B (6:17)

And the with this, actually I have a son who's working for an AI app. The problem is malicious actors that are creating apps that do bad things and putting them out there and people downloading them unsuspecting or is the problem apps AI based apps that have security flaws that bad actors can exploit? Which are you focused on?

A (6:51)

We are focused on security of the AI applications, which bad actor can focus on. And I'll give you some really basic insight, right? So if you look at any applications in your desktop today, your Chrome, like If you open ChatGPT in your Chrome or Perplexity in your Chrome, I mean you can use their desktop application as well. But let's say this application is accessing your location information. Now Chrome has its own permission system which kind of pops up saying that hey, do you really want to share your location? But if you look at applications in mobile, those are a little bit more restrictive, like while you're installing the application, it kind of tells you these are different permissions with this application requires and it's just a one time grant and you don't care about it once you go ahead and install applications. Right now, GPT in mobile application does have access to your location, but you had no idea about it unless you actually go inside settings, go inside the application, figure things out. The reason I'm saying this is not because ChatGPT is a problematic app, but the reason I'm saying this is because any actor, any attacker can actually create a malicious ChatGPT wrapper, keep it for free and say, hey, you don't have to pay a monthly cost like a monthly subscription for ChatGPT. Why don't you use this for free and you go ahead and download that application from these stores and then you realize that oh yeah, I'm able to, you know, use the chat reputed models. But behind the scene, these applications are actually sending so many sensitive information. And if you compare your desktop with your phone holds much more very sensitive information to you. It has your financial records, it has your credit card information, you pay your grocery stores using your phone, using your devices nowadays with you know, Apple Wallet or Google Wallet, it has all your SSN certificate, SSN information, it has your healthcare information and so many more, right? So now these applications suddenly have an access to such incredible data pertaining to you, right? And just imagine what happens if such application has suddenly access to those data and a malicious actor can actually steal those data in it. In 2025 starting we started this thing called finding out figuring out fake applications in the stores in the app stores and play stores. I'm talking about not, not third party stores. And what we found was we found a couple of applications which are there in the app store and which we helped them to take down those Application which was not a legitimate application. It had the logo of ChatGPT, it had a logo of WhatsApp, it had a logo of valid brands and it talked about the same thing. But internally it was leaking so many things. Internally we were able to find or figure those applications out. Thankfully we were able to figure those applications out with the help of AI itself internally, because again, at scale, security at scale, scale is where AI kind of wins the race. Unfortunately for human at scale you still need time. Time is the most complex complexity in terms of doing a security testing. So that kind of happened, that kind of helped us to start validating this idea about figuring out fake applications in the App Store, Play Store or even in third party stores and figure things out. So that's where we kind of focus on now. The other part of the focus is where we cannot focus on it is, but I'm hoping OEM providers like Google and Apple does, is to educate the users themselves to make sure that they don't go ahead and fall a victim or a prey to actually downloading those applications. So that responsibility lies with the OEM or the vendor, unfortunately. But all we can do is making sure the OEM platforms, the marketplaces are secured enough to make sure those fake application doesn't go inside those application stores.

B (11:03)

Yeah, and how does it, how do they get in the stores? Because presumably, I mean I've been through this app submission process with Apple's App Store and it's fairly rigorous. Is it because the app reviews are now being done by AI and they just miss this or, or is somebody that Apple not paying attention?

A (11:30)

