A (11:33)

And now a word from our sponsor, arcova, formerly Morgan Franklin Cyber. Arcova is A global cybersecurity and AI consulting firm. Built by practitioners who've been in the seat, they work directly with enterprise teams to solve complex security challenges, building secure by design programs that hold up as technology and threats evolve. From focused engagements to long term partnership, arcova delivers outcomes that endure because no one should navigate complexity alone. Learn why leading global enterprises trust arcova@www.arcova.com that's a R C O V A.com.

B (12:25)

No, it's not your imagination. Risk and regulation really are ramping up and these days customers expect proof of security before they'll even do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI powered platform. So whether you're getting ready for a SoC2 or managing an enterprise governance risk and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and RYTR spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth. For me it comes down to this. Over 10,000 companies, from startups to large enterprises, trust Vanta to help prove their security. Get started@vanta.com cyber. Justin Kohler is Chief Product Officer at Spectrops. I recently got together with him at the RSAC 2026 conference for this sponsored Industry Voices interview discussing identity attack path management.

D (13:44)

I think the the interesting thing on the AI side is we are seeing what we call nation state level tradecraft come down to the masses, right? You don't like, it's really easy for us to launch really advanced attacks now. It's kind of easy for a lot of people. I think the other fear of AI is not just launching super advanced attacks, but a lot of mediocre attacks and just starting a fire over here so that people, you know, distracted. The reason why that's relevant to us in Bloodhound is you're not going to really be able to keep up with this from a detection and response scenario. I mean maybe you can throw another AI agent and have them get into a race condition and race each other. But from our perspective, you need to shut the door. You need to shut down the opportunity because I think people, no, nobody today wants to look at another alert. They want to make the problem go away.

C (14:36)

Well, thanks for joining us once again. Here we are on the floor at RSAC 2026 and it is my pleasure to be joined by Justin Kohler. He is the Chief product officer at SpectreOps. Justin, thanks so much for joining us.

D (14:50)

Yeah. Pleasure to be here. Just the hum of the hall is getting over it.

C (14:55)

Before we dig in, how's the show been for you so far?

D (14:57)

Awesome. It's been a blur. Really exciting, but yeah, crazier every year.

C (15:02)

Absolutely. I want to dig into some of the things that I've been hearing coming out of SpectreOps this week and recently. This whole idea of identity attack path management. I want to make sure I get that right. Can we dig into that? What is that and why does it matter?

D (15:18)

Yeah, so we kind of realized that we were doing this for the last decade and then we put a name to it. So if you don't know SpectreOps, our history started with penetration testing and Red TV and the way that we would accomplish our objective. We stopped throwing exploits and just taking over boxes. We usually took over an identity. And historically that was an active directory because that's where people had their identities. But as organizations have evolved their identities in more hybrid environments. So like it could be Entra ID or AWS or GitHub or you name it, there's identities everywhere. And if we can take control over those identities, not only can we operate as them, but we can hide under the radar, if that makes any sense. So we just use your permissions against you. And that's what we mean by an identity attack path. Basically. How can I turn my initial access victim so who might click on the wrong link or whatever could be a non human identity. We take over from a repo and then turn that into more and more access. And importantly, it's not about the initial identity we take over, it's about how I can cascade that into like control over my account leads to. Control over your account leads to a control over an admin account. And then I can do whatever I want. So that's what an identity attack path is.

C (16:30)

Help me, can we dig into some of the details of how that plays out in the real world? Can you walk me through if, if I start out with, I don't know, I purchased some, something from an initial access broker or something to get into a system.

D (16:43)

Yep.

C (16:44)

What's my plan then for lateral movement through someone's organization?

D (16:48)

Yeah, so you read about it a lot. I mean, there was a really cool story about, from Google two weeks ago now where, where they had some initial access into a GitHub repository and through chaining permissions in GitHub they were actually able to take over the CICD pipeline and AWS and then routed through AWS to take over the AWS account and all the S3. So basically like. And you see that more and more. I mean, phishing is getting better, but also phishing controls are getting better. So now it's like you mentioned, like initial access brokers. You just need somebody to like set the beacon early or give you a way in. And then we just route through all the controls. I'll give you an example from way back when in Active Directory. If you land in Active Directory and if you ask the directory for all the information, it just gives you all that information. That's how it functions. That's why these attack paths are so hard, because you can't patch them out. There's nothing to patch. This is how the system functions. And so we get, basically we get the map of your environment by just asking the question. Then it's just a matter of time of routing through all those misconfigurations you put in over the last 20 years. And it's not just Active Directory. I mean, it's every cloud system. They're so complex. And nobody can make sense of this in their head, at least not without visualizing. That's where Bloodhound comes in. That's probably like the most popular way that people understand attack paths. I mean, it's used in 95% of penetration tests. And Bloodhound Enterprise is now helping enterprise customers handle that at scale.

