The conversation explores how AI is shifting the entry path for new security practitioners, why deep research and critical thinking remain essential skills, and how experienced testers are embedding their knowledge into agent workflows using tools like Claude Code. Jason also discusses practical experimentation with AI assistants such as OpenClaw, including prompt-injection defenses, guardrails, and the operational risks of running autonomous systems.

The episode also addresses the growing debate around AI-generated code and AI-driven vulnerability discovery, highlighting the difference between marketing claims and real-world results. It closes with a discussion on why the industry needs better benchmarks and evaluation methods to measure whether AI security tools actually find meaningful vulnerabilities.

00:00–02:14 — Introduction to Jason Haddix and how his journey from bug hunter to Arcanum founder shapes his perspective on AI in security

02:14–08:00 — How AI agents are beginning to automate penetration testing workflows while still relying on expert methodology

08:00–10:45 — Why human expertise remains critical even as security automation improves

10:45–17:10 — How AI is changing the learning curve for the next generation of pentesters

17:10–25:27 — How agent frameworks and skills are transforming security tool building

25:27–35:41 — Security risks and defenses when running AI assistants like OpenClaw

35:41–40:32 — The rise of AI-powered personal assistants for research and security workflows

40:32–42:55 — Why the cybersecurity community is rapidly adopting AI tools

42:55–46:42 — How AI improves security coverage and turnaround time at scale

46:42–50:31 — Why newer models like Opus 4.5 unlocked practical AI security workflows

50:31–56:48 — The debate on whether AI should generate secure code or detect vulnerabilities

56:48–01:01:18 — Why AI security needs better evaluation benchmarks and real-world testbeds

Tune in for a deep dive!

Connect with Jason Haddix:

LinkedIn: ⁠⁠⁠⁠https://www.linkedin.com/in/jhaddix/

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

X: ⁠⁠⁠⁠https://x.com/anshuman_bh

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

⁠⁠⁠⁠Instagram: anshuman.bhartiya

Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠ anandsandesh

X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans

For years, application security has operated on a familiar model: siloed reviews, tool-driven findings, and periodic assessments that struggle to keep pace with modern development. AI doesn’t eliminate those pressures, it amplifies them. Code is generated faster, systems are more interconnected, and the surface area of change expands weekly.

The conversation explores agent-based workflows through tools like OpenClaw, not as novelty, but as a signal of a broader shift: from manually operating tools to orchestrating fleets of agents. As AI interfaces move from chat windows to terminals to messaging environments, security teams must reconsider where workflows live and how context is preserved across them.

For decades, AppSec has struggled to build a reliable understanding of what systems exist and how they connect. Large language models may finally make it possible to construct living maps of components, data flows, and trust boundaries enabling assessments that talk to each other instead of existing in isolation.

The discussion also revisits threat modeling, not as a compliance artifact, but as a foundation for system-wide reasoning. If AI can automate baseline coverage and reduce repetitive toil, security teams may return to their original purpose: high-leverage risk judgment on critical systems. This leads to a broader debate whether AppSec as a distinct function evolves, shrinks, or dissolves into engineering itself and what the enduring “maker–checker” model of risk management demands in an AI-native world.

Finally, the episode reflects on the role of large AI labs in security: the gap between ambitious claims and shipped products, and what that means for founders and security leaders navigating change.

00:00–02:15 — Why this is a no-guest episode & what’s changed since last year

02:15–06:30 — AI co-authoring, productivity gains, and writing workflows

06:30–10:20 — OpenClaw architecture, agent risks, and prompt injection realities

10:20–14:00 — The shifting UI of AI: chat → terminal → messaging agents

14:00–18:30 — Agent orchestration vs siloed security tooling

18:30–23:00 — Context graphs and assessments that “talk” to each other

23:00–27:30 — Threat modeling’s evolution and system-wide visibility

27:30–31:00 — Why inventory is still AppSec’s hardest problem

31:00–34:30 — Personal AI stacks: Obsidian, memory layers, and query tools

34:30–37:30 — Open source in the age of AI-generated PR spam

37:30–40:00 — AI labs: what they ship vs what they say

40:00–44:00 — Will AppSec disappear? A serious debate

44:00–48:00 — Maker–checker risk models in an AI-driven org

48:00–51:00 — Where AI replaces toil — and where humans stay critical

51:00–End — 2026 predictions for AI security and product security

Tune in for a deep dive!

