Dave Bittner (12:32)

And now a word from our sponsor, arcova. Formerly Morgan Franklin Cyber, arcova is a global cybersecurity and AI consulting firm built by practitioners who've been in the seat. They work directly with enterprise teams to solve complex security challenges, building secure by design programs that hold up as technology and threats evolve. From focused engagements to long term partnership, arcova delivers outcomes that endure because no one should navigate complexity alone. Learn why leading Global Enterprises Trust Arcova at www.arcova. that's a R C O V A dot com.

Podcast Host / Announcer (13:24)

No, it's not your imagination. Risk and regulation really are ramping up and these days customers expect proof of security before they'll even do business. That's where Vanta comes in. VANTA automates your compliance process and brings compliance, risk and customer trust together on one AI powered platform. So whether you're getting ready for a SoC2 or managing an enterprise governance risk and compliance program, VANTA helps keep you secure and keeps your deals moving. Companies like Ramp and RYTR spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth. For me it comes down to this. Over 10,000 companies, from startups to large enterprises, trust VANTA to help prove their security. Get started@vanta.com cyber. Ted Shorter is CTO and co founder of Key Factor. I recently got together with him to discuss the advent of quantum computing at scale known as Q Day.

Ted Shorter (14:41)

There's been a ton of research. It's a term I probably heard first maybe 30 years ago when I was working for the government. But it's been this sort of nebulous, you know, may happen, may not sort of thing for, you know, research project for a very long time. But a lot has been happening that's made it much more real of late. And I think, you know, first off, there are multiple organizations building quantum computers of various strengths and continue to improve them. And I think, you know, a number of things are on the cusp of happening. One is I think we are getting to a point where sometime, likely within the next year or two, we're, we're going to reach a point where quantum computers are able to perform computations that conventional computers are simply unable to do in any reasonable amount of time.

Podcast Host / Announcer (15:29)

I've seen some stories about moving some schedules up when it came for organizations being quantum ready when it comes to their cryptography. Do you suppose that's a Quiet signal that maybe things are happening on an accelerated schedule, Perhaps.

Ted Shorter (15:47)

I think it's a louder signal, maybe in some cases. I think just to go beyond the quantum computing part, the while quantum computers can have a lot of promise of doing lots of computations and tremendous benefits to society that we've not been able to achieve yet, they also potentially have this potential threat of being able to break two of the most commonly used cryptographic algorithms that are used in the world today, that being RSA and acc. Those literally underpin pretty much every digital interaction that we have today. So anytime the lock icon shows up in your browser, anytime you receive a software firmware update, every identity that's on a blockchain, Bitcoin, Ethereum, so forth, all those identities are ecc. If something was able to break RSA or ECC today, that would be absolutely catastrophic. So the deadline you're referring to really is the notion that the US Government, and actually governments around the world have come up with new algorithms that can replace RSA and ECC and actually use different mathematics that are widely believed to be immune to the powers of quantum computing. And this deadline is about getting a transition from away from everything that uses those algorithms today to using the new algorithms. And that, of course, is a massive, massive change.

Podcast Host / Announcer (17:16)

Do you think that breakthroughs in quantum computing will be shared publicly, or is this the sort of thing that nation states might keep secure?

Ted Shorter (17:26)

Some have shared publicly. There's certainly been announcements in the private sector from many places. The us, IBM is, Google, Microsoft. There's been announcements even from China. That said, I think there's this idea of Q Day, the point where a quantum computer is able to break RSA or ecclesiastical. When that happens, it's likely going to be internal to some nation state and it probably will not be announced.

Podcast Host / Announcer (17:58)

Perhaps a strained analogy, but you think about something like nuclear weapons with nuclear proliferation, right? Will quantum capabilities. Will we have a world of haves and have nots?

Ted Shorter (18:10)

Well, if we switch away from RSA and ecc, then the haves should only be beneficial. The quantum computing, I guess, just to level set a little more. Quantum computers, don't think of them as a really, really fast conventional computer. They're actually very good at certain types of calculations, but they're actually not very good at all at all types of calculations. So that's why it's possible to create new algorithms with new mathematics that is not susceptible to quantum computing. Unfortunately, RSA needs ecr, and that's where the issue is.

