Episode 71 Security Operations

Breaking Vulnerability Management's 30-Year Logjam: Two Cyber Veterans Attack It With AI

Sharon Isaaci & David Warshavski | February 23, 2026 | 49:04


Sharon Isaaci and David Warshavski spent the better part of two decades doing two things: breaking into organizations as part of elite offensive security operations, and responding to the breaches that happened when defenders failed. After hundreds of engagements — including work in the aftermath of NotPetya — they kept seeing the same thing on both sides of the wire. Breaches don’t happen because vulnerabilities go undetected. They happen because they go unmanaged.

In this episode, we dig into how two practitioners who’ve spent careers attacking and defending are now applying that attacker’s lens — automated and scaled with AI — to do what the industry hasn’t managed in three decades: make real advances in vulnerability management, a discipline that has barely moved in 30 years.

What We Cover

  • Why vulnerability exploitation is still the #1 cause of breaches — and why that hasn’t changed in 30 years
  • How the context hidden in Slack, Notion, and email holds the key to real prioritization
  • What the Maersk/NotPetya response taught Sharon and David about business context and recovery
  • Why AI lets defenders apply an attacker’s mindset at scale, with no coverage limits
  • How Tonic Security dramatically reduces false positives and surfaces under-the-radar critical findings
  • The compliance vs. security tension — and why explainable AI can bridge that gap
  • Why the industry needs fewer findings, not more

Listen Now

Tune in to hear our discussion with Sharon Isaaci and David Warshavski.

Guest Bios

Sharon Isaaci is Co-founder and CEO of Tonic Security, and has over 25 years of distinguished leadership experience in cybersecurity, intelligence, and operations.

David Warshavski is Co-founder and CPO of Tonic Security, with over 20 years of experience, specializing in cyber crisis management, incident response and adversarial cybersecurity.

📝 Full Episode Transcript

Joe Patti (00:13) Welcome to the Security Cocktail Hour, I’m Joe Patti.

Adam Roth (00:16) I’m Adam Roth.

David Warshavski (00:16) I will.

Joe Patti (00:17) Adam, we have not one but two guests today, so we’re gonna have a lot of fun.

Adam Roth (00:21) You mean you’re gonna have a lot of fun editing the podcast.

Joe Patti (00:24) Yeah, that’s right. It means more work for me. As our regular listeners know, we know a lot of Israeli folks. And we have two of our good friends on today. Well, I can just say they’re pretty hardcore. So let me introduce everyone.

We have Sharon Isaaci. Sharon, welcome to the show.

Sharon Isaaci (00:44) Thanks a lot, Joe, Adam. Thanks for having me. As you said, I’m Sharon Isaaci. I’m the CEO and co-founder of Tonic Security. Excited to be here.

Joe Patti (00:54) And you know what? I’m not even going to talk about your background. I mean, you’re ex-IDF and everything. But I mean, you’re so scary. I’m afraid to even say anything for fear of your buddies coming after me or something. So we’ll keep it simple, man.

Sharon Isaaci (01:09) Yeah, no, we

don’t do that anymore, Joe. So just a few words about my background. As you alluded, about 25 years of experience in the cyber industry. The first part of my career was in the military sector. I spent about 20 years in military intelligence, in a variety of cyber intelligence and operation roles.

And then about five years before starting Tonic, I joined Israel’s number one incident response company, which does also a variety of cybersecurity services, including offensive cybersecurity services.

And I think that that’s when our paths first crossed.

Joe Patti (01:54) Right, yeah, you did the purple teams with us that Adam just talks about constantly, which is fantastic. And we also have with us…

Adam Roth (02:04) Well, they had a… They had a profound

effect on me, I sleepless nights, threats of coming after me, my first sextortion, coincidentally, kinda weird. You know how it is.

Joe Patti (02:08) You know what?

David Warshavski (02:16) With it,

I promise a life-changing experience.

Adam Roth (02:19) Yes.

Joe Patti (02:20) Yeah, I thought you were going to say something like spiritual or whatever.

Adam Roth (02:23) No, no, there’s

nothing spiritual here. There’s pure… …compativeness, you know, stuff like that.

Joe Patti (02:27) Pure terror, I don’t know.

So we also have David Warshavski, our friend who is one of our first guests. I looked it up from way back in episode 15. It’s been a while since we had you on. We’re glad you’re back.

David Warshavski (02:42) Has. Has.

Glad to be here.

Joe Patti (02:47) And back then we had you down as Cyber Warrior. I know your background is in a lot of offensive stuff and in a lot of IR too, which is really how we met you in doing things.