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

X: ⁠⁠⁠⁠https://x.com/anshuman_bh

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

⁠⁠⁠⁠Instagram: anshuman.bhartiya

Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠ anandsandesh

X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans

Drawing parallels to DeFi exploits and smart contract failures, he explains why agent identity, short-lived delegated authorization, and zero trust aren’t optional add-ons, but the foundation for safely running autonomous systems.

We also dive into context compression as both a performance and security challenge, the real difference between MCP and skills, and a future where humans may stop reviewing code altogether. As agents become the primary actors on the internet, even writing itself begins to change in an AI-scraped world.

If agents are non-deterministic by design, the real question becomes: where do we reintroduce determinism?

00:00 — AI agents as the next security reset moment. History repeating: automation + composability = new attack surfaces

03:25 — Challenges of context compression in AI

07:39 — Access control in a non-deterministic system and compaction issues

11:22 — MCP vs skills: horizontal infrastructure meets vertical execution logic

18:06 — Agent identity and security practices. Static credentials collapse under autonomous agent behavior

30:06 — The future of coding with AI agents

31:31 — DeFi attacks, composability issues, and how non-determinism multiplies risk

35:14 — Writing for humans vs writing for LLMs. Content, authenticity, and the economics of scraping

44:42 — Transition from academia to startup founder

Tune in for a deep dive!

Connect with Jens Ernstberger:

Website: https://ernstberger.xyz/

LinkedIn: https://www.linkedin.com/in/jens-ernstberger-phd-96b0ba14a/

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠⁠⁠anshumanbhartiya⁠⁠

X: ⁠⁠⁠⁠⁠⁠https://x.com/anshuman_bh⁠⁠

Website: ⁠⁠⁠⁠⁠⁠https://anshumanbhartiya.com/⁠⁠

⁠⁠⁠⁠Instagram: ⁠⁠anshuman.bhartiya⁠

⁠⁠⁠Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠⁠⁠anandsandesh⁠⁠

X: ⁠⁠⁠⁠⁠⁠https://x.com/JubbaOnJeans

For decades, security has relied on a comforting assumption: systems are predictable, and control flows are deterministic. Generative AI breaks that assumption. It introduces non-determinism and dramatically increases the speed and volume of change; security teams face a scaling problem that traditional workflows can’t keep up with.

We explore how AI can act as a force multiplier for defenders, boosting individual productivity and automating high-toil workflows, while also forcing a hard rethink of “human in the loop” models that add friction without real control.

The conversation goes deep into context engineering, decision traces, and explainability and why understanding why a system acted is becoming as important as what it did. We close by exploring how security leaders should evaluate tools in this new era: moving away from process-driven checklists toward outcome-based measures, and preparing for an industry on the brink of meaningful structural change.

00:00–02:49 — Introduction to AI security and Ankur’s platform-security journey

02:49–05:27 — What changes (and what doesn’t) in AI security fundamentals

05:27–09:18 — Scaling security in a probabilistic, AI-generated code world

09:18–10:30 — Embracing AI as defenders

10:30–13:46 — Productivity gains from LLMs for security engineers

13:46–20:06 — Human-in-the-loop vs autonomous agents in security workflows

20:06–22:25 — Context graphs, observability, and decision traces

22:25–32:01 — Explainability, mechanistic interpretability, and security trust

32:01–35:36 — How security teams evaluate tools, platforms, and outcomes

35:36–42:42 — Measuring security outcomes, velocity, and cost trade-offs

42:42–46:46 — False positives, false negatives, and revealed preferences

46:46–50:16 — LLMs as triage engines and force multipliers for security

50:16–52:51 — Underlying fears in the security industry

52:51–55:05 — Context engineering, platforms, and the future of security teams

Tune in for a deep dive!

