27:51,240 --> 00:27:53,640 S1: just give someone's name and it will build me, like 600 00:27:53,640 --> 00:27:58,840 S1: a six page CIA background thing and like, including, like, 601 00:27:58,880 --> 00:28:02,960 S1: likely personality analysis or whatever. Well, I could then feed 602 00:28:02,960 --> 00:28:06,280 S1: that to a thing that writes spear phishing. So so here's 603 00:28:06,280 --> 00:28:10,320 S1: the question if if you had um, if you used 604 00:28:10,320 --> 00:28:13,480 S1: to be an attacker outfit with like a 19 people 605 00:28:14,050 --> 00:28:16,330 S1: and like four of them were really smart or whatever. 606 00:28:16,450 --> 00:28:19,490 S1: You have 19 people and you're barely able to. You 607 00:28:19,490 --> 00:28:24,050 S1: have to focus on a very specific vertical. 1 or 2, uh, attack, um, 608 00:28:24,090 --> 00:28:27,250 S1: you know, targets at a time.
And, like, you're really effective, 609 00:28:27,250 --> 00:28:30,369 S1: but you can only do so much as opposed to saying, hey, 610 00:28:30,650 --> 00:28:34,890 S1: these 250 companies are the ones I want to go after. Um, 611 00:28:34,930 --> 00:28:38,770 S1: create dossiers on all of them, then go find all 612 00:28:38,770 --> 00:28:42,410 S1: their social media posts. Uh, find any time they're complaining 613 00:28:42,410 --> 00:28:45,090 S1: or talking about the internal tech stack, or they mention 614 00:28:45,090 --> 00:28:48,610 S1: an acquisition, or they do anything and use that to 615 00:28:48,650 --> 00:28:51,930 S1: customize your spear phishing. How many people do you have to hire? 616 00:28:51,970 --> 00:28:55,450 S1: Like this is all 100% possible. This is not special tech. 617 00:28:55,490 --> 00:29:00,850 S1: It just requires so hundreds or thousands of people because 618 00:29:01,370 --> 00:29:04,730 S1: do it every hour. Do it every day. Right? Yeah. 619 00:29:04,770 --> 00:29:07,810 S1: And so so now it's just like you're just you 620 00:29:07,810 --> 00:29:11,490 S1: just need more skill. And to your point about, um, 621 00:29:11,940 --> 00:29:15,180 S1: Doing it internally. It's the same exact thing. You. You 622 00:29:15,220 --> 00:29:18,300 S1: just need more eyes and hands to do this. And 623 00:29:18,500 --> 00:29:23,100 S1: I'm just fascinated by the fact that, um, I mean, 624 00:29:23,100 --> 00:29:25,740 S1: one way to characterize this is just imagine all your 625 00:29:25,740 --> 00:29:31,700 S1: attackers who had 20 employees now have 20,000 employees. That 626 00:29:31,740 --> 00:29:32,820 S1: that is your problem. 627 00:29:33,060 --> 00:29:36,460 S2: Yeah. Yeah, that is quite literally. And and as I said, 628 00:29:36,460 --> 00:29:38,340 S2: it's not like they're now doing stuff that they never 629 00:29:38,340 --> 00:29:40,460 S2: did before.
They're just doing it at they can just 630 00:29:40,460 --> 00:29:41,900 S2: afford to do it a way bigger scale like your 631 00:29:41,900 --> 00:29:44,219 S2: phishing example. The worst bit about that is that they 632 00:29:44,220 --> 00:29:46,980 S2: don't even need to stop at writing the emails today. 633 00:29:47,260 --> 00:29:49,740 S2: Like they can actually just build agents that can take 634 00:29:49,780 --> 00:29:53,260 S2: your like dossier of them, right? Understand some stuff about 635 00:29:53,260 --> 00:29:56,020 S2: them and then kick off a flow of actions that's 636 00:29:56,020 --> 00:29:58,620 S2: actually gonna be way more effective than that single email, right? 637 00:29:58,860 --> 00:30:03,020 S2: You know, uh, gently warm up the email recipient calls, 638 00:30:03,020 --> 00:30:09,060 S2: WhatsApps LinkedIn messages. Um, uh, real like real sounding voice calls. Like, 639 00:30:09,060 --> 00:30:11,720 S2: if they really want to get into it. Fake, fake, 640 00:30:11,760 --> 00:30:13,920 S2: fake web pages like that is all now in the 641 00:30:13,920 --> 00:30:16,800 S2: remit of stuff that used to take a single person 642 00:30:16,800 --> 00:30:19,920 S2: dedicated on that task, right? Like days at a time 643 00:30:19,920 --> 00:30:22,719 S2: to get all that stuff done repeatedly to if you 644 00:30:22,720 --> 00:30:24,480 S2: can at least give agents like a certain level of 645 00:30:24,480 --> 00:30:27,200 S2: guidance around how to do it. That could be, you know, 646 00:30:27,240 --> 00:30:30,160 S2: maybe not that cheap yet, but like reasonably cheap relative 647 00:30:30,160 --> 00:30:31,320 S2: to what it used to be. And so, yeah, I 648 00:30:31,320 --> 00:30:35,320 S2: think your analogy of what imagine your attackers are now 649 00:30:35,520 --> 00:30:38,000 S2: 10 to 100 times in size each, each outfit, which 650 00:30:38,000 --> 00:30:40,560 S2: they are like a lot of them are just businesses, right?
