WEBVTT - A Conversation With Harry Wetherald CO-Founder & CEO At Maze 0:00:00.880 --> 0:00:05.000 Unsupervised Learning is a podcast about trends and ideas in cybersecurity, 0:00:05.040 --> 0:00:09.960 national security, AI, technology and society, and how best to 0:00:10.000 --> 0:00:18.600 upgrade ourselves to be ready for what's coming. All right, Harry, 0:00:18.600 --> 0:00:20.120 welcome to Unsupervised Learning. 0:00:22.800 --> 0:00:23.880 Hey, great to be here. 0:00:24.280 --> 0:00:28.080 Yeah. So, uh, I understand you're doing some cool stuff with, uh, 0:00:28.120 --> 0:00:31.280 AI and vulnerability management and stuff like that. Can you 0:00:31.280 --> 0:00:32.520 tell me what you're working on? 0:00:34.720 --> 0:00:37.840 Yeah, sure. So just over a year ago, I co-founded 0:00:37.840 --> 0:00:39.960 with a couple of others, a company called maze. Um, 0:00:39.960 --> 0:00:42.440 we just came out of stealth, maybe like, two months 0:00:42.440 --> 0:00:45.320 ago now. Uh, so, so really quite recent, but super 0:00:45.320 --> 0:00:48.680 experienced team. And what we've been doing is building basically 0:00:48.680 --> 0:00:51.639 a series of AI agents that can deeply interrogate and 0:00:51.640 --> 0:00:54.440 understand the vulnerability. Um, so kind of can go off 0:00:54.440 --> 0:00:56.560 and do the kind of analysis that, like, really experienced 0:00:56.560 --> 0:00:59.280 security engineer might be able to do into a vulnerability, 0:00:59.530 --> 0:01:02.610 do it completely automatically. And by doing that, we can 0:01:02.610 --> 0:01:05.130 do it over like hundreds of thousands or millions of 0:01:05.130 --> 0:01:07.929 vulnerabilities all at once. And therefore, we can get people 0:01:07.930 --> 0:01:10.490 out of this like constant hell that we found ourselves in, 0:01:10.490 --> 0:01:12.330 in our old jobs. And I know plenty of others 0:01:12.330 --> 0:01:14.930 have been where you're just constantly firefighting, like an endless 0:01:14.930 --> 0:01:18.690 backlog of vulnerabilities with kind of no, no hope in sight. Um, yeah. 0:01:18.730 --> 0:01:20.850 Hopefully we're starting to help people out of that, out 0:01:20.890 --> 0:01:22.450 of that mess. Um, so yeah. 0:01:22.530 --> 0:01:26.570 Okay. Interesting. So yeah, I've got some thoughts around this. 0:01:26.569 --> 0:01:30.850 So are you, um, are you focused on the vulnerability 0:01:30.850 --> 0:01:33.450 or are you focused on, like the context of the org? 0:01:33.730 --> 0:01:37.930 Like where do you think you're going to get the most, like, um, 0:01:37.970 --> 0:01:42.449 signal or benefit, uh, when it comes to the actual remediation? Because, um, 0:01:42.450 --> 0:01:44.650 I've done a whole bunch of management in my career 0:01:44.650 --> 0:01:48.690 as well, and it seems like the problem is always remediation, uh, 0:01:48.690 --> 0:01:52.450 as opposed to, like, the prioritization of the vulns. What 0:01:52.450 --> 0:01:53.170 are your thoughts? 0:01:54.930 --> 0:01:58.590 Yeah. So one of the interesting things that we've we've 0:01:58.590 --> 0:02:00.550 found along the way. And I've got going into this 0:02:00.550 --> 0:02:03.670 was like the volume of vulnerabilities is so ridiculous. And 0:02:03.670 --> 0:02:05.870 it's like, as people know, like it's climbing crazy like 0:02:05.910 --> 0:02:08.110 year on year. At the moment, the volume is so high. 0:02:08.230 --> 0:02:09.990 The problem doesn't make sense because the volume is just 0:02:09.990 --> 0:02:11.910 so high. So people end up with all these different 0:02:11.910 --> 0:02:15.950 approaches to it, prioritization and scoring. And can we use 0:02:15.990 --> 0:02:20.030 SPSS and Kev and all these different approaches. And the 0:02:20.310 --> 0:02:22.270 premise that we've come at it from is if you 0:02:22.270 --> 0:02:23.870 go and chat to and I'm sure maybe you are 0:02:23.870 --> 0:02:25.790 one of these people once upon a time like go 0:02:25.790 --> 0:02:27.230 chat to a team that's dealing with this day in 0:02:27.230 --> 0:02:29.829 day out and say, okay, if you were to go 0:02:29.870 --> 0:02:32.750 look into like, start with the top of your list. 0:02:32.790 --> 0:02:34.190 If you were to go into look into it for 0:02:34.230 --> 0:02:36.389 like 2 or 3 hours in the context of your environment, 0:02:36.389 --> 0:02:39.550 what would you find? Right? And then theoretically, if you 0:02:39.550 --> 0:02:41.230 could do that over every single one, what would you 0:02:41.230 --> 0:02:44.510 find and how big would that list be relative to 0:02:44.550 --> 0:02:48.470 your current list? Right. And invariably, maybe you disagree with this, 0:02:48.470 --> 0:02:50.030 but like most of the time when we ask people 0:02:50.030 --> 0:02:52.109 that question, they're like the answers range from like it 0:02:52.110 --> 0:02:54.549 would be 80% bigger to like the most extreme one 0:02:54.550 --> 0:02:57.720 ever was like 99.99% bigger. I think I've seen one 0:02:57.720 --> 0:02:59.720 true positive ever, which I think was a bit bold 0:02:59.720 --> 0:03:00.639 to be honest. 0:03:00.639 --> 0:03:01.680 But um, yeah, yeah. 0:03:01.720 --> 0:03:04.040 But the the premise is basically like if you spend 0:03:04.040 --> 0:03:06.040 time with them and if you try and actually deeply 0:03:06.040 --> 0:03:08.239 understand what the attacker would need to have to do 0:03:08.240 --> 0:03:10.400 to exploit it and what your environment is actually like, 0:03:11.040 --> 0:03:13.800 a huge proportion of the time the vulnerability isn't there. 0:03:13.840 --> 0:03:16.440 Like it is not in any way, shape or form exploitable. 0:03:16.720 --> 0:03:18.840 And so when we've been building all these prioritization criteria 0:03:18.880 --> 0:03:22.280 over the years, we've been like shuffling this pack of 0:03:22.280 --> 0:03:24.799 cards where most of the pack of cards should never 0:03:24.800 --> 0:03:27.160 have been in the first place. Right? We should have 0:03:27.160 --> 0:03:29.800 just been removing, you know, 48 of the 52 cards 0:03:29.800 --> 0:03:32.359 or whatever, and focusing on those four rather than trying 0:03:32.360 --> 0:03:35.400 to figure out how to sort them 1 to 52. Um, 0:03:35.680 --> 0:03:37.080 so that's a lot of the premise of why we 0:03:37.080 --> 0:03:39.440 think this world can go, which is if you can 0:03:39.440 --> 0:03:42.200 build tools that are intelligent enough to do that really 0:03:42.200 --> 0:03:45.280 deep technical analysis, you can actually remove most of the 0:03:45.280 --> 0:03:47.000 deck of cards rather than trying to figure out how 0:03:47.000 --> 0:03:49.280 to prioritize it all. Because I agree with you. It 0:03:49.280 --> 0:03:51.240 doesn't matter if we can prioritize them. If we can't remediate, 0:03:51.280 --> 0:03:53.920 it's literally irrelevant that we've got a prioritized list if 0:03:53.920 --> 0:03:56.740 we can't actually act on them. But the only way 0:03:56.740 --> 0:03:59.340 that you can figure out how to use your limited 0:03:59.340 --> 0:04:01.900 remediation resources to act on them is to figure out 0:04:01.900 --> 0:04:04.100 which ones you can throw away and which ones you 0:04:04.100 --> 0:04:05.500 actually need to keep, and maybe which ones you need 0:04:05.500 --> 0:04:08.260 to like, fix like today. Um, so that's one side 0:04:08.260 --> 0:04:09.740 of it. We also think there's a bunch of use 0:04:09.740 --> 0:04:12.260 cases for AI to actually help with remediation. So just 0:04:12.260 --> 0:04:14.900 take like everything from I figured out I want to 0:04:14.900 --> 0:04:17.740 fix something to it is fixed and see how much 0:04:17.740 --> 0:04:20.420 of that you can get AI to help you with. 0:04:20.740 --> 0:04:23.140 I think like running all the way to fully automating it. 0:04:23.140 --> 0:04:25.700 I think we're a little bit despite what some people 0:04:25.900 --> 0:04:27.500 are hoping at the moment. I think we're still like 0:04:27.500 --> 0:04:29.500 a little bit away from it. Like just AI going 0:04:29.500 --> 0:04:31.700 in and changing our environments day in, day out. But like, 0:04:31.740 --> 0:04:33.220 I think we can do we can take people a 0:04:33.220 --> 0:04:35.339 lot further than they are today. Um, so when you 0:04:35.339 --> 0:04:37.619 stick all that together end to end, you get like much, 0:04:37.620 --> 0:04:40.340 much smaller list and then you get much faster remediation 0:04:40.339 --> 0:04:42.099 and then you start being able to work on the 0:04:42.100 --> 0:04:45.140 stuff that matters, um, much, much quicker, uh, we think. 