Connect with Ankur Chakraborty:

LinkedIn: https://www.linkedin.com/in/ankurchakraborty/

Substack: https://machinesagainsthumanity.substack.com/

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠⁠⁠anshumanbhartiya⁠⁠

X: ⁠⁠⁠⁠⁠⁠https://x.com/anshuman_bh⁠⁠

Website: ⁠⁠⁠⁠⁠⁠https://anshumanbhartiya.com/⁠⁠

⁠⁠⁠⁠Instagram: ⁠⁠anshuman.bhartiya⁠

⁠⁠⁠Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠⁠⁠anandsandesh⁠⁠

X: ⁠⁠⁠⁠⁠⁠https://x.com/JubbaOnJeans

We also discuss where agent identity is headed, how insurance may play a role in managing AI-driven risk, and what security teams need to rethink as AI systems become active participants rather than passive components.

00:00–02:15 — Beyond AI hype: why security and agent identity matter

02:15–09:18 — Understanding identity in the age of AI agents

09:18–13:41 — Why service accounts and OAuth break down for agents

13:41–20:11 — Granular permissions, least privilege, and agent intent

20:11–25:55 — Security risks in agent workflows and prompt-driven systems

25:55–28:34 — Data security, IAM, and the agent exfiltration problem

28:34–30:47 — Non-determinism and rethinking how we secure systems

30:47–32:14 — The agent identity problem on the public internet

32:14–35:10 — Why the internet still lacks real application identity

35:10–39:12 — The future of authentication for agents and bots

39:12–40:28 — Emerging standards, AIUC, and insuring agents

40:28–43:09 — Liability, insurance, and accountability for autonomous systems

43:09–45:51 — How security roles evolve in an agent-native world

45:51–49:23 — Technical attack surfaces: MCPs, poisoned tools, and confusion

49:23–51:32 — Trust, contracts, and responsibility in software ecosystems

51:32–54:28 — Why AI adoption is top-down and what it means for security

Tune in for a deep dive!

Connect with Ian Livingstone:

Website: https://www.ianlivingstone.ca/

Twitter: https://x.com/ianlivingstone

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠⁠⁠anshumanbhartiya⁠⁠

X: ⁠⁠⁠⁠⁠⁠https://x.com/anshuman_bh⁠⁠

Website: ⁠⁠⁠⁠⁠⁠https://anshumanbhartiya.com/⁠⁠

⁠⁠⁠⁠Instagram: ⁠⁠anshuman.bhartiya⁠

⁠⁠⁠Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠⁠⁠anandsandesh⁠⁠

X: ⁠⁠⁠⁠⁠⁠https://x.com/JubbaOnJeans

We discuss why modern security is becoming platform-first, why much of the security vendor market optimizes for finding problems rather than fixing them, and why Kane believes security teams need more engineers and fewer manual processes.

The conversation also digs into AI security, shadow IT (and shadow AI), and the real-world trade-offs between usability and control, especially as low-code and no-code tools become more common inside companies.

00:00–03:25 — Kane’s journey from law enforcement to platform security, shaped by our time at Atlassian

03:25–06:37 — Why enterprise security becomes platform-first faster than AppSec

06:37–09:26 — Why security teams fail when they fight company culture

09:26–13:36 — Platforms vs best-of-breed tools: trade-offs, not ideology

13:36–17:45 — Why most security startups are built to be acquired

17:45–22:16 — Open source agents, and business-specific vulnerability research

22:16–27:09 — AI security, prompt injection, and the access-control problem

27:09–31:29 — Build vs buy in the AI era. Speed is easy, and why maintenance remains the real bottleneck.

31:29–40:42 — Agents, MCPs, and why stopgap solutions dominate today

40:42–48:57 — Shadow AI, low-code automation, and familiar security failures

Tune in for a deep dive!

Connect with Kane Narraway:

LinkedIn: https://www.linkedin.com/in/kane-n/

Blog: https://kanenarraway.com/

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

X: ⁠⁠⁠⁠https://x.com/anshuman_bh

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

⁠⁠⁠⁠Instagram: anshuman.bhartiya

Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠anandsandesh

X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans

• AI for Secure by Default: AI tools provide the best injection point to shift security “all the way left” and move past the reactive “whack-a-mole” approach, because developers are already motivated to use these highly effective tools.

