Loading summary
A
Foreign. And welcome to this soapbox edition of the Risky Business Podcast. My name is Patrick Gray. For those of you who don't know each edition of the Soapbox podcast here at Risky Business Media, it's sponsored, it's always sponsored. And that means everyone you hear in a soapbox edition of the show paid to be here. And as a further disclosure, today we're chatting with Damian Luke, who is the chief executive and founder of Nebula, which is a company that I also serve as an advisor to, which means that I do have a teeny, teeny share options package in the company. So, yes, Damien, smart dude. He has worked at CrowdStrike, he's worked at Palo Alto Networks, he worked at Arctic Wolf. So he's worked in the EDR and MDR space for quite a long time. He even worked in the defense industrial base, like straight out of college. And yeah, so he's had a front row seat to all sorts of carnage over the last decade plus, and that means he's had a bunch of opinions and ideas on what sort of security technology we all should be building. So the original pitch for Nebula was AI threat hunting, right? Which is you can leverage agentic AI, collect a bunch of data, and then send these agents out doing hunts. And, you know, Nebulox still does that, but I guess the pitch has broadened now at customer request. You still start with these sort of hypothesized threat hunts, but then you can do stuff like build detections based on what you find. You know, Nebula sort of become a tool that's very handy for detection teams. And it's also just a great platform for asking questions of. And a big part of the reason that it's useful for doing that, as you'll hear, is because Damian and his team have really done a lot of work building a really cool graph out of the data that Nebula collects. So, I mean, that's really what this interview is about. Like, to what degree is security a data problem? And if it is a data problem, how do you solve that? And if you're going to use something like a graph, do you want to build that graph to be optimized for human consumption? Where we've got, you know, seems these days where we try to flatten everything for human consumption, but now we're sort of throwing agents at a problem where we flattened it for human consumption. So that doesn't seem quite right. So do we now start. Have to, you know, should we now not be flattening things so that agents can use them a little bit better? It's that sort of conversation, right? It's one for the security nerds. Nerd. So I'll drop you in here where Damien is giving a one minute pitch just on what Nebula is to help frame the conversation. So here is Damian Lukey from Nebula. Enjoy.
B
We're a hunt for security operations platform, right? Like everything is still hunt first. We still start with the like unknown unknowns, hypothesis based hunting, right? We use intelligence we infer based on what we know in your environment and we drive the hunt. But the idea is like hunts should have outputs and those outputs become detection. So ultimately like the pitch really is. Look, you've got a brilliant group of folks. You've made a ton of investment in security breaches happen because of low no signal events. We're going to find those, but we're not just going to find those, we're going to translate those ideas. Even if you don't find something into detections and you can run them in Nebula, you can run them in your sim, like wherever you run detections is fine by us, right? But the whole idea is that you should have this continuous analytical layer that's being built over time. Everybody's curious about what's running in their environment. Everybody knows that there are always things that we might, you know, that would be good to know and good to find and then the real value is, okay, great. And now instead of, you know, JIRA tickets and two week sprints, I can write detections test and validate them in you know, three minutes and they capture intent and behavior instead of we need to make sure that we wrote the SIM correlation rule the right way. So that's really been the pitch.
A
Look, that's a really succinct pitch and I thank you for that and the listeners thank you for that, for keeping that down to like a minute. But one thing I wanted to ask you about is like, you know, very early on in Nebula, it was all about finger guns, AI threat hunting. Right? Like that was the whole thing. It's a threat hunting agentic platform. Pew, pew. But nowhere in the pitch just then, you know, did you mention AI. Despite the fact that I know this, you know, you're still very much an AI forward company. So I'm just saying it's interesting. It's not the primary message anymore, it's the primary hook in the message. So like maybe you could tell us why that is.
B
One of the key lessons that we learned was again understanding what an agent is and is not good at. So a lot's been learned since the Seed round. The real unlock for us was making the shift from agentic threat hunting, which was great. It was all about like behavioral hypotheses, understanding behavior, using that to surface what might have been missed by your existing systems and then translating that more to the problem of. And this is something our customers really helped us with is the age old question of, okay, great, so like I've run a threat hunt and you know, maybe I found something or I didn't. How do I keep that information? How do I take those lessons learned? The more we thought about it, the more we dug into it, we were like, well, we're writing detections within our platform. What if we expose that to customers? So you had this hunt piece and detection piece and really the underlying mechanism that united it. It's kind of funny, we'd had it all along was a graph.
