![Vulnerability response: Built for humans, outpaced by machines. [CyberWire-X] — CyberWire Daily cover](https://megaphone.imgix.net/podcasts/d3213db8-6a8a-11f1-899b-87bc58d8b9c4/image/cca6449db500549f3982c5870b5f89a9.png?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
Federico Kirschbaum
You're listening to the Cyberwire Network, powered by N2K.
Dave Buettner
Welcome to Cyberwire X. I'm Dave Buettner. For decades, vulnerability management has operated on a simple assumption. Defenders would have at least some time between discovering a weakness and seeing it exploited. That assumption is rapidly breaking down. Advances in AI are changing the economics and speed of offensive security. Today's frontier models can identify vulnerabilities, connect attack paths and surface exploitable conditions at a pace that challenges traditional security workflows. Processes built around quarterly assessments and human-led validation are being pressured by systems that can operate continuously and at machine speed. So what happens when the bottleneck is no longer finding vulnerabilities, but confirming and fixing them fast enough? Joining me today is Federico Kirschbaum, head of Expo Security Lab. Federico brings more than two decades of experience in cybersecurity and is also the co-founder of Faraday Security and Eco Party, one of Latin America's most influential hacking conferences. We'll discuss autonomous offensive security, the growing gap between machine discovery and human validation, and how organizations are redefining what it means for an application to be truly tested in the age of AI. Stay with us.
Federico Kirschbaum
Just by seeing the news, we can tell that not only the finding of vulnerabilities has changed, but also the exploitation and the time to exploit those vulnerabilities. So, yes, we're living quite special times in how AI is increasing our discovery, the reporting and even the validation in an automated fashion. So we are living special times indeed.
Dave Buettner
Can we touch on AI here? I mean, obviously it helps find the vulnerabilities, but I think people often think about incremental improvements. How significant is this shift compared to previous advances that we've seen in security tooling?
Federico Kirschbaum
Security tooling has been trying to mimic hackers and how vulnerabilities are found, just for the scale. This idea of creating scanners or deterministic tooling that can help us find a vulnerability in a system is what the industry has been trying to pull to increase our breadth and our capabilities. But LLMs and AI, it's not about increasing that tooling. It is about synthesizing the questions and the methodologies that hackers have to find and create this new tooling. So we're not talking about a next-generation scanner; we're talking more about how we can create an AI version of a thing that can find and create the tooling to find vulnerabilities. So we are redesigning how vulnerability discovery is actually performed.
Dave Buettner
You've been at this for a while now. I'm curious, how does this particular moment rank among the major changes that you've witnessed over the time of your career?
Federico Kirschbaum
Yeah, definitely. So I'm currently reading a book called Conquistadors of the Useless, and it's about the story about continuing in the 60s, post-war. And I was reading this part where the first pioneers in this sport, you know, they would go with little insurance and their equipment was quite basic. To be honest, it was pretty dangerous. And at a moment it starts comparing with the modern mountaineering, where you can have nylon ropes, lighter equipment. And I'm having the same thoughts on the exploitation and the bug discovery that we have so far. The first people that were doing this, it was manual work, it was intense, deep knowledge and learning, and now you have this fast-paced, machine speed that can help you understand topics faster than ever. So indeed it's challenging as a practitioner, how this is going to change my everyday work. But at the same time it's quite exciting because this gives us the tools to change things that we have been trying to change for so, so long. So it is a bit nostalgic that this practice is changing, but at the same time it's definitely exciting because we have a lot of ideas on how we can improve this thanks to AI and LLMs.
Dave Buettner
Well, help me understand this new reality. I mean, I think it's fair to say that security teams have never had more findings. But more visibility doesn't necessarily make organizations feel more secure. Is that an accurate assessment?
Federico Kirschbaum
Yes, I think, and this is not new. Teams have been trying to survive on the amount of findings, and this is just pre-LLMs. Pen testing is, at least in my vision, the ultimate way of having prioritization. Currently discovery has become cheaper than ever. Teams from all over can access and have pretty cool findings by using these models. But right now the bottleneck for me is how, from all these findings, are you going to invest time in fixing them? So that's where, in my experience, pentesting comes in handy. It's proving the exploitability and prioritizing what actually matters. This idea that we are trying to discover all this amount of vulnerabilities has been something that the teams have been struggling with for quite a bit. But if we are able to provide these teams with our vision on which of these vulnerabilities are actually useful for an attacker, we are giving them a perfect way to invest their time, which is also limited.
Dave Buettner
What does this do? This increase in volume and speed, how does that affect a security team on a day-to-day basis?
Federico Kirschbaum
Most teams are overwhelmed with vulnerabilities. And there is a threshold where you have to say, I'm not going to fix this, or this is not going to be a priority. It's an unwinnable game. You keep playing because if you don't play, you're going to lose. This influx of vulnerabilities that are in your infrastructure, in your applications, in the technology that makes your company run, it is pretty difficult to solve even by using all the LLMs that are currently available. So it's a matter of making a decision of what we are going to fix in an urgent manner. And in our case, we're providing that help by finding the problems that are actually exploitable in a much faster fashion. So discovery has been like this for a long time. But if we can give more people the ability to exploit their own systems in ways they can understand how their defense is actually working, it's a way to prioritize their fixing.
Dave Buettner
Help me here with the human element of this because obviously everyone talks these days about things running at machine speed, but what I'm hearing you say is that there's an element of, let's call it wisdom or experience that is irreplaceable. Do I have that right?
Federico Kirschbaum
Yeah. Security teams don't need more unverified alerts. I think what they need is proof, like: is this real? Is this reachable? Can it be exploited? These are all questions that can be answered by offensive teams, but most companies don't have one. Or if they do, they get to talk to them a couple of times a year. So providing this evidence, it is for me the strategy to get the signal out from the noise.
Dave Buettner
Can you give us a little peek behind the scenes? I mean, how do you go about prioritizing your findings and deciding what things you're going to pursue?
Federico Kirschbaum
There are many vulnerabilities and there are multiple classes. And with the modern systems, there are ways to mitigate these bugs. So the question is when a bug is a security bug, and when that security bug is actually exploitable. So at the end of the day, it becomes: if I can use this bug for my own benefit as an attacker, if I can prove to you that using this set of problems or a chain of problems, I can actually get access to somewhere that I shouldn't have access to, or see information that I was not supposed to. That for me is the ultimate way of making a prioritization, understanding the impact and blast radius of a vulnerability or a bug.
Dave Buettner
What do you say to people who feel like they are having a lot of anxiety over moving too slowly? They feel as though things have gotten so fast that the level of risk is there and they're afraid of being left behind.
Federico Kirschbaum
These are challenging times for everyone in this industry, and I mean not only the cybersecurity one, but technology in general. Technology, the ground where we're standing, it's moving quite fast, and at least security has been for a long time sort of a gatekeeper of change when things are changing. Normally security had a strong opinion on how we change or should not change part of our workflow. But nowadays everyone is becoming a software engineer. Most company CEOs are finding themselves creating new products from their own machines. And the change is here and it is changing whether we like it or not. So sometimes cybersecurity, it's about keeping up and how we can provide a better guardrail for this enhancement. Personally, I find it extraordinary because yes, it is challenging to keep up. It is difficult to see all these things changing every single day. But at the same time, as a fan of technology, I feel an excitement of all these new endeavors that now we can do with technology. Definitely the future, it is a bit unknown, but I think, me personally, I'm finding this moment quite right.
Dave Buettner
To what degree do you think organizations need to rethink their validation workflows? I think in the past people have thought about things like quarterly assessments or annual penetration tests. Are those cycles no longer adequate?
Federico Kirschbaum
I think a big part of our threat model has been modeled around humans and the limitations of humans: attention span, time that someone would dedicate to a target. And that has changed. Normally we would discuss this, you know, human defenders versus human attackers, and each of them would have its own attack points and defense points. But right now AI is such a force multiplier that even the smallest attackers can have not only the breadth but also the depth of a larger attacker. Humans are creative, they have good instinct, I think they have good taste. But AI, it's relentless. It's going to help attackers to find things that even the attacker is not aware of. So having companies understanding this, in terms of, I think most companies have a security debt, and right now that debt, it's becoming really, really visible for people who want to attack. I think most people didn't think they would need security because of their size or the location. But thanks to LLMs, attackers are becoming more sophisticated and they are deploying a speed in terms of discovery and exploitation that we haven't seen before. So we need to redesign our threat models in terms of what would happen if now attackers are way more sophisticated. So it's no longer the model of human defenders facing machine speed offense. I think we need to think on how defenders also need to think at machine speed to triage, prioritize and ultimately fix the problems.
Dave Buettner
So there's been a lot of discussion about autonomous offensive security. To you, what does that mean? How do you define that and what part can it play in an organization?
Federico Kirschbaum
Sure. So I think for a long, long time the skill was a scarcity. Right. How a company can hire hackers to help them with their vision and knowledge and ultimately their tradecraft into finding these problems. And I think now when we talk about autonomous AI security, we are talking about that specific judgment and reasoning of a hacker, but synthesized through an LLM. So can we use this to help our teams that might not have the specialty to see that through the eyes of a hacker? And when we talk about autonomous, it is no longer this idea that we have a human in the middle using tools, but having this reasoning machine finding the problems for us, or even building the tooling to find the problems for us. So what we are seeing, at least at Expo, is this capability of helping companies that might already have some pen testing program on, but on a calendar that is maybe once a month or even once every six months, but the company is going way faster. So if we can provide this tooling and this set of glasses to help these companies find and exploit their vulnerabilities at a faster pace, I think we're ultimately allowing them to be able to see more problems, but at the same time fix the problems that are really important for them. So, yeah, right now it's not the lack of hackers, it's how we can provide this tooling to more people and help them fix faster.
Dave Buettner
What sort of elements do you see in organizations that are finding success here? Are there things that they have in common, the ones who are doing well?
Federico Kirschbaum
The companies that are doing well on this, or who are using this technology to improve, are first companies who think about defense in depth, which is no longer about just one bug; it's about how you contain a class of vulnerabilities. And that is a lot of decisions in your architecture, in your infrastructure, and how you decided to build the application. So if we have companies that are as mature as many of the companies that we have the pleasure to work with, they are companies that have already a pen test program in place. But there are many applications in many sectors of their companies who didn't have the privilege of getting a pen test, maybe because of scoping reasons, or maybe they couldn't pay as much attention to everything because, you know, the time of pentest companies is quite limited. But now with the full scale of agents that's no longer a problem. So companies can allocate time for more internal systems or even staging areas. And to be honest, those are the companies that I found are becoming more successful, which is not just testing the same, but allowing themselves to test more attack surface, but with the expertise of the product that we are building that provides verification as an output.
Dave Buettner
What is your advice to the people out there who feel as though they want to do a better job with their validation and their testing? Maybe they're not quite sure where to start. Maybe they're a little intimidated by all the changes that we're seeing these days. Any words of wisdom?
Federico Kirschbaum
There are many ways where we can improve, depending on the size of the team and the expertise of the team. But first I would suggest everyone to have some sort of vulnerability management program. Findings are becoming sort of a laundry list or a technical debt. So we need to understand what vulnerabilities we currently own, what's the pace of ingestion of these vulnerabilities, but also the remediation rate. And once we have this idea, we need to understand where these vulnerabilities live. Normally companies get a bit lost on where their assets are living, who maintains those systems. So that's kind of what I call security hygiene moments, right, where companies need to have the basics a little bit on a program. And thanks to LLMs I think that it's becoming easier if you're a system admin or you're a pen tester in a company, even a red teamer. Everyone in my area of colleagues is using LLMs in one way or the other. Most of them are just trying to get the basics done, the reporting, the tracking. It doesn't need to involve what we do at Expo, which is the most offensive part of detection and exploitation. Most of the things that teams are drowning in are everyday tasks, not just sophisticated exploitation. So my tip to everyone is: what is taking your time from the day, and how can you improve this cycle from identification, classification and ultimately fix? And I think agents for that are the perfect answer. So if you can get those basics done, you can have a more healthy security program. The challenge is, if you are not doing the basics of having this program on point, you will start getting new and new alerts and you will get the fatigue and you eventually will lose track. So if you have that program set, I think the next step is getting the proof on your program.
Dave Buettner
Do you suppose we're headed towards a time when organizations will have continuous autonomous pen testing? That it'll just happen automatically in the background?
Federico Kirschbaum
Totally. I think we are getting quite close to having that. As someone who has spent a fair amount of his professional time finding, exploiting and reporting vulnerabilities to companies, having the continuous in the picture, I find it super interesting, because in the past we got maybe once or twice, or maybe in the most mature company three times a year, the moment in time to go and find those problems and report them. But I think now our companies are close to having that as part of their cycle, such as when we started including application security testing in the development. I think pen testing is going to be part of that pipeline and we're going to be able to find problems faster than attackers.
Dave Buettner
Our thanks to Federico Kirschbaum, head of Expo Security Lab, for joining us. As AI accelerates offensive security capabilities, organizations are being forced to rethink long-standing assumptions about testing cycles, risk prioritization and what constitutes adequate security coverage. The pace of change is raising new questions about how defenders allocate resources and how security programs evolve to operate in a world where discovery happens continuously. My thanks to Federico for joining us and sharing his perspective. I'm Dave Buettner. Thanks for listening to Cyberwire X. We'll see you back here next time.
Episode Date: June 21, 2026
Host: Dave Buettner
Guest: Federico Kirschbaum, Head of Expo Security Lab, Co-founder Faraday Security & Eco Party
This CyberWire-X episode explores how advances in AI are upending traditional vulnerability management. What once relied on the lag between vulnerability discovery and exploitation is now a high-speed challenge: AI can surface vulnerabilities and attack paths faster than humans can validate and fix them. Cybersecurity leader Federico Kirschbaum discusses the profound implications—how organizations must rethink prioritization, validation, and the very definition of a "fully tested" application in a world where attackers and defenders operate at machine speed.
AI is transforming not only vulnerability discovery, but also exploitation and validation.
“We're living quite special times in how AI... is increasing our discovery, the reporting and even the validation in an automated fashion.”
— Federico Kirschbaum [01:54]
Shift from incremental improvements to foundational change:
AI isn’t just scaling up old security tools—it’s enabling new, autonomous methods of identifying vulnerabilities, changing the game for defenders and attackers alike.
Security tooling evolution:
“LLMs and AI, it's not about increasing that tooling. It is about synthesizing the questions and methodologies that hackers have... So we are redesigning how vulnerability discovery is actually performed.”
— Federico Kirschbaum [02:37]
A mountaineering analogy:
Comparing early, risky manual work in mountaineering (and security) to the new safety and speed of AI-powered approaches; a transition that's both nostalgic and energizing for practitioners.
“It is a bit nostalgic that this practice is changing, but at the same time it's definitely exciting because we have a lot of ideas on how we can improve this thanks to AI and LLMs.”
— Federico Kirschbaum [04:34]
“The bottleneck for me is... how, from all these findings, are you going to invest time in fixing them?... Pentesting comes handy. It's proving the exploitability and prioritizing what actually matters.”
— Federico Kirschbaum [05:54]
“Security teams don't need more unverified alerts. I think what they need is proof... is this real, is this reachable, can be exploited? These are all questions that can be provided by offensive teams, but most companies don't have one.”
— Federico Kirschbaum [09:05]
Ubiquity of tech change:
“Technology, the ground where we're standing, it's moving quite fast... But nowadays everyone is becoming a software engineer... the change is here and it is changing whether we like it or not.”
— Federico Kirschbaum [11:05]
Despite uncertainty, there’s optimism in harnessing new tools:
“Personally, I find it extraordinary because... as a fan of technology, I feel an excitement of all these new endeavors that now we can do...”
— Federico Kirschbaum [12:32]
“Humans are creative... But AI, it's relentless. It's going to help attackers to find things that even the attacker is not aware of. So... most companies have a security debt, and right now that debt, it's becoming really, really visible...”
— Federico Kirschbaum [13:12]
AI-based judgment and reasoning:
“When we talk about autonomous AI security, we are talking about the specific judgment and reasoning of a hacker, but synthesized through an LLM... So what we are seeing... is this capability of helping companies... at a pace that matches their development cycles.”
— Federico Kirschbaum [15:36]
It's not about hacker scarcity anymore—it’s about democratizing tooling and speed:
“Right now it's not the lack of hackers, it's how we can provide this tooling to more people and help them fix faster.”
— Federico Kirschbaum [17:34]
“It's not just testing the same, but allowing themselves to test more attack surface... with the expertise that provides verification as an output.”
— Federico Kirschbaum [18:52]
Start with the basics—then iterate:
“My tip to everyone is what is getting your time from the day and how can you improve this cycle from identification, classification and ultimately fix. And I think agents for that are the perfect answer.”
— Federico Kirschbaum [21:35]
Avoid alert fatigue:
Without basic hygiene, the flood of new alerts will overwhelm teams.
“Totally. I think we are getting quite close to having that... Pen testing is going to be part of that pipeline and we're going to be able to find problems faster than attackers.”
— Federico Kirschbaum [22:38]
On the new era's speed:
“The change is here and it is changing whether we like it or not.”
— Federico Kirschbaum [11:22]
On AI’s relentless advantage:
“AI, it's relentless. It's going to help attackers to find things that even the attacker is not aware of.”
— Federico Kirschbaum [13:25]
On the future of pen testing:
“Pen testing... is going to be part of that pipeline and we're going to be able to find problems faster than attackers.”
— Federico Kirschbaum [22:49]
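The episode's practical advice (know what vulnerabilities you own, measure ingestion against remediation, know who owns each asset, then let proof of exploitability rather than raw severity drive the fix order) can be made concrete with a small backlog model. The code below is an added example written for these notes; it is not code from the episode or from any product or company mentioned in it. The `Finding` schema, the metric names and the seven sample findings are constructed assumptions for illustration.

```python
"""Added example (not from the episode): backlog metrics and proof-based triage.

Field names, thresholds and the sample findings are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    id: str
    asset: str
    owner: Optional[str]        # None: nobody is on record as maintaining the asset
    cvss: float                 # scanner-assigned severity, not yet validated
    discovered: date
    fixed: Optional[date]       # None while still open
    reachable: Optional[bool]   # None: nobody has checked yet
    exploit_proven: bool        # an offensive test actually reached the impact


# Constructed sample backlog; the dates, assets and scores are made up.
TODAY = date(2026, 6, 21)
FINDINGS = [
    Finding("F-1", "billing-api", "payments", 9.8, date(2026, 5, 2), date(2026, 5, 10), True, True),
    Finding("F-2", "billing-api", "payments", 7.5, date(2026, 5, 20), None, True, True),
    Finding("F-3", "intranet-wiki", "it-ops", 9.1, date(2026, 5, 25), None, False, False),
    Finding("F-4", "staging-web", None, 8.2, date(2026, 6, 1), None, None, False),
    Finding("F-5", "marketing-site", "web", 5.3, date(2026, 6, 3), date(2026, 6, 15), True, False),
    Finding("F-6", "billing-api", "payments", 6.5, date(2026, 6, 10), None, True, True),
    Finding("F-7", "vpn-gw", "it-ops", 9.0, date(2026, 6, 18), None, None, False),
]


def window_metrics(findings, start: date, end: date) -> dict:
    """Ingestion rate, remediation rate, open backlog and mean time-to-remediate
    for the inclusive window [start, end]. Rates are per week so that an
    ingestion rate above the fix rate reads directly as 'backlog is growing'."""
    ingested = [f for f in findings if start <= f.discovered <= end]
    remediated = [f for f in findings if f.fixed is not None and start <= f.fixed <= end]
    open_now = [f for f in findings if f.discovered <= end and (f.fixed is None or f.fixed > end)]
    days = (end - start).days + 1
    ttr = [(f.fixed - f.discovered).days for f in remediated]
    return {
        "ingested": len(ingested),
        "remediated": len(remediated),
        "open": len(open_now),
        "ingest_per_week": round(len(ingested) * 7 / days, 2),
        "fix_per_week": round(len(remediated) * 7 / days, 2),
        "mttr_days": (sum(ttr) / len(ttr)) if ttr else None,
        # Open findings with no owner cannot be routed to anyone for a fix.
        "unowned_open": sum(1 for f in open_now if f.owner is None),
    }


def triage_rank(f: Finding):
    """Sort key. Tier 0: exploit proven. Tier 1: reachable but not yet exploited.
    Tier 2: reachability unknown (needs validation). Tier 3: confirmed unreachable.
    Within a tier, higher CVSS first, then older findings first."""
    if f.exploit_proven:
        tier = 0
    elif f.reachable is True:
        tier = 1
    elif f.reachable is None:
        tier = 2
    else:
        tier = 3
    return (tier, -f.cvss, f.discovered)


def triage(findings) -> list:
    """Open finding IDs in the order a team should spend fix time on them."""
    return [f.id for f in sorted((f for f in findings if f.fixed is None), key=triage_rank)]


def cvss_only(findings) -> list:
    """The naive order (severity alone) for comparison: unverified alerts float to the top."""
    return [f.id for f in sorted((f for f in findings if f.fixed is None), key=lambda f: -f.cvss)]


def validation_queue(findings) -> list:
    """Open findings nobody has checked for reachability: the work an offensive
    team or agent should take on next, so that triage is not guessing."""
    return [f.id for f in findings if f.fixed is None and f.reachable is None]


def sample_metrics() -> dict:
    """Metrics for the constructed backlog over 1 May - 21 Jun 2026."""
    return window_metrics(FINDINGS, date(2026, 5, 1), TODAY)


if __name__ == "__main__":
    print(sample_metrics())
    print("severity-only order:", cvss_only(FINDINGS))
    print("proof-based order:  ", triage(FINDINGS))
    print("needs validation:   ", validation_queue(FINDINGS))
```

On the constructed data the severity-only order puts F-3 (CVSS 9.1, confirmed unreachable) first and the two proven exploits against billing-api last; the proof-based order inverts that, and the validation queue (F-4, F-7) names the findings whose place in the order is still a guess. The metrics show ingestion running at roughly three times the fix rate over the window, which is the "unwinnable game" the guest describes, and one open finding with no owner, which no prioritization scheme can route to a fixer.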