¶ Welcome and Harry's Background
Unsupervised Learning is a podcast about trends and ideas in cybersecurity, national security, AI, technology and society, and how best to upgrade ourselves to be ready for what's coming.
All right, Harry, welcome to Unsupervised Learning.
Hey, great to be here.
Yeah. So, uh, I understand you're doing some cool stuff with, uh, AI and vulnerability management and stuff like that. Can you tell me what you're working on?
Yeah, sure. So just over a year ago, I co-founded with a couple of others, a company called Maze. Um, we just came out of stealth, maybe like, two months ago now. Uh, so, so really quite recent, but super experienced team. And what we've been doing is building basically a series of AI agents that can deeply interrogate and understand the vulnerability. Um, so kind of can go off and do the kind of analysis that, like, really experienced security engineer might be able to do into a vulnerability,
do it completely automatically. And by doing that, we can do it over like hundreds of thousands or millions of vulnerabilities all at once. And therefore, we can get people
¶ The Real Problem: Remediation vs. Prioritization
out of this like constant hell that we found ourselves in, in our old jobs. And I know plenty of others have been where you're just constantly firefighting, like an endless backlog of vulnerabilities with kind of no, no hope in sight. Um, yeah. Hopefully we're starting to help people out of that, out of that mess. Um, so yeah.
Okay. Interesting. So yeah, I've got some thoughts around this. So are you, um, are you focused on the vulnerability or are you focused on, like the context of the org? Like where do you think you're going to get the most, like, um, signal or benefit, uh, when it comes to the actual remediation? Because, um, I've done a whole bunch of management in my career as well, and it seems like the problem is always remediation, uh,
as opposed to, like, the prioritization of the vulns. What are your thoughts?
Yeah. So one of the interesting things that we've we've found along the way. And I've got going into this was like the volume of vulnerabilities is so ridiculous. And it's like, as people know, like it's climbing crazy like year on year. At the moment, the volume is so high. The problem doesn't make sense because the volume is just so high. So people end up with all these different approaches to it, prioritization and scoring. And can we use
EPSS and KEV and all these different approaches. And the premise that we've come at it from is if you go and chat to and I'm sure maybe you are one of these people once upon a time like go chat to a team that's dealing with this day in day out and say, okay, if you were to go look into like, start with the top of your list. If you were to go into look into it for like 2 or 3 hours in the context of your environment,
what would you find? Right? And then theoretically, if you could do that over every single one, what would you find and how big would that list be relative to your current list? Right. And invariably, maybe you disagree with this, but like most of the time when we ask people that question, they're like the answers range from like it would be 80% bigger to like the most extreme one ever was like 99.99% bigger. I think I've seen one true positive ever, which I think was a bit bold to be honest.
But um, yeah, yeah.
But the the premise is basically like if you spend time with them and if you try and actually deeply understand what the attacker would need to have to do to exploit it and what your environment is actually like, a huge proportion of the time the vulnerability isn't there. Like it is not in any way, shape or form exploitable. And so when we've been building all these prioritization criteria over the years, we've been like shuffling this pack of cards where most of the pack of cards should never
have been in the first place. Right? We should have just been removing, you know, 48 of the 52 cards or whatever, and focusing on those four rather than trying to figure out how to sort them 1 to 52. Um, so that's a lot of the premise of why we think this world can go, which is if you can build tools that are intelligent enough to do that really deep technical analysis, you can actually remove most of the deck of cards rather than trying to figure out how
to prioritize it all. Because I agree with you. It doesn't matter if we can prioritize them. If we can't remediate, it's literally irrelevant that we've got a prioritized list if we can't actually act on them. But the only way that you can figure out how to use your limited remediation resources to act on them is to figure out which ones you can throw away and which ones you actually need to keep, and maybe which ones you need to like, fix like today. Um, so that's one side
of it. We also think there's a bunch of use cases for AI to actually help with remediation. So just take like everything from I figured out I want to fix something to it is fixed and see how much of that you can get AI to help you with. I think like running all the way to fully automating it. I think we're a little bit despite what some people are hoping at the moment. I think we're still like a little bit away from it. Like just AI going
in and changing our environments day in, day out. But like,
¶ Breaking Down Vulnerability Context and Threat Intel
I think we can do we can take people a lot further than they are today. Um, so when you stick all that together end to end, you get like much, much smaller list and then you get much faster remediation and then you start being able to work on the stuff that matters, um, much, much quicker, uh, we think.