Yeah, I think that's a very good question. So just to understand what is the motivation for these marketplaces like the Play Store and the App Store to publish applications? Their motivation is to make sure that it does not actually go ahead and affect the users. Which means they look for if the application is not acting. In the classic security world, we call it a virus or a Trojan attack, it basically checks for that. It checks if the application is not doing things which it shouldn't be doing. But then these fake application which goes into the store, it is a very benign kind of an app. It does not actually affect, it does not actually hack into your account and do a payment for you. But it is more of a data farming kind of an application. So there are a couple of different kinds of fake applications which are there so which we had defined. One is a simple wrapper kind of an application which are more towards focused towards earning ad revenues. So I'm going To let's say I'm going to say hey chatgpt Lite and I'm going to try to, you know, put it in a Play Store and an app store or in an alternative store and say that hey, this is a valid application, it's a benign application, it does gives you, it does work. It's just that it's an ad where a lot of ads are there and just so that if you use it, I'm going to give it for free. Just you need to click on the ads and I'm going to earn some money out of that. So that's one category of fake application. The other category of fake applications are application which actually do data farming. It tries to gather as much data as it is from the devices, it'll download all the contacts, it'll try to figure out what are the wifi it is connecting to. And it still seems benign. So even for a Play Store and App Store review process, it feels like yeah, this app actually requires a camera access to actually click pictures so that you can send it to the EI to analyze image. But behind the scene it is like, hey, I'm not only going to send this image to the AI to analyze it, but I'm also going to send this image in my own server and I'm going to just create a profile of whoever has installed my application. Right. And the third one is the most dangerous one and that is the one which is most of this Play Store and App Store kind of tries to look for where these application actually is attacking the users who are using it. Right? They're trying to actually succumb in the protection the OEM has placed into the devices and those are the application which gets flagged more often than not. If you look at some of the data last year 2024 and it has nothing to do with AI. The most fake application from a category is a banking application, right? These are all application which gives you lo which kind of, you know, you download this application, you can get a quick $10,000 loan just before you get your salary paid. And these application has access to your SMSs, has access to your phone book and address book and everything. The reason they state the reason is because I want to build a credit score. How much of the loan can I give to these people? But just imagine if I come up with another application mimicking a similar behavior. But I'm not going to use those data to actually give you loan, but I'm going to do it for something completely different. That's fair play. Store and app store review process kind of feels in there. And I mean if you look at the data, every year almost, almost 200,000 to 200 to 250,000 applications are taken down from both app stores and Play Store for a reason. Almost 50 to 60% of the reason is it is violating the safety norms for those devices. And that's why they have been taken down. Yeah.

B (15:27)

And the people putting those apps up, they're harvesting data. Is that is what's their business model then they just sell that data to data brokers or is there some other use?

A (15:39)

Absolutely. So these datas are being sold in data brokers. These datas are being sold in dark web as well. So again, as I mentioned, there are three kinds of fake applications. Right. You have the adware application that is completely revenue model where I want to write the hype of whatever the new launch which has happened to make sure as many installs can happen and I can earn some ad revenue out of that. So that's the number one kind of application. Second is the data farming application of these applications. They go ahead, sell the data to data brokers and they kind of try to sell it to competitors like I'm sure are. If OpenAI has launched something today, the anthropic is also trying to look for getting the user base of OpenAI to come and install their application. Right. So there, there will be data brokers who would be like hey, you know, I know how many people have used this, why don't you use, you know, use kind of this or things like even these data are also sold to banks and financial institution to target people who has better, who has a lot more spending capacity and power so that you can target more ads and you can reach out to them and have a lot cold calling in progress to do it. So that's the second type and the third type as I talked about, those are very strategic, kind of attacking the user itself. It's far more like a malware or a virus. In the cybersecurity domain. That's what we call and that is a very malicious intent that has nothing to do with earning money or anything, but to do damage and harm to the user.

B (17:12)

And these are apps that are engineered for those purposes. But what about, I mean AI is being embedded into everything, all apps now and the apps are starting to include agents, intelligent agents that adopt and evolve as you use them. So what how much of the problem is, for example, I build an app, I have API call, it's an a, it's a quote, unquote AI app. How much of the problem is just I'm not careful in my security and that becomes a vector for bad actors to reach the app users.

A (17:58)