• Changing AppSec Strategy: AI dramatically changes the nature of AppSec by making previously unscalable strategies, such as threat modeling, applicable. AI can generate architecture diagrams on demand by tracing through code.

• The Compliance Bottleneck: The dramatic consolidation of cloud security vendors reflects how compliance-minded the security industry remains. Critical infrastructure misconfigurations (like public databases being left open) often go unaddressed because they are not measured by compliance standards.

• Platform vs. Point Solutions: Travis argues against platforms that are often amalgamations of poorly integrated acquired tools. He suggests buying the single best point solution for a high-leverage problem and using AI capabilities to operationalize and wire it into internal systems, thereby simplifying integrations that platforms traditionally provide.

• The Skeptical Coder: A fundamental limitation of Large Language Models (LLMs) is their desire to “make you happy,” causing them to provide answers even if they are incorrect. Therefore, engineers must use AI output only as a starting point and only consider the code finished when they understand it fully end to end.

• Prompt Injection Defined: Prompt injection is confirmed as a legitimate vulnerability, essentially a rehash of old issues like cross-site scripting and SQL injection, arising from the improper separation between the LLM instruction and the user instruction.
  
  Tune in for a deep dive!
  
  Connect with Travis:

  LinkedIn: travismcpeak

  Company Website: https://cursor.com/

  
  Connect with Anshuman:

  LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

  X: ⁠⁠⁠⁠https://x.com/anshuman_bh

  Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

  ⁠⁠⁠⁠Instagram: anshuman.bhartiya

  
  Connect with Sandesh:

  LinkedIn: ⁠⁠⁠⁠ anandsandesh

  X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans

  Boring AppSec

  E1-27: Getting the Boring aspects of AppSec right E28+: All aspects of building AppSec products

  By Sandesh Mysore Anand

  
  

LinkedIn: myneedu

Company Website: https://www.navan.com

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

X: ⁠⁠⁠⁠https://x.com/anshuman_bh

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

⁠⁠⁠⁠Instagram: ⁠⁠anshuman.bhartiya

Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠anandsandesh

X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans ⁠⁠⁠⁠

Key Takeaways

• AIVSS for Non-Deterministic Risk: The OWASP AIVSS project aims to provide a quantitative measure for core agent AI risks by applying an agent AI risk factor on top of CVSS, specifically addressing the autonomy and non-deterministic nature of AI agents.

• Need for Task-Scoped IAM: Traditional OAuth and SAML are inadequate for agentic systems because they provide coarse-grained, session-scoped access control. New authentication standards must be task-scoped, dynamically removing access once a specific task is complete, and driven by verifying the agent’s intent.

• A2A Security Requires New Protocols: Agent-to-Agent communication (A2A) introduces security issues beyond traditional API security (like BOLA). New systems must utilize protocols for Agent Capability Discovery and Negotiation—validated by digital signatures—to ensure the trustworthiness and promised quality of service from interacting agents.

• Goal Manipulation is a Critical Threat: Sophisticated attacks often utilize context engineering to execute goal manipulation against agents. These attacks include gradually shifting an agent’s objective (crescendo attack), using prompt injection to force the agent to expose secrets (malicious goal expansion), and forcing endless processing loops (exhaustion loop/denial of wallet).

Tune in for a deep dive!

Connect with Ken:

LinkedIn: kenhuang8

Company Website: https://distributedapps.ai/

Substack: https://kenhuangus.substack.com/

Paper (Agent Capability Negotiation and Binding Protocol): https://arxiv.org/abs/2506.13590

Book (Securing AI Agents): https://www.amazon.com/Securing-AI-Agents

AIVSS: https://aivss.owasp.org/

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

X: ⁠⁠⁠⁠https://x.com/anshuman_bh

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

⁠⁠⁠⁠Instagram: anshuman.bhartiya

Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠ anandsandesh

X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans

Key Takeaways

• From Hacker to CEO: Aryaman discusses the transition from an attacker’s mindset, focused on quick exploits, to a CEO’s mindset, which requires patience and long-term relationship building with customers.