A
That was going to be my next question, which is like, what so you plot, you know, are you yet one more like Splunk Extens or Splunk Plugin or, you know, how does this work? And it sounds like, no, you're actually building your own sort of data structure here and turning it into a graph. And like that's, that's kind of the approach you've gone with 100%.
B
Right. I think the term now would be like context engine or context graph if you want to go big. But context engine is the truer technical term. But yeah, we built a graph and then that graph is something that the agents can access and reference. So they can walk the graph and look at different identities tied to different hosts and different service accounts tied to an identity and ultimately be like, hey, wait a minute, is Damian in accounting actually who he says he is, or is it his openclaw agent that's, you know, accessing critical infrastructure when it shouldn't? That was a really key unlock for us, was just uniting those together and having data structure. Owning that. Building the graph was just really helpful. And that was a big shift for us.
A
Right.
B
Evolving beyond the initial hypothesis and really realizing that we could scale beyond that. And when I say like hunt for security operations, really what it is, is like if you think of threat hunting, you know, that is a traditionally ad hoc workflow. We want to make it continuous. But ultimately good hunting should inform good detections and good incident response. And that's really what we're driving towards as a, as a company.
A
So I mean, is the idea here, right, that you think you can be the detection stack or are you trying to complement the detection stack?
B
I think to start really, we want to compliment the existing investments people have made. But eventually, yes, I would love to own the detection stack, but that is a journey and I think it's disingenuous of a company to come out, raise a series A and say, yep, you don't need all the things that you had before. Rather like there's a world where you can start to build better, more accurate, more performant detections in Nebula. And provided we continue to grow, earn the trust of our customers and do our jobs, eventually, yes, that's, that's what we'd like to do. But that takes time and that takes trust.
A
Well, yeah, yeah. I mean, it's funny, right, because your background is in ADR and then MDR and building a sort of platform where you're like, okay, well we started off doing AI threat hunt, now we're just going to build a graph and let agents crawl all over it and do everything with it and eventually own the detection stack. Is exactly what happens when you give someone who worked in MDR a bunch of money and say, go, go, do right. Like, I mean, this is like, I'm guessing a lot of what you're doing now is informed by that sort of experience. And I think, you know, everyone I know who worked in MDR has been proud of what they've been able to achieve, but also frustrated with what they can't achieve given the gaps in tooling that we all suffer from. Right.
B
I mean, you said it well, Patrick. I think the, the one piece in my background that's not covered is like I began as an operator in the dip. So like when you deal with nation state cyber defense as your first job out of uni, that changes you. And then you join an EDR company and then you go to an mdr. I think a lot of folks end up being inspired by that first order problem. And that's really what we're trying to solve, which is how do you solve for the problem reach. Because in an mdr, when you integrate with the smorgasbord of solutions that are out there, you actually see like,
A
some
B
are very good, but they're really good in their specific niche. And when you try to take a more holistic approach to like, how do you look at risk management and resilience for an enterprise, like, that's a much bigger problem. And like no one solution, no one EDR or IM or CSPM solves for that. And I think we live in a world where it's really easy to believe that if I buy the right tool, I Am resilient when in fact no tool. And this is why we all do telemetry logging so you can search. It is perfect. So I think that's why a lot of us MDR folks get inspired by that is because we've seen the systems problem of, of. Of breach prevention at scale.
A
Yeah. And I mean, this isn't a prevention product, but if you wanted to build, you know, so much of security these days. Right. Detection, hunting and whatever, it is just a data problem.
B
Yes.
A
Right. And so the solution to that is going to be something along. I mean, you know, you, you've been a listener to the show for a long time and you've heard me say this for a long time that like detection and response and you know, threat hunt and all of that sort of stuff, eventually it's got to collapse because all of it, I mean, I guess response is a bit different, but you know, detection and, you know, threat hunt is. And we've talked about this, you and I. Right?
B
Yeah.
A
It's kind of the same thing, just at different speeds. So eventually you would think all of this is going to collapse into one thing, like, for example, a giant graph database. And I'm not, you know, I'm not sitting here with my hand on my heart saying, yes, Nebula has solved the detection problem by building a giant graph that could do, you know, like, obviously I'm not saying that, but like, you know, that. I guess I agree with you that the solution, long term, that's what it's going to look like. It's going to look more like that and less like Splunk and less like, you know, Google Cloud Cloud Splunk and Microsoft Cloud Splunk. Right. Which is everybody's thing. And it's going to be more like a graph with agents crawling all over it and answering questions. I mean, you know, this is where we got to go, right?