Um, 651 00:30:40,600 --> 00:30:42,080 S2: and so they're going to use AI in the same 652 00:30:42,080 --> 00:30:45,200 S2: way we are. Like make us more efficient. Um, so yeah, 653 00:30:45,200 --> 00:30:48,120 S2: I think security as an industry has to work backwards 654 00:30:48,120 --> 00:30:50,600 S2: from there. Like imagine that that's the the current state 655 00:30:50,600 --> 00:30:52,480 S2: or the future state and then work backwards from there. 656 00:30:52,480 --> 00:30:54,400 S2: And what does that change about our current perceptions? Because 657 00:30:54,400 --> 00:30:56,200 S2: I think a lot of our, a lot of our 658 00:30:56,200 --> 00:31:00,320 S2: current ways of dealing with problems are, well, this will 659 00:31:00,320 --> 00:31:02,960 S2: kind of be fine in today's world, right? It's like, 660 00:31:03,200 --> 00:31:05,840 S2: you know, like I can deal with this many like 661 00:31:05,880 --> 00:31:07,880 S2: back to initial conversation. I can deal with this many 662 00:31:07,880 --> 00:31:10,650 S2: open vulnerabilities or I can deal with this slower way 663 00:31:10,650 --> 00:31:12,690 S2: of responding to something, or I can deal with this 664 00:31:12,690 --> 00:31:16,050 S2: slower a speed to get myself back online in the 665 00:31:16,050 --> 00:31:17,770 S2: worst case scenario, whatever it might be. It's like, oh, 666 00:31:17,770 --> 00:31:19,450 S2: we can deal with that. That's probably within the bounds 667 00:31:19,450 --> 00:31:21,770 S2: of okay. But if all the attackers get 10 to 668 00:31:21,770 --> 00:31:24,970 S2: 100 times bigger, in your words, like, um, by by 669 00:31:25,010 --> 00:31:27,490 S2: getting more leverage, then which of those things are still 670 00:31:27,490 --> 00:31:29,130 S2: okay and which are not okay? And then how do 671 00:31:29,130 --> 00:31:31,410 S2: we start adapting what we do today in response to 672 00:31:31,450 --> 00:31:33,770 S2: what that's going to look like? 
Um, and as I said, 673 00:31:33,770 --> 00:31:36,290 S2: I don't know how quickly all that's going to happen, but, um, 674 00:31:36,330 --> 00:31:37,930 S2: it's very hard to make a good argument why it's 675 00:31:37,930 --> 00:31:39,090 S2: not why it's not going to happen. 676 00:31:39,970 --> 00:31:42,490 S1: Yeah. Totally agree. And I guess one of the most 677 00:31:42,490 --> 00:31:45,930 S1: tangible ways of thinking about this is like, how how 678 00:31:46,490 --> 00:31:51,650 S1: large can you tolerate for a window of vulnerability? Uh, right. 679 00:31:51,810 --> 00:31:55,210 S1: Like maybe previously it was like, you know, ten years 680 00:31:55,210 --> 00:31:57,330 S1: ago or whatever, it was like a week or whatever. 681 00:31:57,330 --> 00:31:59,170 S1: And let's say it was half a week, let's say 682 00:31:59,210 --> 00:32:02,410 S1: it's a day. And I think we start to move 683 00:32:02,410 --> 00:32:05,130 S1: towards a world and, and who knows how fast. But 684 00:32:05,130 --> 00:32:08,350 S1: you start to move to a world where hours and 685 00:32:08,350 --> 00:32:12,470 S1: minutes really matter. Um, where if you have an exposed 686 00:32:12,470 --> 00:32:15,190 S1: S3 bucket before it. I mean, it takes time for 687 00:32:15,230 --> 00:32:18,790 S1: the tech and very few people who were automating that 688 00:32:18,790 --> 00:32:22,710 S1: stuff to actually find that exposed bucket or whatever. I 689 00:32:22,710 --> 00:32:27,030 S1: think that goes down to minutes. You know, eventually, potentially 690 00:32:27,030 --> 00:32:30,910 S1: even seconds. So yeah, I, I find the whole thing, uh, 691 00:32:30,990 --> 00:32:34,630 S1: really fascinating. Um, what what are you guys doing? That's 692 00:32:34,630 --> 00:32:37,310 S1: that's exciting right now, um, you're looking to put out 693 00:32:37,310 --> 00:32:39,630 S1: soon or you're excited about you just released? 694 00:32:41,670 --> 00:32:44,990 S2: Yeah. 