• A New Kind of Threat: AI applications introduce a new attack surface built on prompts, knowledge bases, and probabilistic models, which increases the blast radius of potential security breaches compared to traditional software.

• Automated Red Teaming and Defense: Repello’s platform consists of two core products: Artemis, an offensive AI red teaming platform that discovers failure modes , and

• Argus, a defensive guardrail system. The platforms create a continuous feedback loop where vulnerabilities found by Artemis are used to calibrate and create policies for Argus.

• Threat Modeling for AI Agents: For complex agentic systems, a black-box approach is often insufficient. Repello uses a gray-box method where a tool called AgentWiz helps customers generate a threat model based on the agent’s workflow and capabilities, without needing access to the source code.

• The Challenge of Non-Deterministic Vulnerabilities: Unlike traditional software vulnerabilities which are deterministic, AI exploits are probabilistic. An attack like a system prompt leak only needs to succeed once to be effective, even if it fails nine out of ten times.

• The Future of Attacks is Multimodal: Aryaman predicts that as AI applications evolve, major new attack vectors will emerge from new interfaces like voice and image, as their larger latent space offers more opportunities for malicious embeddings.

Tune in for a deep dive!

Connect with Aryaman:

LinkedIn: aryaman-behera

Company Website: https://repello.ai/

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

X: ⁠⁠⁠⁠https://x.com/anshuman_bh

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

⁠⁠⁠⁠Instagram: anshuman.bhartiya

Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠ anandsandesh

X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans

Key Takeaways

• Reducing AppSec Toil: The primary focus of using AI in AppSec is to reduce repetitive tasks (toil) and surface meaningful risks. With AppSec engineers often outnumbered 100 to 1 by developers, AI can help manage the immense volume of work by automating the process of gathering context and assessing risk for findings from SCA, SAST, and secrets scanning.

• Making LLMs More Deterministic: To achieve consistent and high-quality results from non-deterministic LLMs, the key is to use them “as sparingly as possible”. Instead of having an LLM manage an entire workflow, break the problem into smaller pieces, use traditional code for deterministic steps, and reserve the LLM for specific tasks like classification or validation where its strengths are best utilized.

• The Importance of Evals: Continuous and rigorous evaluations (”evals”) are crucial to maintaining quality and consistency in an LLM-powered system. By running a representative dataset against the system every time a change is made—even a small prompt modification—teams can measure the impact and ensure the system’s output remains within desired quality boundaries.

• Context is Key (CAST): Ghost Security is pioneering Contextual Application Security Testing (CAST), an approach that flips traditional scanning on its head. Instead of finding a pattern and then searching for context, CAST first builds a deep understanding of the application by mapping out call paths, endpoints, authentication, and data handling, and then uses that rich context to ask targeted security questions and run specialized agents.

• Prototyping with Frontier vs. Local Models: The typical workflow for prototyping is to first use a powerful frontier model to quickly prove a concept’s value. Once validated, the focus shifts to exploring if the same task can be accomplished with smaller, local models to address cost, privacy, and data governance concerns.

• The Future Skill for AppSec Engineers: Beyond familiarity with LLMs, the most important skill for the next generation of AppSec engineers is the ability to think in terms of scalable, interoperable systems. The future lies in creating systems that can share context and work together—not just within the AppSec team, but across the entire security organization and with development teams—to build a more cohesive and effective security posture.

Tune in for a deep dive into the future of AppSec with AI and AI Agents!

Connect with Brad

LinkedIn: / bradgeesaman

Company Website: https://ghostsecurity.com/

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

X: ⁠⁠⁠⁠https://x.com/anshuman_bh

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

⁠⁠⁠⁠Instagram: anshuman.bhartiya

Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠ anandsandesh

X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans

We discuss the evolving landscape of offensive security in the age of AI. The conversation covers the practical application of AI agents in red teaming, a critical look at industry standards like the OWASP Top 10 for LLMs, and Ad’s hands-on approach to building and evaluating autonomous hacking tools. He shares insights from his work industrializing offensive security with AI, his journey as a self-taught professional, and offers advice for others looking to grow in the field.