0:04:46.260 --> 0:04:49.420 Yeah. Yeah, that makes sense. I feel like as you're 0:04:49.420 --> 0:04:52.620 talking there, I mean, there's there's multiple steps, right? There's 0:04:53.589 --> 0:04:57.230 understanding the bone deeply. And then, um, I guess there's 0:04:57.270 --> 0:05:01.190 the threat Intel component as well. And you've seen like, CVS, 0:05:01.230 --> 0:05:04.430 like try to try to capture all these in different 0:05:04.430 --> 0:05:08.830 fields of the Volm. So there's like an active threat 0:05:08.830 --> 0:05:11.430 Intel for like how many people know about this? How 0:05:11.430 --> 0:05:15.390 easy is it to exploit? Then there's the Volm details itself. 0:05:15.390 --> 0:05:17.430 Like how bad is it? Like what is the attack 0:05:17.430 --> 0:05:21.870 surface that it actually impacts? And then there's the thing 0:05:21.910 --> 0:05:25.270 of like, okay, do we have that here at the company? 0:05:25.710 --> 0:05:30.830 Is that installed? Where is it installed? Um, what versions? 0:05:30.830 --> 0:05:34.830 And how does that relate to the vulnerable version. Um, 0:05:35.029 --> 0:05:38.430 and then given all of that now what is the prioritization? 0:05:38.910 --> 0:05:43.830 And I feel like those are all like, uh, individual components. Um, 0:05:43.870 --> 0:05:45.950 and then the thing I've been thinking a lot about 0:05:45.950 --> 0:05:50.670 is like, okay, but where are the developers? Um, if 0:05:50.710 --> 0:05:54.320 you find the vuln in like some readout somewhere in 0:05:54.320 --> 0:05:57.960 some report, and it's in this particular piece of code, 0:05:58.400 --> 0:06:03.520 what app is that code part of? Um, who actually, uh, 0:06:03.520 --> 0:06:07.200 is responsible for that app? And then, um, when you 0:06:07.200 --> 0:06:11.040 go to create a patch or a fix or whatever, um, 0:06:11.080 --> 0:06:13.119 how do we get that to the right person in 0:06:13.120 --> 0:06:15.719 the form that requires the least amount of effort for them? 0:06:15.839 --> 0:06:17.840 So I feel like those are all the pieces, and 0:06:18.040 --> 0:06:20.880 it's almost like you can have multiple companies working on 0:06:20.880 --> 0:06:25.560 each one of those pieces. Um, but somebody who could do, like, 0:06:25.600 --> 0:06:27.800 all of them pretty well, that's going to be a 0:06:27.800 --> 0:06:28.520 massive win. 0:06:30.080 --> 0:06:32.560 Yeah. So that that's, that's that's our concept as well, 0:06:32.560 --> 0:06:34.359 which is basically if you think of all these different 0:06:34.360 --> 0:06:36.839 moving pieces, you kind of want a series of agents 0:06:36.880 --> 0:06:40.640 like AI agents, not not the old school type tackling 0:06:40.640 --> 0:06:43.160 each of those component pieces. Right. So like you mentioned there, 0:06:43.160 --> 0:06:45.919 like who owns the thing? That's a great use case 0:06:45.920 --> 0:06:48.719 for AI and particularly agents because like there is information 0:06:48.760 --> 0:06:51.180 out there to help you solve that problem? Yes, but 0:06:51.180 --> 0:06:52.900 for a human, it's just like it's a, it's a 0:06:52.940 --> 0:06:55.219 like a it's like one of those long tail problems where, like, 0:06:55.260 --> 0:06:57.180 you could go find the answer. It's going to take 0:06:57.180 --> 0:06:58.820 you often a long time to like go figure it out. 0:06:58.820 --> 0:07:00.500 And then going and figuring it out for every single 0:07:00.500 --> 0:07:02.820 ball and every single day becomes really annoying. But for AI, 0:07:02.860 --> 0:07:05.460 that's actually pretty. Like if you've got the right data sources, 0:07:05.460 --> 0:07:09.020 it's actually quite, quite a tolerable problem. Um, so then 0:07:09.020 --> 0:07:10.660 you imagine, like putting an agent on all of those 0:07:10.660 --> 0:07:15.220 different places, like you mentioned, prioritization. Well, before you before 0:07:15.260 --> 0:07:17.380 threat Intel becomes relevant at all, you have to figure 0:07:17.380 --> 0:07:18.980 out whether it can be exploited or not. And that's 0:07:18.980 --> 0:07:21.060 got to be your first agent, because if it can't 0:07:21.060 --> 0:07:23.700 be exploited, it's irrelevant whether it's got threat Intel associated 0:07:23.700 --> 0:07:25.940 with it or whether the business context is is bad, 0:07:25.940 --> 0:07:27.340 or whether the outcome could be bad or how to 0:07:27.340 --> 0:07:30.300 fix it, like everything else becomes irrelevant because you just 0:07:30.300 --> 0:07:32.420 need to stop there. So you, like, start there with 0:07:32.420 --> 0:07:34.500 that agent and then build out like agent by agent 0:07:34.500 --> 0:07:36.900 for each part of that flow. And as you said, 0:07:36.940 --> 0:07:40.340 like figuring out who owns it, um, what action they 0:07:40.340 --> 0:07:42.060 need to take, what would be the most efficient action. 0:07:42.060 --> 0:07:43.220 And then you can go all the way through to 0:07:43.260 --> 0:07:45.260 like starting to generate those actions for them. Right? Which 0:07:45.260 --> 0:07:47.740 is like, yes, I don't think we're quite there with 0:07:47.740 --> 0:07:50.230 just taking the action. But if we've done enough work 0:07:50.230 --> 0:07:53.390 intelligently to figure out what the problem is, how it's fixed, 0:07:53.430 --> 0:07:55.630 what the ramifications could be, then we can start to 0:07:55.630 --> 0:07:58.670 generate actions for people and saying like, look, hey Sarah, 0:07:59.350 --> 0:08:02.550 I found this vulnerability. I proved it could be exploited. 0:08:02.590 --> 0:08:04.710 I proved it could be bad. I actually figured out 0:08:04.710 --> 0:08:06.710 what the right thing to do would be. I generated 0:08:06.710 --> 0:08:08.150 it for you. Do you want to do it? Yes 0:08:08.150 --> 0:08:10.910 or no? That's a hell of a lot better experience than, like, 0:08:11.070 --> 0:08:13.870 here's ten findings, of which one of them's probably maybe 0:08:13.870 --> 0:08:17.230 bad good luck. Which is kind of like today's situation oftentimes. 