C (18:14)

Let's talk about Bloodhound. How does that come into play? People are using it in regard to Open Graph.

D (18:22)

Yeah, yeah. So Bloodhound. So again, a little bit history here. We created Bloodhound because we were just penetration testers and red teamers and we wanted a faster way of doing our job. And instead of storing all these, you know, this cascading permissions and identities, instead of storing that all in Excel, we just threw it in a Graph database and created Bloodhound. So we basically created Google Maps for attacking an organization. And then that was awesome. But then we created another problem and it was like, well, now we can find all these attack paths. What can we do to shut them down? It's like, well, we just break things. We don't know how to do that. So then we worked for like four or five years to figure out how we would solve that problem. And Bloodhound Enterprise kind of flips that on its head and says, okay, forget about all these attack paths. Let's focus on your most critical assets, understand all the paths that could lead to them, and then shut them down one by one. So think of it like, I'm going to wall off a city I understand all the roads that go into that city, I'm just going to block them off. And that sounds potentially esoteric and bad, but what that really is doing is just separating your unprivileged identities from your privileged identities. So it's basically just giving you the visibility to do the thing that we've been saying we should do for 20 years. People have said Active Directory should have shipped with Bloodhound. I think any identity system should ship with Bloodhound. Opengraph is our pivot. Not a pivot, but just an opening of the aperture. So we used to be always focused in Active Directory and Enter ID and a Microsoft centric world, which is good because you know, again, that's kind of where everybody started. But we have aws, we have gcp. So last week we announced our first open graph extensions for the new bloodhound enterprise with Jamf, Okta and GitHub. So it's really interesting. We've been attacking those systems for years and now we can show everybody what we see when we land on the inside.

C (20:05)

So when you say visibility.

D (20:07)

Yeah.

C (20:07)

What are we talking about? What is the customer get to see?

D (20:10)

So you, let's say as an admin, as an identity team, or as a security professional, there's all these configurations that you're making, right. And in isolation, maybe they look benign. So think of like a user access request. I need access to this resource. Cool. Here you go. And then more, and then more, and then more. We show you the culmination of that. So you didn't realize that that permission you granted four years ago to this help desk user or whatever actually ends up connecting every low privileged identity in your environment to take over the entire environment. I mean, it's a bunch of cascading. It's like the, you know, it's like the domino meme. It's like you start this thing and then you take over the organization. That's exactly what we're showing.

C (20:52)

Okay.

D (20:52)

So it can be really eye opening for people. I actually had this funny blog post that I created when I, when we first launched the product. It was, is everybody this bad? Because I kept getting that question because they would deploy and they'd be like, oh my gosh.

C (21:06)

Oh, I see.

D (21:07)

Yeah, sure. And I was like, please tell me

C (21:10)

it's not just us.

D (21:11)

Yeah. And I was like, yes, it is. And, and that's why, like, I think a lot of security, I mean, let's pick on, not pick on the CISOs, but give them some credit to their fear. They're like we're, we're, we're living in fear of getting punched in the face. So it's just a matter of time. And I don't know where it's going to come from. And I can answer that question. I can map your next breach, I can show you exactly how it's happening, and then I can show you how to fix it. More importantly, so, and the numbers are against us. I mean, the attack paths are usually measured in the millions, if not billions. But the good thing is again, the different approach we have is if you're focusing on your critical assets, you're really only talking about maybe 10 to 12 different roads in. And so you can shut off millions of attack paths if you know where to focus.

C (21:54)

So we're here at RSAC 2026, which means we would be AI. You saw me coming from a mile away.

D (22:06)

Oh yeah. Oh yeah, yeah.

C (22:08)

So, yeah.

