<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[The Cybersecurity Pulse (TCP): Deep Cuts]]></title><description><![CDATA[The deep cuts. Original research and analysis on security trends, M&A, and the vendor landscape.]]></description><link>https://www.cybersecuritypulse.net/s/deep-cuts</link><image><url>https://substackcdn.com/image/fetch/$s_!qMTq!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9fef06d7-bf82-40ef-855b-21ff2898ce23_200x200.png</url><title>The Cybersecurity Pulse (TCP): Deep Cuts</title><link>https://www.cybersecuritypulse.net/s/deep-cuts</link></image><generator>Substack</generator><lastBuildDate>Fri, 01 May 2026 23:37:48 GMT</lastBuildDate><atom:link href="https://www.cybersecuritypulse.net/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Darwin Salazar]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[TheCybersecurityPulse@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[TheCybersecurityPulse@substack.com]]></itunes:email><itunes:name><![CDATA[Darwin Salazar]]></itunes:name></itunes:owner><itunes:author><![CDATA[Darwin Salazar]]></itunes:author><googleplay:owner><![CDATA[TheCybersecurityPulse@substack.com]]></googleplay:owner><googleplay:email><![CDATA[TheCybersecurityPulse@substack.com]]></googleplay:email><googleplay:author><![CDATA[Darwin Salazar]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[The Dust Has Settled: Top Takeaways from RSAC & BSidesSF 2026]]></title><description><![CDATA[Build vs. 
buy, decoupled SOCs, MCP, and the builder mindset.]]></description><link>https://www.cybersecuritypulse.net/p/the-dust-has-settled-top-takeaways</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/the-dust-has-settled-top-takeaways</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Tue, 31 Mar 2026 17:54:47 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!o2sR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54544f84-e7e7-4cbe-99a5-49452d530d09_1440x811.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Welcome to <strong>The Cybersecurity Pulse (TCP)</strong>! I&#8217;m Darwin Salazar, Head of Growth at <strong><a href="https://www.monad.com/">Monad</a></strong> and former detection engineer in big tech. Each week, I bring you the latest security innovation and industry news. Subscribe to receive weekly updates! &#128231;</em></p>
<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!o2sR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54544f84-e7e7-4cbe-99a5-49452d530d09_1440x811.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!o2sR!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54544f84-e7e7-4cbe-99a5-49452d530d09_1440x811.png 424w, https://substackcdn.com/image/fetch/$s_!o2sR!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54544f84-e7e7-4cbe-99a5-49452d530d09_1440x811.png 848w, https://substackcdn.com/image/fetch/$s_!o2sR!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54544f84-e7e7-4cbe-99a5-49452d530d09_1440x811.png 1272w, https://substackcdn.com/image/fetch/$s_!o2sR!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54544f84-e7e7-4cbe-99a5-49452d530d09_1440x811.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!o2sR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54544f84-e7e7-4cbe-99a5-49452d530d09_1440x811.png" width="1440" 
height="811" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/54544f84-e7e7-4cbe-99a5-49452d530d09_1440x811.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:811,&quot;width&quot;:1440,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1665856,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybersecuritypulse.net/i/192673867?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54544f84-e7e7-4cbe-99a5-49452d530d09_1440x811.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!o2sR!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54544f84-e7e7-4cbe-99a5-49452d530d09_1440x811.png 424w, https://substackcdn.com/image/fetch/$s_!o2sR!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54544f84-e7e7-4cbe-99a5-49452d530d09_1440x811.png 848w, https://substackcdn.com/image/fetch/$s_!o2sR!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54544f84-e7e7-4cbe-99a5-49452d530d09_1440x811.png 1272w, https://substackcdn.com/image/fetch/$s_!o2sR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F54544f84-e7e7-4cbe-99a5-49452d530d09_1440x811.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg 
role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div>
<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!SrMy!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0de3f291-f16c-4eac-8832-d8993ca1de46_2000x1600.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!SrMy!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0de3f291-f16c-4eac-8832-d8993ca1de46_2000x1600.png 424w, https://substackcdn.com/image/fetch/$s_!SrMy!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0de3f291-f16c-4eac-8832-d8993ca1de46_2000x1600.png 848w, https://substackcdn.com/image/fetch/$s_!SrMy!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0de3f291-f16c-4eac-8832-d8993ca1de46_2000x1600.png 1272w, https://substackcdn.com/image/fetch/$s_!SrMy!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0de3f291-f16c-4eac-8832-d8993ca1de46_2000x1600.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!SrMy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0de3f291-f16c-4eac-8832-d8993ca1de46_2000x1600.png" width="1456" height="1165" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0de3f291-f16c-4eac-8832-d8993ca1de46_2000x1600.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1165,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:8054292,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.cybersecuritypulse.net/i/192673867?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0de3f291-f16c-4eac-8832-d8993ca1de46_2000x1600.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" 
class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!SrMy!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0de3f291-f16c-4eac-8832-d8993ca1de46_2000x1600.png 424w, https://substackcdn.com/image/fetch/$s_!SrMy!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0de3f291-f16c-4eac-8832-d8993ca1de46_2000x1600.png 848w, https://substackcdn.com/image/fetch/$s_!SrMy!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0de3f291-f16c-4eac-8832-d8993ca1de46_2000x1600.png 1272w, https://substackcdn.com/image/fetch/$s_!SrMy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0de3f291-f16c-4eac-8832-d8993ca1de46_2000x1600.png 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" 
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">My RSAC 2026 in one photo</figcaption></figure></div><p>Though I&#8217;m still recovering from a 9-day conference stretch, this was easily my favorite BSidesSF + RSAC week. The energy was on point. I had 100+ conversations with security leaders on what they&#8217;re most excited about, biggest pain points, you name it. After RSAC, I ended up traveling 15 hours to another security conference where I presented on Saturday (more on that in a separate post ;)</p><p>It&#8217;s interesting because I wear multiple hats at conferences. I run this newsletter, so I&#8217;m always watching the emerging landscape from tradecraft to threats, tooling and capabilities, and how security leaders are future-proofing their teams and environments. </p><p>I&#8217;m also Head of Growth at Monad, so I do sales, marketing, and a bit of product management. If I learn that you have pain points Monad can solve, I will gladly pitch you on Monad and tell you about all the great stuff we&#8217;re up to. And at my core, I&#8217;m a security practitioner who still loves nerding out on how teams are staying current and how my previous crafts of detection engineering and cloud security continue to evolve.</p><p>That said, this post is an amalgamation and distillation of my biggest takeaways from the con from a holistic standpoint. Not my typical announcements roundup. That will come on Thursday! </p><div><hr></div><h3><strong>Build vs. 
Buy is Shifting</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!3o8K!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cf05054-3369-4643-9e8a-dcbe25e0c648_801x507.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!3o8K!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cf05054-3369-4643-9e8a-dcbe25e0c648_801x507.jpeg 424w, https://substackcdn.com/image/fetch/$s_!3o8K!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cf05054-3369-4643-9e8a-dcbe25e0c648_801x507.jpeg 848w, https://substackcdn.com/image/fetch/$s_!3o8K!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cf05054-3369-4643-9e8a-dcbe25e0c648_801x507.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!3o8K!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cf05054-3369-4643-9e8a-dcbe25e0c648_801x507.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!3o8K!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cf05054-3369-4643-9e8a-dcbe25e0c648_801x507.jpeg" width="801" height="507" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1cf05054-3369-4643-9e8a-dcbe25e0c648_801x507.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:507,&quot;width&quot;:801,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:114259,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.cybersecuritypulse.net/i/192673867?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F765b2af1-6fd2-4704-8395-63bf647d131a_1024x768.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!3o8K!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cf05054-3369-4643-9e8a-dcbe25e0c648_801x507.jpeg 424w, https://substackcdn.com/image/fetch/$s_!3o8K!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cf05054-3369-4643-9e8a-dcbe25e0c648_801x507.jpeg 848w, https://substackcdn.com/image/fetch/$s_!3o8K!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cf05054-3369-4643-9e8a-dcbe25e0c648_801x507.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!3o8K!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cf05054-3369-4643-9e8a-dcbe25e0c648_801x507.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" 
height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>In recent years, Build vs. Buy has become even more of a hot topic. The continual improvement of LLMs and agentic development has seriously lowered the barrier for entry. People are obviously all over the spectrum on this debate, but I feel like more people are leaning towards &#8220;Build&#8221; on certain categories than ever. </p><p>This was a main topic on the BSidesSF panel w/ security leaders from Anthropic, OpenAI, Perplexity, and Cursor. 
Here&#8217;s what stuck w/ me most after synthesizing a bunch of takes on this topic last week: </p><ul><li><p><strong>The gap between MVP and &#8220;production-ready&#8221; is where things get ugly.</strong> It varies by application, use case, and criticality, but that middle stretch is always messy.</p></li><li><p><strong>Shipping it is only the beginning.</strong> Even after something is production-ready, you still have to staff for maintenance and scalability.</p></li><li><p><strong>Some problems are just too hairy to own.</strong> Sometimes it makes more sense to pay someone else and hand off the problem entirely.</p></li></ul><div class="pullquote"><p><strong>Do you want to be the one on-call when the thing you built breaks at 2am?</strong> - <strong><a href="https://www.linkedin.com/in/jackie-bow-83933840/">Jackie Bow</a></strong>, Detection &amp; Response @ Anthropic</p></div>
<h3><strong>People Are Building Really Cool Things with AI</strong></h3><p>I had a few convos with security leaders including some at F500s who are super AI-pilled. 
We&#8217;re talking dedicated homegrown agents and skills for dozens of different security functions, mostly handling initial triage and investigations all the way through recommending remediation paths.</p><p><strong>I also spoke with a leader who built a living, digital twin of their entire environment.</strong> If an AWS asset config gets changed, the digital twin gets updated. If a new admin account is spun up in Okta, the digital twin records it. Now, this person is an anomaly and pretty forward-thinking, but I think more and more people will continue to get creative with AI for security in meaningful ways. The ones who think outside the box own the future, as always.</p><div><hr></div><h3><strong>MCP is Changing the Game</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!zw0Z!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F03e08bfb-8a99-4c6c-a7d8-7efdb89e6a23_1446x876.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!zw0Z!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F03e08bfb-8a99-4c6c-a7d8-7efdb89e6a23_1446x876.png 424w, https://substackcdn.com/image/fetch/$s_!zw0Z!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F03e08bfb-8a99-4c6c-a7d8-7efdb89e6a23_1446x876.png 848w, https://substackcdn.com/image/fetch/$s_!zw0Z!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F03e08bfb-8a99-4c6c-a7d8-7efdb89e6a23_1446x876.png 1272w, 
https://substackcdn.com/image/fetch/$s_!zw0Z!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F03e08bfb-8a99-4c6c-a7d8-7efdb89e6a23_1446x876.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!zw0Z!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F03e08bfb-8a99-4c6c-a7d8-7efdb89e6a23_1446x876.png" width="1446" height="876" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/03e08bfb-8a99-4c6c-a7d8-7efdb89e6a23_1446x876.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:876,&quot;width&quot;:1446,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:191814,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.cybersecuritypulse.net/i/192673867?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F03e08bfb-8a99-4c6c-a7d8-7efdb89e6a23_1446x876.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!zw0Z!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F03e08bfb-8a99-4c6c-a7d8-7efdb89e6a23_1446x876.png 424w, https://substackcdn.com/image/fetch/$s_!zw0Z!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F03e08bfb-8a99-4c6c-a7d8-7efdb89e6a23_1446x876.png 848w, 
https://substackcdn.com/image/fetch/$s_!zw0Z!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F03e08bfb-8a99-4c6c-a7d8-7efdb89e6a23_1446x876.png 1272w, https://substackcdn.com/image/fetch/$s_!zw0Z!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F03e08bfb-8a99-4c6c-a7d8-7efdb89e6a23_1446x876.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Model Context Protocol (MCP) has played a massive role in modernizing security workflows. 
One leader I spoke with even said <strong>he won&#8217;t consider a new vendor if they don&#8217;t have MCP capabilities. </strong>I don&#8217;t agree with his take as I think MCP eats a lot of tokens.</p><p>But it does make sense when you look at what it unlocks. Security teams are using MCP to give AI agents direct access to their tools. Think an AI assistant that can pull alert context from your SIEM, query your CMDB for asset ownership, and check your threat intel platform for IOC enrichment, all in a single investigation flow. Teams are also building MCP-enabled agents that can take action like isolating endpoints, creating tickets, or kicking off response playbooks based on findings. </p><p>It&#8217;s basically turning every security tool with an MCP server into a composable building block that AI can orchestrate across.</p><h3><strong>Decoupled Architectures for Security Operations</strong></h3><p>This goes hand in hand with the previous takeaway. More and more security leaders are considering a decoupled security architecture. Security data needs to live in more places than ever, especially with teams gaining more appetite to augment their tooling with homegrown capabilities. 
Recent breakthroughs are enabling teams to keep telemetry in ultra cost-effective, highly performant storage layers (<strong><a href="https://scanner.dev/">Scanner.dev</a></strong> being a prime example) while data pipeline players like <strong><a href="https://www.monad.com/">Monad</a></strong> have pretty much been the Trojan horse enabling security teams to gain back control of how and where they route their data, with added benefits like enrichments and transformations that make data AI-ready.</p><p>I also heard more rumblings around federated search and how AI agents are good at querying data at the source for investigative work. The dust has yet to settle here, but it&#8217;s clear that most security leaders are redrawing their SOC architectures, and there are a lot of emerging approaches and tooling to choose from. As someone who worked closely with Fortune 500 teams on detection engineering and response while at Accenture, this is a feel-good story. Security teams are breaking out of vendor lock-in and rebuilding their stacks with composable, best-of-breed solutions.</p><p><strong>I&#8217;d say that after a long, hard-fought battle, SIEMs are no longer the one-stop shop for security analytics, response, and investigations. </strong>MCP, data lakes, data pipelines, triage agents, etc. have disrupted the SIEM moat. What comes next? </p><div><hr></div><h3><strong>Talent and Upskilling</strong></h3><p>Security leaders are thinking hard about how to keep their teams at the forefront, not just of threats, but of evolving capabilities and tooling. They&#8217;re encouraging their people to adopt a builder mindset and go wider.</p><p>The world is changing fast. The ones who lean into the hacker and builder mindset will excel.</p><div><hr></div><h2><strong>Honorable Mentions</strong></h2><p><strong>Attack velocity + volume:</strong> Bad guys are using AI to find 0-days, exploit unpatched systems, and scale their campaigns. 
Defenders are cognizant of this, and while there&#8217;s not an impending sense of doom, people are feeling the heat. </p><p><strong>Agentic AI Identity:</strong> Still the wild west. No clear winner or winning approach, imo, but we&#8217;re getting closer.</p><p><strong>AI Pen Testing:</strong> Lots of funding and hype around it. I think it&#8217;s a space at risk if frontier model shops really wanted to go after it. Regardless, there&#8217;s a massive need for AI pen testing in validating vulns, securing new attack surface, and ensuring secure code and apps. This was a part of the security cycle that was painfully manual, and having continual coverage here is a big upgrade.</p><p><strong>Data Security:</strong> Scorching hot space and a top concern. Agentic AI is creating entirely new data access patterns that most teams aren&#8217;t equipped to govern yet. When your AI agents can autonomously query databases, pull documents, and chain API calls together, the blast radius of a misconfigured permission or over-scoped identity gets a lot bigger. Lots of energy here, and rightfully so.</p><p><strong>Securing AI Code Gen Output and Agent Usage:</strong> Velocity and volume are big concerns, along with non-devs building small scripts to automate tasks. No clear winner here, though the incumbents like Semgrep, Snyk, OX, etc. are shipping capabilities to keep up with the madness.</p><p><strong>Software Supply Chain Security:</strong> This one keeps getting scarier and giving me whiplash. 
March alone gave us the <a href="https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack">TeamPCP cascading campaign</a> that started with compromising Aqua&#8217;s <a href="https://github.com/aquasecurity/trivy">Trivy</a> scanner, spread to Checkmarx KICS, and then used stolen CI/CD credentials to poison <a href="https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreads">LiteLLM</a> on PyPI (a library present in 36% of cloud environments according to Wiz). <strong>One compromised security tool turned into five compromised ecosystems in under a week.</strong> </p><p>And then literally today, <a href="https://socket.dev/blog/axios-npm-package-compromised">Axios got hit</a> with a hijacked maintainer account pushing a RAT through poisoned npm releases to a package with 100M+ weekly downloads. The window was only a couple of hours, but the blast radius is wild.</p><p>Scary pattern. Recommend checking these blogs out if you&#8217;re responding to these attacks: </p><ul><li><p><strong><a href="https://socket.dev/blog/axios-npm-package-compromised">Supply Chain Attack on Axios Pulls Malicious Dependency from npm</a> </strong></p></li><li><p><strong><a href="https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release">Trivy - StepSecurity</a></strong></p></li><li><p><strong><a href="https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreads">LiteLLM - ReversingLabs</a></strong></p></li></ul><div><hr></div><p>The dust has settled on BSidesSF and RSAC 2026, but there is still SO much in flux for security teams. So in that sense, the dust may never settle for security teams. Just have to keep operating through the chaos, which is easier when you have strong leadership + culture. Fun time to be in security. </p><p>I&#8217;ve still got a lot more to share. On Thursday, I&#8217;ll drop Part II covering the biggest announcements, my favorite events, and the overall vibes from the week, etc. 
Stay tuned!</p>]]></content:encoded></item><item><title><![CDATA[The AppSec Model Was Built for a World That's Disappearing.]]></title><description><![CDATA[AI code generation broke the math. Clover Security is building for what comes next.]]></description><link>https://www.cybersecuritypulse.net/p/the-appsec-model-was-built-for-a</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/the-appsec-model-was-built-for-a</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Wed, 11 Mar 2026 12:15:26 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Vn9N!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9f16cd7-c4fc-4e0a-b743-b327d69698e6_1440x811.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Vn9N!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9f16cd7-c4fc-4e0a-b743-b327d69698e6_1440x811.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!Vn9N!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9f16cd7-c4fc-4e0a-b743-b327d69698e6_1440x811.png 424w, https://substackcdn.com/image/fetch/$s_!Vn9N!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9f16cd7-c4fc-4e0a-b743-b327d69698e6_1440x811.png 848w, https://substackcdn.com/image/fetch/$s_!Vn9N!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9f16cd7-c4fc-4e0a-b743-b327d69698e6_1440x811.png 1272w, https://substackcdn.com/image/fetch/$s_!Vn9N!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9f16cd7-c4fc-4e0a-b743-b327d69698e6_1440x811.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Vn9N!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9f16cd7-c4fc-4e0a-b743-b327d69698e6_1440x811.png" width="1440" height="811" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d9f16cd7-c4fc-4e0a-b743-b327d69698e6_1440x811.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:811,&quot;width&quot;:1440,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:607083,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cybersecuritypulse.net/i/190579014?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9f16cd7-c4fc-4e0a-b743-b327d69698e6_1440x811.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" 
class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!Vn9N!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9f16cd7-c4fc-4e0a-b743-b327d69698e6_1440x811.png 424w, https://substackcdn.com/image/fetch/$s_!Vn9N!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9f16cd7-c4fc-4e0a-b743-b327d69698e6_1440x811.png 848w, https://substackcdn.com/image/fetch/$s_!Vn9N!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9f16cd7-c4fc-4e0a-b743-b327d69698e6_1440x811.png 1272w, https://substackcdn.com/image/fetch/$s_!Vn9N!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9f16cd7-c4fc-4e0a-b743-b327d69698e6_1440x811.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><div><hr></div><h2><strong>A Personal Note</strong></h2><p>Every now and again I come across a security vendor doing genuinely innovative and differentiated work. A breath of fresh air in a space full of copy/paste products with different logos.</p><p>I vet every TCP sponsor carefully to ensure I only put the best in front of you so if I&#8217;m writing a deep dive on a company, know that it&#8217;s passed a high bar. <strong><a href="https://hubs.li/Q045_jqG0">Clover Security</a> </strong>brought me back to my Product Security days at Johnson &amp; Johnson, where design-phase security reviews and threat modeling weren&#8217;t optional best practices, they were FDA and HITRUST requirements. This is a platform that would have made life meaningfully easier back then.</p><p>I&#8217;m excited to bring you this piece. Let&#8217;s get into it.  </p><div><hr></div><h2><strong>Executive Summary</strong></h2><p>The engineering world is undergoing a structural shift. AI coding agents now handle implementation at a pace and volume that human-led security processes were never designed to match. Innovation cycles are compressing. The response from the most forward-thinking engineering orgs isn&#8217;t to scan more code faster. It&#8217;s to invest in design and architecture rigor, the phase where most risk actually originates.</p><p><strong><a href="https://clover.security/?utm_campaign=39986224-TCP%20Deep%20Dive&amp;utm_source=email&amp;utm_medium=Substack&amp;utm_content=Clover">Clover Security</a></strong> made this bet two years ago. 
They&#8217;ve raised $36M and built a platform of AI agents that embed security into the design phase, where PRDs are written, architecture decisions are made, and threat models should live.</p><p>This deep dive covers why the design phase has become the critical gap in most security programs, how Clover&#8217;s platform actually works, what their early customer results look like, and where the product is headed as agentic development accelerates.</p><div><hr></div><h2><strong>The Perfect Storm</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!roli!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd43fb9f0-1d4f-4ae9-969b-26e494a52ebb_2160x2160.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!roli!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd43fb9f0-1d4f-4ae9-969b-26e494a52ebb_2160x2160.png 424w, https://substackcdn.com/image/fetch/$s_!roli!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd43fb9f0-1d4f-4ae9-969b-26e494a52ebb_2160x2160.png 848w, https://substackcdn.com/image/fetch/$s_!roli!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd43fb9f0-1d4f-4ae9-969b-26e494a52ebb_2160x2160.png 1272w, https://substackcdn.com/image/fetch/$s_!roli!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd43fb9f0-1d4f-4ae9-969b-26e494a52ebb_2160x2160.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!roli!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd43fb9f0-1d4f-4ae9-969b-26e494a52ebb_2160x2160.png" width="727.998046875" height="727.998046875" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d43fb9f0-1d4f-4ae9-969b-26e494a52ebb_2160x2160.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;normal&quot;,&quot;height&quot;:1456,&quot;width&quot;:1456,&quot;resizeWidth&quot;:727.998046875,&quot;bytes&quot;:4558906,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.cybersecuritypulse.net/i/190579014?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd43fb9f0-1d4f-4ae9-969b-26e494a52ebb_2160x2160.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!roli!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd43fb9f0-1d4f-4ae9-969b-26e494a52ebb_2160x2160.png 424w, https://substackcdn.com/image/fetch/$s_!roli!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd43fb9f0-1d4f-4ae9-969b-26e494a52ebb_2160x2160.png 848w, https://substackcdn.com/image/fetch/$s_!roli!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd43fb9f0-1d4f-4ae9-969b-26e494a52ebb_2160x2160.png 1272w, 
https://substackcdn.com/image/fetch/$s_!roli!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd43fb9f0-1d4f-4ae9-969b-26e494a52ebb_2160x2160.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Two years ago, a senior engineer would split their week between writing code, reviewing code, debugging code, and making architectural decisions. 
Today, AI coding agents handle the first three.<a href="https://techcrunch.com/2026/02/12/spotify-says-its-best-developers-havent-written-a-line-of-code-since-december-thanks-to-ai/"> Spotify&#8217;s co-CEO said it plainly on their Q4 earnings call</a>. The company&#8217;s best developers haven&#8217;t written a single line of code since December. That trend is only accelerating.</p><p>What&#8217;s emerging is a fundamental reprioritization across engineering orgs. The smartest teams are investing in design and architecture rigor, the phase where risk actually enters the system. Innovation cycles are compressing. A feature that took a team two sprints now ships in days. <strong>The human role in software development is shifting from writing code to designing systems, choosing infrastructure, and deciding how services interact</strong>. The design decisions that determine whether a system is secure are now the most consequential part humans still control.</p><p>And this math was broken long before AI code generation entered the picture. Product security engineers are<a href="https://www.notablecap.com/blog/from-reactive-to-proactive-clover-securitys-design-led-revolution"> outnumbered by developers 300-to-1</a> at most technology companies.<a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/report-2024-state-of-app-security-report.pdf"> CrowdStrike&#8217;s 2024 State of Application Security Report</a> quantifies the downstream impact. Over half of major code changes don&#8217;t undergo full security reviews (50% median, 54% mean). That was before AI-generated code tripled the volume. 
Jerry Gamblin&#8217;s<a href="https://jerrygamblin.com/2026/01/01/2025-cve-data-review/"> 2025 CVE data review</a> counted 48,185 published vulnerabilities, a 21% jump over 2024, with XSS still the most common class at over 8,000 entries despite decades of tooling investment.<a href="https://www.first.org/blog/20260211-vulnerability-forecast-2026"> FIRST&#8217;s 2026 forecast</a> projects that number climbing to roughly 59,000.</p><p><a href="https://hubs.li/Q045_jqG0">Clover Security</a> saw this coming. Founded in 2023, right as the AI coding wave began to take shape, the company raised $36M on the thesis that the entire AppSec model was pointed at the wrong phase of development.</p><p>Their bet is that AI agents embedded in design and architecture workflows are the only way to close the gap. Two years in, the market is moving in their direction.</p><p> Now they&#8217;re building for what the next two years look like.</p><div><hr></div><h2><strong>The Founding Story</strong></h2><p>Clover&#8217;s founding story starts with a big tech engineer and a product leader at two of the largest AppSec vendors in the world, both independently arriving at the same conclusion that scanning code after it&#8217;s written was never going to be enough. Then they found each other on X.</p><p><a href="https://www.linkedin.com/in/alonkol/">Alon Kollmann</a> (CEO) spent 15+ years as an engineer at Microsoft and Google before taking strategic roles at Hysolate and Dazz, the ASPM company acquired by Wiz for roughly $450M.</p><p><a href="https://www.linkedin.com/in/or-chen/">Or Chen</a> (CPO) spent 8 years in Unit 8200 leading technical cyber operations, then founded a startup acquired by Checkmarx. He rose to VP and built their SCA and API Security offerings from the ground up.</p><p>The two found each other the way a lot of good things start in 2022: sliding into each other&#8217;s DMs on Twitter. 
They had arrived at the same conclusion from opposite sides of the security stack, and connected right as ChatGPT launched and the AI coding revolution started to take shape. The timing validated their shared conviction: code generation would be automated, making design the true security chokepoint. They co-founded Clover in 2023.</p><p>Clover raised $36M across a seed led by Team8 and a Series A led by Notable Capital, with Team8 and SVCI participating. The angel roster tells the real story: Wiz co-founders Assaf Rappaport and Yinon Costica, Shlomo Kramer (Check Point, Imperva, Cato Networks), Rene Bonvanie (former CMO, Palo Alto Networks), and senior executives from Snyk, CrowdStrike, Atlassian, and Google.</p><div><hr></div><h2><strong>You Can&#8217;t Scan Your Way Out of Insecure Design Choices</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!MnUr!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18fea179-e37d-4453-b1cd-6523dffd1502_2160x2160.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!MnUr!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18fea179-e37d-4453-b1cd-6523dffd1502_2160x2160.png 424w, https://substackcdn.com/image/fetch/$s_!MnUr!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18fea179-e37d-4453-b1cd-6523dffd1502_2160x2160.png 848w, https://substackcdn.com/image/fetch/$s_!MnUr!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18fea179-e37d-4453-b1cd-6523dffd1502_2160x2160.png 1272w, 
https://substackcdn.com/image/fetch/$s_!MnUr!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18fea179-e37d-4453-b1cd-6523dffd1502_2160x2160.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!MnUr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18fea179-e37d-4453-b1cd-6523dffd1502_2160x2160.png" width="1456" height="1456" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/18fea179-e37d-4453-b1cd-6523dffd1502_2160x2160.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1456,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:3466896,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.cybersecuritypulse.net/i/190579014?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18fea179-e37d-4453-b1cd-6523dffd1502_2160x2160.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!MnUr!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18fea179-e37d-4453-b1cd-6523dffd1502_2160x2160.png 424w, https://substackcdn.com/image/fetch/$s_!MnUr!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18fea179-e37d-4453-b1cd-6523dffd1502_2160x2160.png 848w, 
https://substackcdn.com/image/fetch/$s_!MnUr!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18fea179-e37d-4453-b1cd-6523dffd1502_2160x2160.png 1272w, https://substackcdn.com/image/fetch/$s_!MnUr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F18fea179-e37d-4453-b1cd-6523dffd1502_2160x2160.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Every AppSec tool on the market today works the same way, downstream: wait for code to exist, then scan it. 
SAST, SCA, DAST, ASPM, runtime scanning.</p><p>Product Security (ProdSec) operates upstream. Architecture review, threat modeling, design-phase risk assessment. Security baked into how a system is designed, not bolted on after it&#8217;s built. If you&#8217;ve worked in automotive or medical devices, none of this is new. ProdSec is table stakes in those worlds.</p><p>I interned on Ford Motor&#8217;s Red Team and spent 2.5 years doing product security for <a href="https://www.jnj.com/media-center/press-releases/johnson-johnson-submits-ottava-robotic-surgical-system-to-the-u-s-food-and-drug-administration">a robotic surgical system</a> at Johnson &amp; Johnson. When you&#8217;re threat modeling software that controls a robot performing surgery on a human being, design-phase security reviews are a non-negotiable. <strong>The gap is that most pure software companies haven&#8217;t adopted this discipline yet, and the ones that have are doing it manually, expensively, and at a coverage rate that never keeps pace with engineering velocity.</strong></p><p>In practice, ProdSec means a security engineer sits down with a PRD or architecture doc before a single line of code is written and asks: where are the trust boundaries? What are the data flows? Where could business logic be abused? How does this feature interact with existing services? They map the design against frameworks like OWASP ASVS or STRIDE, identify threats at the architecture level, and write security requirements into the ticket.</p><p>Here&#8217;s why this matters concretely. A team builds a payments integration where users can link external bank accounts. The code is solid: encrypted connections, proper auth tokens, passes every scan. But the design never accounted for what happens when a user links an account, initiates a transfer, then unlinks the account before settlement completes. The transaction goes through with no account to claw back from. That&#8217;s not a vulnerability. 
It&#8217;s a business logic gap that only exists at the design layer, and no scanner on the market catches it.</p><p>The problem is that ProdSec requires people who understand both software architecture and threat modeling deeply enough to review designs at speed. Those people are rare. Most orgs either can&#8217;t hire them or can&#8217;t hire enough of them, which is why even mature security teams end up triaging by risk and only reviewing the highest-priority features manually.</p><p>As AI handles more implementation, design is the last human-controlled artifact. If security isn&#8217;t embedded there, there&#8217;s no checkpoint before code ships. Clover&#8217;s bet is that as AI eliminates trivial code-level vulnerabilities, the remaining risk concentrates at the logic and architecture layer.</p><div><hr></div><h2><strong>How It Works</strong></h2><p>Clover runs eight purpose-built AI agents, each handling a specific security function but all built on the same platform core. Design risk is the guiding principle, but risk can initiate at any point. A review can start from a PRD for a brand new feature just as easily as from code drifting from its original design requirements. The result is a platform that tracks design risk from the first spec through production, and catches drift long after code ships.</p><h4><strong>The Context Layer</strong></h4><p>The most differentiated thing I saw in the demo was Clover&#8217;s context engine. Two components work together here.</p><p>The Memory Agent builds and maintains a living knowledge base of your organization, split across three dimensions. <strong>Technical context</strong> covers your tech stack, infrastructure components, APIs, and data points. <strong>Business memory</strong> captures how your org makes decisions, internal glossary, and product relationships. 
<strong>Inferred memory</strong> surfaces connections the platform identifies across your environment over time.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!DuFX!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F595684d0-e281-4759-a303-8436ab05f2ca_1600x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!DuFX!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F595684d0-e281-4759-a303-8436ab05f2ca_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!DuFX!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F595684d0-e281-4759-a303-8436ab05f2ca_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!DuFX!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F595684d0-e281-4759-a303-8436ab05f2ca_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!DuFX!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F595684d0-e281-4759-a303-8436ab05f2ca_1600x900.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!DuFX!,w_2400,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F595684d0-e281-4759-a303-8436ab05f2ca_1600x900.png" width="1200" height="675" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/595684d0-e281-4759-a303-8436ab05f2ca_1600x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;large&quot;,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:1200,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-large" alt="" srcset="https://substackcdn.com/image/fetch/$s_!DuFX!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F595684d0-e281-4759-a303-8436ab05f2ca_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!DuFX!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F595684d0-e281-4759-a303-8436ab05f2ca_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!DuFX!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F595684d0-e281-4759-a303-8436ab05f2ca_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!DuFX!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F595684d0-e281-4759-a303-8436ab05f2ca_1600x900.png 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption"><em>Clover Memory Agent displaying technical content</em></figcaption></figure></div><p>The Feature Context Graph maps how a single feature connects to requirements, framework standards, code, and infrastructure. 
You can drill into the specific standards a feature was reviewed against, see which code repos are linked, and trace from design doc to implementation.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!p5Ey!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feabbe992-baeb-4cfa-bd59-f338fb317700_1600x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!p5Ey!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feabbe992-baeb-4cfa-bd59-f338fb317700_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!p5Ey!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feabbe992-baeb-4cfa-bd59-f338fb317700_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!p5Ey!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feabbe992-baeb-4cfa-bd59-f338fb317700_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!p5Ey!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feabbe992-baeb-4cfa-bd59-f338fb317700_1600x900.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!p5Ey!,w_2400,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feabbe992-baeb-4cfa-bd59-f338fb317700_1600x900.png" width="1200" height="675" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/eabbe992-baeb-4cfa-bd59-f338fb317700_1600x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;large&quot;,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:1200,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Clover Security's Feature Context Graph for an \&quot;Upload candidate CV design\&quot; security review, showing connected nodes tracing a feature from R&amp;D Design origin through Product Dev, GitHub commits, and downstream features, with OWASP ASVS, AWS FSBP, and internal framework requirements mapped on the right panel.&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-large" alt="Clover Security's Feature Context Graph for an &quot;Upload candidate CV design&quot; security review, showing connected nodes tracing a feature from R&amp;D Design origin through Product Dev, GitHub commits, and downstream features, with OWASP ASVS, AWS FSBP, and internal framework requirements mapped on the right panel." title="Clover Security's Feature Context Graph for an &quot;Upload candidate CV design&quot; security review, showing connected nodes tracing a feature from R&amp;D Design origin through Product Dev, GitHub commits, and downstream features, with OWASP ASVS, AWS FSBP, and internal framework requirements mapped on the right panel." 
srcset="https://substackcdn.com/image/fetch/$s_!p5Ey!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feabbe992-baeb-4cfa-bd59-f338fb317700_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!p5Ey!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feabbe992-baeb-4cfa-bd59-f338fb317700_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!p5Ey!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feabbe992-baeb-4cfa-bd59-f338fb317700_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!p5Ey!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feabbe992-baeb-4cfa-bd59-f338fb317700_1600x900.png 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption"><em>Feature Context Graph with connected nodes across R&amp;D Design, Product Dev, Features, and Security</em></figcaption></figure></div><p>These two components are what make everything below possible. Without organizational context, an AI agent reviewing a design doc is just guessing. With it, the agent knows your tech stack, your policies, your architecture patterns, and how this feature connects to everything else you&#8217;ve already built.</p><p><strong>Scenario 1. A new feature lands in your project management tool.</strong></p><p>Your product team writes a PRD in Notion for a new instant peer-to-peer payments feature. Clover&#8217;s Discovery Agent picks it up automatically, identifies it as high-priority based on the financial data flows and regulatory surface involved, and flags it for security review.</p><p>The Design Review Agent takes over and runs a security review against your configured frameworks and threat models, whether that&#8217;s OWASP ASVS, PCI, STRIDE, or your own internal standards. Because of the context layer, Clover knows this feature interacts with your existing account linking service, handles external bank credentials, and exposes a new transaction initiation path to end users. The review reflects that specificity rather than returning generic findings.</p><p>Business logic flaws are a major focus. Or walked me through examples like logic gaps that let attackers siphon funds from a gaming platform, and arbitrage attacks on a prediction market. 
These are the exact categories of risk that traditional scanners miss because they have no awareness of what the feature is supposed to do, only what the code does.</p><p>On the app level, security teams manage risk posture through custom-built security models around applications, architecture, data flows, and risks. Each application view lets security teams tune prioritization sensitivity across three dimensions: Risk, Business Impact, and Depth and Complexity. You can also feed it pentest reports, and it incorporates the findings into the posture view.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!8uxK!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4881f253-bc29-42f4-a2aa-de3164bf5170_1600x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!8uxK!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4881f253-bc29-42f4-a2aa-de3164bf5170_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!8uxK!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4881f253-bc29-42f4-a2aa-de3164bf5170_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!8uxK!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4881f253-bc29-42f4-a2aa-de3164bf5170_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!8uxK!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4881f253-bc29-42f4-a2aa-de3164bf5170_1600x900.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!8uxK!,w_2400,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4881f253-bc29-42f4-a2aa-de3164bf5170_1600x900.png" width="1200" height="675" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4881f253-bc29-42f4-a2aa-de3164bf5170_1600x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;large&quot;,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:1200,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Clover Security's Agent Fleet dashboard displaying configurable AI agents including Threat Optimizer, Application Threat Modeling, and Attack Vector Discovery, with the Prioritization Configuration Agent open showing a triangle-weighted slider for tuning Risk, Business Impact, and Depth and Complexity scoring across security reviews.&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-large" alt="Clover Security's Agent Fleet dashboard displaying configurable AI agents including Threat Optimizer, Application Threat Modeling, and Attack Vector Discovery, with the Prioritization Configuration Agent open showing a triangle-weighted slider for tuning Risk, Business Impact, and Depth and Complexity scoring across security reviews." title="Clover Security's Agent Fleet dashboard displaying configurable AI agents including Threat Optimizer, Application Threat Modeling, and Attack Vector Discovery, with the Prioritization Configuration Agent open showing a triangle-weighted slider for tuning Risk, Business Impact, and Depth and Complexity scoring across security reviews." 
srcset="https://substackcdn.com/image/fetch/$s_!8uxK!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4881f253-bc29-42f4-a2aa-de3164bf5170_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!8uxK!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4881f253-bc29-42f4-a2aa-de3164bf5170_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!8uxK!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4881f253-bc29-42f4-a2aa-de3164bf5170_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!8uxK!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4881f253-bc29-42f4-a2aa-de3164bf5170_1600x900.png 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption"><em>Agent Fleet showing Prioritization Configuration Agent with triangle-weighted Risk/Business Impact/Depth and Complexity</em></figcaption></figure></div><p><strong>Scenario 2. Code ships that drifts from the original design.</strong></p><p>Your design spec requires encryption at rest for all candidate records. A developer (or an AI coding agent) implements the database layer but skips the encryption step.</p><p>The Developer Guidance Agent integrates with GitHub, GitLab, and Bitbucket, and compares implemented code against original design specifications and PRDs. It surfaces the drift between what was designed and what was built. Traditional SAST tools see code in isolation. They&#8217;d look at this implementation and find no vulnerability pattern, no dependency flaw, no known CVE. Clover sees the intent behind the code.</p><p><strong>Scenario 3. Your developers are using Cursor, Codex and Claude Code. Who&#8217;s watching?</strong></p><p>This is the forward-looking bet. Clover&#8217;s MCP Agent provides visibility into AI-generated code, enforces organizational policies for coding agents, and monitors MCP connections across AI-driven development workflows. The Vibe Coding Agent evaluates shadow AI and vibe coding for misconfigurations, excessive permissions, and missing controls.</p><p>What makes this tangible rather than theoretical is the Agent Observability dashboard. 
Clover gives you granular visibility into which LLMs are being used across your environment (Claude 3.5 Sonnet, GPT-4, GPT-4-turbo in this instance), which developers are using them, lines of code written with coding agents over time, how many MCP connections are active, and where the PR blind spots are.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!NgPB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05e62cf1-1eee-4029-85bf-99cbebb19465_1600x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!NgPB!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05e62cf1-1eee-4029-85bf-99cbebb19465_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!NgPB!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05e62cf1-1eee-4029-85bf-99cbebb19465_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!NgPB!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05e62cf1-1eee-4029-85bf-99cbebb19465_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!NgPB!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05e62cf1-1eee-4029-85bf-99cbebb19465_1600x900.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!NgPB!,w_2400,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05e62cf1-1eee-4029-85bf-99cbebb19465_1600x900.png" width="1200" height="675" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/05e62cf1-1eee-4029-85bf-99cbebb19465_1600x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;large&quot;,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:1200,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-large" alt="" srcset="https://substackcdn.com/image/fetch/$s_!NgPB!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05e62cf1-1eee-4029-85bf-99cbebb19465_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!NgPB!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05e62cf1-1eee-4029-85bf-99cbebb19465_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!NgPB!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05e62cf1-1eee-4029-85bf-99cbebb19465_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!NgPB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F05e62cf1-1eee-4029-85bf-99cbebb19465_1600x900.png 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption"><em>AI Coding Agents Overview showing Developers Using Coding Agents, Agents Usage Over Time, Top Developers, LLM Models Usage, and PR distribution</em></figcaption></figure></div><p>Most security teams today have zero visibility into what AI coding agents are generating across their org. Engineering teams are three steps ahead of security teams on AI coding agent adoption. 
Clover has built an observability layer that helps make the invisible visible: which models, which developers, how much code, and where the blind spots are.</p><p><strong>Integrations and Day One Value</strong></p><p>Clover hooks into where teams already work.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!3Uq3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1287b889-4cc0-4716-b9c8-2b68fb01580c_1600x900.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!3Uq3!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1287b889-4cc0-4716-b9c8-2b68fb01580c_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!3Uq3!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1287b889-4cc0-4716-b9c8-2b68fb01580c_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!3Uq3!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1287b889-4cc0-4716-b9c8-2b68fb01580c_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!3Uq3!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1287b889-4cc0-4716-b9c8-2b68fb01580c_1600x900.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!3Uq3!,w_2400,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1287b889-4cc0-4716-b9c8-2b68fb01580c_1600x900.png" width="1200" height="675" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1287b889-4cc0-4716-b9c8-2b68fb01580c_1600x900.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;large&quot;,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:1200,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Clover Security's integrations hub showing connections to V0, Google Drive, Confluence, LucidChart, Notion, SharePoint, Bitbucket, GitHub, Azure DevOps, GitLab, Jira, Trello, and Aha, spanning document, repository, and project management tool categories.&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-large" alt="Clover Security's integrations hub showing connections to V0, Google Drive, Confluence, LucidChart, Notion, SharePoint, Bitbucket, GitHub, Azure DevOps, GitLab, Jira, Trello, and Aha, spanning document, repository, and project management tool categories." title="Clover Security's integrations hub showing connections to V0, Google Drive, Confluence, LucidChart, Notion, SharePoint, Bitbucket, GitHub, Azure DevOps, GitLab, Jira, Trello, and Aha, spanning document, repository, and project management tool categories." 
srcset="https://substackcdn.com/image/fetch/$s_!3Uq3!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1287b889-4cc0-4716-b9c8-2b68fb01580c_1600x900.png 424w, https://substackcdn.com/image/fetch/$s_!3Uq3!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1287b889-4cc0-4716-b9c8-2b68fb01580c_1600x900.png 848w, https://substackcdn.com/image/fetch/$s_!3Uq3!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1287b889-4cc0-4716-b9c8-2b68fb01580c_1600x900.png 1272w, https://substackcdn.com/image/fetch/$s_!3Uq3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1287b889-4cc0-4716-b9c8-2b68fb01580c_1600x900.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" 
stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption"><em>Integrations &amp; Developer Guidance</em></figcaption></figure></div><p>The platform also functions as a contextual security chatbot within Slack, where teams can ask questions like &#8220;What auth method should I use for this service?&#8221; and get answers informed by their org&#8217;s specific context and policies.</p><p>Clover produces actionable security reviews from day one, covering framework checks, threat modeling, and architecture anti-patterns out of the box. As it ingests more documentation and observes how teams build, reviews get sharper and more tailored to your specific environment.</p><div><hr></div><h2><strong>From Stealth to Scale</strong></h2><p>Most security startups launch publicly, spend heavily on marketing, and grind through 12-month enterprise sales cycles before landing their first logos. Clover did it backwards. They hit millions in ARR before publicly launching. No website, no press, no conference booths. Deals came through CISO networks and word of mouth, which tells you something about how the product landed with the people actually using it.</p><p><strong><a href="https://clover.security/case-studies/neo4j/?utm_campaign=39986224-TCP%20Deep%20Dive&amp;utm_source=email&amp;utm_medium=Substack&amp;utm_content=Clover">Neo4j</a></strong> went from 49% to 100% design review coverage. 
CISO David Fox: &#8220;Manual review covered 49% of tickets, but with Clover&#8217;s automation we hit 100%.&#8221; (<a href="https://hubs.li/Q045_k4W0">Full case study</a>)</p><p><strong><a href="https://clover.security/case-studies/lemonade/?utm_campaign=39986224-TCP%20Deep%20Dive&amp;utm_source=email&amp;utm_medium=Substack&amp;utm_content=Clover">Lemonade</a></strong> cut review time from roughly two hours to fifteen minutes. Before Clover, Lemonade triaged reviews by perceived risk because the volume was too high to cover everything. Now they review all documents, not just the ones they think are risky. (<a href="https://hubs.li/Q045_jVl0">Full case study</a>)</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!1OBq!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F29555121-3a7b-4528-b618-027e1731545c_841x399.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!1OBq!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F29555121-3a7b-4528-b618-027e1731545c_841x399.png 424w, https://substackcdn.com/image/fetch/$s_!1OBq!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F29555121-3a7b-4528-b618-027e1731545c_841x399.png 848w, https://substackcdn.com/image/fetch/$s_!1OBq!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F29555121-3a7b-4528-b618-027e1731545c_841x399.png 1272w, 
https://substackcdn.com/image/fetch/$s_!1OBq!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F29555121-3a7b-4528-b618-027e1731545c_841x399.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!1OBq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F29555121-3a7b-4528-b618-027e1731545c_841x399.png" width="841" height="399" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/29555121-3a7b-4528-b618-027e1731545c_841x399.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:399,&quot;width&quot;:841,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!1OBq!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F29555121-3a7b-4528-b618-027e1731545c_841x399.png 424w, https://substackcdn.com/image/fetch/$s_!1OBq!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F29555121-3a7b-4528-b618-027e1731545c_841x399.png 848w, https://substackcdn.com/image/fetch/$s_!1OBq!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F29555121-3a7b-4528-b618-027e1731545c_841x399.png 1272w, 
https://substackcdn.com/image/fetch/$s_!1OBq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F29555121-3a7b-4528-b618-027e1731545c_841x399.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong><a href="https://clover.security/case-studies/virgin-money/?utm_campaign=39986224-TCP%20Deep%20Dive&amp;utm_source=email&amp;utm_medium=Substack&amp;utm_content=Clover">Virgin Money</a></strong>, one of the UK&#8217;s largest retail banks serving 6.6 million customers, achieved 4x faster design reviews. But the bigger story is what changed qualitatively. 
Before Clover, reviews depended on individual interpretation across hundreds of policy controls. Now every design is reviewed against the same standard, every time. Head of Security Solutions Gordon Moon: &#8220;Clover turns generic threats into design-specific threats so our teams understand what really matters in that system.&#8221; (<a href="https://hubs.li/Q045_jJ40">Full case study</a>)</p><p>The fact that CISOs at Neo4j, Lemonade, and Virgin Money are willing to go on record with specific metrics at this stage is a strong signal for both company direction and product validation. Excited to see how these numbers evolve as deployments scale.</p><div><hr></div><h1><strong>Closing Thoughts</strong></h1><p>I&#8217;ve covered a lot of security startups through TCP. Very few make me stop and rethink how an entire category should work.</p><p><strong>Where the bet gets bigger.</strong> AI coding agents are already writing production code across thousands of engineering orgs. Most security teams have zero visibility into what those agents are generating, which models they&#8217;re using, or whether the output aligns with internal policies. That&#8217;s not a future problem.</p><p>Clover&#8217;s MCP Agent and Vibe Coding Agent are newer than the design review core, but they&#8217;re pointed at exactly the right problem. The agent observability dashboard alone is the kind of visibility security leaders will be demanding within 12 months. 
