Transcript
Hi, Mike Matchett with Small World Big Data, and I am here today talking about cybersecurity and AI. This is a pretty hot topic for most people. We're hearing about AI being used for good, being used for evil. How do you get ahead of that? How do you make sure your enterprise, your company, your organization is coming up on the right side of using AI to protect themselves against everything that's accelerating against them? We've got Synack here today. Just hold on a second. We're going to dive right into something that you're going to find pretty interesting. Hey, welcome, Mark. Welcome to our show.

Hi, Mike. Thanks for having me.

So yeah, the topic today is obviously cybersecurity and what you guys do, which falls in that bucket of pentesting. But before we even get to that, how did you get into the cybersecurity realm? What's sort of your background? What drew you to this facet of it?

Well, I started out as a computer science major in college and realized I really wasn't the best programmer. And I started taking some security courses to learn about forensics and hacking and exploit development. And then before I knew it, I picked up an internship with the National Security Agency and ended up starting my career there on the offensive side of things. And that kind of got things going in this direction. I've been doing this for my whole career now.

I know better than to ask you about what the NSA is doing offensively in cybersecurity, just from my background as well. So we're not going to go there, folks. You have to do your own research on that. But what you can do today is what we're going to talk about. So tell us a little bit about Synack, just from a high level. You guys do pentesting, you do some other cybersecurity stuff. How should we think of the corporation, Synack?

Sure, a quick overview. Synack is about 13 years old. I started it with my co-founder, Jay, out of the NSA, and when we were there at the NSA, we realized that, you know, commercial companies have to defend themselves against these nation-state adversaries that have an immense amount of resources. And we said, well, is there a different way to do this from the point-in-time consulting models that we're seeing in security testing or pen testing? And so we came up with an alternative model that involves recruiting hackers from all over the world, bringing them onto this centralized platform and employing them as 1099 freelancers to find vulnerabilities for a bounty payment. So we built a very large private bounty testing company. And this has morphed over time into various levels of penetration testing, from one researcher to hundreds deployed. It has really set the stage for us being a leader in the artificial intelligence game of agentic testing as well.

All right. So we're definitely diving into AI here. Just one more question about pen testing. Maybe describe a little bit about what pen testing looks like, what it is, for people who are maybe a little confused by some of the terminology we're using?

Sure. Pen testing is like hiring a burglar to break into your house and then having them tell you how they got in. So, you know, these are authorized services where people are using attacker techniques and tools to find ways into your enterprise or get at your private data or break into your servers, whatever it may be, whatever the scenario could be or the target. It's really taking that into your own hands and bringing an expert firm in to provide that in a safe way.

All right, so white hat penetration testing: hiring some people who can try to hack you, from a good perspective, and then tell you what they found rather than waiting until the bad guys break in. Got it. Okay.

So, AI. Everyone, I think, who's probably watching this has seen what's going on in AI today. We know the bad guys are using AI. We know there's Mythos out there that's being controlled on things. AI comes along. How have you guys been preparing for this onslaught of AI?

Well, it's really interesting. When you start to work, like we do, with lots of large enterprises, you notice that they have an immense complexity inside their businesses. They have a lot of legacy architecture, a lot of older applications combined with newer ones. The attack surface is very vast, and they usually employ people in so many different countries. It just creates a complex set of circumstances to perform solid security. And, you know, you start to look at scaling human testing across that kind of attack surface and you quickly realize that resource constraints are still a problem. You know, with a typical consulting firm, if you were to ask them to perform a pen test, it would take 3 to 4 months to align resources and have someone assigned. In a model where it's more of a freelance, scalable model, it doesn't take nearly that long. It takes, you know, maybe a couple of days. But the pace of the adversary is getting much faster with the invention of these very capable frontier LLM models, you know, from the big model providers like OpenAI or Anthropic, or Gemini from Google. This has all been, you know, kind of culminating in better models that perform reasoning, better models that understand workflows and that can take in skills and be trained on specific human workflows. And one of those that has been developed out in the last couple of years has been penetration testing as a workflow. And these agents, with the right tooling, with the right understanding of what's important to the end customer in the penetration test, can be quite effective as both a copilot to an expert human, but also as a standalone improvement over just automated scanning, which is just using software for finding vulnerabilities. So we've been preparing to really, you know, embrace this change and have very capable agentic AI agents that operate alongside our research team that can accelerate the time to discover critical vulnerabilities.

So you're using AI as well, and you're trying to power that up. So you've got kind of a race between the bad guys and the good guys here.

Absolutely.

Super powering themselves with AI. But in any event, I'm just going to say this: any individual enterprise or corporation out there who thinks they can keep up with a world full of bad guys is probably fooling themselves. Right? It's very hard.