Key Takeaways

• AI is a “Force Multiplier,” Not a Replacement: Ad emphasizes that AI should be viewed as a productivity tool that enhances the capabilities of human security professionals, allowing them to scale their efforts and tackle more complex tasks. Human expertise remains critical, especially since much of the data used to train AI models originates from human researchers.

• Prompt Injection is a Mechanism, Not a Vulnerability: A key insight is that “prompt injection” itself isn’t a vulnerability but a method used to deliver an exploit. The discussion highlights a broader critique of security frameworks like the OWASP Top 10, which can sometimes oversimplify complex issues and become compliance checklists rather than practical guides.

• Build Offensive Agents with Small, Focused Tasks: When creating offensive AI agents, the most successful approach is to break down the overall objective into small, concise sub-tasks. For example, instead of a single goal to “find XSS,” an agent would have separate tasks to log in, identify input fields, and then test those inputs.

• Hands-On Learning and Community are Crucial for Growth: As a self-taught professional, Ad advocates for getting deeply involved in the security community through meetups and CTFs. He stresses the importance of hands-on practice—”just play with it”—and curating your information feed by following trusted researchers to cut through the noise and continuously learn.

Tune in for a deep dive into the future of security and the innovative approaches shaping the industry!

Connect with Ads:

Ad’s LinkedIn: adamdawson0

Ad’s website: https://ganggreentempertatum.github.io/

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

X: ⁠⁠⁠⁠https://x.com/anshuman_bh

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

⁠⁠⁠⁠Instagram: anshuman.bhartiya

Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠anandsandesh

X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans

We discuss the evolving landscape of AI security, focusing on the Model Context Protocol (MCP), Enhanced Tool Definition Interface (ETDI), and the AI Vulnerability Scoring System (AIVSS).

We explore the challenges of integrating AI into existing systems, the importance of identity management for AI agents, and the need for standardized security practices. The discussion emphasizes the necessity of adapting security measures to the unique risks posed by generative AI and the collaborative efforts required to establish effective protocols.

Key Takeaways

• MCP simplifies AI integration but raises security concerns.

• Identity management is crucial for AI agents.

• ETDI addresses specific vulnerabilities in AI tools.

• AIVSS aims to standardize AI vulnerability assessments.

• Developers should start with minimal permissions for AI.

• Trust in the agent ecosystem is vital for security.

• Collaboration is key to developing effective security protocols.

• Security fundamentals still apply in AI integration.

Tune in for a deep dive into the future of security and the innovative approaches shaping the industry!

Connect with Vineeth:

Vineeth’s LinkedIn: vineethsai

Vineeth’s website: https://vineethsai.com/

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

X: ⁠⁠⁠⁠https://x.com/anshuman_bh

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

⁠⁠⁠⁠Instagram: anshuman.bhartiya

Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠anandsandesh

X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans

The conversation delves into the concept of agentic AI, the importance of context engineering, and the hurdles of achieving enterprise-grade reliability in AI systems. Harry also reflects on the inflection points that led to the founding of Maze and the role of LLMs in transforming security practices.

Key Takeaways

• Introduction to Maze and Harry’s Journey: Harry shares his background in AI and machine learning, emphasizing the persistent challenges in vulnerability management and the founding of Maze to address these issues.

• Agentic AI and Context Engineering: The discussion highlights the shift from static rules to agentic AI, where AI agents autonomously investigate vulnerabilities, and the critical role of context engineering in tailoring solutions to specific organizational needs.

• Challenges in AI Reliability: Harry talks about the engineering hurdles in making AI systems reliable and consistent, focusing on the importance of tight reasoning loops and human-AI symbiosis.

• Pricing Strategies: In AI-native security solutions, clear and fixed pricing is preferred, as it simplifies budgeting and aligns with traditional models, while vendors should manage costs to ensure predictability for customers.

• Future of Security with AI: The conversation concludes with insights into the future of security, where AI agents work in the background to provide innovative solutions, and the importance of human feedback in refining AI systems.