0:08:17.270 --> 0:08:17.830 Yeah. 0:08:17.910 --> 0:08:19.270 Um, so yeah, that's the idea. 0:08:19.470 --> 0:08:22.190 Yeah. No, I really love that. I mean, if you're 0:08:22.190 --> 0:08:25.910 inside of their tool, let's say it's, it's, um, GitHub 0:08:25.910 --> 0:08:28.190 or whatever it is, and it's just like, here's a 0:08:28.230 --> 0:08:31.550 PR that I've submitted. You can see the diff right here. 0:08:32.070 --> 0:08:34.790 And like this is what she does every day, all 0:08:34.790 --> 0:08:39.030 day anyway in this exact tool. So she's like yes, 0:08:39.030 --> 0:08:44.469 I accept. Boom. That's way, way easier than the thing 0:08:44.470 --> 0:08:47.050 that just doesn't work. Which is Witches. They received a 0:08:47.050 --> 0:08:51.050 report which had like 480 things in it. And and 0:08:51.050 --> 0:08:52.650 now it's her job to figure out if any of 0:08:52.650 --> 0:08:55.410 those apply to her. And then when she looks inside, 0:08:55.410 --> 0:08:58.730 the vulnerability description is just like this wall of text, 0:08:59.130 --> 0:09:02.770 which came from like a generic vulnerability description. And so 0:09:02.770 --> 0:09:06.290 she's left trying to figure out like, okay, like what 0:09:06.290 --> 0:09:10.970 exactly is this saying? And guess what? That's why management 0:09:11.290 --> 0:09:14.410 like hasn't been doing so well over the last like 0:09:14.450 --> 0:09:15.410 25 years. 0:09:16.970 --> 0:09:19.290 Yeah. Yeah. Well the worst thing is though like for 0:09:19.290 --> 0:09:22.290 Sarah there a lot of places now have got to 0:09:22.290 --> 0:09:24.610 the point where they like one of the easiest applications 0:09:24.610 --> 0:09:27.850 of AI was throw a list of existing findings in 0:09:27.850 --> 0:09:30.209 and like get some suggested actions out because it was 0:09:30.210 --> 0:09:32.290 just like literally like single call. You could like throw 0:09:32.290 --> 0:09:34.370 a finding in, give you some code, give you something. 0:09:34.410 --> 0:09:36.410 And that's where a lot of like our auto fix 0:09:36.410 --> 0:09:38.970 suggestions kind of come from today. The problem is that 0:09:38.970 --> 0:09:41.370 because they started there, rather than starting right at the 0:09:41.370 --> 0:09:42.850 root of the problem, which is like most of the 0:09:42.850 --> 0:09:46.300 findings don't mean anything. Yeah. We end up with, let's 0:09:46.300 --> 0:09:48.460 say we have a list. Your list of 480 findings 0:09:48.460 --> 0:09:52.620 turns into 480 auto fixes. And so we've got a 0:09:52.620 --> 0:09:54.660 lot of work getting generated that doesn't need to be 0:09:54.660 --> 0:09:56.420 there in the first place. And also, most of them 0:09:56.460 --> 0:09:58.860 lack a lot of the context about, like, how this 0:09:58.860 --> 0:10:00.860 thing exploited what would be the most appropriate fix. So 0:10:00.860 --> 0:10:02.260 we've kind of like started at the end in a 0:10:02.260 --> 0:10:04.100 lot of cases now. And we need to go, I 0:10:04.100 --> 0:10:06.460 think like back to the start, get back to the 0:10:06.460 --> 0:10:08.500 root of the problem, figure out how bad these things 0:10:08.540 --> 0:10:10.380 like figure out what like if they can be exploited, 0:10:10.380 --> 0:10:12.180 how bad they are, what the context is around them, 0:10:12.179 --> 0:10:14.180 and then feed all of that into our remediation efforts. 0:10:14.179 --> 0:10:16.340 And suddenly Sarah gets not only like a shorter list, 0:10:16.340 --> 0:10:18.980 but like a way more intelligent list of, of of 0:10:18.980 --> 0:10:20.579 actions you could take. And then, as you said, she 0:10:20.580 --> 0:10:22.980 gets away from, you know, just getting that like blank 0:10:22.980 --> 0:10:25.260 report with a vague description to you just need to 0:10:25.260 --> 0:10:27.980 do this thing now. Okay, great. Like click uh, and 0:10:27.980 --> 0:10:30.220 that's hopefully like, honestly it's kind of why we started 0:10:30.220 --> 0:10:32.020 the company is we used to lead like the PM 0:10:32.020 --> 0:10:34.380 and engineering teams at various places. And it just it 0:10:34.380 --> 0:10:36.700 just annoyed us because because the teams were spending so 0:10:36.700 --> 0:10:39.660 much so long like, uh, spinning their wheels around the problem. 0:10:39.660 --> 0:10:41.260 And it was just annoying. So we just thought like, 0:10:41.260 --> 0:10:43.679 this can't be right. Um, and so, Yeah, here we are. 0:10:44.760 --> 0:10:49.120 Yeah. That's it from my experience. That's absolutely the best 0:10:49.120 --> 0:10:52.120 place to have a startup is like, the founders are 0:10:52.120 --> 0:10:55.920 familiar with the pain of the problem, right? And it's 0:10:55.920 --> 0:10:59.040 like they just wish that they had this in the 0:10:59.040 --> 0:11:02.800 past for their problem. And, like, it's just a really 0:11:03.559 --> 0:11:07.120 pure way to start a company. Um, so what can 0:11:07.120 --> 0:11:10.920 you say about the, um, the current state of agents, um, 0:11:10.960 --> 0:11:13.959 with all the hype and what, like what works? Uh, 0:11:13.960 --> 0:11:16.480 and as much as you can share about about your, like, 0:11:16.520 --> 0:11:20.080 approach to the agents, like how many are there? Are they, 0:11:20.120 --> 0:11:23.200 are they working on different things all at the same time? 0:11:23.200 --> 0:11:27.040 Are they coming back and like unifying into one context, 0:11:27.080 --> 0:11:27.880 that kind of stuff? 0:11:29.559 --> 0:11:31.880 Yeah. Good question. I was actually just I was just 0:11:31.880 --> 0:11:33.880 talking to a CSO about this earlier today, and we 0:11:33.880 --> 0:11:36.200 have quite a funny chat about it of where people's 0:11:36.200 --> 0:11:38.439 expectations sometimes of what agents can do are and like 0:11:38.440 --> 0:11:43.170 the reality and some of the like. They sometimes they 0:11:43.170 --> 0:11:45.730 look so impressive when you first start using them that 0:11:45.730 --> 0:11:49.530 you kind of imagine that they're capable of just tackling 0:11:49.570 --> 0:11:51.890 like all sorts of tasks with limited guidance. Right? You're 0:11:51.890 --> 0:11:54.090 just a bit like imagine, like you're working with like 0:11:54.090 --> 0:11:56.490 a really senior colleague. You can give them a really 0:11:56.490 --> 0:11:58.530 vague instruction and they'll just like figure it out and 0:11:58.530 --> 0:12:01.449 probably get a good result. The agents can sometimes feel 0:12:01.450 --> 0:12:03.170 a bit like that. So people end up being like, cool, 0:12:03.170 --> 0:12:04.969 we're going to build this platform and agents are going 0:12:04.970 --> 0:12:07.290 to do all these like 100 different things, right? And 0:12:07.290 --> 0:12:09.730 I see some security companies starting to, like, fall into 0:12:09.730 --> 0:12:11.610 this trap a little bit where they're like, we use 0:12:11.610 --> 0:12:13.570 agents now. We use agents for like this and this 0:12:13.570 --> 0:12:16.410 and this and this and this. And having worked with 0:12:16.410 --> 0:12:19.810 them for the last over a year now, my perception 0:12:19.809 --> 0:12:23.530 of them is they're much more like very knowledgeable, like 16, 0:12:23.530 --> 0:12:26.929 17 year olds, right? In that like they're knowledgeable, they're 0:12:26.929 --> 0:12:29.530 capable of getting a task done. But they need a 0:12:29.530 --> 0:12:35.329 ton of like clear instructions, guidance, guardrails like training back 0:12:35.330 --> 0:12:37.570 and forth with a manager again and again and again 0:12:37.570 --> 0:12:39.490 and again. And then you can get them a bit 0:12:39.490 --> 0:12:42.220 like teaching a grad how to do a specific job. 0:12:42.260 --> 0:12:44.380 You can take your like 17 year old and turn 0:12:44.380 --> 0:12:47.060 them into someone who is pretty capable at that job 0:12:47.100 --> 0:12:48.380 day in, day out, but they still need to be 0:12:48.380 --> 0:12:51.220 doing it in like a relatively narrow, confined space. And 0:12:51.220 --> 0:12:53.460 they still need a lot of guidance and training and oversight. 