Clover is building it now.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!dFZO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe3adff92-8f81-4568-b9a0-de0218feb895_2160x2160.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!dFZO!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe3adff92-8f81-4568-b9a0-de0218feb895_2160x2160.png 424w, https://substackcdn.com/image/fetch/$s_!dFZO!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe3adff92-8f81-4568-b9a0-de0218feb895_2160x2160.png 848w, https://substackcdn.com/image/fetch/$s_!dFZO!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe3adff92-8f81-4568-b9a0-de0218feb895_2160x2160.png 1272w, https://substackcdn.com/image/fetch/$s_!dFZO!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe3adff92-8f81-4568-b9a0-de0218feb895_2160x2160.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!dFZO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe3adff92-8f81-4568-b9a0-de0218feb895_2160x2160.png" width="1456" height="1456" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e3adff92-8f81-4568-b9a0-de0218feb895_2160x2160.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1456,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:3566174,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.cybersecuritypulse.net/i/190579014?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe3adff92-8f81-4568-b9a0-de0218feb895_2160x2160.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!dFZO!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe3adff92-8f81-4568-b9a0-de0218feb895_2160x2160.png 424w, https://substackcdn.com/image/fetch/$s_!dFZO!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe3adff92-8f81-4568-b9a0-de0218feb895_2160x2160.png 848w, https://substackcdn.com/image/fetch/$s_!dFZO!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe3adff92-8f81-4568-b9a0-de0218feb895_2160x2160.png 1272w, https://substackcdn.com/image/fetch/$s_!dFZO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe3adff92-8f81-4568-b9a0-de0218feb895_2160x2160.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" 
width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong>Who should care.</strong> If you&#8217;re a CISO or Head of ProdSec at a company with 50+ engineers and you&#8217;re still doing design reviews manually (or not doing them at all), Clover should be on your shortlist. If your team is drowning in review requests and triaging by gut because you can&#8217;t cover everything, this is built for you.</p><p>Product Security as a discipline has historically been locked behind scarce human expertise. The security architects who can review a design doc, run a threat model, and identify business logic flaws before code is written are among the hardest hires in the industry. Most companies either can&#8217;t find them or can&#8217;t afford enough of them. If Clover&#8217;s agents can replicate that thinking at scale, they&#8217;re not just building a product. 
They&#8217;re making ProdSec accessible to teams that could never afford to staff it the way it deserves.</p><p>Having done this work by hand, I can tell you: this is the platform I wish I&#8217;d had.</p><p>I've shown you the thesis and where I think things are headed. Let them show you the product.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://clover.security/?utm_campaign=39986224-TCP%20Deep%20Dive&amp;utm_source=email&amp;utm_medium=Substack&amp;utm_content=Clover#book-a-demo&quot;,&quot;text&quot;:&quot;See Clover in Action&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://clover.security/?utm_campaign=39986224-TCP%20Deep%20Dive&amp;utm_source=email&amp;utm_medium=Substack&amp;utm_content=Clover#book-a-demo"><span>See Clover in Action</span></a></p>]]></content:encoded></item><item><title><![CDATA[25 Million Alerts. One Year of Real SOC Data. ]]></title><description><![CDATA[What Intezer's 2026 AI SOC Report Reveals About Alert Fatigue, Triage Gaps, and the Future of Security Operations]]></description><link>https://www.cybersecuritypulse.net/p/25-million-alerts-one-year-of-real</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/25-million-alerts-one-year-of-real</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Thu, 05 Mar 2026 13:58:37 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!9KQ5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b57b3f9-95cf-491b-ae19-0c592941aef3_1440x811.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Welcome to <strong>The Cybersecurity Pulse (TCP)</strong>! I&#8217;m Darwin Salazar, Head of Growth at <strong><a href="https://www.monad.com/">Monad</a></strong> and former detection engineer in big tech. Each week, I bring you the latest security innovation and industry news. 
Subscribe to receive weekly updates! &#128231;</em></p><div class="pullquote"><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!9KQ5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b57b3f9-95cf-491b-ae19-0c592941aef3_1440x811.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!9KQ5!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b57b3f9-95cf-491b-ae19-0c592941aef3_1440x811.png 424w, https://substackcdn.com/image/fetch/$s_!9KQ5!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b57b3f9-95cf-491b-ae19-0c592941aef3_1440x811.png 848w, 
https://substackcdn.com/image/fetch/$s_!9KQ5!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b57b3f9-95cf-491b-ae19-0c592941aef3_1440x811.png 1272w, https://substackcdn.com/image/fetch/$s_!9KQ5!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b57b3f9-95cf-491b-ae19-0c592941aef3_1440x811.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!9KQ5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b57b3f9-95cf-491b-ae19-0c592941aef3_1440x811.png" width="1440" height="811" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6b57b3f9-95cf-491b-ae19-0c592941aef3_1440x811.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:811,&quot;width&quot;:1440,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!9KQ5!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b57b3f9-95cf-491b-ae19-0c592941aef3_1440x811.png 424w, https://substackcdn.com/image/fetch/$s_!9KQ5!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b57b3f9-95cf-491b-ae19-0c592941aef3_1440x811.png 848w, 
https://substackcdn.com/image/fetch/$s_!9KQ5!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b57b3f9-95cf-491b-ae19-0c592941aef3_1440x811.png 1272w, https://substackcdn.com/image/fetch/$s_!9KQ5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b57b3f9-95cf-491b-ae19-0c592941aef3_1440x811.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div></div><p><em><strong><a href="https://hubs.li/Q045yZSD0">Intezer</a></strong> recently dropped their 2026 AI SOC Report. 
A full analysis of 25 million security alerts triaged across live enterprise SOCs in 2025. I read all 35 pages. Here&#8217;s what stood out, what it means, and what I think most security teams can take from it.</em></p><div><hr></div><p>The math inside <em>most</em> SOCs is broken, and it has been for years. Too many alerts, not enough analysts, and the people in those seats are legit running on fumes. Burnt-out analysts and overworked IR teams don&#8217;t just slow down. They miss things. So teams triage aggressively, auto-close the low-severity stuff, and hope nothing slips through.</p><p>This has been true for decades. Detection engineers can tune rules and build enrichment playbooks all day, but the volume problem is structural. Industry surveys consistently show that <strong><a href="https://www.vectra.ai/resources/2024-state-of-threat-detection">over 60% of alerts are never reviewed</a>.</strong> Not by in-house SOC teams. Not by MDRs. They get deprioritized or buried.</p><p>Intezer just put a number on what &#8220;slips through&#8221; actually looks like and the cost of the trade-off that most SOCs make.</p><p>The scale of the dataset alone sets this apart: </p><ul><li><p><strong>25 million alerts. 10 million monitored endpoints and identities. </strong></p></li><li><p><strong>180 million files analyzed. 7 million IP addresses investigated. 550,000 emails analyzed. </strong></p></li><li><p><strong>Over 82,000 endpoint forensic investigations, including live memory scans.</strong> </p></li></ul><p>This wasn&#8217;t a survey or a simulation. It&#8217;s operational data from production SOC environments like NVIDIA, MGM Resorts, and Equifax.</p><p>I spent years building detection rules and investigation playbooks, and I work with detection engineers and SOC teams daily at Monad. I know what&#8217;s supposed to happen after a rule fires. I also know what actually happens. 
This report quantifies that gap.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://hubs.li/Q045rws_0&quot;,&quot;text&quot;:&quot;Get the report here&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://hubs.li/Q045rws_0"><span>Get the report here</span></a></p><div><hr></div><h3><strong>Why I&#8217;m Writing About a Vendor Report</strong></h3><p>Let me be direct. AI SOC is a crowded, noisy market. There are 25+ vendors selling some version of it right now. Most are glorified LLM wrappers that summarize alert metadata and call it &#8220;investigation.&#8221; If you&#8217;re skeptical of the category, you should be.</p><p>I&#8217;ve watched Intezer&#8217;s platform evolve over years. Where most AI SOC tools are pattern-matching on alert metadata and hoping for the best LLM-generated verdict, Intezer is doing actual forensic analysis. Deterministic, not probabilistic. Every verdict is fully auditable. And the analysis goes to forensic depth: live memory scans, genetic code analysis, actual endpoint investigation.</p><p>The framing matters too. Intezer isn&#8217;t selling &#8220;replace your analysts.&#8221; They&#8217;re selling &#8220;cover the 60% that was never getting covered.&#8221; That&#8217;s a fundamentally different value proposition.</p><p>But the report itself earned this writeup on its own merits. It&#8217;s genuinely educational in a way that leads me to recommend it to anyone from Jr.-level operators to CISOs. Take the section on plaintext password alerts (p.20). They don&#8217;t just flag &#8220;we found unencrypted credentials on the wire&#8221; and move on. They trace it to directory services still running unencrypted LDAP, transmitting credentials in cleartext because nobody configured LDAPS or StartTLS. That level of precision tells you the people who wrote this have actually done the work. 
It&#8217;s a great refresher or learning track for pretty much any level.</p><p>And it puts numbers behind things practitioners have said for years but could hardly prove. <strong>&#8220;Most impossible travel alerts are false positives.&#8221; &#8220;Low-sev alerts are hiding real threats.&#8221; &#8220;EDRs aren&#8217;t as reliable as we think.&#8221;</strong> Now there are receipts.</p><div><hr></div><h2><strong>The Math Nobody Wanted to See</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!wPi6!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3d5bec82-007e-4b5e-826b-e0e96c0a08db_1182x1066.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!wPi6!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3d5bec82-007e-4b5e-826b-e0e96c0a08db_1182x1066.png 424w, https://substackcdn.com/image/fetch/$s_!wPi6!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3d5bec82-007e-4b5e-826b-e0e96c0a08db_1182x1066.png 848w, https://substackcdn.com/image/fetch/$s_!wPi6!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3d5bec82-007e-4b5e-826b-e0e96c0a08db_1182x1066.png 1272w, https://substackcdn.com/image/fetch/$s_!wPi6!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3d5bec82-007e-4b5e-826b-e0e96c0a08db_1182x1066.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!wPi6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3d5bec82-007e-4b5e-826b-e0e96c0a08db_1182x1066.png" width="1182" height="1066" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3d5bec82-007e-4b5e-826b-e0e96c0a08db_1182x1066.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1066,&quot;width&quot;:1182,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Infographic showing Intezer analyzed 25 million security alerts. Over 60% of alerts are ignored by SOC and MDR teams, especially low-severity ones. Nearly 1% of real threats come from low-severity alerts.&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Infographic showing Intezer analyzed 25 million security alerts. Over 60% of alerts are ignored by SOC and MDR teams, especially low-severity ones. Nearly 1% of real threats come from low-severity alerts." title="Infographic showing Intezer analyzed 25 million security alerts. Over 60% of alerts are ignored by SOC and MDR teams, especially low-severity ones. Nearly 1% of real threats come from low-severity alerts." 
srcset="https://substackcdn.com/image/fetch/$s_!wPi6!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3d5bec82-007e-4b5e-826b-e0e96c0a08db_1182x1066.png 424w, https://substackcdn.com/image/fetch/$s_!wPi6!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3d5bec82-007e-4b5e-826b-e0e96c0a08db_1182x1066.png 848w, https://substackcdn.com/image/fetch/$s_!wPi6!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3d5bec82-007e-4b5e-826b-e0e96c0a08db_1182x1066.png 1272w, https://substackcdn.com/image/fetch/$s_!wPi6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3d5bec82-007e-4b5e-826b-e0e96c0a08db_1182x1066.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" 
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Of everything in this report, this is the finding I keep coming back to.</p><p><strong>Nearly 1% of low-severity and informational alerts turned out to be real threats</strong></p><p>That sounds small until you do the math. The average enterprise generates around 450,000 alerts per year. Over 60% never get reviewed. At that scale, 1% of low-severity alerts being real means roughly <strong>54 genuine threats per year</strong> that nobody investigates. That&#8217;s about one per week <strong>(!!)</strong></p><p>On endpoints it&#8217;s worse. <strong>2% of low-severity endpoint alerts were confirmed incidents.</strong> Active, real, and invisible to the teams responsible for catching them.</p><p>Intezer ran over <strong>82,000 forensic scans</strong> on endpoints throughout the year, including live memory analysis. In <strong>1.6% of those scans, the endpoint was still actively compromised even though the EDR had reported the threat as mitigated.</strong> The EDR closed the case. The analyst moved on. The attacker was still there.</p><p>And over half of all endpoint alerts were never automatically mitigated by endpoint protection in the first place. Of those non-mitigated alerts, roughly <strong>9% were confirmed malicious.</strong></p><p>There could be legitimate explanations. Vendor quirks, timing issues, partial remediation. 
But the operational reality doesn&#8217;t change: <strong>if you&#8217;re trusting your EDR&#8217;s &#8220;mitigated&#8221; status without verification, you have a blind spot.</strong></p><p>As someone who built detection rules and playbooks that generate these exact alert types, I know the gap between the intended workflow and what actually happens. The detection fires, the alert enters the queue, and the math takes over. Low-severity stuff gets deprioritized or auto-closed.</p><p>That&#8217;s the real value of AI-driven triage. Not replacing analysts. Doing forensic-grade analysis on the alerts that were going to be ignored anyway. Finding the threats that may slip through.</p><div><hr></div><h2><strong>Where Attacks Are Actually Evolving</strong></h2><p>Three patterns jumped out from the threat data. None of them are what most vendors are selling against.</p><h3><strong>Phishing Doesn&#8217;t Need Your Endpoint Anymore</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!1DSq!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba996e7-38af-41b8-97fb-9dd29cfc848f_642x256.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!1DSq!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba996e7-38af-41b8-97fb-9dd29cfc848f_642x256.png 424w, https://substackcdn.com/image/fetch/$s_!1DSq!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba996e7-38af-41b8-97fb-9dd29cfc848f_642x256.png 848w, 
https://substackcdn.com/image/fetch/$s_!1DSq!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba996e7-38af-41b8-97fb-9dd29cfc848f_642x256.png 1272w, https://substackcdn.com/image/fetch/$s_!1DSq!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba996e7-38af-41b8-97fb-9dd29cfc848f_642x256.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!1DSq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba996e7-38af-41b8-97fb-9dd29cfc848f_642x256.png" width="692" height="275.9376947040498" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/aba996e7-38af-41b8-97fb-9dd29cfc848f_642x256.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;normal&quot;,&quot;height&quot;:256,&quot;width&quot;:642,&quot;resizeWidth&quot;:692,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!1DSq!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba996e7-38af-41b8-97fb-9dd29cfc848f_642x256.png 424w, https://substackcdn.com/image/fetch/$s_!1DSq!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba996e7-38af-41b8-97fb-9dd29cfc848f_642x256.png 848w, 
https://substackcdn.com/image/fetch/$s_!1DSq!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba996e7-38af-41b8-97fb-9dd29cfc848f_642x256.png 1272w, https://substackcdn.com/image/fetch/$s_!1DSq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faba996e7-38af-41b8-97fb-9dd29cfc848f_642x256.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Intezer analyzed 550,000 user-reported phishing emails. Less than 8% were confirmed malicious. 
But look at how those malicious emails actually break down: <strong>less than 6% carried an attachment. Around 30% relied on a link</strong>.</p><p>The attack surface has moved. Endpoints and inboxes are well-defended, and attackers know it. So they&#8217;re keeping the entire kill chain inside the browser, where most security stacks have minimal visibility.</p><p>Intezer found platforms like Vercel, CodePen, JSitor, and JSBin hosting live credential-harvesting pages on trusted domains. Phishing sites impersonating crypto wallets and exchanges, asking victims for recovery phrases. Legitimate developer infrastructure being used as disposable phishing hosting. <strong>Most threat intel feeds won&#8217;t flag these domains because the domains themselves aren&#8217;t malicious.</strong></p><p><strong>Microsoft</strong> was the most impersonated brand, representing nearly a third of all phishing URLs. Microsoft and DocuSign together accounted for almost <strong>85% of brand impersonation.</strong> Brand impersonation was the top phishing technique at 28.7%, with callback scams right behind at 25.3%.</p><p>Attackers are also increasingly gating phishing pages behind Cloudflare&#8217;s Turnstile CAPTCHA. The majority of URLs using Google reCAPTCHA were safe. That ratio completely flipped for Cloudflare Turnstile. 
Attackers are using CAPTCHAs not to stop bots, but to stop security scanners from seeing what&#8217;s behind the page.</p><div><hr></div><h3><strong>Identity Is Drowning in Noise</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!l8we!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc5b7a11d-86fa-477a-99ca-1e52ed3d950b_626x312.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!l8we!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc5b7a11d-86fa-477a-99ca-1e52ed3d950b_626x312.png 424w, https://substackcdn.com/image/fetch/$s_!l8we!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc5b7a11d-86fa-477a-99ca-1e52ed3d950b_626x312.png 848w, https://substackcdn.com/image/fetch/$s_!l8we!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc5b7a11d-86fa-477a-99ca-1e52ed3d950b_626x312.png 1272w, https://substackcdn.com/image/fetch/$s_!l8we!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc5b7a11d-86fa-477a-99ca-1e52ed3d950b_626x312.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!l8we!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc5b7a11d-86fa-477a-99ca-1e52ed3d950b_626x312.png" width="710" height="353.86581469648564" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c5b7a11d-86fa-477a-99ca-1e52ed3d950b_626x312.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:312,&quot;width&quot;:626,&quot;resizeWidth&quot;:710,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!l8we!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc5b7a11d-86fa-477a-99ca-1e52ed3d950b_626x312.png 424w, https://substackcdn.com/image/fetch/$s_!l8we!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc5b7a11d-86fa-477a-99ca-1e52ed3d950b_626x312.png 848w, https://substackcdn.com/image/fetch/$s_!l8we!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc5b7a11d-86fa-477a-99ca-1e52ed3d950b_626x312.png 1272w, https://substackcdn.com/image/fetch/$s_!l8we!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc5b7a11d-86fa-477a-99ca-1e52ed3d950b_626x312.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path 
d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Location and geo anomalies made up <strong>over 36% of all identity alerts.</strong> Login failures accounted for 22%. But <strong>74.1% of login verdicts were classified as likely benign.</strong> The &#8220;impossible travel&#8221; alerts that flood every SOC queue? Only about <strong>2% were confirmed real compromises.</strong></p><p><strong>Roughly 30% of those alerts were caused by VPN activity. </strong>Mobile phones routing through distant data centers and overlapping security tools triggering alerts against each other accounted for most of the rest. The identity layer has become the highest-noise signal source in the SOC, and separating real compromise from normal variability at scale is one of the hardest unsolved problems in the space. 
I imagine this problem gets worse with the explosion of Non-Human Identities (NHI).</p><div><hr></div><h3><strong>Cloud Attackers Are Playing the Long Game</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!F-A1!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F243e6176-cc93-4637-a72a-bedf612f118f_891x532.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!F-A1!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F243e6176-cc93-4637-a72a-bedf612f118f_891x532.png 424w, https://substackcdn.com/image/fetch/$s_!F-A1!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F243e6176-cc93-4637-a72a-bedf612f118f_891x532.png 848w, https://substackcdn.com/image/fetch/$s_!F-A1!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F243e6176-cc93-4637-a72a-bedf612f118f_891x532.png 1272w, https://substackcdn.com/image/fetch/$s_!F-A1!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F243e6176-cc93-4637-a72a-bedf612f118f_891x532.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!F-A1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F243e6176-cc93-4637-a72a-bedf612f118f_891x532.png" width="891" height="532" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/243e6176-cc93-4637-a72a-bedf612f118f_891x532.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:532,&quot;width&quot;:891,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Bar chart showing cloud alert TTPs and tactics. Defense Evasion leads by a wide margin at over 150,000 alerts, followed by Persistence and Discovery. Less common tactics include Lateral Movement, Reconnaissance, and Privilege Escalation&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Bar chart showing cloud alert TTPs and tactics. Defense Evasion leads by a wide margin at over 150,000 alerts, followed by Persistence and Discovery. Less common tactics include Lateral Movement, Reconnaissance, and Privilege Escalation" title="Bar chart showing cloud alert TTPs and tactics. Defense Evasion leads by a wide margin at over 150,000 alerts, followed by Persistence and Discovery. 
Less common tactics include Lateral Movement, Reconnaissance, and Privilege Escalation" srcset="https://substackcdn.com/image/fetch/$s_!F-A1!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F243e6176-cc93-4637-a72a-bedf612f118f_891x532.png 424w, https://substackcdn.com/image/fetch/$s_!F-A1!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F243e6176-cc93-4637-a72a-bedf612f118f_891x532.png 848w, https://substackcdn.com/image/fetch/$s_!F-A1!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F243e6176-cc93-4637-a72a-bedf612f118f_891x532.png 1272w, https://substackcdn.com/image/fetch/$s_!F-A1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F243e6176-cc93-4637-a72a-bedf612f118f_891x532.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" 
height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Defense evasion and persistence dominated cloud TTPs. Attackers are getting in (usually through identity) and sitting quietly. Token manipulation, obfuscation, abuse of legitimate cloud features etc. The goal is long-term access + recon, not immediate impact.</p><p>S3 accounted for roughly <strong>70% of all AWS control violations.</strong> Buckets still using ACLs instead of IAM policies, missing server access logging, overly permissive cross-account policies.</p><p>I spent years at Accenture and Datadog building the CSPM rules that flag these exact misconfigurations. The fact that they&#8217;re still this prevalent in 2026 tells you everything you need to know.</p><div><hr></div><h2><strong>What to Actually Do About It</strong></h2><p><strong>Invest in making your team AI-fluent, and seriously evaluate AI SOC platforms.</strong> LLMs are great for log analysis, triage assistance, detection rule development, playbook drafting. But for alert triage, the build vs. buy math almost never favors build. Reviewing every alert across every tool, investigating regardless of the original verdict, at forensic depth (live memory scans, genetic code analysis, full auditability)? That&#8217;s years of engineering, not a side project. 
The teams that figure out how to pair human judgment with AI speed at that level are the ones that will actually close the coverage gaps this report quantifies.</p><p><strong>Stop trusting your tooling&#8217;s verdicts blindly.</strong> Real threats are hiding in low-severity alerts and EDRs are reporting &#8220;mitigated&#8221; while endpoints remain compromised. If your team can&#8217;t cover the full alert volume manually, that&#8217;s a strong case for AI-augmented triage.</p><p><strong>Reassess your phishing defense model for browser-based attacks.</strong> The attack surface has shifted from attachments to links, from endpoints to browsers. If your phishing defense stack is primarily focused on catching malicious files, you&#8217;re defending last year&#8217;s battlefield. The code sandbox abuse and callback scam patterns in this report deserve your immediate attention.</p><p><strong>Audit your cloud posture against what you&#8217;re actually running, not what the docs say.</strong> S3 misconfigs aren&#8217;t news. But 70% of all AWS violations concentrating there suggests most organizations still haven&#8217;t done the unglamorous work of cleaning up notoriously bad configurations.</p><div><hr></div><h2><strong>The Full Report</strong></h2><p>I don&#8217;t say this often about vendor reports: go read the whole thing <a href="https://hubs.li/Q045rws_0">here</a>. It&#8217;s 35 pages, it&#8217;s technical, and it respects your intelligence. </p><p>If you&#8217;re a CISO, send it to your SOC lead. If you&#8217;re a SOC lead, send it to your analysts. 
If you build detections, you&#8217;ll find data in here that validates half the arguments you&#8217;ve been losing in meetings.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://hubs.li/Q045rws_0&quot;,&quot;text&quot;:&quot;Get the full report&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://hubs.li/Q045rws_0"><span>Get the full report</span></a></p><p></p>]]></content:encoded></item><item><title><![CDATA[Splunk .conf 2025 Recap]]></title><description><![CDATA[How Splunk Is Rewriting the SIEM Playbook]]></description><link>https://www.cybersecuritypulse.net/p/splunk-conf-2025-recap</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/splunk-conf-2025-recap</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Mon, 15 Sep 2025 19:27:27 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!iNci!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F954fc57a-eaba-45dd-9440-bbe8d59cf63d_1280x560.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Welcome to <strong>The Cybersecurity Pulse (TCP)</strong>! I'm Darwin Salazar, Head of Growth and Marketing at <strong><a href="https://www.monad.com/">Monad</a></strong> and former Detection Engineer in big tech. Each week, I dig through all the major headlines to bring you the latest security product innovation and industry news. 
Subscribe below for weekly updates!</em> &#128231;</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cybersecuritypulse.net/&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://www.cybersecuritypulse.net/"><span>Subscribe now</span></a></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cybersecuritypulse.net/p/splunk-conf-2025-recap?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cybersecuritypulse.net/p/splunk-conf-2025-recap?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!iNci!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F954fc57a-eaba-45dd-9440-bbe8d59cf63d_1280x560.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!iNci!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F954fc57a-eaba-45dd-9440-bbe8d59cf63d_1280x560.png 424w, https://substackcdn.com/image/fetch/$s_!iNci!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F954fc57a-eaba-45dd-9440-bbe8d59cf63d_1280x560.png 848w, 
https://substackcdn.com/image/fetch/$s_!iNci!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F954fc57a-eaba-45dd-9440-bbe8d59cf63d_1280x560.png 1272w, https://substackcdn.com/image/fetch/$s_!iNci!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F954fc57a-eaba-45dd-9440-bbe8d59cf63d_1280x560.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!iNci!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F954fc57a-eaba-45dd-9440-bbe8d59cf63d_1280x560.png" width="1280" height="560" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/954fc57a-eaba-45dd-9440-bbe8d59cf63d_1280x560.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:560,&quot;width&quot;:1280,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:392079,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!iNci!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F954fc57a-eaba-45dd-9440-bbe8d59cf63d_1280x560.png 424w, https://substackcdn.com/image/fetch/$s_!iNci!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F954fc57a-eaba-45dd-9440-bbe8d59cf63d_1280x560.png 848w, 
https://substackcdn.com/image/fetch/$s_!iNci!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F954fc57a-eaba-45dd-9440-bbe8d59cf63d_1280x560.png 1272w, https://substackcdn.com/image/fetch/$s_!iNci!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F954fc57a-eaba-45dd-9440-bbe8d59cf63d_1280x560.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">Courtesy: Splunk .conf Global Broadcast</figcaption></figure></div><p><strong><a 
href="https://conf.splunk.com/">Splunk&#8217;s user conference, .conf,</a></strong> took place in Boston last week and I had a front-row seat to it all. I spent the week at the con sitting through keynotes and workshops and catching up with friends + Splunk customers. This post will highlight what matters most to security teams and those building in the SecOps space.</p><div><hr></div><h2>TL;DR &#128240;</h2><p>Splunk is bringing a lot more capabilities into their SIEM offering, including domain-specific AI agents, AI x SOAR and a detection studio. They&#8217;ve also added federated search support for Snowflake and announced the upcoming launch of their Time Series Foundation Model on Hugging Face.</p><h2><strong>Standout Announcements from .conf &#128640;</strong></h2><h4><strong>Triage Agent</strong></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!zfzJ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F48b44a91-8b0c-4adf-b853-418623af8188_1024x768.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!zfzJ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F48b44a91-8b0c-4adf-b853-418623af8188_1024x768.png 424w, https://substackcdn.com/image/fetch/$s_!zfzJ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F48b44a91-8b0c-4adf-b853-418623af8188_1024x768.png 848w, https://substackcdn.com/image/fetch/$s_!zfzJ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F48b44a91-8b0c-4adf-b853-418623af8188_1024x768.png 1272w, 
https://substackcdn.com/image/fetch/$s_!zfzJ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F48b44a91-8b0c-4adf-b853-418623af8188_1024x768.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!zfzJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F48b44a91-8b0c-4adf-b853-418623af8188_1024x768.png" width="1024" height="768" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/48b44a91-8b0c-4adf-b853-418623af8188_1024x768.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:768,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!zfzJ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F48b44a91-8b0c-4adf-b853-418623af8188_1024x768.png 424w, https://substackcdn.com/image/fetch/$s_!zfzJ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F48b44a91-8b0c-4adf-b853-418623af8188_1024x768.png 848w, https://substackcdn.com/image/fetch/$s_!zfzJ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F48b44a91-8b0c-4adf-b853-418623af8188_1024x768.png 1272w, 
https://substackcdn.com/image/fetch/$s_!zfzJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F48b44a91-8b0c-4adf-b853-418623af8188_1024x768.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The Triage Agent streamlines alert prioritization with AI-driven analysis, automatically executing investigation steps and reducing MTTR through automated insights. It evaluates, prioritizes, and explains alerts. 
It is expected in Alpha in January 2026, so it will be a long while before it&#8217;s in the hands of all Splunk users.</p><p>This is their &#8220;AI for SOC&#8221; answer. Lots of funding has been poured into AI for SOC startups in recent years. It&#8217;ll be interesting to see Splunk&#8217;s roll-out and the industry&#8217;s reception to this.</p><div><hr></div><h4><strong>Malware Reversing Agent</strong></h4><p>Splunk's malware reversing agent unpacks malicious scripts step by step for clear analysis. It extracts IOCs, maps threats to MITRE ATT&amp;CK, and eliminates bottlenecks from limited coding expertise. The demo showed it analyzing, in real time, PowerShell commands that construct temporary file paths, instantiate WebClient objects, download MSI files from remote servers, and invoke the malware installation. The agent explains each line of code, flags evasion techniques, and groups recurring behaviors.</p><p>Most SOC analysts aren't malware reverse engineers, so this is pretty significant.</p><div><hr></div><h4><strong>AI SOAR Playbook Authoring</strong></h4><p>This feature converts natural language commands into SOAR playbooks. The interface shows a simple prompt like "Build a playbook to isolate a host if X alert triggers" and generates the complete workflow with custom code blocks and action blocks.</p><p>Many of the qualms with SOAR come down to the technical complexity required to actually roll out sophisticated playbooks. 
Hopefully this helps ease that thrash and reduce the need for hiring 3rd parties to build your playbooks.</p><div><hr></div><h4><strong>Detection Studio with AI Enhancement</strong></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!-B_h!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F59ce44de-9e13-46e3-8106-8f2a65a5b63a_1024x768.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!-B_h!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F59ce44de-9e13-46e3-8106-8f2a65a5b63a_1024x768.png 424w, https://substackcdn.com/image/fetch/$s_!-B_h!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F59ce44de-9e13-46e3-8106-8f2a65a5b63a_1024x768.png 848w, https://substackcdn.com/image/fetch/$s_!-B_h!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F59ce44de-9e13-46e3-8106-8f2a65a5b63a_1024x768.png 1272w, https://substackcdn.com/image/fetch/$s_!-B_h!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F59ce44de-9e13-46e3-8106-8f2a65a5b63a_1024x768.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!-B_h!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F59ce44de-9e13-46e3-8106-8f2a65a5b63a_1024x768.png" width="1024" height="768" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/59ce44de-9e13-46e3-8106-8f2a65a5b63a_1024x768.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:768,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!-B_h!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F59ce44de-9e13-46e3-8106-8f2a65a5b63a_1024x768.png 424w, https://substackcdn.com/image/fetch/$s_!-B_h!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F59ce44de-9e13-46e3-8106-8f2a65a5b63a_1024x768.png 848w, https://substackcdn.com/image/fetch/$s_!-B_h!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F59ce44de-9e13-46e3-8106-8f2a65a5b63a_1024x768.png 1272w, https://substackcdn.com/image/fetch/$s_!-B_h!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F59ce44de-9e13-46e3-8106-8f2a65a5b63a_1024x768.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path 
d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Detection Studio now includes AI-powered features that help with many steps across the detection lifecycle including ideation, testing, fine-tuning, and monitoring. The interface shows real-time detection coverage metrics, validates data source availability, and includes a Personalized Detection SPL Generator that customizes detections for unique SOC environments. 
You can test detections against historical data (using data replays), deploy in safe test mode, and run automated quality checks before production deployment.</p><p>Detection Studio is in the Alpha stage, so it may still be a while until it&#8217;s generally available.</p><p><em>Read the full press release <a href="https://www.splunk.com/en_us/newsroom/press-releases/2025/cisco-elevates-the-soc-with-agentic-ai-for-faster-threat-response-and-reduced-complexity.html">here.</a></em></p><div><hr></div><h4><strong>The Cisco Data Fabric + Time Series Foundation Model</strong></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!2kAu!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45768a48-9897-45ec-8c4a-e2c1064ee6f2_1600x818.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!2kAu!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45768a48-9897-45ec-8c4a-e2c1064ee6f2_1600x818.png 424w, https://substackcdn.com/image/fetch/$s_!2kAu!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45768a48-9897-45ec-8c4a-e2c1064ee6f2_1600x818.png 848w, https://substackcdn.com/image/fetch/$s_!2kAu!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45768a48-9897-45ec-8c4a-e2c1064ee6f2_1600x818.png 1272w, https://substackcdn.com/image/fetch/$s_!2kAu!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45768a48-9897-45ec-8c4a-e2c1064ee6f2_1600x818.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!2kAu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45768a48-9897-45ec-8c4a-e2c1064ee6f2_1600x818.png" width="1456" height="744" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/45768a48-9897-45ec-8c4a-e2c1064ee6f2_1600x818.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:744,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!2kAu!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45768a48-9897-45ec-8c4a-e2c1064ee6f2_1600x818.png 424w, https://substackcdn.com/image/fetch/$s_!2kAu!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45768a48-9897-45ec-8c4a-e2c1064ee6f2_1600x818.png 848w, https://substackcdn.com/image/fetch/$s_!2kAu!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45768a48-9897-45ec-8c4a-e2c1064ee6f2_1600x818.png 1272w, https://substackcdn.com/image/fetch/$s_!2kAu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45768a48-9897-45ec-8c4a-e2c1064ee6f2_1600x818.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft 
icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The &#8220;data fabric&#8221; term is not new and probably dates back a decade+ at this point. However, I think Splunk is perfectly positioned to scale this out given the amount and variety (SecOps, NetOps, ITOps etc.) of telemetry they ingest + analyze. 
The Cisco Data Fabric will enable customers to build custom AI models with their proprietary data, unify distributed data sources for real-time insights, and power agentic workflows.</p><p>As part of this effort, they also launched a Time Series Foundation Model specifically for anomaly detection that'll hit <a href="https://huggingface.co/">Hugging Face</a> in November.</p><p>There aren&#8217;t many foundation models that exist for security and I haven't come across one that is specifically trained for SecOps use cases so this is truly a game changer. This will enable anyone to build applications and use cases on top of that model and will be helpful for correlation (events, identities, etc), anomaly detection, predictive stuff and more. Excited for this to ship!</p><p><em>Read the full press release <a href="https://www.splunk.com/en_us/newsroom/press-releases/2025/cisco-data-fabric-transforms-machine-data-into-ai-ready-intelligence.html">here.</a></em></p><div><hr></div><h4><strong>Federated Search Support for Snowflake</strong></h4><p>Snowflake integration will be in Alpha in February 2026. This will allow security teams to query Snowflake directly from Splunk. Jeetu Patel, CPO @ Cisco is calling distributed data stores "data ponds" and "data puddles". More water x data metaphors..</p><p>Federated search is great for conducting retroactive data/log analysis (i.e., threat hunting, investigations). It allows you to store data in cost-effective stores while still being able to query it from Splunk. 
Some security teams have adopted Snowflake for security data storage and many enterprises use it to store other business data so having access to that context directly from Splunk will be pretty dope.</p><p><em>Read the full press release<a href="https://www.splunk.com/en_us/newsroom/press-releases/2025/cisco-advances-open-data-ecosystems-with-splunk-federated-search-for-snowflake.html"> here.</a></em></p><div><hr></div><h2><strong>The Quiet Part Said Out Loud&#128176;</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!XvBy!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6638bab-48b0-4ea6-9229-e0c1d27724df_1600x860.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!XvBy!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6638bab-48b0-4ea6-9229-e0c1d27724df_1600x860.png 424w, https://substackcdn.com/image/fetch/$s_!XvBy!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6638bab-48b0-4ea6-9229-e0c1d27724df_1600x860.png 848w, https://substackcdn.com/image/fetch/$s_!XvBy!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6638bab-48b0-4ea6-9229-e0c1d27724df_1600x860.png 1272w, https://substackcdn.com/image/fetch/$s_!XvBy!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6638bab-48b0-4ea6-9229-e0c1d27724df_1600x860.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!XvBy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6638bab-48b0-4ea6-9229-e0c1d27724df_1600x860.png" width="1456" height="783" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b6638bab-48b0-4ea6-9229-e0c1d27724df_1600x860.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:783,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!XvBy!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6638bab-48b0-4ea6-9229-e0c1d27724df_1600x860.png 424w, https://substackcdn.com/image/fetch/$s_!XvBy!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6638bab-48b0-4ea6-9229-e0c1d27724df_1600x860.png 848w, https://substackcdn.com/image/fetch/$s_!XvBy!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6638bab-48b0-4ea6-9229-e0c1d27724df_1600x860.png 1272w, https://substackcdn.com/image/fetch/$s_!XvBy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6638bab-48b0-4ea6-9229-e0c1d27724df_1600x860.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft 
icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The elephant in the room: <strong>cost</strong>. Let&#8217;s face it. Splunk is cost-prohibitive for SMBs and even larger enterprises with small security budgets. If you&#8217;ve been in the SecOps space, you&#8217;ve probably heard this more than a few times. Even Splunk presenters themselves brought up pricing concerns on multiple occasions. That's how you know it's bad.</p><p>Kudos to Splunk for addressing it head on though. 
What got less attention on the mainstage than in the breakout rooms is that they&#8217;re building features to make Splunk less cost-prohibitive, including edge processors, ingest filtering, federated search, S3 replay, and even free Cisco firewall log ingestion (is there any fine print here?).</p><div><hr></div><h2><strong>The Bottom Line &#129335;&#127997;&#8205;&#9794;&#65039;</strong></h2><p>Should you care? If you're already a Splunk customer, absolutely. If you&#8217;re a Splunk SIEM or SOAR competitor? Certainly. What about if you&#8217;re a startup building in AI for SOC, federated search or the ETL space? Maybe&#8230; You should certainly be paying attention.</p><p>The reality is that Splunk remains the enterprise default because it&#8217;s been proven at the largest of scales for decades. The world&#8217;s largest and most important enterprises rely on Splunk as their SOC&#8217;s command center. While the paradigm has shifted, these latest innovations show they&#8217;re not getting complacent and are building for the long haul.</p><p>Splunk is going deep on SecOps workflows with features like Detection Studio, recommended data onboarding plans, S3 data replay, and enhanced federated search. 
That, paired with their AI announcements and brought into one unified experience, will be a game changer for customers once it&#8217;s all in place.</p><p><strong>Will Splunk still dominate enterprise SIEM in three years?</strong> &#129335;&#127997;&#8205;&#9794;&#65039; <em>I don&#8217;t have a crystal ball and as always, it&#8217;s all about execution.</em></p><p>However, I do know that the announcements made at this year&#8217;s Splunk .conf position them well as we move into the AI era in security.</p>]]></content:encoded></item><item><title><![CDATA[The Future of Data Security: From AI Agents to Unified Platforms]]></title><description><![CDATA[A deep dive into modern data security challenges and the unified platform solution]]></description><link>https://www.cybersecuritypulse.net/p/the-future-of-data-security-from</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/the-future-of-data-security-from</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Tue, 29 Jul 2025 14:31:48 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!MbOI!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F636d4e6d-3915-4799-9220-d684db269372_822x600.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Welcome to <strong>The Cybersecurity Pulse (TCP)</strong>! I'm Darwin Salazar, Head of Growth at <strong><a href="https://www.monad.com/">Monad</a></strong> and former Detection Engineer in big tech. Each week, I dig through all the major headlines to bring you the latest security product innovation and industry news. 
Subscribe below for weekly updates!</em> &#128231;</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cybersecuritypulse.net/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cybersecuritypulse.net/subscribe?"><span>Subscribe now</span></a></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!MbOI!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F636d4e6d-3915-4799-9220-d684db269372_822x600.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!MbOI!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F636d4e6d-3915-4799-9220-d684db269372_822x600.png 424w, https://substackcdn.com/image/fetch/$s_!MbOI!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F636d4e6d-3915-4799-9220-d684db269372_822x600.png 848w, https://substackcdn.com/image/fetch/$s_!MbOI!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F636d4e6d-3915-4799-9220-d684db269372_822x600.png 1272w, https://substackcdn.com/image/fetch/$s_!MbOI!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F636d4e6d-3915-4799-9220-d684db269372_822x600.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!MbOI!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F636d4e6d-3915-4799-9220-d684db269372_822x600.png" 
width="822" height="600" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/636d4e6d-3915-4799-9220-d684db269372_822x600.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:600,&quot;width&quot;:822,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!MbOI!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F636d4e6d-3915-4799-9220-d684db269372_822x600.png 424w, https://substackcdn.com/image/fetch/$s_!MbOI!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F636d4e6d-3915-4799-9220-d684db269372_822x600.png 848w, https://substackcdn.com/image/fetch/$s_!MbOI!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F636d4e6d-3915-4799-9220-d684db269372_822x600.png 1272w, https://substackcdn.com/image/fetch/$s_!MbOI!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F636d4e6d-3915-4799-9220-d684db269372_822x600.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><h4><strong>About the Author</strong></h4><p>Hi! &#128075; I&#8217;m <strong><a href="https://www.linkedin.com/in/darwin-salazar/">Darwin Salazar</a></strong><a href="https://www.linkedin.com/in/darwin-salazar/"> </a>and I've dealt with data security challenges up close from multiple angles, including leading <strong><a href="https://hitrustalliance.net/">HITRUST</a></strong> compliance initiatives and building medical device-to-cloud pipelines at Johnson &amp; Johnson, consulting on PCI DSS engagements for Fortune 500 clients, and crafting cloud misconfiguration detection rules at Datadog. I'm excited to share what I&#8217;m seeing in the space, where I think we&#8217;re headed, and who&#8217;s at the forefront in this space.</p><div><hr></div><h2>TL;DR &#127919;</h2><ul><li><p><strong>Proprietary data is </strong><em><strong>the</strong></em><strong> crown jewel for most organizations.</strong> For attackers, it's either the prize itself or the means to their ultimate goal. 
</p></li><li><p><strong>AI has fundamentally changed the way organizations think about data security.</strong> </p><ul><li><p>Think about the rate of adoption and impact of AI agents, MCP servers, Shadow AI, and 3rd party AI supply chain risks. </p></li><li><p>Think GenAI-generated sensitive data based on sensitive inputs. </p></li><li><p>Think data poisoning and risks to AI model integrity.</p></li></ul></li><li><p>The traditional data security risks have not gone away. </p></li><li><p>The data security regulatory landscape has only intensified in recent years. </p></li><li><p>The difference between data security and any other domain is that data security must be horizontal by nature, spanning across identity, cloud, endpoints, and applications rather than living in any single domain.</p></li><li><p>Point solutions and traditional DLP fail to keep up with the velocity and distribution of sensitive data. </p></li><li><p>A unified platform approach helps tackle most of our previous shortcomings in data security while addressing emerging threat vectors. </p></li><li><p>We cover how <strong><a href="https://www.varonis.com/">Varonis</a></strong> is a great case study of the platform approach applied to data security due to their metadata framework, 20+ years of evolution, MDDR, DAM, DSPM, identity security capabilities and much more. </p></li></ul><p><strong>The bottom line:</strong> In an AI-powered world where data moves at machine speed, only unified platforms can provide the visibility, context, and automated response needed to stay ahead of traditional and emerging threats.</p><div><hr></div><h2><strong>Introduction</strong></h2><p>We spent 20 years building walls around our data. Then we gave AI the keys to nearly every door. For many organizations, their data is their moat and is what&#8217;s paving their next wave of growth as they build, adapt, and deploy AI systems across their workflows. 
Think about patented tech, billion dollar+ R&amp;D efforts, legally protected info, healthcare patient records, etc. Now think about just how fast consumers and enterprises are adopting the latest AI apps and integrating them across the board. The speed is mind-boggling and opens us up to many unknowns.</p><p>Take <strong><a href="https://www.varonis.com/blog/echoleak">EchoLeak</a></strong>, for example. It was a novel vulnerability type discovered in Microsoft 365 Copilot that could have allowed exfiltration of sensitive data right out of Copilot&#8217;s context window with little user interaction. Then you have enterprise AI apps and new protocols like <strong><a href="https://www.anthropic.com/news/model-context-protocol">Model Context Protocol</a></strong> (MCP), which integrate with existing tech stacks, inherit permission debt, and can access sensitive data. To make things worse, it feels like AI is generating more sensitive data on a weekly basis than what humans create in a lifetime.</p><p>That said, I&#8217;m not here to spread doom and gloom. Security adapts as we always have. There are world-class security leaders who have navigated similar challenges for decades and there are vendors who have done the same. Think about the emergence of the data center, virtualization, the cloud, SaaS apps, and now AI. Each new wave introduces more complexity that stacks on top of existing challenges, yet we always adapt over time to meet them. The AI wave is different from others for many reasons, but I also have a sense of optimism about what AI can do for data security programs.</p><p>In this report, I&#8217;ll be digging into how the data security landscape has evolved in recent years, what a data security platform should look like in 2025 (using <strong><a href="https://www.varonis.com/">Varonis</a></strong> as an example), and what may lie ahead for the space. 
</p><div><hr></div><h2><strong>New Data Security Risks in the AI Era</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!znul!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45353779-755d-4daf-8528-b5ccbaafb5f7_6400x2529.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!znul!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45353779-755d-4daf-8528-b5ccbaafb5f7_6400x2529.png 424w, https://substackcdn.com/image/fetch/$s_!znul!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45353779-755d-4daf-8528-b5ccbaafb5f7_6400x2529.png 848w, https://substackcdn.com/image/fetch/$s_!znul!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45353779-755d-4daf-8528-b5ccbaafb5f7_6400x2529.png 1272w, https://substackcdn.com/image/fetch/$s_!znul!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45353779-755d-4daf-8528-b5ccbaafb5f7_6400x2529.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!znul!,w_2400,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45353779-755d-4daf-8528-b5ccbaafb5f7_6400x2529.png" width="1200" height="474.1875" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/45353779-755d-4daf-8528-b5ccbaafb5f7_6400x2529.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;large&quot;,&quot;height&quot;:2529,&quot;width&quot;:6400,&quot;resizeWidth&quot;:1200,&quot;bytes&quot;:2234931,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.cybersecuritypulse.net/i/169559054?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66a8c314-0e21-4a30-8c46-e32dafab1839_6400x3881.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-large" alt="" srcset="https://substackcdn.com/image/fetch/$s_!znul!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45353779-755d-4daf-8528-b5ccbaafb5f7_6400x2529.png 424w, https://substackcdn.com/image/fetch/$s_!znul!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45353779-755d-4daf-8528-b5ccbaafb5f7_6400x2529.png 848w, https://substackcdn.com/image/fetch/$s_!znul!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45353779-755d-4daf-8528-b5ccbaafb5f7_6400x2529.png 1272w, https://substackcdn.com/image/fetch/$s_!znul!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F45353779-755d-4daf-8528-b5ccbaafb5f7_6400x2529.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h3><strong>AI Agents</strong></h3><p>Widely adopted AI agents like Microsoft 365 Copilot, Glean and Salesforce Agentforce come with large promises, but also new risks. Many of these AI agents<a href="https://www.varonis.com/blog/salesforce-agentforce-security#:~:text=,are%20used%20properly%20and%20responsibly"> inherit their creator&#8217;s user permissions by default</a>, which means if your users have more access than they actually need (most do), then the AI tools do as well. 
