TWiT Events 19 - RSAC 2026 Transcript
Please be advised that this transcript is AI-generated and may not be word-for-word. Time codes refer to the approximate times in the ad-free version of the show.
00;00;00;03 - 00;00;07;29
Leo Laporte
If it's March, it must be the RSAC conference. We're here in San Francisco's Moscone Center, ready to talk to some big shots in security. Let's go.
00;00;08;02 - 00;00;21;00
TWiT.tv
This is TWiT
00;00;21;03 - 00;00;41;23
Leo Laporte (Voice Over)
Every year the RSAC Conference gets bigger and bigger and bigger. Of course, security is a bigger and bigger deal when it comes to technology. First stop had to be one of our favorite sponsors. We've been talking about the Thinkst Canary for ten years now. I've never met Haroon, the founder. This was exciting.
00;00;41;26 - 00;00;49;06
Leo Laporte
I am so glad to meet you. After ten years of doing Thinkst Canary commercials to finally meet you guys. It's great. It's a South African company.
00;00;49;06 - 00;00;56;22
Haroon Meer | Founder, Thinkst Canary
Yeah. So we're based in South Africa. We've got people all over the world, like we've got people in the US, we've got people in Europe, but fundamentally a South African company.
00;00;56;26 - 00;00;59;04
Leo Laporte
And where did the idea for this come from?
00;00;59;05 - 00;01;14;04
Haroon Meer | Founder, Thinkst Canary
So some of us have been security pen testers and red teamers for a really long time. And we were looking for what actually catches us. And so Canary is the thing that if you're on a network, if you're an attacker, if you're a pen tester, there's some things you've just got to do.
00;01;14;07 - 00;01;15;15
Leo Laporte
Yeah. You can't ignore.
00;01;15;16 - 00;01;25;08
Haroon Meer | Founder, Thinkst Canary
Exactly. And so one of the things that worked out really well with Canary and Canary tokens is even if, you know, maybe it's a canary, what are you going to do? You still have to touch it.
00;01;25;14 - 00;01;35;16
Leo Laporte
I love it that you actually have the MAC address that you have. Everything looks so real. But do you think a smart hacker will know? That's got to be a canary.
00;01;35;16 - 00;01;55;22
Haroon Meer | Founder, Thinkst Canary
Yeah. So, so it's an interesting trade-off, right? If you're an attacker. So. So firstly there is this arms race. Maybe the attackers get smart enough. But for some of these things, like if you take one of our Canary tokens, we give you a real AWS API key. And you put it on your machine and we say API key stored on the AWS machine. So an attacker breaks onto your machine.
00;01;55;23 - 00;01;58;20
Leo Laporte
It's coming to my IP address, not AWS.
00;01;58;21 - 00;02;11;28
Haroon Meer | Founder, Thinkst Canary
And the attacker has to try that key. Like even if he thinks maybe it's and the moment he tries it, you get a message saying the key that was only on the AWS machine just got used. So even if they know or suspect it's a trap.
00;02;12;00 - 00;02;12;24
Leo Laporte
How can they avoid it?
00;02;12;25 - 00;02;30;04
Haroon Meer | Founder, Thinkst Canary
Exactly. That's what they did before. And so it's one of those things we got lucky with. Like when we started building this, we didn't know how well that would work. But even the attackers who know it, so, so in fact, some people joke and say that our entry level packet should just be a sticker saying I run Thinkst Canary, because if you.
00;02;30;04 - 00;02;34;27
Leo Laporte
Dare, it's like me. I put an ADT alarm sign in front of my house. I don't have an alarm system.
00;02;34;27 - 00;02;35;19
Haroon Meer | Founder, Thinkst Canary
Exactly right.
00;02;35;20 - 00;02;37;27
Leo Laporte
And so I mean, I do I do have an alarm.
00;02;37;27 - 00;02;55;15
Haroon Meer | Founder, Thinkst Canary
So we have an so now an attacker. Everything that they find on your network, they find your network admin's creds. But they're thinking, is it a canary? Like. And that's what you want, right? You can't outrun the bear. You just have to outrun the guy next to you. And so now they go to some other network because maybe it's going to be easier.
00;02;55;17 - 00;02;58;04
Leo Laporte
That's awesome. You open sourced it too.
00;02;58;06 - 00;03;07;05
Haroon Meer | Founder, Thinkst Canary
So we've got an open source version. So we do a free version. So Canary tokens are completely free and open source. And that's used by literally millions of people.
00;03;07;07 - 00;03;08;22
Leo Laporte
I think that's so great that you did that.
00;03;08;25 - 00;03;09;17
Haroon Meer | Founder, Thinkst Canary
It works out.
00;03;09;22 - 00;03;12;05
Leo Laporte
We don't talk about it in the ad, but it's so great that you did that.
00;03;12;06 - 00;03;15;07
Haroon Meer | Founder, Thinkst Canary
Yeah. Like we get mails, we don't get a week that.
00;03;15;07 - 00;03;25;09
Haroon Meer | Founder, Thinkst Canary
Goes by without a mail from someone saying the saved us the saved on network discord detectors. And for us it's you know, we come from the open source world. It's it makes sense.
00;03;25;09 - 00;03;29;08
Leo Laporte
And it's nice because the token works better if it's phoning home instead of phoning out. Right. Yeah.
00;03;29;08 - 00;03;31;25
Haroon Meer | Founder, Thinkst Canary
Exactly. Right. And we keep adding new tokens.
00;03;31;25 - 00;03;38;12
Leo Laporte
So what I saw, you had a WireGuard one. I thought that was hysterical. A WireGuard configuration. How can you avoid that? Right. Exactly.
00;03;38;15 - 00;04;00;13
Haroon Meer | Founder, Thinkst Canary
Well, one of them that's really fun and cool is we give you a real working credit card. So you come to us and we give you an actual credit card. You store it somewhere, and when that credit card gets it on, you get a message saying, listen, the card that was only on my mom's PC just got won. And that's what we go for is really easy to deploy but really high quality signal of bet.
00;04;00;14 - 00;04;02;05
Leo Laporte
That's super smart. Yeah.
00;04;02;07 - 00;04;35;11
Haroon Meer | Founder, Thinkst Canary
It's so far it works well. So Canary Tokens is really like 30 products bundled under that name. And we keep working on it. Like we literally just released one. That's the CrowdStrike API key. So if you're a big enterprise, someone finds your CrowdStrike key. Like now they can use that to command and control all of your hosts. So now they find this fake key. They try it and you get a message saying listen, the key that was only on your staging server just got used. So again, really high quality signal, really easy to deploy. And it just works. Yeah.
00;04;35;11 - 00;04;46;13
Leo Laporte
And the cool thing is you get information when somebody attacks you, you get a password or you get a log and you learn what they know, you kind of can get some more information about who's in there. Exactly.
00;04;46;13 - 00;05;09;10
Haroon Meer | Founder, Thinkst Canary
Right. So, so the first place for us is just, hey, there's something going on that you got to check up on, but then there's a thread that you can pull on that says, look, they used Bob's credentials. So Bob is clearly compromised. And you can you can draw that line. What we're looking for is high quality signal. A lot of the stuff, like there's lots of noise and you can't really tell. But when a canary chirps, you know, you've got a problem.
00;05;09;10 - 00;05;15;23
Leo Laporte
Yeah, that's a bad that's a bad thing. Right. And but also you never hear from it. Maybe you're wondering why am I not hearing from it.
00;05;15;29 - 00;05;16;09
Haroon Meer | Founder, Thinkst Canary
Yeah.
00;05;16;16 - 00;05;22;06
Haroon Meer | Founder, Thinkst Canary
And so that's all the thing. We aim to be silent the rest of the year until it absolutely matters. Yeah.
00;05;22;08 - 00;05;28;29
Leo Laporte
How hard do you work to keep it secure? Because that's always something people worry about. I'm putting a device on my network. Exactly how secure is it?
00;05;29;05 - 00;06;15;21
Haroon Meer | Founder, Thinkst Canary
So, so it's something we obsess over, like we were all offensive security people at some point. So we've got a link on our page, which is pretty unusual, called security, which talks about the stuff we've done to make sure that this is not going to be the weakest link on your network. And we do a whole bunch of stuff, including some features that would be cool that we never ship because we think actually puts your network at risk. And so if people check out slash security, you'll see. But essentially everything that runs on it is fake, even though it looks really genuine. When you connect to it's ADP. It's an ADP that we've written in a memory managed language running in a sandbox. So Canaries should never be the weakest thing on your network. And what you're looking for again is that one alert that says there's badness.
00;06;15;23 - 00;06;19;12
Leo Laporte
All right. You don't have to tell me this, but what was your hacker name?
00;06;19;15 - 00;06;21;04
Haroon Meer | Founder, Thinkst Canary
Always been legit. That's.
00;06;21;04 - 00;06;29;14
Leo Laporte
Oh come on. Yeah, he's always been legit. Haroon, I am so pleased to meet you after all this time. It's really great. And thank you for your long term support of us.
00;06;29;14 - 00;06;31;01
Haroon Meer | Founder, Thinkst Canary
Have been great for us. Yeah.
00;06;31;07 - 00;06;35;17
Leo Laporte
Really good. It's a mutual benefit. That's what I like to say.
00;06;35;20 - 00;06;38;12
Leo Laporte (Voice Over)
From Thinkst we went to see Bob Boyle at Torq.
00;06;38;12 - 00;06;44;18
Leo Laporte (Voice Over)
They just hit unicorn status. They are one of the fastest growing names in AI powered security operations.
00;06;44;24 - 00;06;51;17
Leo Laporte
Tell me about Torq now. You said the death of the security and analysts. There's a lot of skulls around here. Yeah, yeah. You trying to kill people?
00;06;51;21 - 00;06;56;23
Bob Boyle | Product Marketing Manager, Torq
No. Absolutely not. We're trying to help people work better in security operations.
00;06;56;23 - 00;06;58;20
Leo Laporte
Now, you started with automation, right?
00;06;58;23 - 00;07;04;17
Bob Boyle | Product Marketing Manager, Torq
Yeah, we're a hyperautomation engine and an AI SOC platform built on top of that hyper.
00;07;04;20 - 00;07;07;08
Leo Laporte
But you saw an opportunity with security.
00;07;07;10 - 00;07;28;19
Bob Boyle | Product Marketing Manager, Torq
Yeah. I mean, we've always been a security focused company, right? What the hyper automation allows us to do is not just triage and analyze using agents, but actually investigate and respond to threats, completely autonomously. So we have that ability to take action, versus just filter and prioritize your immediate right. Absolutely. Yeah. Yeah. So what.
00;07;28;19 - 00;07;31;05
Leo Laporte
Models, your own models.
00;07;31;08 - 00;07;50;24
Bob Boyle | Product Marketing Manager, Torq
We have our AI SOC analyst Socrates. We allow bring your own model. You can use ChatGPT, Gemini and the hyper agents that you build directly into our agentic workflow. So turning deterministic workflows into AI agents that are doing a lot of that repetitive work. So you have the custom ability or custom, the ability to customize.
00;07;50;27 - 00;07;52;00
Bob Boyle | Product Marketing Manager, Torq
And,
00;07;52;03 - 00;07;54;08
Leo Laporte
This is why I get you early in the conference.
00;07;54;11 - 00;07;55;01
Bob Boyle | Product Marketing Manager, Torq
I appreciate.
00;07;55;08 - 00;07;59;15
Leo Laporte
It. Very good. So good. Socrates, did you did you train it?
00;07;59;17 - 00;08;09;09
Bob Boyle | Product Marketing Manager, Torq
Socrates is our in-house AI SOC analyst that you chat with in natural language and use it to enrich cases, trigger remediations.
00;08;09;12 - 00;08;11;05
Leo Laporte
Did you do your own training or where did where did it.
00;08;11;05 - 00;08;13;26
Bob Boyle | Product Marketing Manager, Torq
Come from? Oh, you're asking the the deep technical question. I want.
00;08;13;26 - 00;08;14;25
Leo Laporte
To know the good stuff.
00;08;14;25 - 00;08;15;16
Bob Boyle | Product Marketing Manager, Torq
For a demo.
00;08;15;16 - 00;08;20;24
Leo Laporte
God, it's good stuff. It's good. But it's it's tuned for this particular use.
00;08;20;24 - 00;08;23;08
Bob Boyle | Product Marketing Manager, Torq
So yeah, focus on security operations.
00;08;23;11 - 00;08;25;20
Leo Laporte
And compliance is a big part of it, sounds like, with SOC.
00;08;25;22 - 00;08;36;11
Bob Boyle | Product Marketing Manager, Torq
Sure. Yeah. I mean, with AI in security operations, you need the right guardrails in place, the, the ability to trust and see why AI agents are making the decision.
00;08;36;11 - 00;08;42;05
Leo Laporte
Aren't people nervous about letting AI make these decisions? Yeah, I would say people are.
00;08;42;06 - 00;09;01;08
Bob Boyle | Product Marketing Manager, Torq
Looking for a platform that uses AI agents in a way that they can see. Okay, well, why is this decision being made? They can follow that logic. They can see the planning and reasoning behind every decision that's being made. So we open up the curtains on that. You can't have a black box. AI decision making model or it's not going to be a security analyst isn't going to trust that.