David Warshavski (03:00) Yeah, so that’s true. Similar to Sharon, I’m also a graduate of the intelligence corps in the IDF. We did a lot of interesting things back in the day. Some of that was offensive. Some of that, a lot of that was defensive. And many of the folks I had a privilege and honor of serving with

joined forces together working at a company called Sygnia, which you all know is the premier incident response company in Israel. And we’ll probably talk a bit about this during the podcast, but it really was our formative years for Sharon and for myself, I guess. Also, first, this is where I met Sharon. And again, a privilege to have worked with him and still is, obviously. And many of the really life-changing events for both of us happened during that time.

Also, you mentioned cyber warrior; now I’m more like a cyber dad. I’m fighting diaper changes and sleepless nights. Less cyber adversaries. I like it that way.

Sharon Isaaci (04:02) Yeah, and actually, David’s formal position in Tonic is CPO, Chief Product Officer, but in practice, it’s more Chief Poop Officer. That’s…

David Warshavski (04:14) Exactly.

Chief Poop Officer, you’ve heard it first here, it’s a new role in cyber security. People will come up with some interesting ideas and I will poop all over them because we want to be innovative but we also want to be laser focused.

Adam Roth (04:28) So Joe,

I want to add to this, Joe. Like, I never had the honor of working with Sharon as part of Sygnia directly, you know, but David was on offense and let me tell you, he offended me pretty often. So I just want to bring that out there.

David Warshavski (04:47) Well, there’s a lot to offend. There’s a lot to offend, Adam. You know this?

Sharon Isaaci (04:47) Well, yeah, yeah, yeah.

Joe Patti (04:50) Yeah.

Sharon Isaaci (04:52) You have an opportunity to reciprocate now.

Adam Roth (04:55) Yeah, those days are over, I think. I’m more about kumbaya, let’s work together, let’s make things work. Those days of me being on offense, I think are gone, right Joe?

David Warshavski (05:10) Almost, almost believable. Almost believable.

Joe Patti (05:10) Yeah.

Yeah, well, I think you found David offensive because he kept beating you. That was the thing. But anyway.

Adam Roth (05:17) That’s okay.

Let me tell you something. He should be beating me at the level he’s at. I’m just a lowly, small, new, cyber guy.

Joe Patti (05:25) So you guys have got a long history, been in consulting, doing a lot of things at a pretty high level, some tough stuff. And you started up a company now. But you’re not doing, I’d say, what is completely obvious. You’re not doing IR.

You’re not doing offensive stuff and pen testing. You’re doing something very different. So why don’t you tell us a little bit about, well, basically the road that you’ve taken to get you there, because it’s really interesting. And I think it also is kind of reflecting, how products come about in security from people who are using what they’ve seen.

Sharon Isaaci (06:08) You know, any great innovation is born out of necessity, right? And this is really how Tonic came to be. And it started in the front lines of incident response in our Sygnia days. So I was also a former CISO and we did a lot of incident response engagements with many Fortune 500 companies and others. And one thing became increasingly clear as we did the…

We were fighting the bad guys in the battlefield. And that’s that most breaches that we responded to, when we did the forensic investigation, we understood that they didn’t start because vulnerabilities were unknown or undetected. They happened because vulnerabilities were mismanaged. They were detected by the different tools of the organization. And yet, despite this visibility, bad things were happening.

And we dug a little deeper into it and we saw that according to almost all industry studies, consistently vulnerability exploitation is still ranked the number one or number two main cause of breaches. And so we were faced with a kind of a paradox. We have more visibility, more tools, more technology, more data, better alerts.

And yet security teams continue to fall behind the attackers. And that was really an aha moment for us, for David and myself. And with the advent of Gen AI we understood that this problem, which is just getting worse, is now solvable. And that is really when we decided to set sail and start on it.

Adam Roth (07:59) I had a conversation with somebody the other day, friend of mine, but he has a legal background. And I think a lot of people still don’t understand everything is vulnerable. They don’t have that mindset. So unless you’re in that industry, unless you’ve lived it, unless you fought it, unless you’ve been on that battlefield, people don’t understand. They don’t have the mindset to go from A to Z.

Joe Patti (08:07) you

Adam Roth (08:22) on how something can be compromised. I just want to bring that up for everybody who’s listening. Everything is vulnerable. You need tools. You need expertise. You need to have the mindset that just because a door is locked and has a pad lock and has another lock and has an alarm and has a camera on it, that door is still vulnerable.

Joe Patti (08:42) Well, everything’s always vulnerable, but being what’s really infuriating is exactly what you’re talking about. Why I was so interested when I first learned about what you guys were doing. Because I mean, I was recently on my fourth company where I came in and vulnerability management was still an issue. And it’s just so tough. And you’re right. You know about the vulnerabilities, but we can’t fix it. It’s production. We don’t know where it is. This is old.