In fact, <a href="https://142972.fs1.hubspotusercontent-na1.net/hubfs/142972/Files/reports/2025-varonis-state-of-data-security-report.pdf">according to Varonis&#8217; latest research</a>, <strong>99% of organizations</strong> have sensitive data unnecessarily exposed to AI.</p><p>Even more concerning: around <strong>90% of sensitive cloud data</strong> is left openly accessible to these AI apps. A simple prompt could trigger an AI to pull sensitive information from various sources, making attackers' lives much easier. Traditional DLP and DSPM controls just can&#8217;t keep up with the speed and scale at which these AI agents operate.</p><p>Modern data security platforms must see AI the way attackers do&#8212;as a privileged user with unprecedented reach. This means understanding not just where sensitive data lives, but how AI agents access it, what permissions they inherit, and whether that access aligns with business needs. When your AI can touch data across clouds, SaaS apps, databases, and file shares in milliseconds, your security must operate at the same speed and scale.</p><div><hr></div><h4><strong>MCP and New Protocols</strong></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!K3GU!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c9877b4-4b00-4386-913e-733048787807_1024x576.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!K3GU!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c9877b4-4b00-4386-913e-733048787807_1024x576.png 424w, 
https://substackcdn.com/image/fetch/$s_!K3GU!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c9877b4-4b00-4386-913e-733048787807_1024x576.png 848w, https://substackcdn.com/image/fetch/$s_!K3GU!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c9877b4-4b00-4386-913e-733048787807_1024x576.png 1272w, https://substackcdn.com/image/fetch/$s_!K3GU!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c9877b4-4b00-4386-913e-733048787807_1024x576.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!K3GU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c9877b4-4b00-4386-913e-733048787807_1024x576.png" width="1024" height="576" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7c9877b4-4b00-4386-913e-733048787807_1024x576.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:576,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!K3GU!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c9877b4-4b00-4386-913e-733048787807_1024x576.png 424w, 
https://substackcdn.com/image/fetch/$s_!K3GU!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c9877b4-4b00-4386-913e-733048787807_1024x576.png 848w, https://substackcdn.com/image/fetch/$s_!K3GU!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c9877b4-4b00-4386-913e-733048787807_1024x576.png 1272w, https://substackcdn.com/image/fetch/$s_!K3GU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c9877b4-4b00-4386-913e-733048787807_1024x576.png 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">Image Credit: <a href="https://www.linkedin.com/in/norah-klintberg-sakal/">Norah Sakal</a></figcaption></figure></div><p>The emergence of Model Context Protocol (MCP) servers represents a fundamental shift in how AI agents, apps, and humans interact with organizational data. While MCP servers enable us to securely access local data sources, databases, and APIs through standardized protocols, they also introduce new attack vectors where a single compromised server could expose multiple data sources simultaneously.</p><p>While MCP gives AI superpowers, it also amplifies traditional prompt injection attacks like the EchoLeak vulnerability by allowing attackers to potentially manipulate AI agents into executing malicious commands across their MCP connections. As MCP servers aggregate access across previously isolated data silos, the principle of least privilege becomes more critical than ever. Organizations must now address this convergence of risks where infrastructure designed to enhance AI capabilities could become their weakest security link.</p><p>As seen in previous technology waves, when there is a rush to adoption, security is often an afterthought. New AI tools are not immune to the same risks that have plagued us for decades. Case in point, look at the <a href="https://www.csoonline.com/article/4009373/asanas-mcp-ai-connector-could-have-exposed-corporate-data-csos-warned.html">recent Asana MCP bug</a> or the <a href="https://thehackernews.com/2025/07/critical-mcp-remote-vulnerability.html">critical severity vuln that allowed for Remote Code Execution (RCE) in mcp-remote</a>, a popular MCP tool downloaded over 400K times. 
The risks don&#8217;t stop there.</p><p>While there hasn&#8217;t been a public incident where an MCP server compromise was the cause, the vulnerabilities and risks are certainly there, so it may only be a matter of time.</p><div><hr></div><h4><strong>GenAI Data Leaks</strong></h4><p>GenAI has exploded across enterprises, with <strong><a href="https://www.netskope.com/netskope-threat-labs/cloud-threat-report/july-2024-ai-apps-in-the-enterprise#:~:text=,of%20all%20data%20policy">96% of organizations</a></strong> now actively using these apps&#8212;three times more than just a year ago. But there&#8217;s a downside: nearly half (<strong>46%</strong>) of recent data loss incidents involved proprietary code mistakenly shared via AI prompts. Samsung experienced this firsthand when engineers accidentally leaked confidential source code to ChatGPT, leading to a full suspension of all ChatGPT use until they figured out how to secure it.</p><p>Such incidents highlight that well-intentioned employees can easily expose sensitive data by pasting it into AI prompts, effectively creating an <strong>unsanctioned data pipeline</strong> out of the business.</p><div><hr></div><h4><strong>Shadow AI</strong></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!JVb4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F117146ea-b580-4625-8be2-02ab81dfaa02_807x418.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!JVb4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F117146ea-b580-4625-8be2-02ab81dfaa02_807x418.png 424w, 
https://substackcdn.com/image/fetch/$s_!JVb4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F117146ea-b580-4625-8be2-02ab81dfaa02_807x418.png 848w, https://substackcdn.com/image/fetch/$s_!JVb4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F117146ea-b580-4625-8be2-02ab81dfaa02_807x418.png 1272w, https://substackcdn.com/image/fetch/$s_!JVb4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F117146ea-b580-4625-8be2-02ab81dfaa02_807x418.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!JVb4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F117146ea-b580-4625-8be2-02ab81dfaa02_807x418.png" width="807" height="418" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/117146ea-b580-4625-8be2-02ab81dfaa02_807x418.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:418,&quot;width&quot;:807,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!JVb4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F117146ea-b580-4625-8be2-02ab81dfaa02_807x418.png 424w, 
https://substackcdn.com/image/fetch/$s_!JVb4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F117146ea-b580-4625-8be2-02ab81dfaa02_807x418.png 848w, https://substackcdn.com/image/fetch/$s_!JVb4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F117146ea-b580-4625-8be2-02ab81dfaa02_807x418.png 1272w, https://substackcdn.com/image/fetch/$s_!JVb4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F117146ea-b580-4625-8be2-02ab81dfaa02_807x418.png 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">Image credit: <a href="https://142972.fs1.hubspotusercontent-na1.net/hubfs/142972/Files/reports/2025-varonis-state-of-data-security-report.pdf">Varonis&#8217; 2025 State of Data Security Report</a></figcaption></figure></div><p>Then there&#8217;s Shadow AI, AI tools that employees adopt without security&#8217;s approval. <strong><a href="https://142972.fs1.hubspotusercontent-na1.net/hubfs/142972/Files/reports/2025-varonis-state-of-data-security-report.pdf">98% of organizations</a></strong><a href="https://142972.fs1.hubspotusercontent-na1.net/hubfs/142972/Files/reports/2025-varonis-state-of-data-security-report.pdf"> have unapproved AI apps</a> lurking within their environments &#129327;. Often, these tools integrate directly into apps like Slack or email via OAuth or browser extensions, gaining deep access to sensitive information without anyone in security even noticing.</p><p>For instance, a seemingly innocent AI-powered email assistant could access calendars, customer data, or sensitive files. If not vetted by security, this tool could expose sensitive data in a number of ways. <strong>When users adopt apps that make their jobs easier/better, they will be extremely reluctant to give them up just because security says so. </strong>They will almost always try and find a way to circumvent whatever controls are in place.</p><p>In short, while the AI revolution has delivered immense value to businesses around the world, it&#8217;s also opened up a can of worms on the data security front.</p><div><hr></div><h4><strong>3rd Party AI Supply Chain Risks</strong></h4><p><a href="https://medium.com/@limbagoa/securing-the-ai-supply-chain-051f8d43c5c4">The third-party AI supply chain</a> introduces another layer of complexity and builds on our Shadow AI + GenAI Data Leak sections. 
Many enterprise AI apps are essentially wrappers around foundational models like GPT, Claude or even DeepSeek in some instances. The key here is that some vendors, especially startups, are not always transparent about it.</p><p>This creates hard-to-track data patterns where sensitive data might be processed, cached, or stored across multiple vendors without clear visibility. When an employee connects an AI writing assistant to your email, that tool might be sending your data through nested API calls to various AI providers, each with their own retention policies and security practices (or lack thereof). You lose the chain of custody for your data, which could be exposed through a vulnerability in any link of this AI supply chain. Even the most mature security teams have trouble keeping up with this, which is why an AI governance plan + proper tooling are crucial, especially in heavily regulated industries.</p><div><hr></div><h2><strong>Traditional Threats Haven't Disappeared</strong></h2><h4><strong>Sensitive Data is Everywhere</strong></h4><p>In 2025, sensitive data lives everywhere: on-prem file shares, cloud platforms, productivity tools, employee devices, and even shadow AI applications. It's become incredibly easy to deploy new resources across multi-cloud and hybrid environments, often using just a few lines of code. This ease significantly complicates visibility and governance. App-to-app and AI-to-AI integrations only make matters worse by exponentially expanding the potential attack surface and letting sensitive data move freely.</p><div><hr></div><h4><strong>Insider Threats</strong></h4><p>Malicious insiders, careless users, and compromised accounts all fall under this category. Insiders often already have broad access, so if their account goes rogue or if they upload sensitive data to a shady AI app, it can eventually constitute a data breach. 
We&#8217;ll discuss how to combat this in the following sections.</p><div><hr></div><h4><strong>Ransomware and Supply Chain Attacks</strong></h4><p>Ransomware attacks can cripple operations and expose a company&#8217;s sensitive data. Take the <a href="https://energycommerce.house.gov/posts/what-we-learned-change-healthcare-cyber-attack">Change Healthcare breach</a>, for example: it devastated medical supply chains across the US, leading to some medical practices temporarily shutting down and people not being able to receive their medication from pharmacies.</p><p>Just as ransomware can impact physical supply chains, it can come by way of your digital supply chain. Your data doesn't only live in systems you directly control. Partners, vendors, contractors, and SaaS providers often store or can access your sensitive information. A breach in your supply chain can be as devastating as one in-house. Recent years have shown us numerous examples of attackers exploiting weaker links (i.e., a supplier, an IT service provider, a cloud tool) to get to the ultimate target.</p><div><hr></div><h2><strong>The Evolving Regulatory Landscape</strong></h2><p>New regulations are pushing companies to prioritize security with increasing urgency. 
Here's what's driving compliance requirements today:</p><h4><strong>Global Privacy Laws</strong></h4><ul><li><p>GDPR enforcement has escalated (<a href="https://www.exabeam.com/explainers/gdpr-compliance/gdpr-fines-structure-and-the-biggest-gdpr-fines-to-date/#:~:text=data%20for%20advertising%20purposes">Meta's &#8364;1.2B fine in 2023</a>)</p></li><li><p>Similar laws spreading globally mean stringent data protection is required almost everywhere</p></li></ul><h4><strong>Industry-Specific Frameworks</strong></h4><ul><li><p>PCI DSS 4.0 and HITRUST now emphasize continuous compliance over periodic checks</p></li><li><p>Healthcare and finance face the strictest requirements with severe penalties</p></li></ul><h4><strong>AI and Disclosure Requirements</strong></h4><ul><li><p><a href="https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai">EU AI Act (fully enforceable 2026)</a> classifies AI systems by risk level</p></li><li><p><a href="https://www.sec.gov/newsroom/speeches-statements/gerding-cybersecurity-disclosure-20231214">SEC mandates 4-day cyber incident disclosure </a>for public companies</p></li><li><p>Board-level accountability is now standard</p></li></ul><h4><strong>U.S. State Laws</strong></h4><ul><li><p><a href="https://oag.ca.gov/privacy/ccpa">California's CPRA</a> and similar state laws require "reasonable security" measures</p></li><li><p>Focus on encryption and breach impact mitigation</p></li></ul><div><hr></div><h2><strong>The Shift to Data-Centric Security and Unified Platform Approaches</strong></h2><p><strong>Traditional perimeter-based security fails when sensitive data spans multiple cloud platforms, SaaS applications, AI apps, and on-prem environments.</strong> Data-centric security is an approach that shifts focus from securing access points to protecting the data itself, wherever it resides. This requires answering critical questions that most organizations struggle with:</p><ol><li><p>Where is our sensitive data located? 
What are our crown jewel data stores?</p></li><li><p>Who has access, and is that access right-sized?</p></li><li><p>How is data classified and encrypted?</p></li><li><p>How do we know when certain data usage or activity is anomalous or risky?</p></li></ol><p>DSPM tools have become table stakes because they continuously discover, classify, and monitor sensitive data exposures across your entire environment. While DLP capabilities are still key, DLP as a standalone product simply generates too much noise. The broader challenge here is trying to address AI agents, MCP vulnerabilities, shadow AI, insider threats, and compliance requirements with disconnected tools. Without visibility and correlation across the activity taking place with your critical identities, environments, and crown jewel data stores, you&#8217;re pretty much flying blind.</p><p><strong>Modern data security requires a platform approach</strong> that provides unified visibility across identity, data access, AI usage, and user behavior. You need detection that understands context and automated response + prevention that acts at AI speed. Without integrated coverage across IAM, AI security, cloud + on-prem, UEBA, and detection &amp; response, organizations are often left with blind spots.</p><p><strong>The difference between data security and any other domain is that data security must be horizontal by nature, spanning across identity, cloud, endpoints, and applications rather than living in any single domain. </strong>It&#8217;s clear that as data security becomes more complex, point solutions will have trouble keeping up.</p><p>In this next section, we'll dive deeper into how Varonis addresses these challenges through their unified platform approach and why they're uniquely positioned as a leader in the AI era.</p><div><hr></div><h2><strong>Why Varonis?</strong></h2><p>I don't partner with vendors lightly, especially for reports of this gravity. 
I decided to collaborate with Varonis on this report because after monitoring the data security space for years, they consistently stood out, not only for their product innovation velocity, but also for how they stay ahead of emerging threats while solving real problems security teams face today. Their research team is also continuously finding vulns in critical enterprise apps like the <a href="https://www.varonis.com/blog/counter-strike-servicenow">recent data inference vuln in ServiceNow</a>.</p><div class="pullquote"><p><em><strong>Disclaimer</strong></em></p><p>This isn't a sales pitch or a recommendation to buy Varonis. However, to me, they exemplify what the right approach to data security should look like in 2025 and beyond. Whether you choose Varonis or another solution, the principles and capabilities outlined here represent the baseline for data security strategies in the AI era.</p></div><p>Varonis has been doing data security for <strong>over 20 years</strong>, long before it was trendy. They're the established market leaders with the <a href="https://www.varonis.com/customer-stories">customer base</a> (i.e., <a href="https://www.varonis.com/customer-stories">NASA, Lowe&#8217;s, and Stryker</a>) and industry recognition to prove it. But <strong>unlike many legacy vendors, they haven't gotten complacent</strong>. Instead, they've doubled down on their original vision to account for AI and emerging threats while maintaining their core strength in data security. 
<strong>This collaboration made sense because Varonis has been building the future of data security for decades.</strong> After spending years helping Fortune 500 organizations navigate similar challenges, I wanted to work with the vendor that's at the forefront of data security.</p><div><hr></div><h2><strong>Inside Varonis: A Leader's Approach to Data Security</strong></h2><h4><strong>The Foundation: Understanding Data Relationships at Scale</strong></h4><p>At the core, <a href="https://www.varonis.com/blog/varonis-in-the-cloud">Varonis built their platform</a> around a simple but powerful idea: you need to inventory and understand the relationships between users, permissions, and data before you can protect anything. <a href="https://www.varonis.com/data-security-platform">Their unified data security platform</a> takes a holistic approach to data security, combining the capabilities needed to stop data breaches and ensure compliance &#8212; all with minimal effort from you.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!INCT!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdce6e61f-1bc9-442b-8b0c-c33bded0cec6_1600x739.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!INCT!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdce6e61f-1bc9-442b-8b0c-c33bded0cec6_1600x739.png 424w, https://substackcdn.com/image/fetch/$s_!INCT!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdce6e61f-1bc9-442b-8b0c-c33bded0cec6_1600x739.png 848w, 
https://substackcdn.com/image/fetch/$s_!INCT!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdce6e61f-1bc9-442b-8b0c-c33bded0cec6_1600x739.png 1272w, https://substackcdn.com/image/fetch/$s_!INCT!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdce6e61f-1bc9-442b-8b0c-c33bded0cec6_1600x739.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!INCT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdce6e61f-1bc9-442b-8b0c-c33bded0cec6_1600x739.png" width="1456" height="672" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/dce6e61f-1bc9-442b-8b0c-c33bded0cec6_1600x739.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:672,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!INCT!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdce6e61f-1bc9-442b-8b0c-c33bded0cec6_1600x739.png 424w, https://substackcdn.com/image/fetch/$s_!INCT!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdce6e61f-1bc9-442b-8b0c-c33bded0cec6_1600x739.png 848w, 
https://substackcdn.com/image/fetch/$s_!INCT!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdce6e61f-1bc9-442b-8b0c-c33bded0cec6_1600x739.png 1272w, https://substackcdn.com/image/fetch/$s_!INCT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdce6e61f-1bc9-442b-8b0c-c33bded0cec6_1600x739.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>What this means in practice is that the platform knows where sensitive data is stored, on what assets, the asset&#8217;s 
configuration, who can access what, how they got that access, and whether they're actually using it. Taking this approach, they&#8217;re able to provide a holistic view across on-prem file shares, cloud storage, databases, email, collaboration platforms, and now AI tools. Everything is connected in one view.</p><p>Since many breaches result from attackers leveraging existing accounts and permissions or from misconfigured data stores, having a real-time view of the nuances of your data is critically important.</p><div><hr></div><h3><strong>AI-Powered Classification Built on Two Decades of Experience</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!dsN_!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a6cd3e3-6625-457e-bea4-25408dd9d5c9_924x504.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!dsN_!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a6cd3e3-6625-457e-bea4-25408dd9d5c9_924x504.png 424w, https://substackcdn.com/image/fetch/$s_!dsN_!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a6cd3e3-6625-457e-bea4-25408dd9d5c9_924x504.png 848w, https://substackcdn.com/image/fetch/$s_!dsN_!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a6cd3e3-6625-457e-bea4-25408dd9d5c9_924x504.png 1272w, https://substackcdn.com/image/fetch/$s_!dsN_!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a6cd3e3-6625-457e-bea4-25408dd9d5c9_924x504.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!dsN_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a6cd3e3-6625-457e-bea4-25408dd9d5c9_924x504.png" width="924" height="504" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7a6cd3e3-6625-457e-bea4-25408dd9d5c9_924x504.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:504,&quot;width&quot;:924,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!dsN_!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a6cd3e3-6625-457e-bea4-25408dd9d5c9_924x504.png 424w, https://substackcdn.com/image/fetch/$s_!dsN_!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a6cd3e3-6625-457e-bea4-25408dd9d5c9_924x504.png 848w, https://substackcdn.com/image/fetch/$s_!dsN_!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a6cd3e3-6625-457e-bea4-25408dd9d5c9_924x504.png 1272w, https://substackcdn.com/image/fetch/$s_!dsN_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a6cd3e3-6625-457e-bea4-25408dd9d5c9_924x504.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container 
restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Varonis has been doing data classification since before it was cool &#8212; over 20 years now. While most vendors still use basic <a href="https://en.wikipedia.org/wiki/Regular_expression#:~:text=A%20regular%20expression%20(shortened%20as,strings%2C%20or%20for%20input%20validation.">RegEx</a> patterns to find credit cards and SSNs, 
Varonis leverages proprietary AI/ML approaches (not just GPT wrappers) to bring world-class data classification to its customers.</p><p><strong>Their three-tier classification engine combines:</strong></p><ul><li><p>Traditional ML for known patterns (leveraging 20+ years of refinement)</p></li><li><p>LLMs (GPT-4 models via Azure) for contextual understanding</p></li><li><p>Compliance rules for regulatory requirements</p></li><li><p>Incremental scanning (only processing what's changed)</p></li></ul><p>This approach ensures that it knows the difference between an SSN in an HR document versus a sample one being used in a dev environment for testing. Same pattern, completely different risk profile. This contextual understanding reduces false positives and helps teams with prioritization and remediation.</p><p><a href="https://www.varonis.com/blog/ai-data-classification">Their "Three Cs" approach</a> is crucial to securing the full data lifecycle: <strong>Complete</strong> scans with no blind spots, <strong>Contextual</strong> understanding of data exposure and threats, and <strong>Current</strong> real-time visibility. Beyond basic pattern matching, it performs sentiment analysis, proximity matching (multiple indicators = higher confidence), and even <a href="https://aws.amazon.com/what-is/ocr/">OCR</a> for images.</p><p>Another thing I appreciate is <a href="https://www.varonis.com/trust/responsible-ai">their commitment to privacy and transparency when it comes to AI use</a>. They don't train ML models on customer data, only public and licensed datasets. 
Plus, the explainable AI provides actual reasoning when someone asks why data was flagged as sensitive, not just a black box decision.</p><div><hr></div><h3><strong>The World&#8217;s First Agentic MDDR</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Fgol!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b677af0-eb51-4a87-a416-5458a450654a_1600x886.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Fgol!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b677af0-eb51-4a87-a416-5458a450654a_1600x886.png 424w, https://substackcdn.com/image/fetch/$s_!Fgol!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b677af0-eb51-4a87-a416-5458a450654a_1600x886.png 848w, https://substackcdn.com/image/fetch/$s_!Fgol!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b677af0-eb51-4a87-a416-5458a450654a_1600x886.png 1272w, https://substackcdn.com/image/fetch/$s_!Fgol!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b677af0-eb51-4a87-a416-5458a450654a_1600x886.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Fgol!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b677af0-eb51-4a87-a416-5458a450654a_1600x886.png" width="1456" height="806" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2b677af0-eb51-4a87-a416-5458a450654a_1600x886.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:806,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Fgol!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b677af0-eb51-4a87-a416-5458a450654a_1600x886.png 424w, https://substackcdn.com/image/fetch/$s_!Fgol!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b677af0-eb51-4a87-a416-5458a450654a_1600x886.png 848w, https://substackcdn.com/image/fetch/$s_!Fgol!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b677af0-eb51-4a87-a416-5458a450654a_1600x886.png 1272w, https://substackcdn.com/image/fetch/$s_!Fgol!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b677af0-eb51-4a87-a416-5458a450654a_1600x886.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path 
d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><a href="https://www.varonis.com/blog/threat-detection-with-agentic-ai">Varonis built the first MDDR service that uses AI agents to investigate threats</a> before human analysts see them. Traditional vendors stop at alerting, but Varonis combines AI-powered investigation with human expertise.</p><p>How it works:</p><ul><li><p>Anomalous activity triggers AI investigation</p></li><li><p>AI agents correlate user behavior, peer groups, access patterns, and device info for full context</p></li><li><p>Only escalates to human analysts when it's a true threat</p></li></ul><p><strong>SLAs + Response times:</strong> 30 minutes for ransomware, 120 for everything else.</p><p>Having the vendor provide MDDR solves the expertise gap. Most orgs can't hire and retain data security experts who understand these platforms deeply. With Varonis MDDR, you get analysts who live and breathe this stuff, backed by AI that's learning from thousands of deployments. 
<strong>Nobody else in data security offers this combination.</strong></p><div><hr></div><h3><strong>UEBA Built Specifically for Data Threats</strong></h3><p>Most UEBA tools watch endpoints, cloud, and user activity. <a href="https://www.varonis.com/platform/data-centric-ueba">Varonis built theirs from the ground up specifically for data security</a>. The platform creates <strong>behavioral baselines</strong> for every user and device, learning what's normal across your entire data estate. It uses hundreds of ML threat models trained on anonymized data from their full customer base, not just your environment.</p><p><strong>Detection coverage spans the full attack chain:</strong></p><ul><li><p><strong>Data-layer threats: </strong>Unusual access patterns, permission changes, mass deletion/encryption</p></li><li><p><strong>Identity threats:</strong> Privilege escalation, geo-hopping, impossible travel</p></li><li><p><strong>Advanced TTPs: </strong>Data staging, exfiltration attempts, lateral movement (MITRE ATT&amp;CK)</p></li><li><p><strong>Endpoint visibility:</strong> Via Microsoft Defender and SentinelOne integrations</p></li><li><p><strong>Full-stack coverage:</strong> Data, identity, network, cloud apps - all in one view</p></li></ul><p>This data-centric UEBA helps Varonis catch what others miss. While traditional tools alert on suspicious network connections or an atypical login location, <a href="https://www.varonis.com/solutions/insider-risk-management">Varonis alerts when that same user suddenly accesses sensitive data they've never touched before</a>.</p><p>The system enriches every alert with full context &#8212; who did what, to which data, how sensitive it was, and whether this behavior matches known attack patterns. 
This is another massive value add for security leaders and differentiator from other solutions.</p><div><hr></div><h3><strong>Modern-Day Database Monitoring</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Wt0h!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fadf91eaf-81c0-4ae8-91a1-85986e1de5a7_1120x889.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Wt0h!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fadf91eaf-81c0-4ae8-91a1-85986e1de5a7_1120x889.png 424w, https://substackcdn.com/image/fetch/$s_!Wt0h!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fadf91eaf-81c0-4ae8-91a1-85986e1de5a7_1120x889.png 848w, https://substackcdn.com/image/fetch/$s_!Wt0h!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fadf91eaf-81c0-4ae8-91a1-85986e1de5a7_1120x889.png 1272w, https://substackcdn.com/image/fetch/$s_!Wt0h!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fadf91eaf-81c0-4ae8-91a1-85986e1de5a7_1120x889.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Wt0h!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fadf91eaf-81c0-4ae8-91a1-85986e1de5a7_1120x889.png" width="598" height="474.6625" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/adf91eaf-81c0-4ae8-91a1-85986e1de5a7_1120x889.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:889,&quot;width&quot;:1120,&quot;resizeWidth&quot;:598,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Identity protection access illustration&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Identity protection access illustration" title="Identity protection access illustration" srcset="https://substackcdn.com/image/fetch/$s_!Wt0h!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fadf91eaf-81c0-4ae8-91a1-85986e1de5a7_1120x889.png 424w, https://substackcdn.com/image/fetch/$s_!Wt0h!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fadf91eaf-81c0-4ae8-91a1-85986e1de5a7_1120x889.png 848w, https://substackcdn.com/image/fetch/$s_!Wt0h!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fadf91eaf-81c0-4ae8-91a1-85986e1de5a7_1120x889.png 1272w, https://substackcdn.com/image/fetch/$s_!Wt0h!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fadf91eaf-81c0-4ae8-91a1-85986e1de5a7_1120x889.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" 
stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The <a href="https://www.varonis.com/blog/varonis-to-acquire-cyral-database-activity-monitoring">2025 Cyral acquisition</a> transformed Varonis' database coverage. While traditional DAM requires agents, performance hits, and endless configuration, Varonis/Cyral deploys in an agentless fashion without touching your databases.</p><p><strong>Comprehensive coverage across every database type:</strong></p><ul><li><p><strong>Traditional:</strong> Oracle, SQL Server, MySQL, PostgreSQL</p></li><li><p><strong>Cloud-native: </strong>Aurora, DynamoDB, CosmosDB, BigQuery, Snowflake</p></li><li><p>Universal connector for future databases</p></li></ul><p>The architecture is elegantly simple: stateless proxies that see everything without impacting performance. 
It runs on the same Metadata Framework, so database activity connects to file access, identity events, and cloud behavior in one unified view.</p><p>The platform includes built-in compliance mapping (NIST, HIPAA, SOX, GDPR, PCI), and its <a href="https://www.varonis.com/coverage/databases">real-time ransomware detection</a> watches for database-specific indicators like disabling automatic backups, mass data exports, and snapshot deletions.</p><p>The key differentiator is that <a href="https://www.varonis.com/platform/database-activity-monitoring">the DAM capabilities</a> are integrated within their full platform.</p><div><hr></div><h3><strong>Automated Remediation That Won't Break Production</strong></h3><p>Automated remediation has been a controversial topic ever since I started in security. The main concern I always hear is that humans/machines/automation often make mistakes, and those mistakes could lead to downtime of key systems and business disruption.</p><p>Think of an automated flow taking down the payment system&#8217;s production Kubernetes cluster because it closed a critical port without the context of a compensating control. That would suck, wouldn&#8217;t it? Scenarios like this are a key reason why our industry has been hesitant to adopt automated remediation. In the most critical cases, having a human in the loop to make the decision is non-negotiable.</p><p>However, the world is moving toward an automated future and there are smart people with massive R&amp;D budgets working on making automated remediation a reality with minimal friction.</p><p>Varonis is achieving this today in real-world environments across multiple domains to secure sensitive data. 
The key is the simulation, rollback, and multi-engine capabilities:</p><p><strong>Multi-Engine Architecture:</strong></p><ul><li><p><strong>File systems:</strong> Multi-threaded distributed commit engine</p></li><li><p><strong>Cloud: </strong>Policy automation for SaaS/IaaS configurations</p></li><li><p>Intelligent decision-making about actual access needs</p></li><li><p>Automatic rollback if something breaks</p></li></ul><p><strong>Access cleanup:</strong> <a href="https://www.varonis.com/solutions/policy-automation">Removes global access groups ("Everyone"), stale users</a>, <a href="https://www.varonis.com/blog/automating-permissions-cleanup">excessive permissions</a>, dead collaboration links, and risky third-party apps. The ML-powered recommendations mean you're not guessing what's safe to remove.</p><p><strong>Data protection:</strong> <a href="https://www.varonis.com/blog/data-masking">Real-time masking for Redshift, BigQuery, and Snowflake</a> that's role-aware and classification-driven. Automatic labeling through Microsoft Purview integration ensures consistency across platforms.</p><p>What makes this different is the intelligence behind it. The system understands who actually needs access based on usage patterns, business context, dependencies between systems, and when to roll back versus push through.</p><p>Their approach enables continuous reduction of attack surface without business disruption. Simulation lets you preview impact before committing changes. 
The distributed architecture means you can remediate at scale.</p><p>Huge kudos to Varonis for being one of the only vendors deeply investing in and actually realizing automated remediation.</p><div><hr></div><h3><strong>Securing AI Agents</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!No6_!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F947523c1-3f3d-4e27-89fa-6115d67190a1_1096x671.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!No6_!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F947523c1-3f3d-4e27-89fa-6115d67190a1_1096x671.png 424w, https://substackcdn.com/image/fetch/$s_!No6_!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F947523c1-3f3d-4e27-89fa-6115d67190a1_1096x671.png 848w, https://substackcdn.com/image/fetch/$s_!No6_!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F947523c1-3f3d-4e27-89fa-6115d67190a1_1096x671.png 1272w, https://substackcdn.com/image/fetch/$s_!No6_!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F947523c1-3f3d-4e27-89fa-6115d67190a1_1096x671.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!No6_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F947523c1-3f3d-4e27-89fa-6115d67190a1_1096x671.png" width="1096" height="671" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/947523c1-3f3d-4e27-89fa-6115d67190a1_1096x671.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:671,&quot;width&quot;:1096,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!No6_!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F947523c1-3f3d-4e27-89fa-6115d67190a1_1096x671.png 424w, https://substackcdn.com/image/fetch/$s_!No6_!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F947523c1-3f3d-4e27-89fa-6115d67190a1_1096x671.png 848w, https://substackcdn.com/image/fetch/$s_!No6_!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F947523c1-3f3d-4e27-89fa-6115d67190a1_1096x671.png 1272w, https://substackcdn.com/image/fetch/$s_!No6_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F947523c1-3f3d-4e27-89fa-6115d67190a1_1096x671.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path 
d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>When deployed without security oversight, AI agents are essentially superusers with API access to everything. While everyone's rushing to deploy Copilot, ChatGPT Enterprise, and Salesforce Agentforce, most haven't figured out the security implications. 
Varonis has been at the forefront of handling this challenge every step along the way.</p><p><strong>Below is how they handle security for some of the most popular AI agents:</strong></p><p><strong>For<a href="https://www.varonis.com/coverage/salesforce-agentforce"> Salesforce Agentforce</a>:</strong></p><ul><li><p>Real-time visibility into how agents access, create, and edit Salesforce data</p></li><li><p>Automatic flagging when sensitive data gets exported</p></li><li><p>Policy enforcement that prevents data leakage before it happens</p></li></ul><p><strong>For<a href="https://www.varonis.com/blog/chatgpt-enterprise"> ChatGPT Enterprise</a>:</strong></p><ul><li><p>Parses every prompt and response for sensitive data</p></li><li><p>Catches users pasting PII into prompts</p></li><li><p>Comprehensive audit logs for compliance</p></li><li><p>Automatic access revocation when risk thresholds are exceeded</p></li></ul><p><strong>For<a href="https://www.varonis.com/coverage/microsoft-365-copilot"> Microsoft 365 Copilot</a>:</strong></p><ul><li><p>Dashboard showing exactly what sensitive data Copilot can access</p></li><li><p>Automatic lockdown of over-permissive folders</p></li><li><p>Prompt-level auditing with<a href="https://www.varonis.com/blog/nist-csf-microsoft-365-copilot"> NIST CSF 2.0 alignment</a></p></li><li><p>Full integration with SharePoint, OneDrive, and Teams security</p></li></ul><p>This coverage is integrated with Varonis' existing classification, UEBA, and remediation engines. When Copilot accesses sensitive data it shouldn't see, the platform knows immediately because it already classified that data and baselined normal behavior.</p><p>AI agents need the same security controls as human users, plus additional monitoring and governance for their unique risks. 
Varonis delivers both, which is why I&#8217;d say they&#8217;re even ahead of most pure play AI security vendors.</p><div><hr></div><h3><strong>Identity Protection &#8211; Uniting Identity and Data Security</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!2Pff!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8851cd7b-f074-467c-be87-3aded223d1b1_688x530.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!2Pff!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8851cd7b-f074-467c-be87-3aded223d1b1_688x530.png 424w, https://substackcdn.com/image/fetch/$s_!2Pff!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8851cd7b-f074-467c-be87-3aded223d1b1_688x530.png 848w, https://substackcdn.com/image/fetch/$s_!2Pff!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8851cd7b-f074-467c-be87-3aded223d1b1_688x530.png 1272w, https://substackcdn.com/image/fetch/$s_!2Pff!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8851cd7b-f074-467c-be87-3aded223d1b1_688x530.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!2Pff!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8851cd7b-f074-467c-be87-3aded223d1b1_688x530.png" width="688" height="530" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8851cd7b-f074-467c-be87-3aded223d1b1_688x530.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:530,&quot;width&quot;:688,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!2Pff!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8851cd7b-f074-467c-be87-3aded223d1b1_688x530.png 424w, https://substackcdn.com/image/fetch/$s_!2Pff!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8851cd7b-f074-467c-be87-3aded223d1b1_688x530.png 848w, https://substackcdn.com/image/fetch/$s_!2Pff!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8851cd7b-f074-467c-be87-3aded223d1b1_688x530.png 1272w, https://substackcdn.com/image/fetch/$s_!2Pff!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8851cd7b-f074-467c-be87-3aded223d1b1_688x530.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path 
d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Most orgs manage identity and data security separately, creating a significant blind spot. Identity tools verify logins but can't see data access patterns. Data security tools monitor file access but lack context about whether that access is normal for that user. Attackers exploit this gap by using valid credentials and moving laterally while appearing legitimate to separate identity and data security solutions.</p><p>Varonis&#8217; recent <a href="https://www.varonis.com/blog/varonis-identity-protection">Identity Protection launch</a> addresses this disconnect by unifying identity and data security in one platform. This gives security teams visibility into the identity layer, enabling them to correlate authentication activity with actual data access patterns.</p><p>Varonis is the first platform to fully integrate ITDR capabilities with data security, catching MFA bypasses, lateral movement, and suspicious logins while understanding what data is actually at risk. Traditional identity tools stop at "did they log in successfully?" 
Varonis asks, "What are they doing with that access?"</p><div><hr></div><h2><strong>The Path Forward</strong></h2><p>The data security landscape has <strong>fundamentally changed</strong>. Enterprises and consumers now leverage GenAI and agentic AI on a daily basis. While this accelerates innovation, it also introduces unprecedented security risk. Traditional security approaches that segment identity, cloud, data, endpoints, and AI into separate domains have never kept up, and certainly won't moving forward. Organizations need <strong>unified platforms</strong> that can correlate activity and anomalies across multiple domains and give teams governance capabilities simultaneously.</p><p>We're watching AI evolve at breakneck speed, from GenAI assistants to MCP-enabled agents, with quantum computing threats and opportunities landing in the next couple of years. The future of data security must be unified, automated, and <em>adaptive.</em></p><p>The winners in this new landscape will be those who recognize that <strong>data security isn't just another security domain</strong>. It's the foundation upon which all other security efforts must build. In a world where AI agents can access terabytes of data in milliseconds, where shadow AI proliferates faster than policies can be written, and where traditional perimeters have dissolved entirely, data-centric security is pretty much one of the final frontiers.</p><p>Organizations that are proactive in their data security programs in the AI era will thrive. AI is a massive enabler, and the last thing we want to do as an industry or as a security leader is to bottleneck that because we couldn&#8217;t keep up. 
The future of data security is unified.</p><div><hr></div><div class="pullquote"><p><strong>Disclaimer</strong></p><p>This report is for informational purposes only and does not constitute a recommendation to purchase Varonis or any vendor solution, nor should it be considered financial or investment advice. While Varonis serves as a case study for modern data security capabilities, organizations should conduct their own assessments to determine which solutions best meet their specific needs. 
</p></div>]]></content:encoded></item><item><title><![CDATA[Wiz’s $32B Sales Engine: From Founder-Led to Channel-Led Growth (Part II)]]></title><description><![CDATA[Inside Wiz&#8217;s transition to 100% channel sales, global blitzscaling, and how a top-down sales strategy helped them conquer the Fortune 100.]]></description><link>https://www.cybersecuritypulse.net/p/wizs-32b-sales-engine-from-founder</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/wizs-32b-sales-engine-from-founder</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Wed, 09 Apr 2025 11:31:50 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!tMXE!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc5573bc-b751-4b77-bad2-c53692d0b13d_2048x1366.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Welcome to <strong>The Cybersecurity Pulse (TCP)</strong>! I'm Darwin Salazar, Head of Growth and Marketing at <strong><a href="https://www.monad.com/">Monad</a></strong> and former Detection Engineer in big tech. Each week, I dig through all the major headlines to bring you the latest security product innovation and industry news. 
Subscribe below for weekly updates!</em> &#128231;</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cybersecuritypulse.net/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cybersecuritypulse.net/subscribe?"><span>Subscribe now</span></a></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!tMXE!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc5573bc-b751-4b77-bad2-c53692d0b13d_2048x1366.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!tMXE!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc5573bc-b751-4b77-bad2-c53692d0b13d_2048x1366.jpeg 424w, https://substackcdn.com/image/fetch/$s_!tMXE!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc5573bc-b751-4b77-bad2-c53692d0b13d_2048x1366.jpeg 848w, https://substackcdn.com/image/fetch/$s_!tMXE!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc5573bc-b751-4b77-bad2-c53692d0b13d_2048x1366.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!tMXE!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc5573bc-b751-4b77-bad2-c53692d0b13d_2048x1366.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!tMXE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc5573bc-b751-4b77-bad2-c53692d0b13d_2048x1366.jpeg" width="1456" height="971" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/cc5573bc-b751-4b77-bad2-c53692d0b13d_2048x1366.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:971,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Wiz auf X: &#8222;&#128680;BREAKING NEWS&#128680; Wiz just took over the NYSE trading floor!  &#127881;&#127882; Celebrating our $300M series D funding round at a $10B valuation,  we're honored to have this incredible opportunity.&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Wiz auf X: &#8222;&#128680;BREAKING NEWS&#128680; Wiz just took over the NYSE trading floor!  &#127881;&#127882; Celebrating our $300M series D funding round at a $10B valuation,  we're honored to have this incredible opportunity." title="Wiz auf X: &#8222;&#128680;BREAKING NEWS&#128680; Wiz just took over the NYSE trading floor!  &#127881;&#127882; Celebrating our $300M series D funding round at a $10B valuation,  we're honored to have this incredible opportunity." 
srcset="https://substackcdn.com/image/fetch/$s_!tMXE!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc5573bc-b751-4b77-bad2-c53692d0b13d_2048x1366.jpeg 424w, https://substackcdn.com/image/fetch/$s_!tMXE!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc5573bc-b751-4b77-bad2-c53692d0b13d_2048x1366.jpeg 848w, https://substackcdn.com/image/fetch/$s_!tMXE!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc5573bc-b751-4b77-bad2-c53692d0b13d_2048x1366.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!tMXE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcc5573bc-b751-4b77-bad2-c53692d0b13d_2048x1366.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" 
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>At the time of acquisition, <strong>Wiz was generating ~$17M in enterprise value every. single. day</strong><a href="https://www.onlycfo.io/p/32b-wiz-acquisition-very-rich-employees">.</a> $32B divided by 1825 days (5 years) equals $17.5M. Not too shabby. </p><p>In <a href="https://www.cybersecuritypulse.net/p/wizs-32b-gtm-playbook-unpacking-the">Part I of our blog series</a>, I covered Wiz&#8217;s journey to product-market fit (PMF) and how they designed a winning brand. Both were integral to the success that followed. Once they had PMF and their founders sold their first couple million in annual recurring revenue (ARR), they hit the gas pedal and invested heavily in their GTM motions.</p><p>In this post, I&#8217;ll be dissecting their approach to sales, channel, and alliances and attempt to provide practical takeaways other GTM teams can apply. Below are the areas I&#8217;ll cover:</p><ul><li><p>Sales org structure and key hires</p></li><li><p>Top-down sales strategy</p></li><li><p>Channel: Cloud marketplaces, resellers, alliances</p></li><li><p>Regional and international expansion</p></li></ul><p><strong>Note:</strong> I&#8217;m taking a black box approach and mostly leveraging public sources like leadership interviews, press, and case studies to dissect Wiz&#8217;s approach at each stage of its journey.</p><div><hr></div><h2>Tl;dr </h2><p>There&#8217;s an immense amount of value and important context throughout the post, so I encourage you to read till the end. 
However, if you&#8217;re in a time crunch, here are the biggest takeaways for founders and GTM operators: </p><ul><li><p><strong>Start with Founder-Led Sales until $1-3M in ARR </strong></p></li><li><p><strong>Once you have PMF, hire world-class revenue leaders early</strong></p></li><li><p><strong>Grow ahead of demand, not behind it.</strong></p></li><li><p><strong>Build a layered channel &amp; partner strategy (Resellers, MSSPs, Tech alliances, etc.)</strong></p></li><li><p><strong>Go top-down from day one. Go for massive deals vs. SMB </strong>(if you have the choice)</p></li><li><p><strong>Continuously iterate on Time-to-Value (TTV).</strong></p></li><li><p><strong>Align with how customers want to buy. Be flexible on timelines + transaction methods.</strong></p></li><li><p><strong>Treat cloud marketplaces as strategic channels. Nurture and invest. </strong></p><ul><li><p>Off topic, but on topic: <a href="https://www.channelfutures.com/security/crowdstrike-hits-1-billion-mark-aws-marketplace">CrowdStrike sold $1 billion in revenue on AWS Marketplace in 2024</a> &#129327;</p></li></ul></li><li><p><strong>Ask questions, sit back. Listen more than you speak during customer conversations.</strong></p></li></ul><div class="pullquote"><p><strong>Fall in love with your security logs again. 
Detect &amp; respond like a boss.</strong></p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!03Jd!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F129437fb-8337-4421-a4e4-4f1e466859af_628x185.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!03Jd!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F129437fb-8337-4421-a4e4-4f1e466859af_628x185.png 424w, https://substackcdn.com/image/fetch/$s_!03Jd!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F129437fb-8337-4421-a4e4-4f1e466859af_628x185.png 848w, https://substackcdn.com/image/fetch/$s_!03Jd!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F129437fb-8337-4421-a4e4-4f1e466859af_628x185.png 1272w, https://substackcdn.com/image/fetch/$s_!03Jd!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F129437fb-8337-4421-a4e4-4f1e466859af_628x185.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!03Jd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F129437fb-8337-4421-a4e4-4f1e466859af_628x185.png" width="352" height="103.69426751592357" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/129437fb-8337-4421-a4e4-4f1e466859af_628x185.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:185,&quot;width&quot;:628,&quot;resizeWidth&quot;:352,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!03Jd!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F129437fb-8337-4421-a4e4-4f1e466859af_628x185.png 424w, https://substackcdn.com/image/fetch/$s_!03Jd!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F129437fb-8337-4421-a4e4-4f1e466859af_628x185.png 848w, https://substackcdn.com/image/fetch/$s_!03Jd!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F129437fb-8337-4421-a4e4-4f1e466859af_628x185.png 1272w, https://substackcdn.com/image/fetch/$s_!03Jd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F129437fb-8337-4421-a4e4-4f1e466859af_628x185.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>Here's the hard truth: traditional SIEM and logging tools are struggling under today's massive log volumes, with costs quickly escalating to six or seven figures per year. That's why teams are searching for better alternatives. 
But there's a catch: these alternatives often require significant data engineering work to maintain.</p><p>That's where Scanner.dev comes in - Our platform transforms how you SIEM. Just load your raw log data into S3 buckets, and let our schemaless indexing engine take care of the rest. With Scanner.dev, querying is a breeze thanks to our free text search, which processes data at blazing speeds up to 10TB/sec &#129327;. Plus, you have the flexibility to use our default detection rules or customize your own and sync them from GitHub.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://scanner.dev/?&amp;utm_source=cybesecurity_pulse&amp;utm_medium=newsletters&quot;,&quot;text&quot;:&quot;&#128073; Check out their playground here&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://scanner.dev/?&amp;utm_source=cybesecurity_pulse&amp;utm_medium=newsletters"><span>&#128073; Check out their playground here</span></a></p></div><h2><strong>Sales Org Structure and Talent</strong></h2><p>Wiz leaned heavily on founder-led sales in the early stages. Once they discovered how to position and sell the product to their core ICPs (cloud+infra security, CISOs), they then had a repeatable sales motion of sorts which laid the groundwork for seasoned sales leaders to build upon.</p><p>People are more likely to buy from people they like and trust. This is <em>especially</em> true in cybersecurity. 
So the <strong>first few sales hires are crucial</strong> for establishing and scaling a winning team and culture.</p><h3><strong>Bringing in a World-Class Sales Leader</strong></h3><div id="youtube2-yDS8xKlAeXw" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;yDS8xKlAeXw&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/yDS8xKlAeXw?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><p>With early traction on tap, Wiz poured gasoline on the fire by hiring <a href="https://www.linkedin.com/in/colin-jones-972a2311/">Colin Jones</a>, a world-class revenue leader who previously spent 6 years at <a href="https://duo.com/">Duo</a>. Colin joined as CRO in February 2021, just three months after Wiz came out of stealth with $100M in funding, tasked with driving growth from $0 to $100M ARR. In this podcast interview with SaaStr CRO Confidential, Colin discusses the early days of scaling Wiz&#8217;s sales org. Here are my key takeaways:</p><ul><li><p><strong>Playbooks are prisons:</strong> Instead of leveraging his playbook from Duo, Colin onboarded by going on a <strong>&#8220;listening tour&#8221; </strong>by joining as many customer calls as possible to get acclimated with Wiz&#8217;s value proposition. He encouraged new hires to do the same.</p></li><li><p><strong>Customer-driven GTM shifts:</strong> In 2023, Wiz went from a hybrid direct/channel model to <strong>100% channel</strong> since this is what customers were demanding at the time.</p></li><li><p><strong>On scaling: </strong>Wiz was hiring GTM based on forecasted growth numbers. They erred on the side of over-hiring to meet demand. 
In other words, they &#8216;<a href="https://hbr.org/2016/04/blitzscaling">Blitzscaled</a>&#8217;.</p></li><li><p><strong>Listen first:</strong> Always listen first. Ask questions more than you speak.</p></li><li><p><strong>Network and trust: In security, your network and trust is earned over an extended period of time. Cybersecurity is not a transactional field. It&#8217;s a trust-based one.</strong></p></li><li><p><strong>Leveraging network for critical hires:</strong> Colin was introduced to Wiz CEO, Assaf Rappaport, by the investor network at Index Ventures and Sequoia Capital.</p></li><li><p><strong>A players attract A players:</strong> Demand outpaced time and resources. Wiz had to build product, sell, and scale talent simultaneously. Colin was critical in recruiting more sales leaders.</p></li><li><p>&#8220;The only way to figure out how great you can be is to fall short of it.&#8221; &#128293;</p></li></ul><p>Great interview that&#8217;s worth a full listen. Skip to minute 5 + listen on 1.5x speed to save precious time.</p><p><strong>Note:</strong> Colin is no longer at Wiz. He&#8217;s recently joined <a href="https://sublime.security/">Sublime Security</a>, an email security startup taking the world by storm.</p><div><hr></div><h3><strong>Blitzscaling the Sales Org</strong></h3><p>Aside from bringing in a notable CRO, they <a href="https://www.reuters.com/technology/security-startup-wiz-adds-former-zscaler-coo-plans-hiring-spree-2024-02-05/#:~:text=Founded%20in%20Israel%20and%20now,responses%20powered%20by%20artificial%20intelligence">brought in former Zscaler executives like Dali Rajic,</a> who joined as Wiz&#8217;s first President/COO in 2024. By early last year, Wiz&#8217;s global workforce had reached approximately 900 employees, with an additional 400 planned hires, largely focused on sales and go-to-market roles. 