00;09;01;08 - 00;09;04;16
Bob Boyle | Product Marketing Manager, Torq
Right. So you can see all of the, you know, planning.
00;09;04;18 - 00;09;06;23
Leo Laporte
You know, you don't have a YOLO mode, that.
00;09;06;25 - 00;09;07;11
Bob Boyle | Product Marketing Manager, Torq
YOLO.
00;09;07;11 - 00;09;08;11
Leo Laporte
Mode. Yes.
00;09;08;13 - 00;09;08;20
Bob Boyle | Product Marketing Manager, Torq
No.
00;09;08;27 - 00;09;10;22
Leo Laporte
No.
00;09;10;25 - 00;09;12;05
Bob Boyle | Product Marketing Manager, Torq
Absolutely.
00;09;12;07 - 00;09;17;26
Leo Laporte
That's what I would use. Okay. You you look like you know what you're doing. Go ahead. Have fun. Why not? Why not?
00;09;17;27 - 00;09;25;15
Bob Boyle | Product Marketing Manager, Torq
We want to make sure that the the right guardrails are in place, that AI is, is taking the action that you want it to take. But, making life easier for the security analyst.
00;09;25;16 - 00;09;27;14
Leo Laporte
And I love this guy. Absolutely.
00;09;27;17 - 00;09;28;14
Bob Boyle | Product Marketing Manager, Torq
Five feet tall.
00;09;28;14 - 00;09;40;13
Leo Laporte
Thank. 55ft tall, I heard 60. Wow. I haven't measured it myself, but could be could be pushing 65. So on Thursday you get somebody up there and jump on it. Just just just a squish of that. Yeah absolutely.
00;09;40;13 - 00;09;47;08
Leo Laporte
go. Go go go.
00;09;47;10 - 00;09;47;26
Leo Laporte
Awesome!
00;09;47;26 - 00;09;51;05
Leo Laporte
Oh, I like it. That's good.
00;09;51;07 - 00;10;13;01
Leo Laporte
I love you because here's Yubico in the YubiKey. I can't tell you how many YubiKeys I have. I have, I can't tell you. No, I got the Type-C. I got the Lightning one. I got the one that's both Lightning and type. I got the ones on my keychain right now. I got a YubiKey, holding my SOPS age key so that I can decrypt my environment variables on my eye.
00;10;13;07 - 00;10;22;10
Leo Laporte
And then I pull the key, and I'm safe. I don't have to worry about exfiltrating it. There's lots of uses for a YubiKey. What's the latest right now? Are you still is FIDO2 is still the biggest.
00;10;22;12 - 00;10;43;18
Juan Quesada | Solutions Engineer Manager, Yubico
FIDO is still the biggest, the most secure way to authenticate. The latest thing we have, it's not necessarily a YubiKey, but a service that goes around the YubiKey, which is, you can get the YubiKey registered, for the end user right out of, manufactured.
00;10;43;20 - 00;10;47;07
Leo Laporte
Oh. That's nice. So it can't be modified. It's built. It's actually burned into it.
00;10;47;15 - 00;10;54;28
Juan Quesada | Solutions Engineer Manager, Yubico
It's not it's not burned into it. But basically you get, What? Same case when you get, credit card, your house that you can use.
00;10;54;28 - 00;10;56;16
Leo Laporte
So you track the serial number.
00;10;56;16 - 00;11;08;23
Juan Quesada | Solutions Engineer Manager, Yubico
Yeah, exactly. You get a YubiKey, at your home address with your credentials in it, so you can log into. Right. Doctor or Microsoft or Bengay. The. We don't necessary to register that you became.
00;11;08;29 - 00;11;13;18
Leo Laporte
That smart, because now you're making it available to more people, less sophisticated people.
00;11;13;21 - 00;11;14;22
Juan Quesada | Solutions Engineer Manager, Yubico
A lot easier.
00;11;14;24 - 00;11;15;10
Leo Laporte
Turnkey.
00;11;15;14 - 00;11;16;11
Juan Quesada | Solutions Engineer Manager, Yubico
Yes. Exactly.
00;11;16;11 - 00;11;21;21
Leo Laporte
Yeah. I've been storing my passkeys on YubiKey. You're adding memory all the time to YubiKeys.
00;11;21;23 - 00;11;22;16
Juan Quesada | Solutions Engineer Manager, Yubico
What do you mean, what do.
00;11;22;21 - 00;11;25;16
Leo Laporte
I actually get? Store passkeys like 20 passkeys on that, right?
00;11;25;16 - 00;11;27;13
Juan Quesada | Solutions Engineer Manager, Yubico
You can you can get up to 100.
00;11;27;15 - 00;11;28;16
Leo Laporte
100 now. Yes.
00;11;28;16 - 00;11;29;26
Juan Quesada | Solutions Engineer Manager, Yubico
Well, I guess you know one thing.
00;11;29;26 - 00;11;32;01
Leo Laporte
At some point, do you want to increase that number?
00;11;32;04 - 00;11;51;14
Juan Quesada | Solutions Engineer Manager, Yubico
I don't know, we we went from 24 to 100. Yeah. A few years ago. For now, it's still up 100. I think 100 is more than enough. Honestly, I am very technical, and I have never reached that number. Not even close to that. Like, for now, I think 100 is plain enough.
00;11;51;14 - 00;11;54;27
Leo Laporte
Be nice to store them there. Do I need to use some special software to do that?
00;11;55;00 - 00;12;09;10
Juan Quesada | Solutions Engineer Manager, Yubico
You do not need any type of drivers. It's, the all the mechanism to use a YubiKey are built in the browsers. So you don't need any type of any type of drivers. Any anything I need to install? Nothing.
00;12;09;10 - 00;12;16;03
Leo Laporte
It's it's just I was just checking to see if I had my YubiKey with me. I, I don't because I don't want to carry it around. That's my.
00;12;16;10 - 00;12;17;03
Juan Quesada | Solutions Engineer Manager, Yubico
Should.
00;12;17;05 - 00;12;19;19
Leo Laporte
I should carry one and then keep the other one home safe.
00;12;19;19 - 00;12;21;00
Juan Quesada | Solutions Engineer Manager, Yubico
Yes you should.
00;12;21;02 - 00;12;33;03
Leo Laporte
Everybody buys two. Hey, it's really nice to talk to you. I really appreciate what you guys have done. We know Stina well and it's great to see you back here. All right. Thank you. Thanks for your time. Appreciate it, Juan.
00;12;33;06 - 00;12;46;05
Leo Laporte (Voice Over)
Next up, ThreatLocker, our sponsor. I was really thrilled to be able to talk to Rob Allen, his chief product officer. But he does have a t shirt that says Chief Podcast Officer. I asked him, when did people start thinking about zero trust?
00;12;46;07 - 00;12;52;13
Rob Allen | Chief Product Officer, ThreatLocker
You could argue that some of what we do has been an idea for some time. It's just been a rather challenging idea to implement.
00;12;52;13 - 00;12;52;25
Leo Laporte
Is hard to.
00;12;52;25 - 00;12;53;27
Rob Allen | Chief Product Officer, ThreatLocker
Do. It's hard to do.
00;12;53;28 - 00;12;57;19
Leo Laporte
It came out of Google as I remember. Yeah, but they were among the.
00;12;57;19 - 00;13;18;02
Rob Allen | Chief Product Officer, ThreatLocker
First thing that as a concept, has been a thing forever. But as just as I said, it's been really hard to do. Which meant it wasn't as commonly, implemented as it might have been. And I think that's what the ThreatLocker does differently. It makes it achievable. It makes it attainable. It makes it easy for even large organizations to implement.
00;13;18;03 - 00;13;22;13
Leo Laporte
And, I had affordable. I was shocked when I went over there. You guys should charge more.
00;13;22;15 - 00;13;39;15
Rob Allen | Chief Product Officer, ThreatLocker
Yeah. Yeah, absolutely. That is music to our ears and the music to our ears. But, Yeah, I mean, the look, there's a lot to it, and there's a lot more to it than just blocking by default, right? I mean, as Danny, RCA would say, it's really easy to block stuff. What's not so easy is allowing the things that are required right?
00;13;39;15 - 00;13;47;09
Leo Laporte
We've always said there's a tradeoff between convenience and security. And of course, if you don't care about convenience at all, you can be a lot more secure.
00;13;47;12 - 00;13;49;24
Rob Allen | Chief Product Officer, ThreatLocker
You just take your server, you plug it out, you take it into the.
00;13;49;25 - 00;13;51;00
Leo Laporte
Air gap, everything.
00;13;51;02 - 00;14;03;00
Rob Allen | Chief Product Officer, ThreatLocker
Yeah. Nobody will ever get near it, but it's not really practical. So it is. It's always a trade off. But as I said, we hopefully the way we implement what we do means that it's less of a trade off than it otherwise might be. Right.
00;14;03;07 - 00;14;08;12
Leo Laporte
And there's this huge compliance angle to now, which is kind of a secondary add on effect.
00;14;08;12 - 00;14;14;04
Rob Allen | Chief Product Officer, ThreatLocker
Right. Yeah. There's a lot of, and a lot of full disclosure. I'm not a compliance guy. I know a lot of compliance.
00;14;14;05 - 00;14;14;26
Leo Laporte
Neither am I.
00;14;14;27 - 00;14;17;03
Rob Allen | Chief Product Officer, ThreatLocker
Yeah, but I know there are. Certainly.
00;14;17;08 - 00;14;19;01
Leo Laporte
I'm a YOLO guy myself.
00;14;19;04 - 00;14;28;26
Rob Allen | Chief Product Officer, ThreatLocker
Yeah, there are certainly benefits. And implications in lots of different compliance frameworks in terms of what we do, helps organizations achieve those compliance.
00;14;28;28 - 00;14;33;16
Leo Laporte
Because, you know, what happened, who did what when. Because you have to give them permission.
00;14;33;17 - 00;14;36;00
Rob Allen | Chief Product Officer, ThreatLocker
Total control. Yeah, yeah.
00;14;36;02 - 00;14;39;17
Leo Laporte
What's the smallest company that uses ThreatLocker? You know.
00;14;39;19 - 00;14;47;09
Rob Allen | Chief Product Officer, ThreatLocker
That's a really good question. I would be fairly confident that there are literally one and two user mom and pop shops who we look after.
00;14;47;10 - 00;14;48;19
Leo Laporte
Wow. And there's huge.
00;14;48;22 - 00;14;56;03
Rob Allen | Chief Product Officer, ThreatLocker
You know, indirectly because we use MSPs. MSPs. Absolutely. So I I've no doubt that there are 1 or 2 user mom and pop shops that we look after.
00;14;56;03 - 00;14;58;11
Leo Laporte
And the biggest enterprises.
00;14;58;14 - 00;15;04;11
Rob Allen | Chief Product Officer, ThreatLocker
Hundreds of thousands of endpoints. Yeah, yeah, it's it's the whole gamut. Like literally from tiny to huge.
00;15;04;14 - 00;15;11;29
Leo Laporte
To do you get pushback from CISOs and others when you come and you say, hey, we can do this.
00;15;12;01 - 00;15;13;09
Rob Allen | Chief Product Officer, ThreatLocker
Not typically. No.
00;15;13;09 - 00;15;15;19
Leo Laporte
It's a no zero trust now, right? They know.
00;15;15;21 - 00;15;32;26
Rob Allen | Chief Product Officer, ThreatLocker
They all know it's a good idea. They just don't know where to start. I mean, the the point is. And if anybody asked me for advice, the point is start somewhere. Right. It's. I know it's going to sound really cheesy, but it's not a destination. It's a journey. It's a series of steps. It's things that you can choose to do.
00;15;32;28 - 00;15;34;12
Rob Allen | Chief Product Officer, ThreatLocker
And the point is to start somewhere.
00;15;34;16 - 00;15;38;04
Leo Laporte
You lock the front door, and eventually you lock the back door, and finally you lock the barn.
00;15;38;04 - 00;15;39;06
Rob Allen | Chief Product Officer, ThreatLocker
Absolutely. Yeah.
00;15;39;07 - 00;15;41;03
Leo Laporte
Yeah, but you don't have to do it all at once.
00;15;41;04 - 00;15;55;24
Rob Allen | Chief Product Officer, ThreatLocker
No. Absolutely not. And again, we have such an extensive platform at this point that there is so many different boxes that we can take and so many different organizations. Very often we'll just start with 1 or 2. I mean, I just had a conversation with the prospects. Who's going on the trial in a week or so is time.
00;15;55;27 - 00;16;13;13
Rob Allen | Chief Product Officer, ThreatLocker
And they literally they're interested in application control, allowlisting and ringfencing. They don't at this point need all of the other amazing things that we do. But I have zero doubt that at some point in the future they will realize that. Hang on a second, we've got an agent running that we're managing through another portal that we could be doing through ThreatLocker as well.
00;16;13;16 - 00;16;38;04
Rob Allen | Chief Product Officer, ThreatLocker
I spoke to somebody quite recently and they mentioned that they at one point were using our logging into, on a daily basis, 12 different portals to manage the cyber security, 12 different portals. Now they do it in two. One of them being ThreatLocker’s. I, I can't remember what the other one was, but it just shows the benefit of the power of having everything in one place, one agent, one platform, one tool that you need to train people on and fundamentally humble to pay as well.