David Warshavski (08:42) I

Joe Patti (09:10) And then when you see you get popped, you’re like, oh man, this shouldn’t have happened.

David Warshavski (09:17) Who could have foreseen it except everyone? Yeah, it’s… Remember, we had discussions a lot, Sharon and I. It’s like, yes, the writing was on the wall and the folks at security would say, yeah, but we didn’t have time to fix this. We had so many other things to do. It’s almost tragic. But you could avoid it. It’s a strategy had you had the context that you need to get a better handle on things and…

Joe Patti (09:20) Yeah.

David Warshavski (09:45) I like that you asked, previously you also asked about how several companies are born these days. And one of the aha moments we had was if you just sort of zoom out and generalize how several companies are born or created or ideated in cyber, there are only a couple or two and half ways for that to happen. One is there’s a new tech, new tech surface that needs to be protected, mobile, cloud, now AI, or

there’s a new technological shift that opens up an abundance of possibilities. And AI, if you transpose, hey, there’s a new attack surface called AI, but if you transpose this and say, what can I now solve leveraging this new and amazing technology? We’re talking about the end of 2022, ChatGPT breaks out into the world. And wow, there are so many problems that now can be fixed. And for Sharon and for myself, it was very clear.

that there are problems that are now can be solved and should be solved. We’re uniquely positioned to solve them because of the pain and the hurt that we felt during those days, during the initial response.

Joe Patti (10:56) Yeah, but that focus on real solutions is really important because the other thing we’ve seen since gen AI has come out everywhere, but especially in the security industry, people say, now with AI, now with AI. We’re not a security company. We’re an AI company now. Just slapping it on because they have to have it without much thought given to it.

Adam Roth (11:17) The good news is that with the proliferation of all these LLMs, all this AI, people can do vibe coding, people can do a lot of different things and accelerate what they’re looking to do. However, you still gotta have the mindset that everything is not 100 % when you do this. You still gotta be a human and look into it. You can use the power of LLMs, the power of AI,

but you still have to be conscientious of what those results are. You got to evaluate it. And I think the mindset is a lot of times when people do post mortems or after action reports or whatever you call it, whether military government or civilian and commercial, you always end up finding that vulnerability, that thing that there was always an issue there that could have been solved. And I get it. Not everybody has the budget. Not everybody has the people to do things.

but you end up finding out somebody was aware of what was going on and didn’t take action on it.

Sharon Isaaci (12:20) Yeah, look, it’s no small wonder that this is the case when today security teams literally face millions of findings. And this is not just the case in the huge enterprise, also in midsize companies. And the numbers are growing exponentially all the time. And it’s not just a question of volume. It’s also a question of variety, that different types of findings are. The

Joe Patti (12:31) Mm-hmm.

Sharon Isaaci (12:47) velocity that these findings are coming in is also growing. And the more attack surfaces we are, then the findings are multiplying more and more. And at the same time, not only us are leveraging AI, but the attackers and one of the advantages that they are getting from industrializing the exploitation of vulnerabilities through AI is shortening the exploitation time.

So at the time when we are faced with more and more findings, which is making us slower, they’re becoming quicker. And so this kind of inherent asymmetry, which has almost become a cliche that we talk about between the attackers and defenders, in this realm, in this context is getting worse unless we revolutionize the way we do vulnerability management, which we’ve been doing the same way for many, many years.

Joe Patti (13:44) Yeah, the thing I’ve always found about vulnerability management is not the finding of things. Finding of things is easy. It’s figuring out how to take care of them. I’ve sat on the show and I’ve said for years, because of the industrial scale of what the bad guys are doing and the scanning, the techniques they have, if you’ve got a vulnerability, people are going to find it. They’re going to find it. It’s not a question of can they pop it. It’s do they want to? Are they picking on you this day?

Has their automated tool decided you’re the right one they need to hit today? So when you see these things hanging out there, to me it’s just like almost like a sign, like an invitation to say, hey, come get us.

Adam Roth (14:26) So Joe, I think it’s fair to say you and I have had this conversation many times, and vulnerabilities are not two dimensional, they’re three dimensional. And what I mean by that is it’s always like, there’s a vulnerability in this switch. Meanwhile, this switch is three layers deep within the corporate network. And everyone’s like, no one can get to it anyway. But what they don’t realize is that somebody who’s understanding the attack surface says, well, yes, it might be

three layers deep behind a firewall, you know, routed, you know, through three different networks. But guess what? The management layer, let’s say VLAN 1, is actually exposed because that VLAN 1 is trunked all the way to the network that’s closest to the upstream. And they don’t realize that. They don’t think about how an attacker thinks.

So you have to not only understand where the vulnerability is, but how that product can be exploited through another means. So there are software out there that does that, right? But you’ve still got to think about it.