B
Yeah. I couldn't agree with you more on the security being a data problem. And that also goes back to the whole, like, I have these 18 widgets and they all tell me they solve this very specific problem in my organization. And the great thing is they all have different schemas. And then I try and put it into a sim and that has six different case types for event id. It just is such a challenge. And I completely agree. That was actually the core realization and first real play that we figured out again pre and really after the seed with the investment was like, oh, we have to build the underlying schema and do normalization. Because I can only, like, you cannot Build a good graph if you don't have consistent data structures, you cannot do streaming detections if you don't normalize the data. And there are really efficient ways to do it. But if you don't solve the data problem, what use are your analytics? Your queries will break, like, nothing will work. So I completely agree with you, Patrick. Completely agree.
A
Now, look, I think one thing that's, you know, we've sort of talked a little bit about AI and then we've sort of talked about the data problem and building a graph, right? And trying to, you know, normalize data to an extent to get it in there. But I also think that, like, once you've built this graph, right, where you've got all of this information about devices and identities and events and traffic and things that have happened, and you put that all in one place, I mean, that's more useful in the AI age, right? So that's the thing, right? Like what you build now is different because of what you can do agentically?
B
Yes.
A
Like, do you agree with that? That like, this graph is probably more viable, you know, as a product because of what you can do with once you get agents crawling all over it. And indeed, building it is easier now because you were just talking about how you got to normalize the data going in there and like, figure it all out properly. I mean, AI is pretty good at like building you a script to do that, for example. So, like, you know, as much as we're talking about how the exciting thing here is to do something not really AI related in terms of building this graph, it still kind of is AI related because the graph is more useful now and easier to build thanks to AI.
B
Well, I would posit the graph is different because of AI. The nice thing is really what's fundamentally changed, in my opinion is like back in the day, well, you had tables and a SQL database, then you had graphs. But ultimately the humans still had to walk the graph. And these graphs can get really.
A
Well, that's what I mean. They're going to get really complicated and a human's going to look at it and just go, man, I don't know what to do with this. I can't even understand this. Whereas an agent doesn't have these concerns, it'll just randomly stumble around until it finds something interesting.
B
Correct. Now, honestly, and this is the nuance, right? It's like you now have this agentic layer on top of it that you can build. Ideally, you want to have the agent manage enough context and understand the graph well enough to not go on a wild goose chase and burn a million tokens to try and figure out, hey, did Damien Lukey log in at 9am Eastern? So that's also part of the learnings. When you have agents working with the graph, I think the real unlock, because it's funny going back to graphs 5, 10 years ago, that's not true. 10, 15 years ago. Let's think about like OG CrowdStrike, carbon black silence folks that were building graphs. The graph was the first step. The real unlock was. And I'm biased because I saw what we did at CrowdStrike with the threat graph. The real unlock was not, hey, can I use the technology? But rather like, what do I enrich the graph with? You know, when you have a Falcon Overwatch or nation state threat intelligence and you use that to enrich the graph, that's what really builds compounding value. So one of the things that.
A
Well, yeah, I mean, you take your CrowdStrike data and then you throw some Corelight data at it and all of a sudden you know, it's more than the sum of its parts, right? It's like 10 times more useful.
B
Well, and that I think, you know, just in general, for folks who are looking at messing around with graphs, I think the big question you have to ask yourself is like, okay, great, I can use a graph and that's really efficient. But like, what other enrichment sources can I use? And am I thinking about what those enrichment sources would look like to an agent? So when the agent engages with the graph and the different nodes on it and the edges, it's got to traverse. Can it make sense of that so it can go back to Patrick or Damien and go, that's funny, man.
A
It's like designing to make something user friendly where the user is not human.
B
Yeah, it's. I don't know, I heard someone say this, and I think it's true to an extent. Right? Like, we have a new hybrid workforce and it's not hybrid. Like sometimes in the office and I'm at home, it's like, I have humans and I have agents. And we now have to figure out a way to, to get the agents to understand things so that we can use them more effectively and vice versa. Which is interesting, right? You know, if you told me 10 years ago that we'd be trying to figure out this problem, I'd be surprised. But here we are.