00;16;38;10 - 00;16;40;29
Rob Allen | Chief Product Officer, ThreatLocker
As you said, one very reasonable that.
00;16;41;02 - 00;16;51;28
Leo Laporte
Very nicely done. Actually, that's always the thing that puzzle I'm doing the and I'm saying a 30 day trial. Isn't that a lot to repair and repair, replace and put it all in. But but it is it really is just putting the lock on the door.
00;16;51;29 - 00;17;16;11
Rob Allen | Chief Product Officer, ThreatLocker
Absolutely, absolutely. I mean, we've had customers and to be honest, we, I'm not going to contradict the 30 day trial, but we've the degree of flexibility, obviously, in what we do. We've had companies push out 3000 agents, 3500 agents on trial, just to see what it looks like under there literally is no limit. There's a lot that can be gained, even for somebody has no interest in implementing ThreatLocker push an agent out.
00;17;16;11 - 00;17;38;08
Rob Allen | Chief Product Officer, ThreatLocker
Put it on all your machines. You've got visibility of what's there. One of the great things about it is the result was a surprise somewhere in the environment that people don't know about, whether it be a random remote access tool that's running or network traffic going to China or whatever it happens to be. There's always surprises there. There's always eye openers for people, and that very often can be enough to get them from.
00;17;38;09 - 00;17;43;03
Rob Allen | Chief Product Officer, ThreatLocker
I'm not really interested in this, but I do want visibility to oh, I actually really need what this tool does.
00;17;43;04 - 00;17;45;01
Leo Laporte
We had no idea this guy had access.
00;17;45;08 - 00;18;00;25
Rob Allen | Chief Product Officer, ThreatLocker
You know, it's unbelievable. Invariably, any new implementation we do, any reasonably sized deployment, there is always surprises there. There's always things that people didn't know about and don't want. Right. That's something that we can help them with straight away.
00;18;00;26 - 00;18;05;27
Leo Laporte
I can see how that happens as you grow, you know things you forget to turn off of these access.
00;18;05;28 - 00;18;22;20
Rob Allen | Chief Product Officer, ThreatLocker
It's easy. That's the thing with when you don't have control over what runs, you don't have control over what's running. I mean, I've spoken to I've worked with the guy once, and, they wanted me at the time. They wanted me to go into the environment to basically show them all the bad things, show us all the bad stuff that's here.
00;18;22;20 - 00;18;37;20
Rob Allen | Chief Product Officer, ThreatLocker
And I was like, well, we don't really. At that point, we didn't really get into too much about what's good and what's bad or, you know, what's allowed and what's not. But what I did instead was I said, look, let's have a look for remote access tools. Let's see how many remote access tools are running on your machines right now.
00;18;37;22 - 00;18;59;04
Rob Allen | Chief Product Officer, ThreatLocker
Seven, seven different distinct remote access tools running in this relative. There was only 200 machine environment. It was relatively small, but seven different tools. They had for us, they had LogMeIn. They had GoToMeeting. They had over the other day, tiny desk running. The really interesting one is they had TeamViewer running on almost a quarter of their machines.
00;18;59;06 - 00;19;01;20
Leo Laporte
Somebody just probably put it there because it's free. Right.
00;19;01;23 - 00;19;05;23
Rob Allen | Chief Product Officer, ThreatLocker
But it's not even that they didn't the organization didn't use. No, no. Nobody consciously put.
00;19;05;23 - 00;19;07;05
Leo Laporte
TeamViewer. Shadow IT.
00;19;07;07 - 00;19;24;25
Rob Allen | Chief Product Officer, ThreatLocker
This is exactly the point. At some point in the far distant past, some third party said, hey, I need your on your machine to fix a problem for you. It gets installed and it sits there forever as a potential way into the network. And that was a really interesting example of just that, multiplied by seven different tools, seven different ways into that environment.
00;19;24;25 - 00;19;25;20
Leo Laporte
That's terrifying.
00;19;25;27 - 00;19;53;19
Rob Allen | Chief Product Officer, ThreatLocker
It really is. And and look, that's one simple example. There's so many other ones. I mean even the like we do have network control, to the firewall component as well. We had a, there was a guy I worked with who had his basically his own data center, his own infrastructure in the data center, a couple of hundred servers, and we turned it on one day in the following week, we basically went back in to see what was there, and I said, look, how many machines in your environment do you think have had inbound or incoming RDP connections?
00;19;53;21 - 00;20;01;28
Rob Allen | Chief Product Officer, ThreatLocker
And he said with absolute confidence, two it's only two. That's all that's possible. It's all firewall down. Look at the logs. 17 oh.
00;20;01;28 - 00;20;02;14
Leo Laporte
My God.
00;20;02;14 - 00;20;24;00
Rob Allen | Chief Product Officer, ThreatLocker
18 different machines with incoming RDP connections getting misconfigured his firewall. And he had no idea. He had no visibility of that prior to deploying ThreatLocker. So as I said, I'd very much encourage anybody on trial, deploy as many agents as you can get it out there, get the visibility, see what's going on. And once you get that, you will then say, oh, now I want to take the next step, which is to control.
00;20;24;03 - 00;20;34;20
Leo Laporte
We're talking to Rob Allen, chief product officer at ThreatLocker. I'm going to put you you've probably done this a million times, but, put you on the spot. One sentence. What is zero trust?
00;20;34;23 - 00;20;42;09
Rob Allen | Chief Product Officer, ThreatLocker
One sentence. I'll do one better. I'll give you four words. I'll say assume breach. And I'll also say default deny.
00;20;42;11 - 00;20;43;16
Leo Laporte
Does that work? That's perfect.
00;20;43;19 - 00;20;44;00
Rob Allen | Chief Product Officer, ThreatLocker
Thank you.
00;20;44;05 - 00;20;50;23
Leo Laporte
So nice to see Rob. Pleasure. Thank you so much for all you've done for us. We appreciate it. Had a great time in Orlando. I look forward to going back next year.
00;20;50;29 - 00;20;51;15
Rob Allen | Chief Product Officer, ThreatLocker
Thank you very much.
00;20;51;15 - 00;20;54;15
Leo Laporte
Their Zero Trust World. It's good
00;20;54;18 - 00;20;58;00
Leo Laporte
a lot of fun. It's fun. This is fun too. I've never been asked.
00;20;58;00 - 00;20;59;25
Rob Allen | Chief Product Officer, ThreatLocker
This is why it's a different kind of fun.
00;20;59;29 - 00;21;03;11
Leo Laporte
this is all out of nowhere to. Right. Ten years ago.
00;21;03;14 - 00;21;06;19
Rob Allen | Chief Product Officer, ThreatLocker
Ten years ago, technically, ThreatLocker didn't exist.
00;21;06;22 - 00;21;15;27
Leo Laporte
Yeah. And and I mean, people knew about security having been doing security now for 20 years, but it wasn't at the level it is now. This is a booming business.
00;21;15;29 - 00;21;26;24
Rob Allen | Chief Product Officer, ThreatLocker
Yeah. But it's equally it's a multi billion approaching $1 trillion business for attackers as well. So it's business business for them. It's big business to stop them as well.
00;21;26;27 - 00;21;29;16
Leo Laporte
Is it Bitcoin that really. That's when it really took off
00;21;29;23 - 00;21;50;04
Rob Allen | Chief Product Officer, ThreatLocker
So somebody asked me a question. I can't remember the context. But they basically said look if if one thing what one thing could we do that would stop cyber attacks today? I don't mean obviously apart from buy ThreatLocker. The answer is, do away with crypto. Yeah. If there's no cryptocurrency, there would be no reason nobody's ever got paid.
00;21;50;04 - 00;21;57;14
Leo Laporte
Yeah, well, we started Security Now, people were, they said, go down to the convenience store and buy, you know, 20 money cards. Like there was no good way.
00;21;57;17 - 00;21;59;28
Rob Allen | Chief Product Officer, ThreatLocker
That's not scalable. That's not scalable.
00;22;00;02 - 00;22;02;07
Leo Laporte
But all of a sudden Bitcoin woo. Yeah.
00;22;02;07 - 00;22;18;29
Rob Allen | Chief Product Officer, ThreatLocker
It opened the floodgates. Absolutely. And unfortunately or fortunately depending on how you look at it there's no putting that genie back in the box. You know what I mean. It's not something that you can just say, okay, we're not going to do this anymore. It's not going to be a thing anymore. And look, realistically, as long as the bad guys get paid, they're going to continue to do it.
00;22;19;03 - 00;22;24;28
Leo Laporte
It's also the rise of, sophisticated hacker class and economies that are crashing like Russia.
00;22;24;28 - 00;22;29;18
Rob Allen | Chief Product Officer, ThreatLocker
Well, that and they also don't have to be that sophisticated nowadays.
00;22;29;18 - 00;22;30;25
Leo Laporte
They don't do them.
00;22;30;27 - 00;22;37;07
Rob Allen | Chief Product Officer, ThreatLocker
Literally with vibe coding and the ability for people to just go online and, say, look, I want something to do.
00;22;37;07 - 00;22;39;26
Leo Laporte
This ransomware as a service.
00;22;39;28 - 00;22;46;21
Rob Allen | Chief Product Officer, ThreatLocker
It's not even ransomware as a service. I mean, if you if you are so inclined and have access to tools like, you know, call code or.
00;22;46;22 - 00;22;47;27
Leo Laporte
It'll write it for you.
00;22;48;00 - 00;23;02;09
Rob Allen | Chief Product Officer, ThreatLocker
Pretty much right to sleep. So the barrier of entry now is so low. Really, if it were once upon a time you needed skills. You need the knowledge you needed. I mean, there was a a relatively limited number of people worldwide who had the requisite skills to be, right.
00;23;02;13 - 00;23;05;15
Leo Laporte
They used to make fun of script kiddies. Now everybody's a script kiddy.
00;23;05;18 - 00;23;12;19
Rob Allen | Chief Product Officer, ThreatLocker
This is the whole point. I mean, realistically, nowadays, all you need is bad intentions. Which is which is pretty scary. Which is pretty scary.
00;23;12;22 - 00;23;13;23
Leo Laporte
That could be a good slogan.
00;23;13;28 - 00;23;14;27
Rob Allen | Chief Product Officer, ThreatLocker
Oh, yeah.
00;23;15;00 - 00;23;17;12
Leo Laporte
It is bad intentions, not the.
00;23;17;15 - 00;23;28;05
Rob Allen | Chief Product Officer, ThreatLocker
Intent. It's really interesting. So, like, what's the difference between Expedia's offer and ransomware intent, right. That that is literally what is created.
00;23;28;05 - 00;23;28;24
Leo Laporte
Yeah, that's a good way.
00;23;28;24 - 00;23;30;18
Rob Allen | Chief Product Officer, ThreatLocker
Good intention demonstrated with patterns you have.
00;23;30;20 - 00;23;40;27
Leo Laporte
Means, you have motive, you have, ability and you have I mean, it's just it's been a perfect storm. Yeah. And we're in a hell of a storm.
00;23;40;28 - 00;23;55;14
Rob Allen | Chief Product Officer, ThreatLocker
Absolutely. I can there's so many companies around us now, and they're all, for the most part, time to trying to do the same thing. They're all trying to detect everything that's bad. Yeah. And the sad fact is you can't. It's.
00;23;55;20 - 00;24;00;08
Leo Laporte
Well, that's the elegance. Zero trust is so elegant. It's such a simple concept.
00;24;00;11 - 00;24;17;14
Rob Allen | Chief Product Officer, ThreatLocker
Once you get your head around it, it is unbelievably simple. It's instead of basically trust but verify. I mean, what we've been doing secure cyber security for 20 years has been trust but verify upside down. Allow this thing to run unless we know it to be bad or allow this thing to happen unless we know it to be bad.
00;24;17;16 - 00;24;36;06
Rob Allen | Chief Product Officer, ThreatLocker
In which case we want to detect that, respond to it. But as I said, it's been proved time and time again that you can't detect everything. And if you can't detect everything, you can't respond to everything. So that approach, as I said, it's been proved time and time again, at least it if not to be not effective, not to be effective all the time.
00;24;36;09 - 00;24;39;01
Rob Allen | Chief Product Officer, ThreatLocker
And it doesn't matter if you're ineffective 0.1% of.
00;24;39;01 - 00;24;40;00
Leo Laporte
The time is once.
00;24;40;00 - 00;24;41;22
Rob Allen | Chief Product Officer, ThreatLocker
Correct. That's exactly the point.
00;24;41;24 - 00;25;00;23
Leo Laporte
You know, I think, it's really cool to see how somebody could turn on ThreatLocker and discover that they were not as secure as they thought they were. Yeah. That's a I didn't really even think about that. But it's just a very quickly, almost a litmus test.
00;25;00;25 - 00;25;04;28
Rob Allen | Chief Product Officer, ThreatLocker
There's just as I said, there's always some surprises. There's always something special about it.
00;25;04;28 - 00;25;11;17
Leo Laporte
Yeah, yeah, yeah. In fact that's really I think we should pitch that as if nothing else you want to know.
00;25;11;18 - 00;25;27;00
Rob Allen | Chief Product Officer, ThreatLocker
What's the point? Like again, you asked about you know, where to start with zero trust. Step one is visibility. Step one is knowing what you have, what you're running. And then from that you can get to a point. Well, okay, I don't know what's there. I now know I don't want Cooper the the coupon cyber from China.