Sharon Isaaci (15:35) Yeah, there’s several levels I would say to the problem. And one level is visibility. And I think, like you said, finding that it’s yesterday’s problem. Today, where we’re able with commercially off the shelf tools, it’s been commoditized. We’re able to have pretty good technical visibility. I think that’s a challenge that has been solved.

Joe Patti (15:57) Alright.

Sharon Isaaci (16:06) In many cases, this visibility, it’s shallow, it’s superficial. You understand the technical details. You see the trees, you don’t always see the forest or you don’t always see the business context or the organizational context or like Adam, you said the adversarial context of that visibility of those assets. What is the risk to those assets?

Joe Patti (16:10) Hmm.

Sharon Isaaci (16:35) in your specific circumstances. And so the next layer is that layer of context to be able to contextualize that technical reality. And once you have a deeper visibility, then you can go to the next layer, which is focus or prioritization. And that means taking all of these millions of findings and then focusing on those that are really

risky in your environment, not based on generic technical security scoring, but what really poses a risk in your organization. Like you said, Adam, what is really exposed to the internet or exploitable, or what is a critical asset or a crown jewel? Today, most organizations can theoretically do this, but manually.

That obviously doesn’t scale and it leaves a lot of loopholes. And then the next layer, I would say this is tomorrow’s problem, if prioritization is today’s problem, mobilization of action is tomorrow’s problem, or some might say it’s already today’s problem, is once you’ve narrowed down that target on those that are really impactful findings,

how do you get them fixed, solved as soon as possible and as smoothly as possible? Facing that, we said that there is an asymmetry between the defenders and the attackers. There is also an inherent misalignment or friction or tension when we fix issues between the security team and the people who actually do the fixing, which are usually not the security team. It’s the IT operations,

IT infrastructure, the developers. The security team has the responsibility to get things fixed, but they don’t really, in many cases, have the authority. So how do you navigate that kind of landscape and make sure that things are getting fixed fast? Because again, it’s a race against time. It’s not enough to prioritize well, you got to fix them fast as well.

Adam Roth (18:56) I got a funny story talking about visibility. I was at a function recently and somebody introduced themselves to me and we were talking and I said, I used to work for a company called Gigamon. I know you never heard of it. I’m like, of course I heard of Gigamon. And then because the people I was with maybe necessarily didn’t understand Gigamon. And I was like, I like it because I understand that the visibility is there.

You can get 100 % visibility besides the fact that the packets are encrypted, but you can really get understanding of bandwidth. But the point I’m going to make here is even though you can have 100 % visibility into what’s going on, not necessarily see every encapsulated packet, but see the bandwidth and the speeds and everything else of maybe data being exfiltrated. At the end of the day, you can have really good products and some of these products are very intuitive, but you still got to have somebody that understands what the ask is, what the techniques are.

what they need to do. Yes, the best possible product is gonna make someone’s life easier, but you still have to have the individual have an understanding of what they need to do. And sometimes we don’t mentor those people. We don’t give those people guidance. We don’t give them the experience they need. And they really do need that. Otherwise they’re like, they might as well jump overboard on a ship.

Joe Patti (20:17) OK, so I have to point out here that for anyone who doesn’t know, Gigamon makes basically very fancy taps to pull traffic out of networks. And they’re typically used for things like full packet capture. And because Adam just made a reference to full packet capture, anyone playing the Security Cocktail Hour drinking game, that’s a shot right there because Adam got a reference in.

Adam Roth (20:42) I don’t know, I love packet capture, I mean, but you really gotta be on your A game to use packet capture.

Joe Patti (20:47) Okay guys, so what’s the real way to fix this? Because we know what we’ve been doing doesn’t work or is pain or is excruciatingly painful at best. What else have you cooked up?

David Warshavski (20:58) So one of the things that we’ve, when we set out on this journey, we, so the hypothesis was, and we knew this to be a fact because of our years of experience as sponsor working with all these companies, that the knowledge required to answer many of these questions, solve some of these challenges.

is there. It’s just highly, highly distributed across multiple systems and most of it is unstructured, which was like an aha moment for us. I’ll give you an example and I can talk about this freely because this is very much public. We had an opportunity to spend some time at the Maersk IT office after what happened there in Apec.

Joe Patti (21:46) And just to remind everyone, Maersk got hit with a big attack and came back by the skin of their teeth.

David Warshavski (21:53) And kudos to the Maersk team. They did an amazing job. Heroes, really. Like the amount of time that they were there, 24 hours after that. We came there a short time after that. We saw an organization that was able to be like Lazarus. They were highly, highly impacted. Maybe just to make sure the real ones are. I remember what it was. NotPetya.