The sales org structure evolved into regional teams covering Americas, EMEA, and APAC, headed by experienced VPs.<br><br>After hiring Dali, Wiz <a href="https://www.crn.com/news/security/2024/wiz-aims-for-huge-channel-push-with-exec-hires-partner-recruitment#:~:text=company%20last%20week%20hired%20Tom,channels%20at%20cybersecurity%20giant%20Zscaler">brought on two more notable former Zscaler sales folks</a> including their former Americas sales SVP, Mike Earnest, as VP of Worldwide Sales and Tom Henderson as new VP of Channels &amp; Alliances who was brought in to formalize partner strategy. By scaling up talent and leadership quickly, Wiz ensured it had the bandwidth to engage Fortune 100 customers globally and not lose deals due to capacity.</p><div><hr></div><h3><strong>Talent + Culture Impact</strong></h3><p>Wiz&#8217;s sales momentum became a virtuous cycle, attracting top talent and new customers alike. Prospective employees were drawn to Wiz&#8217;s evident market leadership and potential for substantial rewards, making recruitment easier and reinforcing growth.</p><p>From the outside looking in, Wiz&#8217;s incentive structures were probably aligned with its GTM goals, offering competitive compensation, equity incentives, and clear alignment to encourage enterprise deals and channel-driven revenue growth. Incentives were probably also great for product, eng., ops and all other functions at the company. <br><br>Everyone wants to be part of a rocketship &#128640;</p><div><hr></div><h2><strong>Top of the Top-Down Sales Strategy</strong></h2><p>From the beginning, Wiz combined aggressive outbound top-down sales with strategically engineered inbound interest via marketing efforts. Unlike typical SaaS growth models in crowded categories, Wiz <strong>skipped freemium and self-service trials</strong>, focusing from day one on top-down selling to Fortune 500 CISOs. 
By 2024,<a href="https://www.timesofisrael.com/backed-by-softbank-investment-wiz-pushes-plans-for-expansion-in-asia/#:~:text=Headquartered%20in%20New%20York%2C%20the,BMW%2C%20DocuSign%2C%20Plaid%20and%20Agoda"> 40% of the Fortune 100 were customers</a>.</p><p>How did they do it?</p><ul><li><p><strong>Outbound, Big-Deal Focus:</strong> Wiz&#8217;s sales team went straight after the Fortune 100 and large enterprises, rather than &#8220;starting mid-market&#8221; like most startups. Early wins included<em> Bridgewater</em>, <em>Morgan Stanley, DocuSign, Slack, BMW,</em> and others as customers. By targeting the biggest &#8220;whales&#8221; with acute cloud security pain, Wiz closed large annual contracts that rapidly boosted their ARR. Sales cycles that normally take 12&#8211;18 months in cybersecurity were compressed dramatically because their agentless platform could deploy in <strong>minutes</strong> and showed value almost immediately.</p></li><li><p><strong>Rapid Proof-of-Value (PoV): </strong>Wiz&#8217;s product enabled rapid, frictionless evaluations, demonstrating significant security findings within minutes. This immediate "time-to-value" (TTV) turned prospects into eager customers and generated powerful <strong>word-of-mouth among CISOs</strong>. One Fortune 100 CISO said Wiz&#8217;s demo "felt like magic" in how quickly it exposed issues. This led to fast-tracked purchases. As a result, Wiz rapidly built a roster of blue-chip customers, and by publicly announcing ARR milestones, it created a perception of inevitability: <strong>everyone is buying Wiz.</strong> This momentum pulled in even more customers and boxed out slower-moving competitors. Check out their 'Customer Stories' page for examples: https://www.wiz.io/customers</p></li><li><p><strong>Early Inbound via Network and Marketing: </strong>Wiz benefited from investor-driven referrals and world-class marketing that created strong industry buzz (expanding on this in Part III). 
Their investments and execution in marketing meant that by the time a sales rep engaged a new prospect, they had likely already heard of Wiz as the hot new solution for cloud security.</p></li></ul><div><hr></div><h2>Channel, Cloud, Resellers and Tech Alliances</h2><p>In 2023, Wiz made the decision to go 100% pure channel sales and doubled down on hiring experienced channel leadership. This was a strategic decision to remove friction in the purchasing process and tap into existing customer budgets and relationships. Over its lifecycle, Wiz&#8217;s channel strategy evolved from opportunistic use of cloud marketplaces to a fully structured partner program by 2024. </p><p>&#128161; For clarity, <strong>channel = 3rd parties that help you sell your product.</strong></p><div><hr></div><h3><strong>Cloud Marketplaces</strong></h3><p>Nearly every Wiz deal had the option to transact via the major cloud marketplaces (AWS, Microsoft Azure, and Google Cloud). In fact, <em><a href="https://medium.com/@anupamr/forget-the-32b-exit-wizs-meteoric-rise-to-500m-arr-is-a-masterclass-in-enterprise-gtm-ce89d22d1602#:~:text=They%20went%20where%20the%20customers,dollars%20already%20earmarked%20for%20cloud">99% of Wiz sellers closed at least one deal through AWS, Azure, or GCP marketplaces</a></em>. By aligning with the <strong>cloud marketplaces</strong>, Wiz unlocked enterprise funds <strong>already earmarked for cloud</strong>. Many large companies commit spend to AWS/Azure as part of their cloud contracts; purchasing Wiz through the marketplace allowed clients to draw down those pre-committed budgets. It also simplified vendor onboarding and billing. Seems like<a href="https://tackle.io/resources/customer-story/wiz-cloud-gtm/"> Wiz partnered with a company called Tackle.io</a> to help cloud marketplace selling.</p><p>Many deals today happen on cloud marketplaces. 
<a href="https://www.channelfutures.com/security/crowdstrike-hits-1-billion-mark-aws-marketplace">CrowdStrike did $1 billion</a> in sales just on the AWS Marketplace in 2024 &#129327; </p><div><hr></div><h3><strong>Resellers and VAR Partnerships</strong></h3><p>Beyond cloud marketplaces, Wiz built relationships with security resellers and integrators (often called VARs or channel partners). Early on, these were ad-hoc. For example, <a href="https://www.crn.com/news/security/2024/wiz-aims-for-huge-channel-push-with-exec-hires-partner-recruitment#:~:text=For%20IT%20consultancy%20powerhouse%20Trace3%2C,on%20CRN%E2%80%99s%20Solution%20Provider%20500">Trace3, a major IT solutions provider, became one of Wiz&#8217;s first U.S. partners and helped introduce Wiz to joint customers</a>. Seeing the value, Wiz decided to put much more resources into partner-driven growth in 2024. This meant enabling and rewarding partners for sourcing and co-selling deals. </p><p>Wiz provided training, attractive margins, and marketing support to top channel partners. In return, partners like Trace3, Optiv, and Big Four consulting firms started bringing Wiz into large &#8220;cloud transformation&#8221; projects. By leaning into the channel, Wiz could reach many more customers, especially in regions or verticals where using a trusted local reseller is key. As CEO <a href="https://www.crn.com/news/security/2024/wiz-aims-for-huge-channel-push-with-exec-hires-partner-recruitment#:~:text=%E2%80%9CIn%20cybersecurity%20partners%20are%20super%2C,founder%20at%20Wiz">Assaf Rappaport explained</a>, &#8220;In cybersecurity, partners are super, super important&#8230;we&#8217;ve always seen huge potential&#8230;and there is so much more we can do&#8221; by aligning with them. This partner-first mindset became a priority as Wiz scaled. Key to note that Palo Alto Networks also leaned in heavily in to channel sales on their path to $100B valuation. 
</p><div><hr></div><h3><strong>MSSPs and Managed Service Providers</strong></h3><p>Wiz also forged alliances with managed security service providers (MSSPs). A notable partnership was with <strong><a href="https://expel.com/">Expel</a></strong>, a Managed Detection &amp; Response (MDR) provider. In 2024, <a href="https://www.msspalert.com/news/wiz-expel-integration-powers-cloud-security-for-mssps-msps">Wiz and Expel announced an integration</a> enabling Expel&#8217;s SOC analysts to natively ingest Wiz&#8217;s cloud risk findings. This effectively lets MSSPs include Wiz&#8217;s cloud security as part of their monitoring services. <em>&#8220;The unique value MSSPs get from this partnership is the coupling of Wiz&#8217;s cloud detection with Expel&#8217;s analysis,&#8221;</em> noted an Expel spokesperson. </p><p>By partnering with MSSPs, Wiz extended its reach to smaller enterprises that use outsourced security, without having to sell to each one directly. It gave MSSPs a differentiator (advanced cloud visibility via Wiz), creating a win-win. Wiz also made sure its product could integrate with other MSSP tools and multi-tenant management, smoothing adoption in that channel. The end result is that <strong>Wiz became a popular choice for MSSPs</strong> looking to bolster their cloud protection offerings. This &#8220;channel on steroids&#8221; meant even organizations without in-house security teams became Wiz customers via service providers.</p><div><hr></div><h3><strong>Technology Alliances and OEMs</strong> </h3><p>Wiz created a <a href="https://www.wiz.io/integrations">strategic technology partnerships program called &#8216;WIN&#8217;</a> which set the stage for bidirectional integrations that augmented partner solutions and, ultimately, gave customers a more unified view of their security landscape. 
For example, Wiz partnered with <a href="https://www.msspalert.com/news/wiz-expel-integration-powers-cloud-security-for-mssps-msps#:~:text=Wiz%20partners%20with%20notable%20cloud,cloud%20security%20with%20endpoint%20protection">CrowdStrike to integrate Wiz&#8217;s cloud findings with CrowdStrike&#8217;s Falcon endpoint platform</a>. This unified view helped joint customers correlate cloud and endpoint threats. It also opened cross-sell opportunities. A win-win.</p><p>In summary, Wiz smartly leveraged partnerships at every level: cloud hyperscalers, channel partners, resellers, and other security vendors. These alliances gave Wiz scale and credibility far beyond what its size would suggest, enabling them to punch above their weight and become the security darling of the world with an ecosystem rallying around it.</p><h2><strong>Regional Expansion and International GTM Efforts</strong></h2><p>To quickly sum this section up, Wiz combined centralized GTM strategy with regional execution. Wiz&#8217;s core value proposition &#8211; <strong>multi cloud security with quick and painless time-to-value</strong> &#8211; was universal. This meant the same product and messaging resonated globally, allowing the central team to roll out campaigns that regional teams could execute.</p><p>Wiz established hubs in key markets like the U.S., EMEA, and APAC. They opened a European HQ in London, expanded aggressively in Asia (Japan, Singapore, and Australia primarily) with <a href="https://www.timesofisrael.com/backed-by-softbank-investment-wiz-pushes-plans-for-expansion-in-asia/">SoftBank&#8217;s backing</a>, and leveraged their Israeli R&amp;D base for product, eng. 
and vulnerability research.</p><p><a href="https://www.theguardian.com/business/article/2024/aug/15/cybersecurity-firm-wiz-to-open-european-headquarters-in-london#:~:text=Wiz%20offers%20a%20service%20that,Microsoft%20Azure%20for%20security%20risks">Wiz landed key European customers</a> like <em>Shell (Netherlands), BMW (Germany), LVMH (France), ASOS and Bank of England (UK)</em> which certainly helped build a strong presence in the region. They also didn&#8217;t let off the gas in the US while they were expanding. They invested heavily in their public sector arm as evidenced by their <a href="https://www.wiz.io/blog/wiz-achieves-fedramp-moderate-authorization">FedRAMP Moderate authorization</a>.</p><p>The result of their expansion efforts was global penetration. Wiz&#8217;s international GTM efforts contributed significantly to its hypergrowth; by not being U.S.-only, it tapped into budgets from London to Sydney, exponentially accelerating its ARR climb.</p><div><hr></div><h2><strong>Conclusion</strong></h2><p>Wiz&#8217;s success is not just about a great product meeting a market need. Many things had to go right for them to grow as fast and as well as they did. They <strong>executed a once-in-a-generation GTM strategy with near-perfect timing and intensity</strong>. The company built a sales organization that combined veteran leadership with creative, hungry talent. It pursued an unabashedly enterprise-focused approach, selling top-down to the CISO and skipping the conventional &#8220;grow slow&#8221; wisdom, and proved that big deals can close fast when the value is clear. Wiz aligned itself with how customers wanted to buy, turning channels and cloud marketplaces into an advantage rather than an afterthought. 
By forging key partnerships (from AWS to Expel to SoftBank), Wiz extended its reach globally and was able to sell to customers of all types.</p><p>There is so much to learn from Wiz&#8217;s astronomical rise. For founders and GTM leaders, here are the biggest lessons to take away:</p><ul><li><p><strong>Start with Founder-Led Sales until $1-3M in ARR (or PMF)</strong></p></li><li><p><strong>Go top-down from day one. Go for massive deals v. SMB.</strong></p></li><li><p><strong>Once PMF, hire world-class revenue leaders early</strong></p></li><li><p><strong>Grow ahead of demand, not behind it.</strong></p></li><li><p><strong>Build a layered channel &amp; partner strategy (Resellers, MSSPs, Tech alliances, etc)</strong></p></li><li><p><strong>Continuously iterate on Time-to-Value (TTV).</strong></p></li><li><p><strong>Align with how customers want to buy. Be flexible.</strong></p></li><li><p><strong>Treat cloud marketplaces as strategic channels.</strong></p></li><li><p><strong>Ask questions and listen more than you speak during customer convos.</strong></p></li></ul><div class="pullquote"><p><em><strong>Interested in sponsoring an issue of The Cybersecurity Pulse?<br></strong>This includes reaching an audience of ~6,000, ranging from CISOs, Security Engineers, and world-class investors across 100+ countries!</em></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cybersecuritypulse.net/p/partner-with-tcp-maximize-your-reach&quot;,&quot;text&quot;:&quot;Learn more here &#128072;&#127996;&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cybersecuritypulse.net/p/partner-with-tcp-maximize-your-reach"><span>Learn more here &#128072;&#127996;</span></a></p></div><p></p><p></p>]]></content:encoded></item><item><title><![CDATA[2025 RSAC Innovation Sandbox Finalists Announced]]></title><description><![CDATA[A look at this year's RSAC Innovation Sandbox 
Finalists]]></description><link>https://www.cybersecuritypulse.net/p/2025-rsac-innovation-sandbox-finalists</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/2025-rsac-innovation-sandbox-finalists</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Tue, 08 Apr 2025 18:01:05 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!xCIH!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0d5ad34d-9f99-4ff4-8aae-b0770197f5b2_800x800.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Welcome to <strong>The Cybersecurity Pulse (TCP)</strong>! I'm Darwin Salazar, Head of Growth + Marketing at <strong><a href="https://www.monad.com/">Monad</a></strong> and former detection engineer in big tech. Each week, I dig through all the major headlines to bring you the latest security product innovation and industry news. Subscribe below for weekly updates!</em> &#128231;</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cybersecuritypulse.net/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cybersecuritypulse.net/subscribe?"><span>Subscribe now</span></a></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!xCIH!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0d5ad34d-9f99-4ff4-8aae-b0770197f5b2_800x800.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!xCIH!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0d5ad34d-9f99-4ff4-8aae-b0770197f5b2_800x800.jpeg 
424w, https://substackcdn.com/image/fetch/$s_!xCIH!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0d5ad34d-9f99-4ff4-8aae-b0770197f5b2_800x800.jpeg 848w, https://substackcdn.com/image/fetch/$s_!xCIH!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0d5ad34d-9f99-4ff4-8aae-b0770197f5b2_800x800.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!xCIH!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0d5ad34d-9f99-4ff4-8aae-b0770197f5b2_800x800.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!xCIH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0d5ad34d-9f99-4ff4-8aae-b0770197f5b2_800x800.jpeg" width="800" height="800" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0d5ad34d-9f99-4ff4-8aae-b0770197f5b2_800x800.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:800,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;No alternative text description for this image&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="No alternative text description for this image" title="No alternative text description for this image" srcset="https://substackcdn.com/image/fetch/$s_!xCIH!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0d5ad34d-9f99-4ff4-8aae-b0770197f5b2_800x800.jpeg 424w, 
https://substackcdn.com/image/fetch/$s_!xCIH!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0d5ad34d-9f99-4ff4-8aae-b0770197f5b2_800x800.jpeg 848w, https://substackcdn.com/image/fetch/$s_!xCIH!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0d5ad34d-9f99-4ff4-8aae-b0770197f5b2_800x800.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!xCIH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0d5ad34d-9f99-4ff4-8aae-b0770197f5b2_800x800.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>The RSA Conference (RSAC) Innovation Sandbox (ISB) top 10 finalists were <strong><a href="https://www.prnewswire.com/news-releases/finalists-announced-for-20th-annual-rsac-innovation-sandbox-contest-2025-302422487.html">just announced this morning</a></strong>. Now in its 20th year, they&#8217;ve added a new component of a <strong>$5 million</strong> investment via an <em>uncapped</em> <strong><a href="https://www.cakeequity.com/guides/safe-notes">Simple Agreement for Future Equity (SAFE)</a> </strong>note from <strong><a href="https://crosspointcapital.com/">Crosspoint Capital Partners</a> </strong>for <em>all</em> finalists<strong>. </strong>I have many questions + concerns about this including that <strong><a href="https://www.rsaconference.com/library/press-release/rsa-conference-2025-innovation-sandbox-contest-celebrates-20th-anniversary">the announcement post</a></strong> doesn&#8217;t mention whether finalists can decline the investment. <br><br>In any case, being an ISB finalist carries a lot of weight and helps open up doors for rising startups. Also, it&#8217;s great to see that only 4 of 10 focus on AI security during an era that has been consumed by AI. </p><p>Anyhow, let&#8217;s take a look at this year&#8217;s finalists! 
</p><div class="pullquote"><p><em><strong>Interested in sponsoring an issue of The Cybersecurity Pulse?</strong></em></p><p><em>This includes reaching an audience of ~6,000, ranging from CISOs, Security Engineers, and world-class investors across 100+ countries!</em></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cybersecuritypulse.net/p/partner-with-tcp-maximize-your-reach&quot;,&quot;text&quot;:&quot;Learn more here &#128072;&#127996;&quot;,&quot;action&quot;:null,&quot;class&quot;:&quot;button-wrapper&quot;}" data-component-name="ButtonCreateButton"><a class="button primary button-wrapper" href="https://www.cybersecuritypulse.net/p/partner-with-tcp-maximize-your-reach"><span>Learn more here &#128072;&#127996;</span></a></p></div><h2>The 2025 Finalists</h2><p>The finalists (in alphabetical order) are:</p><p><strong><a href="https://aurascape.ai/">Aurascape</a></strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!1-JU!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9cdc281-ed1b-4041-a983-f7f91d95ebbb_630x363.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!1-JU!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9cdc281-ed1b-4041-a983-f7f91d95ebbb_630x363.png 424w, https://substackcdn.com/image/fetch/$s_!1-JU!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9cdc281-ed1b-4041-a983-f7f91d95ebbb_630x363.png 848w, 
https://substackcdn.com/image/fetch/$s_!1-JU!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9cdc281-ed1b-4041-a983-f7f91d95ebbb_630x363.png 1272w, https://substackcdn.com/image/fetch/$s_!1-JU!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9cdc281-ed1b-4041-a983-f7f91d95ebbb_630x363.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!1-JU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9cdc281-ed1b-4041-a983-f7f91d95ebbb_630x363.png" width="712" height="410.247619047619" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a9cdc281-ed1b-4041-a983-f7f91d95ebbb_630x363.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:363,&quot;width&quot;:630,&quot;resizeWidth&quot;:712,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;A user interface displaying a conversation log with categories like Work Related, Biz, Software Code, and PII, along with timestamps.&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="A user interface displaying a conversation log with categories like Work Related, Biz, Software Code, and PII, along with timestamps." title="A user interface displaying a conversation log with categories like Work Related, Biz, Software Code, and PII, along with timestamps." 
srcset="https://substackcdn.com/image/fetch/$s_!1-JU!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9cdc281-ed1b-4041-a983-f7f91d95ebbb_630x363.png 424w, https://substackcdn.com/image/fetch/$s_!1-JU!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9cdc281-ed1b-4041-a983-f7f91d95ebbb_630x363.png 848w, https://substackcdn.com/image/fetch/$s_!1-JU!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9cdc281-ed1b-4041-a983-f7f91d95ebbb_630x363.png 1272w, https://substackcdn.com/image/fetch/$s_!1-JU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9cdc281-ed1b-4041-a983-f7f91d95ebbb_630x363.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" 
stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Aurascape believes AI has the potential to supercharge how society works. However, unchecked use of AI, Generative AI, and AI Agents does bring risks. Aurascape gives security and AI leaders the protection they need to confidently embrace AI.</p><div><hr></div><p><strong><a href="https://calypsoai.com/">CalypsoAI</a></strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!2ZhY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0389bebd-8410-4974-a8ab-63e543f9e625_1232x805.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!2ZhY!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0389bebd-8410-4974-a8ab-63e543f9e625_1232x805.png 424w, https://substackcdn.com/image/fetch/$s_!2ZhY!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0389bebd-8410-4974-a8ab-63e543f9e625_1232x805.png 848w, https://substackcdn.com/image/fetch/$s_!2ZhY!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0389bebd-8410-4974-a8ab-63e543f9e625_1232x805.png 1272w, https://substackcdn.com/image/fetch/$s_!2ZhY!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0389bebd-8410-4974-a8ab-63e543f9e625_1232x805.png 1456w" 
sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!2ZhY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0389bebd-8410-4974-a8ab-63e543f9e625_1232x805.png" width="1232" height="805" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0389bebd-8410-4974-a8ab-63e543f9e625_1232x805.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:805,&quot;width&quot;:1232,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:231170,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.cybersecuritypulse.net/i/160869154?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0389bebd-8410-4974-a8ab-63e543f9e625_1232x805.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!2ZhY!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0389bebd-8410-4974-a8ab-63e543f9e625_1232x805.png 424w, https://substackcdn.com/image/fetch/$s_!2ZhY!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0389bebd-8410-4974-a8ab-63e543f9e625_1232x805.png 848w, https://substackcdn.com/image/fetch/$s_!2ZhY!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0389bebd-8410-4974-a8ab-63e543f9e625_1232x805.png 1272w, 
https://substackcdn.com/image/fetch/$s_!2ZhY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0389bebd-8410-4974-a8ab-63e543f9e625_1232x805.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>CalypsoAI secures applications and agents through its Inference Platform &#8212; protecting AI at runtime with customizable defensive controls, agentic red-teaming, remediation, governance, and observability solutions &#8212; helping enterprises safely scale AI.</p><div><hr></div><p><strong><a href="https://www.cmdzero.io/">Command Zero</a></strong><br>Command 
Zero is an autonomous and AI-assisted investigations platform, built to transform security operations. It empowers analysts to run advanced investigations and threat hunts in complex environments. The platform reduces mean time to understand and respond &#8212; delivering expert outcomes at scale.</p><div><hr></div><p><strong><a href="https://www.eqtylab.io/">EQTY Lab AG</a></strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!XZuS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5c8df746-5086-4037-8433-810123d2d748_2412x1394.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!XZuS!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5c8df746-5086-4037-8433-810123d2d748_2412x1394.png 424w, https://substackcdn.com/image/fetch/$s_!XZuS!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5c8df746-5086-4037-8433-810123d2d748_2412x1394.png 848w, https://substackcdn.com/image/fetch/$s_!XZuS!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5c8df746-5086-4037-8433-810123d2d748_2412x1394.png 1272w, https://substackcdn.com/image/fetch/$s_!XZuS!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5c8df746-5086-4037-8433-810123d2d748_2412x1394.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!XZuS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5c8df746-5086-4037-8433-810123d2d748_2412x1394.png" width="1456" 
height="841" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5c8df746-5086-4037-8433-810123d2d748_2412x1394.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:841,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;EQTY Lab&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="EQTY Lab" title="EQTY Lab" srcset="https://substackcdn.com/image/fetch/$s_!XZuS!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5c8df746-5086-4037-8433-810123d2d748_2412x1394.png 424w, https://substackcdn.com/image/fetch/$s_!XZuS!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5c8df746-5086-4037-8433-810123d2d748_2412x1394.png 848w, https://substackcdn.com/image/fetch/$s_!XZuS!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5c8df746-5086-4037-8433-810123d2d748_2412x1394.png 1272w, https://substackcdn.com/image/fetch/$s_!XZuS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5c8df746-5086-4037-8433-810123d2d748_2412x1394.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" 
xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>EQTY Lab pioneers solutions that accelerate trust in AI. The AI Integrity Suite applies cryptography to ensure that the governance of AI agents is accountable and verifiable. With applications in the public sector, life sciences, and finance, EQTY Lab is at the forefront of enabling AI innovation.</p><div><hr></div><p><strong><a href="https://www.knostic.ai/">Knostic</a> &#11088;</strong><br>Knostic provides need-to-know based access controls for LLMs. With knowledge-centric capabilities, Knostic enables organizations to accelerate the adoption of LLMs and drive AI-powered innovation without compromising value, security, or safety. 
<strong><a href="https://www.knostic.ai/blog/knostic-wins-first-place-in-black-hat-conference-startup-spotlight-competition">Winner of the 2024 Black Hat Startup Spotlight competition.</a></strong></p><div><hr></div><p><strong><a href="https://www.metalware.com/">Metalware</a></strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!LLNQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd887926c-4a15-49d9-8394-3c7e32970eeb_1202x809.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!LLNQ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd887926c-4a15-49d9-8394-3c7e32970eeb_1202x809.png 424w, https://substackcdn.com/image/fetch/$s_!LLNQ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd887926c-4a15-49d9-8394-3c7e32970eeb_1202x809.png 848w, https://substackcdn.com/image/fetch/$s_!LLNQ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd887926c-4a15-49d9-8394-3c7e32970eeb_1202x809.png 1272w, https://substackcdn.com/image/fetch/$s_!LLNQ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd887926c-4a15-49d9-8394-3c7e32970eeb_1202x809.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!LLNQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd887926c-4a15-49d9-8394-3c7e32970eeb_1202x809.png" 
width="1202" height="809" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d887926c-4a15-49d9-8394-3c7e32970eeb_1202x809.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:809,&quot;width&quot;:1202,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:180723,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.cybersecuritypulse.net/i/160869154?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd887926c-4a15-49d9-8394-3c7e32970eeb_1202x809.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!LLNQ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd887926c-4a15-49d9-8394-3c7e32970eeb_1202x809.png 424w, https://substackcdn.com/image/fetch/$s_!LLNQ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd887926c-4a15-49d9-8394-3c7e32970eeb_1202x809.png 848w, https://substackcdn.com/image/fetch/$s_!LLNQ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd887926c-4a15-49d9-8394-3c7e32970eeb_1202x809.png 1272w, https://substackcdn.com/image/fetch/$s_!LLNQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd887926c-4a15-49d9-8394-3c7e32970eeb_1202x809.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg 
role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Metalware helps enterprises and governments secure critical infrastructure firmware at scale. Its binary fuzzing platform automates the traditionally complex process of firmware testing, enabling customers to detect and remediate vulnerabilities in embedded systems before deployment.</p><div><hr></div><p><strong><a href="https://mind.io/">MIND</a></strong><br>MIND is a data security platform that puts Data Loss Prevention (DLP) and Insider Risk Management (IRM) programs on autopilot to deliver both posture and prevention. 
MIND discovers and classifies sensitive data, fixes data security issues, and stops sensitive data leaks.</p><div><hr></div><p><strong><a href="https://projectdiscovery.io/">ProjectDiscovery</a></strong><br>ProjectDiscovery.io equips security teams with open-source tools to find and fix vulnerabilities fast. Powered by Nuclei, the platform automates attack surface monitoring and vulnerability management &#8212; helping organizations stay ahead of real-world threats.</p><div><hr></div><p><strong><a href="https://smallstep.com/">Smallstep</a></strong><br>Smallstep ensures only company-owned devices can access sensitive resources. Co-developers of ACME Device Attestation with Google and Apple, the Device Identity Platform solves the "other half" of Zero Trust by securing Wi-Fi, VPNs, ZTNA, SaaS apps, and cloud APIs with hardware-bound credentials.</p><div><hr></div><p><strong><a href="https://www.twinesecurity.com/">Twine Security</a></strong><br>Twine builds AI digital employees who execute tasks from A to Z to help cyber teams close the talent gap. The company's first AI digital employee, Alex, learns, understands and takes away the burden of identity management tasks &#8212; proactively completing the organization's cyber objectives.</p><p><strong>Source:</strong> <a href="https://www.prnewswire.com/news-releases/finalists-announced-for-20th-annual-rsac-innovation-sandbox-contest-2025-302422487.html">PR Newswire</a></p><h2>The Future of Security</h2><p>Whether or not they take home the &#8220;Most Innovative Startup&#8221; crown, all ten finalists are certainly worth watching. 
In fact, some ISB runners-up have skyrocketed in the years following the contest (case in point: Wiz, <strong><a href="https://www.esecurityplanet.com/trends/2021-rsac-innovation-contest/">which lost to winner Apiiro in 2021</a></strong>, was recently <strong><a href="https://techcrunch.com/2025/03/18/google-is-buying-wiz-for-32b-to-beef-up-in-cloud-security/?guccounter=1&amp;guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&amp;guce_referrer_sig=AQAAAJmv7B0DBplphfgqXO0AtclmaliCYiSy4exmNnyISmXpcT2MWqU5XoWJx8UxyUgax59r5NLKWAb4nUy2X1QPMEm_9_NcALrZHXD4hpTBvJbC0At8vsJdR8WgBlX0iSiKfZqaxGg-FeJI8hVkiK3KwGunL6WZcdcsUBmCphwtZB4G">acquired by Google for $32B</a></strong>), and some have even IPO&#8217;d (SentinelOne, Imperva, Sumo Logic, and Sourcefire).</p><p>Out of the 10, I&#8217;m most bullish on <strong>Metalware</strong>, <strong>EQTY Lab</strong>, and <strong>CalypsoAI</strong>. Who are you most excited about? &#128064;</p>]]></content:encoded></item><item><title><![CDATA[Wiz’s $32B GTM Playbook: Unpacking the Formula (Part I)]]></title><description><![CDATA[From Finding PMF to Nailing Branding]]></description><link>https://www.cybersecuritypulse.net/p/wizs-32b-gtm-playbook-unpacking-the</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/wizs-32b-gtm-playbook-unpacking-the</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Tue, 25 Mar 2025 11:57:47 GMT</pubDate><enclosure 
url="https://substackcdn.com/image/fetch/$s_!AugY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab3d2f02-573e-4ef2-9d63-d7931e0bbf22_4032x3024.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Welcome to <strong>The Cybersecurity Pulse (TCP)</strong>! I'm Darwin Salazar, Head of Growth and Marketing at <strong><a href="https://www.monad.com/">Monad</a></strong> and former Detection Engineer in big tech. Each week, I dig through all the major headlines to bring you the latest security product innovation and industry news. Subscribe below for weekly updates!</em> &#128231;</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cybersecuritypulse.net/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cybersecuritypulse.net/subscribe?"><span>Subscribe now</span></a></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!AugY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab3d2f02-573e-4ef2-9d63-d7931e0bbf22_4032x3024.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!AugY!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab3d2f02-573e-4ef2-9d63-d7931e0bbf22_4032x3024.webp 424w, https://substackcdn.com/image/fetch/$s_!AugY!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab3d2f02-573e-4ef2-9d63-d7931e0bbf22_4032x3024.webp 848w, 
https://substackcdn.com/image/fetch/$s_!AugY!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab3d2f02-573e-4ef2-9d63-d7931e0bbf22_4032x3024.webp 1272w, https://substackcdn.com/image/fetch/$s_!AugY!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab3d2f02-573e-4ef2-9d63-d7931e0bbf22_4032x3024.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!AugY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab3d2f02-573e-4ef2-9d63-d7931e0bbf22_4032x3024.webp" width="1456" height="1092" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ab3d2f02-573e-4ef2-9d63-d7931e0bbf22_4032x3024.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1092,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Wiz at Re:Inforce 2023 | Wiz Blog&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Wiz at Re:Inforce 2023 | Wiz Blog" title="Wiz at Re:Inforce 2023 | Wiz Blog" srcset="https://substackcdn.com/image/fetch/$s_!AugY!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab3d2f02-573e-4ef2-9d63-d7931e0bbf22_4032x3024.webp 424w, https://substackcdn.com/image/fetch/$s_!AugY!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab3d2f02-573e-4ef2-9d63-d7931e0bbf22_4032x3024.webp 848w, 
https://substackcdn.com/image/fetch/$s_!AugY!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab3d2f02-573e-4ef2-9d63-d7931e0bbf22_4032x3024.webp 1272w, https://substackcdn.com/image/fetch/$s_!AugY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab3d2f02-573e-4ef2-9d63-d7931e0bbf22_4032x3024.webp 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong><a href="https://www.nytimes.com/2025/03/18/technology/google-alphabet-wiz-deal.html">Google just acquired Wiz for 
$32B</a></strong>, 5 years after its founding. If you haven&#8217;t been watching closely, you may be asking yourself, &#8220;How on earth did they achieve that?&#8221; It&#8217;s an unprecedented, historic feat that will be talked about and studied for decades.</p><p>Sure, they had many factors working in their favor from inception, but to me, the x-factor (aka &#8220;Secret Sauce&#8221;) was their Go-To-Market (GTM) strategy. <strong>I&#8217;d argue that they&#8217;ve had a greater GTM run than any other B2B company in recent history, except for maybe Salesforce.</strong></p><p>As a former competitor to Wiz, a current tech partner through Monad, a market analyst with TCP, and a friend to several Wizards, I've had an up-close look at their meteoric rise.</p><p>In this series, I&#8217;ll try to decode the exact growth and marketing tactics behind Wiz's historic exit. In this installment, we&#8217;ll dissect their journey from finding Product-Market Fit (PMF) to how they nailed branding that set them apart in a hypercompetitive segment with well-established incumbents.</p><p><strong>Curious about what growth + marketing hacks Wiz employed and how you can apply them to your own strategy?</strong> This series should act as some sort of guide for that! 
</p><h2>Perspective</h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!7FZH!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1eb5f8ac-ed74-4fff-8fac-fad8159b2cd3_671x319.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!7FZH!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1eb5f8ac-ed74-4fff-8fac-fad8159b2cd3_671x319.png 424w, https://substackcdn.com/image/fetch/$s_!7FZH!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1eb5f8ac-ed74-4fff-8fac-fad8159b2cd3_671x319.png 848w, https://substackcdn.com/image/fetch/$s_!7FZH!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1eb5f8ac-ed74-4fff-8fac-fad8159b2cd3_671x319.png 1272w, 
https://substackcdn.com/image/fetch/$s_!7FZH!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1eb5f8ac-ed74-4fff-8fac-fad8159b2cd3_671x319.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!7FZH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1eb5f8ac-ed74-4fff-8fac-fad8159b2cd3_671x319.png" width="724" height="344.1967213114754" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1eb5f8ac-ed74-4fff-8fac-fad8159b2cd3_671x319.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:319,&quot;width&quot;:671,&quot;resizeWidth&quot;:724,&quot;bytes&quot;:71113,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://www.cybersecuritypulse.net/i/159443835?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1eb5f8ac-ed74-4fff-8fac-fad8159b2cd3_671x319.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!7FZH!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1eb5f8ac-ed74-4fff-8fac-fad8159b2cd3_671x319.png 424w, https://substackcdn.com/image/fetch/$s_!7FZH!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1eb5f8ac-ed74-4fff-8fac-fad8159b2cd3_671x319.png 848w, 
https://substackcdn.com/image/fetch/$s_!7FZH!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1eb5f8ac-ed74-4fff-8fac-fad8159b2cd3_671x319.png 1272w, https://substackcdn.com/image/fetch/$s_!7FZH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1eb5f8ac-ed74-4fff-8fac-fad8159b2cd3_671x319.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Wiz achieved <strong><a href="https://www.wiz.io/blog/100m-arr-in-18-months-wiz-becomes-the-fastest-growing-software-company-ever">$100M 
in annual recurring revenue (ARR) in August 2022</a></strong>, just 18 months after launch, making it <strong>the fastest software company to reach this milestone</strong> at the time. By <strong><a href="https://finance.yahoo.com/news/wiz-soars-heights-startup-10-171611883.html?guccounter=1">May 2023, ARR reached $200M</a></strong>, and <strong><a href="https://www.calcalistech.com/ctechnews/article/sjgjl00r96">by February 2024, it was $350M</a></strong>, with a <strong><a href="https://www.calcalistech.com/ctechnews/article/sjgjl00r96">target of $1B ARR and a future Initial Public Offering </a>(IPO)</strong>. </p><p>In July 2024, <strong><a href="https://techcrunch.com/2024/07/22/wiz-walks-away-from-googles-23b-acquisition-offer-read-the-ceos-note-to-employees/">rumors swirled that Google had extended a $23B buyout offer, which was confirmed after Assaf sent a company-wide email</a></strong> stating that they had turned the offer down to pursue an IPO. Their historic ascent ultimately culminated in a <strong><a href="https://www.wiz.io/blog/wiz-joining-google">$32B acquisition by Google on March 17th, 2025.</a></strong> </p><p><strong>Side note:</strong> The deal is pending regulatory scrutiny and approval. EU + UK government review led to the <strong><a href="https://www.theverge.com/2023/12/18/24005996/adobe-figma-acquisition-abandoned-termination-fee">Figma x Adobe $20B deal falling through.</a></strong> Market and political conditions are different in 2025 + the dynamics of this deal are more synergistic/constructive than the Figma deal so &#129335;&#127997;&#8205;&#9794;&#65039;</p><div><hr></div><h2>Time Machine </h2><p>Let&#8217;s rewind to 2020, before Wiz was founded. Cloud Security Posture Management (CSPM) had been a product category for 5+ years. The term &#8216;CNAPP&#8217; didn&#8217;t exist. 
Companies like Palo Alto Networks, Aqua, Sysdig, and Check Point controlled the cloud security space. </p><p>So how did Wiz come in, kick the doors down, and capture enough market share to go from 0 to $32B in just 5 years? How did they dethrone incumbents and become <em>the</em> security darling of the world? </p><p>Of course, in retrospect, Wiz had many key ingredients working in their favor: </p><ul><li><p>Strong, proven founding team (<strong><a href="https://blogs.microsoft.com/blog/2015/09/08/microsoft-acquires-adallom-to-advance-identity-and-security-in-the-cloud/">Adallom founders</a></strong> + <strong><a href="https://www.sequoiacap.com/article/wiz-and-google-securing-the-cloud/">Microsoft Cloud Security Leadership</a></strong>) </p></li><li><p>Great, sticky product </p></li><li><p>Solving deeply felt pain point(s)  </p></li><li><p>Timing (founded just as the world went remote due to COVID-19 + cloud boom)</p></li><li><p>Legendary investors + network effects (<strong><a href="https://www.sequoiacap.com/">Sequoia Capital</a></strong>, <strong><a href="https://cyberstarts.com/">Cyberstarts</a></strong>, <strong><a href="https://www.indexventures.com/">Index Ventures</a></strong> etc.) </p></li><li><p>Lots of early funding (<strong><a href="https://www.securityweek.com/cloud-security-company-wiz-raises-250-million-6-billion-valuation/#:~:text=Wiz%20on%20Monday%20announced%20raising,security%20company%20to%20%24600%20million">$480M+ within a year of emerging from stealth</a></strong> &#129327;)</p></li><li><p>Relentless execution</p></li></ul><p>However, they weren&#8217;t first to market and they didn&#8217;t necessarily build a magic shield to stop all cyber attacks forever. While many of the stars seemingly aligned for Wiz, it wasn&#8217;t just luck or perfect timing.</p><p>So, how did they do it? 
</p><div><hr></div><h2>&#129668;Finding PMF</h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Hyg5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafbf81fc-95e3-4749-8eac-1c82149dd4ac_8192x3930.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Hyg5!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafbf81fc-95e3-4749-8eac-1c82149dd4ac_8192x3930.webp 424w, https://substackcdn.com/image/fetch/$s_!Hyg5!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafbf81fc-95e3-4749-8eac-1c82149dd4ac_8192x3930.webp 848w, https://substackcdn.com/image/fetch/$s_!Hyg5!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafbf81fc-95e3-4749-8eac-1c82149dd4ac_8192x3930.webp 1272w, https://substackcdn.com/image/fetch/$s_!Hyg5!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafbf81fc-95e3-4749-8eac-1c82149dd4ac_8192x3930.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Hyg5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafbf81fc-95e3-4749-8eac-1c82149dd4ac_8192x3930.webp" width="1456" height="698" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/afbf81fc-95e3-4749-8eac-1c82149dd4ac_8192x3930.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:698,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Hyg5!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafbf81fc-95e3-4749-8eac-1c82149dd4ac_8192x3930.webp 424w, https://substackcdn.com/image/fetch/$s_!Hyg5!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafbf81fc-95e3-4749-8eac-1c82149dd4ac_8192x3930.webp 848w, https://substackcdn.com/image/fetch/$s_!Hyg5!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafbf81fc-95e3-4749-8eac-1c82149dd4ac_8192x3930.webp 1272w, https://substackcdn.com/image/fetch/$s_!Hyg5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fafbf81fc-95e3-4749-8eac-1c82149dd4ac_8192x3930.webp 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">Wiz Security Graph. 2023 Edition. </figcaption></figure></div><p>None of this happens without PMF, so let&#8217;s start there. What made Wiz different in <strong><a href="https://www.gartner.com/reviews/market/cloud-security-posture-management-tools">a sea of 30+ cloud security tools</a></strong> is that they transformed a fragmented cloud security market of point solutions (CSPM, CWPP, CIEM, IaC scanning etc.) into a <strong>unified, user-friendly platform</strong> called Cloud-Native Application Protection Platform (CNAPP), a term they coined and championed that eventually <strong>became a new product category.</strong></p><p>Their unified platform paired with their agentless approach made it <strong>super simple and fast to get value</strong>. Most cloud workload protection platforms required deploying and maintaining agents on workloads, which added overhead. Wiz&#8217;s agentless approach removed this friction. 
Wiz also placed heavy emphasis on <strong>contextualization of security issues</strong> which led to their highly successful <strong><a href="https://www.wiz.io/blog/the-anatomy-of-a-toxic-combination-of-risk">Wiz Security Graph and &#8216;Toxic Combinations</a>&#8217;</strong> visualizations.</p><p>This unified and contextualized solution allowed security teams to easily onboard, prioritize the most important stuff, and gain a <strong>holistic view of potential impact</strong> with much <strong>less overhead</strong> than traditional cloud security tools.</p><p>This fresh approach is what landed them PMF. Once they had PMF, they tripled down on sales and marketing. </p><p><strong>Dig deeper &#8594; <a href="https://www.sequoiacap.com/article/wiz-spotlight-with-a-little-help-from-their-friends/?itm_medium=related-content&amp;itm_source=sequoiacap.com">This Sequoia Capital post</a></strong> offers a deeper look at their PMF journey.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!gdTN!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faea2db3c-644a-437e-ace0-45c0e0cc2614_1596x564.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!gdTN!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faea2db3c-644a-437e-ace0-45c0e0cc2614_1596x564.webp 424w, https://substackcdn.com/image/fetch/$s_!gdTN!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faea2db3c-644a-437e-ace0-45c0e0cc2614_1596x564.webp 848w, 
https://substackcdn.com/image/fetch/$s_!gdTN!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faea2db3c-644a-437e-ace0-45c0e0cc2614_1596x564.webp 1272w, https://substackcdn.com/image/fetch/$s_!gdTN!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faea2db3c-644a-437e-ace0-45c0e0cc2614_1596x564.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!gdTN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faea2db3c-644a-437e-ace0-45c0e0cc2614_1596x564.webp" width="1456" height="515" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/aea2db3c-644a-437e-ace0-45c0e0cc2614_1596x564.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:515,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:41290,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/webp&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!gdTN!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faea2db3c-644a-437e-ace0-45c0e0cc2614_1596x564.webp 424w, https://substackcdn.com/image/fetch/$s_!gdTN!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faea2db3c-644a-437e-ace0-45c0e0cc2614_1596x564.webp 848w, 
https://substackcdn.com/image/fetch/$s_!gdTN!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faea2db3c-644a-437e-ace0-45c0e0cc2614_1596x564.webp 1272w, https://substackcdn.com/image/fetch/$s_!gdTN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Faea2db3c-644a-437e-ace0-45c0e0cc2614_1596x564.webp 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">The Wiz Security Graph covering from Code to Cloud to Runtime. 
2025 Edition.</figcaption></figure></div><div><hr></div><h4>PMF Journey from CMO&#8217;s Perspective</h4><div id="youtube2-vnW3zIkrOvY" class="youtube-wrap" data-attrs="{&quot;videoId&quot;:&quot;vnW3zIkrOvY&quot;,&quot;startTime&quot;:null,&quot;endTime&quot;:null}" data-component-name="Youtube2ToDOM"><div class="youtube-inner"><iframe src="https://www.youtube-nocookie.com/embed/vnW3zIkrOvY?rel=0&amp;autoplay=0&amp;showinfo=0&amp;enablejsapi=0" frameborder="0" loading="lazy" gesture="media" allow="autoplay; fullscreen" allowautoplay="true" allowfullscreen="true" width="728" height="409"></iframe></div></div><p>This podcast with <strong><span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;Lenny Rachitsky&quot;,&quot;id&quot;:1849774,&quot;type&quot;:&quot;user&quot;,&quot;url&quot;:null,&quot;photo_url&quot;:&quot;https://bucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com/public/images/afba5161-65bb-4d99-8d6b-cce660917fa1_1540x1540.png&quot;,&quot;uuid&quot;:&quot;4c27714c-297d-4c81-bbe9-6ca01d3e1d61&quot;}" data-component-name="MentionToDOM"></span></strong> (&#128016;) and Raaz Herzberg, CMO at Wiz, dives into their early days and is an inside look into their journey to PMF. </p><p><strong>Key takeaways below:</strong> </p><ul><li><p><strong>Stealth Days -</strong> Wiz was initially founded as &#8220;Beyond Networks&#8221; with the intent to build a network security product. 10-15 calls a day (&#129327;) with security leaders led to the realization that network security was not a burning pain point. 
</p><ul><li><p>The founders&#8217; and investors&#8217; deep networks certainly played a key role in the 10-15 calls a day.</p></li></ul></li><li><p><strong>The Magical &#8220;Pull&#8221; &#10024; -</strong> A strong indicator that you&#8217;re headed in the right direction is when feedback goes from &#8220;Cool idea, not sure if we have a need for it right now&#8221; to &#8220;<strong>When can we start a PoV/PoC?</strong>&#8221;.</p></li><li><p><strong>Early Sales -</strong> Founding team closed &#8216;a couple million&#8217; in ARR before bringing on their first salesperson. </p><ul><li><p>Major lesson here is that if the founding team can&#8217;t sell the product repeatably end-to-end, it&#8217;s wishful thinking that bringing in a salesperson would be able to crack the PMF code for you. </p></li></ul></li><li><p><strong>Product messaging</strong> - Must be crystal clear. Abstract it to a level where beginners or outsiders can understand the problem you&#8217;re solving and how. Ditch the acronyms. Have a &#8216;dummy explanation&#8217;. </p></li><li><p><strong>CMO Success Factors</strong> </p><ul><li><p>Trust from founding team</p></li><li><p>Deep connection to the product (First-hand experience of the problem being solved goes a long way)</p></li><li><p>Deep connection to the market (Helps w/ positioning, differentiating etc.) </p></li></ul></li><li><p><strong>Experimentation -</strong> &#8220;Let&#8217;s try everything and try to make noise&#8221; approach played a huge role in their marketing success. </p><ul><li><p>Marketing is unlike product or engineering where decisions can directly negatively impact the user experience. </p></li><li><p>Unless you&#8217;re doing cringe marketing like <strong><a href="https://www.securityweek.com/all-hail-ambulance-chasers-security/">ambulance chasing</a></strong>, let your creativity run wild with campaigns and channels. Worst that can happen is the post or campaign flops and you move on to the next one. 