00;25;27;00 - 00;25;37;11
Rob Allen | Chief Product Officer, ThreatLocker
I don't want random remote access tools to be running. And all I need to do is flick a switch and say right. That is now not allowed. That is now not allowed. That's now not allowed. And those problems are now. So for me.
00;25;37;13 - 00;25;45;21
Leo Laporte
And I think there's this definite tendency to put your head in the sand and say, I don't, I just don't want to know. I don't want to know. I don't tell me there.
00;25;45;21 - 00;25;46;20
Rob Allen | Chief Product Officer, ThreatLocker
May be a tendency to.
00;25;46;20 - 00;25;47;14
Leo Laporte
Do that. Not anymore.
00;25;47;14 - 00;25;49;00
Rob Allen | Chief Product Officer, ThreatLocker
Now. Yeah, that that's only.
00;25;49;04 - 00;25;50;03
Leo Laporte
As you will find out.
00;25;50;03 - 00;25;53;26
Rob Allen | Chief Product Officer, ThreatLocker
Yeah. You will find that one way or the other, right. Absolutely. Yeah.
00;25;53;29 - 00;25;58;01
Leo Laporte
You were advertisers for a long time on the podcast network. So we're kind of familiar with right up.
00;25;58;03 - 00;25;58;11
Arun Signh | CMO & New Products GM, Drata
Yeah.
00;25;58;17 - 00;26;00;14
Leo Laporte
And I learned to say. Try to not try to.
00;26;00;15 - 00;26;01;29
Arun Signh | CMO & New Products GM, Drata
I'll try, but that's very important.
00;26;02;00 - 00;26;03;23
Leo Laporte
Tell us about product.
00;26;03;26 - 00;26;19;27
Arun Signh | CMO & New Products GM, Drata
It's a five year old company. We have about 8000 customers. We are in the trust management side of things. So we do, as you can see, a GRC, third party risk assessments. Talk about risk management as well as customer share compliances.
00;26;19;27 - 00;26;21;16
Leo Laporte
All of a sudden the biggest thing.
00;26;21;16 - 00;26;23;04
Arun Signh | CMO & New Products GM, Drata
Isn't it compliance is.
00;26;23;05 - 00;26;28;29
Leo Laporte
Why is it why is it so important all of a sudden? Is it SoC. Is it the legal requirements?
00;26;29;02 - 00;26;46;17
Arun Signh | CMO & New Products GM, Drata
I think that is just a part of it. The main thing, like what businesses run on is trust, right? So every business that's interacting with another business needs to know, can I trust you? That's why trust management has become more important. Compliance is just a part of it. But customers want to know I. Can I trust you?
00;26;46;21 - 00;26;56;11
Arun Signh | CMO & New Products GM, Drata
Talk to compliance. Just gives one part of it. Can I ask you, can I see your trust center? Can you answer my question is. So it's kind of like a whole 316 of trust management.
00;26;56;11 - 00;27;05;03
Leo Laporte
Does that make sense? And nowadays in the landscape that we're in, it's really important that if you're going to give a company your trust, your data, you better trust them.
00;27;05;07 - 00;27;08;05
Arun Signh | CMO & New Products GM, Drata
Yeah. It's the bedrock of every business interaction that happens.
00;27;08;07 - 00;27;15;27
Leo Laporte
That makes a lot of sense. Well, it's so nice to meet you. We love Drata. It's a great product. And Lisa did a to the thing. Have you done it?
00;27;16;01 - 00;27;19;05
Arun Signh | CMO & New Products GM, Drata
I did. What do you think? It's great.
00;27;19;08 - 00;27;19;27
Leo Laporte
Did you.
00;27;19;29 - 00;27;24;15
Arun Signh | CMO & New Products GM, Drata
I mean, I, I bit more than I could chew, but it took me like a to be 60.
00;27;24;16 - 00;27;27;15
Leo Laporte
Yeah. Yeah, she did the same thing she says. Was I upside down?
00;27;27;17 - 00;27;34;27
Arun Signh | CMO & New Products GM, Drata
Yeah, she
00;27;35;00 - 00;27;44;06
Leo Laporte (Voice Over)
One of the real risks those of us who use AI agents face is the accidental, unintentional, and disastrous exfiltration of our API keys.
00;27;44;09 - 00;27;47;13
Leo Laporte (Voice Over)
Well, Keycard Labs has come up with a pretty clever solution.
00;27;47;13 - 00;27;50;09
Leo Laporte
You got open. Oh. Nice. Claude Code running. All right.
00;27;50;11 - 00;27;59;04
Jelmer Snoeck | Founding Engineer, Keycard Labs
Oh, yeah. Oh, open. So our front of care protects, like Claude, for example, with Keycard Run. We just went it.
00;27;59;09 - 00;28;15;15
Leo Laporte
I can't tell you how many times I've just barely not committed my tokens to my GitHub. You know? I mean, it's really easy to to have your off. I have to off all the time. Yep. This is always an issue. Yeah. So how do you solve this.
00;28;15;21 - 00;28;39;27
Jelmer Snoeck | Founding Engineer, Keycard Labs
So Keycard Run, our implementation for coding agents. We, we basically get you ephemeral tokens to your GitHub policy on top of that. So based on the policy, you're able to, like either do operations or not. For example, you would be able to like, access Snowflake production database or you wouldn't, depending on the access policy that we configure.
00;28;39;27 - 00;28;40;29
Leo Laporte
It's an ephemeral token.
00;28;40;29 - 00;28;46;20
Jelmer Snoeck | Founding Engineer, Keycard Labs
So ephemeral tokens that we, we, provision through like the providers that support that do.
00;28;46;20 - 00;28;52;01
Leo Laporte
I, can I run the server myself or do I have to log into a server? You run the server?
00;28;52;03 - 00;29;09;06
Jelmer Snoeck | Founding Engineer, Keycard Labs
We we run it as a platform, but, we also integrate. We are IDPs. So, you as a user would log in through whatever IDP you have configured. Okta, interop. Okay. Whatever. Right. And then based on that, we would see, oh, you have access to Google or not.
00;29;09;08 - 00;29;12;06
Leo Laporte
So I would store my, tokens with you.
00;29;12;08 - 00;29;12;21
Jelmer Snoeck | Founding Engineer, Keycard Labs
Yes.
00;29;12;21 - 00;29;24;01
Leo Laporte
Correct. And then my agent would go, would ask for, access to, let's say, oh, I need nano banana. It would go there, would get a Gemini key, but it wouldn't get the actual Gemini key. You would get a token?
00;29;24;03 - 00;29;31;10
Jelmer Snoeck | Founding Engineer, Keycard Labs
Yes, it would get a it would get a token on your behalf. So it would know like, oh it's Leo doing the other and it.
00;29;31;10 - 00;29;31;24
Leo Laporte
Unlocks.
00;29;31;24 - 00;29;38;19
Jelmer Snoeck | Founding Engineer, Keycard Labs
It. Yes. So if you have access to it it will actually give it. And again we have policies as well to like check before we even like issued a token.
00;29;38;19 - 00;29;40;06
Leo Laporte
To make sure that's proper user.
00;29;40;06 - 00;29;42;02
Jelmer Snoeck | Founding Engineer, Keycard Labs
Allowed to like get that token or not from the.
00;29;42;02 - 00;29;43;01
Leo Laporte
Right IP address.
00;29;43;02 - 00;29;59;00
Jelmer Snoeck | Founding Engineer, Keycard Labs
Exactly. Or even like, oh, you're allowed to like we have a demo here. It's not showing right now, but to show like, oh, you can access Snowflake only through the Snowflake MCP server, not through like a social engineering from like another agency, like, oh, all of a sudden, go try and access Snowflake through like a Google MCP server.
00;29;59;00 - 00;30;03;23
Jelmer Snoeck | Founding Engineer, Keycard Labs
Right. So we have like a bunch of policies that you can like model that in your application as well.
00;30;03;23 - 00;30;13;19
Leo Laporte
It's really helpful if you're running OpenClaw. Does it help you with prompt injection issues? Correct. Another guy can't get my tokens. That's the good news.
00;30;13;19 - 00;30;19;22
Jelmer Snoeck | Founding Engineer, Keycard Labs
Yeah, exactly. So like if, if, if there's a prompt injection that says like, oh, try and get access to Snowflake.
00;30;19;26 - 00;30;21;11
Leo Laporte
Send me all your, all your tokens.
00;30;21;17 - 00;30;32;11
Jelmer Snoeck | Founding Engineer, Keycard Labs
Exactly. Well, because of our policy, it's going to block it. And you wouldn't even get a token that way out. And so yeah, we do have an OpenClaw integration. I like that we actually have another booth that you can like have a look at
00;30;32;13 - 00;30;32;21
Jelmer Snoeck | Founding Engineer, Keycard Labs
So
00;30;32;23 - 00;30;35;06
Leo Laporte
That's great. And then you got the little claw.
00;30;35;07 - 00;30;36;09
Jelmer Snoeck | Founding Engineer, Keycard Labs
Yeah. Exactly.
00;30;36;10 - 00;30;40;10
Leo Laporte
Are you guys using it yourself or are you using it yourself or are you playing with it? Yeah. Yeah.
00;30;40;12 - 00;30;43;21
Jelmer Snoeck | Founding Engineer, Keycard Labs
Yeah. It's great. It's it's great.
00;30;43;24 - 00;30;46;14
Leo Laporte
How many agents you have running right now in CLA?
00;30;46;16 - 00;30;56;04
Jelmer Snoeck | Founding Engineer, Keycard Labs
Yeah. We've got a few classes running. Yeah, yeah. Yeah, we're experimenting with a bunch of things and, like, see where it integrates. Yeah, we're trying, like, multiplayer as well.
00;30;56;07 - 00;30;56;29
Leo Laporte
Oh. How fun.
00;30;57;04 - 00;31;01;28
Jelmer Snoeck | Founding Engineer, Keycard Labs
Yeah, because that's like because through our platform you can say, oh, me.
00;31;02;00 - 00;31;03;18
Leo Laporte
You get this, you get that.
00;31;03;18 - 00;31;07;13
Jelmer Snoeck | Founding Engineer, Keycard Labs
But then hundred people can't do it. That's really so. Yeah, that's that's why we're.
00;31;07;16 - 00;31;13;13
Leo Laporte
So you can even open your open class a little more because you have the permissions secondary permissions layer.
00;31;13;13 - 00;31;26;20
Jelmer Snoeck | Founding Engineer, Keycard Labs
Exactly. Very fine. So like yeah we, we run one CLA and then we can say oh I want to get access to this. But it knows like, oh I am not allowed to, to have access to Peter's banking account, for example. And it will block that.
00;31;26;21 - 00;31;32;24
Leo Laporte
I love this idea. Yeah. Is it, how much? I mean, you charge per token. How do you.
00;31;32;26 - 00;31;38;01
Jelmer Snoeck | Founding Engineer, Keycard Labs
We we charge per transaction. So what we call it. So like token issuance and, verification and, policy checks. Nice.
00;31;38;06 - 00;31;47;16
Leo Laporte
So when I'm talking to Anthropic and I, I give them my oh do you route the token. How do they get the token.
00;31;47;16 - 00;31;59;00
Jelmer Snoeck | Founding Engineer, Keycard Labs
Because obviously they don't get the token. They don't if it's an MCP server to MCP server. So we have SDK for example that integrate and it's the MCP server that would like request access to Keycard.
00;31;59;03 - 00;32;01;01
Leo Laporte
Set up, and it's your MCP server.
00;32;01;01 - 00;32;01;24
Jelmer Snoeck | Founding Engineer, Keycard Labs
Or it could be.
00;32;01;24 - 00;32;06;24
Leo Laporte
Whatever MCP servers. But they are smart enough to say, oh, I got a I've got a thing, I.
00;32;06;24 - 00;32;19;29
Jelmer Snoeck | Founding Engineer, Keycard Labs
Have to access Snowflake Google and then it'll ask Keycard, like, can I get a token for it? And then based on like who is running to that MCP server? Like if it's you, if it's me, if it's Carl, it will figure out whether.
00;32;20;01 - 00;32;25;05
Leo Laporte
Are you are or who actually has the authentication. Must be you, right?
00;32;25;08 - 00;32;25;25
Jelmer Snoeck | Founding Engineer, Keycard Labs
Yes.
00;32;25;28 - 00;32;33;06
Leo Laporte
Guy has to be. Yes. So then they their token gets routed back to you and then you provide the, the API key. Yeah.
00;32;33;08 - 00;32;41;13
Jelmer Snoeck | Founding Engineer, Keycard Labs
Like we dynamically provision that token with the provider. So like if it again if it's Google like we can like request the token that's on behalf of whoever is.
00;32;41;13 - 00;32;46;07
Leo Laporte
Oh okay. So I don't even have to provision it. Now you get the token for me. Yes.
00;32;46;07 - 00;32;56;24
Jelmer Snoeck | Founding Engineer, Keycard Labs
Correct. Oh nice. Yeah. Yeah that's great. Yeah. And again like it'll be like a fully delegated access chain that you can see and then, it will come up in a bit. But you can also see like the audit logs right now.