An attack by Russia against Ukraine that’s horribly backfired. Many Russian companies were attacked as well. It was one of the largest, not the largest, actually the largest applied to an attack in history, not counting SolarWinds, but SolarWinds was very focused and very targeted. And it was a wiper, not an anvil. I’m like, why not? It was a wiper in disguise with no decryption keys, just encryption.

Some companies were almost completely destroyed. Maersk obviously operating worldwide, operating in Ukraine as well. They were hit by this wiper and they lost a lot of infrastructure. There’s some, as you can find it online, it’s very public. There’s some great stories, war stories, about how they managed to recover. What’s interesting and what’s relevant here is that I was, that we were very much struck by how many

of the business critical operations were so heavily dependent and intertwined with many, many, many, many other systems. It was not an easy task to map the dependencies between the critical applications, the underlying supporting infrastructure, the dial tone services. And so even more, could it still be a that managed to recover their critical operations, if you remember that ships could not.

no manifest, no ability to dock and unload cargo. And that sort of, in 2017, which was sort of the opening shot for what we call the golden age of ransomware, where in almost every other incident we responded to, we saw the same. It’s not easy for an organization to understand how the underlying tech support the critical business obligations of business operations. And so…

given this premise, how can you even begin without business context or without operational context? How can you even begin to prioritize what to deal with first? Nevermind the response in an incident; in day-to-day operations, vulnerability management is one example. How can you begin to prioritize what you need to deal with, right? What you need to focus on. Now, we knew, we knew that the information existed, exists. It exists, but again, highly distributed in collaboration tools,

Adam Roth (24:24) you

David Warshavski (24:44) knowledge systems, Teams, Slack, Notion, Confluence, email. If something is important to the business, someone is talking about it somewhere. And we set out to pull this up in our office and we did. And essentially we managed to find out a way to extract this context and provide it to the defenders in a way that allows them to understand, okay, I understand what’s business critical. I understand why this is business critical. And not only is it important, I know who to talk to.

Think about it, in a large organization it is a big, big challenge to solve.

Joe Patti (25:19) That’s always the big thing. You know, you ask for the application. Who’s the guy for this? Who’s the AD guy? Who’s the, you know, whatever guy, the firewall guy, whatever it may be. Yeah. That alone burns up a lot of time unnecessarily. Put it that way in the real world.

Adam Roth (25:36) Yeah, but Joe

and then when you know who the guy is or who that woman is, it ends up not being them because they say no, it’s not me, it’s them. And then they say, no, it’s not me, it’s them. It’s always, it’s always this.

Joe Patti (25:47) Yeah.

Sharon Isaaci (25:50) Yeah, and in some cases this person has already left the organization. Or you found him, but he’s not responsive.

David Warshavski (25:55) to do it.

Sharon Isaaci (26:02) and you have to chase him. And then once you find him, or her, there is some convincing that has to be done. Again, they’re not in the org chart in many cases of the security analysts or the vulnerability management team. So you have to persuade the person in the IT infrastructure operation that this vulnerability has to be patched. It has to be patched urgently,

and it won’t have a very deleterious collateral damage.

Adam Roth (26:37) So, Sheryl,

I’m sorry, I was gonna say Sheryl. You know, like I went through that exercise with Joe where we were doing application security and I’m asking people, I’m interviewing them, what ports, what does it connect to, what are your dependencies? I don’t know, I was just given this. And I’m like, really? And I would get frustrated because not that I don’t wanna help, of course I always wanna help. I always wanna be a problem solver. But I find it sometimes that people end up

Joe Patti (26:54) Yeah.

Adam Roth (27:05) not participating because it’s too complex for them, that they’re free to be exposed, they’re free to be found out, and it ends up being my job or somebody else’s job to figure that out, what those real dependencies are, what those ports are, what that source IP address, what that destination IP address is, and that becomes complex.

Sharon Isaaci (27:25) Yeah, yeah. And the more complex it is, the less actionable it is and the harder it is to secure. And people make better decisions when you simplify information to them and when they are really intelligible, when they understand why they need to do something. And context is a big part of that.

Joe Patti (27:36) you

Yep.

Yeah, but it’s so difficult because, again, looking at the real world, like you say, David, the information is there. It typically is there. And people even know where it is. But it’s in so many different places, and it’s not brought together. Or you say something like, well, and there are systems that have tried it already, simulation systems, config management, all sorts of things. And you say, well, this would be really easy if just we had an asset management system that worked. And it ends up you do.

David Warshavski (28:17) Yeah.

Joe Patti (28:19) Or you have more than one, and none of them works completely. Same thing with configuration. Same thing with network visibility, all that. Making sense of it and doing it quickly and in a way that’s meaningful to the people who need to know. That’s the challenge. And you’re right. You spend a lot of time when you’re a security officer explaining to people who you would think know, yes, this is a problem. This is why.