A
So look, look, look, look. So here we are, right? So we've got to the part of the discussion where we're like, okay, let's stop and see where we are, right. And you've come along, you know, AI threat hunting, original proposition, and now you're like, well, we're just going to build a giant graph and like do a lot more with it and let agents do stuff with that and let humans do stuff with, you know, with that. So all of a sudden we've gone from something very niche to okay, well we're going to build a graph for everything and solve a whole bunch of different problems. I mean, this is a pretty drastic expansion in scope, don't you think Damian?
B
It is. I think one of the key things was figuring out how to build the right graph. So you know, the way that we build our graphs is we build context graphs per enterprise that we work with. Really the problem that the graph is trying to solve is can I build a behavioral system of record for the enterprise that I work with and then the agents know how to work with that graph. Whereas the temptation originally was Patrick. And when you're like, oh yeah, like this big graph, the temptation originally was can I just like build the world's greatest graph database and take, you know, billions of events and put it all in? That was another thing when trying to figure out what AI is and isn't good at. Like trying to have it run on a hypergraph or like a really, really big graph database was not efficient. The real value was building graphs per customer. And those graphs are, they break down, don't they?
A
They just like, those things get to a certain size.
B
They just like, eh, you know, they do. And it's not the fault of the agent really. I think a lot of the times you run into agentic problems, it's, you know, a layer eight error. It's because we tried to give it a problem that was too big for it to solve. You know, the context window is only so big and you keep asking it questions and it's traversing something huge. It just becomes unmanageable.
A
I mean it either falls over or just starts spouting absolute nonsense. Right. It's kind of funny what happens to them when you push them too far. They just get real stupid.
B
To be fair, I think we humans can also, if you give us too much all at once, we don't sound the best either. But it's been interesting. Right? One of the core things though, when it goes back to why you build a graph is fundamentally what's the problem you're trying to solve. For us with AI threat hunting, the idea was always behavior and behavior was all about relationships. So the best way to model relationships with behavior was a graph. So it worked for the problem that we solve. And then, yes, you're right. Like as we expand with this context graph, as we expand into detection, like it's opened up a whole bunch of new use cases with the same core technology, which is really exciting because we're, we're doing more all on the same platform.
A
This was always the thing with the threat hunting stuff, right, like, that you initially pitched the company with. And I'm thinking, look, AI threat hunting, that's really cool. You know, you can go and ask a bunch of questions or whatever, but it's like, you know, I'm a car person, right? I'm a car person. And if you're going to pull the engine out of a car just to replace like one part while you're in there, you may as well do a bunch of other stuff. Replace a bunch of seals, replace a bunch of parts that commonly, commonly fail once you've done all of that work to get the engine out of the car. And I think when you're building a software platform that can do AI threat hunting, once you've brought all of that data into one place, like while you're there. Yeah, you know, I think it's like having the engine out of the car, like while you're there, there's probably a lot more that you can, that you can do there. So I've always seen that, that opportunity to do more. And indeed, you know, you've been steered by some of your customers in terms of what they want while that data is there. And it's like not even necessarily security use cases. Like a lot of what they're looking for is maybe like weird software in their environment that shouldn't be there, or people accessing AI services that they shouldn't access. And just that sort of governance piece has actually been surprisingly in demand for you, right?
B
Oh, yeah. I mean, we've seen a tremendous amount of demand around shadow AI. We, because again, we focus on behavior, have gotten really good at insider risk detection. Now there's a fun philosophical discussion that I always like to have, which is technically a successful threat actor who gets creds and logs in. And Damien in accounting, who's, you know, trying to download corporate secrets to his desktop to, you know, exfil. They're both insiders, but yes, we've definitely played into that. And I think it's really indicative of two core problems. One is like security is being asked to do a lot more than they were traditionally because the world is changing. So Fast and people suddenly go like, oh, that looks like it's a governance problem, but it's a data problem, therefore it's now the CISOS problem. And for us, what we figured out pretty early on was actually you have a strong edr and especially if you get any sort of network telemetry, you see a whole lot of stuff and then it's just a question of classification. And then once you have strong classifiers, handing that off to an agent to say, yep, this is indeed a shadow AI use case because of reasons xyz. So yeah, it's been interesting to see that shift soapbox moment though. AI versus traditional signal extraction. I think a core piece though was not to just say like, here are a bunch of command line arguments, search the table. But rather we realized if you want to define what shadow versus legitimate AI was, you needed to build decent heuristics and eventually models that would tell you what a person versus an AI would do. And then if that AI were writing commands, when was it going too far versus doing something that's seems weird, but totally cool. And that, my friend, was honestly, there was a learning curve with that. You can't solve it right the first time.