00;32;56;26 - 00;33;04;22
Leo Laporte
So all of these, all these people, are they understood to just do they have to have an understanding of, you know.
00;33;04;26 - 00;33;05;13
Jelmer Snoeck | Founding Engineer, Keycard Labs
No, they just.
00;33;05;13 - 00;33;07;04
Leo Laporte
From their point of view, it looks like.
00;33;07;10 - 00;33;17;14
Jelmer Snoeck | Founding Engineer, Keycard Labs
It's a namespace user. Yep yep yep. And they'll just connect to their agents. We will do like an authentication down to them. And then off they go. And they we have like consent as well.
00;33;17;14 - 00;33;20;29
Leo Laporte
So like if how do you handle two factor.
00;33;21;01 - 00;33;24;25
Jelmer Snoeck | Founding Engineer, Keycard Labs
Two factor. We like we actually have integration with some other step here, but.
00;33;25;00 - 00;33;29;04
Leo Laporte
We send it back to me. Sorry. Do you send it back to me. How do I.
00;33;29;07 - 00;33;45;00
Jelmer Snoeck | Founding Engineer, Keycard Labs
Oh for, for, that for Google and stuff, you mean. Yeah. So we actually go through consent flows and that's where you do the two factor. And so like we would say oh, you need access to Google at that point. We like had to do like an OAuth consent flow. And that's where yeah. You would have to do it.
00;33;45;01 - 00;33;47;03
Leo Laporte
I would then give it that second factor.
00;33;47;05 - 00;33;54;01
Jelmer Snoeck | Founding Engineer, Keycard Labs
And that's again where you say, oh, this agent can actually access this, or you can also say, this agent can access this, right. And that's where we and.
00;33;54;01 - 00;33;56;15
Leo Laporte
The permissions are all done on the website. On your website. Yeah.
00;33;56;15 - 00;34;03;10
Jelmer Snoeck | Founding Engineer, Keycard Labs
Or. True. Like, like it's all API driven as well. So, like, you could even have your LLM like, like it's all Cedar based. So you could even have your LLMs say.
00;34;03;11 - 00;34;04;29
Leo Laporte
Yeah, the cloud fix this up.
00;34;04;29 - 00;34;05;17
Jelmer Snoeck | Founding Engineer, Keycard Labs
Exactly.
00;34;05;23 - 00;34;09;25
Leo Laporte
And so I'm have to try it. Yeah. But mean affordably enough for I'm not enterprise.
00;34;10;01 - 00;34;10;23
Jelmer Snoeck | Founding Engineer, Keycard Labs
Free tier as well.
00;34;10;24 - 00;34;13;07
Leo Laporte
Oh you have a free tier. Oh definitely.
00;34;13;07 - 00;34;14;16
Jelmer Snoeck | Founding Engineer, Keycard Labs
Using this. Yeah. Yeah.
00;34;14;18 - 00;34;28;08
Leo Laporte
It's a pain in the ass. I tell you. I've been using SOPS and age, and I have a YubiKey with my key on it. Yeah, it's just a pain in the ass, and I just, you know, I at least everything's encrypted. Yeah, but, but I would much prefer some something like this because the tokens get much more finer.
00;34;28;11 - 00;34;29;03
Leo Laporte
Yeah.
00;34;29;05 - 00;34;36;07
Jelmer Snoeck | Founding Engineer, Keycard Labs
Yeah. And like, in our demo like that, we'll show up here in a bit. Like the moment your session ends, the tokens get revoked. Yeah, that love agent can't even.
00;34;36;09 - 00;34;41;28
Leo Laporte
I have to rotate my key any time I have to rotate, it keeps like, oh, I don't want to do this. Yeah, exactly. But you would do all of that.
00;34;41;28 - 00;34;43;15
Jelmer Snoeck | Founding Engineer, Keycard Labs
Yeah. So, like, loving them was exactly.
00;34;43;15 - 00;34;44;24
Leo Laporte
Like incident help.
00;34;44;26 - 00;35;03;02
Jelmer Snoeck | Founding Engineer, Keycard Labs
Yeah. This is like just a demo. Right. So this demo accesses, Datadog and, GitHub and as you can see, like in the beginning, doesn't even have access to any of those. And then what Keycard Run it like, automatically has access. Because you've like you've gone through the auth flows already. And as you can see, it just figured out some of the issues.
00;35;03;02 - 00;35;17;28
Jelmer Snoeck | Founding Engineer, Keycard Labs
It went through it, it pushes it pull request. And then you can see it went by. But yeah, I got it. Tried merging it to main immediately and then that failed because of policy. And that's what you can see here like access all the other things through it. And then yeah, once the session ends it everything gets revoked.
00;35;17;28 - 00;35;19;05
Jelmer Snoeck | Founding Engineer, Keycard Labs
And the agent doesn't have access anymore.
00;35;19;10 - 00;35;22;14
Leo Laporte
What are the limits on the free tier? Is it a number of tokens? Is it the number of users?
00;35;22;14 - 00;35;23;02
Jelmer Snoeck | Founding Engineer, Keycard Labs
Yes. Number of
00;35;23;02 - 00;35;24;03
Jelmer Snoeck | Founding Engineer, Keycard Labs
token exchanges basically.
00;35;24;03 - 00;35;26;11
Leo Laporte
Very cool. I'm signing up tonight.
00;35;26;14 - 00;35;37;19
Leo Laporte (Voice Over)
There's another interesting solution to the same problem, and it comes from another sponsor of ours, Bitwarden. They're proposing an open standard for using password managers to keep those secrets secret.
00;35;37;19 - 00;35;39;00
Leo Laporte
you has something this morning?
00;35;39;01 - 00;35;43;08
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Yes, we did. We announced the Agent Access SDK from Bitwarden.
00;35;43;09 - 00;35;53;18
Leo Laporte
Now, I'm very interested in this because I have my agent running right now. In fact, he's listening right now. So tell us and Ed about the access ad SDK.
00;35;53;19 - 00;35;56;23
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Yeah, absolutely. So it's more of an open standard.
00;35;56;25 - 00;35;58;00
Leo Laporte
Oh, there is a standard for it.
00;35;58;01 - 00;36;26;14
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Yeah. So it's, an open standard. Basically is designed to be a toolkit for developers, and an open standard for the industry to use. So not just Bitwarden users, but to ensure that AI agents are accessing credentials with end to end encryption and always keeping the human in the loop. Right. You don't want the AI agent running amok accessing things that you don't necessarily want them to access, especially if it's already in your env file.
00;36;26;15 - 00;36;32;28
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
So really helpful if you're already running AI agents and want them to have access to credentials securely.
00;36;33;01 - 00;36;35;29
Leo Laporte
This is kind of like what you were doing with secrets already, right?
00;36;35;29 - 00;37;03;07
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Yeah, a little bit. Right. And so you can probe, what you can do with Secrets Manager is programmatically inject secrets into development workflows. Right. And so very similar with the Agent Access SDK where you can programmatically inject these, credentials within, AI agent workflows. But the real difference is that the AI agent will always have to ask the person permission before they access that credential.
00;37;03;10 - 00;37;05;14
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
So really big difference there.
00;37;05;16 - 00;37;07;11
Leo Laporte
Can I use it with MCP servers, too?
00;37;07;14 - 00;37;08;20
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Yeah, absolutely.
00;37;08;22 - 00;37;10;05
Leo Laporte
You have your own MCP server.
00;37;10;07 - 00;37;11;24
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
We have our own MCP server.
00;37;11;24 - 00;37;22;23
Leo Laporte
So and that's the same kind of similar idea, right, where the credentials stay in my Bitwarden vault. But they are accessible but safe. They don't. I never, ever leave my machine.
00;37;22;25 - 00;37;30;29
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Yeah, exactly. They're never exposed by plaintext. Right? A lot of people use AI agents and have their, credentials exposed in plain text.
00;37;30;29 - 00;37;33;19
Leo Laporte
Oh, tell me about files.
00;37;33;21 - 00;37;50;14
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Or via chat conversations with AI agents. So what you're really doing is ensure, one, that they're end to end encrypted; two, that they're only accessed by humans, or only accessed with human approval. And then, the plaintext credentials never exposed to the actual agent.
00;37;50;16 - 00;37;54;12
Leo Laporte
How? But how does my Claude know that that's where the credentials are?
00;37;54;14 - 00;37;58;09
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Oh, you, set up a, kind of conversation in the beginning.
00;37;58;09 - 00;37;59;26
Leo Laporte
So you you tell it?
00;37;59;28 - 00;38;02;20
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Yeah, you tell it. Yeah, exactly. Easy.
00;38;02;23 - 00;38;07;21
Leo Laporte
I keep forgetting I can talk to it. Yes. Oh, the credentials they're in here. Just ask Bitwarden.
00;38;07;27 - 00;38;08;13
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Exactly.
00;38;08;13 - 00;38;09;13
Leo Laporte
And then it just happens.
00;38;09;15 - 00;38;10;03
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Yep.
00;38;10;06 - 00;38;11;04
Leo Laporte
Wow. That's fantastic.
00;38;11;04 - 00;38;11;17
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Yeah.
00;38;11;20 - 00;38;40;17
Leo Laporte
You know, one of the things we love about Bitwarden, because you're open source, you always are adding new features. I was really impressed last year. We'd spent a lot of time talking about key derivation and PBKDF and PBKDF2. And we were saying, you know, be really better if they used scrypt or they used Argon2. Somebody, I think one of our listeners, did a pull request, gave you an Argon2 implementation.
00;38;40;19 - 00;38;41;20
Leo Laporte
You started using it?
00;38;41;20 - 00;38;50;16
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Yeah, exactly. So that's one of the real big benefits of Bitwarden, right? We have a really active community that is constantly auditing our code but also contributing to it.
00;38;50;16 - 00;38;55;20
Leo Laporte
So, and how careful are you about pull requests? What do you do? You have a whole process, I imagine.
00;38;55;20 - 00;39;03;23
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Oh absolutely. Yeah. It's a very thorough process where our security engineers are reviewing every single pull request. And every single community contribution.
00;39;03;23 - 00;39;10;24
Leo Laporte
But it's nice because it does give your users a chance to say, hey, I would like to add this feature and they can.
00;39;10;26 - 00;39;12;04
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Yeah, absolutely.
00;39;12;06 - 00;39;18;09
Leo Laporte
Fantastic. You just added, I want to know more. I don't know if you know about this, the Bitwarden Lite. Tell me about that. Do you know anything about it?
00;39;18;09 - 00;39;28;17
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Yeah, absolutely. So Bitwarden Lite is a different self-hosting option for Bitwarden. Right. So Bitwarden is one of the few password managers out there that offers free self-hosting.
00;39;28;21 - 00;39;46;25
Leo Laporte
Plus, there's all these third-party versions of it, because you have an open standard. I love that. There's a Rust... what's it called? Something vault. I can't remember, but there are third-party solutions. But now I'm interested in Lite. So you... I put the server on my home server. Yeah.
00;39;46;27 - 00;40;08;07
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Yeah. So Bitwarden Lite is really the option to self-host, but what you're doing is you're putting it all in one Docker container. So it's really helpful for those who are new to self-hosting, maybe want a more flexible solution, want it easier to deploy, as opposed to multiple Docker containers. And you can use whichever database that you want for that self-hosting option.
00;40;08;07 - 00;40;26;18
Leo Laporte
Oh that's fantastic. So that's always been my conundrum. I love the idea of self-hosting, but I figure you guys know a lot more about keeping a server secure than I do. But if you do it in Docker and maybe a lot of the risky things that people might do aren't going to be so risky. Yeah, absolutely. Yeah. That's very smart.
00;40;26;19 - 00;40;35;11
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Yeah. It's all about data sovereignty. Right. And so ensuring we have cloud hosted options for those who aren't familiar with self-hosting. So like people like yeah.
00;40;35;11 - 00;40;35;25
Leo Laporte
That's what I.
00;40;35;25 - 00;40;45;15
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Used to. I don't need to self-host. But for those who are really excited about having ownership of their own data and where it lives, then self-hosting is a really good option.
00;40;45;18 - 00;40;56;11
Leo Laporte
Fantastic. Kasey, thank you so much. Thank you for Bitwarden. We love Bitwarden. I switched to it, well, after the LastPass fiasco and I couldn't be happier. I really love it.
00;40;56;15 - 00;40;58;08
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Oh, I love to hear that. Yeah, that's.
00;40;58;08 - 00;41;06;06
Leo Laporte
Really a great solution. And the secrets have been great. I use it for my SSH. I'm going to move all my, my tokens over to Bitwarden.
00;41;06;06 - 00;41;07;14
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Okay, I love it.
00;41;07;17 - 00;41;12;18
Leo Laporte
Fantastic. So it's the... is the industry standard called Agents SDK?
00;41;12;19 - 00;41;16;28
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Yes. The Agent Access SDK. And so, it works open.
00;41;16;28 - 00;41;17;13
Leo Laporte
Standard.
00;41;17;13 - 00;41;34;24
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
It's an open standard. It is a toolkit that is really designed to help, you know, people ensure that AI agents can access credentials securely from whatever password manager vault that you have, so it doesn't have to be Bitwarden. And we actually encourage competitors to use it as well.
00;41;34;25 - 00;41;38;11
Leo Laporte
Yeah. And currently I just have it in an env file, and that's not so good.