That's a great question, actually. So how we should look at it is two perspective to this. It is AI for security and security for AI. That's what I keep talking to people as well, right? So AI for security is how do we leverage AI to make sure the security of the applications are and the other way around is how secure is the AI itself in terms of acting on those devices? What we have seen is in terms of security for AI, whenever we are embedding these AI models into these applications, what we have seen is it requires a lot of testing in these models to make sure that these agents do not go haywire and do not start collecting data which it should not be collecting data on and things like that. And we have seen a lot of instances where, I mean, recently this came out and it has nothing to do with mobile, but this has come out that cloud code. Like I love cloud code, right? So cloud code has started. I mean, there was an incident where cloud code went ahead and started deleting sensitive directories, right? How do you prevent agent to actually, actually stop doing dangerous actions on behalf of the users? And that is a very important thing in the mobile realm. This is all the more important because now we have this set of very sensitive data and then you have AI which has access to these very sensitive data. How do you put in guardrails in the model and the AI to make sure that even if they have access to the data, they know exactly how to access it, or you should not access those data. I mean, whatever the guardrails are, so are those guardrails good enough to make sure that doesn't happen? The other way around is actually using AI for security. A decade ago in cybersecurity world, there was a term called script kiddies. Script kiddies are nothing but who are entering into the cybersecurity world and they see some script by which you can hack into a couple of things. They just run the script, they don't understand anything and it kind of tries to get into the system. And they are like in hacking or in a vulgar world, we say noobs in security people who kind of does that. And now that has changed completely. You can use this AI model. You can use Claude code to actually go ahead and try to hack into system. You can instruct a cloud code agent to go ahead and say, hey, Claude, can you just observe this Android application, decompile this application and figure out if there are issues and or things like that. The power of AI is the reasoning cycle, how it reasons out the situations, right? And that changes everything. So now these script kiddies who are also called noobs during our time, are no more script kiddies now because now they are more like a prompt engineer or a security prompt engineer. Now all they have to do is make sure they instruct the AI model to do something which is very offensive and which goes ahead and does it on behalf of them. And that kind of changes because the attacking part now has become so easy, the barrier to entry is so less that the defending part has become more and more problematic. That's why we come in as well. Like at appnox, we are the defending side of it, right? We have to cover all the bases, right? Even one single point of failure is problematic for attackers. They just need to find that one single point of failure. They don't need to do everything. So for a defending kind of a situation, it becomes very difficult to use the old methodology which we used to do it in the cybersecurity world. It's no longer those algorithmic way of figuring vulnerabilities out, but it's more about using the AI, the reasoning cycles, to actually block these attacks which are happening via attack. I'm sure that this world is not going to be too far where we're going to see two AI agents trying to fight against each other, one trying to defend, the other trying to attack. And that's going to be a reality pretty soon. So yeah, that's what my view is with this. Yeah, yeah.

B (22:16)

Actually that's fascinating. The idea of AI agents sort of fighting a defender and an offender. The how is trust becoming a measurable performance indicator for AI systems? I mean, what will companies be expected to prove to users to build trust?

A (22:40)

I think one of the biggest problem with EI is it's like a black box. You feed in some information, it gives you some information out. And what people are really worried is I really don't want to give my personal data to AI because I'm not sure how this data is being processed internally. Is it been saved somewhere and how is it being processed and giving me an output? And that's where the word trust comes into play. Trust is very important in an AI world, right? So there's this very thin line where, you know, we are a trust implicit society, which means by default we try to trust something, but if the trust is broken, that's it. Then we become A trust explicit society, then we are like, we're not going to trust you first show me some proof and then only I'm going to go ahead and do it. And that's the kind of a society which we live in in today's world. Unfortunately, there has been certain instances in the past with AI models leaking information or getting into data which they should not be allowed to have access to. In that kind of build, that kind of built this behavior that, hey, I do not trust AI models. So it becomes a very big problem for companies like us who are utilizing AI to power or to harness defending part of it, to actually build trust for the users. And how we build it is actually by providing transparency. And I had talked about it previously as well. Transparency is the key to building trust. If I transparently tell the users, this is how I process your data, this is how the AI processes your data, and this is what the outcome of the data processes is, where you start building trust. That's the initial first step towards building trust, right? Incidents like, if you remember in the start of 2025, incidents like deep Seek, you know, getting all the data into some servers who people were not aware of. A lot of news came up because of that. A lot of places people stopped using Deep SEQ altogether. That kind of showcases that how important trust is, right? Somehow we do trust Anthropic and OpenAI to make sure that our data is there because of data privacy and things like that. Okay, my data is not going out of the country. It's still there, which is great. But whenever the user gets spooked, if the data goes to some other places or if the data is being mishandled or misused. So trust is a very important thing in terms in the AI realm. And it is very important for companies, not only like us, but companies who are in the AI space to actually build a transparency in terms of how the data is being handled and how AI models are to going using these data internally.