Yeah. Yeah, that makes sense. I feel like as you're talking there, I mean, there's there's multiple steps, right? There's understanding the vuln deeply. And then, um, I guess there's the threat intel component as well. And you've seen like, CVSS, like try to try to capture all these in different fields of the vuln. So there's like an active threat intel for like how many people know about this? How easy is it to exploit? Then there's the vuln details itself.
Like how bad is it? Like what is the attack surface that it actually impacts? And then there's the thing of like, okay, do we have that here at the company? Is that installed? Where is it installed? Um, what versions? And how does that relate to the vulnerable version. Um, and then given all of that now what is the prioritization? And I feel like those are all like, uh, individual components. Um, and then the thing I've been thinking a lot about
is like, okay, but where are the developers? Um, if
¶ Connecting Vulnerabilities to Developers and Workflows
you find the vuln in like some readout somewhere in some report, and it's in this particular piece of code, what app is that code part of? Um, who actually, uh, is responsible for that app? And then, um, when you go to create a patch or a fix or whatever, um, how do we get that to the right person in the form that requires the least amount of effort for them? So I feel like those are all the pieces, and it's almost like you can have multiple companies working on
each one of those pieces. Um, but somebody who could do, like, all of them pretty well, that's going to be a massive win.
Yeah. So that that's, that's that's our concept as well, which is basically if you think of all these different moving pieces, you kind of want a series of agents like AI agents, not not the old school type tackling each of those component pieces. Right. So like you mentioned there, like who owns the thing? That's a great use case for AI and particularly agents because like there is information
out there to help you solve that problem? Yes, but for a human, it's just like it's a, it's a like a it's like one of those long tail problems where, like, you could go find the answer. It's going to take you often a long time to like go figure it out. And then going and figuring it out for every single vuln and every single day becomes really annoying. But for AI, that's actually pretty. Like if you've got the right data sources,
it's actually quite, quite a tolerable problem. Um, so then you imagine, like putting an agent on all of those different places, like you mentioned, prioritization. Well, before you before threat intel becomes relevant at all, you have to figure
out whether it can be exploited or not. And that's got to be your first agent, because if it can't be exploited, it's irrelevant whether it's got threat intel associated with it or whether the business context is is bad, or whether the outcome could be bad or how to fix it, like everything else becomes irrelevant because you just need to stop there. So you, like, start there with that agent and then build out like agent by agent
for each part of that flow. And as you said, like figuring out who owns it, um, what action they need to take, what would be the most efficient action. And then you can go all the way through to like starting to generate those actions for them. Right? Which is like, yes, I don't think we're quite there with
just taking the action. But if we've done enough work intelligently to figure out what the problem is, how it's fixed, what the ramifications could be, then we can start to generate actions for people and saying like, look, hey Sarah, I found this vulnerability. I proved it could be exploited.
¶ Why Traditional Vulnerability Management Fails
I proved it could be bad. I actually figured out what the right thing to do would be. I generated it for you. Do you want to do it? Yes or no? That's a hell of a lot better experience than, like, here's ten findings, of which one of them's probably maybe bad good luck. Which is kind of like today's situation oftentimes.
Yeah.
Um, so yeah, that's the idea.
Yeah. No, I really love that. I mean, if you're inside of their tool, let's say it's, it's, um, GitHub or whatever it is, and it's just like, here's a PR that I've submitted. You can see the diff right here. And like this is what she does every day, all day anyway in this exact tool. So she's like yes, I accept. Boom. That's way, way easier than the thing that just doesn't work. Which is, they received a
report which had like 480 things in it. And and now it's her job to figure out if any of those apply to her. And then when she looks inside, the vulnerability description is just like this wall of text, which came from like a generic vulnerability description. And so she's left trying to figure out like, okay, like what exactly is this saying? And guess what? That's why management like hasn't been doing so well over the last like 25 years.