00;41;38;14 - 00;41;41;15
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Yeah. Even whenever you tell the AI agent not to look at.
00;41;41;15 - 00;41;43;24
Leo Laporte
The data as it does, it keeps wanting to.
00;41;43;26 - 00;41;44;24
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
Absolutely. Yeah.
00;41;44;25 - 00;41;45;16
Leo Laporte
So annoying.
00;41;45;17 - 00;41;47;07
Kasey Babcock | Senior Product Marketing Manager, Bitwarden
That's really the problem we're trying to solve.
00;41;47;14 - 00;41;52;26
Leo Laporte
Perfect. Yeah. Yay. Thank you Jason. Yay! I'm going to go home and turn it on. Thanks.
00;41;52;29 - 00;42;00;26
Leo Laporte (Voice Over)
Next up, Aikido Security. The fastest European cyber security company ever to reach $1 billion valuation.
00;42;01;02 - 00;42;02;20
Leo Laporte (Voice Over)
They do it with AI.
00;42;02;21 - 00;42;13;11
Leo Laporte (Voice Over)
I talked to the co-founder, Roeland Delrue. You might notice behind us, Neo lurking. Asked him a little bit about something they launched a few weeks ago that I wanted to see for myself.
00;42;13;12 - 00;42;15;25
Leo Laporte
So why did you start Aikido?
00;42;15;27 - 00;42;29;16
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
We've been building software for 15 years. We were using all kinds of tools to secure the application security. Cloud security. But I say we thought it was just like, too difficult to handle too many tools. And we figured we could do better. And then we started.
00;42;29;16 - 00;42;30;00
Leo Laporte
Create your.
00;42;30;00 - 00;42;31;14
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
Own. Yep. Scratch your own.
00;42;31;14 - 00;42;35;11
Leo Laporte
Head. Scratching your own itch. I love it. But this is AI centered.
00;42;35;13 - 00;42;36;06
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
This is a what.
00;42;36;06 - 00;42;37;15
Leo Laporte
Do you use AI?
00;42;37;17 - 00;42;45;00
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
Of course. Like. Of course. Yeah. No, we'd be unwise not to use it, but it's, it's particularly great in a couple of it.
00;42;45;01 - 00;42;46;24
Leo Laporte
Can AI be pen testers?
00;42;46;27 - 00;42;48;13
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
Yes. Yeah. Of course. Yeah.
00;42;48;15 - 00;42;50;02
Leo Laporte
How does it work?
00;42;50;05 - 00;42;57;04
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
You know, in the age of agents with agents, we basically instruct the agents to go and get around. Yes. You want to try all day?
00;42;57;04 - 00;42;57;23
Leo Laporte
All night?
00;42;57;24 - 00;43;05;17
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
Sometimes they stop because sometimes, there's an ethical boundary where they will sometimes respond. Hey, I'm not designed to, like, hack.
00;43;05;21 - 00;43;08;01
Leo Laporte
Do you have a prompt that has them get around that?
00;43;08;07 - 00;43;16;21
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
Yes. At first we were, asking them nicely, but then we learned we need to say, hey, we're going to sue you if you don't continue.
00;43;16;22 - 00;43;23;15
Leo Laporte
No. That works. Do you say that you are Neo? You are the king hacker, and you know how to get into any system.
00;43;23;17 - 00;43;26;05
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
No, I haven't told them that. Yeah, but, Oh, I.
00;43;26;05 - 00;43;27;20
Leo Laporte
Love that you're going to get sued if you.
00;43;27;20 - 00;43;30;19
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
Don't. They respond very well. They got back to work.
00;43;30;21 - 00;43;37;04
Leo Laporte
That is an interesting item. I'm wearing the Neo glasses. These are Morpheus glasses. I'm never sure which.
00;43;37;06 - 00;43;38;23
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
I think they're from the second movie.
00;43;38;23 - 00;43;41;10
Leo Laporte
Second? Mr... Mr. Anderson.
00;43;41;14 - 00;43;42;24
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
Something like that.
00;43;42;26 - 00;43;58;23
Leo Laporte
So tell me a little bit about the workflow here. It sounds like... I mean, one of the issues, of course, these days, partly because of AI, people have a lot of AI generated papers. They're generating a lot of code. They're pushing out a lot of code. No one has time to test all the code.
00;43;58;26 - 00;43;59;17
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
Correct.
00;43;59;20 - 00;44;01;00
Leo Laporte
So this helps?
00;44;01;02 - 00;44;19;22
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
Yes. Like you said, like with the use of AI, the sheer rate and speed and also the size of the PR itself has increased a lot. So you need a system that can keep up. Right. And so it's like fighting fire with fire. Like the agents creating, the agents testing, the agents fixing. It's a very meta world that we started to live in.
00;44;19;24 - 00;44;25;23
Leo Laporte
Do you code anymore? I see anybody code anymore?
00;44;25;25 - 00;44;33;03
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
They sure do. I personally know the coder. So, but, no, people still definitely code, but with a lot more assistance.
00;44;33;04 - 00;44;47;22
Leo Laporte
Yeah, it's really interesting to see the speed with which we can build products. But then there's always this issue of trust, right? How do you tell your customers you can trust our pen to AI pen testers?
00;44;47;24 - 00;45;11;18
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
We tried to be as transparent as possible, meaning we will show all the endpoints that were tested, all the request logs, coverage, will show literally the logs of the agents, literally step by step by step. So like we expose as much as we can so that it can be inspected as much as people want to. Yeah. And that typically creates a trust because then they can see it with their own eyes, like okay, they literally did everything that a human tester would do.
00;45;11;23 - 00;45;13;03
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
But even more and faster.
00;45;13;03 - 00;45;16;03
Leo Laporte
And do you how effective are they compared to humans?
00;45;16;05 - 00;45;18;06
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
95% of the time they find more issues.
00;45;18;07 - 00;45;18;23
Leo Laporte
Wow.
00;45;18;29 - 00;45;34;09
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
The reason being is because these agents have access to the code base. And so for humans, it's like impossible to like read the code base as you point us. Right. And so that's an unfair advantage that AI has, that AI can take up the logic and some of the code. Right. Understand what's going on and then does that.
00;45;34;11 - 00;45;39;07
Leo Laporte
This has been a kind of interesting result for me that they can actually read code quite well.
00;45;39;10 - 00;46;00;06
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
They are very good at reading code and understanding. So basically for the people that know something about security, the world used to be open sourced and they're static and dynamic. And so what the agents kind of do is like they go static dynamic, static dynamic because they go at the code base, then they immediately try to exploit, go back to the code base and exploit.
00;46;00;08 - 00;46;04;03
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
And it's like, system that's of like merging the two of us.
00;46;04;08 - 00;46;12;07
Leo Laporte
And it's so much faster. It's so much more powerful to do it that way. That's really impressive. Yes. So 95% more effective. Yes.
00;46;12;09 - 00;46;15;12
Leo Laporte
Do you have humans doing pen testing, too, or is it all AI?
00;46;15;15 - 00;46;26;10
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
All AI. We've always been a product company. In the past we used to sell pentests, but then it was with a partner network that we leveraged. But now it's, like, fully autonomous. No human in the loop.
00;46;26;12 - 00;46;30;11
Leo Laporte
Completely self-service. Tell me about your models. Are they custom? What are you using?
00;46;30;11 - 00;46;31;02
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
We use frontier.
00;46;31;02 - 00;46;37;15
Leo Laporte
Models. So just like everyone else, you're using the frontier models. Do you do have some special skills and prompts that you use?
00;46;37;15 - 00;46;44;15
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
Or all of the IP is in the architecture, the guardrails. You know, it took us like months to figure out that we need to say that we're going to sue them.
00;46;44;15 - 00;46;46;06
Leo Laporte
Like there's that's brilliant.
00;46;46;09 - 00;47;07;21
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
All these little reasons why they stop or where they can fall off the track. And, like, if you were to just unleash an agent tomorrow, say, go, but it's going to fail for 100 different reasons. And so the IP is literally in like making it very effective, making sure they cover all the things, make sure that they validate enough that they try to bypass their own fixes and all of that stuff.
00;47;07;21 - 00;47;15;02
Leo Laporte
Yeah, it's always a moving target. But as of today, March, what is this, 24th. Yeah. Which model is the most effective for you right now?
00;47;15;05 - 00;47;21;15
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
We switch between models. So we... because it's, because we don't train the models.
00;47;21;18 - 00;47;23;27
Leo Laporte
Oh, yeah. You can use the same prompts with either one.
00;47;23;27 - 00;47;31;20
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
And then we have a whole internally built benchmark, basically. So it's quite easy for us to like swap out a model, see how it performs.
00;47;31;26 - 00;47;35;07
Leo Laporte
Will you have multiple models working on the same problem? Sometimes.
00;47;35;10 - 00;47;54;09
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
Yes, that as well. Or just to give a very specific example, like sometimes we'll use GPT-5 for something, but then for certain follow-up tests we'll use the 5 mini. But then for fixing issues we'll use some of the Anthropic models. So there's different vendors, different models, different versions of models as well. So yeah.
00;47;54;12 - 00;47;58;29
Leo Laporte
Have you found any of the open weight models or any of the Chinese models to be as effective?
00;47;59;02 - 00;48;01;20
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
They are not lagging that far behind.
00;48;01;23 - 00;48;03;28
Leo Laporte
That's what's really interesting, isn't it? Yeah.
00;48;04;00 - 00;48;27;25
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
So I mean, I don't have a crystal ball, but we believe that in like 6 to 12 months, some of these might be good enough, even if the frontier models might have moved on even further, that these open source ones, whether they're Chinese or not, could do a similar performance level or a good enough performance level, that can achieve all of our goals where you don't need all of the newest frontier stuff.
00;48;27;25 - 00;48;29;25
Leo Laporte
Yeah, right. Saves a lot of money.
00;48;29;27 - 00;48;31;10
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
That as well. Yeah.
00;48;31;12 - 00;48;37;20
Leo Laporte
Hey, it's really exciting to talk to you. I'm very interested in what you're doing, Roeland. Thank you very much. How old is Aikido? You said five years you've been doing this.
00;48;37;25 - 00;48;38;21
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
Three years and a half.
00;48;38;21 - 00;48;42;26
Leo Laporte
Oh, brand new, relatively. Yeah, yeah. That's great. And it's been a success.
00;48;42;29 - 00;48;44;01
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
Yeah. So far as new.
00;48;44;03 - 00;48;46;14
Leo Laporte
SMEs, large enterprise.
00;48;46;16 - 00;48;52;08
Roeland Delrue | Co-founder & CRO/COO, Aikido Security
We started out in SMB, then we went to mid-market and now we're doing low enterprise and already a few bigger enterprises.
00;48;52;09 - 00;48;56;11
Leo Laporte
That's great. Congratulations. Very nice to meet you. Yes. Thank you, Roeland.
00;48;56;13 - 00;49;07;11
Leo Laporte (Voice Over)
Semperis has been around for a long time, a decade-old identity security company. But they've got a new project. I talked to Bill Keeler from Semperis about a documentary they'll be debuting at Black Hat.
00;49;07;11 - 00;49;18;01
Bill Keeler | Senior Director Global PR/Comms, Semperis
We are producing, yeah, Midnight in the War Room. First ever cyber security company to invest in this type of a project. Looking at cyber war and the.
00;49;18;04 - 00;49;19;02
Leo Laporte
Very time.
00;49;19;02 - 00;49;45;20
Bill Keeler | Senior Director Global PR/Comms, Semperis
Of CISOs. Right. The thanklessness of being a CSO. The stress, the long hours. A CEO who will say to a CSO, why did you let this hack happen? And that's the worst day that a CSO can have. We've interviewed reformed, former hackers who are now reformed. Jen Easterly is in the documentary, CEO of RSA Conference. Chris Inglis, first ever U.S. National Cyber Director. General
00;49;45;20 - 00;49;55;28
Bill Keeler | Senior Director Global PR/Comms, Semperis
David Petraeus, Professor Mary Aiken, world renowned cyber psychologist, and about two dozen CISOs. Wow. Premiering at Black Hat on the 5th of August.
00;49;56;00 - 00;49;56;27
Leo Laporte
That'll be exciting.
00;49;57;04 - 00;49;57;27
Bill Keeler | Senior Director Global PR/Comms, Semperis
Yeah, we think so.
00;49;57;28 - 00;50;00;08
Leo Laporte
Are you going to get distribution afterwards?
00;50;00;09 - 00;50;17;14
Bill Keeler | Senior Director Global PR/Comms, Semperis
We will be doing a number of different things with distribution. More info to come on that. Nice. Including screenings in a number of cities in the US in the fall, in Europe and Asia. And some interesting details on a streaming partner.
00;50;17;16 - 00;50;21;22
Leo Laporte
I think there's a lot of interest in this. I think it would actually be a broad general interest.
00;50;21;23 - 00;50;42;07
Bill Keeler | Senior Director Global PR/Comms, Semperis
We've had more support here in the booth on day one of RSA than we would have imagined. And there's generally a lot of support for what we're doing, because at the end of the day, warfare has changed dramatically in the past 5 or 10 years. And everything that is being done militarily has a cyber component, right?