It can be a little frustrating.

David Warshavski (28:50) It is, it is. And I tell you, some of the happier moments at Tonic are where we see some of that frustration go away. Some of our customers truly, wow. Did you fetch that information? Yes, we did. Wow, now I understand what this is. Wow, now I can act immediately, or not act, because I know it’s meaningless, or it’s not relevant, or it’s just important.

And this was, we derive great pleasure in removing some of the frustration.

Joe Patti (29:22) Well,

if you can remove those frustrations without resorting to felonies, that’s good.

Adam Roth (29:34) Hey David and Sharon, are there any wins you can share? Or you can’t share yet?

Sharon Isaaci (29:34) Yeah.

Well, we can share some. I just wanted to also double click on what David just said. David, he’s a hacker at heart. In our consulting days, he was responsible for the offensive security team. And it wasn’t through a felony. It was through lawful offensive security operations, you know, ethical hacking.

A lot of the times, a lot of the time, yeah, essentially, exactly. A lot of the time we would mimic the attacker and go after that context. So we would go into the, when we did the red teaming, into the tribal knowledge or the organizational knowledge base of the company that asked us to attack them. And we would from that understand where the crown jewels are.

David Warshavski (30:07) concept.

Joe Patti (30:09) All consensual, that’s right.

Sharon Isaaci (30:37) What is more exploitable? Who are the people that have higher privileges? And we’re leveraging that.

Joe Patti (30:45) And

you’re doing that manually through your expertise, experience.

Sharon Isaaci (30:50) Exactly.

Exactly. And so, you know, we’re leveraging that attacker’s mindset, automating it, obviously, with Gen AI, which means we have no coverage limitations. We cover the entire estate. We have no issue of motivation of the analyst or the attacker. And so we can very easily answer those questions, which was hard in the past.

And going back to your question, Adam, about wins, often the first wins or the quick wins that we get from our customers is when we do two things. We dramatically downgrade a lot of findings that they would waste their time on, which essentially you can consider them as false positives.

These are findings that the original scanner flagged as something that could be high or critical, but in fact, they’re not. And so they don’t need to worry about that. So we’ve really reclaimed expert time. So as we said before that, you know, we need the human in the loop to bring meaning and to make sure we’re just focusing on technical realities. We are actually

Joe Patti (31:54) You

you

Sharon Isaaci (32:16) enabling the security analyst and security expert to spend most of their time on those meaningful tasks, on judgment, and on what really moves the needles for their organization by letting them not worry about those 90 % of the findings that are really false positive. And then the other side of the coin is to focus them on findings that went under the radar.

Joe Patti (32:24) you

Sharon Isaaci (32:45) they were unknown or they didn’t understand the risk because the original score, that generic score was maybe medium or even low, but in the context of their specific organization could be very, very risky. But this is something you can only know by contextualizing the finding for the animal. And sometimes, David, I remember this in a couple of cases.

We would even get into a kind of an argument with the security team. They would tell us, no, no, wait a second. This is not a critical asset or it’s not exposed to the internet. Where did you get this from? And so we of course walked through them and that was a nice way.

David Warshavski (33:27) Thank

Adam Roth (33:32) Well,

I can say this. He was adversarial, not with I would never argue with him what was critical and what’s not. Well, I think one of the most amazing things about a red team or purple team overall is that you as the red team are able to discover things that even the vendors didn’t even know zero days. If I recall, David discovered zero days.

in some of these engagements and that was beyond amazing. You do learn a lot and I have no doubt in my mind. Tonic has a wealth of experience. Sounds like I’m almost like a sales guy, but knowing the engagements we had, you’re able to contextualize things that people don’t really understand. And that’s what’s amazing about it because you see, you know, you

you don’t see this 10 feet ahead of you, you guys are able to see 100, 200, 300 feet ahead of you and see what needs to be done.

David Warshavski (34:36) Thanks. Yes. It’s already our experience as well. I want to double click on something or triple click maybe. Right now it’s something that Sharon said about how dramatic it is that the security teams have so much less to deal with on a daily basis. If you remember the most transformative article, science, research.

that ever came out, came out in the past decade was the 2017 Google research paper, Attention for Unity. That this was the research paper that articulated, came out with the transformer architecture and basically said we know how to fix the, solve the attention problem in a way for, and it was the beginning of large language of life. Now, and it’s so true, there is a constant battle.

for attention, for the security team, IA security teams, and they’re losing the battle. So many tools coming at them, critical, critical, critical, high, critical, you gotta fix this now, and vendors are sort of in this escalating, stupid, almost arms race, and we’re gonna give you more of what we’re gonna this deal with, and why? This is not the case. We need less findings, not more, and we know, and you know this very well.

Joe Patti (35:54) Yes.