Yeah. Yeah. Well the worst thing is though like for Sarah there a lot of places now have got to the point where they like one of the easiest applications of AI was throw a list of existing findings in and like get some suggested actions out because it was just like literally like single call. You could like throw a finding in, give you some code, give you something. And that's where a lot of like our auto fix
suggestions kind of come from today. The problem is that because they started there, rather than starting right at the root of the problem, which is like most of the findings don't mean anything. Yeah. We end up with, let's say we have a list. Your list of 480 findings turns into 480 auto fixes. And so we've got a lot of work getting generated that doesn't need to be there in the first place. And also, most of them lack a lot of the context about, like, how this
thing exploited what would be the most appropriate fix. So we've kind of like started at the end in a lot of cases now. And we need to go, I think like back to the start, get back to the root of the problem, figure out how bad these things like figure out what like if they can be exploited, how bad they are, what the context is around them, and then feed all of that into our remediation efforts. And suddenly Sarah gets not only like a shorter list, but like a way more intelligent list of, of of
actions you could take. And then, as you said, she gets away from, you know, just getting that like blank report with a vague description to you just need to do this thing now. Okay, great. Like click uh, and that's hopefully like, honestly it's kind of why we started
¶ Startup Lessons and The State of AI Agents
the company is we used to lead like the PM and engineering teams at various places. And it just it just annoyed us because because the teams were spending so much so long like, uh, spinning their wheels around the problem. And it was just annoying. So we just thought like, this can't be right. Um, and so, yeah, here we are.
Yeah. That's it from my experience. That's absolutely the best place to have a startup is like, the founders are familiar with the pain of the problem, right? And it's like they just wish that they had this in the past for their problem. And, like, it's just a really pure way to start a company. Um, so what can you say about the, um, the current state of agents, um, with all the hype and what, like what works? Uh, and as much as you can share about about your, like,
approach to the agents, like how many are there? Are they, are they working on different things all at the same time? Are they coming back and like unifying into one context, that kind of stuff?
Yeah. Good question. I was actually just I was just talking to a CSO about this earlier today, and we have quite a funny chat about it of where people's expectations sometimes of what agents can do are and like the reality and some of the like. They sometimes they look so impressive when you first start using them that you kind of imagine that they're capable of just tackling like all sorts of tasks with limited guidance. Right? You're just a bit like imagine, like you're working with like
a really senior colleague. You can give them a really vague instruction and they'll just like figure it out and probably get a good result. The agents can sometimes feel a bit like that. So people end up being like, cool, we're going to build this platform and agents are going to do all these like 100 different things, right? And I see some security companies starting to, like, fall into this trap a little bit where they're like, we use agents now. We use agents for like this and this
and this and this and this. And having worked with them for the last over a year now, my perception of them is they're much more like very knowledgeable, like 16, 17 year olds, right? In that like they're knowledgeable, they're capable of getting a task done. But they need a ton of like clear instructions, guidance, guardrails like training back and forth with a manager again and again and again and again. And then you can get them a bit like teaching a grad how to do a specific job.
You can take your like 17 year old and turn them into someone who is pretty capable at that job day in, day out, but they still need to be doing it in like a relatively narrow, confined space. And they still need a lot of guidance and training and oversight. And that, I think, is where we currently are with a lot of agents. But that doesn't mean for security, because we have so many tightly well-defined problems, lots of data and lots of ways to give guardrails to these things.
If you spend enough time honing them, they can just start doing incredible stuff. But it's really not a case of like, cool, I'll just throw this problem into Claude and just like, see what it comes out with. Because a lot of a that's gonna be very expensive a lot of time if you do it without any optimization, B you're gonna end up with like, such an unpredictable result that you're going to go off the idea entirely. Um, and I run into teams like that all the time
¶ DARPA's AI Cybersecurity Competition
where they're like, oh, yeah, I tried this for like a day, and it didn't quite work. It's like, well, you need to spend so long, like getting them there. So that's kind of my perception of it. They I don't know what you're seeing. I'm sure you're playing around with them in your own world, but like, they can do incredible things. It just takes work basically would be the summary.
Yeah, yeah, very much agree with that. Yeah. I just got done talking to, uh, Matthew Brown, uh, who led the AIxCC competition. Are you following that whole thing?
Yes. Yeah, vaguely followed it.
Yeah. The this, uh, DARPA competition and it's open source project, and basically, they'll all release their things. I'm not sure, um, if anyone's messed with them yet, but the idea was to just go and find vulnerabilities on GitHub, and then you have to be able to fix them. So that's this multi-year competition from DARPA. So I was talking to him about this agent design thing, and he was like, yeah, the first, most important thing is like break the problems
into categories. And the category is, um, should you even
¶ System Design: Deterministic Code vs. AI
be using AI at all for this? Right. So, um, and try to do as much with regular deterministic code as possible, because too much intelligence is a thing. Too much creativity is a thing. Um, and especially if you ask a model, does this look vulnerable to you? They will try to find a way to say yes. Right. So it's like it's this weird balance between deterministic, uh, deterministic code and then using intelligence where you have to, for example, does this look like a cat.