Tune in for a deep dive into the future of security and the innovative approaches shaping the industry!

Connect with Harry:

Harry’s LinkedIn: harrywetherald

Maze: https://mazehq.com/

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

X: ⁠⁠⁠⁠https://x.com/anshuman_bh

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

⁠⁠⁠⁠Instagram: anshuman.bhartiya

Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠anandsandesh

X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans

Key Takeaways

• The traditional model of security tools is being challenged.

• Pixee aims to automate not just detection but also remediation.

• AI agents can help scale coverage in application security.

• The role of AppSec professionals will evolve with AI integration.

• Trust is crucial for developers to accept automated fixes.

• Developers want tools that reduce their workload, not add to it.

• Contextual understanding is key for accurate vulnerability triage.

• The security market is not saturated; there are still many unsolved problems.

• Integrating security into design specifications is the future.

• A comprehensive approach to security is necessary for effective risk management.

Tune in to find out more!

Connect with Surag & Arshan:

Surag’s LinkedIn: suragpatel

Arshan’s LinkedIn: arshan-dabirsiaghi

Pixee: https://www.pixee.ai/

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

X: ⁠⁠⁠⁠https://x.com/anshuman_bh

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

⁠⁠⁠⁠Instagram: anshuman.bhartiya

Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠anandsandesh

X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans

Key Takeaways

• DryRun Security utilizes AI to enhance code security.

• Context engineering is crucial for effective AI applications.

• LLMs can augment security practices but require careful orchestration.

• Consistency in LLM outputs is a significant challenge.

• Ethical considerations in AI are becoming increasingly important.

• Finding the right balance in using LLMs is essential.

• Community collaboration is vital for advancing AI solutions.

• Orchestration is a key factor in AI performance.

• AI will not replace jobs but will change how we work.

• Tune in to find out more!

Connect with Ken:

LinkedIn: cktricky

DryRun Security: https://www.dryrun.security/

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

X: ⁠⁠⁠⁠https://x.com/anshuman_bh

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

⁠⁠⁠⁠Instagram: anshuman.bhartiya

Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠anandsandesh

X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans

Casey shares his personal journey through health challenges and his insights into the cybersecurity landscape. He discusses the evolution of the bug bounty industry, the importance of secure design, and the role of AI in both enhancing and complicating security measures.

Casey emphasizes the need for accountability and the potential of crowdsourcing in security, while also addressing the challenges of implementing effective standards. The conversation concludes with reflections on the future of AI in security and the necessity for focused problem-solving in the industry.

Key Takeaways

• The bug bounty industry has transformed lives and created new opportunities.

• Founding a company involves learning from both successes and failures.

• The cybersecurity industry often focuses on quick wins rather than fundamental problems.

• Secure by design is essential for addressing root causes of vulnerabilities.

• Crowdsourcing can enhance accountability in security practices.

• Standards like ASVS are important but can be complex to implement.

• AI is both a tool and a threat in the cybersecurity landscape.

• Focusing on specific problems is key to leveraging AI effectively.

Tune in to find out more!

Connect with Casey:

LinkedIn: caseyjohnellis

Bugcrowd: https://www.bugcrowd.com/

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

X: ⁠⁠⁠⁠https://x.com/anshuman_bh

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

⁠⁠⁠⁠Instagram: anshuman.bhartiya

Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠anandsandesh

X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans

Vivek shares his journey in cybersecurity, discussing the evolution of content creation, the importance of building for a global audience, and navigating the Indian cybersecurity market. He emphasizes the need for browser security, the challenges of local markets, and the significance of personal relationships in business.

In this conversation, Vivek Ramachandran shares insights on the challenges faced by founders, particularly in breaking into the U.S. market. He emphasizes the importance of building a strong advisor network and engaging in technical conversations. The discussion also delves into the evolving landscape of cybersecurity, highlighting the impact of AI on both attackers and defenders. Vivek offers valuable advice for new startup founders, stressing the need for patience, understanding the responsibilities of fundraising, and focusing on fundamental skills.

Key Takeaways

• The browser is now considered the new endpoint for security.

• Pentester Academy was born out of a need to share knowledge.

