Podcast Summary: Risky Bulletin – "What it means to be a learning organisation"
Date: March 8, 2026
Host: Tom Uren (A)
Guest: Marco Slaviero, CTO of thinkst (B)
Main Theme
This episode delves into what it means to be a genuine "learning organisation" in cybersecurity, using thinkst's approach as a case study. Tom Uren talks with Marco Slaviero, CTO of thinkst, about the company's commitment to continuous learning, the role of their Labs division, the Thinkscapes research curation, and practical examples of how research translates into both internal development and external product features.
Key Discussion Points & Insights
1. Defining a Learning Organisation
- Core Value, Not Buzzword:
  - thinkst explicitly adopts 'being a learning organisation' as a foundational company value, not just lip service.
  - "It's cheesy to talk about values sometimes, but it genuinely is one of our four values." (B, 00:41)
- Active Implementation:
  - Dedication to this value is demonstrated through investment in Thinkst Labs, a dedicated team driving research and knowledge sharing.
2. Thinkst Labs: Structure & Activities
Thinkscapes: Curated Research Summaries
- What It Is:
  - A quarterly research summary that surveys thousands of cybersecurity talks, blogs, and papers, distilling the most valuable insights.
  - Originally a paid offering, now released for free as a service to the cybersecurity community.
  - "We go through as much as we can, we pull out the bits that we think are interesting and then we publish that as a sort of a service." (B, 01:44)
- Purpose:
  - Thinkst Labs operates as a "cost center": its main goal is learning, not direct revenue generation.
  - Publishes not just original research but also curates others’ work to boost collective knowledge.
Internal Knowledge Development
- Internal Talks & Staff Development:
  - Labs organizes and coaches internal staff talks, helping engineers and newcomers develop presentation and research skills.
  - "For lots of the team, it's the first time that they've done a talk...Labs activities there is coaching folks through building this talk and delivering the talk..." (B, 03:16)
- Building Toward External Contributions:
  - Goal is to develop staff not only for internal skill growth but to enable external speaking and research dissemination.
Experimentation & Technology Exploration
- AI & Knowledge Management:
  - Labs explores new technologies, such as AI for internal knowledge management and tool development.
  - Consolidates disparate knowledge sources (wikis, ticket systems, etc.) into usable interfaces.
- Product Ideation (Proofs of Concept):
  - Labs runs POCs for potential product features, many of which don’t make it to market but still inform direction or result in blog posts.
  - "Labs will often undertake that work and…what happens at the end of the day is we go, actually, this thing doesn't fit into the product..." (B, 05:12)
3. Research as More Than Just Marketing
- Many cybersecurity labs use research mainly to drive marketing and consulting, but thinkst's approach is broader, focusing on internal improvement and genuine contribution.
- "For lots of the more consulting folks, their labs teams are typically there to effectively show how smart they are and then to generate follow on consulting work...we do position ourselves slightly differently." (B, 08:12)
- thinkst draws inspiration from Xerox PARC, striving for impactful research, even if not directly commercial.
- Flexible Research Directions:
  - Labs has the freedom to pursue non-commercial projects, e.g., a staff sabbatical on computer vision that culminated in an academic paper.
4. Translating Research into Products
Recent and Upcoming Features (Canary Tokens)
- Deceptic Acquisition:
  - Acquisition of Deceptic expands Canary token capabilities with CrowdStrike API credential tokens.
  - These credentials are generated within thinkst-owned CrowdStrike tenants, stripped of permissions, and monitored for unauthorized use.
  - "We give you a set of CrowdStrike API credentials and you deploy those somewhere in your network...if those credentials are ever used, we're monitoring them, we'll send you an alert..." (B, 11:14)
- AWS Canary Token Scaling:
  - Previously, AWS token creation was limited (max 5,000 per AWS account).
  - New approach leverages AWS Identity Center, allowing up to 200,000 users/credentials per account.
  - Expands customers' options for deploying lures/detectors across large environments.
  - "We now add in, or we will shortly be adding the IAM Identity centre users, and that will let customers create many more credentials than they were able to do with the API credentials..." (B, 13:19)
Notable Quotes & Moments
- On Living Company Values:
  - “Values are only cheesy if you don’t live up to them.” (A, 01:34)
- The Labs Mentality:
  - “It's a cost center. Like it's not trying to generate revenue and it shouldn't be trying to generate revenue.” (B, 02:40)
- Academic Inspiration:
  - “Xerox PARC, it looms very large in our thinking for the sort of research lab that can do fundamental research and have this huge impact...” (B, 09:12)
- On Product Fit:
  - “There's a great thing here to put into the product, but it's going to require a bunch of these holes to line up...that doesn't fit for how we see Canary. And so then that thing doesn't go into the product.” (B, 05:37)
- On Value of Learning:
  - “We're happy because it gives our own team a place to explore and to stretch themselves, and that's good enough for us.” (B, 09:59)
- Host Summing Up Culture:
  - “I enjoy learning about corporate culture and how people actually make sure that it is a culture rather than just a value stuck on a wall.” (A, 14:21)
Timestamps for Important Segments
- 00:16: Introduction to “learning organisation” concept and Thinkscapes
- 00:41: What being a learning organisation means at thinkst
- 01:44: How Thinkscapes works and its evolution
- 03:16: Internal talks, coaching, and research skill development at thinkst
- 04:26: Exploring new tech, AI, and knowledge management
- 05:12: Product POCs and decision-making process for feature inclusion
- 07:24: Reflections on cybersecurity research as marketing vs genuine contribution
- 09:12: Inspiration from Xerox PARC and non-commercial research directions
- 10:25: Labs’ role in product roadmap (Canary Tokens, Deceptic acquisition)
- 12:16: Technical details about CrowdStrike and AWS canary tokens
- 14:21: Closing thoughts on corporate culture and learning
Episode Takeaways
- thinkst exemplifies what it really means to be a learning organisation: integrating learning deeply into both internal culture and external contributions, valuing knowledge for its own sake, and thoughtfully bridging research and product development.
- The company’s Labs is a space for both focused product innovation and open-ended exploration, a model with outcomes ranging from direct product improvements to personal academic growth for staff.
- Their open approach to sharing research, including curated Thinkscapes, aims to uplift the community as a whole, not just serve as a marketing vehicle.
This episode is a candid, inside look at building a sustainable, curious, and genuinely innovative cybersecurity company.