You can't use deterministic code for that. You have to use ML or AI or whatever for that. But like this whole system design thing is really fascinating to me.
Yeah. Your example of like, does this look vulnerable to you is a great example of where, like, the agents aren't at that level of competency, it's too broad and too vague for them. Like they like a human may not even be able to answer that. Like, you line up ten humans and they might give you a bit different answers anyway, let alone what agents would give you.
So yeah, you're right. I think like the nature of it is how do you distill it down to smaller and smaller and smaller questions and like make it impossible to get it wrong, given the knowledge that it has and like the ability that it has? And again, much like, like imagine you're like leading a team of like new grads, like you're not going to just ask them vague stuff at the start of the day and see how they get on. Like a week later. You're going to give
them all very like tight, refined tasks. You got to keep checking in on them. And then you're probably going to like, you know, aggregate their work at the end and then you're going to come out with something useful, hopefully. Um, and I think that's much more like where we are.
Yeah. So, so what is, um, the product that you have?
¶ How the Product Works and Data Sources
What does it do? Like, how does the work, like, what sources are you pulling from? Are you aggregating other sources? Are you finding yourself, uh, like, what is the workflow look like for somebody using it?
Yeah. So in essence, it's really just a way of going from like, I have a potential risk. I need to investigate it and figure out how bad it is. I need I need help fixing it. Like that's the really the workflow that it does at the moment. It does that all with cloud CVEs. It's basically like cloud infrastructure, um, VMs, containers, etc. pull in the vulnerabilities that are found by scanners. Investigate every single one of them. Come away with that you
know 10% as long list. And then within that list prioritize the very, very, very small number that are going to lead to something bad happening and then help people fix them. Um, so that's the flow at the moment. Like cloud vulns in um, like human level triage, I guess in the middle and then like, fixes come out the other end. And as you can imagine, then as we build out that platform, it gives us more and more potential to throw more and more different types of
data at that same platform. But for now, very kind of focused on on just cloud CVEs.
Yeah, that makes sense. And so, um, pretty much the top products that are out there, like when they're emitting vulns, you can just consume from them, you can connect to them and get their vulns, uh, a list essentially.
Exactly. Yeah. Because it's always been a very integrated kind of like area of VM was, you know, probably probably. No. And so, um, so yeah, I think people are very used to kind of like aggregating data from scanners and
bringing it around and stuff like that. This is a a big twist on that, because rather than aggregating it and putting some kind of score on top of it or something, you're aggregating it and then letting AI kind of like, investigate everything like a human would have done, and then coming away with a very different answer on
the other side. Um, but yeah, we basically pulled from APIs, uh, pulled from the cloud environment, gather all the context, pull from other systems if we need to, sometimes to like gather more context to help us with our assessments and then, um, you know, create actions at the other end. But it's
¶ AI as "Extra Eyes and Hands" in Security
meant to as I said, the analogy is just always like, what would what would, like Daniel four years ago or something have done, like trying to solve this internally? Like, what would you have gone in if you had the time? Like, what would you have gone and looked at? What data would you have gathered? How would you put it all together? And then how do we do that automatically?
Basically, yeah, I really love that framing of AI. Like, um, I try to discourage people, especially who are negative about AI, from thinking of it like as some special tech and just imagining it as extra eyes and hands. And to your point right now, 16 and 17 year old eyes and hands. Right. So it's like.
Yeah, yeah.
Um, what what would you have done if you had 10,000 people to put on every given day to go and look? And it's like, well, I would go and collect them and I would go and analyze them. I would dig into the details and all the things that you just said. That's what we would do be doing manually. So that's what we should try to get the agents to do. It's like it's not complex. It's like not special tech. It's just you've got extra eyes and hands. What do you do with them?