A
But I think it's interesting because there's so many ways to do like the shadow AI thing, right. When people are using it via a browser. Like one of the wonderful ways to solve for that is to use like some of these browser plugin based products.
B
Yep.
A
You know, push security comes to mind. They're another decibel, you know, portfolio company like you guys are. And you know, but the point, I think that's the point, right. When you've got all of that EDR data, you got data from everywhere, Right. And you're throwing it into that graph. And that's my point about, hey, threat hunting is great, but like why have you got the engine out of the car? You know, maybe we want to replace this part that fails at, you know, 100,000 miles. You know, the car's got 80,000 miles on it. We've got the engine out of the car. Let's, you know, let's replace that part. But then I'm, I guess, you know, you've obviously got a lot more ambitious with this thing and you're saying, well, you know, eventually we want to turn it into a, you know, detection and threat response unigraph that can do everything. I guess I'm wondering like, take me on that journey to how you get to that endpoint, you know, from where you are now, like, what's what's next? You know, because you got the threat hunt piece, you've got the informing detection piece, but you're not quite the detection stack. How do you go from here? Like what are you replacing? What are you displacing? How does that work?
B
Yeah, so I mean fundamentally going back to first principles. So if you do behavioral threat hunting, you find either an instant or you build a detection. Now hunting is typically defined by analytics that you write I ascribe to the school of continuous hunting. There are different triggers, different kinds of behaviors that I should always be monitoring. Not all of them are bad, but it's useful to know when who am I runs on a Windows system or it's useful to know when someone's doing SSH port forwarding or port 3389 is open the real drive. If you think about what behavioral detections, both event based. So if I do a behavioral detection for a Mac OS device or a Linux box versus a correlation rule which is like I look for multi events on one system or different events across identity, cloud, endpoint, network, you name it, ultimately build analytics, right? Like that's really what you start to build is like an analytical layer on top of that. So you know, I describe what we do as like hunt for security operations. If I were to use the term that's that's on our website. It's a contextual security analytics platform. Really the idea is you build these analytics, like if you hunt, if you're constantly looking for abnormal behavior and convicting that and attributing it, you build these really strong analytics. These analytics end up being really robust detections.
A
Can you give us an example there though, like a concrete example of what sort of detection you wind up with?
B
So one is a really interesting password manager analytic that we wrote. It was driven off of a hunt. So basically the hypothesis was we were looking for password manager compromise and there were different kinds of behaviors that you would look for. If a password manager was compromised, you'd see vault files on an endpoint accessed, but you would miss credentials being used in identity, so you'd need that. And then if you wanted to see from the cloud side the identity and different service accounts that it might be using once it had compromised the password manager, like those all in isolation, A, like live in their respective data silos and B, you can build each of these detections but like, okay, is it useful if I see a vault file? So the analytic that we wrote was we were able to go, okay, we see like multiple credentials being used across different service accounts after vault files are accessed on an endpoint. So that's like one example that's really cool.
A
And it's okay. So we're all able to sit down, right, as people who know a bit about security and think of these sort of sequenced stateful patterns that turn into really actually quite high quality detections. The problem is always where to put them. Like how do you actually get that detection to run in a typical detection stack? Where does it. Is that in the seam? Can you even instrument that easily in the seam? Or are these detections that you are actually now running in your platform?
B
So you run them in our platform. So you'd run them. I mean that's a correlation rule. You need many events to happen. But we have like a streaming detections pipeline so as the events come through we'd see it.
A
Because I think, I think all of the same people are like, oh yeah, you can correlate so much. You can correlate so many things in this bad boy, you know, seems to be the thing. But I mean it gets, it kind of falls over after a bit. Right. Like it gets, it's just too hard and you need to be pulling in too much and then these scene bills going to the moon and like it just gets hot.
B
Yeah. And you know, like the pipe character was wrong. So you actually are searching for the wrong thing the whole time. No, the other piece. And it's interesting, this is like a whole other topic. But detection, drift monitoring is another core piece that we look at. Right. Like analytics are good, but like environments evolve. So you also want to be continuously monitoring these analytics being like, hey, are they performing? Like, are they working as they should? Which is why like whenever you create detections in Nebula, like we require test against production data. So you don't just like throw something at data. Being like, this should be good because there's a big difference between like a query that you run on a backend and a correlation rule that's battle tested. And that was a really key piece you asked about what we replaced though. Patrick and I just want to make sure we touch on that.