0:12:53.740 --> 0:12:55.660 And that, I think, is where we currently are with 0:12:55.660 --> 0:12:58.020 a lot of agents. But that doesn't mean for security, 0:12:58.020 --> 0:13:01.060 because we have so many tightly well-defined problems, lots of 0:13:01.059 --> 0:13:05.020 data and lots of ways to give guardrails to these things. 0:13:05.059 --> 0:13:07.260 If you spend enough time honing them, they can just 0:13:07.260 --> 0:13:10.500 start doing incredible stuff. But it's really not a case 0:13:10.500 --> 0:13:12.820 of like, cool, I'll just throw this problem into Claude 0:13:12.820 --> 0:13:15.179 and just like, see what it comes out with. Because 0:13:15.580 --> 0:13:17.099 a lot of a that's gonna be very expensive a 0:13:17.100 --> 0:13:18.699 lot of time if you do it without any optimization, 0:13:18.740 --> 0:13:21.660 B you're gonna end up with like, such an unpredictable 0:13:21.660 --> 0:13:24.260 result that you're going to go off the idea entirely. Um, 0:13:24.660 --> 0:13:26.059 and I run into teams like that all the time 0:13:26.059 --> 0:13:27.699 where they're like, oh, yeah, I tried this for like 0:13:27.740 --> 0:13:29.860 a day, and it didn't quite work. It's like, well, 0:13:29.860 --> 0:13:32.179 you need to spend so long, like getting them there. 0:13:32.179 --> 0:13:34.100 So that's kind of my perception of it. They I 0:13:34.100 --> 0:13:35.700 don't know what you're seeing. I'm sure you're playing around 0:13:35.700 --> 0:13:37.900 with them in your own world, but like, they can 0:13:37.900 --> 0:13:41.160 do incredible things. It just takes work basically would be 0:13:41.160 --> 0:13:41.720 the summary. 0:13:42.040 --> 0:13:44.720 Yeah, yeah, very much agree with that. Yeah. I just 0:13:44.720 --> 0:13:48.680 got done talking to, uh, Matthew Brown, uh, who led 0:13:48.679 --> 0:13:52.320 the AI sec competition. Are you following that whole thing? 0:13:54.040 --> 0:13:55.920 Yes. Yeah, vaguely followed it. 0:13:55.920 --> 0:14:01.080 Yeah. The this, uh, DARPA competition and it's open source project, 0:14:01.200 --> 0:14:05.240 and basically, they'll all release their things. I'm not sure, um, 0:14:05.960 --> 0:14:08.679 if anyone's messed with them yet, but the idea was 0:14:08.679 --> 0:14:12.760 to just go and find vulnerabilities on GitHub, and then 0:14:12.800 --> 0:14:14.559 you have to be able to fix them. So that's 0:14:14.559 --> 0:14:18.240 this multi-year competition from DARPA. So I was talking to 0:14:18.280 --> 0:14:21.520 him about this agent design thing, and he was like, yeah, 0:14:21.560 --> 0:14:24.600 the first, most important thing is like break the problems 0:14:24.600 --> 0:14:29.360 into categories. And the category is, um, should you even 0:14:29.400 --> 0:14:33.880 be using AI at all for this? Right. So, um, 0:14:33.960 --> 0:14:37.650 and try to do as much with regular deterministic code 0:14:37.650 --> 0:14:42.210 is possible and like it because too much. Intelligence is 0:14:42.210 --> 0:14:45.090 the thing. Too much creativity is a thing. Um, and 0:14:45.090 --> 0:14:49.050 especially if you ask a model, does this look vulnerable 0:14:49.050 --> 0:14:51.290 to you? They will try to find a way to 0:14:51.330 --> 0:14:56.130 say yes. Right. So it's like it's this weird balance 0:14:56.130 --> 0:15:00.970 between deterministic, uh, deterministic code and then using intelligence where 0:15:00.970 --> 0:15:04.090 you have to, for example, does this look like a cat. 0:15:04.250 --> 0:15:06.490 You can't use deterministic code for that. You have to 0:15:06.490 --> 0:15:09.290 use ML or AI or whatever for that. But like 0:15:09.330 --> 0:15:12.450 this whole system design thing is really fascinating to me. 0:15:13.850 --> 0:15:16.530 Yeah. Your example of like, does this look vulnerable to 0:15:16.530 --> 0:15:19.330 you is a great example of where, like, the agents 0:15:19.330 --> 0:15:22.890 aren't at that level of competency, it's too broad and 0:15:22.890 --> 0:15:25.330 too vague for them. Like they like a human may 0:15:25.330 --> 0:15:26.930 not even be able to answer that. Like, you line 0:15:26.930 --> 0:15:28.490 up ten humans and they might give you a bit 0:15:28.490 --> 0:15:30.770 different answers anyway, let alone what agents would give you. 0:15:31.170 --> 0:15:33.090 So yeah, you're right. I think like the nature of 0:15:33.090 --> 0:15:36.070 it is how do you distill it down to smaller 0:15:36.070 --> 0:15:39.350 and smaller and smaller questions and like make it impossible 0:15:39.350 --> 0:15:41.390 to get it wrong, given the knowledge that it has 0:15:41.430 --> 0:15:43.670 and like the ability that it has? And again, much like, 0:15:43.710 --> 0:15:46.390 like imagine you're like leading a team of like new grads, 0:15:46.390 --> 0:15:48.110 like you're not going to just ask them vague stuff 0:15:48.110 --> 0:15:49.270 at the start of the day and see how they 0:15:49.270 --> 0:15:50.670 get on. Like a week later. You're going to give 0:15:50.670 --> 0:15:53.590 them all very like tight, refined tasks. You got to 0:15:53.590 --> 0:15:55.670 keep checking in on them. And then you're probably going 0:15:55.670 --> 0:15:57.910 to like, you know, aggregate their work at the end 0:15:57.910 --> 0:16:01.350 and then you're going to come out with something useful, hopefully. Um, 0:16:01.350 --> 0:16:02.830 and I think that's much more like where we are. 0:16:02.870 --> 0:16:06.870 Yeah. So, so what is, um, the product that you have? 0:16:06.950 --> 0:16:09.790 What does it do? Like, how does the work, like, 0:16:09.790 --> 0:16:13.830 what sources are you pulling from? Are you aggregating other sources? 0:16:13.830 --> 0:16:17.190 Are you finding yourself, uh, like, what is the workflow 0:16:17.190 --> 0:16:18.630 look like for somebody using it? 0:16:20.430 --> 0:16:22.630 Yeah. So in essence, it's really just a way of 0:16:22.670 --> 0:16:25.110 going from like, I have a potential risk. I need 0:16:25.110 --> 0:16:27.510 to investigate it and figure out how bad it is. 0:16:27.550 --> 0:16:29.910 I need I need help fixing it. Like that's the 0:16:29.950 --> 0:16:31.870 really the workflow that it does at the moment. It 0:16:31.870 --> 0:16:37.920 does that all with cloud CVS. It's basically like cloud infrastructure, um, VMs, containers, etc. 0:16:37.960 --> 0:16:41.760 pull in the vulnerabilities that are found by scanners. Investigate 0:16:41.760 --> 0:16:44.800 every single one of them. Come away with that you 0:16:44.800 --> 0:16:47.840 know 10% as long list. And then within that list 0:16:47.840 --> 0:16:49.960 prioritize the very, very, very small number that are going 0:16:49.960 --> 0:16:51.880 to lead to something bad happening and then help people 0:16:51.880 --> 0:16:53.520 fix them. Um, so that's the flow at the moment. 0:16:53.560 --> 0:16:57.040 Like cloud vulns in um, like human level triage, I 0:16:57.040 --> 0:16:58.840 guess in the middle and then like, fixes come out 0:16:58.840 --> 0:17:00.960 the other end. And as you can imagine, then as 0:17:00.960 --> 0:17:02.520 we build out that platform, it gives us more and 0:17:02.520 --> 0:17:04.840 more potential to throw more and more different types of 0:17:04.840 --> 0:17:07.520 data at that same platform. But for now, very kind 0:17:07.520 --> 0:17:09.240 of focused on on just cloud CVS. 0:17:09.280 --> 0:17:13.840 Yeah, that makes sense. And so, um, pretty much the 0:17:13.840 --> 0:17:17.520 top products that are out there, like when they're emitting vulns, 0:17:17.520 --> 0:17:19.600 you can just consume from them, you can connect to 0:17:19.600 --> 0:17:23.360 them and get their phones, uh, a list essentially. 