Yeah, exactly. And they don't get bored. Um, and they can use as many of them as you want within within reason. Um, and that's why I think a lot of people get wrong sometimes is like they're trying to they try and like. Yeah, they try and just think like, okay. Like there is like human jobs today. And there is what AI can do. And like it's just a one
for one fight. But it's not. It's more like, it's more like, what is all the long tail of stuff that like four years ago, I couldn't write software to help me with. But now I can use software to help me with and like, what's that long tail of stuff that I'm never, ever going to get time to do, but would be useful if I do enough of it and I can aggregate it all up like that's where
the value is today. And this, in security, like, security is absolutely full of use cases like that where like theoretically we would like to go and look at a bunch of stuff, read a bunch of different data points, pull it all together, come up with conclusions, etc. but we just don't have the time. So yeah, I think hopefully, hopefully people are starting to figure that out, which is like it doesn't have to be just like a 1
to 1 with what a human is doing. It's more like a yeah, what's what's the list of stuff you would do if your day was 100 times longer or something?
Yeah, yeah. That's right. And yeah, I've been thinking about this, uh, limitations of creativity. Um, like, I call it a type three limitation, um, because there's two others. But the limitation is basically not realizing because we grew up in the past, obviously,
¶ Breaking Barriers: Rethinking Scale with AI
that's the way time moves is forward. And it's like, um, we just have blocked out a million different things that we could be doing in life and at work or whatever. And so I kind of think of, like how many logs are actually streaming in to, into a given organization, right? Let's say terabytes per day, depending on the size of the company. And like the natural assumption over the last 20 years is, well, we could look at, you know, 0.01%. So let's try to find that 0.01%.
And so we we without even knowing it, we have these invisible barriers on us. And what AI is like forcing me and like, you know, us in general to do is like, think outside of that. Think what could you do potentially if in that case, it wouldn't be like if I could double my team because it would
still be 0.01%. But if you had a million agents that could read logs or whatever, and maybe some of them can help you whittle down how many logs are being generated or whatever, but it's like I find it strange that we have these artificial barriers on ourselves about what is possible, based on the fact that we grew up in tech in the past.
Yeah, I see that all the time, but that's a great way of phrasing it. I think one one good way of breaking out of that, which I think you can use outside of security. But it's interesting in security is fast forward like five years, right? Yeah. And AI is way is way progressed. And I'm sure we're going to go through like peaks and troughs with AI during that time, you know, of, of of success and failures
and stuff like that. But over five years you'd expect it to get pretty far and it's spread pretty wide and change a lot of how we do all that stuff. You got to think in that scenario. What is competition from people using AI more heavily than you are going to change about your behavior by then? Right. And so in security, the competition there is not necessarily other companies. It's actually attackers. And I'm always like, remiss to like, say too much of this because you don't want to
feel like I'm scaremongering or anything like that. But if you think about what we've what we're now seeing, like you and I are working with AI agents and stuff like that, and we're seeing what they can do and how they're starting to scale into like pretty complex security tasks.
Just like imagine that on the flip side. And so if teams are kind of like slower to to think creatively and think out the box of like how much they could get out of this in the short term, they're going to be forced to in the long term because eventually attackers are not like they're not going to like hang around. They're just going to be like ruthless
in terms of figuring out how to do it. And they're gonna, um, and they're going to start forcing our hand to actually think, okay, well, it's not it's not just a nice to have anymore to, like, be able to go and tackle those 10,000 other, like, things that you might do if you had the time. Like it starts to become a must have, because suddenly the stuff that used to be easy to defend against starts to become hard to defend against, and all our behaviors have
to change. I think actually applies across a bunch of industries. Like, you can apply that to all sorts of different products, which is like if you're struggling to think creatively about
¶ Building World Models for Defense (and Attack)
where this could all go, think five years forward. Think about what the competitive landscape around you looks like. If everyone else is really heavily using AI. And then work backwards to like what you probably need to do. And I think a lot of security is probably like that today, although it's going to take a bit of time for it to all shake out.