A
Well, because by the sounds of things, these detections that you're doing the logical place, like if one of these correlation based detections fires, the obvious thing you would do is like kick that out, I guess either into slack or into a seam or whatever. But I'm guessing like what are most people doing into the seam, into the
B
seam and into slack. We've also exposed APIs so you can like hunt and do A bunch of stuff just via API in Nebulock, which is great, but we are this very organic layer that kind of sits atop or alongside the seam now.
A
Now we get to the question about what do you replace?
B
Yeah, so I mean like we're on
A
the topic of seams.
B
Seeing as we're on the topic of seams, you know, for folks that want like a really direct analytics platform that like is able to log key telemetry pieces that matter when it comes to security, we're perfect on a replacement piece. We're really good at the like insider risk, insider threat. I don't want to say ueba, but you know those analytic platforms that were false positive holes and have large costs in terms of rent space for security operations teams, but are required at times. That's been a very organic replacement motion for us. The thing that is missing from all of those is a Z score on top of an analytic. Telling you that something is a critical, in my opinion is not going to cut it in this dynamic threat environment. You need something that's pragmatic, that reasons on top of it, that understands context and that's what we do. So that's really what we're replacing right now. But then there's a whole component around efficacy. We've been able to help teams, security teams of four people do things that they never could before because now they have this like hunting and detections Iron man suit that they can run alongside and like plays nicely with the other tools that they have.
A
So right now, I mean, you know that that's the efficiency use case, right? Getting that team of four people to be able to do more.
B
Yes.
A
You know, I mean it sounds like you're not gunning for the SIEM world. Right? Like you want to be the siem, which makes sense, but you do sort of wonder and I'd love to hear your thoughts on this. You know, even if this is not the market that you want to eat, someone's going to eat it. Right? Like you, surely. I just feel like seams at this point are just outdated tech. You know, like we've got these things trying to do what they can to produce a human readable result and even that is breaking down because there's too many alerts, there's too much to process. So now we've got this situation where we're getting agentic platforms to consume the output of something that already simplified things for humans. And then we're, you know, getting an agentic analysis of that to do SOC triage. It just seems like the whole thing is ridiculous. And eventually what's going to make more sense is to have something a bit more three dimensional being analyzed by, you know, AI developed rules, if not directly by LLMs. And you know, that's, that's just going to give us just better results. Fewer, fewer false positives, better results. I mean, is that where you see this going? Right? Because you are playing in this space. You've come from the EDR world, you've come from the MDR world, and now you're doing some applied technology here. You're building a graph, you're seeing what's possible. Is that where we're heading? Because it's where I think we're heading. And look, it's long term. I'm not saying like Splunk is still going to be around in 15 years, right? Like, we can't escape that. But I think for Greenfield's businesses in five, 10 years from now, you know, their detection stack is going to look radically different to what's in place now.
B
No, Patrick, I completely agree. I think the SIM is. We understand it will just not be able to deal with the load like before. We think about threat actors that move at machine speed. Like, let's think about the amount.
A
We're already there.
B
Yeah, we're already there. Well, and you're also dealing with like exponential amounts of exhaust from agents that you have to log. Like, where is this all gonna go? How is this gonna work with a system that's already broken? So you see what I mean?
A
Like, we're flattening all of this data into like human readable. Yes, but there's too much of it, so the humans can't read it. So then we, you know, we're saying, hey, agents, can you go grab this stuff that we've flattened into human? Like, it just doesn't make sense. Sense. It just seems if you were designing detection from scratch, it wouldn't look like what it looks like now.
B
No. And I think, you know, you. Because different players, like, we're in this. I think we're in this very interesting transition moment where I agree with everything you say, Patrick. But also, like, detection doesn't really have a single home. Like, I talk to most customers and they say we run detections in our simulation. And then I'm like, do you do. Okay, but where do you run? Like these endpoint detections? And they're like, oh, in our edr.
A
Great.
B
Two homes. Right.
A
But I think more and more it doesn't matter because of agents, because an agent is going to be really good at saying, well, I need a bit of context from this system over here. I'm just going to go grab it. And an agent's going to say, you know what? I'm regularly grabbing context from over here. Maybe we should pull that into the graph, the make life easier graph. You know, I think at that point the graph is the make life easier tool for the people, for the agents. And it can be informed. Like, what goes into the graph can be informed by the people and the agents. You know, but you're right, like, it doesn't. It doesn't need to be in one place anymore.