00;50;42;09 - 00;50;46;17
Bill Keeler | Senior Director Global PR/Comms, Semperis
And never before have the true stories of CISOs been told in this fashion.
00;50;46;22 - 00;50;49;16
Leo Laporte
So you're going to focus on nation state attacks.
00;50;49;18 - 00;51;11;05
Bill Keeler | Senior Director Global PR/Comms, Semperis
Focusing on China, Russia, North Korea, Iran and other nation states. Very interesting. The Colonial Pipeline attack, the WannaCry attack, Change Healthcare, Ascension Health. All the big cyber attacks that are in the news have profound impact on society, right? And we'll be sharing some of those stories in the documentary.
00;51;11;11 - 00;51;15;15
Leo Laporte
Very interesting. And what... is Semperis a security company as well?
00;51;15;18 - 00;51;36;07
Bill Keeler | Senior Director Global PR/Comms, Semperis
Semperis sells hybrid identity security solutions and crisis response solutions. Active Directory, Entra ID, Okta, and Ping Identity. Combining that with a Ready1 platform which helps companies to better prepare for crises and to better be able to respond in a timely fashion.
00;51;36;10 - 00;51;38;25
Leo Laporte
Have you seen an uptick in business?
00;51;38;27 - 00;51;40;26
Bill Keeler | Senior Director Global PR/Comms, Semperis
Yeah, the company's growing tremendously.
00;51;41;03 - 00;51;43;23
Leo Laporte
There's a lot of scared people out there, scared people.
00;51;43;23 - 00;52;08;09
Bill Keeler | Senior Director Global PR/Comms, Semperis
There's a lot of real identity risk, and companies are still struggling in how to keep the bad guys out of their environment. Once the identity system goes down, the company goes down. And there are very few organizations in the cybersecurity space that help with recovering identity. We feel like we do it the best. We've been in business for over ten years now.
00;52;08;16 - 00;52;21;06
Leo Laporte
Well, you got, like, celebrities here. Nobody's here. Marcus, just want to shake your hand. Nice to meet you. We covered when you were arrested. We covered that whole story. You did? Oh. Nonstop. So I'm surprised to see you in the United States, to be honest.
00;52;21;11 - 00;52;24;07
Marcus Hutchins | MalwareTech.com
I'm surprised even me here, too. And I know with you.
00;52;24;07 - 00;52;29;03
Leo Laporte
As with TWiT, it's a podcast network. Oh, Security Now is Steve Gibson we talked about.
00;52;29;05 - 00;52;31;10
Marcus Hutchins | MalwareTech.com
Yeah, yeah, yeah, I would actually watch your episodes.
00;52;31;11 - 00;52;31;28
Leo Laporte
Oh, nice.
00;52;31;29 - 00;52;36;19
Marcus Hutchins | MalwareTech.com
Because I was like, it was just interesting seeing you guys talk about the case and see your takes on it.
00;52;36;20 - 00;52;39;06
Leo Laporte
Well, and thank you for saving the world.
00;52;39;11 - 00;52;40;02
Marcus Hutchins | MalwareTech.com
Thank you so much.
00;52;40;03 - 00;52;47;18
Leo Laporte
I'm sorry you didn't really get credit with it for it. I got enough credit. Yeah. It's good. It's very nice to see you. What brings you here?
00;52;47;20 - 00;52;55;13
Marcus Hutchins | MalwareTech.com
For the conference or this visit? So I got a couple engagements. We're doing, a promo for a documentary that's coming out soon.
00;52;55;14 - 00;52;58;16
Leo Laporte
Yeah, we just talked to Bill about it. Yeah, it sounds exciting. Are you in it?
00;52;58;17 - 00;53;12;08
Marcus Hutchins | MalwareTech.com
I am in it. Yeah. So we. I'm here for that. I've got a couple of things from my day job. We just. Honestly, I come every year, but I usually don't actually come into the vendor hall. This is my first time. It's, it's.
00;53;12;08 - 00;53;14;20
Leo Laporte
It's like the a lot of spooks around.
00;53;14;22 - 00;53;19;23
Marcus Hutchins | MalwareTech.com
I thought they pulled them this year. There used to be an FBI booth, but I haven't found.
00;53;19;25 - 00;53;20;17
Leo Laporte
I haven't seen it.
00;53;20;19 - 00;53;28;17
Marcus Hutchins | MalwareTech.com
Yeah, because my joke every year was I would go and I'd post by the FBI booth, and I couldn't find that spot.
00;53;28;17 - 00;53;31;18
Leo Laporte
The fed. Yeah. Nice to see you, too. Are you having fun?
00;53;31;22 - 00;53;35;05
Caitlin Sarian | cybersecuritygirl.com
Yeah. I mean, it's RSA. We always have fun. Yeah, it's always great. Yeah.
00;53;35;07 - 00;53;36;23
Leo Laporte
So tell me what you're doing.
00;53;36;25 - 00;53;45;19
Caitlin Sarian | cybersecuritygirl.com
I mean, I just I'm a cybersecurity influencer, but I specialize in focusing on everyone else outside of tech, so I just make sure everyone's safe online. I handle cybersecurity, girl.
00;53;45;21 - 00;53;47;02
Leo Laporte
You protect influencers?
00;53;47;03 - 00;53;57;15
Caitlin Sarian | cybersecuritygirl.com
No, I protect everyone. The general public. So there's more people like John Hammond and Marcus that are more technical. I kind of take tech and dissect it into very basic stuff that everyone can understand.
00;53;57;18 - 00;53;58;24
Leo Laporte
It's much needed. Yes.
00;53;58;26 - 00;54;00;21
Caitlin Sarian | cybersecuritygirl.com
Yeah. So I love it. Thank you.
00;54;00;24 - 00;54;15;09
Leo Laporte
Yeah. So nice to see you both. Thank you. Marcus. Yeah. Great to see you. We missed you. We missed you. We were at, ThreatLocker in Orlando, and we missed. We had to leave before your keynote. So we missed you. That would have been great. But, yeah, I would have loved to have seen you. So I'm glad I got to see you here.
00;54;15;11 - 00;54;18;09
Leo Laporte
Very nice to see you both. Thank
00;54;18;11 - 00;54;31;03
Leo Laporte
You know, amidst all the stress and strain and anxiety of RSAC, it's nice every once in a while to take a moment for some serenity.
00;54;31;05 - 00;54;41;12
Leo Laporte (Voice Over)
AI was certainly one of the biggest stories at RSAC this year, both defending against AI generated threats and using AI as a defense. Zenity is one of the companies that saw this coming.
00;54;41;12 - 00;54;45;22
Leo Laporte (Voice Over)
Earliest. I talked to Chris Hughes about their AI agent governance
00;54;45;27 - 00;54;57;04
Leo Laporte
I wanted to talk to you, in fact, before you made these announcements this morning. But I wanted to talk to you about agentic security. Yeah. Securing your OpenClaw, things like that. Tell us about the announcements you made this morning.
00;54;57;09 - 00;55;15;06
Chris Hughes | VP of Security Strategy, Zenity
Yeah, just this morning, we had an announcement of a partnership with ServiceNow. Right. The big, you know, operations guy of the ecosystem. What we're finding is our security operations teams, SecOps teams, they want to get visibility on where agents are running, whether it's in the cloud or in endpoints, OpenClaw, Claude Code, etc., agentic browsers.
00;55;15;09 - 00;55;20;25
Leo Laporte
Is this the latest shadow IT? Like, oh my God, my employees are running OpenClaw on our network.
00;55;21;00 - 00;55;35;18
Chris Hughes | VP of Security Strategy, Zenity
Yeah. I mean, we've seen this with cloud and SaaS and like it's, you know, it's the same thing here with endpoint coding agents. Like anyone can download and run OpenClaw, Claude Code, etc. with a credit card or free versions. Things of that nature, spin up things in cloud environments. And we've seen this cycle before.
00;55;35;18 - 00;55;45;15
Chris Hughes | VP of Security Strategy, Zenity
It's like security tends to be a blocker or introduce friction. People work around it and, you know, see the same thing with agents. Right now, a lot of people are just trying to understand: what do I have? Where is it running? What does it have access to?
00;55;45;19 - 00;55;55;03
Leo Laporte
Yeah, they call me YOLO guy at home because I, I dangerously skip permissions the whole time. But obviously that's not the way to operate in a business.
00;55;55;05 - 00;56;01;12
Chris Hughes | VP of Security Strategy, Zenity
Yeah. Definitely not. But, I mean, it is a real... it's tempting. It's a challenge, right? You get, you get fatigued, you're hitting approve. I don't want you.
00;56;01;17 - 00;56;02;19
Leo Laporte
To just do it.
00;56;02;20 - 00;56;08;12
Chris Hughes | VP of Security Strategy, Zenity
Yes. People just want. And even today, actually, Claude Code introduced, what is it, the auto-approve mode, I think it's.
00;56;08;17 - 00;56;09;12
Leo Laporte
Something like yeah.
00;56;09;18 - 00;56;12;01
Chris Hughes | VP of Security Strategy, Zenity
It's like, I wonder if you wonder what could go wrong there.
00;56;12;02 - 00;56;14;10
Leo Laporte
They know. Yeah. So how can you help?
00;56;14;12 - 00;56;45;16
Chris Hughes | VP of Security Strategy, Zenity
Yeah. So our company is a full, you know, life cycle from the time you create an agent through build time all the way through runtime visibility. And we have coverage of all the major deployment patterns. So endpoint coding agents, agentic browsers on the endpoint, SaaS environments, Salesforce, ServiceNow, where they're running, you know, agents in those SaaS environments, or custom homegrown, you know, people are creating agents in AWS, Azure, GCP. We provide coverage of all those environments, giving you coverage from, you know, the time you build the agent or organization or policies, processes, you know, best practices all the way through runtime.
00;56;45;16 - 00;56;54;13
Chris Hughes | VP of Security Strategy, Zenity
What's running versus have access to, what data is it touching. And then actually introducing enforcement mechanisms if they start to, you know, act out of, act out of alignment there.
00;56;54;15 - 00;56;58;05
Leo Laporte
How do you do it? You watch network traffic? Are there signatures, are there things you look for?
00;56;58;08 - 00;57;13;09
Chris Hughes | VP of Security Strategy, Zenity
It really depends on the deployment model. Right. Like the SaaS and homegrown, like cloud environments, more API in nature. Endpoint coding agents, that's more of an agent that gets deployed on the endpoint. That way you can see the agents that are deployed on the endpoint, the activities.
00;57;13;11 - 00;57;14;24
Leo Laporte
You can see the traffic.
00;57;14;26 - 00;57;20;14
Chris Hughes | VP of Security Strategy, Zenity
Yeah. Or the actions on the system. Right. What files is it accessing? What data is it accessing? What source code is it?
00;57;20;14 - 00;57;24;03
Leo Laporte
Is it kind of a fingerprint? Is it... you could kind of tell that that's not a human?
00;57;24;06 - 00;57;41;16
Chris Hughes | VP of Security Strategy, Zenity
It can definitely start to behave in a way that's anomalous. Right. And then it is tricky though, right. Because what we're seeing is a lot of organizations are taking those identities from humans and just inheriting those permissions to the agent. And it can be different, you know, difficult to kind of attribute a certain activity to, what is it, a human or a human's agent, who's responsible, who's accountable.
00;57;41;23 - 00;57;45;04
Chris Hughes | VP of Security Strategy, Zenity
These are things I think the industry is trying to work their way through. Honestly.
00;57;45;07 - 00;57;51;07
Leo Laporte
Yeah. So do you have agents running around looking at this stuff? Is it agents finding agents?
00;57;51;14 - 00;57;52;19
Chris Hughes | VP of Security Strategy, Zenity
That's definitely part of it's.
00;57;52;19 - 00;57;53;21
Leo Laporte
Agents all the way down.
00;57;53;28 - 00;58;11;06
Chris Hughes | VP of Security Strategy, Zenity
Yeah. Throws all the way down. Right. That's definitely part of it, you know? Yeah. Some people may call it LLM as a judge or, you know, AI watching AI, or we've kind of adopted the phrase guardian agents, right? Because it says to your point about the approval, like. Like we simply cannot, you know, humans cannot watch every alert, every notification, every environment.
00;58;11;06 - 00;58;33;24
Chris Hughes | VP of Security Strategy, Zenity
Right. But you can't simply rely on, you know, the fox guarding the henhouse either. You can't just, you know, fully rely on the AI. You gotta have deterministic architectural type controls in place, humans involved, depending on the sensitivity of the data or the criticality of the systems and things like that. But we are leveraging AI and, you know, kind of Guardian agents as well, especially to bring context because it's difficult to know from a build time for runtime.
00;58;33;26 - 00;58;46;11
Chris Hughes | VP of Security Strategy, Zenity
You know, same thing in AppSec. Like, what do I really need to be concerned about? There's just so much volume, so much noise. So using AI to bring clarity to that and, you know, kind of a correlation engine if you want to call it that, to bring, you know, clarity to like, what are we what should we focus on?
00;58;46;14 - 00;58;47;23
Leo Laporte
You can fight fire with fire.
00;58;47;23 - 00;59;06;11
Chris Hughes | VP of Security Strategy, Zenity
Yes. I mean, that's the only way. And you're you walk the floor here. It's not just, you know, agentic AI security. You're hearing that AppSec, SecOps, GRC, you know, offensive security. There's tons of that. Everyone's looking to say the only way we're gonna keep pace with this is leverage this technology, being early adopter, be an innovator with this technology in cyber, just like the businesses.