0:17:24.960 --> 0:17:27.120 Exactly. Yeah. Because it's always been a very integrated kind 0:17:27.119 --> 0:17:30.240 of like area of VM was, you know, probably probably. No. 0:17:30.240 --> 0:17:33.330 And so, um, so yeah, I think people are very 0:17:33.330 --> 0:17:35.450 used to kind of like aggregating data from scanners and 0:17:35.450 --> 0:17:37.290 bringing it around and stuff like that. This is a 0:17:37.290 --> 0:17:39.290 a big twist on that, because rather than aggregating it 0:17:39.290 --> 0:17:40.889 and putting some kind of score on top of it 0:17:40.890 --> 0:17:44.650 or something, you're aggregating it and then letting AI kind 0:17:44.690 --> 0:17:47.050 of like, investigate everything like a human would have done, 0:17:47.050 --> 0:17:49.090 and then coming away with a very different answer on 0:17:49.090 --> 0:17:52.490 the other side. Um, but yeah, we basically pulled from API's, uh, 0:17:52.490 --> 0:17:54.970 pulled from the cloud environment, gather all the context, pull 0:17:54.970 --> 0:17:57.050 from other systems if we need to, sometimes to like 0:17:57.050 --> 0:17:59.970 gather more context to help us with our assessments and then, um, 0:18:00.250 --> 0:18:02.330 you know, create actions at the other end. But it's 0:18:02.330 --> 0:18:04.410 meant to as I said, the analogy is just always like, 0:18:04.450 --> 0:18:07.210 what would what would, like Daniel four years ago or 0:18:07.210 --> 0:18:09.210 something have done, like trying to solve this internally? Like, 0:18:09.210 --> 0:18:11.290 what would you have gone in if you had the time? Like, 0:18:11.290 --> 0:18:12.570 what would you have gone and looked at? What data 0:18:12.570 --> 0:18:14.890 would you have gathered? How would you put it all together? 0:18:14.890 --> 0:18:16.730 And then how do we do that automatically? 0:18:16.730 --> 0:18:20.290 Basically, yeah, I really love that framing of AI. Like, um, 0:18:20.290 --> 0:18:24.090 I try to discourage people, especially who are negative about AI, 0:18:24.130 --> 0:18:27.530 from thinking of it like as some special tech and 0:18:27.530 --> 0:18:31.510 just imagining it as extra eyes and hands. And to 0:18:31.510 --> 0:18:35.109 your point right now, 16 and 17 year old eyes 0:18:35.109 --> 0:18:36.990 and hands. Right. So it's like. 0:18:37.270 --> 0:18:37.830 Yeah, yeah. 0:18:37.869 --> 0:18:40.070 Um, what what would you have done if you had 0:18:40.070 --> 0:18:44.550 10,000 people to put on every given day to go 0:18:44.550 --> 0:18:46.350 and look? And it's like, well, I would go and 0:18:46.350 --> 0:18:49.469 collect them and I would go and analyze them. I 0:18:49.470 --> 0:18:52.429 would dig into the details and all the things that 0:18:52.430 --> 0:18:55.830 you just said. That's what we would do be doing manually. 0:18:55.830 --> 0:18:57.590 So that's what we should try to get the agents 0:18:57.590 --> 0:19:00.030 to do. It's like it's not complex. It's like not 0:19:00.030 --> 0:19:02.710 special tech. It's just you've got extra eyes and hands. 0:19:02.710 --> 0:19:03.669 What do you do with them? 0:19:05.190 --> 0:19:07.710 Yeah, exactly. And they don't get bored. Um, and they 0:19:07.950 --> 0:19:09.669 can use as many of them as you want within 0:19:09.670 --> 0:19:12.109 within reason. Um, and that's why I think a lot 0:19:12.109 --> 0:19:15.150 of people get wrong sometimes is like they're trying to 0:19:16.310 --> 0:19:18.910 they try and like. Yeah, they try and just think like, okay. 0:19:18.950 --> 0:19:21.470 Like there is like human jobs today. And there is 0:19:21.510 --> 0:19:23.270 what AI can do. And like it's just a one 0:19:23.270 --> 0:19:26.190 for one fight. But it's not. It's more like, it's 0:19:26.190 --> 0:19:28.110 more like, what is all the long tail of stuff 0:19:28.560 --> 0:19:30.399 that like four years ago, I couldn't write software to 0:19:30.400 --> 0:19:32.960 help me with. But now I can use software to 0:19:32.960 --> 0:19:34.960 help me with and like, what's that long tail of 0:19:34.960 --> 0:19:36.639 stuff that I'm never, ever going to get time to do, 0:19:36.640 --> 0:19:38.280 but would be useful if I do enough of it 0:19:38.280 --> 0:19:40.280 and I can aggregate it all up like that's where 0:19:40.280 --> 0:19:43.119 the value is today. And this insecurity, like security, is 0:19:43.119 --> 0:19:46.160 absolutely full of use cases like that where like theoretically 0:19:46.160 --> 0:19:47.560 we would like to go and look at a bunch 0:19:47.560 --> 0:19:49.920 of stuff, read a bunch of different data points, pull 0:19:49.920 --> 0:19:52.000 it all together, come up with conclusions, etc. but we 0:19:52.000 --> 0:19:54.560 just don't have the time. So yeah, I think hopefully, 0:19:55.080 --> 0:19:56.760 hopefully people are starting to figure that out, which is 0:19:56.760 --> 0:19:58.170 like it doesn't have to be just like a 1 0:19:58.170 --> 0:20:00.000 to 1 with what a human is doing. It's more 0:20:00.040 --> 0:20:02.600 like a yeah, what's what's the list of stuff you 0:20:02.600 --> 0:20:05.280 would do if your day was 100 times longer or something? 0:20:05.800 --> 0:20:10.560 Yeah, yeah. That's right. And yeah, I've been thinking about this, uh, 0:20:10.560 --> 0:20:14.200 limitations of creativity. Um, like, I call it a type 0:20:14.200 --> 0:20:18.480 three limitation, um, because there's two others. But the limitation 0:20:18.480 --> 0:20:23.200 is basically not realizing because we grew up in the past, obviously, 0:20:23.200 --> 0:20:27.300 that's the way time moves is forward. And it's like, Um, 0:20:27.619 --> 0:20:31.820 we just have blocked out a million different things that 0:20:31.820 --> 0:20:34.780 we could be doing in life. Life and at work 0:20:34.780 --> 0:20:37.460 or whatever. And so I kind of think of, like 0:20:37.500 --> 0:20:40.260 how many logs are actually streaming in to, into a 0:20:40.260 --> 0:20:44.740 given organization, right? Let's say terabytes per day, depending on 0:20:44.740 --> 0:20:48.140 the size of the company. And like the natural assumption 0:20:48.140 --> 0:20:50.500 over the last 20 years is, well, we could look at, 0:20:50.540 --> 0:20:55.180 you know, 0.01%. So let's try to find that 0.01%. 