Podcast Host / Announcer (18:46)

So what are your recommendations for organizations to prepare for this.

Ted Shorter (18:51)

Well, I think, you know, there's a number of things you can do. Making a change like this is massive. Literally everything that communicates on a network or accepts a firmware update or software update is going to need to get updated. A lot of that is going to happen for you by your vendors. But it's very important to, I guess there's a number of steps. One is, first of all, figure out, if you don't know already, what the keys to your kingdom are and the things that you most vitally want to protect. That's a really good place to start. You want to make sure that you get an inventory of the cryptography and algorithms and so forth that are being used in those environments. That is not always easy to do. Sometimes there's not a lot of things that will come out and tell you that there are tools that can go a long way in helping you get that, get that inventory. And then it comes down to talking to your vendors. Because really, all the software that you use that communicates on the network is going to have to get updated. And so that means you're going to need to get updates from Microsoft and Google and Apple and any other vendor of any software, firmware, hardware, so forth in your environment. Your quantum roadmap as an organization effectively is subject to theirs. So you need to be talking to your vendors, understand what their plans are, when they plan to transition, and then plan accordingly so that you can start moving, build out automation so that you can move as quickly as you can once you're able to. I guess that's the challenge is right now there aren't really a lot of operating systems or software out there that is ready for quantum. That's going to start changing as we get through 2026. But that's the game we're in. You can move the timelines up. And this is, I think, what scares me the most. You mentioned Google moving the timeline up. It's such a massive transition. I'm not sure even if everyone started today and went as fast as they can, that you'll be able to move everything. So it's just a massive, massive amount of work that needs to happen here.

Podcast Host / Announcer (20:45)

I hear people say that it's a possibility that we could have a Sputnik moment where suddenly it's revealed that our adversaries or perhaps one of our allies have these capabilities and things are kind of different from that point on.

Ted Shorter (21:00)

If that happens. Yeah, I mean, that would be. That's why everyone, they're talking about wanting to move. Right. I think we want try to avoid that as much as possible.

Podcast Host / Announcer (21:12)

How do you go about coming at this in a rational way without falling into kind of a Chicken Little mode? Because it feels so. It's been in the future for so long. And so I think it's hard for folks to wrap their head around any kind of realistic timeline for this.

Ted Shorter (21:34)

Yeah, yeah. I think some of it goes back to what I mentioned earlier. I mean, I think the first step is focus on the things that are most important to you. There are other things you could be doing today. For example, I guess maybe I can give some good news. There's this talk about capturing now, decrypt later.

Elad Coren (21:50)

Right.

Ted Shorter (21:50)

Which is definitely a risk.

Elad Coren (21:51)

Right.

Ted Shorter (21:52)

The idea that adversaries could be capturing today's Internet traffic, for example, that's being encrypted with RSA or UCC and just store it even though they can't decrypt it. And then once the quantum computer is available, to be able to then decrypt it and sift through to find relevant pieces of information and so forth, there are some good things that are happening. So the standards have been out for a little while and there is some support. So there was a Cloudflare announcement that came out at the end of last year. That's I think it was something like 43%, something in the 40s% of Internet traffic was actually already quantum resistant. And that's because browser vendors like Google and network infrastructure vendors like Cloudflare did create implementations of those new algorithms. And so for a lot of folks, you may not know it, but your Google browser can negotiate to use MLChem, which is one of the quantum resistant encryption algorithms for the transport layer to encrypt data back and forth between your browser and websites that you visit. If the websites on the other end also support MLChem, you're actually good. And that's where that 43% comes from. So there is actually some progress in this. I guess that's maybe the good news. The bad news is there's a whole lot left to do. And getting that 43% up to 100% is going to be a lot of work. And that's just Internet traffic. When you go internal to organizations, it probably gets a lot more scary.

Podcast Host / Announcer (23:21)

That's Ted Shorter, CTO and co founder of Key Factor. On today's segment from the Threat Vector podcast, David Moulton speaks with returning guest Elad coren. They're discussing AgentIQ First Security and what it actually looks like in practice.