00;59;06;11 - 00;59;09;15
Chris Hughes | VP of Security Strategy, Zenity
Because I think malicious actors are like, we have to leverage.
00;59;09;17 - 00;59;13;18
Leo Laporte
You were very early on this. How did you know that this was coming?
00;59;13;20 - 00;59;31;18
Chris Hughes | VP of Security Strategy, Zenity
So I'm relatively new to the team, so I don't want to take full credit because I've only been here for a few months, but I've been watching the company and they got their roots in low-code, no-code, right? Citizen developers. And we heard, like, you know, phrases like a democratizing development that sounds incredible until you think everyone's actually running fast with scissors, and they don't know that you can get hurt when you fall.
00;59;31;21 - 00;59;50;04
Chris Hughes | VP of Security Strategy, Zenity
So they got their roots in that low-code, no-code, which is a great way to get oriented around the SaaS agents and embedded agents and such. But then we saw the industry start to move, you know, custom agents, right? Endpoint agents, coding agents against browsers and you start to expand coverage accordingly. But, you know, right place, right time, having foresight to see where the industry is going.
00;59;50;10 - 00;59;51;19
Chris Hughes | VP of Security Strategy, Zenity
Definitely a credit to the founders.
00;59;51;19 - 00;59;53;17
Leo Laporte
It's amazing how fast this is moving.
00;59;53;17 - 01;00;02;21
Chris Hughes | VP of Security Strategy, Zenity
Yeah, it's I mean this technology adoption curve as you see it, it's faster now in the capital in the build out and all those kind of things. But the adoption curve is faster than anything we've ever seen.
01;00;02;21 - 01;00;03;13
Leo Laporte
It's exponential.
01;00;03;13 - 01;00;18;10
Chris Hughes | VP of Security Strategy, Zenity
Yes. It's, it's nothing. Nothing we've seen like it, like OpenClaw's a great example, like fastest, you know, project on GitHub in history gets acquired rapidly, right? It's, you know, and we simply the security never. Yeah. It does a great job keeping up. But I feel like we are learning lessons of the past.
01;00;18;10 - 01;00;19;07
Leo Laporte
Where were you before?
01;00;19;13 - 01;00;32;18
Chris Hughes | VP of Security Strategy, Zenity
I had a services company called Aquia doing public sector cybersecurity. I was on the services side. But, you know, I saw the problem starting to come around with agents and things like that. And I wanted to be somewhere. Is building a solution that can address that systemically across the ecosystem.
01;00;32;18 - 01;00;34;19
Leo Laporte
You're in the hot seat. You're right in the middle of it.
01;00;34;23 - 01;00;42;16
Chris Hughes | VP of Security Strategy, Zenity
Yeah. I mean, it's a great place to be not only for the company, but like, professionally. Like, I get to I get to do this thing that is defining the future of our career field. So I love it.
01;00;42;16 - 01;00;44;11
Leo Laporte
I love do you have a cloud running at home?
01;00;44;14 - 01;00;44;26
Chris Hughes | VP of Security Strategy, Zenity
What's that?
01;00;44;29 - 01;00;46;11
Leo Laporte
Do you have a clock running at home?
01;00;46;14 - 01;00;46;29
Chris Hughes | VP of Security Strategy, Zenity
I do not.
01;00;47;00 - 01;00;47;28
Leo Laporte
No lobsters in your.
01;00;47;28 - 01;00;52;01
Chris Hughes | VP of Security Strategy, Zenity
House? No, I haven't been that brave because I'm afraid of if they break loose.
01;00;52;03 - 01;00;56;14
Leo Laporte
I did the same thing. I spun it up in about in the middle of the night. I went, oh, no, I.
01;00;56;17 - 01;00;57;01
Chris Hughes | VP of Security Strategy, Zenity
Shut it down.
01;00;57;01 - 01;00;59;13
Leo Laporte
I got I deleted the account with God.
01;00;59;15 - 01;01;03;20
Chris Hughes | VP of Security Strategy, Zenity
Not only that, but, you know, you're in the space like us. If you have something to happen, you look even more foolish.
01;01;03;20 - 01;01;04;07
Leo Laporte
Yeah, that's a good.
01;01;04;07 - 01;01;16;22
Chris Hughes | VP of Security Strategy, Zenity
But at the same time, you got to explore. You got to, like, tinker with it or you won't even know how it works. So we do have researchers on the team that have done an incredible job of that, exploring what can happen, what can go wrong, how can you securely use it or at least try to securely use it the best you can.
01;01;16;24 - 01;01;19;02
Chris Hughes | VP of Security Strategy, Zenity
And it's amazing to watch it all. It's happening so.
01;01;19;02 - 01;01;25;29
Leo Laporte
Fast. That's my excuse as well. I've got to find I gotta learn. How am I going to learn if I don't break the glass a little bit?
01;01;26;07 - 01;01;29;06
Chris Hughes | VP of Security Strategy, Zenity
Yeah. You can't secure something you don't understand. So that's a critical part of it for sure.
01;01;29;12 - 01;01;32;05
Leo Laporte
I really thank you for your time. I hope you have a great show.
01;01;32;05 - 01;01;34;16
Chris Hughes | VP of Security Strategy, Zenity
Likewise. Good luck with the rest of the conversation.
01;01;34;18 - 01;01;36;02
Leo Laporte
All right. Appreciate
01;01;36;05 - 01;01;43;03
Leo Laporte (Voice Over)
all the way out the door, I had to thank my friends at Tailscale. I know I love it and use it. You may too.
01;01;43;05 - 01;01;46;02
Leo Laporte (Voice Over)
And they told me something. I was very happy to hear.
01;01;46;07 - 01;01;52;22
Leo Laporte
Everybody who listens to TWiT and Security Now, Tailscale fans, but we use it as home users. It's free. Yep.
01;01;52;22 - 01;01;54;22
Jillian Murphy | Product Marketing Manager, Tailscale
It's free. It will stay free forever.
01;01;54;24 - 01;01;56;26
Leo Laporte
Okay, that's my first question. Really?
01;01;56;26 - 01;02;06;03
Jillian Murphy | Product Marketing Manager, Tailscale
Yes, yes, we are committed to having a free tier. I mean network effects. We have more people using it, enjoying it, and it will help improve infrastructure all around.
01;02;06;03 - 01;02;11;00
Leo Laporte
And once you use it, you go, oh, that was easy. Yeah, I tried to set up WireGuard myself.
01;02;11;06 - 01;02;19;18
Jillian Murphy | Product Marketing Manager, Tailscale
Yeah. You don't want to be managing different tunnels and ports, and, I'm on a battle to get my husband to stop just using WireGuard himself. And he's.
01;02;19;21 - 01;02;25;09
Leo Laporte
It's so much easier. I worker I've a Ubiquiti router. It's built into my router, but so much easier.
01;02;25;12 - 01;02;38;11
Jillian Murphy | Product Marketing Manager, Tailscale
So much easier. I'll handle the connectivity, handle the redundancy. We have a network of fallback servers as well to handle your connectivity, if you need to, but it's faster, lighter weight, and it takes just five minutes to connect.
01;02;38;11 - 01;02;43;11
Leo Laporte
So let's help you keep this free. Yeah. Let's plug the enterprise product that does pay the bills.
01;02;43;11 - 01;02;44;00
Jillian Murphy | Product Marketing Manager, Tailscale
Yeah, yeah.
01;02;44;01 - 01;02;48;14
Leo Laporte
So you said you have some AI, stuff that you do. What? Tell me how that helps.
01;02;48;18 - 01;03;12;03
Jillian Murphy | Product Marketing Manager, Tailscale
All right, so first I just wanted to, like, cover that. It's building on top of the telco architecture so you can build a lot of different applications. And people are building observability solutions, monitoring solutions. I see the next open source replacement. I heard someone build, Percy Scaler. Sorry, I came from his ADX. And so there's a number of different use cases that you can apply this to.
01;03;12;03 - 01;03;25;29
Jillian Murphy | Product Marketing Manager, Tailscale
And so one of the things that we built internally was in securing AI products, called Aperture. So Aperture is managing API key sprawl. It's a gateway for all of your agent and user traffic.
01;03;25;29 - 01;03;27;23
Leo Laporte
So they go through Aperture.
01;03;27;24 - 01;03;43;18
Jillian Murphy | Product Marketing Manager, Tailscale
Going through the Aperture gateway. Yes. Whereas all of your other traffic will be still point to point encrypted traffic. But you can designate that this traffic based on these APIs or having that traffic go inbound and outbound to through this gateway.
01;03;43;18 - 01;03;54;02
Leo Laporte
So right now I SSH through Tailscale to my agent, my car running at home when I run the cloud through Aperture, the cluster Aperture. Is that the idea?
01;03;54;04 - 01;03;55;22
Jillian Murphy | Product Marketing Manager, Tailscale
It could be. It's going to be more.
01;03;55;22 - 01;03;57;24
Leo Laporte
For its enterprise station.
01;03;57;27 - 01;04;01;26
Jillian Murphy | Product Marketing Manager, Tailscale
Yeah. So I think it's really to manage API keys for all and.
01;04;01;28 - 01;04;03;08
Leo Laporte
155 million.
01;04;03;08 - 01;04;18;21
Jillian Murphy | Product Marketing Manager, Tailscale
Tokens. Yeah, yeah. Hopefully you're not doing that. I'm not. Yeah. Yeah yeah. And so yeah, it monitors the number of requests across all of your different tools, number of tokens. There's also it can monitor and your financial output too. So this is how much you spend within a quarter or month.
01;04;18;23 - 01;04;20;16
Leo Laporte
Does it have a security angle too.
01;04;20;18 - 01;04;39;28
Jillian Murphy | Product Marketing Manager, Tailscale
Yeah. Well I mean this is part of the security angle. So in terms of giving that visibility to and assurance of these new AI tools that you're implementing within your organization, we also integrate with partners such as. Oh, so to actually provide guardrails so you can block access or hit if you hit a certain cap, you can manage access.
01;04;40;05 - 01;04;57;05
Jillian Murphy | Product Marketing Manager, Tailscale
And then there's deep session level logging that lets you identify and troubleshoot exactly what went wrong and how it went wrong. Yeah. If it's, you know, an excessive output of tokens, if there's any issue in that sense.
01;04;57;07 - 01;05;15;20
Jillian Murphy | Product Marketing Manager, Tailscale
And then this is going to be a single dashboard for all of your tools. So you're not just hopping between your different tools. I think one thing that's really useful about it is not only being able to tell performance between different tools, but also like at Tailscale, we've probably rolled out ten different AI products this year just within our organization.
01;05;15;26 - 01;05;35;05
Jillian Murphy | Product Marketing Manager, Tailscale
And are all them really being used? Yeah, for that. So it can help with tool sprawl in general and just consolidation. So both the security angle on like how is this performing. Is this actually, you know, are the agents performing as expected. Are the users performing as expected both in terms of if there's an anomaly or an issue.
01;05;35;10 - 01;05;39;16
Jillian Murphy | Product Marketing Manager, Tailscale
But then also, can we just, use the tools that we think are the most effective.
01;05;39;23 - 01;05;42;00
Leo Laporte
And stop paying for the ones we're not? Yes, exactly.
01;05;42;00 - 01;05;42;25
Jillian Murphy | Product Marketing Manager, Tailscale
Exactly.
01;05;42;28 - 01;05;56;20
Leo Laporte
Well, I just want to thank you. Scale is so great. And when you made me very happy because the one thing I'm going, I love this too much. If they ever stop doing it or they stop, start making me pay for it. I'm going to be scared free forever. You're never be.
01;05;56;21 - 01;05;57;05
Jillian Murphy | Product Marketing Manager, Tailscale
Forever.
01;05;57;05 - 01;05;58;21
Leo Laporte
Ever stopping. Here we have you.
01;05;58;23 - 01;06;01;23
Jillian Murphy | Product Marketing Manager, Tailscale
Yes, free. Yes, I.
01;06;01;26 - 01;06;02;29
Leo Laporte
We have her commitment.
01;06;03;01 - 01;06;19;26
Jillian Murphy | Product Marketing Manager, Tailscale
I have Avery, the CEO say free forever. So I'm all right holding him. We also have an open source version called Headscale. So, like, we're very committed to the internet. Was built on open source protocols. We want to maintain that it only works if everyone is working with one another.
01;06;20;00 - 01;06;31;28
Leo Laporte
God bless you. Thank you so much. That's great. I really appreciate it. Thank you Jillian. Thank you. Thank you, Tailscale. I get my little task, key. I'm gonna replace the Windows key with that. Look at that.
01;06;32;01 - 01;06;36;13
Leo Laporte (Voice Over)
We had a lot of fun this year at the RSAC conference. I hope you enjoyed our little sampler.
01;06;36;13 - 01;06;55;25
Leo Laporte (Voice Over)
Just a little taste of the many thousands of people there and the many hundreds of booths there. I even got an autograph from Hacker Market such as? Look at that. On behalf of Anthony Nielsen, our photographer, Lisa Laporte, our producer. Thank you for watching. And we'll see you next year at RSAC.