</p></li></ul></li><li><p><strong>Field Marketing -</strong> Raaz&#8217;s goal for big conferences was to <strong>make the Wiz booth as weird as possible </strong>in order to stand out from the rest. This led to a <strong>5x increase in booth traffic</strong> compared to previous years.</p><ul><li><p><strong><a href="https://www.wiz.io/blog/behind-the-scenes-at-the-wiz-booth-how-to-create-a-memorable-expo-experience">This post from Roy Katz</a></strong>, their Head of Brand, breaks down their methodology for their booth approach and includes a checklist other companies could reuse to nail their booth game. </p></li></ul></li></ul><p><strong>Side note:</strong> <strong><span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;Lenny's Newsletter&quot;,&quot;id&quot;:10845,&quot;type&quot;:&quot;pub&quot;,&quot;url&quot;:&quot;https://open.substack.com/pub/lenny&quot;,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/441213db-4824-4e48-9d28-a3a18952cbfc_592x592.png&quot;,&quot;uuid&quot;:&quot;662475ea-c395-4e89-8aa7-039cc4405c52&quot;}" data-component-name="MentionToDOM"></span></strong> and podcast are goldmines of resources for product builders <strong>&#128081;</strong> </p><p><strong>Dig Deeper:</strong> <strong><a href="https://openviewpartners.com/blog/category-creation-wiz-hit-100m-arr-in-only-18-months/">This OpenView write-up</a></strong> covers how Wiz became synonymous with the term CNAPP (Cloud-native Application Protection Platform), which is what made them break away from the rest of the cloud security providers.</p><div><hr></div><h2>&#128296; Nailing Branding </h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!03nF!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdfbb9ff-d735-4a13-a877-804f392fcea8_3745x1988.webp" 
data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!03nF!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdfbb9ff-d735-4a13-a877-804f392fcea8_3745x1988.webp 424w, https://substackcdn.com/image/fetch/$s_!03nF!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdfbb9ff-d735-4a13-a877-804f392fcea8_3745x1988.webp 848w, https://substackcdn.com/image/fetch/$s_!03nF!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdfbb9ff-d735-4a13-a877-804f392fcea8_3745x1988.webp 1272w, https://substackcdn.com/image/fetch/$s_!03nF!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdfbb9ff-d735-4a13-a877-804f392fcea8_3745x1988.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!03nF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdfbb9ff-d735-4a13-a877-804f392fcea8_3745x1988.webp" width="1456" height="773" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/fdfbb9ff-d735-4a13-a877-804f392fcea8_3745x1988.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:773,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
srcset="https://substackcdn.com/image/fetch/$s_!03nF!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdfbb9ff-d735-4a13-a877-804f392fcea8_3745x1988.webp 424w, https://substackcdn.com/image/fetch/$s_!03nF!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdfbb9ff-d735-4a13-a877-804f392fcea8_3745x1988.webp 848w, https://substackcdn.com/image/fetch/$s_!03nF!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdfbb9ff-d735-4a13-a877-804f392fcea8_3745x1988.webp 1272w, https://substackcdn.com/image/fetch/$s_!03nF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdfbb9ff-d735-4a13-a877-804f392fcea8_3745x1988.webp 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p><strong>How do you stand out as the new kid on the block in a hyper competitive space?</strong> Branding plays a massive role in that, and it bleeds through many key facets of the GTM machine. Branding is the identity of the company and it has a TON to do with human psychology. </p><p>Wiz&#8217;s branding starts with its name, short for &#8220;Wizard&#8221; and indicating magic. In an industry where fear, loss, and urgency are top of mind for customers, Wiz designed a fun, light-hearted brand with magic as the central theme. <strong>What comes to your mind when you think about magic?</strong> </p><p>To me, it&#8217;s defying universal laws and evoking a sense of wonder and of anything being possible, which is key for cultivating an innovative culture and product. From their logo, to their color palettes (royal blue, white, pink hues), to their messaging, Wiz chose optimism over fear.</p><p>This one decision to choose &#8220;Magic&#8221; as the center of its branding shows that Wiz understands their audience/<strong><a href="https://blog.hubspot.com/customers/ideal-customer-profiles-and-buyer-personas-are-they-different">ICP</a></strong>. It set the tone for their culture, GTM machine, how customers interact with them, product UX/UI and everything in between. </p><p><strong><a href="https://www.wiz.io/blog/the-magic-of-branding">This blog post</a></strong> written by Roy Katz peels back the curtains on the <em><strong>How</strong></em> and <em><strong>Why</strong> </em>of their branding. 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!__Og!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe180f8ad-b102-4078-a99a-f90b1a042b69_2482x992.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!__Og!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe180f8ad-b102-4078-a99a-f90b1a042b69_2482x992.webp 424w, https://substackcdn.com/image/fetch/$s_!__Og!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe180f8ad-b102-4078-a99a-f90b1a042b69_2482x992.webp 848w, https://substackcdn.com/image/fetch/$s_!__Og!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe180f8ad-b102-4078-a99a-f90b1a042b69_2482x992.webp 1272w, https://substackcdn.com/image/fetch/$s_!__Og!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe180f8ad-b102-4078-a99a-f90b1a042b69_2482x992.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!__Og!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe180f8ad-b102-4078-a99a-f90b1a042b69_2482x992.webp" width="1456" height="582" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e180f8ad-b102-4078-a99a-f90b1a042b69_2482x992.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:582,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!__Og!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe180f8ad-b102-4078-a99a-f90b1a042b69_2482x992.webp 424w, https://substackcdn.com/image/fetch/$s_!__Og!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe180f8ad-b102-4078-a99a-f90b1a042b69_2482x992.webp 848w, https://substackcdn.com/image/fetch/$s_!__Og!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe180f8ad-b102-4078-a99a-f90b1a042b69_2482x992.webp 1272w, https://substackcdn.com/image/fetch/$s_!__Og!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe180f8ad-b102-4078-a99a-f90b1a042b69_2482x992.webp 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">Their branding style was applied even across the smallest of details. </figcaption></figure></div><h3>Key Branding Takeaways</h3><ul><li><p><strong>Emotional Connection First</strong> &#8211; Be extremely thoughtful in the feelings you want your brand to evoke.  Prioritize inspiring hope over fear.</p><ul><li><p>Cybersecurity often uses fear to drive urgency. This can overwhelm customers. Wiz&#8217;s "magic" and optimism show you can address threats while empowering customers, building trust through confidence, not scare tactics or ambulance chasing.</p></li></ul></li><li><p><strong>Color Palette</strong> &#8211; Use colors and designs to signal reliability in a high-stakes industry.</p><ul><li><p>Wiz&#8217;s blue palette symbolizes trust, loyalty, and wisdom, paired with clean, intuitive design. 
Choose colors that reassure customers and ensure your product UX feels as reliable as your brand.</p></li></ul></li><li><p><strong>Unique Brand Theme</strong> &#8211; Great brands have themes. </p><ul><li><p>Wiz&#8217;s "magic" theme turns a technical product into an approachable experience. Pick a theme that aligns with your values, then weave it into messaging, UX, and every touchpoint for a cohesive identity.</p></li></ul></li><li><p><strong>Playful Yet Professional</strong> &#8211; Wiz&#8217;s branding is very playful and indicates that the company likes to have fun. This helped build customer and community affinity for the brand. </p><ul><li><p>Wiz uses pink accents and magical imagery but grounds it with blue and clean design.</p></li></ul></li><li><p><strong>Branding Consistency</strong> - Wiz ensured consistency across website, product UI, conference booths, swag and everything in between. </p></li></ul><h3>Dig Deeper</h3><ul><li><p><strong><a href="https://www.wiz.io/blog/the-magic-of-branding">The Magic of Branding: &#8203;Creating an Optimistic Identity for a Security Product</a> - </strong>Roy Katz</p></li><li><p>&#8220;<strong><a href="https://www.amazon.com/Conquer-Your-Rebrand-Customers-Competitors/dp/1544538987">Conquer Your Rebrand</a></strong>&#8221; by Bill Kenney, Founder + CEO at <strong><a href="https://dribbble.com/BillSKenney">Focus Lab</a>,</strong> is an A-Z masterclass on branding. </p></li><li><p>Wiz Brand team Instagram: <strong><a href="https://www.instagram.com/wiz.style/">@wiz.style</a></strong></p></li></ul><h3>Conclusion</h3><p>There is so much to be learned from Wiz&#8217;s acquisition. It&#8217;s a masterclass in category creation and proving that a bold GTM strategy, a sticky product, and a magical brand can turn a startup into an industry darling (and $32B) in just five years.</p><p>Success leaves clues. 
<strong>How can the rest of us apply Wiz&#8217;s playbook to redefine our own respective categories?</strong></p><p>Stay tuned for the next installment. We&#8217;re just warming up! ~ </p><h3>For More</h3><p>There&#8217;s a ton of fantastic analysis dissecting the deal end-to-end and what it may mean for our industry. Below are a few of my favorites: </p><ul><li><p><strong><a href="https://strategyofsecurity.com/w-is-for-wiz-alphabets-audacious-acquisition/">W is for Wiz: Alphabet&#8217;s Audacious Acquisition</a> </strong>- <em>Cole Grolmus</em></p></li><li><p><strong><a href="https://softwareanalyst.substack.com/p/looking-beyond-the-google-and-wiz">Looking Beyond The Google &amp; Wiz Acquisition: The Future Of Cloud Security</a></strong> - <em><span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;Software Analyst Cyber Research&quot;,&quot;id&quot;:114363,&quot;type&quot;:&quot;pub&quot;,&quot;url&quot;:&quot;https://open.substack.com/pub/softwareanalyst&quot;,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c9b7f1c9-9f34-4227-9c42-0aa5b4b03587_512x512.png&quot;,&quot;uuid&quot;:&quot;a163bca0-2696-486c-addd-ab5726d23c33&quot;}" data-component-name="MentionToDOM"></span></em> </p></li><li><p><strong><a href="https://www.linkedin.com/feed/update/urn:li:activity:7308968304319111168/">Pramod Gosavi&#8217;s LinkedIn Posts</a></strong> &#128293;</p></li></ul><p></p><p></p>]]></content:encoded></item><item><title><![CDATA[BlackHat Innovators & Investors Quick Hits]]></title><description><![CDATA[Notes from this year's I&I summit]]></description><link>https://www.cybersecuritypulse.net/p/blackhat-innovators-and-investors</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/blackhat-innovators-and-investors</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Wed, 07 Aug 2024 13:05:31 GMT</pubDate><enclosure 
url="https://substackcdn.com/image/fetch/$s_!TTRs!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6850fae5-74ad-49a4-aa14-901b0bca063b_4032x3024.heic" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Welcome to&nbsp;<strong>The Cybersecurity Pulse</strong>! I'm Darwin Salazar, Product Manager at <strong><a href="https://www.monad.com/">Monad</a></strong> and a former Detection Engineer. Each week, I distill the latest in cybersecurity innovation into digestible, bite-sized updates. If you&#8217;re serious about staying at the forefront of the latest in security products and industry news make sure to hit the &#8220;Subscribe&#8221; button below to get my insights delivered straight to your inbox every week &#128233; &#128640;</em></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cybersecuritypulse.net/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cybersecuritypulse.net/subscribe?"><span>Subscribe now</span></a></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!TTRs!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6850fae5-74ad-49a4-aa14-901b0bca063b_4032x3024.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!TTRs!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6850fae5-74ad-49a4-aa14-901b0bca063b_4032x3024.heic 424w, 
https://substackcdn.com/image/fetch/$s_!TTRs!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6850fae5-74ad-49a4-aa14-901b0bca063b_4032x3024.heic 848w, https://substackcdn.com/image/fetch/$s_!TTRs!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6850fae5-74ad-49a4-aa14-901b0bca063b_4032x3024.heic 1272w, https://substackcdn.com/image/fetch/$s_!TTRs!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6850fae5-74ad-49a4-aa14-901b0bca063b_4032x3024.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!TTRs!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6850fae5-74ad-49a4-aa14-901b0bca063b_4032x3024.heic" width="1456" height="1092" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6850fae5-74ad-49a4-aa14-901b0bca063b_4032x3024.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1092,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1433393,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!TTRs!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6850fae5-74ad-49a4-aa14-901b0bca063b_4032x3024.heic 424w, 
https://substackcdn.com/image/fetch/$s_!TTRs!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6850fae5-74ad-49a4-aa14-901b0bca063b_4032x3024.heic 848w, https://substackcdn.com/image/fetch/$s_!TTRs!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6850fae5-74ad-49a4-aa14-901b0bca063b_4032x3024.heic 1272w, https://substackcdn.com/image/fetch/$s_!TTRs!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6850fae5-74ad-49a4-aa14-901b0bca063b_4032x3024.heic 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" 
y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>GM! &#128640;<br><br>While BlackHat 2024 officially kicks off today, yesterday was a jam-packed day with 1-day summits for<a href="https://www.blackhat.com/us-24/ciso-summit.html"> </a><strong><a href="https://www.blackhat.com/us-24/ciso-summit.html">CISOs</a></strong>, <strong><a href="https://www.blackhat.com/us-24/ai-summit.html?trk=public_post_comment-text">AI</a></strong>, <strong><a href="https://www.blackhat.com/us-24/omdia-analyst-summit.html">Analysts</a></strong>, and <strong><a href="https://www.blackhat.com/us-24/innovators-summit.html">Innovators &amp; Investors (I&amp;I)</a></strong>. </p><p>I had the opportunity to spend time at the I&amp;I summit (thanks, Coleen!) and was impressed by the programming, presenters, attendees, and the startup pitch competition. </p><p>While it&#8217;s 440am here and I still haven&#8217;t had my dbl shot espresso, I&#8217;ll attempt to put together my key takeaways and quick hits from the summit before going off and throwing iron around with some friends at the Lair &#128009;</p><p>Before moving on though, why the f*ck is there not a spot serving coffee 24/7 in the Mandalay Bay towers!?!?!?!?? </p><p>Anyway.. I&amp;I quick hits. </p><div><hr></div><h1><strong>Quick Hits</strong></h1><h3>George Kurtz &amp; Resilience &#128737;&#65039;</h3><p>Even after all the Crowdstrike-caused outages, threats, $10 gift cards, and lawsuits, George Kurtz still pulled through on his Blackhat commitments and faced the music with his head high and chest out. This is not something most people would do today, but it&#8217;s exemplary leadership, and how Crowdstrike has handled it will be under the microscope for years to come. Kudos to Mr. Kurtz for taking this straight on. </p><p>The star-studded panel covered how to get your startup acquired + how to approach IPO. 
Industry staples like Barmak Meftah, Chenxi Wang, and Andrew Peterson also shared many gems for builders and investors. </p><div><hr></div><h3>Building Trust w/ CISOs &#129777;&#127997;&#8205;&#129778;&#127995;</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Styc!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3db7a523-79d5-48aa-bdba-4aac2fcc593d_4032x3024.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Styc!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3db7a523-79d5-48aa-bdba-4aac2fcc593d_4032x3024.heic 424w, https://substackcdn.com/image/fetch/$s_!Styc!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3db7a523-79d5-48aa-bdba-4aac2fcc593d_4032x3024.heic 848w, https://substackcdn.com/image/fetch/$s_!Styc!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3db7a523-79d5-48aa-bdba-4aac2fcc593d_4032x3024.heic 1272w, https://substackcdn.com/image/fetch/$s_!Styc!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3db7a523-79d5-48aa-bdba-4aac2fcc593d_4032x3024.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Styc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3db7a523-79d5-48aa-bdba-4aac2fcc593d_4032x3024.heic" width="1456" height="1092" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3db7a523-79d5-48aa-bdba-4aac2fcc593d_4032x3024.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1092,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:935305,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Styc!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3db7a523-79d5-48aa-bdba-4aac2fcc593d_4032x3024.heic 424w, https://substackcdn.com/image/fetch/$s_!Styc!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3db7a523-79d5-48aa-bdba-4aac2fcc593d_4032x3024.heic 848w, https://substackcdn.com/image/fetch/$s_!Styc!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3db7a523-79d5-48aa-bdba-4aac2fcc593d_4032x3024.heic 1272w, https://substackcdn.com/image/fetch/$s_!Styc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3db7a523-79d5-48aa-bdba-4aac2fcc593d_4032x3024.heic 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" 
xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>This is the one I had been looking forward to the most and it did not disappoint! Fredrick Lee aka &#8220;Flee&#8221;, CISO at Reddit, John Flynn aka &#8220;Four&#8221; VP of Security at Google Deepmind, and Christina Cacioppo, Founder &amp; CEO at Vanta had tremendous amounts of gems for founders, investors, and GTM teams. </p><div class="pullquote"><p><strong>Disclaimer:</strong> While I&#8217;ll share detailed notes from talks and panels, statements can&#8217;t be officially attributed to anyone given that I don&#8217;t record who said what. 
This is on purpose.</p></div><p>Anyhow, below are my raw notes from the panel: </p><ul><li><p>Get deep into problems and platformize them; too many tools in security stack</p></li><li><p>Software supply chain is a massive burning pain point for enterprises today</p><ul><li><p>Open source + 3rd party</p></li></ul></li><li><p>Security startups should prioritize transparency and not BS about where they are in their security journey</p></li><li><p>Security startups should understand that bringing them on as a vendor is expanding their attack surface</p></li><li><p>"We want to be a <em><strong>partner</strong></em>; not a vendor"</p><ul><li><p>Help build and extend their security team</p></li><li><p>Building something WITH you; not for YOU</p></li></ul></li><li><p>They appreciate founders who are passionate about the problem and not just the money</p></li><li><p>Establish and chase your north star; don't just hunt down customer requests</p><ul><li><p>Saying "Yes" too much is a real problem from a product perspective</p></li></ul></li><li><p>"Internalize the problem you are solving; take it personally"</p></li><li><p>Security is rarely a technical problem; it is more of a workflow/biz ops/people problem</p><div><hr></div></li></ul><h3>Identifying &amp; Attracting the Right Investors&#128176;</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!6OP_!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facf4536c-4389-460d-a09c-2bd39fb0310b_4032x3024.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!6OP_!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facf4536c-4389-460d-a09c-2bd39fb0310b_4032x3024.heic 424w, 
https://substackcdn.com/image/fetch/$s_!6OP_!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facf4536c-4389-460d-a09c-2bd39fb0310b_4032x3024.heic 848w, https://substackcdn.com/image/fetch/$s_!6OP_!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facf4536c-4389-460d-a09c-2bd39fb0310b_4032x3024.heic 1272w, https://substackcdn.com/image/fetch/$s_!6OP_!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facf4536c-4389-460d-a09c-2bd39fb0310b_4032x3024.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!6OP_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facf4536c-4389-460d-a09c-2bd39fb0310b_4032x3024.heic" width="1456" height="1092" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/acf4536c-4389-460d-a09c-2bd39fb0310b_4032x3024.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1092,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1067387,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!6OP_!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facf4536c-4389-460d-a09c-2bd39fb0310b_4032x3024.heic 424w, 
https://substackcdn.com/image/fetch/$s_!6OP_!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facf4536c-4389-460d-a09c-2bd39fb0310b_4032x3024.heic 848w, https://substackcdn.com/image/fetch/$s_!6OP_!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facf4536c-4389-460d-a09c-2bd39fb0310b_4032x3024.heic 1272w, https://substackcdn.com/image/fetch/$s_!6OP_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Facf4536c-4389-460d-a09c-2bd39fb0310b_4032x3024.heic 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" 
y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>This was the panel after lunch but it still delivered. How could it not? Look at the panelists. Anyhow, my notes aren&#8217;t as detailed for this one but here you go: </p><ul><li><p>&#8220;Bootstrapping is not as hard as ppl make it seem. Put your head down and build for as long as you financially can without outside help&#8221; </p><ul><li><p><strong>Counter:</strong> There aren't a lot of bootstrappers that do FedRAMP or other expensive problems to solve.</p></li></ul></li><li><p>Security categories are becoming meaningless. Marketing BS. Thanks, Gartner!!!! </p></li><li><p>Majority of companies coming out are 1 feature companies.</p></li><li><p>Overlapping telemetry and functionality across tools.</p></li><li><p>Risk reduction + prioritization &gt; Visibility</p><ul><li><p><strong>THE INDUSTRY DOES NOT NEED MORE VISIBILITY</strong></p></li></ul></li><li><p><strong>On doing discovery:</strong> Ask buyers where their biggest problems are; don't tell them what you're building and if that would work for them.. Don't even tell them what you're building. Just listen to what&#8217;s plaguing them the most at the moment.</p></li></ul><p>There were many other amazing, star-studded panels throughout the day but I didn&#8217;t capture any notes for those. Suffice it to say the summit was a hit. Now onto the Startup Spotlight! </p><div><hr></div><h1>Startup Competition &#127942;</h1><p>While Knostic brings the hardware home, the other 3 startups, which I wrote about <strong><a href="https://www.cybersecuritypulse.net/p/startup-spotlight-finalists-at-blackhat">here</a></strong>, delivered amazing pitches and are solving truly hard problems. Kudos to the other finalists and congratulations to Sounil and Gadi for the big W! 
</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!phnZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F146fd399-c6f4-46da-8e65-4b9cd6d3c447_884x1328.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!phnZ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F146fd399-c6f4-46da-8e65-4b9cd6d3c447_884x1328.png 424w, https://substackcdn.com/image/fetch/$s_!phnZ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F146fd399-c6f4-46da-8e65-4b9cd6d3c447_884x1328.png 848w, https://substackcdn.com/image/fetch/$s_!phnZ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F146fd399-c6f4-46da-8e65-4b9cd6d3c447_884x1328.png 1272w, https://substackcdn.com/image/fetch/$s_!phnZ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F146fd399-c6f4-46da-8e65-4b9cd6d3c447_884x1328.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!phnZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F146fd399-c6f4-46da-8e65-4b9cd6d3c447_884x1328.png" width="884" height="1328" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/146fd399-c6f4-46da-8e65-4b9cd6d3c447_884x1328.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1328,&quot;width&quot;:884,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1347570,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!phnZ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F146fd399-c6f4-46da-8e65-4b9cd6d3c447_884x1328.png 424w, https://substackcdn.com/image/fetch/$s_!phnZ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F146fd399-c6f4-46da-8e65-4b9cd6d3c447_884x1328.png 848w, https://substackcdn.com/image/fetch/$s_!phnZ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F146fd399-c6f4-46da-8e65-4b9cd6d3c447_884x1328.png 1272w, https://substackcdn.com/image/fetch/$s_!phnZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F146fd399-c6f4-46da-8e65-4b9cd6d3c447_884x1328.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" 
xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2><strong><a href="https://www.knostic.ai/about-us">Knostic</a></strong></h2><p><strong>Leadership: <a href="https://www.linkedin.com/in/sounil/">Sounil Yu</a>, </strong>Co-Founder &amp; CTO; <strong><a href="https://www.linkedin.com/in/gadievron/">Gadi Evron</a></strong>, Co-Founder &amp; CEO </p><p><strong>Problem Space:</strong> GenAI Security</p><p><strong>Solution:</strong> Need-to-know based access control for LLMs to prevent oversharing of sensitive information. Their product analyzes existing permissions and roles to derive need-to-know levels across organizations, guiding employees and customers to the information they need while preventing access to unnecessary details.</p><p>One key area of focus for them seems to be Microsoft Copilots which are a privacy mess in and of themselves. 
</p><p><strong>Founded in:</strong> 2023</p><p><strong>HQ:</strong> Tel Aviv, IL </p><p><strong>Total raised:</strong> $3.3M USD pre-seed  </p><p><strong>Website:</strong> <strong><a href="https://www.knostic.ai/about-us">Knostic.ai</a></strong></p><h1>Bye For Now!</h1><p>I&#8217;ll be back next week with TCP #56 encapsulating all key product and feature releases for the week. Until then, if you see me in LV, say hello! And if you&#8217;re not here, thank the heavens and keep it cool. <br><br>Hasta la proxima! &#9992;&#65039;</p>]]></content:encoded></item><item><title><![CDATA[The Security Data Fabric Shift Explained: Why Zscaler Paid $350M for Avalor And What It Means For The Security Industry]]></title><description><![CDATA[Security Data Fabrics Explained]]></description><link>https://www.cybersecuritypulse.net/p/the-security-data-fabric-shift-explained</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/the-security-data-fabric-shift-explained</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Tue, 16 Apr 2024 11:59:46 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!ZCL3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb0a21b47-63f7-41a0-b00d-17e22e0fe0df_908x855.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Welcome to a special edition of TCP! I'm Darwin Salazar, Product Manager at <strong><a href="https://www.monad.com/">Monad</a></strong> and a former Detection Engineer. Each week, I distill the latest and most exciting developments in cybersecurity innovation into digestible, bite-sized updates. 
If you&#8217;re serious about staying at the forefront of the latest in security products, attacker techniques, and industry news make sure to hit the &#8220;Subscribe&#8221; button below to get my insights delivered straight to your inbox every week &#128233; </em></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cybersecuritypulse.net/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cybersecuritypulse.net/subscribe?"><span>Subscribe now</span></a></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ZCL3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb0a21b47-63f7-41a0-b00d-17e22e0fe0df_908x855.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ZCL3!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb0a21b47-63f7-41a0-b00d-17e22e0fe0df_908x855.png 424w, https://substackcdn.com/image/fetch/$s_!ZCL3!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb0a21b47-63f7-41a0-b00d-17e22e0fe0df_908x855.png 848w, https://substackcdn.com/image/fetch/$s_!ZCL3!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb0a21b47-63f7-41a0-b00d-17e22e0fe0df_908x855.png 1272w, https://substackcdn.com/image/fetch/$s_!ZCL3!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb0a21b47-63f7-41a0-b00d-17e22e0fe0df_908x855.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!ZCL3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb0a21b47-63f7-41a0-b00d-17e22e0fe0df_908x855.png" width="908" height="855" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b0a21b47-63f7-41a0-b00d-17e22e0fe0df_908x855.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:855,&quot;width&quot;:908,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:403359,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ZCL3!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb0a21b47-63f7-41a0-b00d-17e22e0fe0df_908x855.png 424w, https://substackcdn.com/image/fetch/$s_!ZCL3!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb0a21b47-63f7-41a0-b00d-17e22e0fe0df_908x855.png 848w, https://substackcdn.com/image/fetch/$s_!ZCL3!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb0a21b47-63f7-41a0-b00d-17e22e0fe0df_908x855.png 1272w, https://substackcdn.com/image/fetch/$s_!ZCL3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb0a21b47-63f7-41a0-b00d-17e22e0fe0df_908x855.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft 
pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Zscaler's recent acquisition of Avalor has the industry buzzing with many folks, including seasoned practitioners and VCs, scratching their heads. Why did Zscaler drop ~$350M on a data fabric geared towards vulnerability management? Isn't Zscaler a network security, CNAPP, and zero trust player? What even is a data fabric? Zscaler CEO, Jay Chaudhry, states that it's an AI play. What does this all really mean? <br><br>The acquisition also seems to have served as a catalyst for Avalor-like companies to make moves. 
Below is a timeline of what transpired after the acquisition was finalized:</p><ul><li><p><strong>March 14th:</strong> <a href="https://www.zscaler.com/press/zscaler-expands-its-zero-trust-exchange-ai-powered-cloud">Zscaler finalizes Avalor acquisition</a> for $350M.</p></li><li><p><strong>March 19th:</strong> SentinelOne's venture arm, <a href="https://www.sentinelone.com/blog/s-ventures-invests-in-auguria-to-solve-secops-overload/">S Ventures, invests in Auguria</a>.</p></li><li><p><strong>March 21st:</strong> <a href="https://www.securityweek.com/tarsal-raises-6-million-for-security-data-movement-platform/">Tarsal raises $6M seed</a> and appoints Barrett Lyon as CTO.</p></li><li><p><strong>March 22nd:</strong> <a href="https://leen.dev/post/leen-funding-annoucement">Leen.dev</a> announces their $2.8M pre-seed.</p></li><li><p><strong>March 26th:</strong> <a href="https://www.prnewswire.com/news-releases/abstract-security-emerges-from-stealth-raises-8-5m-to-forge-the-complete-ai-powered-data-streaming-platform-for-security-302098879.html">Abstract Security</a> emerges from stealth with $8.5M seed funding.</p></li></ul><p>All of this activity comes on the heels of the <a href="https://www.linkedin.com/posts/nikesh-arora-02894670_i-know-we-have-sparked-a-debate-around-platformization-activity-7166581847525707776-XsOE?utm_source=share&amp;utm_medium=member_desktop">"best-of-breed vs. platform" debate</a> that Palo Alto Networks' most recent earnings report sparked. In some way, this is all connected, and in this post I'll attempt to make sense of it. This is one of my lengthier posts so feel free to skip through the sections. </p><p><strong>Here's what we'll be covering:</strong></p><ul><li><p>Security Data Fabric v. Security Data ETL</p></li><li><p>What Zscaler and Avalor do</p></li><li><p>Why the acquisition makes sense</p></li><li><p>What it means for the industry</p></li></ul><h3>Security Data Fabric v. 
Security Data ETL </h3><p>It&#8217;s easy to conflate data fabrics with data ETL processes so let&#8217;s clearly define these before moving forward. </p><h4>Security Data Fabric</h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!1f4-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0678c96-e3e1-401d-9579-6e6ef9be10da_860x633.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!1f4-!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0678c96-e3e1-401d-9579-6e6ef9be10da_860x633.png 424w, https://substackcdn.com/image/fetch/$s_!1f4-!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0678c96-e3e1-401d-9579-6e6ef9be10da_860x633.png 848w, https://substackcdn.com/image/fetch/$s_!1f4-!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0678c96-e3e1-401d-9579-6e6ef9be10da_860x633.png 1272w, https://substackcdn.com/image/fetch/$s_!1f4-!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0678c96-e3e1-401d-9579-6e6ef9be10da_860x633.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!1f4-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0678c96-e3e1-401d-9579-6e6ef9be10da_860x633.png" width="860" height="633" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d0678c96-e3e1-401d-9579-6e6ef9be10da_860x633.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:633,&quot;width&quot;:860,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Data-Fabric-Architecture&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Data-Fabric-Architecture" title="Data-Fabric-Architecture" srcset="https://substackcdn.com/image/fetch/$s_!1f4-!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0678c96-e3e1-401d-9579-6e6ef9be10da_860x633.png 424w, https://substackcdn.com/image/fetch/$s_!1f4-!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0678c96-e3e1-401d-9579-6e6ef9be10da_860x633.png 848w, https://substackcdn.com/image/fetch/$s_!1f4-!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0678c96-e3e1-401d-9579-6e6ef9be10da_860x633.png 1272w, https://substackcdn.com/image/fetch/$s_!1f4-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd0678c96-e3e1-401d-9579-6e6ef9be10da_860x633.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" 
stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">Source: Gartner. </figcaption></figure></div><p>A security data fabric is the infrastructure and processes that create an integrated layer across many nodes (or data sources). Data fabrics often leverage advanced analytics and machine learning to identify relationships and patterns among disparate data sources, enabling real-time, data-driven decision-making. </p><p>This is what Avalor does, for vulnerability management. </p><h4>Security Data ETL</h4><p>On the other hand, security data ETL (Extract, Transform, Load) is a specific process that focuses on extracting data from various sources, transforming it into a clean, standardized format, and loading it into a central repository for analysis. ETL ensures data consistency and accuracy, but it does not include the analytical or relational aspects of a data fabric. 
</p><p>While a security data fabric enables an integrated, flexible, and analytics-driven approach to managing security data, ETL processes are what set the foundations for a data fabric. </p><p>Now, let&#8217;s take a look at Zscaler and Avalor.. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!3mwM!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F13bf086d-bd7f-4c23-9248-cf81bf0662da_1200x627.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!3mwM!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F13bf086d-bd7f-4c23-9248-cf81bf0662da_1200x627.png 424w, https://substackcdn.com/image/fetch/$s_!3mwM!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F13bf086d-bd7f-4c23-9248-cf81bf0662da_1200x627.png 848w, https://substackcdn.com/image/fetch/$s_!3mwM!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F13bf086d-bd7f-4c23-9248-cf81bf0662da_1200x627.png 1272w, https://substackcdn.com/image/fetch/$s_!3mwM!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F13bf086d-bd7f-4c23-9248-cf81bf0662da_1200x627.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!3mwM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F13bf086d-bd7f-4c23-9248-cf81bf0662da_1200x627.png" width="1200" height="627" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/13bf086d-bd7f-4c23-9248-cf81bf0662da_1200x627.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:627,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Avalor + Zscaler&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Avalor + Zscaler" title="Avalor + Zscaler" srcset="https://substackcdn.com/image/fetch/$s_!3mwM!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F13bf086d-bd7f-4c23-9248-cf81bf0662da_1200x627.png 424w, https://substackcdn.com/image/fetch/$s_!3mwM!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F13bf086d-bd7f-4c23-9248-cf81bf0662da_1200x627.png 848w, https://substackcdn.com/image/fetch/$s_!3mwM!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F13bf086d-bd7f-4c23-9248-cf81bf0662da_1200x627.png 1272w, https://substackcdn.com/image/fetch/$s_!3mwM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F13bf086d-bd7f-4c23-9248-cf81bf0662da_1200x627.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" 
stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h3><strong>Zscaler</strong></h3><p>At a high level, Zscaler is a market leader in the <a href="https://www.gartner.com/en/information-technology/glossary/security-service-edge-sse">Security Service Edge (SSE)</a> space, a key cloud security contender with their <a href="https://medium.com/@cloud_tips/cnapp-gartner-definition-4f75c2bd5027">Cloud-native application protection platform (CNAPP)</a>, and they also market a '<a href="https://www.zscaler.com/platform/zero-trust-exchange#our-platform">Zero Trust Exchange</a>' platform. 
Ultimately, Zscaler has bundled many traditionally stand-alone products like a CSPM, CASB, CWPP, CIEM, firewalls, and web gateways into these various core <strong>platform</strong> offerings.</p><p>With <a href="https://finance.yahoo.com/news/zscaler-reports-second-quarter-fiscal-210500951.html">nearly 3,500 customers</a> and a wide array of offerings, I'd imagine Zscaler ingests, processes, and correlates at least a few petabytes of data per day. For reference, <a href="https://www.linkedin.com/posts/jaychaudhry_i-am-excited-to-announce-that-zscaler-has-activity-7174063048108695556-D29v?utm_source=share&amp;utm_medium=member_desktop">Chaudhry states</a> that they process 400 billion cloud 'transactions' per day. You can only imagine how much they're doing on the SSE and Zero Trust Exchange side. <br><br>Lastly, Zscaler is no small fry. They're a publicly traded company with a market cap of ~$29B.</p><h3><strong>Avalor</strong></h3><p>Avalor describes itself as a Data Fabric for Security with its use case being vulnerability management. What this means is that Avalor extracts data from a customer's security solutions, normalizes and cross-pollinates findings from those solutions in order to surface the highest-risk issues, and then presents them to the customer. Avalor also has remediation assistance workflows, so it's not like they're solely surfacing vulns; they're also helping with remediation. <br><br>Aside from having a robust correlation engine that factors in the context (i.e., environment, reachability, exploitability, resource tags) that influences potential vulnerability impact, they also seem to have highly performant data infrastructure that enables the above, at scale. 
Avalor also has 150+ 3rd party integrations which include some of Zscaler's competitors.</p><p><strong>Note:</strong> While founded in 2022, <a href="https://www.avalor.io/post/avalor-data-fabric-series-a-announcement">Avalor came out of stealth in April 2023</a> with $30M in Series A funding. 
Backed by <a href="https://cyberstarts.com/">Cyberstarts</a>, <a href="https://www.tcv.com/">TCV</a>, and <a href="http://www.salesforceventures.com/">Salesforce Ventures</a>.</p><h3><strong>Why the acquisition makes sense</strong> </h3><p><strong>Simply put, the acquisition makes sense because it enables Zscaler to accelerate the implementation of AI into their products and it provides the infrastructure needed to correlate massive volumes of data across their offerings.</strong> This cross-correlation of data allows Zscaler to surface higher fidelity and prioritized findings to their customers, providing a level of precision and context that they weren&#8217;t previously able to. <br><br>In the past couple of years, we&#8217;ve seen vendors double down on contextualizing security issues, because without context, everything is seemingly on fire all the time and security teams struggle with deciding what to prioritize. I&#8217;m a firm believer that Wiz has eaten much of PANW&#8217;s market share due to <a href="https://www.wiz.io/blog/uniting-builders-and-defenders-a-new-vision-for-cloud-security">their attack path analysis</a> and other contextual features. Without data infra to support cross-pollination of data sources, it&#8217;s nearly impossible to add context to security issues. This is why the Avalor acquisition gives Zscaler an upper hand in the near-term. </p><p>Building the data infra to power both AI and large-scale data correlation at Zscaler's scale is a tall and hairy engineering challenge. It requires processing petabytes of data from millions of endpoints, billions of daily transactions, and numerous different data sources. The data pipelines and storage systems must be highly scalable, secure, and optimized for real-time correlation and AI applications.</p><p><strong>Avalor's data fabric offers a turnkey solution to this challenge</strong>. 
It can cleanse, normalize, and enrich data from Zscaler's various products to create a unified data asset that can be used for both training AI models and correlating security findings. For example, robust data infra can enable Retrieval-Augmented Generation (RAG) techniques to dynamically retrieve relevant snippets or context from the data fabric to inform AI-generated security recommendations. </p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!7V2n!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff52875bb-3abb-483e-9cb4-60acf42c78f5_1303x1074.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!7V2n!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff52875bb-3abb-483e-9cb4-60acf42c78f5_1303x1074.png 424w, https://substackcdn.com/image/fetch/$s_!7V2n!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff52875bb-3abb-483e-9cb4-60acf42c78f5_1303x1074.png 848w, https://substackcdn.com/image/fetch/$s_!7V2n!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff52875bb-3abb-483e-9cb4-60acf42c78f5_1303x1074.png 1272w, https://substackcdn.com/image/fetch/$s_!7V2n!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff52875bb-3abb-483e-9cb4-60acf42c78f5_1303x1074.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!7V2n!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff52875bb-3abb-483e-9cb4-60acf42c78f5_1303x1074.png" 
width="1303" height="1074" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f52875bb-3abb-483e-9cb4-60acf42c78f5_1303x1074.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1074,&quot;width&quot;:1303,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:161831,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!7V2n!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff52875bb-3abb-483e-9cb4-60acf42c78f5_1303x1074.png 424w, https://substackcdn.com/image/fetch/$s_!7V2n!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff52875bb-3abb-483e-9cb4-60acf42c78f5_1303x1074.png 848w, https://substackcdn.com/image/fetch/$s_!7V2n!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff52875bb-3abb-483e-9cb4-60acf42c78f5_1303x1074.png 1272w, https://substackcdn.com/image/fetch/$s_!7V2n!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff52875bb-3abb-483e-9cb4-60acf42c78f5_1303x1074.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" 
xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">Sample set of Avalor&#8217;s integrations.</figcaption></figure></div><p><br><strong>With the acquisition, Zscaler gains access to Avalor's 150+ integrations,</strong> which allow the ingestion of diverse data from various sources, including Zscaler competitors. This rich dataset is <strong>INVALUABLE</strong> for training AI models and gives Zscaler a unique advantage in the market.</p><p>However, this also means that Zscaler now has a backdoor to competitor data through Avalor's integrations, which makes for a tricky situation. Maintaining these integrations requires ongoing partnerships for API updates, troubleshooting, etc., so it&#8217;ll be interesting to see how this all plays out. </p><p>Lastly, <strong>the acquisition also allows Zscaler to enter the vulnerability management space</strong> with a differentiated, mature product that is eating market share from incumbents. Another big win. 
</p><p>By acquiring Avalor, Zscaler has:</p><ol><li><p>Accelerated its AI roadmap by years. I expect a Zscaler copilot later this year.</p></li><li><p>Enhanced its ability to deliver high-fidelity, prioritized security findings.</p></li><li><p>Acquired a next-gen vulnerability management solution.</p></li><li><p>Inherited 150+ integrations with visibility into competitors&#8217; data models. </p></li></ol><p>In my opinion, this acquisition positions Zscaler extremely well moving forward. At the end of the day, integrating codebases, products and backends is not easy, so the value left to be realized will come down to how well Zscaler can execute. </p><h3><strong>What it tells us about where we're headed</strong> </h3><h4>For Incumbent Vendors</h4><p>The security industry has lagged other industries in adopting big data, ML and AI, but this acquisition highlights that security is finally becoming more data-driven. </p><p>To be competitive in the new security landscape, vendors need a robust data strategy. This includes data collection pipelines that can handle terabytes of data per day, scalable storage systems for petabyte-scale data lakes, stream and batch processing to derive real-time and historical insights, and schema management to impose structure on disparate data sources. </p><p>If you're a vendor with multiple products in your portfolio going for a platform play, <em><strong>you need a data fabric to deliver an integrated user experience</strong></em>. A data fabric enables normalizing data models across products, linking entities, and providing unified APIs and UIs. This is especially important for vendors who have grown via acquisition and have disparate backends. 
</p><p>Here are some security vendors investing in data fabrics:</p><ul><li><p><strong>CrowdStrike:</strong> <a href="https://www.crowdstrike.com/falcon-platform/">Falcon Platform</a> and their <a href="https://www.crowdstrike.com/falcon-platform/threat-graph/">threat graph</a>.</p></li><li><p><strong>Microsoft:</strong> <a href="https://medium.com/@maarten.goet/what-is-this-microsoft-intelligent-security-graph-everybody-is-talking-about-d18d0072ea1b">In 2019, Microsoft launched their Intelligent Security Graph</a> which connects signals across their security ecosystem. I&#8217;d imagine their security copilot leverages this graph. </p></li><li><p><strong>F5:</strong> <a href="https://siliconangle.com/2024/02/07/f5-debuts-new-api-security-ai-features/">Recently launched an AI data fabric</a> that powers their AI copilot.</p></li><li><p><strong>SentinelOne:</strong> <a href="https://www.sentinelone.com/platform/">Singularity Platform</a> and data lake depicted below. </p></li></ul><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!JbZL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F675a866f-7b5d-4777-94fc-768d935a6043_2560x1440.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!JbZL!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F675a866f-7b5d-4777-94fc-768d935a6043_2560x1440.jpeg 424w, https://substackcdn.com/image/fetch/$s_!JbZL!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F675a866f-7b5d-4777-94fc-768d935a6043_2560x1440.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!JbZL!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F675a866f-7b5d-4777-94fc-768d935a6043_2560x1440.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!JbZL!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F675a866f-7b5d-4777-94fc-768d935a6043_2560x1440.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!JbZL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F675a866f-7b5d-4777-94fc-768d935a6043_2560x1440.jpeg" width="1456" height="819" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/675a866f-7b5d-4777-94fc-768d935a6043_2560x1440.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Platform Graphic&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Platform Graphic" title="Platform Graphic" srcset="https://substackcdn.com/image/fetch/$s_!JbZL!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F675a866f-7b5d-4777-94fc-768d935a6043_2560x1440.jpeg 424w, https://substackcdn.com/image/fetch/$s_!JbZL!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F675a866f-7b5d-4777-94fc-768d935a6043_2560x1440.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!JbZL!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F675a866f-7b5d-4777-94fc-768d935a6043_2560x1440.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!JbZL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F675a866f-7b5d-4777-94fc-768d935a6043_2560x1440.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><h4>For Startups</h4><p>If you're a security startup looking to differentiate, a 3rd party data fabric can provide access to a 
diversity of data sources to power unique insights. By leveraging a data fabric, startups can focus on building innovative analytics and AI capabilities on top of a comprehensive dataset, rather than spending valuable resources on data integration and normalization.</p><p>This can help them quickly bring differentiated offerings to market that draw insights from a wider range of security signals.</p><h4>For Security Teams </h4><p>Security teams that are adopting a best-of-breed approach can leverage fabrics and ETL products to harmonize, normalize, enrich, cross-correlate and move data on their own terms rather than on the terms of a vendor. </p><p>Every organization has a different risk profile and business environment. It&#8217;s impossible for platform vendors to account for this variability. Taking on a best-of-breed approach with a fabric or ETL solution enables security teams to build tailor-made security strategies and solutions, though it requires more work. </p><p>Security leaders can also leverage this tooling to create richer, continuous, and custom KPIs spanning multiple data sources rather than going the spreadsheet route. By optimizing data before feeding it into a SIEM, data lake, long-term storage, etc., teams can save on compute, ingest, and storage costs.</p><p>In essence, security data fabrics and ETL products enable teams to own their data, maximize the value of their best-of-breed tools, streamline security operations, and create tailored KPIs while potentially reducing their massive SIEM costs. This approach puts the power back in the hands of security teams, rather than relying too much on vendors.</p><h3><strong>Conclusion</strong></h3><p>Zscaler's $350M acquisition of Avalor is evidence of the growing importance of data and AI in cybersecurity. By bringing Avalor&#8217;s proven data fabric and differentiated vuln management solution into its portfolio, Zscaler has positioned itself extremely well for the next 5 years. 
</p><p><strong>As the best-of-breed vs. platform debate rages on, one thing is clear: both approaches can benefit from a data fabric.</strong> </p><p>As more vendors invest in data fabrics and AI, the writing on the wall becomes more prominent. Data and AI will be the driving forces shaping the next decade of cybersecurity innovation.</p><h3>Feedback? </h3><p>Have any feedback or would like to keep the discussion going? Feel free to drop a comment, subscribe and share with friends! </p><div class="pullquote"><p><strong>Disclaimer:</strong> The views and opinions expressed are solely my own and do not reflect the views of my employer.</p></div>]]></content:encoded></item><item><title><![CDATA[PANW Sell-Off An Overreaction? Or Is Market Choosing Best Of Breed Approach? 
]]></title><description><![CDATA[A look at what today's PANW sell-off may be telling us about the security industry.]]></description><link>https://www.cybersecuritypulse.net/p/panw-sell-off-an-overreaction-or</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/panw-sell-off-an-overreaction-or</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Thu, 22 Feb 2024 03:51:19 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!xdt7!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fead59709-8b49-48bc-b71c-ff982b63f5a0_750x422.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Welcome to <strong>The</strong>&nbsp;<strong>Cybersecurity Pulse</strong>! I'm Darwin Salazar, Product Manager at <strong><a href="https://www.monad.com/">Monad</a></strong> and a former Detection Engineer. Each week, I distill the latest and most exciting developments in cybersecurity innovation into digestible, bite-sized updates. 
If you&#8217;re serious about staying at the forefront of the latest in security products, attacker techniques, and industry news make sure to hit the &#8220;Subscribe&#8221; button below to get my insights delivered straight to your inbox every week &#128233; &#128640;</em></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cybersecuritypulse.net/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cybersecuritypulse.net/subscribe?"><span>Subscribe now</span></a></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!xdt7!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fead59709-8b49-48bc-b71c-ff982b63f5a0_750x422.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!xdt7!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fead59709-8b49-48bc-b71c-ff982b63f5a0_750x422.jpeg 424w, https://substackcdn.com/image/fetch/$s_!xdt7!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fead59709-8b49-48bc-b71c-ff982b63f5a0_750x422.jpeg 848w, https://substackcdn.com/image/fetch/$s_!xdt7!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fead59709-8b49-48bc-b71c-ff982b63f5a0_750x422.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!xdt7!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fead59709-8b49-48bc-b71c-ff982b63f5a0_750x422.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!xdt7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fead59709-8b49-48bc-b71c-ff982b63f5a0_750x422.jpeg" width="750" height="422" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ead59709-8b49-48bc-b71c-ff982b63f5a0_750x422.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:422,&quot;width&quot;:750,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Palo Alto Networks CEO Nikesh Arora goes one-on-one with Jim Cramer&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Palo Alto Networks CEO Nikesh Arora goes one-on-one with Jim Cramer" title="Palo Alto Networks CEO Nikesh Arora goes one-on-one with Jim Cramer" srcset="https://substackcdn.com/image/fetch/$s_!xdt7!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fead59709-8b49-48bc-b71c-ff982b63f5a0_750x422.jpeg 424w, https://substackcdn.com/image/fetch/$s_!xdt7!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fead59709-8b49-48bc-b71c-ff982b63f5a0_750x422.jpeg 848w, https://substackcdn.com/image/fetch/$s_!xdt7!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fead59709-8b49-48bc-b71c-ff982b63f5a0_750x422.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!xdt7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fead59709-8b49-48bc-b71c-ff982b63f5a0_750x422.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture></div></a><figcaption class="image-caption">August 21, 2023</figcaption></figure></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" 
href="https://substackcdn.com/image/fetch/$s_!X_pG!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa441d9f4-3868-4bb9-91bb-fd5eec4b3fa3_2196x1228.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!X_pG!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa441d9f4-3868-4bb9-91bb-fd5eec4b3fa3_2196x1228.png 424w, https://substackcdn.com/image/fetch/$s_!X_pG!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa441d9f4-3868-4bb9-91bb-fd5eec4b3fa3_2196x1228.png 848w, https://substackcdn.com/image/fetch/$s_!X_pG!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa441d9f4-3868-4bb9-91bb-fd5eec4b3fa3_2196x1228.png 1272w, https://substackcdn.com/image/fetch/$s_!X_pG!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa441d9f4-3868-4bb9-91bb-fd5eec4b3fa3_2196x1228.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!X_pG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa441d9f4-3868-4bb9-91bb-fd5eec4b3fa3_2196x1228.png" width="1456" height="814" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a441d9f4-3868-4bb9-91bb-fd5eec4b3fa3_2196x1228.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:814,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:299145,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!X_pG!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa441d9f4-3868-4bb9-91bb-fd5eec4b3fa3_2196x1228.png 424w, https://substackcdn.com/image/fetch/$s_!X_pG!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa441d9f4-3868-4bb9-91bb-fd5eec4b3fa3_2196x1228.png 848w, https://substackcdn.com/image/fetch/$s_!X_pG!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa441d9f4-3868-4bb9-91bb-fd5eec4b3fa3_2196x1228.png 1272w, https://substackcdn.com/image/fetch/$s_!X_pG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa441d9f4-3868-4bb9-91bb-fd5eec4b3fa3_2196x1228.png 1456w" sizes="100vw"></picture></div></a><figcaption class="image-caption">February 21st, 2024</figcaption></figure></div><h3>FUD on Wall St.? &#129656;&#128059;</h3><p>FUD = Fear, Uncertainty, and Doubt</p><p><strong><a href="https://www.linkedin.com/feed/#">Palo Alto Networks</a></strong>, which was overbought, got 28% of its market cap shaved off in trading hours today due to a strategic GTM shift + lowered full-year guidance. It&#8217;s clear that PANW is aiming to be the go-to security platform, especially w/ recent acquisitions of <strong><a href="https://www.linkedin.com/feed/#">Talon (by Palo Alto Networks)</a></strong> and <strong><a href="https://www.linkedin.com/feed/#">Dig Security (acquired by Palo Alto Networks)</a></strong>, but I guess hearing that on an earnings call spooked analysts who don't understand the space well.</p><h3>Platform v. Best of Breed Approach?</h3><p>The question of one security platform vs. best of breed for each security domain has been hotly debated for over a decade. 