Yeah, it's an asymmetric threat, right? It's really difficult for internal teams to keep up with that kind of pressure from the outside world, especially if they're protecting very valuable data. It's incredible to see the kind of creativity that goes into some of these hacks as well. And I'll just say, like, that's still the differentiator for human testing. You know, humans are much more creative than the AI agents will ever be. They understand context a lot better as well. And so, you know, we really believe that the combination of agentic pen test solutions and human testers that are of a very, very high caliber can be a great combination to mitigate the threat.

All right, so you guys are firmly going down this path of providing this counter-hacking service that's both AI powered and still using your awesome crowdsourced kind of concept there for getting this out there and bringing that together for people. What does that look like in practice? What are the actual pieces that someone can obtain and plug into their enterprise?

So the first thing is people need to evaluate whether moving to a continuous testing model is right for them. Right now a lot of people are doing point-in-time testing. And it's our feeling that this is not sufficient for the amount of attack surface change or the risk profile that we're seeing from adversaries. Threat actors are very determined. And being able to continually assess your attack surface is going to be increasingly important to protect yourself. And so we've introduced a system we call Sara, autonomous red agent AI pen testing, to complement our human testers and bring to bear this agentic testing model for large enterprises in a safe way. And the idea is that you have a continuous model where the agent is looking at all the changes across your attack surface. It's trying to exploit those vulnerabilities and giving you a very clean signal on what it was successful about, but also, importantly, layering in the human testing team so that they can go further, go deeper and use their minds to be more creative. And in the comparison studies between agents and humans, we're seeing this in the real world. We're seeing that agents are very good at finding a lot of vulnerabilities that don't require a lot of creativity. And it's winning on volume. However, the human operators are still finding the most severe vulnerabilities, and the ones that require complex setups.

Right? So there's a time element involved in this as well: we don't have 30 days necessarily to look for something. We have to be faster about it. There's this volume element where, once we start using AI, or any sort of scanning tool, that's producing huge volumes of things, we need help going through those and prioritizing them. And then there's a cost element to fixing those things as well. So it gets a little bit deeper on this. But you're looking at, you know, how you can apply AI to all those phases, I understand.

Yeah, absolutely. I mean, this is not a problem we're going to solve just with more staffing. We have to take a technology-forward approach. And the reality is that, you know, new vulnerabilities will be discovered faster than ever. And if you read the research on Mythos from Anthropic, it's very effective at writing exploits for vulnerabilities. And we have to assume that adversaries will get their hands on those types of capabilities. And so if we think about forecasting the amount of vulnerabilities in a year, just things that had CVEs labeled on them, it went from, you know, 40,000 in 2025, projected to be 100,000 this year. Let's say it goes to 500,000 in the next couple of years. That's a lot more to patch than we've ever done before, and we're not going to solve that with hiring more people. So we have to layer in agentic solutions that can find the issues quickly, narrow down which ones are actually exploitable, and then prioritize for our defenders and our engineering teams the fixes that make the most sense, or the mitigations if we can't fix it. And that cycle, that loop, has to be done not in 30 days or weeks. It needs to be done in hours. And that's the change that's happening right now across businesses.

Right. And so people that are watching this think, hey, I just solved this problem last year. I got compliant because we hired someone once a year to do a pen test. That's now going, oh, wait, we are way out of line. We need to be doing this continuously. I'm going to use the word continuous to monitor. Compliance testing companies, they're going to move to continuous compliance. So everything's going to move to continuous compliance, continuous assessment, continuous patching and mitigation. So this whole cycle is going to rapidly increase.

And we tried to do this the last decade with all the talk around DevSecOps, where developers were going to push code faster, and then security was going to detect issues faster and update. We never really got to realize that dream. And I think with the addition of these agents on the pen testing side and agents on the software development side, we can finally realize that goal of accelerating not only developers pushing code out, but security engineers finding issues faster and patching them.

This is awesome. We haven't even scratched the surface of your AI itself, like, what are we doing with the details? Maybe not important because it's going to change by next week, you know, where the CVEs are and how you're sharing information and your partner ecosystem and all sorts of things. But what's really fascinating, I think, just to take away from this, is you are on top of creating sort of the best kind of hybrid solution between AI and human creativity for good, for the good side of things, right? So we're keeping up with that. So Mark, if someone wants to find out more information, or in particular dive deeper, go to the next step on research with Synack, where would you point them? What would you recommend they start with?

Yeah, I would add, we've been doing this for over a decade. We have a lot of experience in human pen testing, and we're bringing all that knowledge to bear into our agentic pen testing solutions, which we call Sara AI Pen Test. To learn more, just go to www dot dot com and we'll show you a full demo. And we'll also give you a free trial.

All right. That's the AI pen test you should be asking for to get on top of your future here and be cyber secure. Thank you, Mark, for being here today. Please come back and show us what you've got coming up next.

Thanks so much for having me, Mike.

All right. Take care, folks, and check it out. Bye.