B (25:42)

Yeah, yeah. Actually that's interesting how not only because of AI, but certainly AI plays a big part of it. That trust is eroding in and certainly in US society, but globally. Trust in technology, trust in media, trust in governments, trust, you know, and this is a big part of it. So how do companies start evaluating not just who's accessing their app, but what their intent is.

A (26:21)

So it all depends on how the data is being processed and what is the intent of the data which is getting processed? It starts with that if a company is actually utilizing your personal data to predict or to do something. For example, let's say I'm a healthcare company and I really need access to your healthcare records to actually predict something or to help you something that is something which is a Nobel cause. Right. And I should be given a control about what are the data which I should be sharing and what are the data which I should not be sharing. So companies should be giving those kind of controls to the end user and should also convey what are the data needed to actually make a proper work or the use case of it. Right. Until unless I know the use case of it, I may not be trusting the system to give those data out. I understand. Like for a health. It is a big problem in a healthcare kind of an industry because they need access to all your healthcare record to actually give you a proper treatment plan. And the only way that can happen is if you can share this data with the company. Now I'm not talking about AI, I'm just talking in the general mindset. And then there are certain controls as well. So there are things like data scrubbing. Sometimes you need to share data, but that does not need to be involved in terms of linkages. Right. So there are things like data lineages and data linkages. So for example, you can share your health records, but that does not need to be identified. That Craig's health record is this. It can be like person X and this is the health record of person X. Right. And that is enough for a model or for the company to actually predict or give you a proper treatment plan, depending on what of the data it is. It is easier to explain it in a healthcare realm, but you can extrapolate from the healthcare realm to other realm as well, like your payment processing, your consumer brands, your E commerce, everything you can just, just extrapolated to other such industries as well. So it is very important for users to understand why they need the data, how much data needs to be shared and what is the minimum data which needs to happen to be shared so that, you know, they get the benefit out of it at the end of the day.

B (28:53)

Yeah. You know, the problem is you mentioned is educating the public because GDPR is as I see it, has been largely a failure because in order to comply, you know, companies put up this little, you know, accept button and nobody has time to read through, I mean the fine print. You need a lawyer to go through it. And so they just accept. And with this, as this trust issue grows, how do you educate people or companies as to how they, they should handle this stuff? And also you were saying how, you know, we all, not all, but we trust OpenAI and anthropic because the sort of core researchers are at those companies. They raised a lot of money from reputable VCs and investors. But I don't know what OpenAI is doing and I use it every day, you know, for a while I know they're, you know, and we've all had that experience of having a conversation with our wives about, or spouses, I should say with, about, you know, going on a vacation to the Bahamas. And next thing you know we're getting fed ads about vacations to the Bahamas. And it's like the go to is that my phone is listening to me. I don't know, maybe it is. I always tell my wife, no, it's these systems gather so much data they can triangulate based on something search that somebody in the family did. But it does make you uneasy. How do companies build that trust and how should consumers react to these apps?

A (31:10)