As with anything else, one size doesn't fit all.</p><p>Resource-strapped (talent+$$) security orgs benefit from platformization, but give up control, pipe-fitted security coverage, and flexibility.</p><p>More mature and well-funded security teams will always tend to shy away from platformization. They want the best-of-breed solutions that will give them the best fighting chance against attackers.</p><p>While it may cost more and take longer to properly set the systems in place to make sense of the signals (i.e., telemetry, logs, alerts, threat intel, vulns etc.) coming from all the different point solutions, they're able to conjure up a security strategy that is best suited for their business.</p><p>This is why data-driven security, <strong>#SecurityDataMesh</strong>, <strong>#SecDataOps</strong> etc. have gained more traction in recent years. Mature security teams dislike vendor lock-in. It often leaves them with blind spots and the inability to correlate or enrich signals with those of other solutions.</p><p><strong>Mature security teams want full control over their security data so that they can cross-pollinate (analytics, hunting, enrichment, etc.) signal from their different solutions in order to prioritize what makes most sense for them at the time.</strong></p><p>What is the <strong>#1</strong> security priority for one business may not be the same for another, and this is where one-stop-shop security platforms fall short.</p><h3>Conclusion</h3><p>In any case, with PANW beating top + bottom line expectations, doubling down on AI security, and <strong><a href="https://www.linkedin.com/feed/#">Nikesh Arora</a></strong>'s killer track record as CEO, I have a feeling the platformization move + new GTM strategy will reap rewards in certain market segments.</p><p>Btw, many vendors are going after the consolidation/platformization play. 
Maybe not as aggressively as PANW, but look at the product suites of <strong><a href="https://www.linkedin.com/feed/#">Zscaler</a></strong>, <strong><a href="https://www.linkedin.com/feed/#">Netskope</a></strong>, <strong><a href="https://www.linkedin.com/feed/#">Tenable</a></strong>, <strong><a href="https://www.linkedin.com/feed/#">Wiz</a></strong>, <strong><a href="https://www.linkedin.com/feed/#">Rapid7</a></strong>, <strong><a href="https://www.linkedin.com/feed/#">Fortinet</a></strong>, <strong><a href="https://www.linkedin.com/feed/#">CrowdStrike</a></strong>... You name it. Many are going after the consolidation play. As the primary and biggest pure-play public security co, PANW absorbs the hit; others take the lessons.</p><p>You can access the full earnings report transcript <strong><a href="https://finance.yahoo.com/news/palo-alto-networks-inc-nasdaq-140901407.html">here</a></strong> and check out Nikesh Arora&#8217;s CNBC interview w/ Jim Cramer <strong><a href="https://www.youtube.com/watch?v=NSQRi9O9Emc">here</a></strong>. </p><div class="pullquote"><p><em>Disclaimer: None of this is financial advice, nor does it express the views of my employer. Just a snapshot of what I've seen first-hand in the security industry! If you enjoyed today&#8217;s post, subscribe and share to receive future updates! 
</em></p></div>]]></content:encoded></item><item><title><![CDATA[Next-Gen Offensive Security: 5 Service Trends to Watch in 2024]]></title><description><![CDATA[A deep-dive into 2024's top trends]]></description><link>https://www.cybersecuritypulse.net/p/next-gen-offensive-security-5-service</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/next-gen-offensive-security-5-service</guid><dc:creator><![CDATA[Mike Dame]]></dc:creator><pubDate>Tue, 30 Jan 2024 13:30:34 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!J_lO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F033b6b97-48dc-49d0-8ec3-e24e6157e305_839x376.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!J_lO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F033b6b97-48dc-49d0-8ec3-e24e6157e305_839x376.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!J_lO!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F033b6b97-48dc-49d0-8ec3-e24e6157e305_839x376.png 424w, 
https://substackcdn.com/image/fetch/$s_!J_lO!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F033b6b97-48dc-49d0-8ec3-e24e6157e305_839x376.png 848w, https://substackcdn.com/image/fetch/$s_!J_lO!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F033b6b97-48dc-49d0-8ec3-e24e6157e305_839x376.png 1272w, https://substackcdn.com/image/fetch/$s_!J_lO!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F033b6b97-48dc-49d0-8ec3-e24e6157e305_839x376.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!J_lO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F033b6b97-48dc-49d0-8ec3-e24e6157e305_839x376.png" width="839" height="376" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/033b6b97-48dc-49d0-8ec3-e24e6157e305_839x376.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:376,&quot;width&quot;:839,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!J_lO!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F033b6b97-48dc-49d0-8ec3-e24e6157e305_839x376.png 424w, 
https://substackcdn.com/image/fetch/$s_!J_lO!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F033b6b97-48dc-49d0-8ec3-e24e6157e305_839x376.png 848w, https://substackcdn.com/image/fetch/$s_!J_lO!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F033b6b97-48dc-49d0-8ec3-e24e6157e305_839x376.png 1272w, https://substackcdn.com/image/fetch/$s_!J_lO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F033b6b97-48dc-49d0-8ec3-e24e6157e305_839x376.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>Hey! I'm <strong><a href="https://www.linkedin.com/in/mike-dame?miniProfileUrn=urn%3Ali%3Afs_miniProfile%3AACoAAC2HRh4B7BV71uXiGjr7MYtzlgqwLRS1_K0&amp;lipi=urn%3Ali%3Apage%3Ad_flagship3_search_srp_all%3B5PahetvtSWOBQRlF3%2Be7Nw%3D%3D">Mike Dame</a></strong>, and I have 5+ years of experience in Offensive Security, working for Fortune 50 enterprises and, more recently, consulting across multiple industries. I hold the <strong><a href="https://en.wikipedia.org/wiki/Offensive_Security_Certified_Professional">OSCP</a>, <a href="https://training.zeropointsecurity.co.uk/pages/red-team-ops-exam">CRTO</a>, <a href="https://certifications.tcm-sec.com/pnpt/">PNPT</a></strong>, and <strong><a href="https://aws.amazon.com/certification/certified-security-specialty/">AWS Security Specialty</a></strong> certifications, to name a few. Though new to the TCP community, Darwin and I go way back to our days on Ford Motor&#8217;s Red Team. Fun times &#128013;&#128308;</p><p>Throughout my career, I&#8217;ve dedicated most of my focus to offensive security which has allowed me to gain a firm grasp on how systems, networks, and infrastructures can be abused. My goal in my professional and personal career is to inspire growth and bring about positive change in everyone I meet. That said, I'm excited to connect with you and continue sharing what I've learned during my time in the industry.</p><p>When Darwin shot me the idea for this post, I was enthused to share some of the recent trends I&#8217;ve been noticing, especially considering how quickly things are now moving with the recent AI boom. 
That said, today I&#8217;ll be sharing Trends in Offensive Security Offerings and Services to keep an eye out for in 2024.</p><h2><strong>Defining Offensive Security Services and Offerings</strong></h2><p>These are the tactics and tools used by offensive security teams and consulting firms to test the defenses of a target. Whether it&#8217;s a penetration test or a full-blown red team engagement, methods have changed over the past couple of years and they will continue to do so as the security landscape progresses. Let&#8217;s take a look at where things are headed and who is blazing the trail.&nbsp;</p><h2>Overview&nbsp;</h2><ol><li><p><strong>Automated Penetration Testing Tools</strong></p></li><li><p><strong>Advancements in Cloud Penetration Testing and Cloud Red Teaming</strong></p></li><li><p><strong>&#8220;Continuous&#8221; for Penetration Tests and Vulnerability Scanning</strong></p></li><li><p><strong>Assumed Breaches</strong></p></li><li><p><strong>Client Portal Reporting</strong></p></li></ol><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!LCyS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e691cf1-7440-4cc0-b2fc-fca07302dbc5_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!LCyS!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e691cf1-7440-4cc0-b2fc-fca07302dbc5_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!LCyS!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e691cf1-7440-4cc0-b2fc-fca07302dbc5_1024x1024.png 848w, 
https://substackcdn.com/image/fetch/$s_!LCyS!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e691cf1-7440-4cc0-b2fc-fca07302dbc5_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!LCyS!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e691cf1-7440-4cc0-b2fc-fca07302dbc5_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!LCyS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e691cf1-7440-4cc0-b2fc-fca07302dbc5_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1e691cf1-7440-4cc0-b2fc-fca07302dbc5_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!LCyS!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e691cf1-7440-4cc0-b2fc-fca07302dbc5_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!LCyS!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e691cf1-7440-4cc0-b2fc-fca07302dbc5_1024x1024.png 848w, 
https://substackcdn.com/image/fetch/$s_!LCyS!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e691cf1-7440-4cc0-b2fc-fca07302dbc5_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!LCyS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1e691cf1-7440-4cc0-b2fc-fca07302dbc5_1024x1024.png 1456w" sizes="100vw"></picture></div></a></figure></div><h2><strong>Automated Penetration Testing Tools&nbsp;</strong></h2><p>Though many were skeptical of automated penetration testing (Pentest) tools at 
first, they&#8217;ve proven to be a valuable addition to the arsenal as their capabilities have matured. Automated pentest tools take the repetitive tasks that we&#8217;re all familiar with in a pentesting methodology and execute them on a recurring basis. This saves practitioners a ton of time, allowing them to focus on finding more advanced exploits and attack chains.&nbsp;</p><p>The types of attacks that can be automated include:</p><ul><li><p>Poisoning and sniffing to capture credentials with Adversary in the Middle (AITM) attacks.</p></li><li><p>Cracking hashes or passing the hash.</p></li><li><p>Exploiting common CVE POCs like EternalBlue and Log4j.&nbsp;</p></li><li><p>Enumerating a host once a foothold has been established and extracting additional hashes.</p></li><li><p>Spraying found credentials to compromise additional hosts across the network.</p></li></ul><p>While these tools are still in a stage where there's room for improvement, and manual exploitation is still a requirement for now, automated penetration testing tools can significantly reduce the workload for your offensive security team. The time saved during a client engagement or internal assessment lets you concentrate on deeper dives and research, or chase rabbits to your heart's desire.</p><p>Below are a few notable products blazing the trail for automated pentesting:&nbsp;</p><ul><li><p><strong><a href="https://www.horizon3.ai/nodezero/">NodeZero from Horizon3 AI</a></strong></p></li><li><p><strong><a href="https://pentera.io/platform/">Pentera Surface + Core</a></strong></p></li><li><p><strong><a href="https://www.vonahi.io/services/network-penetration-testing">Vonahi&#8217;s vPentest</a></strong></p></li><li><p><strong><a href="https://bishopfox.com/platform">BishopFox Cosmos</a></strong></p></li></ul><p>They all offer free trials to corporate accounts. 
Check them out and see what works best for you!</p><h2><strong>Advancements in Cloud Pentesting and Cloud Red Teaming</strong></h2><p>As traditional on-premises networks transition to the cloud, and with an increasing utilization of cloud resources each year, the cloud remains a prominent attack surface. This area is one where the industry is in desperate need of more security experts. From an offensive security perspective, stay vigilant for advancements in attacker tactics and techniques with resources such as:</p><ul><li><p><strong><a href="https://training.hacktricks.xyz/courses/arte">HackTricks Cloud</a></strong></p></li><li><p><strong><a href="https://hackingthe.cloud/">HackingTheCloud</a></strong></p></li><li><p><strong><a href="https://github.com/redskycyber/Cloud-Security/tree/main">Red Sky Cyber</a></strong></p></li></ul><p>Also keep an eye on the progression of exploitation toolkits, and check their GitHub repos for new additions. Some were released more recently than others:</p><ul><li><p><strong><a href="https://github.com/dafthack/GraphRunner">Graph Runner</a></strong> (Azure)</p></li><li><p><strong><a href="https://github.com/Azure/Stormspotter">Storm Spotter</a></strong> (Azure)</p></li><li><p><strong><a href="https://github.com/BishopFox/cloudfox">CloudFox</a></strong> (AWS + Azure)</p></li><li><p><strong><a href="https://github.com/RhinoSecurityLabs/pacu">Pacu</a></strong> (AWS)</p></li></ul><p>Unfortunately, I&#8217;ve not come across a GCP exploitation framework. Is this something we&#8217;ll finally see in 2024? If you&#8217;ve come across one, please reach out! It definitely seems to be a space that is trailing behind.</p><h2><strong>&#8220;Continuous&#8221; for Penetration Tests and Vulnerability Scanning</strong></h2><p>Another trend I've noticed is that teams are increasingly adopting a continuous offensive security approach, shifting from point-in-time assessments to more frequent, sometimes daily assessments. 
This change, often enabled by automation, helps identify security issues as they arise versus relying on annual or quarterly assessments. While there are limitations and trade-offs, this proactive approach is becoming more common due to its effectiveness in promptly uncovering and addressing vulnerabilities as they appear.&nbsp;</p><p>I don't believe point-in-time assessments are becoming obsolete. There is significant value in an assessment at a specific point in time because it delves deeper than what automated tools or scanners may provide. The manual approach is where the real fun and creative exploits emerge. However, with continuous vulnerability scanning, increased frequency of penetration testing, and ongoing red teaming engagements (lasting for months attempting to breach an enterprise), <strong>we can more effectively mimic real threat actors and provide multiple assessments for the price of one.</strong>&nbsp;</p><p>Considering that external assets are constantly scanned on the internet, and threat actors have unlimited time and resources to discover these flaws, offensive security professionals need to keep up. 
That's why I believe this trend will continue.</p><h2><strong>Assumed Breaches</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!9FAJ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f0bbd38-d81c-437a-b258-0e48d713e822_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!9FAJ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f0bbd38-d81c-437a-b258-0e48d713e822_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!9FAJ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f0bbd38-d81c-437a-b258-0e48d713e822_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!9FAJ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f0bbd38-d81c-437a-b258-0e48d713e822_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!9FAJ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f0bbd38-d81c-437a-b258-0e48d713e822_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!9FAJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f0bbd38-d81c-437a-b258-0e48d713e822_1024x1024.png" width="1024" height="1024" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7f0bbd38-d81c-437a-b258-0e48d713e822_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!9FAJ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f0bbd38-d81c-437a-b258-0e48d713e822_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!9FAJ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f0bbd38-d81c-437a-b258-0e48d713e822_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!9FAJ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f0bbd38-d81c-437a-b258-0e48d713e822_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!9FAJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f0bbd38-d81c-437a-b258-0e48d713e822_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><p>In my years focusing on offensive security, the term "Assumed Breaches" has resonated more deeply with me, especially as attacks have become more sophisticated. This approach, which I've increasingly integrated into my practices, operates on the principle that breaches are not just possible; they're inevitable.</p><h4><strong>Why I Advocate for the Assumed Breach Approach</strong></h4><p>To me, adopting an "Assumed Breach" approach requires a mindset shift. It's about acknowledging that our defenses will be breached and focusing instead on how we prepare for, respond to, and recover from these incidents. By simulating malicious access to various parts of our network, we're not just testing our defenses; we're proactively preparing for real-world scenarios. 
This method allows us to uncover vulnerabilities that traditional assessments might miss.</p><h4><strong>Tailoring the Simulation</strong></h4><p>In my practice, the starting point for an assumed breach scenario is rarely the same. It's carefully chosen to reflect the unique nature of the environment that I&#8217;m targeting. For example, if a company's core operations revolve around development, I'll start with developer credentials and workstations. This approach ensures that the pentesting is as relevant and insightful as possible, mirroring potential real-world attack vectors that could be exploited by actual threat actors.</p><h4><strong>Looking Ahead</strong></h4><p>As we step into 2024, I'm convinced that the "Assumed Breaches" methodology will only become more relevant.&nbsp;</p><h2><strong>Client Reporting Portal</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!DQ0P!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cc369e2-c77e-46f7-85c9-6b9cb2950aa5_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!DQ0P!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cc369e2-c77e-46f7-85c9-6b9cb2950aa5_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!DQ0P!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cc369e2-c77e-46f7-85c9-6b9cb2950aa5_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!DQ0P!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cc369e2-c77e-46f7-85c9-6b9cb2950aa5_1024x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!DQ0P!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cc369e2-c77e-46f7-85c9-6b9cb2950aa5_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!DQ0P!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cc369e2-c77e-46f7-85c9-6b9cb2950aa5_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5cc369e2-c77e-46f7-85c9-6b9cb2950aa5_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!DQ0P!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cc369e2-c77e-46f7-85c9-6b9cb2950aa5_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!DQ0P!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cc369e2-c77e-46f7-85c9-6b9cb2950aa5_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!DQ0P!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cc369e2-c77e-46f7-85c9-6b9cb2950aa5_1024x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!DQ0P!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5cc369e2-c77e-46f7-85c9-6b9cb2950aa5_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Are traditional pentest reports becoming obsolete? From a consulting perspective, I certainly hope so.</p><p>There are rumors of a trend gaining traction within some teams. Bug and remediation tracking tools, such as JIRA for internal security teams, have evolved into the concept of an interactive dashboard. 
This dashboard can notify and display findings in real time to a client, offering several advantages:</p><ol><li><p>Speeds up the notification time.</p></li><li><p>Facilitates easier tracking and remediation.</p></li><li><p>Allows for comments and communications about findings in one place.</p></li><li><p>Enables a simpler export or attestation that confirms the penetration test was conducted and items were remediated.</p></li></ol><p>If you take a step back and consider a primary purpose of offensive security services, it's to identify, exploit, and demonstrate the impact of vulnerabilities as well as provide this information to security teams, enabling them to understand the issue and remediate it as quickly as possible. With that in mind, having a faster, more iterative and more interactive method to deliver these results, such as a client reporting portal, just makes sense.</p><p><strong><a href="https://plextrac.com/solutions/client-portal/">PlexTrac</a></strong> and <strong><a href="https://www.precursorsecurity.com/penetration-testing-online-portal">Precursor Security</a></strong> are two companies that I&#8217;ve found are leading the charge in this space. Have you come across any? Please let me know in the comments!&nbsp;</p><h2>Conclusion</h2><p>Those are the top trends I think will continue to be hot in 2024. Thanks for reading! If you have any predictions for what we might see more of in Offensive Security services in 2024 or have any questions about the topics I covered, feel free to <strong><a href="https://www.linkedin.com/in/mike-dame/">message me on LinkedIn</a></strong> or leave a comment on this post! You can also follow <strong><a href="https://github.com/redskycyber/Cloud-Security/tree/main">my GitHub</a></strong> where I&#8217;ll be posting more resources around penetration testing and red teaming! 
</p>]]></content:encoded></item><item><title><![CDATA[Introducing "The Cybersecurity Professor" GPT 🪄🐐✨]]></title><description><![CDATA[Now available on the OpenAI's GPT Store!]]></description><link>https://www.cybersecuritypulse.net/p/introducing-the-cybersecurity-professor</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/introducing-the-cybersecurity-professor</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Sun, 14 Jan 2024 23:28:14 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Wldd!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F991d8cdd-ec9b-4317-9240-4b29eb36b853_970x562.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>It&#8217;s no secret that ChatGPT has been an amazing tool for learning new topics and having the superpower of having an advisor/tutor at your fingertips 24/7. 
As someone who is mostly self-taught in cybersecurity and has taught others, it&#8217;s clear that Generative AI (GenAI) has changed the education landscape <em>forever</em>. It might even be what&#8217;s needed to help bridge the talent shortage plaguing our industry. The recent <a href="https://media.isc2.org/-/media/Project/ISC2/Main/Media/documents/research/ISC2_Cybersecurity_Workforce_Study_2023.pdf?rev=28b46de71ce24e6ab7705f6e3da8637e&amp;hash=CE6762D811935593F5C04AAB49DF33DF">2023 ISC2 Global Workforce Study</a> found that there are nearly 4 million open security roles across the globe. This number seems to only be increasing. We simply are not producing enough defenders at the necessary rate. Lack of access to proper security education and career guidance are major reasons why. </p><p>However, as new technologies like GenAI emerge, I think we have a strong opportunity to close this gap. Just imagine being able to ask ChatGPT to explain how firewalls work, ask it to explain using analogies, and if there is anything you don&#8217;t understand, you can just continue to ask it &#8220;Why?&#8221; or &#8220;How?&#8221; until you fully comprehend the topic at hand. You can also ask it for a hands-on project using open-source solutions and it&#8217;ll generate one for you with instructions and then guide you through how to perform certain actions on your project or lab environment! </p><p>It&#8217;s insane how under-leveraged GenAI is as an educational tool and this is why I&#8217;m excited to introduce &#8220;<strong><a href="https://chat.openai.com/g/g-MBHMXBUB8-the-cybersecurity-professor">The Cybersecurity Professor&#129668;&#128016;&#10024;&#8221; GPT</a></strong>. </p><h3>What is &#8220;The Cybersecurity Professor&#8221; GPT? 
</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Wldd!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F991d8cdd-ec9b-4317-9240-4b29eb36b853_970x562.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Wldd!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F991d8cdd-ec9b-4317-9240-4b29eb36b853_970x562.png 424w, https://substackcdn.com/image/fetch/$s_!Wldd!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F991d8cdd-ec9b-4317-9240-4b29eb36b853_970x562.png 848w, https://substackcdn.com/image/fetch/$s_!Wldd!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F991d8cdd-ec9b-4317-9240-4b29eb36b853_970x562.png 1272w, https://substackcdn.com/image/fetch/$s_!Wldd!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F991d8cdd-ec9b-4317-9240-4b29eb36b853_970x562.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Wldd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F991d8cdd-ec9b-4317-9240-4b29eb36b853_970x562.png" width="970" height="562" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/991d8cdd-ec9b-4317-9240-4b29eb36b853_970x562.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:562,&quot;width&quot;:970,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:132545,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Wldd!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F991d8cdd-ec9b-4317-9240-4b29eb36b853_970x562.png 424w, https://substackcdn.com/image/fetch/$s_!Wldd!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F991d8cdd-ec9b-4317-9240-4b29eb36b853_970x562.png 848w, https://substackcdn.com/image/fetch/$s_!Wldd!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F991d8cdd-ec9b-4317-9240-4b29eb36b853_970x562.png 1272w, https://substackcdn.com/image/fetch/$s_!Wldd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F991d8cdd-ec9b-4317-9240-4b29eb36b853_970x562.png 1456w" sizes="100vw" fetchpriority="high"></picture>
</div></a></figure></div><p>The Cybersecurity Professor (TCP) GPT, is a GPT agent that I rigorously tested, fine-tuned, and designed to make learning cybersecurity concepts accessible, relatable, and practical for aspiring professionals. It&#8217;s been configured to take on the role of a Stanford-level educator with 25+ years of cybersecurity experience in big tech and the U.S. National Security Agency (NSA). The agent is also fine-tuned to provide career advice including detailing the different types of security roles, certification study plans, and how to prepare for interviews. 
</p><p>Below are some of the additional features of the TCP GPT:  </p><ul><li><p><strong><a href="http://l">Learning Made Simple: </a></strong>Complex concepts are broken down using analogies and relatable language, making them easy to grasp.</p></li><li><p><strong><a href="http://L">Interactive and Friendly:</a></strong><a href="http://L"> </a>TCP GPT encourages users to ask questions, seek clarifications, and engage in meaningful learning.</p></li><li><p><strong><a href="http://L">Up-to-date Information:</a></strong> With access to the internet, the TCP GPT stays updated with the latest trends and information, ensuring you're learning the most current content.</p></li><li><p><strong><a href="http://L">Historical Context:</a></strong> Learn from the past to understand the present. TCP GPT provides historical context on major cyber attacks, enriching your understanding of the cybersecurity landscape.</p></li></ul><h3><strong>What Can You Do With The TCP GPT? </strong></h3><p>There are very few limits to what you can learn or do with the TCP GPT. You can leverage it to generate hands-on labs for cloud security; you can use it to dissect a novel attack; or you can use it to help you bolster your LinkedIn profile to help you land your dream role in cybersecurity. While the possibilities are seemingly endless, it&#8217;s sometimes tough to land exactly on what you&#8217;d like to ask or learn so here are some ideas to get you started:  </p><ol><li><p>&#8220;I&#8217;m a construction worker with no IT experience. How should I approach getting into cybersecurity? What are the core skills I should develop and what core concepts should I understand?&#8221;</p></li><li><p>&#8220;I&#8217;m intrigued by nation-state threat actor activity and dissecting the latest cyberattacks. What role(s) fit best with my interests and what should I learn in order to land that role. 
How should I go about learning these things?&#8221;</p></li><li><p>&#8220;Explain the difference between symmetric and asymmetric encryption. Please use a relatable analogy.&#8221;</p></li><li><p>&#8220;What are some key Linux commands that I should know for cybersecurity purposes?&#8221; </p></li><li><p>&#8220;Can you give me a couple of project ideas to get my hands dirty with Python and network security?&#8221;</p><ul><li><p><strong><a href="http://L">TIP</a>:</strong> As you go through these projects, use TCP GPT as a guide whenever you get stuck. Create a GitHub account and host the code to the tool and/or project(s) that you&#8217;ve worked on. </p></li></ul></li><li><p>&#8220;Provide me with a high-level explanation of how Stuxnet attack was carried out.&#8221;</p></li><li><p>&#8220;What are the most important principles in identity security?&#8221;</p></li><li><p>&#8220;What are 5 interview questions I should be prepared for for a Junior SOC Analyst role? How would you answer them if it were you being interviewed?&#8221; </p></li><li><p>&#8220;Provide me with a study plan for the CompTIA Security+ certification.&#8221; </p></li><li><p>&#8220;How can I bolster the security of my home network?&#8221; </p></li></ol><h3><strong>How to Access the TCP GPT</strong></h3><ul><li><p><strong><a href="https://chat.openai.com/auth/login">ChatGPT Plus</a></strong> required ($20/month). Worth the investment due to early access to new features, GPT Marketplace, and more. 
</p></li><li><p>Once you&#8217;ve got ChatGPT Plus, you can access it by clicking <strong><a href="https://chat.openai.com/g/g-MBHMXBUB8-the-cybersecurity-professor">this link</a></strong>.</p></li><li><p>You can also find it on the OpenAI marketplace by clicking &#8220;Explore GPTs&#8221; on the left-hand panel and type in &#8220;The Cybersecurity Professor&#8221; and the GPT will pop up as shown below:</p></li></ul><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!0R7D!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09883cea-4f3d-45b6-817e-1c73058215f6_1186x366.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!0R7D!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09883cea-4f3d-45b6-817e-1c73058215f6_1186x366.png 424w, https://substackcdn.com/image/fetch/$s_!0R7D!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09883cea-4f3d-45b6-817e-1c73058215f6_1186x366.png 848w, https://substackcdn.com/image/fetch/$s_!0R7D!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09883cea-4f3d-45b6-817e-1c73058215f6_1186x366.png 1272w, https://substackcdn.com/image/fetch/$s_!0R7D!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09883cea-4f3d-45b6-817e-1c73058215f6_1186x366.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!0R7D!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09883cea-4f3d-45b6-817e-1c73058215f6_1186x366.png" width="1186" height="366" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/09883cea-4f3d-45b6-817e-1c73058215f6_1186x366.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:366,&quot;width&quot;:1186,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:75133,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!0R7D!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09883cea-4f3d-45b6-817e-1c73058215f6_1186x366.png 424w, https://substackcdn.com/image/fetch/$s_!0R7D!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09883cea-4f3d-45b6-817e-1c73058215f6_1186x366.png 848w, https://substackcdn.com/image/fetch/$s_!0R7D!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09883cea-4f3d-45b6-817e-1c73058215f6_1186x366.png 1272w, https://substackcdn.com/image/fetch/$s_!0R7D!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09883cea-4f3d-45b6-817e-1c73058215f6_1186x366.png 1456w" sizes="100vw" loading="lazy"></picture>
</div></a></figure></div><h3>What Makes TCP GPT Better than ChatGPT? </h3><p>Fine-tuned GPT agents are often better than general-purpose ChatGPT because they focus on specific topics, avoid irrelevant details, and are less prone to errors like hallucination, ensuring more accurate and relevant responses. 
For the TCP GPT, I rigorously tested and fine-tuned it to have the following characteristics: </p><ul><li><p><strong><a href="http://L">Specialized Training:</a></strong> Fine-tuned with an extensive collection of cybersecurity-related data, covering historical incidents, technical methodologies, and industry trends.</p></li><li><p><strong><a href="http://L">Expertise Emphasis:</a></strong> Strong focus on real-world scenarios and specific roles within cybersecurity, such as SOC and GRC Analysts, to offer relevant and practical advice.</p></li><li><p><strong><a href="http://L">Interactive Learning Design:</a></strong> TCP is configured to foster interaction and encourage questions, enhancing the engagement and effectiveness of the learning experience.</p></li><li><p><strong><a href="http://L">Accessibility Focus:</a></strong> Tuned to place special emphasis on the ability to demystify complex topics, utilizing analogies and relatable language to make cybersecurity concepts accessible to learners at all levels.</p></li></ul><h3>Blooper&#129760;</h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!xZLD!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23ec5a5a-07a7-4886-988d-12a37483f00b_1330x1360.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!xZLD!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23ec5a5a-07a7-4886-988d-12a37483f00b_1330x1360.png 424w, https://substackcdn.com/image/fetch/$s_!xZLD!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23ec5a5a-07a7-4886-988d-12a37483f00b_1330x1360.png 848w, 
https://substackcdn.com/image/fetch/$s_!xZLD!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23ec5a5a-07a7-4886-988d-12a37483f00b_1330x1360.png 1272w, https://substackcdn.com/image/fetch/$s_!xZLD!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23ec5a5a-07a7-4886-988d-12a37483f00b_1330x1360.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!xZLD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23ec5a5a-07a7-4886-988d-12a37483f00b_1330x1360.png" width="1330" height="1360" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/23ec5a5a-07a7-4886-988d-12a37483f00b_1330x1360.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1360,&quot;width&quot;:1330,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;D \nYou \nIllustrate the steps of a phishing attack. \nThe Cybersecurity Professor , \no \n1. Creation of fake \na faake email \n2. \ncnecnict di&amp;s \n3. Desiet Ste i masige \n2. Decestive %rmatiM \nSTAKE \n2. Tolsamntthe simate \n4. 3, fakee sitte \n3. Ceyrenis inf&#171;ma60n \n4. dasere \nHere's an illustration depicting the steps of a phishing attack. This visual guide should \nhelp you understand the sequence of events typically involved in a phishing attempt, \nfrom the creation of a fake website or email by the cybercriminal to the eventual theft \nof sensitive information. Each step is clearly labeled for easy understanding. \nRemember, awareness is key to preventing such cyber attacks! 
&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="D 
You 
Illustrate the steps of a phishing attack. 
The Cybersecurity Professor , 
o 
1. Creation of fake 
a faake email 
2. 
cnecnict di&amp;s 
3. Desiet Ste i masige 
2. Decestive %rmatiM 
STAKE 
2. Tolsamntthe simate 
4. 3, fakee sitte 
3. Ceyrenis inf&#171;ma60n 
4. dasere 
Here's an illustration depicting the steps of a phishing attack. This visual guide should 
help you understand the sequence of events typically involved in a phishing attempt, 
from the creation of a fake website or email by the cybercriminal to the eventual theft 
of sensitive information. Each step is clearly labeled for easy understanding. 
Remember, awareness is key to preventing such cyber attacks! " title="D 
You 
Illustrate the steps of a phishing attack. 
The Cybersecurity Professor , 
o 
1. Creation of fake 
a faake email 
2. 
cnecnict di&amp;s 
3. Desiet Ste i masige 
2. Decestive %rmatiM 
STAKE 
2. Tolsamntthe simate 
4. 3, fakee sitte 
3. Ceyrenis inf&#171;ma60n 
4. dasere 
Here's an illustration depicting the steps of a phishing attack. This visual guide should 
help you understand the sequence of events typically involved in a phishing attempt, 
from the creation of a fake website or email by the cybercriminal to the eventual theft 
of sensitive information. Each step is clearly labeled for easy understanding. 
Remember, awareness is key to preventing such cyber attacks! " srcset="https://substackcdn.com/image/fetch/$s_!xZLD!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23ec5a5a-07a7-4886-988d-12a37483f00b_1330x1360.png 424w, https://substackcdn.com/image/fetch/$s_!xZLD!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23ec5a5a-07a7-4886-988d-12a37483f00b_1330x1360.png 848w, https://substackcdn.com/image/fetch/$s_!xZLD!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23ec5a5a-07a7-4886-988d-12a37483f00b_1330x1360.png 1272w, https://substackcdn.com/image/fetch/$s_!xZLD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F23ec5a5a-07a7-4886-988d-12a37483f00b_1330x1360.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" 
viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>While I would&#8217;ve LOVED to add diagramming and visual capabilities to the TCP GPT, the DALL-E integration is simply not mature enough, as you can tell from the example above. Funny enough, this was after I tried tuning the agent to provide simpler and more accurate visuals. </p><p>However, I have no doubt that the DALL-E integration will eventually be advanced enough to generate accurate visuals, and when it does, you can count on me to add it to the TCP GPT. This feature will be helpful for generating architecture diagrams, infographics, walking users through attack flows and more. </p><h3>That&#8217;s All&#8230; For Now!</h3><p>If you know someone who is interested in starting their career in cybersecurity or is at the beginning stages of their security career, please share this post with them! It has the promise to help streamline and demystify their process. Even if you&#8217;re a veteran in cybersecurity, but are considering a role change or would like to brush up on your fundamentals, TCP GPT is here for you! Lastly, if you have any feedback that can make the GPT better, please do share! 
</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cybersecuritypulse.net/p/introducing-the-cybersecurity-professor?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cybersecuritypulse.net/p/introducing-the-cybersecurity-professor?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cybersecuritypulse.net/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cybersecuritypulse.net/subscribe?"><span>Subscribe now</span></a></p>]]></content:encoded></item><item><title><![CDATA[2030 Agents 🤖]]></title><description><![CDATA[A look at recent progress made on ACAs]]></description><link>https://www.cybersecuritypulse.net/p/beyond-genai-the-rise-of-autonomous</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/beyond-genai-the-rise-of-autonomous</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Wed, 06 Dec 2023 16:43:34 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!d2Xv!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5479fc03-1582-42cc-a197-0bbb3054522c_610x470.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Welcome to The Cybersecurity Pulse (TCP)! 
If you&#8217;re serious about staying at the forefront of the latest in the cybersecurity industry, make sure to hit the &#8220;Subscribe&#8221; button below to get my insights delivered straight to your inbox &#128233;</em></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cybersecuritypulse.net/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cybersecuritypulse.net/subscribe?"><span>Subscribe now</span></a></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!d2Xv!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5479fc03-1582-42cc-a197-0bbb3054522c_610x470.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!d2Xv!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5479fc03-1582-42cc-a197-0bbb3054522c_610x470.png 424w, https://substackcdn.com/image/fetch/$s_!d2Xv!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5479fc03-1582-42cc-a197-0bbb3054522c_610x470.png 848w, https://substackcdn.com/image/fetch/$s_!d2Xv!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5479fc03-1582-42cc-a197-0bbb3054522c_610x470.png 1272w, https://substackcdn.com/image/fetch/$s_!d2Xv!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5479fc03-1582-42cc-a197-0bbb3054522c_610x470.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!d2Xv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5479fc03-1582-42cc-a197-0bbb3054522c_610x470.png" width="610" height="470" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5479fc03-1582-42cc-a197-0bbb3054522c_610x470.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:470,&quot;width&quot;:610,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;RLAgent \nAction \nFaiWd \nposition ' \n&#12308; k Path \nA | PO n | \nOperations , \nGym Environment &quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="RLAgent 
Action 
FaiWd 
position ' 
&#12308; k Path 
A | PO n | 
Operations , 
Gym Environment " title="RLAgent 
Action 
FaiWd 
position ' 
&#12308; k Path 
A | PO n | 
Operations , 
Gym Environment " srcset="https://substackcdn.com/image/fetch/$s_!d2Xv!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5479fc03-1582-42cc-a197-0bbb3054522c_610x470.png 424w, https://substackcdn.com/image/fetch/$s_!d2Xv!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5479fc03-1582-42cc-a197-0bbb3054522c_610x470.png 848w, https://substackcdn.com/image/fetch/$s_!d2Xv!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5479fc03-1582-42cc-a197-0bbb3054522c_610x470.png 1272w, https://substackcdn.com/image/fetch/$s_!d2Xv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5479fc03-1582-42cc-a197-0bbb3054522c_610x470.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" 
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">PNNL&#8217;s autonomous cyber defense framework. Source: <a href="https://arxiv.org/pdf/2302.01595.pdf">Deep Reinforcement Learning for Cyber System Defense under Dynamic Adversarial Uncertainties</a></figcaption></figure></div><h2><strong>Cybersecurity Beyond GenAI</strong></h2><p>Over the past year, Generative Artificial Intelligence (GenAI) has stolen the show as the most widely adopted type of AI in history. GenAI has had an undeniable impact on society and has changed the world forever. In cybersecurity, the introduction of GenAI has been a double-edged sword. It has enabled malicious actors to carry out sophisticated phishing campaigns at higher rates<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-1" href="#footnote-1" target="_self">1</a>,<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-2" href="#footnote-2" target="_self">2</a> while acting as a force multiplier for criminal hacker groups. On the other hand, GenAI has seen numerous use cases for defense, including security advisors, code review, and Natural Language Processing (NLP) to code generation. I wrote <strong><a href="https://www.cybersecuritypulse.net/p/demystifying-the-generative-ai-and#%C2%A7themes">a post</a></strong> earlier this year that covers more use cases if you'd like to dive further into this area.</p><p>However, GenAI is just the appetizer. As AI and Machine Learning (ML) become increasingly integrated into cybersecurity, they open doors to even more groundbreaking possibilities. 
This may sound like something out of a sci-fi novel, but imagine a world where ultra-intelligent autonomous agents could single-handedly stop cyber attacks, conduct threat hunts, and/or harden your systems based on new intel. <br><br>This is where Autonomous Cyber-defense Agents (ACA) come into play. ACAs are self-sufficient agents capable of whatever they&#8217;re trained and fine-tuned to do. Given the time, cost, and talent constraints in our industry, this is an extremely attractive proposition. The burning question is <em><strong>whether we have the technical capability to build commercial, production-grade autonomous agents</strong></em>.</p><p>This is what we&#8217;ll explore today, and spoiler alert: it seems we're getting closer and closer to a major breakthrough. </p><h2><strong>What is Deep Reinforcement Learning (DRL)</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!4uyG!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9b11bd0-ab58-468a-b313-3daeda253b55_860x778.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!4uyG!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9b11bd0-ab58-468a-b313-3daeda253b55_860x778.png 424w, https://substackcdn.com/image/fetch/$s_!4uyG!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9b11bd0-ab58-468a-b313-3daeda253b55_860x778.png 848w, https://substackcdn.com/image/fetch/$s_!4uyG!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9b11bd0-ab58-468a-b313-3daeda253b55_860x778.png 1272w, 
https://substackcdn.com/image/fetch/$s_!4uyG!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9b11bd0-ab58-468a-b313-3daeda253b55_860x778.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!4uyG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9b11bd0-ab58-468a-b313-3daeda253b55_860x778.png" width="860" height="778" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a9b11bd0-ab58-468a-b313-3daeda253b55_860x778.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:778,&quot;width&quot;:860,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:138289,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!4uyG!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9b11bd0-ab58-468a-b313-3daeda253b55_860x778.png 424w, https://substackcdn.com/image/fetch/$s_!4uyG!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9b11bd0-ab58-468a-b313-3daeda253b55_860x778.png 848w, https://substackcdn.com/image/fetch/$s_!4uyG!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9b11bd0-ab58-468a-b313-3daeda253b55_860x778.png 1272w, 
https://substackcdn.com/image/fetch/$s_!4uyG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9b11bd0-ab58-468a-b313-3daeda253b55_860x778.png 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">Stages of Reinforcement Learning. Source: <a href="https://cset.georgetown.edu/wp-content/uploads/Autonomous-Cyber-Defense-1.pdf">CSET and CETaS</a> </figcaption></figure></div><blockquote><p>"Cyber-defense agents will stealthily monitor the networks, detect the enemy cyber activities while remaining concealed, and then destroy or degrade the enemy malware. 
They will do so mostly autonomously, because human cyber experts will be always scarce on the battlefield. They have to be capable of autonomous learning because enemy malware is constantly evolving. They have to be stealthy because the enemy malware will try to find and destroy them. At the time of this writing and to the best of our knowledge, autonomous agents with such capabilities remain unavailable." - Source: <strong><a href="https://apps.dtic.mil/sti/pdfs/AD1080471.pdf">Autonomous Intelligent Cyber-defense Agent Reference Architecture (AICARA) Release 2.0</a></strong> - 2019<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-3" href="#footnote-3" target="_self">3</a></p></blockquote><p>Fortunately, the last sentence in the above statement is becoming less and less true every day due to advancements in machine learning, specifically in DRL. </p><p>DRL is an advanced area of machine learning that combines <strong><a href="https://en.wikipedia.org/wiki/Deep_learning">deep learning</a></strong> and <strong><a href="https://en.wikipedia.org/wiki/Reinforcement_learning">reinforcement learning</a></strong> principles. In this approach, an agent learns to make decisions by interacting with its environment. The agent receives feedback through rewards or penalties based on its actions. This feedback helps the agent to understand which actions lead to better outcomes.</p><p>In cybersecurity, DRL becomes a game-changer as it is what makes ACAs possible. It forms the foundation that will eventually enable systems to autonomously detect and respond to threats by learning from their interactions with network and system logs, telemetry, threat intel, etc. For example, a DRL agent can learn to identify patterns of different attacks, adapt to threats, and take actions to mitigate them without human intervention. Without DRL, there would be no ACA. 
</p><h2><strong>The History of ACAs</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!jT6b!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F249b7c62-6586-4469-9d0f-a6c1fc67067d_1150x672.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!jT6b!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F249b7c62-6586-4469-9d0f-a6c1fc67067d_1150x672.png 424w, https://substackcdn.com/image/fetch/$s_!jT6b!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F249b7c62-6586-4469-9d0f-a6c1fc67067d_1150x672.png 848w, https://substackcdn.com/image/fetch/$s_!jT6b!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F249b7c62-6586-4469-9d0f-a6c1fc67067d_1150x672.png 1272w, https://substackcdn.com/image/fetch/$s_!jT6b!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F249b7c62-6586-4469-9d0f-a6c1fc67067d_1150x672.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!jT6b!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F249b7c62-6586-4469-9d0f-a6c1fc67067d_1150x672.png" width="1150" height="672" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/249b7c62-6586-4469-9d0f-a6c1fc67067d_1150x672.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:672,&quot;width&quot;:1150,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Papers by Year on Reinforcement Learning for Autonomous Cyber Defense \n125 \n101 \n100 \n75 \n47 \n50 \n25 \n0000 \nCount &quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Papers by Year on Reinforcement Learning for Autonomous Cyber Defense 
125 
101 
100 
75 
47 
50 
25 
0000 
Count " title="Papers by Year on Reinforcement Learning for Autonomous Cyber Defense 
125 
101 
100 
75 
47 
50 
25 
0000 
Count " srcset="https://substackcdn.com/image/fetch/$s_!jT6b!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F249b7c62-6586-4469-9d0f-a6c1fc67067d_1150x672.png 424w, https://substackcdn.com/image/fetch/$s_!jT6b!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F249b7c62-6586-4469-9d0f-a6c1fc67067d_1150x672.png 848w, https://substackcdn.com/image/fetch/$s_!jT6b!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F249b7c62-6586-4469-9d0f-a6c1fc67067d_1150x672.png 1272w, https://substackcdn.com/image/fetch/$s_!jT6b!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F249b7c62-6586-4469-9d0f-a6c1fc67067d_1150x672.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" 
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">Source: &#8220;Limmen / awesome-rl-for-cybersecurity,&#8221; GitHub, <a href="https://github.com/Limmen/awesome-rl-forcybersecurity">https://github.com/Limmen/awesome-rl-forcybersecurity</a>.</figcaption></figure></div><p>The concept of ACAs has been around for a long time. Back in 2016, the same year AlphaGo beat the world's best human player, DARPA organized the <strong><a href="https://www.darpa.mil/program/cyber-grand-challenge">Cyber Grand Challenge</a></strong>. In this event, computers independently engaged in attack and defend scenarios. However, the competition saw very little use of machine learning. The strategies used were mostly human-directed and lacked true machine autonomy.<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-4" href="#footnote-4" target="_self">4</a></p><p>Since then, it seems like the U.S. military and its allies have been hard at work in developing ACAs, which is evidenced by the <strong><a href="https://apps.dtic.mil/sti/pdfs/AD1080471.pdf">154-page AICARA report</a></strong> released by NATO Research Task Group (RTG) IST-152. In this report, the research group highlights ACAs&#8217; applications for cyber warfare and goes in depth on the architecture and technical capabilities they found necessary to be able to create highly intelligent cyber defense agents. 
However, they concluded that military-grade (pun intended) ACAs were not feasible back in 2019 due to technical limitations.</p><p><em>Fast forward to 2023&#8230;</em></p><h2><strong>Are We There Yet: The Latest Research on ACAs</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ol78!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab0df40b-a705-4101-8d1f-fdb428871178_1222x554.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ol78!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab0df40b-a705-4101-8d1f-fdb428871178_1222x554.png 424w, https://substackcdn.com/image/fetch/$s_!ol78!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab0df40b-a705-4101-8d1f-fdb428871178_1222x554.png 848w, https://substackcdn.com/image/fetch/$s_!ol78!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab0df40b-a705-4101-8d1f-fdb428871178_1222x554.png 1272w, https://substackcdn.com/image/fetch/$s_!ol78!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab0df40b-a705-4101-8d1f-fdb428871178_1222x554.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ol78!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab0df40b-a705-4101-8d1f-fdb428871178_1222x554.png" width="1222" height="554" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ab0df40b-a705-4101-8d1f-fdb428871178_1222x554.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:554,&quot;width&quot;:1222,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Playing Atari with Deep \nReinforcement Learning \nDARPA Cyber Grand \nChallenge \nAn increase in Cyber Gyms \n(FARLAND, CyberBatt1eSim, \nCybORG, CyGlL Yawning Titan) \n2013 \n2014 \n2015 \n2016 \n2017 \n2018 \n2019 \n2020 \n2021 \n2022 \n2023 \nMastering the game of Go \nwith deep neural networks \nand tree search \nPacific Northwest National \nLaboratory Cyber Gym &amp; \nDRL algorithm &quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Playing Atari with Deep 
Reinforcement Learning 
DARPA Cyber Grand 
Challenge 
An increase in Cyber Gyms 
(FARLAND, CyberBatt1eSim, 
CybORG, CyGlL Yawning Titan) 
2013 
2014 
2015 
2016 
2017 
2018 
2019 
2020 
2021 
2022 
2023 
Mastering the game of Go 
with deep neural networks 
and tree search 
Pacific Northwest National 
Laboratory Cyber Gym &amp; 
DRL algorithm " title="Playing Atari with Deep 
Reinforcement Learning 
DARPA Cyber Grand 
Challenge 
An increase in Cyber Gyms 
(FARLAND, CyberBatt1eSim, 
CybORG, CyGlL Yawning Titan) 
2013 
2014 
2015 
2016 
2017 
2018 
2019 
2020 
2021 
2022 
2023 
Mastering the game of Go 
with deep neural networks 
and tree search 
Pacific Northwest National 
Laboratory Cyber Gym &amp; 
DRL algorithm " srcset="https://substackcdn.com/image/fetch/$s_!ol78!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab0df40b-a705-4101-8d1f-fdb428871178_1222x554.png 424w, https://substackcdn.com/image/fetch/$s_!ol78!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab0df40b-a705-4101-8d1f-fdb428871178_1222x554.png 848w, https://substackcdn.com/image/fetch/$s_!ol78!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab0df40b-a705-4101-8d1f-fdb428871178_1222x554.png 1272w, https://substackcdn.com/image/fetch/$s_!ol78!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fab0df40b-a705-4101-8d1f-fdb428871178_1222x554.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" 
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">Timeline Of Relevant Developments In RL For Cyber. Source: <a href="https://cset.georgetown.edu/wp-content/uploads/Autonomous-Cyber-Defense-1.pdf">CSET and CETaS</a>.</figcaption></figure></div><p>Earlier this year, researchers at the <strong><a href="https://www.pnnl.gov/">Department of Energy's Pacific Northwest National Laboratory (PNNL)</a></strong> made significant strides in cybersecurity by constructing an abstract simulation of the conflict between attackers and defenders within a network by using an OpenAI gym sandbox and DRL. They trained four different DRL neural networks, with the primary objective of the networks being to maximize rewards by preventing compromises and minimizing network disruptions.</p><p>In this simulation, the attacker agents were programmed to use a subset of tactics and techniques from the <strong><a href="https://attack.mitre.org/tactics/enterprise/">MITRE ATT&amp;CK Framework</a></strong>, including seven (7) tactics and fifteen (15) techniques. The defender agents were equipped with twenty-three (23) mitigation actions to counteract the attackers' moves and contain the attack. The defender agent&#8217;s focus was not on preventing initial access, but instead, it was programmed to assume the attacker had already infiltrated the network (aka <em><a href="https://www.forbes.com/sites/forbestechcouncil/2022/04/13/why-every-cybersecurity-leader-should-assume-breach/?sh=2549e3fed434">assume breach</a></em>). 