I mean, we're we're like, um, we're we're so 695 00:32:44,990 --> 00:32:48,590 S2: new still that we're just getting out there into the world, really. So, like, we're, um, 696 00:32:48,630 --> 00:32:50,910 S2: we're I'd say we're like, hitting the point now where 697 00:32:50,910 --> 00:32:53,950 S2: we are close to making some pretty big announcements about 698 00:32:53,950 --> 00:32:56,550 S2: about where we are with the product and stuff like that. Um, 699 00:32:56,870 --> 00:32:58,790 S2: but yeah, I think what we are excited about in 700 00:32:58,790 --> 00:33:00,430 S2: particular at the moment is we've kind of like cracked 701 00:33:00,430 --> 00:33:02,830 S2: a lot of the triage side of the problem of like, 702 00:33:02,870 --> 00:33:06,000 S2: how do I understand which vulnerabilities matter? Where we're excited 703 00:33:06,000 --> 00:33:07,680 S2: a lot at the moment is like, how do we 704 00:33:07,720 --> 00:33:09,120 S2: how do we start helping people more and more with 705 00:33:09,120 --> 00:33:11,080 S2: the remediation side? As I said, I think for now 706 00:33:11,080 --> 00:33:13,720 S2: that's more about like cutting down all the human work 707 00:33:13,720 --> 00:33:16,000 S2: to a smaller window as possible. But if we do 708 00:33:16,040 --> 00:33:18,320 S2: theoretically need to get to a point of minutes, then 709 00:33:18,320 --> 00:33:21,520 S2: you need to cut out humans entirely eventually. Um, but 710 00:33:21,520 --> 00:33:22,800 S2: I think you've got to go like step by step 711 00:33:22,800 --> 00:33:25,000 S2: by step. But yeah, we are we're super excited about 712 00:33:25,000 --> 00:33:26,920 S2: some of the stuff that we're seeing so far in 713 00:33:26,960 --> 00:33:31,440 S2: that world because, yeah, it's a super complex problem, obviously, 714 00:33:31,440 --> 00:33:33,320 S2: and it's something you can get very wrong. Right. 
If 715 00:33:33,320 --> 00:33:36,160 S2: we're like taking down people's prod environments on a daily 716 00:33:36,160 --> 00:33:39,640 S2: basis or something. But, um, done right, like it can 717 00:33:39,640 --> 00:33:42,920 S2: actually take us from this. We're just like shuffling big 718 00:33:42,920 --> 00:33:44,920 S2: lists of red around, which is kind of what it 719 00:33:44,920 --> 00:33:48,640 S2: feels like sometimes last few years, uh, to a point of, okay, 720 00:33:48,640 --> 00:33:50,760 S2: we actually feel like we're making tangible progress day in 721 00:33:50,760 --> 00:33:52,640 S2: and day out without a ton of effort. And then 722 00:33:52,640 --> 00:33:55,040 S2: maybe all those engineers and SREs and all the other 723 00:33:55,040 --> 00:33:58,720 S2: people involved can suddenly go and spend 5% more of 724 00:33:58,760 --> 00:34:00,400 S2: their time or something like that, to shipping product, and 725 00:34:00,400 --> 00:34:02,440 S2: then hopefully everyone wins at that point. So yeah, we're 726 00:34:02,440 --> 00:34:04,700 S2: really excited about getting more into that side. And also 727 00:34:04,700 --> 00:34:07,820 S2: just excited about having the the initial, uh, you know, 728 00:34:07,820 --> 00:34:09,379 S2: version of the product now out there in the world and, 729 00:34:09,420 --> 00:34:10,620 S2: you know, people starting to use it. 730 00:34:11,660 --> 00:34:15,020 S1: No. It's awesome. And where can people learn more about it? 731 00:34:17,100 --> 00:34:19,780 S2: Um, they can catch up with me online, my LinkedIn 732 00:34:19,820 --> 00:34:22,420 S2: or Substack. Um, feel free to, like, reach out to 733 00:34:22,420 --> 00:34:26,060 S2: me there. We also have a website where you can 734 00:34:26,100 --> 00:34:27,660 S2: kind of catch up a bit more on what we're 735 00:34:27,660 --> 00:34:28,060 S2: up to. 736 00:34:28,820 --> 00:34:31,859 S1: Well, very cool, Harry, thanks for the chat.
Very, uh, 737 00:34:31,900 --> 00:34:33,060 S1: very cool conversation. 738 00:34:34,940 --> 00:34:35,779 S2: I really enjoyed it. 739 00:34:36,500 --> 00:34:41,620 S1: All right. Take care. Unsupervised Learning is produced on Hindenburg 740 00:34:41,620 --> 00:34:45,940 S1: Pro using an SM7 microphone. A video version of the 741 00:34:45,940 --> 00:34:49,980 S1: podcast is available on the Unsupervised Learning YouTube channel, and 742 00:34:49,980 --> 00:34:52,779 S1: the text version with full links and notes is available 743 00:34:52,780 --> 00:34:57,420 S1: at Daniel. Com newsletter. We'll see you next time.