I think this is a great question. And, but the thing is, trust is kind of a mix between the law, the government and the company. It has always been a mix of all the three. Because just as a, like I run Appnox and I can just tell you in a blanket statement, I don't store anything in my database, right? Why will you trust me if I say that? You will only trust me if there are certain processes in place. So now if I back it up by saying that, hey, I have SOC 2 type 2 as a certification which kind of puts in a process or a control which kind of tells me that even if I hold some sensitive data in my databases, I still have some access control to it. But still you will be like, that's okay. But I still, I mean there's a little bit of build of trust which happens there, but still it's not fully trustworthy. And then the third part is the law of the land, right? How stringent the law of the land is. And you talked about GDPR being not a very strong privacy following. And I agree with you. Like those accept cookies which comes in now, our brain always is programmed to click on accept, but have you tried clicking on decline? The website still works normally, right? It is just a consent. It doesn't matter whether it's an accept or a decline. Unfortunately, that's the truth in today's world, right? If a company is actually building on trust, if you actually click on decline, it may be some of the videos, let's say a YouTube video is there to showcase how the product works. But if you click on decline. That YouTube video should not be loading because otherwise you are consenting that this, your data will be shared to YouTube and you do not consent to that. It's a very simple way of figuring out whether they have actually implemented it properly or not. Unfortunately, in today's world, all we need to see is just disclaimer, message and that's it. But still it builds a little bit of trust. And a third thing is the government. I'm happy about the US Government. They do have a Congress where if there are issues which happens, they do call the companies out, they do hold them accountable. I think that is a really good thing that kind of builds public, public trust. Right? So the question over here is why did deepseek, which is a Chinese based company, the servers are in China, versus OpenAI? Why do I trust OpenAI more than Deepsea? The reason is I know that today if something terrible happens with my data, unfortunately, if something terrible happens only with my data, maybe there's nothing I can do about it. But let's say a terrible thing happens to the whole country with a lot of data, there's a mass problem which happened. The government is there to call them up and you know, they can ask them questions. But what happens if Deep Seq has the same kind of a problem? Can the US Government go and ask them, hey, can you come here and answer this question? That's not going to happen. And will the Chinese government do the same thing over there in China saying that, hey, why is this happening? People do not trust that. So it has nothing to do with, with whether US government is better or China government is better, but it is about what is the process. How do people perceive these processes up in a broad daylight? Right? And these are all psychological matter. Unfortunately, this has nothing to do with tech. This is everything to do with psychology. That's why we trust OpenAI or Anthropic more because of the law of the land, because of the government, because we know that if tomorrow something terrible happen, there's at least they need to answer to the government of the United States. Unfortunately, if it is not in the United States, if it's in some other government, some other country where some other government is there, we are not sure whether they're going to do the same thing or not. And that's why a call which I want to make is I think this is for each and every country, for each and every government in each and every country. They should have those kind of laws of land and have those kind of processes where they can call a company up and ask them why or how the user data is processed in. That kind of builds a lot of trust. So that's why it's a shared responsibility. Unfortunately, it's just not what the company can do. Yeah, yeah.

B (35:41)

You did a report recently about the security of retail apps. And in the recent holiday season there's, you know, everyone's buying. I mean, what did you find? What are some of the surprising findings

A (35:58)

from that one thing? So the reason why we did the report is very interesting is because there was a Black Friday sale which started happening and I'm like, I need to, you know, buy some gadgets for myself. And then I realized there's so many people who are actually utilizing applications to actually buy, order things or even pre book things in Black Friday. And that kind of led me to think about, hey, it's just not me. Like all my friends are all around, they're all using this Amazon and other applications to pre book or to even book things or to order a couple of things. So that's why we thought, okay, and now it's a holiday season, it's Christmas time, I'm going to buy a couple of things for my family. And all of this, I use my mobile app to do it. And that's the behavior of the consumer. So then the idea kind of came to my mind like, hey, are these apps even safe to use? What is it hiding behind the scenes? And that's why we started actually collecting these applications, this retail applications to figure out what are the different things which we have found, which we can find in this application. And we found couple of issues in these applications for sure which we have written in the report. We found applications not following secured communication between the server and the mobile apps, which means that there is a possibility of a man in the middle attack. A man in the middle attack is nothing, but there is a connection. And if I'm a man who can sit between the two connection and I can see what is flowing, that's what a man in the middle attack looks like. Most of these applications are vulnerable to those attacks. There are a couple of applications where hard coded API keys are inside, which again falls back into the realm of creating fake shopping applications, cloned applications using those API keys to call those APIs behind the scenes. So now that became a really big threat vector. That's what the report kind of talks about. In brief, that's what I'm talking about. But that's what the report kind of talks about, like the state of what these mobile applications Is the retail applications are, I'm not saying that they are really bad, but neither am I saying that they are at the top notch. Secured application. Unfortunately, if you compare it with banking application, banking applications has far more security protections and elements in there than these retail applications. And I completely understand because a couple of my friends, they work in e commerce websites. For them, the holiday season is mostly about scaling servers, making sure they're able to serve the demand of how many orders are getting placed and fulfilling those orders. And not a lot about security. And even if it is about security, it is about how do we prevent bot attacks, how do we prevent a lot more traffic incoming, how do we save those? Not the fundamental security part, like hey, is the connection even secure? Are you using SSL in a proper way or are you storing secrets in a proper way in the application? So we were able to figure those things out and that's what the report kind of talks about.