0:20:55.580 --> 0:20:58.500 And so we we without even knowing it, we have 0:20:58.500 --> 0:21:02.540 these invisible barriers on us. And what AI is like 0:21:02.580 --> 0:21:05.940 forcing me and like, you know, us in general to 0:21:05.980 --> 0:21:10.220 do is like, think outside of that. Think what could 0:21:10.220 --> 0:21:13.699 you do potentially if in that case, it wouldn't be 0:21:13.700 --> 0:21:16.220 like if I could double my team because it would 0:21:16.220 --> 0:21:19.900 still be 0.01%. But if you had a million agents 0:21:21.180 --> 0:21:24.020 that could read logs or whatever, and maybe some of 0:21:24.020 --> 0:21:26.629 them can help you whittle down how many logs are 0:21:26.630 --> 0:21:30.830 being generated or whatever, but it's like I find it 0:21:30.830 --> 0:21:35.550 strange that we have these artificial barriers on ourselves about 0:21:35.550 --> 0:21:38.830 what is possible, based on the fact that we grew 0:21:38.830 --> 0:21:40.270 up in tech in the past. 0:21:42.470 --> 0:21:44.070 Yeah, I see that all the time, but that's a 0:21:44.070 --> 0:21:46.189 great way of phrasing it. I think one one good 0:21:46.190 --> 0:21:48.469 way of breaking out of that, which I think you 0:21:48.470 --> 0:21:50.830 can use outside of security. But it's interesting in security 0:21:50.830 --> 0:21:54.909 is fast forward like five years, right? Yeah. And AI 0:21:54.950 --> 0:21:57.110 is way is way progressed. And I'm sure we're going 0:21:57.109 --> 0:21:58.669 to go through like peaks and troughs with AI during 0:21:58.670 --> 0:22:01.710 that time, you know, of, of of success and failures 0:22:01.710 --> 0:22:03.510 and stuff like that. But over five years you'd expect 0:22:03.510 --> 0:22:05.710 it to get pretty far and it's spread pretty wide 0:22:05.710 --> 0:22:07.429 and change a lot of how we do all that stuff. 0:22:07.990 --> 0:22:11.390 You got to think in that scenario. What is competition 0:22:11.869 --> 0:22:14.910 from people using AI more heavily than you are going 0:22:14.910 --> 0:22:17.590 to change about your behavior by then? Right. And so 0:22:17.830 --> 0:22:21.110 in security, the competition there is not necessarily other companies. 0:22:21.109 --> 0:22:24.850 It's actually attackers. And I'm always like, remiss to like, 0:22:25.369 --> 0:22:26.730 say too much of this because you don't want to 0:22:26.730 --> 0:22:29.609 feel like I'm scaremongering or anything like that. But if 0:22:29.650 --> 0:22:31.969 you think about what we've what we're now seeing, like 0:22:32.010 --> 0:22:33.530 you and I are working with AI agents and stuff 0:22:33.530 --> 0:22:35.810 like that, and we're seeing what they can do and 0:22:35.810 --> 0:22:38.050 how they're starting to scale into like pretty complex security tasks. 0:22:38.050 --> 0:22:40.770 Just like imagine that on the flip side. And so 0:22:41.250 --> 0:22:43.970 if teams are kind of like slower to to think 0:22:43.970 --> 0:22:45.729 creatively and think out the box of like how much 0:22:45.730 --> 0:22:47.290 they could get out of this in the short term, 0:22:47.650 --> 0:22:49.209 they're going to be forced to in the long term 0:22:49.410 --> 0:22:52.010 because eventually attackers are not like they're not going to 0:22:52.010 --> 0:22:53.890 like hang around. They're just going to be like ruthless 0:22:53.890 --> 0:22:55.530 in terms of figuring out how to do it. And 0:22:55.530 --> 0:22:58.410 they're gonna, um, and they're going to start forcing our 0:22:58.410 --> 0:23:02.090 hand to actually think, okay, well, it's not it's not 0:23:02.090 --> 0:23:03.770 just a nice to have anymore to, like, be able 0:23:03.770 --> 0:23:06.409 to go and tackle those 10,000 other, like, things that 0:23:06.410 --> 0:23:08.010 you might do if you had the time. Like it 0:23:08.010 --> 0:23:10.410 starts to become a must have, because suddenly the stuff 0:23:10.410 --> 0:23:13.649 that used to be easy to defend against starts to 0:23:13.650 --> 0:23:15.570 become hard to defend against, and all our behaviors have 0:23:15.570 --> 0:23:18.250 to change. I think actually applies across a bunch of industries. Like, 0:23:18.290 --> 0:23:20.330 you can apply that to all sorts of different products, 0:23:20.330 --> 0:23:22.580 which is like if you're struggling to think creatively about 0:23:22.580 --> 0:23:25.500 where this could all go, think five years forward. Think 0:23:25.500 --> 0:23:27.659 about what the competitive landscape around you looks like. If 0:23:27.660 --> 0:23:30.100 everyone else is really heavily using AI. And then work 0:23:30.100 --> 0:23:32.260 backwards to like what you probably need to do. And 0:23:32.260 --> 0:23:35.020 I think a lot of security is probably like that today, 0:23:35.020 --> 0:23:36.179 although it's going to take a bit of time for 0:23:36.180 --> 0:23:37.139 it to all shake out. 0:23:37.740 --> 0:23:40.340 Yeah, I very much agree with that. Um, the way 0:23:40.340 --> 0:23:45.460 I characterize it for the future is essentially, um, in, 0:23:45.460 --> 0:23:48.619 in the, uh, the head of DeepMind thinks this way 0:23:48.619 --> 0:23:51.420 as well, is like this, um, it's all about building 0:23:51.420 --> 0:23:54.140 world models of the things you care about. So in 0:23:54.140 --> 0:23:58.540 the case of of what we're doing, it's like understanding the, um, 0:23:58.580 --> 0:24:02.459 the it stack perfectly understanding the business, perfectly understanding the 0:24:02.460 --> 0:24:05.780 people there and the developers and the projects they're working 0:24:05.780 --> 0:24:08.780 on and their spend. And just like having a perfect 0:24:08.780 --> 0:24:12.940 picture of that company, or in the case of attackers, 0:24:12.940 --> 0:24:15.859 which is guaranteed to be using the same tech against you, 0:24:16.020 --> 0:24:18.780 they have a world model of a world model of 0:24:18.820 --> 0:24:22.469 their target. And we are the target. So we better 0:24:22.470 --> 0:24:25.230 have a better world model of ourselves than they have 0:24:25.270 --> 0:24:29.869 of us. Because in a way, it's just dueling banjos 0:24:29.910 --> 0:24:34.910 of their AI system against our AI system. Who has 0:24:34.910 --> 0:24:38.710 the most up to date data now? Um, and, and 0:24:38.750 --> 0:24:43.909 I basically say that attackers are going to win first 0:24:43.910 --> 0:24:47.270 because they could just start shipping with this quick. Right? 0:24:47.510 --> 0:24:50.230 And right now, everyone's like trying to figure out what's 0:24:50.230 --> 0:24:52.550 going on. So attackers are going to move first. But 0:24:52.550 --> 0:24:56.470 ideally and for somebody like Google already, they are so 0:24:56.470 --> 0:24:59.990 organized that they should have more up to date internal 0:24:59.990 --> 0:25:04.110 information coming out of these platforms to feed to their 0:25:04.109 --> 0:25:08.470 agents to keep that context more up to date. Um, 0:25:08.750 --> 0:25:12.910 but I very much agree with your your characterization here. 0:25:12.910 --> 0:25:17.030 It's like, look, just imagine that your attacker knows everything 0:25:17.030 --> 0:25:20.810 about you and they can sense changes in your environment. 0:25:20.810 --> 0:25:23.889 So you added this new company because there was a 0:25:23.890 --> 0:25:29.450 merger and acquisition which they learned about from from Crunchbase. Okay. 0:25:29.650 --> 0:25:32.770 So now they're going to profile that entire company, and 0:25:32.770 --> 0:25:35.170 they're going to assume that what Vulns are there are 0:25:35.170 --> 0:25:38.210 going to now be your vulns for a period of time. 0:25:38.369 --> 0:25:41.930 So they're going to start attacking those things. And it's like, well, 0:25:41.930 --> 0:25:44.450 how fast are you making that adjustment? Because they're going 0:25:44.490 --> 0:25:47.770 to make it pretty fast. And it really is this 0:25:48.050 --> 0:25:50.530 that's the game. That's the competition is who has a 0:25:50.530 --> 0:25:51.369 better system. 