Dave Bittner (23:46)

Foreign

David Moulton (23:49)

I'm David Moulton, host of the Threat Vector podcast. What you're about to hear is from my latest conversation about the future of security. Something strange is happening inside of security operations centers right now. The analysts sitting at the consoles aren't losing to attackers because they're outgunned. They're losing because they're outnumbered by machines. In my latest episode, Elad created, Peratt, vice president of product management for Cortex Cloud, told me something that stopped me cold. Adversaries can already spin up an attack infrastructure from a single prompt. Your team is still triaging alerts by hand. That's not a future problem. That's now. Elad, welcome back to Threat Vector. Good to have you here again.

Elad Coren (24:43)

Hey, David, thank you. Great to be here again.

David Moulton (24:47)

Talk to me a little about what's changed since we last spoke. You know, last time we were digging into why reactive security was breaking down. What shifted in how you're thinking about the problem?

Elad Coren (24:58)

I think the biggest thing that changed is that there's an acceptance of this gap. It's no longer a question. Right. I think everyone knows that manual triage is basically dead. I think what stayed in the game is more of the fact that leaders, they understand that it's no longer a staffing shortage. I think the industry has widely adopted the concept that it's more about the signal processing shortage and hiring more will not solve the problem. I think that is the fundamental change from that point. And that means that we're seeing more receptiveness and more wide understanding that to fight AI and to fight machines, you need the proper machines on your side as well. I think that is the biggest thing.

David Moulton (25:51)

Well, let's dig into that a little bit. I keep hearing this phrase, the agentic first analyst experience really rolls off of my tongue. That's the kind of term that I think could mean anything or nothing, depending on who's using it. And, and maybe you can help me understand what does that actually mean in the context of what you're building here. And, and what does it, you know, why does that matter for the experience, for those defenders that are out there looking to grow their capacity?

Elad Coren (26:26)

Great, great question. I think, I think a good way to think about it is probably a good analogy would be cars for a second, right. When we think of agentic first environments or agentic first systems platforms, you should think a self driving car type of thing, right? It's not just that bolted AI or integrated AI on top of something that is more of a lane assist or cruise control. That is something, you know, adaptive cruise control. You measure the speed from your car in front of you and you can, you can adjust the speed accordingly or lane assist as well. But if you think about self driving cars, that means that somebody thought of the entire process. You need to navigate, you need to plan, you need to have like the traffic analysis. This is the Gentec first experience. You're thinking on the agents as part of the architecture. You're not building this on top of that. This is where we flipped the order of things. Instead of taking existing systems and just applying AI on those systems, we thought AI first and being agentic first be it saw cloud exposure management, what have you. You're thinking of how you can automate things with AI agents and help them do things in a more efficient way to increase the virtual size of any customer's team, any company's team that's using that. And I think that is the fundamental change and difference between just AI bolted on or integrated with agentic first experience.

David Moulton (28:16)

So help me understand something I'm imagining. I'm a SOC analyst. I'm sitting in front of my console today. Normally I'd be handling triage or correlation or even initial response, but now that's something that I've said yes or maybe I don't. Maybe there's some of those things where what you're imagining is I've seen you do this, would you like me to take care of it? And there's some autonomy with the human, but imagining that you've offloaded some of that work, maybe all of it, what's left for the person to do? And what is that job? Is it better? Is it, is it just very different? I'm trying to paint that picture.

Elad Coren (29:02)

Yeah, I think it's a great, great discussion because I think many people out there are thinking oh so you know, what will we do if AI agent, will they replace us? Are they complimenting us? I think what people tend to forget is that and I think anyone encounter that if not encountering that as we speak. We never get to the more complicated higher level tasks that we want to do, right? Those that require deep thinking because we are caught in the day to day answering hundreds of emails or doing all the regular things. Think about security analysts analyzing so many data, data points and trying to connect the dots and trying to make sense of certain things. Tri Ash what if all the AI agents could do all these basic things for all of these analysts and they would actually turn a Tier 1 analyst to a Tier 2, Tier 3 analyst just by being there for them and allowing them to identify the patterns that they are Required to identify what if the tier 3 analysts could orchestrate all of those and to say, hey, what about those new MOs or what about this potential new threat that I have? I think this is where specifically in security, but also generally in software. We're enabling with the AI agents or the AgentIC era AgentIC first platforms. We're enabling humans to do more not just by using the agents. That's, that's given and they'll do more things. It's allowing them that, that, that mind share or that attention span that many, many times is not something we can achieve. To do the more complex things, to invest and investigate those things that require the human mind because, well, let's face it, we are still very much needed in the process. I think now we can utilize our brains to the right task. That's, that's how I view this.

