Risky Bulletin - Sponsored: Seeing into the Seams
Podcast: Risky Bulletin (Risky Business)
Host: Tom Uren
Guest: Justin Kohler, Chief Product Officer at SpecterOps
Date: January 18, 2026
Episode Overview
This episode features a deep dive into the evolution and practical impact of BloodHound, a cybersecurity tool maintained by SpecterOps, with a focus on its expanding role in attack path management across multiple identity platforms. Tom Uren and Justin Kohler discuss the growing complexity of identity systems, the challenges in managing them, and how BloodHound is adapting to help organizations secure their interconnected digital environments.
Key Discussion Points & Insights
1. The Challenge of Managing Modern Identity Systems
- Complexity of Permissions (00:22)
- Managing permissions across computer systems has become "impossible to manage if you're just people, even when you're following best practice."
- BloodHound was originally built for visibility into privilege escalation paths in Microsoft environments; it is now expanding into new areas and taking a more active remediation role.
2. BloodHound’s Evolution and Expansion
- From AD Focus to Multi-Platform (01:24)
- Originally Microsoft-centric (Active Directory/Azure), BloodHound now targets any system where privileges can be assigned—cloud control planes (AWS, GCP), management tools (Intune, Jamf), and data platforms (Snowflake, GitHub).
- Introduction of Open Graph in August 2025, allowing community-driven extensions—over 30 new platforms now integrated.
"Often it's not what I have access to as my user account, but how does my user account chain into something else? ... That's what real attackers do."
—Justin Kohler [01:31]
3. The Risks of Interconnected Systems
- Identity Chaining Across Services (04:21)
- Chaining privileges across platforms creates new, hard-to-detect vulnerabilities, often because responsibility for different systems is separated among teams.
- Open Graph allows organizations to see these cross-platform attack paths.
- Community vs. Enterprise Extensions (02:59, 04:44)
- Community-built extensions are available open-source and are "without warranty."
- SpecterOps is validating and supporting a subset for enterprise use, ensuring reliability and accuracy.
- Example Vulnerability Path (05:40)
- A real-world engagement: attackers moved from GitHub (via a CI/CD pipeline) to AWS accounts, despite "correct" configs in isolation. The interconnection was only obvious with holistic visibility.
"Individually you can think you're making really good configurations. Looking at them in totality is when you realize you did something wrong."
—Justin Kohler [06:30]
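The GitHub-to-AWS chain described above, and the Open Graph point that such chains only show up when platforms are viewed together, can be illustrated with a small graph search. This is an added example, not BloodHound's or SpecterOps' code: the platforms, principals and edge relations are constructed, and the search is a plain breadth-first traversal over privilege edges. It shows that each team's single-platform view finds no path from a developer account to the production AWS account, while the combined graph does, which is the finding a defender would want to hand to the owning teams for remediation.

```python
from collections import deque

# Constructed cross-platform privilege graph (illustrative; not BloodHound data).
# Nodes are "<platform>:<principal>"; edge (src, dst, rel) means src can act on dst via rel.
EDGES = [
    ("github:dev-alice",       "github:repo-payments", "can_push"),
    ("github:repo-payments",   "cicd:deploy-workflow", "triggers"),
    ("cicd:deploy-workflow",   "aws:role-deployer",    "assumes_via_oidc"),
    ("aws:role-deployer",      "aws:account-prod",     "admin_of"),
    # Unrelated edges: each of these platforms looks fine viewed on its own.
    ("ad:user-bob",            "ad:group-helpdesk",    "member_of"),
    ("ad:group-helpdesk",      "ad:ws-042",            "local_admin"),
    ("snowflake:role-analyst", "snowflake:db-sales",   "select_on"),
]


def platform_of(node):
    """Platform prefix of a node name, e.g. 'aws' for 'aws:role-deployer'."""
    return node.split(":", 1)[0]


def build_graph(edges):
    """Adjacency list: node -> [(neighbour, relation), ...]."""
    graph = {}
    for src, dst, rel in edges:
        graph.setdefault(src, []).append((dst, rel))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, source, target):
    """Breadth-first search for the shortest privilege chain from source to target.

    Returns [(node, relation_used_to_reach_node), ...] starting at source
    (whose relation is None), or None when no chain exists.
    """
    if source not in graph or target not in graph:
        return None
    parents = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            path, cur = [], target
            while cur is not None:
                prev = parents[cur]
                path.append((cur, prev[1] if prev else None))
                cur = prev[0] if prev else None
            return path[::-1]
        for nxt, rel in graph[node]:
            if nxt not in parents:
                parents[nxt] = (node, rel)
                queue.append(nxt)
    return None


def platforms_crossed(path):
    """Ordered, de-duplicated list of platforms a path passes through."""
    seen = []
    for node, _ in path:
        p = platform_of(node)
        if p not in seen:
            seen.append(p)
    return seen


def platform_view(edges, platform):
    """The edges a single team sees when it only looks at its own platform."""
    return [e for e in edges if platform_of(e[0]) == platform and platform_of(e[1]) == platform]


def render(path):
    """'a -[rel]-> b -[rel]-> c' form for reporting."""
    out = path[0][0]
    for node, rel in path[1:]:
        out += f" -[{rel}]-> {node}"
    return out


def cross_platform_findings(edges, sources, targets):
    """Chains from any source to any target that span more than one platform.

    Single-platform chains are left out: per-platform reviews already catch
    those. The cross-platform ones are the seams the episode describes.
    """
    graph = build_graph(edges)
    findings = []
    for src in sources:
        for dst in targets:
            path = shortest_path(graph, src, dst)
            if path and len(platforms_crossed(path)) > 1:
                findings.append({"source": src, "target": dst,
                                 "platforms": platforms_crossed(path),
                                 "chain": render(path)})
    return findings


if __name__ == "__main__":
    sources = ["github:dev-alice", "ad:user-bob", "snowflake:role-analyst"]
    targets = ["aws:account-prod", "ad:ws-042"]
    for f in cross_platform_findings(EDGES, sources, targets):
        print(f"{' -> '.join(f['platforms'])}: {f['chain']}")
    # The GitHub team's own view never reaches AWS at all:
    print(shortest_path(build_graph(platform_view(EDGES, "github")),
                        "github:dev-alice", "aws:account-prod"))
```

Run stand-alone it reports one cross-platform chain (github -> cicd -> aws) and `None` for the GitHub-only view. The AD helpdesk path is found too, but stays out of the findings because it never leaves one platform; that filter is the design choice worth noting, since it keeps the report focused on the chains that no single team's review would have produced.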
4. The Salesforce OAuth Breach Parallels
- Detecting Modern Attack Chains (07:12)
- Similar patterns in high-profile breaches (e.g., Salesforce via OAuth tokens)—compromises span multiple platforms.
- BloodHound could detect such chains today if visibility is available.
"If we had visibility over it...we could detect that."
—Justin Kohler [07:32]
5. Best Practices and Organizational Evolution
- Best Practice Limitations (08:01)
- Security teams can't rely on isolated best practices; they must analyze privileges and exposures across their whole ecosystem.
- BloodHound automates discovery of privilege chains that previously required manual pen-testing expertise.
- Customer Trends (09:01)
- Organizations are increasingly interested in expanding security visibility beyond Active Directory to all identity platforms.
- Demand has driven the move toward Open Graph and model extensibility.
- ETAC Feature (09:15)
- Launch of Environment Targeted Access Control (ETAC)—scoped visibility and access management by domain/platform.
- Supports use cases like M&A (segregated access for acquired companies) and admin delegation for specialized platforms (e.g., Snowflake).
6. Reducing the Expertise/Resource Barrier
- BloodHound Sentry Service (10:23)
- Announced identity risk reduction service, combining product with expert support—assistance with deployment, configuration, and attack path remediation.
- Helps clients who lack time or deep expertise to safely reduce privilege risks.
"A lot of people want to say, 'well, I don't want to take my application offline because you removed something.' That's kind of a terrifying scenario. So our expertise can walk you through all of that."
—Justin Kohler [11:25]
7. On-Premises Deployment Support
- Responding to Financial and Government Sector Needs (12:31)
- BloodHound now supports full on-premises deployment, addressing regulatory constraints in defense and finance sectors.
- Early focus on SaaS streamlined development, but customer requirements have driven support for both options.
"Customers in highly regulated environments, or especially like defense organizations, cannot use a cloud backend no matter who it is or where it's hosted...So now we can support on prem deployments of Bloodhound."
—Justin Kohler [13:08]
Notable Quotes & Memorable Moments
- On the Nature of Privilege Management
"It's not that we're uncovering more...the connections have always been in place. Developers make identity assumptions in isolation, but in totality it could be pretty bad."
—Justin Kohler [08:01]
- Analogy for Security Teams
"It's like the Red Queen in Alice—you’re running very, very hard to stay still."
—Tom Uren [07:40]
- BloodHound’s Real-World Impact
"Those ways that we connect identities, we can do that now with Bloodhound. So we discover it on an engagement and then we pump it back into Bloodhound."
—Justin Kohler [08:45]
- On the Changing Product Roadmap
"For years I told my CEO flat out that we would never do it, but now we are...support on prem deployments of Bloodhound."
—Justin Kohler [12:31]
Important Timestamps
- 00:22 – Introduction to the challenge of managing modern permissions
- 01:24–02:49 – BloodHound’s expansion from Active Directory to other platforms; Open Graph and extension model
- 05:40–07:12 – Real-world cross-platform breach example; parallels with Salesforce OAuth breach
- 09:15–10:20 – Organizational adaptation, ETAC and Open Graph impact
- 10:23–11:41 – Introduction of BloodHound Sentry expert assistance service
- 12:31–13:29 – Rationale and customer demand for on-prem support
Tone & Takeaway
The conversation is candid and practical, highlighting the reality that complexity in identity systems is a universal issue—no single team or best practice can keep pace alone. BloodHound aims to be the connective tissue revealing these hidden seams, while SpecterOps continues to evolve both the tool and its surrounding services to keep up with real-world organizational demands and constraints.
Summary in a Sentence:
BloodHound’s journey reflects the industry's need for comprehensive, cross-platform visibility in identity management, moving from detection to remediation and support, while responding to increasing complexity and diverse customer requirements.