0:25:53.170 --> 0:25:55.409 Yeah. And it's not it's not like superhuman stuff I 0:25:55.410 --> 0:25:58.609 don't think. We may occasionally see some pretty, pretty wild attacks, 0:25:58.609 --> 0:26:00.609 but it's just going to be the stuff that we 0:26:00.650 --> 0:26:04.010 kind of think is kind of hard and therefore kind 0:26:04.050 --> 0:26:06.690 of rare today. Right? It's just going to happen way 0:26:06.690 --> 0:26:08.929 more frequently, I think is the most sensible thing that 0:26:08.970 --> 0:26:11.210 like your example there of like that's kind of rare 0:26:11.210 --> 0:26:13.169 for an attacker to have the sense and the timing 0:26:13.210 --> 0:26:14.610 to be like, okay, we're now going to go after 0:26:14.609 --> 0:26:16.810 you because we've got this acquisition, but that just becomes 0:26:17.300 --> 0:26:19.940 10 to 100 times cheaper to do in the New World, 0:26:19.940 --> 0:26:24.060 and therefore theoretically becomes a lot more common. Um, and 0:26:24.060 --> 0:26:25.899 we saw this I used to work in, uh, in 0:26:26.420 --> 0:26:30.179 fishing and pre like lem era. We saw some similar 0:26:30.180 --> 0:26:32.580 types of effects where basically there was this period of 0:26:32.580 --> 0:26:35.419 time where people went from, they figured out that like, 0:26:35.460 --> 0:26:38.300 you know, the Nigerian prince email didn't work anymore, like 0:26:38.300 --> 0:26:41.180 the mass mail phishing email didn't work anymore. And so 0:26:41.180 --> 0:26:43.660 they started working on more targeted stuff. And that worked. 0:26:43.940 --> 0:26:46.260 And then they realized it worked. And so they built 0:26:46.260 --> 0:26:47.860 a load of phishing kits like phishing as a service 0:26:47.859 --> 0:26:48.980 and all this kind of stuff, and they made it 0:26:48.980 --> 0:26:50.780 really cheap for each other to do it. And suddenly 0:26:50.780 --> 0:26:53.860 we saw this insane spike where it went from like 0:26:53.900 --> 0:26:56.100 business email compromise and similar types of emails being like 0:26:56.140 --> 0:26:59.780 kind of there, but not that common to suddenly they 0:26:59.780 --> 0:27:02.660 were unbelievably common because the attackers made it cheap for themselves. 0:27:02.700 --> 0:27:04.500 And so like as soon as attackers make stuff cheap 0:27:04.500 --> 0:27:06.540 for themselves, you see the volume go up. I feel 0:27:06.540 --> 0:27:09.379 like we're kind of nearing the precipice of that starting 0:27:09.420 --> 0:27:11.020 to starting to happen. I don't know whether it'll happen 0:27:11.060 --> 0:27:13.540 like this year or next year or something, but as 0:27:13.540 --> 0:27:15.220 you said, they'll be pretty ruthless with it. They won't 0:27:15.220 --> 0:27:18.600 they won't hang around and chat about it. Uh, they'll, uh, 0:27:18.600 --> 0:27:20.240 they'll just get to work and it starts working. 0:27:20.640 --> 0:27:24.160 Yeah. Yeah. And going back to your previous point that 0:27:24.160 --> 0:27:26.520 you made, um, that we were talking about with, like, 0:27:26.560 --> 0:27:30.640 the extra eyes and hands, um, and how this is 0:27:30.640 --> 0:27:34.120 just kind of like it. It's not superhuman stuff. It's 0:27:34.119 --> 0:27:36.040 stuff that you could do with more scale if you 0:27:36.040 --> 0:27:39.160 had more people. Um, and since you're talking about fishing, 0:27:40.000 --> 0:27:42.720 one of my greatest examples of this is like, what 0:27:42.720 --> 0:27:45.560 if you could just create a perfect dossier on every 0:27:45.560 --> 0:27:49.280 employee at the target? So, um, and I've already got 0:27:49.320 --> 0:27:51.239 a tech stack that does this, actually. So I could 0:27:51.240 --> 0:27:53.640 just give someone's name and it will build me, like 0:27:53.640 --> 0:27:58.840 a six page CIA background thing and like, including, like, 0:27:58.880 --> 0:28:02.960 likely personality analysis or whatever. Well, I could then feed 0:28:02.960 --> 0:28:06.280 that to a thing that writes spearfishing. So so here's 0:28:06.280 --> 0:28:10.320 the question if if you had um, if you used 0:28:10.320 --> 0:28:13.480 to be an attacker outfit with like a 19 people 0:28:14.050 --> 0:28:16.330 and like four of them were really smart or whatever. 0:28:16.450 --> 0:28:19.490 You have 19 people and you're barely able to. You 0:28:19.490 --> 0:28:24.050 have to focus on a very specific vertical. 1 or 2, uh, attack, um, 0:28:24.090 --> 0:28:27.250 you know, targets at a time. And, like, you're really effective, 0:28:27.250 --> 0:28:30.369 but you can only do so much as opposed to saying, hey, 0:28:30.650 --> 0:28:34.890 these 250 companies are the ones I want to go after. Um, 0:28:34.930 --> 0:28:38.770 create dossiers on all of them, then go find all 0:28:38.770 --> 0:28:42.410 their social media posts. Uh, find any time they're complaining 0:28:42.410 --> 0:28:45.090 or talking about the internal tech stack, or they mention 0:28:45.090 --> 0:28:48.610 an acquisition, or they do anything and use that to 0:28:48.650 --> 0:28:51.930 customize your spearfishing. How many people do you have to hire? 0:28:51.970 --> 0:28:55.450 Like this is all 100% possible. This is not special tech. 0:28:55.490 --> 0:29:00.850 It just requires so hundreds or thousands of people because 0:29:01.370 --> 0:29:04.730 do it every hour. Do it every day. Right? Yeah. 0:29:04.770 --> 0:29:07.810 And so so now it's just like you're just you 0:29:07.810 --> 0:29:11.490 just need more skill. And to your point about, um, 0:29:11.940 --> 0:29:15.180 Doing it internally. It's the same exact thing. You. You 0:29:15.220 --> 0:29:18.300 just need more eyes and hands to do this. And 0:29:18.500 --> 0:29:23.100 I'm just fascinated by the fact that, um, I mean, 0:29:23.100 --> 0:29:25.740 one way to characterize this is just imagine all your 0:29:25.740 --> 0:29:31.700 attackers who had 20 employees now have 20,000 employees. That 0:29:31.740 --> 0:29:32.820 that is your problem. 0:29:33.060 --> 0:29:36.460 Yeah. Yeah, that is quite literally. And and as I said, 0:29:36.460 --> 0:29:38.340 it's not like they're now doing stuff that they never 0:29:38.340 --> 0:29:40.460 did before. They're just doing it at they can just 0:29:40.460 --> 0:29:41.900 afford to do it a way bigger scale like your 0:29:41.900 --> 0:29:44.219 fishing example. The worst bit about that is that they 0:29:44.220 --> 0:29:46.980 don't even need to stop at writing the emails today. 0:29:47.260 --> 0:29:49.740 Like they can actually just build agents that can take 0:29:49.780 --> 0:29:53.260 your like dossier of them, right? Understand some stuff about 0:29:53.260 --> 0:29:56.020 them and then kick off a flow of actions that's 0:29:56.020 --> 0:29:58.620 actually gonna be way more effective than that single email, right? 0:29:58.860 --> 0:30:03.020 You know, uh, gently warm up the email recipient calls, 0:30:03.020 --> 0:30:09.060 whatsapps LinkedIn messages. Um, uh, real like real sounding voice calls. Like, 0:30:09.060 --> 0:30:11.720 if they really want to get into it. Fake, fake, 0:30:11.760 --> 0:30:13.920 fake web pages like that is all now in the 0:30:13.920 --> 0:30:16.800 remit of stuff that used to take a single person 0:30:16.800 --> 0:30:19.920 dedicated on that task, right? Like days at a time 0:30:19.920 --> 0:30:22.719 to get all that stuff done repeatedly to if you 0:30:22.720 --> 0:30:24.480 can at least give agents like a certain level of 0:30:24.480 --> 0:30:27.200 guidance around how to do it. That could be, you know, 0:30:27.240 --> 0:30:30.160 maybe not that cheap yet, but like reasonably cheap relative 0:30:30.160 --> 0:30:31.320 to what it used to be. And so, yeah, I 0:30:31.320 --> 0:30:35.320 think your analogy of what imagine you're attackers are now 0:30:35.520 --> 0:30:38.000 10 to 100 times in size each, each outfit, which 0:30:38.000 --> 0:30:40.560 they are like a lot of them are just businesses, right? Um, 0:30:40.600 --> 0:30:42.080 and so they're going to use AI in the same 0:30:42.080 --> 0:30:45.200 way we are. Like make us more efficient. Um, so yeah, 0:30:45.200 --> 0:30:48.120 I think security as an industry has to work backwards 0:30:48.120 --> 0:30:50.600 from there. Like imagine that that's the the current state 0:30:50.600 --> 0:30:52.480 or the future state and then work backwards from there. 