Yeah, I very much agree with that. Um, the way I characterize it for the future is essentially, um, in, in the, uh, the head of DeepMind thinks this way as well, is like this, um, it's all about building world models of the things you care about. So in the case of of what we're doing, it's like understanding the, um, the IT stack, perfectly understanding the business, perfectly understanding the people there and the developers and the projects they're working
on and their spend. And just like having a perfect picture of that company, or in the case of attackers, which is guaranteed to be using the same tech against you, they have a world model of a world model of their target. And we are the target. So we better have a better world model of ourselves than they have of us. Because in a way, it's just dueling banjos of their AI system against our AI system. Who has
the most up to date data now? Um, and, and I basically say that attackers are going to win first because they could just start shipping with this quick. Right? And right now, everyone's like trying to figure out what's going on. So attackers are going to move first. But ideally and for somebody like Google already, they are so organized that they should have more up to date internal information coming out of these platforms to feed to their
agents to keep that context more up to date. Um, but I very much agree with your your characterization here. It's like, look, just imagine that your attacker knows everything about you and they can sense changes in your environment. So you added this new company because there was a
¶ Attackers Move Faster: Why Context Matters
merger and acquisition which they learned about from from Crunchbase. Okay. So now they're going to profile that entire company, and they're going to assume that what Vulns are there are going to now be your vulns for a period of time. So they're going to start attacking those things. And it's like, well, how fast are you making that adjustment? Because they're going to make it pretty fast. And it really is this that's the game. That's the competition is who has a better system.
Yeah. And it's not it's not like superhuman stuff I don't think. We may occasionally see some pretty, pretty wild attacks, but it's just going to be the stuff that we kind of think is kind of hard and therefore kind
of rare today. Right? It's just going to happen way more frequently, I think is the most sensible thing that like your example there of like that's kind of rare for an attacker to have the sense and the timing to be like, okay, we're now going to go after you because we've got this acquisition, but that just becomes 10 to 100 times cheaper to do in the New World, and therefore theoretically becomes a lot more common. Um, and we saw this I used to work in, uh, in
phishing and pre, like, LLM era. We saw some similar types of effects where basically there was this period of time where people went from, they figured out that like, you know, the Nigerian prince email didn't work anymore, like the mass mail phishing email didn't work anymore. And so they started working on more targeted stuff. And that worked. And then they realized it worked. And so they built a load of phishing kits like phishing as a service and all this kind of stuff, and they made it
really cheap for each other to do it. And suddenly we saw this insane spike where it went from like business email compromise and similar types of emails being like kind of there, but not that common to suddenly they were unbelievably common because the attackers made it cheap for themselves. And so like as soon as attackers make stuff cheap
¶ Phishing at Scale with AI Agents
for themselves, you see the volume go up. I feel like we're kind of nearing the precipice of that starting to starting to happen. I don't know whether it'll happen like this year or next year or something, but as you said, they'll be pretty ruthless with it. They won't they won't hang around and chat about it. Uh, they'll, uh, they'll just get to work and it starts working.
Yeah. Yeah. And going back to your previous point that you made, um, that we were talking about with, like, the extra eyes and hands, um, and how this is just kind of like it. It's not superhuman stuff. It's stuff that you could do with more scale if you had more people. Um, and since you're talking about phishing, one of my greatest examples of this is like, what if you could just create a perfect dossier on every employee at the target? So, um, and I've already got
a tech stack that does this, actually. So I could just give someone's name and it will build me, like a six page CIA background thing and like, including, like, likely personality analysis or whatever. Well, I could then feed that to a thing that writes spear phishing. So so here's the question if if you had um, if you used to be an attacker outfit with like a 19 people and like four of them were really smart or whatever. You have 19 people and you're barely able to. You
have to focus on a very specific vertical. 1 or 2, uh, attack, um, you know, targets at a time. And, like, you're really effective, but you can only do so much as opposed to saying, hey, these 250 companies are the ones I want to go after. Um, create dossiers on all of them, then go find all their social media posts. Uh, find any time they're complaining or talking about the internal tech stack, or they mention an acquisition, or they do anything and use that to
customize your spear phishing. How many people do you have to hire? Like this is all 100% possible. This is not special tech. It just requires so hundreds or thousands of people because do it every hour. Do it every day. Right? Yeah. And so so now it's just like you're just you just need more skill. And to your point about, um, doing it internally. It's the same exact thing. You. You
just need more eyes and hands to do this. And I'm just fascinated by the fact that, um, I mean, one way to characterize this is just imagine all your attackers who had 20 employees now have 20,000 employees. That that is your problem.