• Content creation has evolved significantly over the years. Today’s audience prefers bite-sized, impactful content.

• Founders should think globally from the start.

• Cybersecurity in India is often driven by compliance rather than necessity.

• Technical founders must adapt to market needs and customer relationships.

• Design partnerships can help startups gain traction in local markets. Founders often give up after a few rejections.

• Building an advisor network is essential for success.

• AI is changing the dynamics of cybersecurity.

• Raising funds is a responsibility, not a success metric.

• Focus on fundamentals to stay relevant in tech.

• Learning by doing is becoming too easy with AI.

• Engage with your target market to build credibility.

Tune in to find out more!

Connect with Vivek:

LinkedIn: vivekramachandran

SquareX: https://www.sqrx.com/

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

X: ⁠⁠⁠⁠https://x.com/anshuman_bh

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

⁠⁠⁠⁠Instagram: anshuman.bhartiya

Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠anandsandesh

X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans

We discuss the evolution of security tools, the importance of customer validation, and the role of AI agents in enhancing security practices. Ali shares insights on building a positive security culture within organizations and how Amplify Security differentiates itself in a competitive market. The conversation emphasizes the need for collaboration between security and development teams, the challenges of addressing known and unknown vulnerabilities, and the future of AI in cybersecurity.

Key Takeaways

• Amplify helps coders secure their code effectively.

• Customer validation is crucial for startup confidence.

• Security tools should enhance developer experience.

• AI agents can automate security fixes intelligently.

• Contextual understanding is vital for security solutions.

• Developers should approve code changes for security fixes.

• A positive security culture fosters collaboration.

• AI can help prioritize and manage vulnerabilities.

• The future of security involves AI-driven solutions.

• Security issues must be addressed in a timely manner.

Tune in to find out more!

Connect with Ali:

LinkedIn: amesdaq

Akto: https://amplify.security/

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

X: ⁠⁠⁠⁠https://x.com/anshuman_bh

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

⁠⁠⁠⁠Instagram: anshuman.bhartiya

Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠anandsandesh

X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans

Ankita shares her unique journey into the cybersecurity space, discussing her diverse background and the inception of her API security company. She emphasizes the importance of understanding customer needs, the role of co-founders in a startup’s success, and the surprising maturity of buyers in the cybersecurity industry.

Ankita also delves into marketing strategies for cybersecurity startups, highlighting the need for differentiation and continuous iteration in messaging. In this conversation, Ankita discusses various aspects of marketing strategies for enterprise SaaS, the challenges of building a brand in a competitive market, and the importance of API security. She emphasizes the need for startups to identify specific problems within their target market and how LLMs can significantly enhance API security. The discussion also touches on the necessity of experimentation and iteration in integrating AI into products.

Key Takeaways

• Understanding customer needs is crucial for product development.

• A strong co-founder relationship is vital for startup success.

• Buyers in cybersecurity are more mature than in other industries.

• Marketing should focus on product differentiation.

• Iterate marketing positioning continuously based on feedback.

• Networking is important, but building a customer base is essential.

• Cybersecurity tools are often purchased through structured processes. Social media is crucial for enterprise SaaS marketing.

• Branding requires a clear representation of the product’s value.

• API security is a growing concern that needs addressing.

• LLMs can revolutionize the way API security is approached.

• It’s essential to iterate and experiment with AI technologies.

• The market for API security is significant, even if not immediately recognized.

• Startups should not shy away from basic use cases with LLMs.

• Tune in to find out more!

Connect with Ankita:

LinkedIn: ankita-gupta

Akto: https://www.akto.io/

Connect with Anshuman:

LinkedIn: ⁠⁠⁠⁠anshumanbhartiya

X: ⁠⁠⁠⁠https://x.com/anshuman_bh

Website: ⁠⁠⁠⁠https://anshumanbhartiya.com/

⁠⁠⁠⁠Instagram: anshuman.bhartiya

Connect with Sandesh:

LinkedIn: ⁠⁠⁠⁠anandsandesh

X: ⁠⁠⁠⁠https://x.com/JubbaOnJeans