David Warshavski (36:03) Most of the stuff that vendors shout at you is like, nah, that’s bullshit. Pardon my, not necessarily, and it’s suitable for work. It’s bullshit. Most of these vulnerabilities should not be dealt with at all. At all, not even, like, okay, this is the back-build. Don’t even know, they won’t be exploited not in a million years. Who cares? And you know, it takes some guts to say this, especially in industry.

that is very much driven by fear, uncertainty. It takes some guts to say, stop it. We don’t need more vendors that shout, this is critical, and now, now, a thousand vulnerabilities you need to deal with today. And we really felt this pain. It led to real tragedy in some very serious, heavyweight incidents. Really shouldn’t be the case.

Joe Patti (36:44) Thank

So I’ve got to ask you this because that very much gets to the real world of doing security. Getting rid of false positives, obviously, wonderful. Finding the things, bubbling up the things that are more important than they look like at the surface, great. Obviously, very important. The bad guys will find that too. But David, you’re just talking about the things that aren’t important. One of the things that’s a struggle for a lot of people, and it’s been a struggle for me,

is you find something, you get the context, and you say, OK, these are really not important. Let’s deprioritize them. Let’s even risk accept them. We don’t want to worry about it. But then you have the auditors come in, and they say, you have this many percent of highs or mediums or whatever that you didn’t fix. I mean, how are you doing with that, basically? Because that’s always a

Tough nut to crack.

David Warshavski (37:51) You

know what it reminds me of? There’s this meme or comic where you see like a bunch of browsers and you have Google, Firefox, Safari, things are happening quite fast. Something is happening and they update you about this. And then a couple of hours later, Explorer comes in. Hey, there’s this thing that I just saw. And it’s basically a jab at the slow, how slow Explorer is. And I was reminded of this because

mentioned auditors. Some auditors do important work and there’s some important things that happen in our own compliance. And that’s some good for the industry. But there’s also, you know, it’s fair to say that sometimes auditors talk about innovation, cyber, sometimes they relate to the problem. And sometimes… Good, you said it first. And so to that end, it’s not a…

Joe Patti (38:40) I’ll say it, they’re behind. They’re not up on the latest stuff. It’s that simple. Yeah.

David Warshavski (38:49) battle against auditors. Therefore, depending on region and regionality, the love of auditors may differ. But it is true to say that there needs to be something that bridges our ability to help security teams deprioritize and reclaim expert time. I love this, reclaim expert time. And then when someone comes in, yes, but you have this.

TLS misconfiguration in an internal website that you really shouldn’t worry about. And now that becomes a high.

Adam Roth (39:23) think it’s safe to say, yeah, definitely. I think it’s safe to say there is never downtime for anybody on a security team. If there is, I want to work there because I want to be able to have some free time. let’s be honest, right? There are, there’s always risks. There’s, and even the risks that the auditors bring up, they’re bringing them up, not because they’re the ones that are

David Warshavski (39:23) This is an industry job.

Joe Patti (39:37) You

Adam Roth (39:51) creating that template, probably because they were handed that template that said, go through the list of these risks and see what you can get rid of. And it’s all about priority. Sometimes it’s risk versus reward. And if they tell you, have to, you know, you have to plug up this risk, you have to plug up this risk because if you don’t do it, you’re not going to get the business from that organization. Those third party auditors that we’re talking about, for those who don’t know, a lot of the time,

They’re not about compliance as much as they are about a company doing business with your company. And if you don’t plug that up, they’re going to say, we don’t want to do business with them. And you run the risk of not getting that revenue. So sometimes it’s an unfortunate, you know, stick your tail between your legs or bite your tongue and do what you got to do in order to be compliant. Then there’s other risks that really are

Joe Patti (40:28) Yeah.

Adam Roth (40:47) extremely important that make your vulnerability exposed that can also be highly detrimental to your organization. So yes, sometimes you don’t get the chance to choose and sometimes you do, but you really got to prioritize based on what that risk is to your organization. Sometimes it’s not risk of exposure as it is as risk of revenue. I hate to bring that up.

David Warshavski (41:13) All right, let’s move.

Sharon Isaaci (41:13) No, you’re

absolutely right. You know, in a way compliance is another risk, just another risk that needs to be managed. But it doesn’t have to be mutually exclusive to be secure and to be compliant. In many cases, it can go hand in hand to a large extent. And I think once you are able to explain

David Warshavski (41:36) you

Sharon Isaaci (41:42) the logic behind the reprioritization and maintain a full auditory for the governance and reporting. Ensure that the AI that is leveraged to reprioritize the findings is explainable and is transparent. And then that should meet most auditors’ metrics and parameters.

for meeting audit.

Joe Patti (42:16) Yeah, totally.