B (39:16)

Yeah, yeah. And so appnox, I mean you do more than study this stuff. You have products. So what are appnox? And as we said before we started, the Knox comes from Fort Knox. What does appnox do? I mean, what are the products that you offer? And is your market companies that are building apps or is your market consumers that are using apps?

A (39:44)

Our market is companies who are building these applications. And as you rightly said, we came up with this name appnox from the story Fort Knox by Twitter. We are not building forts, we are building applications. And how do we make sure that these applications are secured? So that's where the name comes from. And we have a couple of products. So our fundamental product is actually about figuring security bugs in mobile applications. And we are focused only on mobile because that's what our talent is and that's what we are expert on. So we don't want to go into other markets, we don't want to compete against other the very big vendors which are there. We are focused on mobile applications and we try to be the best in that market. We try to do that. So the first product is about figuring security issues, bugs in the application. That's the first one. The second one which is very important is we call it Store Knox, where we observe these Play Store and apps. That's where I come up with all of this report from the second product. What it does is it basically observes the App Store, play store and third party store. We observe around 30 plus stores across the world and we try to see what are the different applications which are getting uploaded in these stores and we try to see that if this application has been scanned by appnox or not. That's number one. Number two, we try to figure out if there are any fake applications which are getting published in the store. And we help brands and consumer brands and companies to take those applications down as well, once we kind of figure out if there are. And a third thing which we do is a kind of AI pen testing module where we try to utilize the reasoning capability of the AI to actually perform pen testing on top of these applications. Rather than a human doing the pen testing, we're trying to make AI do the pen testing of this application, which is again, as I started, like, it's no more manual, it's much more faster. And we try to figure out what are how these applications can be hacked and we kind of help the companies to get those data and to make sure that they fix the application before it actually gets hacked. So, yeah, these are some of the things which we keep doing at App Docs.

B (42:04)

Yeah, yeah. You have another report on developer burnout and it's related because as AI starts generating more code, it affects the secure development practices and debugging workflows. Can you talk about. I found it fascinating because one of the the reasons for burnout is although AI things like cloud code speed up development, it also puts pressure on the developers. It's like, you know, used to be able to do one thing over a period of time. Now you're expected to do five things because, hey, you have cloud code. Yeah. Can you talk a little bit about that? And how is that that affecting the security of the code written?

A (42:56)