D (22:09)

So AI. So we see AI in a couple different ways as Spectre Ops and at Blowdown. So number one, AI has to use identity in some form or fashion. So it's either going to be provisioned a specific identity that it uses for its role, or it's going to assume the user's identity to accomplish the objective. The cool thing here is we have that mapped already. So if you're provisioning identity, we do not discern between an AI identity or a user identity. They are all just identities to us. So if we can use an AI identity or a non human identity or a user identity to attack the organization, we're going to show you the same thing. I think the interesting thing on the AI side is we are seeing what we call nation state level tradecraft come down to the masses. Right? You don't like. It's really easy for us to launch really advanced attacks now. It's kind of easy for a lot of people. I think the other fear of AI is not just launching super advanced attacks, but a lot of mediocre attacks and just starting a fire over here so that people get distracted. The reason why that's relevant to us in Bloodhound is you're not going to really be able to keep up with this from a detection and response scenario. I mean, maybe you can throw another AI agent and have them get into a race condition and race each other. But from our perspective, you need to shut the door, you need to shut down the opportunity. Because I think people, nobody today wants to look at another alert. They want to make the problem go away and that's where we can help. A lot of people have Been throwing a lot of detection focused workflows on this problem, but it's saddling too much of the burden. We need to remove it and make detection more effective, if that makes any sense.

C (23:49)

How does the background of your organization, your pedigree, the history of, as you say, pen testing, how does that give you all a unique view, a unique lens on all of these problems?

D (24:03)

I would say. We're very lucky in that sense. I mean, we work with a lot of very large, very interesting organizations. We're the red team for OpenAI and Palantir. So we get exposed to a lot of different new problems. And I think that's the way that we think as a company. We don't think like, we don't think as a product company trying to create a product to sell a product. We were like, we're attacking organizations and we're getting in every time. How can we stop ourselves? So. Because everybody was asking that. Yeah, it's like, I mean, it's frustrating. I mean, to a certain extent, we almost felt like we were doing our clients a disservice. We'd come in and kick them in the face and then, you know, the next year we'd come in and kick them in the face again. And it's like, well, this isn't helping you. How can we actually help you solve this problem? And so that's why we created Bloodhound Enterprise.

C (24:55)

Well, Justin Kohler is chief product officer at SpectreOps. Justin, thanks so much for joining us.

D (25:00)

Thank you.

B (25:04)

There's a lot more to this conversation than we have time to share here, so please check out the full unedited interview. You can find a link to that in our show. Notes.

D (25:19)

Foreign.

B (25:27)

Most environments trust far more than they should, and attackers know it. Threat Locker solves that by enforcing default deny at the point of execution. With Threat Locker allow listing, you stop unknown executables cold. With ring Fencing, you control how trusted applications behave. And with ThreatLocker DAC defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose Threat Locker? To minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com N2K today. When it comes to mobile application security. Good enough is a risk. A recent Survey shows that 72% of org organizations reported at least one mobile application security incident last year, and 92% of responders reported threat levels have increased in the past two years. Guard Square delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guard Square provides industry leading security for your Android and iOS apps at www.guardsquare.com. And finally, in a piece for Wired, Lily Hay Newman reports that governments keep trying to shut down industrial scale scam compounds across Southeast Asia, but the operations often linked to Chinese organized crime and forced labor, continue to thrive with stubborn efficiency. The FBI says Americans alone reported $17.7 billion in cyber enabled scam losses last year, likely an undercount. U.S. officials argue a key obstacle is uneven cooperation from China, which has cracked down on scams targeting its own citizens while foreign victims remain fair game. Researchers say that approach has quietly encouraged syndicates to pivot toward Americans and other international targets. Meanwhile, the United nations notes scam centers are expanding their multilingual workforces to match their global ambitions. Analysts compare the dynamic to squeezing a balloon. Pressure in one place simply bulges elsewhere. The result is a familiar pattern in cybercrime diplomacy. Everyone agrees scams are bad, just preferably someone else's problem first. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@the cyberwire.com don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian Show. Every week. You can find Grumpy Old Geeks, where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producers, Liz Stokes, were mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

E (30:18)

Ryan Reynolds here from Mint Mobile with a message for everyone paying Big Wireless way too much. Please, for the love of everything good in this world, stop with Mint. You can get premium wireless for just $15 a month. Of course, if you enjoy overpaying, no judgments. But that's weird. Okay, one judgment anyway, give it a try@mintmobile.com Switch upfront payment of $45 for three month plan equivalent to $15 per month required intro rate first three months only, then full price plan options available, taxes and fees extra. See full terms at Mintmobile. Do.