This allows the defender agent to focus on preventing further attack progression, such as lateral movement, execution, defense evasion, and exfiltration, among other tactics.</p><p>A bit more on how the two agents were programmed and trained: </p><ol><li><p><strong>The Adversary Model</strong> was designed to simulate the behavior of cyber attackers. It outlined a step-by-step progression from initial recon to its ultimate goal of causing negative impact to critical systems or extracting data (exfiltration). In this model, each successful technique executed by the attacker enabled them to advance to the next phase. <strong>The model was flexible and adapted its approach in response to the defensive tactics it encountered</strong>. Central to this model was the assumption that attackers must exploit vulnerabilities that are either yet to be discovered or cannot be patched to advance their attack. The model also accounted for the possibility of an attack being terminated if the attackers could not bypass effective defensive measures. In short, the adversarial model was highly intelligent and always considered the various forward paths available to it. </p></li><li><p><strong>The Defense Model&#8217;s</strong> main objective was to proactively prevent the attackers from achieving their impact or exfiltration goals while ensuring minimal disruption to legitimate system operations. This model emulated some challenges faced by defenders, such as the difficulty in predicting the attackers' next step and operating with imperfect or incomplete information. <strong>To address these challenges, the defense model incorporated the use of systems that monitor API calls to determine the attackers' current position within the network.</strong> The model was trained not to take this information at face value because it might not be entirely accurate or comprehensive, mirroring the real-world limitations of today. 
In short, the defender agent considered a number of key factors, including the fact that it may have an incomplete picture before making its next move. </p></li></ol><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!97Wr!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47aae4d4-cebf-4d85-9f34-190a7f324a06_1262x420.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!97Wr!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47aae4d4-cebf-4d85-9f34-190a7f324a06_1262x420.png 424w, https://substackcdn.com/image/fetch/$s_!97Wr!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47aae4d4-cebf-4d85-9f34-190a7f324a06_1262x420.png 848w, https://substackcdn.com/image/fetch/$s_!97Wr!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47aae4d4-cebf-4d85-9f34-190a7f324a06_1262x420.png 1272w, https://substackcdn.com/image/fetch/$s_!97Wr!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47aae4d4-cebf-4d85-9f34-190a7f324a06_1262x420.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!97Wr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47aae4d4-cebf-4d85-9f34-190a7f324a06_1262x420.png" width="1262" height="420" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/47aae4d4-cebf-4d85-9f34-190a7f324a06_1262x420.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:420,&quot;width&quot;:1262,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Phishing \nReconnaissance/ \nInitial Access \nUser \nExecution \nExecution \nModify \nSystem \nProcess \nAutostart \nExecution \nPersistence \nModify \nRegistry \nDeploy \nContainer \nDefense \nEvasion \nAttack \nTerminated \nEncrypted \nChannel \nRemote \nAccess \nSoftware \nCommand \n&amp; Control \nAutomated \nData \nCollection \nMan-in- \nthe-browser \nCollection \nAutomated \nExfiltration \nData \nEncryption/ \nObstruction \nEndpoint \nDos \nImpact/Exfiltration &quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Phishing 
Reconnaissance/ 
Initial Access 
User 
Execution 
Execution 
Modify 
System 
Process 
Autostart 
Execution 
Persistence 
Modify 
Registry 
Deploy 
Container 
Defense 
Evasion 
Attack 
Terminated 
Encrypted 
Channel 
Remote 
Access 
Software 
Command 
&amp; Control 
Automated 
Data 
Collection 
Man-in- 
the-browser 
Collection 
Automated 
Exfiltration 
Data 
Encryption/ 
Obstruction 
Endpoint 
Dos 
Impact/Exfiltration " title="Phishing 
Reconnaissance/ 
Initial Access 
User 
Execution 
Execution 
Modify 
System 
Process 
Autostart 
Execution 
Persistence 
Modify 
Registry 
Deploy 
Container 
Defense 
Evasion 
Attack 
Terminated 
Encrypted 
Channel 
Remote 
Access 
Software 
Command 
&amp; Control 
Automated 
Data 
Collection 
Man-in- 
the-browser 
Collection 
Automated 
Exfiltration 
Data 
Encryption/ 
Obstruction 
Endpoint 
Dos 
Impact/Exfiltration " srcset="https://substackcdn.com/image/fetch/$s_!97Wr!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47aae4d4-cebf-4d85-9f34-190a7f324a06_1262x420.png 424w, https://substackcdn.com/image/fetch/$s_!97Wr!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47aae4d4-cebf-4d85-9f34-190a7f324a06_1262x420.png 848w, https://substackcdn.com/image/fetch/$s_!97Wr!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47aae4d4-cebf-4d85-9f34-190a7f324a06_1262x420.png 1272w, https://substackcdn.com/image/fetch/$s_!97Wr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47aae4d4-cebf-4d85-9f34-190a7f324a06_1262x420.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" 
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">Multi-stage attack propagation represented with MITRE ATT&amp;CK Tactics and Techniques. (Note: A directed edge between an attack tactic and technique specifies that the attacker may try to implement that technique next after achieving the objective of the attack tactic. Bidirectional arrow represents that Defense Evasion can come before Persistence.) Source: Deep Reinforcement Learning for Cyber System Defense under Dynamic Adversarial Uncertainties</figcaption></figure></div><p>The performance of the defender agent and the different DRL variants tested highlight that we&#8217;re getting closer to production-grade ACAs. The Deep Q-Network (DQN) variant of their agent performed best out of the 4 DRL algorithms they tested. For the least sophisticated attacks, <strong>DQN stopped 79% of attacks midway through the attack stages while stopping 93% by the final stage. It stopped 57% midway and 84% by the final stage for the most sophisticated attacks. </strong>These results are fairly astounding considering that most of today&#8217;s breaches would fall under the &#8220;least sophisticated&#8221; bucket, for which this ACA would stop 93% of attacks on which it was trained. 
I&#8217;m not sure how this compares to humans in the same scenario, but I&#8217;d assume that ACAs take the cake on this one.</p><p>Samrat Chatterjee of PNNL says that the team's goal is to &#8220;create an autonomous defense agent that can learn the most likely next step of an adversary, plan for it, and then respond in the best way to protect the system.&#8221;<a class="footnote-anchor" data-component-name="FootnoteAnchorToDOM" id="footnote-anchor-5" href="#footnote-5" target="_self">5</a> This sounds eerily similar to what NATO RTG IST-152 described in its cyber warfare scenario for stopping malware from spreading. </p><p>The report concludes by stating that &#8220;future work will include developing DRL-based transfer learning approaches within dynamic environments for distributed multi-agent defense systems.&#8221; Given that these agents may be ephemeral and can be effectively neutralized by attackers, it makes a ton of sense for them to focus their next phases of research on real-time knowledge transfers between agents.</p><h2><strong>Looking Ahead</strong></h2><p>The world has changed a lot since the AICARA report came out in 2019, and there have been significant technological advancements since then, as evidenced by the PNNL research. Though purchasing a few ACAs for distinct use cases to augment your security teams may be 3-5 years away, it&#8217;s important to keep an eye on this space as it will truly change the cybersecurity landscape forever. I won&#8217;t enumerate them here, but the potential benefits are endless. However, we must also consider the adverse effects and how attackers may leverage such agents to carry out even more sophisticated attacks. 
</p><h3><strong>References</strong></h3><p>Below are my footnote references:</p><div class="footnote" data-component-name="FootnoteToDOM"><a id="footnote-1" href="#footnote-anchor-1" class="footnote-number" contenteditable="false" target="_self">1</a><div class="footnote-content"><p>https://www.msspalert.com/news/email-cyberattacks-spiked-nearly-500-in-first-half-of-2023-acronis-reports</p></div></div><div class="footnote" data-component-name="FootnoteToDOM"><a id="footnote-2" href="#footnote-anchor-2" class="footnote-number" contenteditable="false" target="_self">2</a><div class="footnote-content"><p>https://siliconangle.com/2023/08/15/new-reports-show-phishing-rise-getting-sophisticated/</p></div></div><div class="footnote" data-component-name="FootnoteToDOM"><a id="footnote-3" href="#footnote-anchor-3" class="footnote-number" contenteditable="false" target="_self">3</a><div class="footnote-content"><p>https://apps.dtic.mil/sti/pdfs/AD1080471.pdf</p></div></div><div class="footnote" data-component-name="FootnoteToDOM"><a id="footnote-4" href="#footnote-anchor-4" class="footnote-number" contenteditable="false" target="_self">4</a><div class="footnote-content"><p>https://cset.georgetown.edu/wp-content/uploads/Autonomous-Cyber-Defense-1.pdf</p></div></div><div class="footnote" data-component-name="FootnoteToDOM"><a id="footnote-5" href="#footnote-anchor-5" class="footnote-number" contenteditable="false" target="_self">5</a><div class="footnote-content"><p>https://arxiv.org/pdf/2302.01595.pdf</p><p>https://github.com/Limmen/awesome-rl-for-cybersecurity</p></div></div>]]></content:encoded></item><item><title><![CDATA[💾 TCP Byte #4: 27 Things I've Learned Throughout My Career in Cybersecurity and Product ]]></title><description><![CDATA[I recently turned 27 years old which led me to pause and reflect on all I've learned in my years of living and more specifically, my time in the cybersecurity 
industry.]]></description><link>https://www.cybersecuritypulse.net/p/tcp-byte-4-27-things-ive-learned</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/tcp-byte-4-27-things-ive-learned</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Fri, 10 Nov 2023 16:02:13 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!34jc!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27e2aeba-4da1-4ed7-876f-f5587efb2ed9_1085x608.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!34jc!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27e2aeba-4da1-4ed7-876f-f5587efb2ed9_1085x608.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!34jc!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27e2aeba-4da1-4ed7-876f-f5587efb2ed9_1085x608.png 424w, https://substackcdn.com/image/fetch/$s_!34jc!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27e2aeba-4da1-4ed7-876f-f5587efb2ed9_1085x608.png 848w, https://substackcdn.com/image/fetch/$s_!34jc!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27e2aeba-4da1-4ed7-876f-f5587efb2ed9_1085x608.png 1272w, https://substackcdn.com/image/fetch/$s_!34jc!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27e2aeba-4da1-4ed7-876f-f5587efb2ed9_1085x608.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!34jc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27e2aeba-4da1-4ed7-876f-f5587efb2ed9_1085x608.png" width="1085" height="608" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/27e2aeba-4da1-4ed7-876f-f5587efb2ed9_1085x608.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:608,&quot;width&quot;:1085,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Image&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Image" title="Image" srcset="https://substackcdn.com/image/fetch/$s_!34jc!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27e2aeba-4da1-4ed7-876f-f5587efb2ed9_1085x608.png 424w, https://substackcdn.com/image/fetch/$s_!34jc!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27e2aeba-4da1-4ed7-876f-f5587efb2ed9_1085x608.png 848w, https://substackcdn.com/image/fetch/$s_!34jc!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27e2aeba-4da1-4ed7-876f-f5587efb2ed9_1085x608.png 1272w, https://substackcdn.com/image/fetch/$s_!34jc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F27e2aeba-4da1-4ed7-876f-f5587efb2ed9_1085x608.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" 
class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">MidJourney.</figcaption></figure></div><p>I recently turned 27 years old which led me to pause and reflect on all I've learned in my years of living and more specifically, my time in the cybersecurity industry. I wanted to distill this into some of the things I&#8217;ve learned and advice I would give my younger self. Before we dive in though, here's a bit about me:</p><ul><li><p>I've spoken at 7-8 security conferences including DEF CON, fwd:cloudsec, Texas Cyber Summit, and Security Weekly Unlocked. 
I've attended probably ~50 more.</p></li><li><p>Thanks to internships, my network, and the dynamic nature of consulting, I've spent time as a red teamer, IoT blue teamer, and cloud security consultant, and in security public policy, GRC, business continuity, detection engineering, and most recently, product management across a slew of industries.</p></li><li><p>I've dissected tens of thousands of security articles and research reports for fun, educational purposes, and the <strong><a href="https://www.cybersecuritypulse.net/">TCP newsletter</a></strong>. I've also worked at the 9x RSA award-winning podcast, <strong><a href="https://www.scmagazine.com/security-weekly">Security Weekly</a></strong>. Shout out to Paul, Sam, Johnny, Tyler, Larry et al.</p></li><li><p>I started the cybersecurity club at my uni, taught 60+ students how to use tools like Nmap and Wireshark, and coached them for 3 seasons for the National Cyber League (NCL) competition.</p></li><li><p>Certs. I have a few, including the Certified Kubernetes Admin (CKA), Azure Security Engineer (AZ-500), HITRUST Certified CSF Practitioner (CCSFP), AWS CCP, CCSK, AZ-900, Security+, FEMA ICS-000100, and FEMA ICS-000200.</p></li><li><p>I've scaled the <strong><a href="https://www.cybersecuritypulse.net/">TCP newsletter</a></strong> to 1.7K+ subscribers in 9 months. 
</p></li></ul><p>In short, I've seen a lot, done a lot, and have a few takeaways that can hopefully help you wherever you are in your journey, whether you're a VC, CISO, GTM, practitioner, or someone looking to land a security role.</p><h1>The Cybersecurity Practice &#129399;</h1><ol><li><p>The hacker mentality is not something that only serves offensive security professionals. As a security practitioner, you have to be able to put yourself in the shoes of an attacker and understand how they may be able to infiltrate your environment, hide their traces, exfiltrate data, etc. For malicious actors, nothing's off the table, so while the MITRE ATT&amp;CK Framework is awesome at providing an understanding of attacker tactics and techniques, it's not a catch-all. Use your creativity and curiosity, especially when testing out detection hypotheses and threat modeling.</p></li><li><p>As a security practitioner, grasping your engineering and business counterparts' goals and language is essential. Deep knowledge of the industry, the applications you're building, architectural decisions, tech stack, etc. is crucial. Understanding each team's motivators enhances your role as a team player and leader, ultimately leading to better-informed risk-based decisions and increasing your value.</p></li><li><p>Becoming a strong security practitioner is not easy and there are no shortcuts. You must get the fundamentals down first and understand that if there's something you're avoiding learning, it's almost certainly something you need to dissect and master. 
Otherwise, you're sabotaging your progress. For example, I avoided learning how to program for the longest time, which 110% removed me from being considered for tons of roles I applied for. On the other hand, I doubled down on cloud + Kubernetes security and it gave me an advantage.</p></li><li><p>Whether you're a red teamer or blue teamer, being resourceful and adaptable are superpowers. It's 2023. You have the power of Generative AI, web-based virtual labs, Google, YouTube, podcasts, newsletters, books, and direct access to industry leaders on X and LinkedIn. Nothing is off-limits. There's almost no excuse for what you should be able to learn and achieve.</p></li><li><p>Though you need not be a master of all security domains, it's crucial to understand their purpose and how they relate to each other. For example, understanding how identity and access management ties into endpoint, IaaS, PaaS, and SaaS security + the impact it has on the compliance frameworks that govern your organization. This is why GRC is a great starter role: it provides you with a bird&#8217;s-eye view of how the different security domains make up the bigger picture.</p></li><li><p>Never take security findings from solutions at face value, especially if the app's logic is a black box and it's a serious issue. Go to the source of truth, the logs, the said-to-be-impacted system(s), and the systems that have access to those systems. Perform your root cause analysis before jumping the gun. Many products produce false positives, especially when it comes to reachability. An API may be flagged with a critical-severity vulnerability while living within a segmented private network with strict access controls, meaning only authorized services can communicate with it. 
With this context, you help prevent whiplash in your team and can coordinate a more appropriate response.</p><p></p><p>Products are getting better at providing context on reachability, exploitability, and impact, but there will always be blind spots, and as a security practitioner, it's key to live off the land.</p><p></p></li></ol><h1>The Cybersecurity Industry &#128188;</h1><ol><li><p>Most startups formed over the past decade are neither truly groundbreaking nor solving an entirely new problem. Most, not all, try to solve a problem better than an incumbent, and if they're able to execute well, they can carve out enough market share to be successful.</p></li><li><p>While many vendors say they provide a "single pane of glass" across the security domains that their offerings cover, some, sadly, do not correlate the findings from those different sources to give the user a true, comprehensive view of their security posture. This is part of the reason why best-of-breed and data-driven security is continuing to become the favored security approach.</p></li><li><p>Security marketing has gotten better but it's still broken. Traditional marketing approaches that are fear-based do not work here, and they have earned a lot of vendors ill will in the community.</p></li><li><p>Our industry is different than most. For one, it's still fairly small compared to other industries and we also have a strong sense of community. CISOs, practitioners, and founders congregate amongst each other in private Slack groups, cigar lounges, etc., and share their war stories and lessons learned, and talk about other things humans talk about. 
In short, reputation in this community is more important than in other communities, whether as an individual or as a vendor.</p></li><li><p>The best resources I know of for cybersecurity industry news and opinions are <strong><a href="https://www.scmagazine.com/security-weekly">Security Weekly</a></strong>, <span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;Venture in Security&quot;,&quot;id&quot;:746596,&quot;type&quot;:&quot;pub&quot;,&quot;url&quot;:&quot;https://open.substack.com/pub/ventureinsecurity&quot;,&quot;photo_url&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/86fcb772-b0a3-43e4-ab8c-33c6bfa2378f_1181x1181.png&quot;,&quot;uuid&quot;:&quot;a371524a-9651-465b-a466-cf1eee21113c&quot;}" data-component-name="MentionToDOM"></span>, <strong><a href="https://hackervalley.com/">Hacker Valley Media</a></strong>, and <span class="mention-wrap" data-attrs="{&quot;name&quot;:&quot;Resilient Cyber&quot;,&quot;id&quot;:1138747,&quot;type&quot;:&quot;pub&quot;,&quot;url&quot;:&quot;https://open.substack.com/pub/resilientcyber&quot;,&quot;photo_url&quot;:&quot;https://bucketeer-e05bbc84-baa3-437e-9518-adb32be77984.s3.amazonaws.com/public/images/71894ea3-c231-4d31-90a9-414d75111d0e_1280x1280.png&quot;,&quot;uuid&quot;:&quot;283d707c-1639-43b1-8274-36ee436ba6d4&quot;}" data-component-name="MentionToDOM"></span> .</p></li><li><p>Paying large ticket prices for a booth at the major security conferences doesn't reap the same rewards that they used to. For startups, that money is much better invested elsewhere.</p></li><li><p>Data-driven security strategy is truly a game changer. IF implemented correctly, think about all of the possibilities that having all of your identity-related data funneled into one place and in a common model/schema can provide you. 
You can ask the most pinpointed questions, maintain a continuous pulse on posture via dashboards and metrics, and you can prime and leverage that dataset for unique AI/ML use cases.</p></li></ol><h1>The Cybersecurity Career &#128104;&#127997;&#8205;&#128187;</h1><ol><li><p>The best ROI I've gotten on my time and efforts while in security is attending conferences and being part of the security community and its micro-communities.</p></li><li><p>This probably goes without saying but for every new technology and underlying advancements, our industry will be the one that has to secure that technology. For career advancement, it's crucial to stay on top of the latest tech such as Gen AI, ML, Quantum, Data Science, etc.</p></li><li><p>You must give back as you learn and grow in your career. Our industry is small, understaffed, and changes every day. We need more practitioners and your knowledge + experience can help close this gap. Mentoring, sponsoring, and being active with non-profits are just some of the ways you can give back to those coming into our industry. It's also an extremely fulfilling pursuit.</p></li><li><p>Personal branding is icky but regardless of what you call it, you should somehow showcase your body of work whether it be on LinkedIn, Github, Substack, YouTube, etc. The sooner, the better.</p></li><li><p><strong><a href="https://www.oreilly.com/">O'Reilly Safari Learning Platform</a></strong> is the best $500 you can ever spend. Live courses, labs, 35k+ books, and videos on various topics. Next to this, is TryHackMe. Thank me later.</p></li><li><p>Build and break stuff. It's one thing to learn, it's an entirely different thing to do. When you do things repetitively, the grooves in your brain become deeper and it eventually becomes second nature. 
When you solely read or watch videos about things but don't actually do them or do them sparingly, that knowledge flees you soon and you won't be able to solve problems or speak about them as well as people who are doing them do.</p></li><li><p>Certs. They help especially depending on your learning style but after the first ~2 years of your security career, they rarely matter.</p></li></ol><h1>Building Products &#9874;&#65039;</h1><ol><li><p>Attention to even the smallest details is part of what makes a great product.</p></li><li><p>Your ability to influence leadership, engineering, and design is crucial. Use data, user feedback, and market intel to aid in your decision-making and influencing abilities.</p></li><li><p>Think about user journeys and jobs to be done by the respective user persona. It'll make things much clearer.</p></li><li><p>Day-to-day operations are a grind but never lose sight of the bigger picture and always make time to think about new features or enhancements that can give you an asymmetrical advantage in the market.</p></li></ol><h1>Life &#9203;</h1><ol><li><p>Health is wealth. You can bang out 60-80hr work weeks but nutrition, fitness, and mental stability should rarely fall on the back burner.&nbsp;</p></li><li><p>Life is short and can be gone tomorrow. Think about the people who passed suddenly. Think about how unexpected events like war and COVID-19 can severely limit what you can do for extended periods. Travel, take risks, spend time with the people you love, and do stuff that you've always wanted to do.</p></li><li><p>Self-confidence is everything. I know geniuses who lack it and have limited their opportunities and impact on the world because of it. Of course, be humble and understand emotional intelligence but never doubt yourself or your abilities to accomplish something. 
You should be your #1 supporter.</p><p></p></li></ol>]]></content:encoded></item><item><title><![CDATA[💾 TCP Bytes #3: 7 Tips for Getting the Most out of Hacker Summer Camp..
or Any Conference Really ]]></title><description><![CDATA[Introduction]]></description><link>https://www.cybersecuritypulse.net/p/7-tips-for-getting-the-most-out-of</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/7-tips-for-getting-the-most-out-of</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Tue, 01 Aug 2023 12:02:30 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!v4Hi!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8a23866-5a7d-4781-a15c-94de8e55ed22_780x520.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!v4Hi!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8a23866-5a7d-4781-a15c-94de8e55ed22_780x520.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!v4Hi!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8a23866-5a7d-4781-a15c-94de8e55ed22_780x520.jpeg 424w, https://substackcdn.com/image/fetch/$s_!v4Hi!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8a23866-5a7d-4781-a15c-94de8e55ed22_780x520.jpeg 848w, https://substackcdn.com/image/fetch/$s_!v4Hi!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8a23866-5a7d-4781-a15c-94de8e55ed22_780x520.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!v4Hi!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8a23866-5a7d-4781-a15c-94de8e55ed22_780x520.jpeg 1456w" 
sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!v4Hi!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8a23866-5a7d-4781-a15c-94de8e55ed22_780x520.jpeg" width="780" height="520" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d8a23866-5a7d-4781-a15c-94de8e55ed22_780x520.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:520,&quot;width&quot;:780,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;AFCYBER presents, participates in DEF CON 27 > Air Combat Command ...&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="AFCYBER presents, participates in DEF CON 27 > Air Combat Command ..." title="AFCYBER presents, participates in DEF CON 27 > Air Combat Command ..." 
srcset="https://substackcdn.com/image/fetch/$s_!v4Hi!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8a23866-5a7d-4781-a15c-94de8e55ed22_780x520.jpeg 424w, https://substackcdn.com/image/fetch/$s_!v4Hi!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8a23866-5a7d-4781-a15c-94de8e55ed22_780x520.jpeg 848w, https://substackcdn.com/image/fetch/$s_!v4Hi!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8a23866-5a7d-4781-a15c-94de8e55ed22_780x520.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!v4Hi!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8a23866-5a7d-4781-a15c-94de8e55ed22_780x520.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture></div></a><figcaption class="image-caption">DEF CON spectators and LEGOs. Source: acc.af.mil</figcaption></figure></div><h2><strong>Introduction</strong></h2><p>It's August 1st and for many of us in the security community, that means it's time for our annual trek to Las Vegas for "Hacker Summer Camp". A jam-packed week of four major cybersecurity conferences: <strong><a href="https://www.dianainitiative.org/">The Diana Initiative</a></strong>, <strong><a href="https://defcon.org/">DEF CON</a></strong>, <strong><a href="https://www.bsideslv.org/">BSides LV</a></strong>, and <strong><a href="https://www.blackhat.com/">BlackHat</a></strong>. If you&#8217;d like to learn how it all got started and what&#8217;s at the core of Hacker Summer Camp, check out this <strong><a href="https://www.youtube.com/watch?v=3ctQOmjQyYg&amp;pp=ygUSZGVmY29uIGRvY3VtZW50YXJ5">DEF CON documentary</a></strong>! </p><p>While each conference offers its own unique perspective and value, it's crucial to approach the week with intention. Whether you&#8217;re a founder looking to source leads and get product feedback, or you&#8217;re a student excited to learn about the latest security research, the key to maximizing your experience is having a solid game plan. </p><p>With this being my 5th time attending Hacker Summer Camp and having attended around 50 conferences in total, I believe I've gathered some insights that could help anyone&#8212;from a first-timer to a seasoned attendee&#8212;make the most of their conference experience.
So without further ado, let's dive in!</p><h2><strong>Tip #1: Plan Ahead</strong> </h2><p>While BSides, the Diana Initiative, and BlackHat are held in a single venue, DEF CON is not. It&#8217;s spread across three venues with over 30K attendees in the sweltering summer Las Vegas heat. For each of these conferences, there are numerous talks, workshops, villages, parties, and other activities happening simultaneously. It&#8217;s easy to get FOMO, it&#8217;s easy to become socially drained, and it&#8217;s easy to feel lost and confused. All of this can be mitigated with a plan. <br><br>Review the schedule ahead of time and prioritize the sessions you want to attend. People are releasing cutting-edge research, tools and sharing confidential hacker stories. If you&#8217;re like me, there are some talks that you just can&#8217;t miss! Planning helps ensure that you don&#8217;t. Lastly, realize that you won&#8217;t be able to do it all and leave space for impromptu meetups, networking, and rest.</p><h2><strong>Tip #2: Carry Essential Gear</strong></h2><p>What to carry on your person depends on who you are and what you're keen on doing at the conference. I always make sure to carry a backpack with a few essentials including my laptop, a notebook, pens, light snacks, a battery pack, and device chargers. I also make sure to wear comfortable clothes and shoes. Most importantly, I always keep a refillable water bottle. Staying hydrated is key, especially in the dry Las Vegas desert.
</p><h2><strong>Tip #3: Network</strong> </h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!zHxZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fddb7278f-ea5d-4028-b1af-96bed0c50dfb.tif" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!zHxZ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fddb7278f-ea5d-4028-b1af-96bed0c50dfb.tif 424w, https://substackcdn.com/image/fetch/$s_!zHxZ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fddb7278f-ea5d-4028-b1af-96bed0c50dfb.tif 848w, https://substackcdn.com/image/fetch/$s_!zHxZ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fddb7278f-ea5d-4028-b1af-96bed0c50dfb.tif 1272w, https://substackcdn.com/image/fetch/$s_!zHxZ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fddb7278f-ea5d-4028-b1af-96bed0c50dfb.tif 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!zHxZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fddb7278f-ea5d-4028-b1af-96bed0c50dfb.tif" width="1456" height="1285" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ddb7278f-ea5d-4028-b1af-96bed0c50dfb.tif&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1285,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:7487760,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/tiff&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!zHxZ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fddb7278f-ea5d-4028-b1af-96bed0c50dfb.tif 424w, https://substackcdn.com/image/fetch/$s_!zHxZ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fddb7278f-ea5d-4028-b1af-96bed0c50dfb.tif 848w, https://substackcdn.com/image/fetch/$s_!zHxZ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fddb7278f-ea5d-4028-b1af-96bed0c50dfb.tif 1272w, https://substackcdn.com/image/fetch/$s_!zHxZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fddb7278f-ea5d-4028-b1af-96bed0c50dfb.tif 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">Roger Dingledine, one of the co-founders of the Tor project, and I at my first DEF CON in 2017.</figcaption></figure></div><p>In today&#8217;s remote-first work environment, we very sparingly get the opportunity to connect with like-minded people in person so don't be shy about introducing yourself to others.  Exchange ideas, discuss the latest trends in cybersecurity, ask the presenter questions, go out for dinner with a group, go to networking events, etc. You never know, you might meet your business partner, future employer, or mentor at DEF CON. If you&#8217;re an introvert, check out <strong><a href="https://hbr.org/2015/10/how-introverts-can-make-the-most-of-conferences">this post</a></strong> for more tips.</p><h2><strong>Tip #4: Buddy Up</strong></h2><p>Hacker Summer Camp can be a whirlwind, especially for newcomers. Having a buddy along for the ride &#8211; someone to grab a meal with, check out talks, or explore events &#8211; can really elevate the whole experience.
It's about enjoying good company, feeling safe in the Las Vegas madness, and sharing those memorable 'aha!' moments. On the flip side, if you see someone roaming alone who looks lost, don&#8217;t be afraid to strike up a conversation and ask if they need any help. Again, summer camp can get overwhelming and if you can help others out, please do. This is the core of the buddy system for me.</p><h2><strong>Tip #5: Explore Vendor Areas</strong></h2><p>Take time to visit the vendor areas. I know that it can be super salesy with people jumping at you from seemingly every booth to scan your badge, but it's a great opportunity to learn about innovative cybersecurity products and tools. You can guarantee yourself that you&#8217;ll meet great people, pick up some nice swag, and my favorite of all, score some discounts on <strong><a href="https://nostarch.com/">NoStarchPress</a></strong> books @ DEF CON :) </p><h2><strong>Tip #6: Explore Beyond the Conferences </strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!-Z-u!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb08f7ff9-56d1-4508-95e9-6b7d094342fa_1500x1000.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!-Z-u!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb08f7ff9-56d1-4508-95e9-6b7d094342fa_1500x1000.jpeg 424w, https://substackcdn.com/image/fetch/$s_!-Z-u!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb08f7ff9-56d1-4508-95e9-6b7d094342fa_1500x1000.jpeg 848w,
https://substackcdn.com/image/fetch/$s_!-Z-u!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb08f7ff9-56d1-4508-95e9-6b7d094342fa_1500x1000.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!-Z-u!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb08f7ff9-56d1-4508-95e9-6b7d094342fa_1500x1000.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!-Z-u!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb08f7ff9-56d1-4508-95e9-6b7d094342fa_1500x1000.jpeg" width="1456" height="971" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b08f7ff9-56d1-4508-95e9-6b7d094342fa_1500x1000.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:971,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Las Vegas' Most Expensive Sports Venue: MSG Sphere&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Las Vegas' Most Expensive Sports Venue: MSG Sphere" title="Las Vegas' Most Expensive Sports Venue: MSG Sphere" srcset="https://substackcdn.com/image/fetch/$s_!-Z-u!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb08f7ff9-56d1-4508-95e9-6b7d094342fa_1500x1000.jpeg 424w, https://substackcdn.com/image/fetch/$s_!-Z-u!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb08f7ff9-56d1-4508-95e9-6b7d094342fa_1500x1000.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!-Z-u!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb08f7ff9-56d1-4508-95e9-6b7d094342fa_1500x1000.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!-Z-u!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb08f7ff9-56d1-4508-95e9-6b7d094342fa_1500x1000.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">The Las Vegas Sphere, at night.
Source: frontofficesports.com</figcaption></figure></div><p>If you have the time, check out what Las Vegas has to offer. My personal favorites are visiting Omega Mart in <strong><a href="https://area15.com/">Area 15</a></strong> and fitting in a trip to the spa for some decompression. This year, I&#8217;m really looking forward to seeing <strong><a href="https://ftw.usatoday.com/2023/07/videos-inside-the-las-vegas-sphere">The Sphere</a></strong> light up at night. </p><h2><strong>Tip #7: Follow the Code of Conduct</strong></h2><p>While yes, there&#8217;s a lot of fun to be had at Hacker Summer Camp, people should always follow the code of conduct for each conference. DEF CON, for example, has a strong community ethos and <strong><a href="https://defcon.org/html/links/dc-code-of-conduct.html">a code of conduct</a></strong> that attendees are expected to follow. They have goons who enforce these policies with a stiff hand. At the core of their code of conduct is respect for others' privacy and a commitment to creating a harassment-free environment. Simply put, don&#8217;t be an asshole. </p><h2><strong>Bonus: Arsenal and DEF CON Villages</strong></h2><p>BlackHat Arsenal is where researchers and the open-source community release and showcase their latest open-source tools and products in an interactive way. This is a great opportunity to learn about new tools, meet the creators, and see the tools in action. Learn more about <strong><a href="https://www.blackhat.com/us-23/arsenal-overview.html">BlackHat Arsenal here</a>.</strong><br><br>While the DEF CON main tracks have amazing talks that often make the news headlines, I think the magic really happens in the villages. There are 20+ villages that span a variety of industries and technologies; you can find the <strong><a href="https://defcon.outel.org/dcwp/dc31/activities/villages-list/">full list here</a></strong>. <br><br>This year I&#8217;m really looking forward to the AI hacking event at the AI Village.
Anthropic, Google, HuggingFace, Meta, NVIDIA, OpenAI, and Stability, have all provided models for some of the world&#8217;s top red teamers and pen testers to attack and find vulnerabilities. <strong>This will be the largest AI red team effort ever</strong> and there will be observers from the White House, NIST, NSF, and the EU. I&#8217;m really looking forward to this one.</p><h2><strong>Conclusion</strong></h2><p>Prepping for Hacker Summer Camp can be exhilarating and overwhelming at the same time. There&#8217;s so much to learn, do, see, and experience and if you go in without a plan, you may not get the most out of the experience. That said, do your research, pack well, and get out of your comfort zone! I&#8217;ll be in town just for DEF CON this year so if you see me, come say hello! </p>]]></content:encoded></item><item><title><![CDATA[💾 TCP Bytes #2: The Security Practitioner's Wish List: 14 Essential Characteristics of an Outstanding Security Product]]></title><description><![CDATA[Howdy!]]></description><link>https://www.cybersecuritypulse.net/p/the-security-practitioners-wish-list</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/the-security-practitioners-wish-list</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Wed, 12 Jul 2023 14:57:10 GMT</pubDate><enclosure
url="https://substackcdn.com/image/fetch/$s_!vRic!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F292b4780-262e-4dc2-96db-edf935fe6c5d_1456x816.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Howdy! Welcome to <strong>The Cybersecurity Pulse</strong> &#128421;&#65039;! It&#8217;s been a while since our last release but the gears are starting to turn and we will be back with our weekly programming very soon :) If you enjoy staying up to date on all the innovations occurring in the cybersecurity space, go ahead and click the subscribe button below and we&#8217;ll take care of the rest.  </em></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cybersecuritypulse.net/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cybersecuritypulse.net/subscribe?"><span>Subscribe now</span></a></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!vRic!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F292b4780-262e-4dc2-96db-edf935fe6c5d_1456x816.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!vRic!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F292b4780-262e-4dc2-96db-edf935fe6c5d_1456x816.png 424w, https://substackcdn.com/image/fetch/$s_!vRic!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F292b4780-262e-4dc2-96db-edf935fe6c5d_1456x816.png 848w, 
https://substackcdn.com/image/fetch/$s_!vRic!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F292b4780-262e-4dc2-96db-edf935fe6c5d_1456x816.png 1272w, https://substackcdn.com/image/fetch/$s_!vRic!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F292b4780-262e-4dc2-96db-edf935fe6c5d_1456x816.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!vRic!,w_2400,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F292b4780-262e-4dc2-96db-edf935fe6c5d_1456x816.png" width="1200" height="672.5274725274726" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/292b4780-262e-4dc2-96db-edf935fe6c5d_1456x816.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;large&quot;,&quot;height&quot;:816,&quot;width&quot;:1456,&quot;resizeWidth&quot;:1200,&quot;bytes&quot;:1924900,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-large" alt="" srcset="https://substackcdn.com/image/fetch/$s_!vRic!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F292b4780-262e-4dc2-96db-edf935fe6c5d_1456x816.png 424w, https://substackcdn.com/image/fetch/$s_!vRic!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F292b4780-262e-4dc2-96db-edf935fe6c5d_1456x816.png 848w, 
https://substackcdn.com/image/fetch/$s_!vRic!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F292b4780-262e-4dc2-96db-edf935fe6c5d_1456x816.png 1272w, https://substackcdn.com/image/fetch/$s_!vRic!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F292b4780-262e-4dc2-96db-edf935fe6c5d_1456x816.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a><figcaption class="image-caption">Midjourney - An astronaut floating through space avoiding asteroids while holding a 
laptop.</figcaption></figure></div><h2>Table of Contents &#128218;</h2><ul><li><p><strong><a href="https://www.cybersecuritypulse.net/i/133009672/introduction">Introduction</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/133009672/intelligent-security-issue-management">Intelligent Security Issue Management</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/133009672/user-experience">User Experience</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/133009672/case-management">Case Management</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/133009672/onboarding">Onboarding</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/133009672/integrations">Integrations</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/133009672/comprehensive-coverage">Comprehensive Coverage</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/133009672/scalability">Scalability </a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/133009672/user-community">User Community </a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/133009672/documentation">Documentation</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/133009672/customizability">Customizability</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/133009672/automation">Automation</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/133009672/collaboration">Collaboration</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/133009672/security-and-privacy">Security and Privacy</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/133009672/pricing-transparency">Pricing Transparency</a></strong></p></li><li><p><strong><a 
href="https://www.cybersecuritypulse.net/i/133009672/conclusion">Conclusion</a></strong></p></li></ul><h2>Introduction</h2><p>Security teams often find themselves drowning in security alerts and issues across a slew of products while struggling to identify what should be prioritized. We hear it all the time and many of us have experienced it. This often leads to serious risks going unaddressed for months until the inevitable breach happens. While factors like understaffing and burnout certainly contribute, I&#8217;d say that a significant amount of this thrash stems from security products that overpromise and underdeliver, failing to provide the robust support that teams critically need. In my opinion, the best security products not only tackle their designated challenges but also function as force multipliers, effectively serving as a crucial "<strong><a href="https://www.sportslingo.com/sports-glossary/s/sixth-man/">Sixth man/woman</a></strong>" on the team.</p><p>In my journey as a security practitioner and consultant, I&#8217;ve been at the forefront of onboarding, fine-tuning, and operationalizing a variety of security tools across a broad spectrum of environments. From highly regulated environments to large-scale greenfield environments, I&#8217;ve worked with CSPMs, SIEMs, firewalls, container runtime, and K8s network security solutions. This has allowed me to develop a solid filter (hopefully) on what separates great security products from mediocre ones.</p><p>In this post, I'll highlight the top 14 features, capabilities, and characteristics that I consider crucial in security products. A few caveats before we kick off, though: this isn&#8217;t a one-size-fits-all list. Security products serve diverse purposes; comparing a SIEM to a firewall is like comparing apples and oranges. Also, this list is filtered through my lens, shaped by my 6 years in the industry. 
These are the qualities that, in my experience, distinguish the security products that security practitioners love from the ones that they merely tolerate. My goal with this post is to provide founders, product managers, and others in the security product realm with insight into what security practitioners need from their products. Without further ado, let&#8217;s dive into the list! </p><blockquote><p><strong>Note:</strong> &#8220;Security issues&#8221; is a catch-all term that includes alerts, vulnerabilities, findings, misconfigurations, and more. </p></blockquote><h2>Intelligent Security Issue Management</h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!_fW0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57649d34-f070-4c03-904a-f84db9038397_1120x586.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!_fW0!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57649d34-f070-4c03-904a-f84db9038397_1120x586.jpeg 424w, https://substackcdn.com/image/fetch/$s_!_fW0!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57649d34-f070-4c03-904a-f84db9038397_1120x586.jpeg 848w, https://substackcdn.com/image/fetch/$s_!_fW0!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57649d34-f070-4c03-904a-f84db9038397_1120x586.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!_fW0!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57649d34-f070-4c03-904a-f84db9038397_1120x586.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!_fW0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57649d34-f070-4c03-904a-f84db9038397_1120x586.jpeg" width="1120" height="586" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/57649d34-f070-4c03-904a-f84db9038397_1120x586.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:586,&quot;width&quot;:1120,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Impact of Runtime Context on Vulnerability Severity&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Impact of Runtime Context on Vulnerability Severity" title="Impact of Runtime Context on Vulnerability Severity" srcset="https://substackcdn.com/image/fetch/$s_!_fW0!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57649d34-f070-4c03-904a-f84db9038397_1120x586.jpeg 424w, https://substackcdn.com/image/fetch/$s_!_fW0!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57649d34-f070-4c03-904a-f84db9038397_1120x586.jpeg 848w, https://substackcdn.com/image/fetch/$s_!_fW0!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57649d34-f070-4c03-904a-f84db9038397_1120x586.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!_fW0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F57649d34-f070-4c03-904a-f84db9038397_1120x586.jpeg 1456w" sizes="100vw" 
loading="lazy"></picture></div></a><figcaption class="image-caption"><strong>Source:</strong> <a href="https://www.datadoghq.com/state-of-application-security/">Datadog 2023 State of Application Security Report</a></figcaption></figure></div><p>Not all security issues are the same. Only a small fraction of them pose significant risks to production environments and/or sensitive data. The <strong><a href="https://www.datadoghq.com/state-of-application-security/">Datadog 2023 State of Application Security Report</a></strong> actually found that only 3% of critical vulnerabilities were worth prioritizing. 
Having a solution that does the legwork of deciphering what's worth prioritizing and actioning makes all the difference in the world. Not only does it save security teams an inordinate amount of time but it also enables them to zero in on and remediate actual risks and threats. A security product with an in-depth contextual understanding of an environment can be a force multiplier, enabling security teams to focus on keeping the organization out of the news.</p><p>Different security products aid in prioritization in various ways, depending on their nature. Examples include:</p><ul><li><p>Asset relationship graphs</p></li><li><p>Ingesting key metadata from the cloud provider such as resource tags</p></li><li><p>Conditional logic rules and alerts such as <strong><a href="https://www.splunk.com/en_us/blog/security/risk-based-alerting-the-new-frontier-for-siem.html">Splunk's risk-based alerting</a></strong> (RBA) or <strong><a href="https://www.wiz.io/product">Wiz's Toxic Combinations</a></strong></p></li></ul><h2>User Experience</h2><p>I've dealt with products with great user experience (UX) and ones with horrendous UX. The latter often consists of clunky design that requires lots of clicking around to find the information that I'm looking for or, even worse, it's hidden in plain sight amongst a cluttered dashboard.</p><p>Regardless of what kind of security product we're talking about, it's easy to know what information and functionality users need from a product. Whether it's a CSPM, DSPM, KSPM, ZTSPM, or LLMSPM, it doesn't matter: <strong>the product should aim to surface the most crucial details for a security issue in a simple fashion while providing options to resolve the issue. </strong></p><p>Below are some considerations that I think about when assessing the UX of a security product:</p><ul><li><p>Is it easy to action/remediate security issues? 
I.e., can I click a hotlink that will bring me over to the cloud provider and show me the resource that is at risk?</p></li><li><p>Can I share alerts, findings, and issues with my teammates?</p></li><li><p>Integrations. How easy is it to create a Jira ticket or Slack message? Does it take 1-2 clicks or 7?</p></li><li><p>Is the product presenting irrelevant or excessive information or is it summarizing and surfacing the important details that I need to address the security issue?</p></li><li><p>A great filtering experience</p></li></ul><h2>Case Management</h2><p>This one is pretty straightforward. Can users assign the finding to a teammate within the app? Can notes and status updates be added to the living security issue? Can you mark the issue as remediated? What does the security issue lifecycle look like? </p><p>Sure, many organizations use ticketing systems like Jira or ServiceNow to achieve much of this but that requires pivoting and maintaining status across two platforms, which is inefficient. If you can provide some of this functionality in-app, you save users time and headaches and aid with the remediation phase of the lifecycle. I haven&#8217;t used Cortex XSOAR in 2-3 years but it&#8217;s one product I can think of that really nailed case management. I particularly loved the <strong><a href="https://www.paloaltonetworks.com/blog/security-operations/simplify-case-management-using-cortex-xsoar/">ChatOps feature</a></strong>.<br><br>The reason why I have this functionality so high on the list is that I can't tell you the number of times I've seen security issues unresolved for weeks because one team has to get approval from another stakeholder because the remediation may impact production and by the time the next meeting comes around, nothing has been resolved and there&#8217;s another fire to put out. 
This happens more than you think and if a security product can do even just a smidge to mitigate this then that's a big win.</p><h2>Onboarding</h2><p>I once had a very crappy onboarding experience with a Kubernetes network security solution and it drove me crazy. The documentation was unformatted and outdated, which led to me reaching out to the product manager every other day. To cut them some slack, the solution was recently ingested through an acquisition but there is no reason that the end user, me, should have felt the thrash. </p><p>While product demos are the first impression that users get, onboarding and implementation are where the rubber really meets the road. If there are significant issues in these first few steps then the product is taking away time that practitioners could be spending on true security efforts and this inevitably leaves a bad taste in the user&#8217;s mouth. </p><h2>Integrations </h2><p>Security products should support integration with an organization's existing tech stack. In a world where the <strong><a href="https://www.statista.com/statistics/1233538/average-number-saas-apps-yearly/">average organization leverages 100+ SaaS solutions</a></strong>, the modern security team is forced to lock down and monitor a myriad of apps and infrastructure. The last thing a security practitioner wants is for a product to exist in a silo to the point where we have to build custom API solutions to get the data we need where we need it, then properly format it and ensure that the data is getting there as comprehensively and quickly as possible. We expect out-of-the-box integrations and functionality that remove the need to engineer custom solutions. Supported integrations should include ticketing systems, data lakes, and best-of-breed security solutions.</p><h2>Comprehensive Coverage</h2><p>Many solutions lack comprehensive coverage and support for the not-so-common or newly released cloud services. 
Examples include AI/ML, IoT, and data-focused services such as <strong><a href="https://aws.amazon.com/security-lake/">Amazon Security Lake</a></strong> or the <strong><a href="https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy">Azure OpenAI service</a></strong>. These services are being used in many production environments today but I would bet that a majority of security solutions are not providing coverage for them. This creates a blind spot that leaves security teams having to come up with alternatives. </p><p>While comprehensive threat and risk coverage for critical services like computing, storage, and networking is essential, I believe there are several other service types that equally warrant in-depth protection.</p><h2>Scalability</h2><p>Isn&#8217;t it lovely when you onboard a product on one AWS Account or Azure Subscription and everything is working fine and dandy but then you implement it across your entire multi-cloud estate and begin having latency issues? Or even better, the data displayed in the product is incomplete or inaccurate? <br><br>I&#8217;ve experienced this in the past and it led to a wild goose chase with the product team, which is the last thing security practitioners need. I can imagine that this has caused a number of issues for incident response teams in the past, specifically when they&#8217;re not able to find the logs for a certain timeframe. Please don&#8217;t be this vendor! Stress test your stuff in as many ways as possible to ensure that it is battle-ready. </p><h2>User Community</h2><p>Another key factor that I look for from a security product, and am thrilled when I find it, is a thriving user community. This often looks like active public community forums with support and engagement from the product&#8217;s support team. These forums are often found on Reddit, GitHub, Stack Overflow, or are hosted on the company site. 