Yeah, totally. I don’t mean to pick on auditors, but good auditors see that and do it and say, well, you know what? You mitigated this. You’re in good shape. You’re focusing your resources. Unfortunately, there are some, well, not everyone’s a rocket scientist.

Before we wrap it up, Sharon, David, any final thoughts?

Sharon Isaaci (42:39) I think we’re living in very exciting times. Luckily, the field of vulnerability management, or sometimes we call it vulnerability mismanagement, is undergoing a revolution with agentic AI. And today we’re really able to leverage LLMs and agents to

expedite that end-to-end process of collecting the information, contextualizing it, prioritizing and getting the issues fixed in a much smarter and faster manner. And it’s really taking a well-known old problem that has just been exacerbating for many years and finally being able to solve it.

And when we started out, Joe, we were met with some skepticism because we didn’t have to sweat too much to make the business case for the problem. It’s a problem that everybody feels, but they’ve been so much disappointed by previous attempts at connecting assets with business context or prioritizing the findings.

not by generic scores or accelerating their mediation, that they were, they were skeptical. They were even cynical, some of them. And I think today, today there’s hope. There’s hope. And the more and more of the people we speak with and the companies that we work with are seeing that it’s possible to bridge that gap between business contexts.

Joe Patti (44:16) Sure.

Sharon Isaaci (44:37) and assets and digital assets and leveraging both the business context and that adversarial context to prioritize and treat risk in a much smarter manner. And so I’m very hopeful and excited about the future of agentic exposure management.

Joe Patti (45:01) That’s great because I may have at times been one of those cynical people who say we’re never going to solve this or anything. But the one thing I will point out is you say that there is hope. Something we could do another show on entirely is the whole thing of seeing a lot of tough things, holding out that hope.

and looking for solutions and not giving up, which is really important that we need in this industry and in a lot of other places too. So that is just great to see.

Sharon Isaaci (45:29) Absolutely.

Joe Patti (45:30) OK, David, what’s on your mind as we close out?

David Warshavski (45:34) I was thinking, we talked a lot about how we can, how we are now, we’re seeing this and I agree with Sharon, the future is bright here. Solve some of these pain points and challenges of also thinking about cyber, the industry in general. As we’re building some of these amazing capabilities, I’m looking left and right and saying, what an amazing time to build in this space. What a fairly small team.

Consider the larger companies, the big behemoths of the world. What a fairly small team was able to accomplish in what, 18 months. And we’re seeing this with other startups, friends that built startups in past 18 months, two years. I think it’s a testament not just to what technology can do, but to what small, highly focused teams, highly resourceful teams.

can do as well. And so I’m very much excited and I can’t wait to show you what we’re cooking. It’s really some really fantastic stuff. It’s not every day that you get to innovate in this domain and we innovate on a daily basis.

Adam Roth (46:44) I’m one, I was gonna say, I want to add something here. I’m gonna be like the downer person here. I have to be, but no, no, no way, but wait, but wait, so, so, we do need these tools. These tools are more important than ever as we realize, all politics aside, civilian infrastructure is now considered attack surfaces with, 2017, was it 2017, Estonia?

Joe Patti (46:49) you

Let us end on the hopeful notes.

Adam Roth (47:13) Ukraine and Russia and now Venezuela. It behooves every company to ensure their vulnerabilities are managed, because what has become typically cyber attacks is now morphed into hybrid cyber warfare. So yes, we live in exciting times. Yes, we are, we are in incredible innovation. But I tell anybody on a security team today

Be the solution. Be aware. Use the tools. Keep your eyes open because it’s time to really make sure that your infrastructure is as the hygiene of your infrastructure as best as it can be possible.

Joe Patti (48:00) Sharon,

David, thanks so much for joining. You’re doing really, really interesting work. Adam and I, we haven’t seen it, but hopefully we will at some point. It sounds very exciting. And I know I would love to see, before I check out of this world, some big improvements in vulnerability management personally. So I’m very cool about it.

Adam Roth (48:21) Well,

I’m waiting to meet up with Sharon and David and do a swag swap. You know, get some jerseys, get some cups, we’ll give them stuff of ours. I can’t wait.

Joe Patti (48:29) Yeah.

Sharon Isaaci (48:31) It’s a date. It’s a date. We’ll set it up. Like football teams, yeah?

Joe Patti (48:35) Okay, great. We’ll see you then.

Adam Roth (48:38) Yes.

Joe Patti (48:40) yeah, that’s right. Okay.

All right. Well, thanks again. It’s been great seeing you and great having you on and thanks to everyone for listening.

Sharon Isaaci (48:50) Thanks a lot.

David Warshavski (48:50) Thanks. Pleasure to be here. Thank you.

Joe Patti (48:51) Bye.