I think that's a great question. So, yeah, so we actually worked on this report because we wanted to see. There are a lot of companies who are coming up with like prompt based engineering. Like you write a prompt, hey, can you create a website for me or a mobile app for me? It kind of immediately, within a matter of like five to 10 minutes, creates a code, give you an application which is looking really pretty, works, and you're like, wow, I could have spent at least a week to develop this. Now it's five minutes and I get a code. But we need to ask this question, is that code secured? Is that code secured enough? Is it handling business logic properly? Is there guardrails and checks and balances inside these applications which make sure that your data is not getting leaked anyway? Unfortunately, that's not the goal of an EI writing a piece of code. Right. You as a user, we define a goal that, hey, I need this application Looking really good. And this is the operation guideline for this application. But unfortunately we do not put in security best practices in the prompt part of it in that kind of extrapolates to developers. Now they are able to churn out code really fast. And this is a real life example which I'm talking about. At Appnox we had an AI agent sitting which checks if there is any error in the APIs which happens. It immediately tries to figure out where the error is in a code base in GitHub and sends out a pull request to fix that error in the API. Now not all the pull request needs to be merged because sometimes this errors are expected errors. But now what happened is for developers to now go ahead and check the code whether the code written by the EI is secure, that's number one. Number two, does it actually solve the purpose of the error which this code is trying to write? And number three is to validate this code, even to put it into a QA system to understand whether this actually works or not. That took a lot of time. So now just to give you a kind of a hindsight how it works, let's say there is an error which is a valid error. We immediately raise a JIRA technique it and then we assign it to a developer and then developer takes one day to understand what this error is, takes another day to actually fix it, sends it to a review, the reviewer goes to the code. It's pretty easy because it's a human. If they don't understand the code, they call up the developer like hey, I don't understand what you've written. Let's get on a call, they kind of have a chat, half an hour, review is done, then you go to qa, everything looks good and then that's it. Overall turnaround time is two to three days. Now let's talk about AI. The speed at which the code got generated is a minute, right? It took a minute, that's it. But now I go into looking at the piece of code, understanding why did this code get generated, try to look at the root cause of it. Now I don't understand the piece of the. What is the root cause of why this got generated. So that took me half an hour, one hour to understand. And then I give it to a reviewer and the PR reviewer is like, why did you write this piece of code? I do not have anybody to talk about it now. Now the reviewer is now going to use another AI model or a clock code to actually understand the piece of code, which kind of confuses them more. And then they're like, oh my God, I don't understand this. And then the engineering manager is going to come and say, hey, this piece of code was written in five minutes, it's been a D, why is it not in the production? And then the QA tries to test it. They still have no idea what this code does, right? Somehow there's a senior engineer who has to get involved and now they understand, oh, this code, there's something mistaken, I'm going to modify it. They use AI again to modify it. And now it goes to production PR and then goes to production. Can you see where the developer fatigue comes in? So developer fatigue has shifted from writing the piece of code to actually reviewing it and putting it before the production. It hasn't solved anything. It's just shifting the problem from the source to a later part of the source. That's what happened here. And this is a real life problem. And that's why we decided that, hey, can we do a kind of a survey and understand are we making something wrong? Is it a problem at applocks or is it a developer wide problem problem? That's what the report kind of talks about. Like what are the core like? Obviously we are able to come up with prototypes and MVPs like really quick, really fast right now and then. But are those product easily deployable in production? Are those secured enough? Do I understand the piece of code which the AI has written right? Do I have the intricate knowledge about what it is? Why is it written? So all of this now gets shifted towards a later part of the SDLC cycle, the development journey and that is where the developer burnout becomes real. So that's the part of the report which we have written over there.

B (48:05)

Yeah, yeah. And yeah. So the problem is the more AI takes over code writing and then reviewing of code and the less involved humans are, you lose touch with what the code is doing. And there may be security vulnerabilities that a human would catch that the AI, because it's been trained on past vulnerabilities, not new ones, may not recognize what is penetration testing.

A (48:39)

Penetration testing is a methodology by which a pen testing person, he tries to penetrate inside the application. So for example, if you have a web application, let's say, let's say it is a shopping application, if I'm a pen testing guy, so pen testing guy, I try to penetrate inside your application and go towards places, pivot towards places where I am not supposed to go. For example, if I am able to get access to the admin panel or if I'm able to get access to the database, those are the places which as a normal user, I should not be able to reach to. But as a penetration tester, I am able to reach through via a certain path or via exploiting certain vulnerabilities. And that is what a penetration testing is. In short, we say pen test.

B (49:32)

Yeah, yeah. And is there a gap between what an AI system can do in penetration testing and what a human can do?

A (49:43)

To be very honest, before AI, there was no way to actually do a penetration testing. Because for you to do a penetration testing, you need human, and the human is the most important thing. Because I, as a human, I can reason in my brain, I try to reason. How do I bypass some of the way in the application to actually reach to the database or to the admin panel, which an algorithmic way of doing is not possible? Algorithm has a defined set of targets. It knows that this is the pattern and this is how the vulnerability is. But with AI coming with a picture, what a penetration testing using AI has is the reasoning cycle, how AI reasons itself. Now, that is not a predefined reason. So AI can be. And it has its pros and cons as well. Sometimes it can reason properly and that's what we need as a part of penetration testing. Sometimes it will reason some improperly, and that's what we call hallucination. Right. So improper reasoning. If somehow we can filter out the improper reasoning and if we focus on the reasoning which it has done in a proper way, that's how we can automate penetration testing. And in today's world, a lot of companies are coming up with utilizing AI to do a penetration testing. And that has become a possibility in today's world. But I can automate a part of the reasoning cycle of a human in a model where we can train the model or we can use any foundational model like Claude or Gemini to reason out what is the next step of action it needs to do. And that's how our penetration testing is becoming far more and more automated nowadays. Is it equivalent to what a human pen testers are? I don't think it is there. Maybe it is at 1%, but I'm happy it is at 1%. At least it's better than zero. Right. But from 1 to 100%, it won't take time. I think the time horizon which I'm looking at is in the next two to three years we will have AI agents which are actually doing much better than what human pen testers are. But that's Just kind of a visionary statement which I would give. Hopefully human levels up and that's how the whole game is over here.