David Moulton (31:14)

So a lot you talk to analysts, maybe not their managers, but the analyst themselves. And I'm curious, what's, what's their emotional response to this picture you're painting? You know, is it, is it relief? Is it maybe some skepticism? I've noticed that in our industry. Is it fear?

Elad Coren (31:34)

I think you see a mix of all of those and heavily relies on or dependent on their state of mind, where they are in their career, where they are in the way they see how AI complements what they do. I think in general, the more common reaction that I see is curiosity. It's the understanding that something's going to change. Some of them adopt change really fast, some of them don't. I think ultimately what we are seeing with analysts is that they need to trust the system. They need to become more familiar with the new ways of operating. There's an interesting thing that happened this one time. We were interacting with a customer and one of their lead analysts said, well, I need all of these things to be, you know, to be done in, in your system. And all of the things that they listed are things that they've done with the old system that was a legacy system, right. That they did things manually, they built rules and they said, well, where can we do all of these things in your, in your platform? And, and I was looking at them and smiling and, and saying, you don't, you don't have to. You understand it's, it's already done for you. Yeah, you can review all of these things here. So some of them are looking at those things and the smart policies created the behavioral indicators of compromise that are available in the system and they're looking at that and they understand that all the things that they've done in the past, building this in a very specific way, you need to maintain those. And now they're going into a system that many of the things they did in the past is doing that for them. So I could see that inflection point of realizing, hey, I can become more efficient now, I can do more. And once you turn around someone that is very fixed on how they used to do things, that's the biggest win. So I see a lot of that and I'm excited about that. Foreign.

David Moulton (34:04)

This episode is live in your Threat Vector feed. It's called Attackers have Agents. Do you? Thanks for listening. Stay secure. Goodbye for now.

Podcast Host / Announcer (34:46)

Be sure to check out the complete Threat Vector podcast wherever you get your favorite shows. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With Threat Locker allow listing, you stop unknown executables cold. With ring Fencing, you control how trusted applications behave. And with threatlocker DAC defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose Threat Locker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com N2K today. When it comes to mobile application security, good enough is a risk. A recent Survey shows that 72% of. Org organizations reported at least one mobile application security incident last year, and 92% of responders reported threat levels have increased in the past two years. Guard Square delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guard Square provides industry leading security for your Android and iOS apps at www.guardsquare.com. And finally, it's World Quantum Day, and while it's unlikely you'll find the perfect greeting card for your favorite quantum engineer at the local Hallmark store, the folks at qsicor gently suggested that organizations stop staring at the quantum horiz like amateur astronomers waiting for a comet and start migrating to post quantum cryptography. Now, the company argues the real risk is not guessing when quantum computers will break today's encryption, but how long it takes to replace the encryption once everybody agrees they will. Recent signals from Google, Cloudflare, and India, all pointing toward 2029. Migration timelines reinforce the message that the clock is already ticking, even if no one agrees exactly when Midnight arrives. Q Secure says large enterprises often need up to a decade to complete migration, which makes wait and see less strategy and more procrastination with paperwork. It also warns that inventory exercises without pilot deployments waste time and that crypto agility is becoming essential as threats evolve quickly. In short, the future may be uncertain, but the migration backlog is very real. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producers, Liz Stokes, were mixed by Trey Hester with original music and sound design by Elliot Peltzston. Our contributing host is Maria Vermazes, our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Dave Bittner (39:35)

Today we'll attempt a feat once thought impossible overcoming high interest credit card debt. It requires merely one thing a SOFI personal loan. With it, you could save big on interest charges by consolidating into one low fixed rate monthly payment. Defy high interest debt with a SOFI personal loan. Visit sofi.com stunt to learn more. Loans originated by SoFA Bank NA member FDIC terms and conditions apply. NMLS 696891.