Podcast Summary: Risky Bulletin
Episode: Sponsored: Fighting fire with fire
Date: October 12, 2025
Host: Tom Uren (Risky Business)
Guest: Damien Luke (Founder & CEO, Nebuloc)
Episode Overview
This episode dives into the evolving landscape of cybersecurity in the age of AI. Tom Uren and Damien Luke discuss how threat actors are rapidly incorporating artificial intelligence into their attacks, closing the technology gap for both sophisticated and less experienced adversaries. Luke offers perspectives on how defensive AI can level the playing field through automation, efficient use of data, and proactive threat hunting—while emphasizing the critical role of human expertise alongside machine learning.
Key Discussion Points and Insights
1. The Surge of AI Among Threat Actors
- Rapid Adoption by Adversaries: Damien highlights how recent threat reports from OpenAI and Anthropic reveal a swift, widespread uptake of AI by multiple threat groups, including cybercriminal gangs and nation-state actors.
- Quote [01:16]:
"Not just how fast bad guys have figured out how to use AI, but truly the breadth of capabilities... they're doing it really, really fast." — Damien Luke
- Democratization of Malicious Capability: AI enables technically less sophisticated actors (e.g., North Korean groups) to conduct broader, more damaging operations than previously possible.
- Quote [02:29]:
"There was one particular North Korean threat group that relied on AI to carry out their entire operations." — Damien Luke
2. Lag in Defensive AI Adoption
- Barriers for Defenders: Adoption of AI by defenders, especially in large enterprises, lags behind due to privacy concerns, regulatory compliance, and risk aversion.
- Quote [03:13]:
"We're still at the very, very beginning in terms of widespread AI adoption... people like to talk about using AI; when it comes to implementing it, that's a much scarier prospect." — Damien Luke
- Contrast in Agility: Threat actors can quickly experiment without bureaucratic hindrances, whereas defenders face organizational inertia.
- Quote [04:35]:
"Threat actors don't have GRC that they need to get approval from before they push the next threat vector. They can just kind of see what works and go from there." — Damien Luke
3. Practical Defensive Strategies with AI
- Value of Human Reasoning: AI should not replace human judgment but rather be guided by it for more effective security.
- Quote [05:23]:
"Something that we tend to skip when it comes to implementing AI is still recognizing the value of the human, right, and our ability to reason." — Damien Luke
- Indicators of Automated Attacks: Defenders can identify signs of AI-driven attacks (e.g., high-frequency file downloads, rapid multi-host logins) by monitoring for non-human speeds and patterns.
- Quote [06:13]:
"If you see someone logging into 10 or 20 different machines within seconds of one another, that's a very great indication that something is automated..." — Damien Luke
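The "non-human speed" indicator described above, turned into a small detection that a defender could run over authentication or download logs. This is an added example, not code from the episode or from Nebuloc; the "timestamp actor target" log format, the 10-second window, the 10-target threshold and the sample events are all constructed assumptions. It counts distinct targets (hosts, or filenames for the download case) per actor in a sliding window, so a single host being retried is not mistaken for a multi-host sweep.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one "timestamp actor target" event per line.
# alice hits 12 distinct hosts one second apart (automation speed),
# bob hits 3 hosts minutes apart, carol retries one host 15 times.
def constructed_sample():
    base = datetime(2025, 10, 12, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} alice ws-{i + 1:02d}"
             for i in range(12)]
    lines += [f"{(base + timedelta(minutes=5 * i)).isoformat()} bob ws-{i + 1:02d}"
              for i in range(3)]
    lines += [f"{(base + timedelta(seconds=i)).isoformat()} carol ws-99"
              for i in range(15)]
    return "\n".join(lines)

def parse_events(text):
    """Parse lines into (timestamp, actor, target) tuples; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, target = line.split()
        events.append((datetime.fromisoformat(ts), actor, target))
    return events

def find_bursts(events, window=timedelta(seconds=10), min_targets=10):
    """Sliding window per actor: report the largest number of distinct
    targets any actor reached within `window`, if it is >= min_targets.
    Distinct targets (not raw event count) are what matter: carol's
    15 retries against one host never exceed a single target."""
    by_actor = defaultdict(list)
    for ts, actor, target in sorted(events):
        by_actor[actor].append((ts, target))
    flagged = {}
    for actor, evs in by_actor.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {t for _, t in evs[start:end + 1]}
            if len(distinct) >= min_targets:
                flagged[actor] = max(flagged.get(actor, 0), len(distinct))
    return flagged

if __name__ == "__main__":
    for actor, n in find_bursts(parse_events(constructed_sample())).items():
        print(f"{actor}: {n} distinct targets within 10s -> likely automated")
```

Tune `window` and `min_targets` to the environment: a backup or patching service account legitimately reaching many hosts needs an allow-list or a separate baseline rather than a lower threshold.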
4. Re-emphasizing Log Analysis
- Logging as a Defensive Goldmine: Rather than relying solely on detection tools, defenders should proactively analyze and prioritize critical logs, using them as early warning systems.
- Quote [07:44]:
"We've become so reliant on our detection systems that we haven't thought to look at the actual data." — Damien Luke
- Proactive Over Reactive: Logs shouldn’t just be used post-incident; AI agents can hunt for anomalies in real time.
- Quote [08:02]:
"Perhaps this encourages us to think more proactively about, okay, if I know what an attacker is going to go for... maybe I want faster, better indexed access to my domain controller logs." — Damien Luke
5. Limits of Existing Tools and Nebuloc's Approach
- SIEM Limitations: While SIEMs can detect these activities, most organizations underutilize them—often querying only after an incident.
- Quote [09:04]:
"Because there's so much data within a SIEM and SIEMs tend to be... a bit of an afterthought for most organizations." — Damien Luke
- Nebuloc's Continuous Automated Hunting: Nebuloc AI agents act as tireless, event-driven threat hunters, making real-time querying and detection accessible to organizations without elite security resources.
- Quote [10:25]:
"Every single hunt is event driven. Every single action that we take allows people to know in real time exactly what's happening." — Damien Luke
6. Democratization—For Better and Worse
- Leveling the Playing Field: AI both empowers less-experienced defenders and, worryingly, less-skilled attackers.
- Quote [11:25]:
"If I can automate elements of the kill chain, I can also automate elements of my defense." — Damien Luke
7. The Challenge of Guidance and Feedback
- Human-in-the-Loop: AI in security still requires oversight—interpreting “interesting” data, providing feedback, and refining threat hunting logic.
- Quote [12:18]:
"You have to kind of coach it through and then have it get to a certain point, try again... just like how threat actors can quickly iterate... we can quickly iterate on the hunting side." — Damien Luke
- Analogy: A Million Pragmatic Interns: AI agents are compared to endlessly persistent interns—needing continual feedback and supervision, but capable of tireless, scalable analysis.
- Quote [13:11]:
"I've heard AI described as like a million interns... it's just like an intern who never learns. So you're always having to ask it the same questions." — Tom Uren
Notable Quotes
- On AI adoption by attackers:
"Not just how fast bad guys have figured out how to use AI, but truly the breadth of capabilities..." — Damien Luke [01:16]
- On the dangers of slow defender uptake:
"When it comes to implementing [AI], that's a much scarier prospect..." — Damien Luke [03:13]
- On signs of AI-driven attacks:
"If several files are being downloaded microseconds apart, that's not a human doing that." — Damien Luke [06:13]
- On the role of logging:
"We've become so reliant on our detection systems that we haven't thought to look at the actual data." — Damien Luke [07:44]
- On the limits of SIEMs and Nebuloc's value:
"Every single hunt is event driven... allows people to know in real time exactly what's happening." — Damien Luke [10:25]
- On the "million interns" AI metaphor:
"It's also like a very self-effacing, pragmatic intern. Right. So it'll also look at what it's done, evaluate itself, or you can evaluate it and try and find ways to improve." — Damien Luke [13:39]
Timestamps for Important Segments
- [01:16] Rapid AI adoption among threat actors—scope and examples from Anthropic’s report.
- [03:13] Challenges and slowness of AI adoption on the defense side.
- [05:23] Combining AI with human reasoning in detection.
- [06:13] Detecting automated attacks through behavioral anomalies.
- [07:44] The overlooked power of proactive log analysis.
- [09:04] Current underuse of SIEM tools for real-time defense.
- [10:25] Nebuloc’s solution: continuous, automated threat hunting.
- [12:18] The need for feedback, iteration, and expert guidance in AI-driven hunting.
- [13:11] The “million interns” metaphor and the iterative nature of AI.
Concluding Moments
- Humor and Realism:
"Thanks very much for an interesting conversation that makes me worry about the future of work." — Tom Uren [14:15]
"The future is bright, just different." — Damien Luke [14:24]
Summary
This episode offers an incisive look into how both attackers and defenders are leveraging (or failing to leverage) AI in cybersecurity. Damien Luke drives home the urgent need for defenders to close the technology gap—not by replacing people but by building AI systems guided by human expertise. The takeaway: in a world where attackers automate and scale rapidly, security teams must do the same, with trustworthy, well-orchestrated AI agents that make real-time defense achievable—even for teams without elite resources.