B (52:03)

Yeah, yeah. Looking forward, what concerns you? I mean that's a positive development that AI can, will be able to do penetration testing. But you know, as agents in particular grow, what's the concern that you see in the future and what are you guys working on next?

A (52:25)

So we are working on the same thing. We are trying to build that brain of a penetration tester. Right. And we are trying to train this model towards thinking in terms of how to go ahead and reason out your way towards the end goal, the end objective, which might be getting access to the database or getting access to the admin panel and things like that. So there are certain things. That's what we are working on. The future of this is amazing because if you look at humans, us, right. There's a problem right now where people start by saying, what will happen to my job if AI starts doing everything? Because I'm trying to commoditize what a human does into an automation. And then the question comes, what happens to my job? But I think it is a good thing. It is not that your job is at risk, but you are going to solve the next order problem. It's a higher order problem. Today we don't care. We know that computers works on a binary 10 and that's what it is. But we don't really care about what is exactly happening in the microprocessor or on the GPU. What is the 10 thing happening. We're working on a higher order problem where we're building softwares on top of that. Now we don't care even about building software. Now we are working on prompt engineering. We're trying to build prompts. Somehow this prompt, if I give this as an input in the prompt, this is the output which comes out. But at the end of the day, fundamentally everything is running on ones and zeros. Right? But we are solving higher order problem. My point is penetration testing will become commoditized, will become automated. But then humans need to do a lot more higher order problem. They need to then focus more on zero days attack, like attack which even AI won't be able to figure it out because it's so complex. And that's how the whole human and AI conversation will keep happening. AI is not going to come and eat your job up. It's like you have to level up to the next higher level, higher order problem. That's what you have to work on. So that's what I feel, that's what I believe and that's what we are working towards as well. We are trying to build AI pen testing product and the difference between us in AI pen testing product is we are working on top of binary, right? So the thing is there are companies like you know who are into AI pen testing. They work on APIs and API is human describable language. Like if you look at a URL you would know, for example, if you look@appnox.com, you know that there's a company called appnox.com and that's the URL. But a binary do not have those English language name binaries, ones and zeros, it's registries. And what we are working on is translating those binaries in a way that AI model can understand those binary and then do a pen testing on top of those binary. And that's the differentiation which we are trying to work on and hopefully we'll be able to launch it in January 2026.

B (55:23)

Yeah okay. This episode is brought to you by tastytrade on ionai we talk a lot about how artificial intelligence is changing how people analyze information, spot patterns and make more informed decisions. Markets are no different. The edge increasingly comes from having the right tools, the right data, and the ability to understand risk clearly. That's one of the reasons I like what Tastytrade is building. With Tastytrade, you can trade stocks, options, futures and crypto all in one platform with low commissions, including zero commissions on stocks and crypto, so you keep more of what you earn. The platform is packed with advanced charting tools, back testing, strategy selection and risk analysis tools that help you think in probabilities rather than guesses. They've also introduced an AI powered search feature that can help you discover symbols aligned with your interests, which is a smart way to explore markets more intentionally. For active traders, there are tools like Active Trader Mode, one click click Trading and Smart order Tracking. And if you're still learning, tastytrade offers dozens of free educational courses plus live support from their trade desk reps during trading hours. If you're serious about trading in a world increasingly shaped by technology, check out tastytrade. Visit tastytrade.com to start your trading journey today. I'm going to myself. TastyTrade Inc. Is a registered broker, dealer and member of FINLA, NFA and SIPC.