</p><p>I can&#8217;t tell you the amount of joy I get when I run into an issue and find a forum where someone else had the same issue, and the solution is made public for all to see. I also think this aspect is key for product managers because it allows them to identify where users&#8217; biggest and most common pain points are.</p><h2>Documentation</h2><p>This one goes hand in hand with the section above but goes beyond it. Ensuring that product-related documentation and instructions are always kept up to date is crucial. Having product training materials and how-to videos is the cherry on top as it often removes the need for users to reach out to their point of contact within the vendor organization or to figure it out on their own. </p><h2>Customizability</h2><p>Customizability is one of those characteristics that can make or break the product experience for a practitioner. Are users stuck with only out-of-the-box functionality or can we build our own dashboards, detection rules, data connectors, etc.? </p><p>Every environment is different and will have unique use cases that the product team may not have identified or solved for yet. If security practitioners aren&#8217;t able to solve for that edge case themselves, they will inevitably be pulled toward a product that will allow them to. </p><p>Lastly, having the capability to create our own dashboards and graphs based on our own parameters is crucial. If security leadership or an auditor wants to see how many issues we&#8217;ve remediated in the EU regions over the past 3 months, then we should be able to answer this via a customizable dashboard in minutes.</p><h2>Automation</h2><p>This should be a table-stakes feature for any security product looking to be successful in today&#8217;s saturated and hyper-competitive security landscape. 
Automation should be sprinkled across the user journey whether it&#8217;s automated threat response/containment, being able to auto-remediate a batch of security misconfigurations, or automagically detecting anomalous activity that deviates from a continuously auto-recorded baseline. Automation saves time and if a product requires tons of manual labor to get value from it then security practitioners will find another way to solve their challenges. </p><h2>Collaboration </h2><p>Some of the best security products that I&#8217;ve worked with enable collaboration between and across teams. For example, they allow users to save and securely share threat-hunting queries and their results with teammates. They also have great exporting and reporting options such as Excel spreadsheets with raw data, streaming data via API, or a prettified PDF that is presentable in meetings. The latter is key because it helps with reporting status and assigning security issues across teams that may not have access to the product. It also gives users the flexibility to work with the data programmatically.</p><h2>Security and Privacy</h2><p>Not so long ago it was commonplace for security products to require admin-level permissions to properly operate in an environment. After a few security incidents and tons of shaming from the security community, most vendors no longer require these excessive permissions that they didn&#8217;t need in the first place. However, there are still a few vendors out there that do and you&#8217;ll probably see them getting roasted on Twitter, BlueSky, Threads, or whatever the kids are using these days. </p><p>At the end of the day, a security product should be helping organizations become more secure, not less. 
This means they should have fine-grained access controls, require limited permissions, employ data encryption, provide audit logs, and should comply with required standards and regulations such as SOC 2, HIPAA, or whatever else is applicable.</p><h2>Pricing Transparency</h2><p>This is especially important given the economic times we find ourselves in. Pricing should be clear and easy to find. I shouldn&#8217;t have to contact sales or go through an extensive Q&amp;A just to get pricing. The pricing breakdown should also have a clear delineation of what features and levels of support are provided for each pricing tier. </p><h2>Conclusion</h2><p>In summary, today's security teams need products that act as force multipliers in their ever-evolving complex environments. The standout features of the best security products include intelligent issue management, a user-friendly interface, smooth onboarding, wide-ranging integrations, scalability, robust community support, customizability, automation, collaboration capabilities, strong security and privacy, and transparent pricing. These are necessities, not &#8220;nice to haves&#8221;. In conclusion, it's time to redefine our expectations of security products. 
We need to push for tools that are not just features on a checklist but smart, intuitive partners in defense that help bridge the security gap we&#8217;ve been experiencing for decades.</p>]]></content:encoded></item><item><title><![CDATA[Demystifying the Generative AI and LLM Buzz in Security Products: The Future or Just Grains of Salt?]]></title><description><![CDATA[A deep dive into recent implementations of Generative AI and use of LLMs for security products and a peek into the future.]]></description><link>https://www.cybersecuritypulse.net/p/demystifying-the-generative-ai-and</link><guid isPermaLink="false">https://www.cybersecuritypulse.net/p/demystifying-the-generative-ai-and</guid><dc:creator><![CDATA[Darwin Salazar]]></dc:creator><pubDate>Tue, 23 May 2023 13:06:56 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Hbco!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdb0d046d-f1c6-476e-9e18-fd414425cac1_1920x1080.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Welcome to <strong>The Cybersecurity Pulse</strong> &#128421;&#65039;! Before we dive into the exciting stuff, why not subscribe? I run <strong><a href="https://www.cybersecuritypulse.net/s/innovation-pulse">a newsletter</a></strong><a href="https://www.cybersecuritypulse.net/s/innovation-pulse"> </a>that brings you the latest from the crossroads of innovation and cybersecurity, and I also maintain an <strong><a href="https://www.cybersecuritypulse.net/p/intel-hub">Intelligence Hub</a></strong> filled with curated research and data points about the industry. Your subscription tells me that what I'm writing resonates with you and adds value to your day. 
Your support goes a long way!</em></p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cybersecuritypulse.net/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cybersecuritypulse.net/subscribe?"><span>Subscribe now</span></a></p><h2>Table of Contents &#128218;</h2><ul><li><p><strong><a href="https://www.cybersecuritypulse.net/i/121316231/introduction">Introduction</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/121316231/setting-the-stage">Context</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/121316231/themes">Themes</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/121316231/real-world-use-cases-and-implementations">Security Vendor Use Cases</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/121316231/cloud-provider-implementations">Cloud Provider Implementations</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/121316231/other-use-cases-to-consider">Additional Use Cases to Consider</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/121316231/metrics">Metrics</a></strong></p></li><li><p><strong><a href="https://www.cybersecuritypulse.net/i/121316231/conclusion">Conclusion</a></strong></p></li></ul><div><hr></div><h2>Introduction </h2><p>Over the past several months, the generative AI hype train has spiraled out of control across every industry it seems. 
In the cybersecurity industry, this has manifested in an influx of vendors and cloud providers harnessing Large Language Models (LLMs) like ChatGPT, and even developing their own LLMs (e.g., <strong><a href="https://venturebeat.com/security/google-releases-security-llm-at-rsac-to-rival-microsofts-gpt-4-based-copilot/">Google Sec-PaLM LLM</a></strong> and <strong><a href="https://venturebeat.com/security/bigid-launches-bigai-a-privacy-by-design-llm-designed-to-discover-data/">BigID&#8217;s BigAI</a></strong>). Although these implementations aren't a silver bullet, they are promising force multipliers, increasing operational speed and efficiency, enhancing threat and incident response, identifying vulnerabilities in code, and more. However, we're merely at the dawn of this transformative journey, and it's natural that there is skepticism among the security community, especially after generative AI seemed to steal the show at RSA. We must remember that <strong>no single technology is a panacea</strong>, and the complexity of cybersecurity still demands significant human intervention. </p><p>In this post, we&#8217;ll navigate the themes and different use cases seen in recent implementations of generative AI and the use of language models in security products. This post aims to demystify the recent uptick of generative AI implementations in security products while providing you with a mental framework for evaluating the significance of these solutions and whether they can help your organization.</p><p>In a follow-up post, I&#8217;ll be covering the promising potential of custom in-house autonomous security agents. Now let&#8217;s get to the fun! 
<br></p><div><hr></div><h2>Setting the Stage</h2><p>AI and Machine Learning (ML) have been part of the cybersecurity landscape for a while, with early implementations like <strong><a href="https://www.cisco.com/c/en/us/about/corporate-strategy-office/acquisitions/cognitivesecurity.html">Cognitive Security</a></strong>'s behavioral analysis tool dating back to 2013. However, it's been challenging to separate the wheat from the chaff, with some vendors making lofty claims about their AI-powered solutions. This has understandably led to some skepticism in the industry.</p><p>Despite our inherent skepticism of security vendors as security practitioners, the recent surge in generative AI applications in security solutions is encouraging. And while no single security solution will ever be a cure-all, there are several tools that can boost security posture and enable teams to work more efficiently and confidently. </p><div><hr></div><h3>Commonly Used Terms</h3><ul><li><p><strong>Generative AI</strong>: This subset of artificial intelligence uses machine learning techniques to create new content. It can generate text, images, or sounds that mirror the data it was trained on. <strong>In the context of cybersecurity, Generative AI can be used to simulate cyber attacks for testing purposes or to generate phishing emails for training exercises.</strong> </p></li><li><p><strong>Large Language Model (LLM)</strong>: This is a specialized form of generative AI that's trained on extensive text and code datasets. Language models (LMs) can understand, summarize, generate, and predict content. In cybersecurity products, LMs can be used to analyze and predict potential security threats based on patterns in large datasets. 
<strong>For example, they can help identify suspicious activities or behaviors by analyzing network traffic or system logs</strong>.</p></li></ul><div><hr></div><h3>Criteria </h3><p>There are endless ways in which a security solution can leverage AI, so it's essential to discern the type of AI at play. The focus of this post is on generative AI, but how do we distinguish it from other types of AI? Here's the lens we'll use:</p><ol><li><p><strong>Content Generation:</strong> If the product generates new content, it's likely using generative AI.</p></li><li><p><strong>Data Analysis:</strong> If the product solely analyzes data for pattern identification, correlation, and/or predictive analytics, it's likely using another form of AI.</p></li><li><p><strong>Functionality:</strong> If the product is primarily creating content, such as generating phishing emails for training, simulating cyber attacks for testing, crafting detailed incident reports, or even translating natural language commands into executable code, it's likely using generative AI. If it's primarily analyzing data, identifying potential threats, or making decisions based on data analysis, it's likely using another form of AI.</p></li></ol><p>For example, <strong><a href="https://siliconangle.com/2023/04/20/dataminr-ai-cybersecurity-offering-provides-actionable-intelligence-real-time-risks/">Dataminr's Pulse for Cyber Risk</a></strong> service uses deep learning and real-time detection models to analyze a wide range of data formats, including text, image, video, sound, and sensor data. It can understand text in over 150 languages, recognize images and logos, process audio, and detect anomalies. Their solution focuses on physical and cyber threats. Impressive, right? However, this isn't generative AI. The type of AI leveraged here is more about gathering, analyzing, and correlating existing data. 
Generative AI, by contrast, might create new threat scenarios based on analyzed data or write detailed reports summarizing detected threats.</p><p>This is the kind of scrutiny I applied when looking at security products claiming to use generative AI, and it is the approach I used to identify the themes and use cases discussed in this post.</p><div><hr></div><h2>Themes</h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Hbco!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdb0d046d-f1c6-476e-9e18-fd414425cac1_1920x1080.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Hbco!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdb0d046d-f1c6-476e-9e18-fd414425cac1_1920x1080.png 424w, https://substackcdn.com/image/fetch/$s_!Hbco!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdb0d046d-f1c6-476e-9e18-fd414425cac1_1920x1080.png 848w, https://substackcdn.com/image/fetch/$s_!Hbco!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdb0d046d-f1c6-476e-9e18-fd414425cac1_1920x1080.png 1272w, https://substackcdn.com/image/fetch/$s_!Hbco!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdb0d046d-f1c6-476e-9e18-fd414425cac1_1920x1080.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Hbco!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdb0d046d-f1c6-476e-9e18-fd414425cac1_1920x1080.png" width="1456" height="819" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/db0d046d-f1c6-476e-9e18-fd414425cac1_1920x1080.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:819,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:725823,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Hbco!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdb0d046d-f1c6-476e-9e18-fd414425cac1_1920x1080.png 424w, https://substackcdn.com/image/fetch/$s_!Hbco!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdb0d046d-f1c6-476e-9e18-fd414425cac1_1920x1080.png 848w, https://substackcdn.com/image/fetch/$s_!Hbco!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdb0d046d-f1c6-476e-9e18-fd414425cac1_1920x1080.png 1272w, https://substackcdn.com/image/fetch/$s_!Hbco!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdb0d046d-f1c6-476e-9e18-fd414425cac1_1920x1080.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>In this section, we'll explore the five key themes that have emerged in the integration of generative AI into security products. <strong>Themes</strong> are the broad areas where AI can make a significant impact. Within each theme, there are specific <strong>use cases</strong>: the real-world applications where we can leverage generative AI to solve actual security challenges. Think of the themes as the big-picture strategies, and the use cases as the specific tactics used to achieve those strategies and objectives.</p><h4><strong>Summarizers, Explainers, and Advisors</strong></h4><p>Generative AI and LLMs can be used to provide concise summaries, detailed explanations, and expert advice. 
This can greatly enhance the efficiency and effectiveness of incident response and vulnerability management.</p><ul><li><p><strong>Incident Response Post-mortems</strong>: Generative AI can analyze the details of a security incident and generate a concise, easy-to-understand summary of what happened, why it happened, and what the impact was. It can also suggest remediation steps and preventative measures to avoid similar incidents in the future.</p></li><li><p><strong>Vulnerability Explanation and Remediation Step Advisor</strong>: Generative AI can provide detailed explanations of identified vulnerabilities, including their potential impact and the conditions that make a system susceptible to them. Furthermore, it can suggest the most effective steps to remediate a vulnerability, taking into account the specific context and constraints of the situation. This dual role of explaining and advising makes it a powerful tool in vulnerability management.</p></li></ul><h4><strong>Natural Language Processing (NLP) to Code Generation</strong></h4><p>Generative AI can translate natural language (plain text) commands or descriptions into executable code, streamlining the implementation of security policies and enhancing threat detection.</p><ul><li><p><strong>Policy Enforcement</strong>: Generative AI can generate code to enforce specified security policies, translating human-readable policy descriptions into machine-executable code.</p></li><li><p><strong>Threat Detection Rule and Query Generators</strong>: Generative AI can generate rules and queries for threat detection systems based on natural language descriptions of threats, improving the speed and accuracy of threat detection.</p></li></ul><h4>Code Review and Vulnerability Detection</h4><p>Generative AI can scrutinize source code to identify potential vulnerabilities, bugs, or violations of coding standards, enhancing the security and quality of software.</p><ul><li><p><strong>Bug Detection</strong>: Generative AI can 
analyze code to find bugs that might have been overlooked during manual code reviews. It can also generate suggestions for bug fixes, improving overall code quality.</p></li><li><p><strong>Vulnerability Identification</strong>: Generative AI can scan code to identify potential vulnerabilities and generate patches or suggest modifications to rectify these vulnerabilities.</p></li></ul><h4><strong>Reverse Engineering</strong></h4><p>Generative AI can be used to deconstruct and analyze compiled code or hardware, often in the context of malware analysis. It can generate detailed reports on how a piece of malware functions and how to defend against it.</p><ul><li><p><strong>Malware Analysis</strong>: Generative AI can analyze malware to understand its functionality, identify its command and control servers, and determine its impact. It can also generate remediation strategies, helping to develop effective defenses.</p></li></ul><h4><strong>Prioritization</strong></h4><p>Generative AI can analyze large volumes of data to identify the most important issues or threats, generating detailed reports that help security teams focus their efforts where they're most needed.</p><ul><li><p><strong>Data and Log Sifting</strong>: Generative AI can analyze large volumes of logs and other data to identify potential threats or anomalies. It can generate alerts or reports that highlight these potential threats, effectively finding the "needle in the haystack."</p></li><li><p><strong>Vulnerability and Patch Management Prioritization</strong>: Generative AI can assess the severity and potential impact of identified vulnerabilities, generating prioritized lists of issues to address and patches to apply.</p></li></ul><div><hr></div><h2>Real-World Use Cases &amp; Implementations</h2><p>The use cases below showcase the applications of generative AI and LLMs in cybersecurity and align with the key themes identified. However, this isn't an exhaustive list. 
Also, I'm not affiliated with any of these vendors, nor have I tested all of these solutions. <strong>This overview is to illustrate real-world applications, not to endorse specific products.</strong> </p><p>When evaluating AI security solutions (or any solution), you should be critical of the robustness of the solution. Ask the vendor questions about accuracy, memory recall, data training and model quality, regulatory compliance, scalability, integration, compatibility, etc. This will help you root out the weaker contenders and identify solutions that leverage robust AI practices to solve real-world security challenges.</p><p>As with any security solution you onboard, you&#8217;ll want to continuously validate the findings and alerts to test the quality and accuracy of the solution. You&#8217;ll also want to ensure that your security teams have the knowledge and skills needed to get the highest ROI possible out of the solution. Now, let&#8217;s take a look at some use cases! </p><h3>Threat Detection and Analysis</h3><p>Generative AI and LLMs can be trained to understand and predict patterns in network traffic or user behavior. By processing vast amounts of data, they can identify unusual patterns, potential threats, or breaches, often more quickly and accurately than traditional methods. They can also generate reports on potential threats, explaining their potential impacts and suggesting mitigation strategies. 
This falls under the themes of <em>Summarizers, Explainers, and Advisors</em>, <em>NLP to Code Generation</em>, and <em>Prioritization</em>.</p><h4><strong>SentinelOne</strong></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!BPWN!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e0eff03-3e2e-4ed2-a1ad-3b2365bc752e_1909x744.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!BPWN!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e0eff03-3e2e-4ed2-a1ad-3b2365bc752e_1909x744.jpeg 424w, https://substackcdn.com/image/fetch/$s_!BPWN!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e0eff03-3e2e-4ed2-a1ad-3b2365bc752e_1909x744.jpeg 848w, https://substackcdn.com/image/fetch/$s_!BPWN!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e0eff03-3e2e-4ed2-a1ad-3b2365bc752e_1909x744.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!BPWN!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e0eff03-3e2e-4ed2-a1ad-3b2365bc752e_1909x744.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!BPWN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e0eff03-3e2e-4ed2-a1ad-3b2365bc752e_1909x744.jpeg" width="727.9971313476562" height="283.4988828805777" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5e0eff03-3e2e-4ed2-a1ad-3b2365bc752e_1909x744.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;normal&quot;,&quot;height&quot;:567,&quot;width&quot;:1456,&quot;resizeWidth&quot;:727.9971313476562,&quot;bytes&quot;:262778,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!BPWN!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e0eff03-3e2e-4ed2-a1ad-3b2365bc752e_1909x744.jpeg 424w, https://substackcdn.com/image/fetch/$s_!BPWN!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e0eff03-3e2e-4ed2-a1ad-3b2365bc752e_1909x744.jpeg 848w, https://substackcdn.com/image/fetch/$s_!BPWN!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e0eff03-3e2e-4ed2-a1ad-3b2365bc752e_1909x744.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!BPWN!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5e0eff03-3e2e-4ed2-a1ad-3b2365bc752e_1909x744.jpeg 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><ul><li><p><strong><a href="https://www.sentinelone.com/">SentinelOne</a></strong> demonstrates AI-powered threat hunting with their release of Purple AI. It enables analysts to use prompts such as &#8220;Is my environment infected with SmoothOperator?&#8221;, or &#8220;Do I have any indicators of SmoothOperator on my endpoints?&#8221; to hunt for activity and Indicators of Compromise (IoC) related to a specific named threat. You can read more about their implementation in this <strong><a href="https://www.sentinelone.com/blog/purple-ai-empowering-cybersecurity-analysts-with-ai-driven-threat-hunting-analysis-response/">article</a></strong>.</p></li></ul><h4><strong>Nozomi Networks</strong></h4><ul><li><p><strong><a href="https://www.nozominetworks.com/">Nozomi Networks</a></strong> has implemented AI-powered insights with an Insights Dashboard where alerts are automatically correlated, prioritized, and supported with root-cause information. 
They also offer AI-based queries and analyses, allowing users to leverage natural language queries and get answers to common questions about vulnerabilities, network assets, and other environmental details. Advanced predictive monitoring provides early warnings about system behaviors that deviate from the norm. You can read more about their implementation in this <strong><a href="https://www.msspalert.com/cybersecurity-services-and-products/nozomi-networks-unveils-ai-powered-cybersecurity-analysis-response-engine/">article</a></strong>.</p></li></ul><h3>Software Supply Chain Security</h3><p>Generative AI and LLMs can be used to read and understand software code, potentially identifying areas of vulnerability that human analysts might miss. They can also generate patches or suggest modifications to rectify these vulnerabilities. This falls under the themes of <em>Code Review and Vulnerability Detection</em> and <em>Prioritization</em>.</p><h4><strong>Veracode</strong></h4><p><strong><a href="https://www.veracode.com/fix">Veracode Fix</a></strong> is another example of AI application in software supply chain security. Veracode Fix uses a generative pre-trained transformer engine to provide automatic code suggestions on how to remediate security flaws discovered after scanning software. It has been trained using Veracode&#8217;s already existing knowledge base of more than 140 trillion lines of code and its 17 years of security research. 
This <strong><a href="https://siliconangle.com/2023/04/18/veracode-announces-gpt-powered-find-fix-solution-software-developers/">article</a></strong> provides more details on their implementation.</p><h4><strong>Codium AI</strong> </h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!FTp5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb6b3b-ea65-48bf-b7fa-b4ab0913e532_1974x918.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!FTp5!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb6b3b-ea65-48bf-b7fa-b4ab0913e532_1974x918.png 424w, https://substackcdn.com/image/fetch/$s_!FTp5!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb6b3b-ea65-48bf-b7fa-b4ab0913e532_1974x918.png 848w, https://substackcdn.com/image/fetch/$s_!FTp5!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb6b3b-ea65-48bf-b7fa-b4ab0913e532_1974x918.png 1272w, https://substackcdn.com/image/fetch/$s_!FTp5!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb6b3b-ea65-48bf-b7fa-b4ab0913e532_1974x918.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!FTp5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb6b3b-ea65-48bf-b7fa-b4ab0913e532_1974x918.png" width="1456" height="677" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/cabb6b3b-ea65-48bf-b7fa-b4ab0913e532_1974x918.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:677,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Visual Studio Code: Create tests for function&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Visual Studio Code: Create tests for function" title="Visual Studio Code: Create tests for function" srcset="https://substackcdn.com/image/fetch/$s_!FTp5!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb6b3b-ea65-48bf-b7fa-b4ab0913e532_1974x918.png 424w, https://substackcdn.com/image/fetch/$s_!FTp5!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb6b3b-ea65-48bf-b7fa-b4ab0913e532_1974x918.png 848w, https://substackcdn.com/image/fetch/$s_!FTp5!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb6b3b-ea65-48bf-b7fa-b4ab0913e532_1974x918.png 1272w, https://substackcdn.com/image/fetch/$s_!FTp5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcabb6b3b-ea65-48bf-b7fa-b4ab0913e532_1974x918.png 1456w" sizes="100vw" loading="lazy"></picture></div></a><figcaption class="image-caption">Codium AI&#8217;s Testing Solution in Action.</figcaption></figure></div><p>TestGPT from <strong><a href="https://www.codium.ai/">Codium AI</a></strong> is an IDE extension that enables an iterative process of generating tests and then tweaking code based on the outcomes of those tests. This interaction with the developer helps the tool understand the code better and generate more accurate and meaningful tests while guiding the developer to write better code. More about their implementation can be found in this <strong><a href="https://venturebeat.com/ai/testgpt-a-generative-ai-tool-for-ensuring-code-integrity-is-released-for-beta/">VentureBeat article</a></strong>.</p><h4><strong>GitLab</strong></h4><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!TaZL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a4ce8a8-1edb-47a9-aa37-7edb84ab7cf7_2352x1718.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!TaZL!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a4ce8a8-1edb-47a9-aa37-7edb84ab7cf7_2352x1718.png 424w, https://substackcdn.com/image/fetch/$s_!TaZL!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a4ce8a8-1edb-47a9-aa37-7edb84ab7cf7_2352x1718.png 848w, 
https://substackcdn.com/image/fetch/$s_!TaZL!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a4ce8a8-1edb-47a9-aa37-7edb84ab7cf7_2352x1718.png 1272w, https://substackcdn.com/image/fetch/$s_!TaZL!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a4ce8a8-1edb-47a9-aa37-7edb84ab7cf7_2352x1718.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!TaZL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a4ce8a8-1edb-47a9-aa37-7edb84ab7cf7_2352x1718.png" width="1456" height="1064" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7a4ce8a8-1edb-47a9-aa37-7edb84ab7cf7_2352x1718.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1064,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;9 Tests > webgoat \nGitLab.org > \n> Vulnerability Report > \n41857351 \nNeeds triage Detected &#8226; Apr 19, 2022, 7:02 PM in pipeline 520134833 \nImproper Restriction of XML External Entity Reference ('XXE') \nDescription \nXML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML rece \nSeverity: Critical \nProject: GitLab.org / security-products / Tests / webgoat \nTool: SAST \nScanner: Semgrep \nLocation \nFile: webgoat-lessons/xxe/src/main/java.org/owasp/webgoat/plugin/Comments.java:70 \nIdentifiers \nCWE-611 \n&#8226; Find Security Bugs-XXE_XMLSTREAMREADER \n@ Explain this vulnerability and how to mitigate it with Al Experiment \nThis is an experimental feature that uses Al to explain the vulnerability and provide recommendations. \nPlease provide your feedback and ideas in this issue. 
\nTry it out \nLinked items \nLink issues together to show that they're related. Learn more. \nExplain this vulnerability \nThis response is generated by Al. \nImproper Restriction of XML \nExternal Entity Reference \n('XXE') Vulnerability \nx \nExplanation \nThe vulnerability \&quot;Improper Restriction of XML \nExternal Entity Reference ('XXE')\&quot; occurs when an \napplication processes XML input from untrusted \nsources, allowing an attacker to read files, execute \nremote code, or perform other malicious actions on \nthe server. The vulnerability is caused by the \napplication failing to properly restrict the use of \nexternal entities in XML input. \nIn the provided code snippet, the vulnerability is \npresent in the parseXML method, where an XML \ninput is passed to the createXMLStreamReader \nmethod without proper validation. This allows an \nattacker to include external entities in the XML input, \nwhich can be used to read files or execute remote \ncode. \nExploitation \nTo exploit this vulnerability, an attacker can craft a \nmalicious XML input that includes an external entity \nthat points to a sensitive file on the server. For \nexample: \nversion=\&quot;1.O\&quot; encoding=\&quot;UTF-8 \nfoo &quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="9 Tests > webgoat 
GitLab.org > 
> Vulnerability Report > 
41857351 
Needs triage Detected &#8226; Apr 19, 2022, 7:02 PM in pipeline 520134833 
Improper Restriction of XML External Entity Reference ('XXE') 
Description 
XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML rece 
Severity: Critical 
Project: GitLab.org / security-products / Tests / webgoat 
Tool: SAST 
Scanner: Semgrep 
Location 
File: webgoat-lessons/xxe/src/main/java.org/owasp/webgoat/plugin/Comments.java:70 
Identifiers 
CWE-611 
&#8226; Find Security Bugs-XXE_XMLSTREAMREADER 
@ Explain this vulnerability and how to mitigate it with Al Experiment 
This is an experimental feature that uses Al to explain the vulnerability and provide recommendations. 
Please provide your feedback and ideas in this issue. 
Try it out 
Linked items 
Link issues together to show that they're related. Learn more. 
Explain this vulnerability 
This response is generated by Al. 
Improper Restriction of XML 
External Entity Reference 
('XXE') Vulnerability 
x 
Explanation 
The vulnerability &quot;Improper Restriction of XML 
External Entity Reference ('XXE')&quot; occurs when an 
application processes XML input from untrusted 
sources, allowing an attacker to read files, execute 
remote code, or perform other malicious actions on 
the server. The vulnerability is caused by the 
application failing to properly restrict the use of 
external entities in XML input. 
In the provided code snippet, the vulnerability is 
present in the parseXML method, where an XML 
input is passed to the createXMLStreamReader 
method without proper validation. This allows an 
attacker to include external entities in the XML input, 
which can be used to read files or execute remote 
code. 
Exploitation 
To exploit this vulnerability, an attacker can craft a 
malicious XML input that includes an external entity 
that points to a sensitive file on the server. For 
example: 
version=&quot;1.O&quot; encoding=&quot;UTF-8 
foo " title="9 Tests > webgoat 
GitLab.org > 
> Vulnerability Report > 
41857351 
Needs triage Detected &#8226; Apr 19, 2022, 7:02 PM in pipeline 520134833 
Improper Restriction of XML External Entity Reference ('XXE') 
Description 
XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML rece 
Severity: Critical 
Project: GitLab.org / security-products / Tests / webgoat 
Tool: SAST 
Scanner: Semgrep 
Location 
File: webgoat-lessons/xxe/src/main/java.org/owasp/webgoat/plugin/Comments.java:70 
Identifiers 
CWE-611 
&#8226; Find Security Bugs-XXE_XMLSTREAMREADER 
@ Explain this vulnerability and how to mitigate it with Al Experiment 
This is an experimental feature that uses Al to explain the vulnerability and provide recommendations. 
Please provide your feedback and ideas in this issue. 
Try it out 
Linked items 
Link issues together to show that they're related. Learn more. 
Explain this vulnerability 
This response is generated by Al. 
Improper Restriction of XML 
External Entity Reference 
('XXE') Vulnerability 
x 
Explanation 
The vulnerability &quot;Improper Restriction of XML 
External Entity Reference ('XXE')&quot; occurs when an 
application processes XML input from untrusted 
sources, allowing an attacker to read files, execute 
remote code, or perform other malicious actions on 
the server. The vulnerability is caused by the 
application failing to properly restrict the use of 
external entities in XML input. 
In the provided code snippet, the vulnerability is 
present in the parseXML method, where an XML 
input is passed to the createXMLStreamReader 
method without proper validation. This allows an 
attacker to include external entities in the XML input, 
which can be used to read files or execute remote 
code. 
Exploitation 
To exploit this vulnerability, an attacker can craft a 
malicious XML input that includes an external entity 
that points to a sensitive file on the server. For 
example: 
version=&quot;1.O&quot; encoding=&quot;UTF-8 
foo " srcset="https://substackcdn.com/image/fetch/$s_!TaZL!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a4ce8a8-1edb-47a9-aa37-7edb84ab7cf7_2352x1718.png 424w, https://substackcdn.com/image/fetch/$s_!TaZL!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a4ce8a8-1edb-47a9-aa37-7edb84ab7cf7_2352x1718.png 848w, https://substackcdn.com/image/fetch/$s_!TaZL!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a4ce8a8-1edb-47a9-aa37-7edb84ab7cf7_2352x1718.png 1272w, https://substackcdn.com/image/fetch/$s_!TaZL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7a4ce8a8-1edb-47a9-aa37-7edb84ab7cf7_2352x1718.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" 
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">GitLab&#8217;s Vulnerability Explainer in Action</figcaption></figure></div><p><strong><a href="https://about.gitlab.com/">GitLab</a></strong> has introduced a new security feature that leverages AI to explain vulnerabilities to developers, streamlining the process of identifying and remediating security risks in code. You can read more about their implementation in this <strong><a href="https://techcrunch.com/2023/04/24/gitlabs-new-security-feature-uses-ai-to-explain-vulnerabilities-to-developers/">TechCrunch article</a></strong>.</p><h3>Threat Intelligence</h3><p>Generative AI and LLMs can be used to analyze vast amounts of threat intelligence data, identifying key threats and providing detailed, real-time assessments of the threat landscape. This falls under the themes of Threat Detection and Prioritization, and Summarization and Explanation.</p><p><strong>Fletch AI</strong></p><p><strong><a href="https://fletch.ai/">Fletch AI</a></strong>'s solution aims to sift through the entire threat landscape to identify major threats before they appear in the news. It correlates threats to a company&#8217;s tech stack, geolocation(s), and industry exposure, and then acts as an early warning system by delivering a daily report of the threats most relevant to an organization. It also delivers personalized advice to prevent, fix, understand, and communicate threats. 
You can find more about their solution <strong><a href="https://fletch.ai/resources/introducing-the-new-fletch-feed">here</a></strong>, and <strong><a href="https://fletch.ai/resources/remediation-without-the-guesswork">here</a></strong>.</p><p><strong>Recorded Future</strong></p><p><strong><a href="https://www.recordedfuture.com/">Recorded Future</a></strong> recently released what it claims to be the first AI for threat intelligence. This tool uses OpenAI's GPT model to process threat intel and generate real-time assessments of the threat landscape. The model was trained on more than 10 years of insights taken from Recorded Future's research team and 100 terabytes of data from various sources. Their tool enriches threat intel by providing human users with generated reports they can use to gain more context around security incidents that may impact their organization and how to respond effectively. You can read more about their implementation <strong><a href="https://venturebeat.com/security/gpt-has-entered-the-security-threat-intelligence-chat/">here</a></strong>.</p><h3>Incident Response</h3><p>In the aftermath of a cybersecurity incident, generative AI and LLMs can be used to generate detailed, understandable reports, helping stakeholders to understand what happened, how it was resolved, and what steps need to be taken to prevent a similar incident in the future. This falls under the theme of <em>Summarizers, Explainers, </em>and<em> Advisors</em>.</p><h4><strong>Microsoft</strong></h4><ul><li><p><strong><a href="https://betanews.com/2023/04/06/microsoft-365-defender-is-now-ai-powered/">Microsoft introduced Microsoft 365 Defender Automation Attack Disruption</a></strong> which can scan multiple endpoints, quickly identifying red flags such as suspicious email locations. Once a threat is detected, it can isolate the compromised account and halt all transactions. 
This tool enhances incident response by automating the detection and containment of threats, reducing the time and effort required by human analysts.</p></li></ul><h3>Data Security</h3><p>Generative AI and LLMs can help identify, classify, and safeguard sensitive data by monitoring access, leveraging data classification, encryption, and anonymization, ensuring robust protection for highly sensitive data. This aligns with the <em>Prioritization</em> theme because, of course, you want to prioritize security for sensitive data.</p><h4><strong>BigID's BigAI</strong></h4><ul><li><p>BigID has launched <strong><a href="https://bigid.com/">BigAI</a></strong>, a privacy-by-design LLM designed to discover and protect sensitive data. BigAI scans structured and unstructured data, whether stored in the cloud or on-premises, using a mix of ML-driven classification and generative AI to suggest titles and descriptions for data tables, columns, and clusters so they&#8217;re easier to locate via search. More about their implementation can be found in this <strong><a href="https://venturebeat.com/2023/04/06/bigid-launches-bigai-a-privacy-by-design-llm-designed-to-discover-and-protect-sensitive-data/">article</a></strong>.</p></li></ul><h4><strong>Cado Security's MaskedAI</strong></h4><ul><li><p>Cado Security has debuted <strong><a href="https://www.cadosecurity.com/">MaskedAI</a></strong>, an open-source library that enables more secure use of Large Language Model (LLM) APIs, such as OpenAI/GPT-4, without sending out sensitive information. Masked-AI replaces sensitive data with a placeholder and sends the masked request to the API. The solution stores a lookup table locally and later uses it to reconstruct the API output so that it includes the sensitive data for the user to consume. 
More about their implementation can be found in this <strong><a href="https://www.msspalert.com/cybersecurity-services-and-products/ai/cado-security-debuts-masked-ai-to-secure-sensitive-data-of-public-apis/">article</a></strong>.</p></li></ul><h2>Cloud Provider Implementations</h2><p>Cloud providers are perfectly positioned to tap into the game-changing potential of Generative AI and LLMs. With their vast computational resources, treasure troves of data, and teams of PhDs, they are uniquely positioned to bring to market advanced security solutions that can reach a global audience. In this section, we dive into the work of Google and Microsoft, two titans that are leveraging Generative AI and LLMs to redefine the landscape of cybersecurity. </p><p>Notice how I didn&#8217;t include AWS. The reason is that they&#8217;ve been slow to move on this front and haven&#8217;t publicly announced any security features that leverage these technologies. Were they caught off guard or are they waiting to see what&#8217;s worth their investment? 
&#129300;</p><h3><strong>Google Cloud</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!6WOy!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb94648e-f880-48cc-b4e4-5e4f5a84f413_1434x772.gif" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!6WOy!,w_424,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb94648e-f880-48cc-b4e4-5e4f5a84f413_1434x772.gif 424w, https://substackcdn.com/image/fetch/$s_!6WOy!,w_848,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb94648e-f880-48cc-b4e4-5e4f5a84f413_1434x772.gif 848w, https://substackcdn.com/image/fetch/$s_!6WOy!,w_1272,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb94648e-f880-48cc-b4e4-5e4f5a84f413_1434x772.gif 1272w, https://substackcdn.com/image/fetch/$s_!6WOy!,w_1456,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb94648e-f880-48cc-b4e4-5e4f5a84f413_1434x772.gif 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!6WOy!,w_1456,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb94648e-f880-48cc-b4e4-5e4f5a84f413_1434x772.gif" width="1434" height="772" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/cb94648e-f880-48cc-b4e4-5e4f5a84f413_1434x772.gif&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:772,&quot;width&quot;:1434,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;https://storage.googleapis.com/gweb-cloudblog-publish/original_images/workbench-2x.gif&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/workbench-2x.gif" title="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/workbench-2x.gif" srcset="https://substackcdn.com/image/fetch/$s_!6WOy!,w_424,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb94648e-f880-48cc-b4e4-5e4f5a84f413_1434x772.gif 424w, https://substackcdn.com/image/fetch/$s_!6WOy!,w_848,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb94648e-f880-48cc-b4e4-5e4f5a84f413_1434x772.gif 848w, https://substackcdn.com/image/fetch/$s_!6WOy!,w_1272,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb94648e-f880-48cc-b4e4-5e4f5a84f413_1434x772.gif 1272w, https://substackcdn.com/image/fetch/$s_!6WOy!,w_1456,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb94648e-f880-48cc-b4e4-5e4f5a84f413_1434x772.gif 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container 
restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong><a href="https://www.youtube.com/watch?v=OBnylC91RCk">Google Cloud launched the Google Cloud Security AI Workbench at RSA</a></strong>, a new platform backed by the Sec-PaLM LLM which is specifically fine-tuned for security use cases. The model leverages Google&#8217;s massive trove of insights into the security landscape paired with Mandiant&#8217;s threat intelligence from being out in the trenches for nearly two decades. What stood out to me the most is that they may soon allow customers to privately connect their own data to the LLM. 
Below are the use cases covered in their release, broken down into themes:</p><ul><li><p><strong>Summarizers, Explainers, and Advisors</strong></p><ul><li><p><strong>Chronicle AI</strong>: Uses generative AI to summarize query results and provide an interactive interface for exploring security events.</p></li><li><p><strong>Mandiant Threat Intelligence AI</strong>: Summarizes key insights and Indicators of Compromise (IoCs) across threat intel reports, providing a concise overview of potential threats.</p></li><li><p><strong>Security Command Center Attack Path Simulation</strong>: Generates human-readable summaries and explanations of attack paths, providing a clear overview of potential threats and vulnerabilities.</p><p></p></li></ul></li><li><p><strong>Natural Language Processing (NLP) to Code Generation</strong></p><ul><li><p><strong>Chronicle AI</strong>: Transforms natural language into actionable queries and detections, allowing users to interact with billions of security events.</p></li><li><p><strong>Assured OSS</strong>: Enhances Google Cloud&#8217;s OSS vulnerability management solution by adding more coverage for open-source software (OSS) packages.</p></li><li><p><strong>Mandiant Threat Intelligence AI</strong>: Employs generative AI to quickly find, summarize, and act on threats relevant to your organization, translating natural language descriptions into actionable insights.</p></li></ul></li></ul><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!OoAq!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec612962-6ede-4743-a6d6-416f5dbfcce6_1600x713.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!OoAq!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec612962-6ede-4743-a6d6-416f5dbfcce6_1600x713.jpeg 424w, https://substackcdn.com/image/fetch/$s_!OoAq!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec612962-6ede-4743-a6d6-416f5dbfcce6_1600x713.jpeg 848w, https://substackcdn.com/image/fetch/$s_!OoAq!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec612962-6ede-4743-a6d6-416f5dbfcce6_1600x713.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!OoAq!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec612962-6ede-4743-a6d6-416f5dbfcce6_1600x713.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!OoAq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec612962-6ede-4743-a6d6-416f5dbfcce6_1600x713.jpeg" width="1456" height="649" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ec612962-6ede-4743-a6d6-416f5dbfcce6_1600x713.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:649,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;VirusTotal Code Insight&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="VirusTotal Code Insight" title="VirusTotal Code Insight" 
srcset="https://substackcdn.com/image/fetch/$s_!OoAq!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec612962-6ede-4743-a6d6-416f5dbfcce6_1600x713.jpeg 424w, https://substackcdn.com/image/fetch/$s_!OoAq!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec612962-6ede-4743-a6d6-416f5dbfcce6_1600x713.jpeg 848w, https://substackcdn.com/image/fetch/$s_!OoAq!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec612962-6ede-4743-a6d6-416f5dbfcce6_1600x713.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!OoAq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fec612962-6ede-4743-a6d6-416f5dbfcce6_1600x713.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" 
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a><figcaption class="image-caption">VirusTotal&#8217;s new Code Insight feature leverages Google Cloud&#8217;s Security AI Workbench to describe what it found in a malicious PowerShell file.</figcaption></figure></div><ul><li><p><strong>Reverse Engineering</strong></p><ul><li><p><strong>Malware Analysis:</strong> VirusTotal&#8217;s <strong><a href="https://www.bleepingcomputer.com/news/security/virustotal-now-has-an-ai-powered-malware-analysis-feature/">Code Insight</a></strong> leverages Google Cloud&#8217;s Security AI Workbench and the Sec-PaLM LLM to deconstruct and analyze potentially harmful files. It then describes the findings in simple human language, a task that would previously take an experienced reverse engineer at least a couple of hours depending on the complexity of the file.</p></li></ul></li></ul><h3><strong>Microsoft Azure</strong></h3><p>Microsoft introduced a new tool called <strong><a href="https://thehackernews.com/2023/03/microsoft-introduces-gpt-4-ai-powered.html">Security Copilot</a></strong>. This tool is powered by OpenAI's GPT-4 generative AI and Microsoft's own security-specific model, marking a significant stride in Microsoft's ongoing efforts to incorporate AI-oriented features for end-to-end defense. Below are some of the features introduced in Security Copilot: </p><ul><li><p><strong>Natural Language Processing (NLP) to Code Generation</strong></p><ul><li><p><strong>Threat Detection Rule and Query Generators:</strong> Security Copilot allows users to ask about suspicious user logins over a specific time period in plain language. 
This feature leverages generative AI to translate natural language into queries, enabling the system to sift through vast amounts of data and identify potential security threats.</p></li></ul></li><li><p><strong>Summarizers, Explainers, and Advisors</strong></p><ul><li><p><strong>Incident Response Post-mortems:</strong> Security Copilot can be employed to create a PowerPoint presentation outlining an incident and its attack chain. This feature uses generative AI to analyze the details of a security incident and generate a concise, easy-to-understand summary of what happened, why it happened, and what the impact was.</p></li></ul></li><li><p><strong>Code Analysis</strong></p><ul><li><p><strong>Threat Analysis:</strong> Security Copilot can accept files, URLs, and code snippets for analysis. This feature leverages generative AI to scrutinize the provided code or content, identify potential vulnerabilities or threats, and provide detailed reports on the findings.</p></li></ul></li><li><p><strong>Reverse Engineering</strong></p><ul><li><p><strong>Malware Analysis:</strong> Security Copilot has the capability to reverse engineer exploits. This feature uses generative AI to deconstruct and analyze potentially harmful files or code, providing detailed insights into how a piece of malware functions and how to defend against it.</p></li></ul></li></ul><p>Also, it&#8217;s key to note that Microsoft&#8217;s 3-day developer conference, Microsoft Build, kicks off today, and while it&#8217;s not security-focused, you can bet your top dollar that generative AI will be a key theme. The show starts at 12PM ET with a keynote from CEO Satya Nadella; you can watch it live <strong><a href="https://www.msn.com/en-us/news/technology/how-to-watch-the-microsoft-build-2023-keynote-livestream/ar-AA1bz4xv">here</a></strong>. Maybe we&#8217;ll see some cool new stuff for Security Copilot and/or GitHub Copilot? 
&#129300; </p><div><hr></div><h2>Other Use Cases to Consider</h2><p>This next section quickly covers a number of potential use cases that I didn&#8217;t touch on in the previous section. </p><h3>Red Team Use Cases</h3><ol><li><p><strong>Penetration Testing:</strong> LLMs can be used to automate parts of the penetration testing process. This could involve anything from identifying potential attack vectors to actually executing the attack, such as by exploiting known vulnerabilities or launching brute-force attacks.</p></li><li><p><strong>Social Engineering Attacks</strong>: Generative AI can be used to craft convincing phishing emails or other types of deceptive communication. It could also potentially be used for vishing (voice phishing), by mimicking a person's voice to trick a victim into revealing sensitive information.</p></li><li><p><strong>Automating Exploit Generation:</strong> LLMs could potentially be trained to generate new exploits based on known vulnerability types. This could allow a red team to quickly develop a wide range of attacks for testing purposes.</p></li><li><p><strong>Password Cracking:</strong> LLMs can be used to generate lists of potential passwords based on patterns identified in previous data breaches. This could make brute-force attacks more efficient by focusing on the most likely passwords first.</p></li><li><p><strong>Automating Reconnaissance:</strong> LLMs could automate the process of gathering and analyzing publicly available information about a target, which is often the first step in planning an attack.</p></li></ol><h3>Miscellaneous Use Cases</h3><ol><li><p><strong>Security Awareness Training:</strong> Generative AI can create realistic phishing emails, spoof websites, or other potential security threats for training purposes. 
This can help employees to recognize and respond appropriately to these threats, thereby reducing the risk of successful cyber attacks.</p></li><li><p><strong>Policy and Compliance Management:</strong> LLMs can be used to read, understand, and summarize complex regulatory documents, helping organizations to ensure that their cybersecurity policies and practices are in compliance with relevant laws and standards.</p></li></ol><div><hr></div><h2>Metrics</h2><p>Before we close out, I&#8217;d like to talk to you about your car&#8217;s extended warranty. Kidding. Metrics. If you can&#8217;t measure it, you can&#8217;t track it. Most mature security and product organizations rely heavily on metrics to make better-informed decisions and to tell whether they are headed in the right direction. Keep in mind that the impact any solution has on metrics will vary depending on the implementation, the context in which it is used, and most importantly, the adeptness of the people leveraging the technology. </p><p>Below are 7 metrics generative AI security solutions can help with:</p><ol><li><p>Time to detection</p></li><li><p>Time to remediation</p></li><li><p>Time to threat containment</p></li><li><p>Time to production</p></li><li><p>Time to recover</p></li><li><p>False Positive/Negative Rates</p></li><li><p>Incident response time</p></li></ol><div><hr></div><h2>Conclusion</h2><p>If you're feeling a bit skeptical about Generative AI and LLMs, I get it. After all, they're not perfect and can sometimes produce results that aren't quite up to scratch. But don't let that deter you, because you&#8217;ll inevitably end up leveraging these types of solutions. There's a lot of work being done to prevent AI "hallucinations"; one example is <strong><a href="https://github.com/NVIDIA/NeMo-Guardrails">NVIDIA's NeMo Guardrails</a></strong>. And when it comes to data privacy and security, as long as you're following the right protocols, these technologies can be a powerful asset. 
<strong><a href="https://team8.vc/rethink/cyber/a-cisos-guide-generative-ai-and-chatgpt-enterprise-risks/">Team8 has come up with a great guide</a></strong> on how to manage generative AI risks in the enterprise. </p><p>Generative AI-backed security solutions are by no means a magic wand, but they can help in a number of ways. They can help with SecOps, Incident Response, Offensive Security, and Software Supply Chain Security, and they help bridge the skills gap in cybersecurity. And let's not forget, our adversaries are already using these technologies. So, why shouldn't we? &#129335;&#127998;&#8205;&#9794;&#65039;</p><p>In a follow-up post, I'll be diving into the world of custom in-house autonomous security agents and why I believe they're the future of cybersecurity. But I'd love to hear your thoughts. What do you think about all this? Have I missed anything important? Your feedback is always welcome. I&#8217;d love to keep the conversation going! </p><div><hr></div><p><strong>Enjoyed this post? I'd be thrilled if you could subscribe and share it with your network. I create these posts in my spare moments, and seeing the reader community expand truly fuels my motivation to write more. And if you're feeling particularly generous, you could even <a href="https://www.buymeacoffee.com/salazardarn">buy me a coffee</a> </strong>&#9749;<strong> . Thanks for reading, your support means a ton! 
</strong></p>]]></content:encoded></item></channel></rss>