0:30:52.480 --> 0:30:54.400 And what does that change about our current perceptions? Because 0:30:54.400 --> 0:30:56.200 I think a lot of our, a lot of our 0:30:56.200 --> 0:31:00.320 current ways of dealing with problems are, well, this will 0:31:00.320 --> 0:31:02.960 kind of be fine in today's world, right? It's like, 0:31:03.200 --> 0:31:05.840 you know, like I can deal with this many like 0:31:05.880 --> 0:31:07.880 back to initial conversation. I can deal with this many 0:31:07.880 --> 0:31:10.650 open vulnerabilities or I can deal with this slower way 0:31:10.650 --> 0:31:12.690 of responding to something, or I can deal with this 0:31:12.690 --> 0:31:16.050 slower a speed to get myself back online in the 0:31:16.050 --> 0:31:17.770 worst case scenario, whatever it might be. It's like, oh, 0:31:17.770 --> 0:31:19.450 we can deal with that. That's probably within the bounds 0:31:19.450 --> 0:31:21.770 of okay. But if all the attackers get 10 to 0:31:21.770 --> 0:31:24.970 100 times bigger, in your words, like, um, by by 0:31:25.010 --> 0:31:27.490 getting more leverage, then which of those things are still 0:31:27.490 --> 0:31:29.130 okay and which are not okay? And then how do 0:31:29.130 --> 0:31:31.410 we start adapting what we do today in response to 0:31:31.450 --> 0:31:33.770 what that's going to look like? Um, and as I said, 0:31:33.770 --> 0:31:36.290 I don't know how quickly all that's going to happen, but, um, 0:31:36.330 --> 0:31:37.930 it's very hard to make a good argument why it's 0:31:37.930 --> 0:31:39.090 not why it's not going to happen. 0:31:39.970 --> 0:31:42.490 Yeah. Totally agree. And I guess one of the most 0:31:42.490 --> 0:31:45.930 tangible ways of thinking about this is like, how how 0:31:46.490 --> 0:31:51.650 large can you tolerate for a window of vulnerability? Uh, right. 0:31:51.810 --> 0:31:55.210 Like maybe previously it was like, you know, ten years 0:31:55.210 --> 0:31:57.330 ago or whatever, it was like a week or whatever. 0:31:57.330 --> 0:31:59.170 And let's say it was half a week, let's say 0:31:59.210 --> 0:32:02.410 it's a day. And I think we start to move 0:32:02.410 --> 0:32:05.130 towards a world and, and who knows how fast. But 0:32:05.130 --> 0:32:08.350 you start to move to a world where hours and 0:32:08.350 --> 0:32:12.470 minutes really matter. Um, where if you have an exposed 0:32:12.470 --> 0:32:15.190 S3 bucket before it. I mean, it takes time for 0:32:15.230 --> 0:32:18.790 the tech and very few people who were automating that 0:32:18.790 --> 0:32:22.710 stuff to actually find that exposed bucket or whatever. I 0:32:22.710 --> 0:32:27.030 think that goes down to minutes. You know, eventually, potentially 0:32:27.030 --> 0:32:30.910 even seconds. So yeah, I, I find the whole thing, uh, 0:32:30.990 --> 0:32:34.630 really fascinating. Um, what what are you guys doing? That's 0:32:34.630 --> 0:32:37.310 that's exciting right now, um, you're looking to put out 0:32:37.310 --> 0:32:39.630 soon or you're excited about you just released? 0:32:41.670 --> 0:32:44.990 Yeah. I mean, we're we're like, um, we're we're so 0:32:44.990 --> 0:32:48.590 new still that we're just getting out there into the world, really. So, like, we're, um, 0:32:48.630 --> 0:32:50.910 we're I'd say we're like, hitting the point now where 0:32:50.910 --> 0:32:53.950 we are close to making some pretty big announcements about 0:32:53.950 --> 0:32:56.550 about where we are with the product and stuff like that. Um, 0:32:56.870 --> 0:32:58.790 but yeah, I think what we are excited about in 0:32:58.790 --> 0:33:00.430 particular at the moment is we've kind of like cracked 0:33:00.430 --> 0:33:02.830 a lot of the triage side of the problem of like, 0:33:02.870 --> 0:33:06.000 how do I understand which vulnerabilities matter? Where we're excited 0:33:06.000 --> 0:33:07.680 a lot at the moment is like, how do we 0:33:07.720 --> 0:33:09.120 how do we start helping people more and more with 0:33:09.120 --> 0:33:11.080 the remediation side? As I said, I think for now 0:33:11.080 --> 0:33:13.720 that's more about like cutting down all the human work 0:33:13.720 --> 0:33:16.000 to a smaller window as possible. But if we do 0:33:16.040 --> 0:33:18.320 theoretically need to get to a point of minutes, then 0:33:18.320 --> 0:33:21.520 you need to cut out humans entirely eventually. Um, but 0:33:21.520 --> 0:33:22.800 I think you've got to go like step by step 0:33:22.800 --> 0:33:25.000 by step. But yeah, we are we're super excited about 0:33:25.000 --> 0:33:26.920 some of the stuff that we're seeing so far in 0:33:26.960 --> 0:33:31.440 that world because, yeah, it's a super complex problem, obviously, 0:33:31.440 --> 0:33:33.320 and it's something you can get very wrong. Right. If 0:33:33.320 --> 0:33:36.160 we're like taking down people's prod environments on a daily 0:33:36.160 --> 0:33:39.640 basis or something. But, um, done right, like it can 0:33:39.640 --> 0:33:42.920 actually take us from this. We're just like shuffling big 0:33:42.920 --> 0:33:44.920 lists of red around, which is kind of what it 0:33:44.920 --> 0:33:48.640 feels like sometimes last few years, uh, to a point of, okay, 0:33:48.640 --> 0:33:50.760 we actually feel like we're making tangible progress day in 0:33:50.760 --> 0:33:52.640 and day out without a ton of effort. And then 0:33:52.640 --> 0:33:55.040 maybe all those engineers and SREs and all the other 0:33:55.040 --> 0:33:58.720 people involved can suddenly go and spend 5% more of 0:33:58.760 --> 0:34:00.400 their time or something like that, to shipping product, and 0:34:00.400 --> 0:34:02.440 then hopefully everyone wins at that point. So yeah, we're 0:34:02.440 --> 0:34:04.700 really excited about getting more into that side. and also 0:34:04.700 --> 0:34:07.820 just excited about having the the initial, uh, you know, 0:34:07.820 --> 0:34:09.379 version of the product now out there in the world and, 0:34:09.420 --> 0:34:10.620 you know, people starting to use it. 0:34:11.660 --> 0:34:15.020 No. It's awesome. And where can people learn more about it? 0:34:17.100 --> 0:34:19.780 Um, they can catch up with me online, my LinkedIn 0:34:19.820 --> 0:34:22.420 or Substack. Um, feel free to, like, reach out to 0:34:22.420 --> 0:34:26.060 me there. We also have a website where you can 0:34:26.100 --> 0:34:27.660 kind of catch up a bit more on what we're 0:34:27.660 --> 0:34:28.060 up to. 0:34:28.820 --> 0:34:31.859 Well very cool Harry, thanks for the chat. Very, uh, 0:34:31.900 --> 0:34:33.060 very cool conversation. 0:34:34.940 --> 0:34:35.779 I really enjoyed it. 0:34:36.500 --> 0:34:41.620 All right. Take care. Unsupervised learning is produced on Hindenburg 0:34:41.620 --> 0:34:45.940 Pro using an Sm7 microphone. A video version of the 0:34:45.940 --> 0:34:49.980 podcast is available on the Unsupervised Learning YouTube channel, and 0:34:49.980 --> 0:34:52.779 the text version with full links and notes is available 0:34:52.780 --> 0:34:57.420 at Daniel. Com newsletter. We'll see you next time.