Yeah. Yeah, that is quite literally. And and as I said, it's not like they're now doing stuff that they never did before. They're just doing it at they can just afford to do it a way bigger scale like your phishing example. The worst bit about that is that they don't even need to stop at writing the emails today. Like they can actually just build agents that can take
your like dossier of them, right? Understand some stuff about them and then kick off a flow of actions that's actually gonna be way more effective than that single email, right? You know, uh, gently warm up the email recipient calls, whatsapps LinkedIn messages. Um, uh, real like real sounding voice calls. Like, if they really want to get into it. Fake, fake, fake web pages like that is all now in the remit of stuff that used to take a single person
dedicated on that task, right? Like days at a time to get all that stuff done repeatedly to if you can at least give agents like a certain level of guidance around how to do it. That could be, you know, maybe not that cheap yet, but like reasonably cheap relative to what it used to be. And so, yeah, I think your analogy of what imagine your attackers are now 10 to 100 times in size each, each outfit, which
they are like a lot of them are just businesses, right? Um, and so they're going to use AI in the same way we are. Like make us more efficient. Um, so yeah, I think security as an industry has to work backwards from there. Like imagine that that's the the current state or the future state and then work backwards from there. And what does that change about our current perceptions? Because I think a lot of our, a lot of our current ways of dealing with problems are, well, this will
kind of be fine in today's world, right? It's like, you know, like I can deal with this many like back to initial conversation. I can deal with this many open vulnerabilities or I can deal with this slower way of responding to something, or I can deal with this slower a speed to get myself back online in the worst case scenario, whatever it might be. It's like, oh, we can deal with that. That's probably within the bounds
of okay. But if all the attackers get 10 to 100 times bigger, in your words, like, um, by by
¶ Shrinking Windows of Vulnerability: From Days to Minutes
getting more leverage, then which of those things are still okay and which are not okay? And then how do we start adapting what we do today in response to what that's going to look like? Um, and as I said, I don't know how quickly all that's going to happen, but, um, it's very hard to make a good argument why it's not why it's not going to happen.
Yeah. Totally agree. And I guess one of the most tangible ways of thinking about this is like, how how large can you tolerate for a window of vulnerability? Uh, right. Like maybe previously it was like, you know, ten years ago or whatever, it was like a week or whatever. And let's say it was half a week, let's say it's a day. And I think we start to move towards a world and, and who knows how fast. But you start to move to a world where hours and
minutes really matter. Um, where if you have an exposed S3 bucket before it. I mean, it takes time for the tech and very few people who were automating that stuff to actually find that exposed bucket or whatever. I think that goes down to minutes. You know, eventually, potentially even seconds. So yeah, I, I find the whole thing, uh,
really fascinating. Um, what what are you guys doing? That's that's exciting right now, um, you're looking to put out soon or you're excited about you just released?
Yeah. I mean, we're we're like, um, we're we're so new still that we're just getting out there into the world, really. So, like, we're, um,
¶ What's Next for Harry's Work
we're I'd say we're like, hitting the point now where we are close to making some pretty big announcements about about where we are with the product and stuff like that. Um, but yeah, I think what we are excited about in particular at the moment is we've kind of like cracked a lot of the triage side of the problem of like, how do I understand which vulnerabilities matter? Where we're excited a lot at the moment is like, how do we how do we start helping people more and more with
the remediation side? As I said, I think for now that's more about like cutting down all the human work to a smaller window as possible. But if we do theoretically need to get to a point of minutes, then you need to cut out humans entirely eventually. Um, but I think you've got to go like step by step by step. But yeah, we are we're super excited about some of the stuff that we're seeing so far in that world because, yeah, it's a super complex problem, obviously,
and it's something you can get very wrong. Right. If we're like taking down people's prod environments on a daily basis or something. But, um, done right, like it can actually take us from this. We're just like shuffling big lists of red around, which is kind of what it feels like sometimes last few years, uh, to a point of, okay, we actually feel like we're making tangible progress day in
and day out without a ton of effort. And then maybe all those engineers and SREs and all the other people involved can suddenly go and spend 5% more of their time or something like that, to shipping product, and then hopefully everyone wins at that point. So yeah, we're really excited about getting more into that side. And also just excited about having the the initial, uh, you know, version of the product now out there in the world and, you know, people starting to use it.
No. It's awesome. And where can people learn more about it?
¶ Closing Thoughts
Um, they can catch up with me online, my LinkedIn or Substack. Um, feel free to, like, reach out to me there. We also have a website where you can kind of catch up a bit more on what we're up to.
Well very cool Harry, thanks for the chat. Very, uh, very cool conversation.
I really enjoyed it.
All right. Take care. Unsupervised Learning is produced on Hindenburg Pro using an SM7 microphone. A video version of the podcast is available on the Unsupervised Learning YouTube channel, and the text version with full links and notes is available at Daniel. Com newsletter. We'll see you next time.