B
No, I think, like, this concept of data gravity, like, is not what it need, what it used to be before. You do need, like a centralized operating core. Right. This graph, this idea of a place where agents can go, that does exist. So it's this interesting combination of, like, a centralized place of intelligence. But also we don't need to backhaul our salesforce logs and store them for two years. Right. Like, that world is gone, should be gone. We don't need to do that anymore. I completely agree. So it's like centralized intelligence with data where it's supposed to be, which builds a really interesting, flexible way that ultimately allows this, like, human plus agentic, this hybrid future to happen. The real trick is figuring out how to make the right graph, how to make it good. Data normalization. And I'm biased, but I think that's something that we've done an excellent job at because I've hired people smarter than me, Patrick. They've really helped along this path.
A
It's always a good idea.
B
Yeah. If I was the smartest person in the room, we'd be in trouble.
A
I know that feeling well, running this company, but, Damian, Luke, you are building a monster. It is awesome. Thank you so much for joining us to talk through all of that in light of your wonderful, you know, Series A announcement. I can't wait to see what this thing turns into over the next couple of years. It was great to see you, my friend.
B
Right back at you, my friend. Appreciate it. We're just getting started. Thank you.
Date: July 8, 2026
Host: Patrick Gray
Guest: Damian Lukey, CEO and Founder of Nebula
In this Soap Box edition of Risky Business, Patrick Gray chats with Damian Lukey, the CEO and founder of Nebula, a company specializing in security operations driven by AI-powered threat hunting and detection. Damian brings perspective from his extensive experience in the EDR and MDR sectors at CrowdStrike, Palo Alto Networks, and Arctic Wolf. The discussion centers on how threat hunting, data normalization, and graph-based architectures are redefining detection in modern security operations, the essential role of agentic AI, and the future of SIEM (Security Information and Event Management) platforms.
(Timestamps below reference the start of each major segment.)
[02:42]
“You still start with these hypothesized threat hunts, but then you can do stuff like build detections based on what you find… instead of JIRA tickets and two-week sprints, I can write detections, test and validate them in, you know, three minutes, and they capture intent and behavior…”
— Damian Lukey [02:42]
[03:53 – 05:55]
“We built a graph, and then that graph is something that the agents can access and reference... that was a really key unlock for us...”
— Damian Lukey [05:55]
[09:59 – 12:10]
“If you don’t solve the data problem, what use are your analytics? Your queries will break, like, nothing will work.”
— Damian Lukey [11:09]
[12:42 – 15:13]
“You now have this agentic layer… that can build context and understand the graph well enough to not go on a wild goose chase and burn a million tokens…”
— Damian Lukey [13:58]
[16:48 – 18:47]
“Those things get to a certain size… it's not the fault of the agent... It’s a layer eight error. It’s because we tried to give it a problem that was too big…”
— Damian Lukey [17:31]
[18:47 – 22:09]
“Security is being asked to do a lot more than they were traditionally because the world is changing so fast… It's now the CISO’s problem.”
— Damian Lukey [20:06]
[23:26 – 26:11]
“If you hunt, if you’re constantly looking for abnormal behavior and convicting that and attributing it, you build these really strong analytics. These analytics end up being really robust detections.”
— Damian Lukey [24:53]
[26:41 – 29:53]
“The thing that is missing from all of those is a Z score on top of an analytic. Telling you that something is a critical, in my opinion, is not going to cut it in this dynamic threat environment.”
— Damian Lukey [28:37]
[30:01 – 34:33]
“If you were designing detection from scratch, it wouldn’t look like what it looks like now.”
— Patrick Gray [32:11]
“Detection doesn’t really have a single home... I think, like, this concept of data gravity… is not what it used to be before. You do need, like, a centralized operating core. Right? This graph, this idea of a place where agents can go, that does exist.”
— Damian Lukey [33:00 & 33:31]
“We have a new hybrid workforce and it’s not hybrid like sometimes in the office and sometimes at home; it’s like, I have humans and I have agents.”
— Damian Lukey [15:42]
“Analytic platforms that were false positive holes and have large costs in terms of rent space for security operations teams… That's been a very organic replacement motion for us.”
— Damian Lukey [28:37]
“It's always a good idea [to] hire people smarter than me, Patrick.”
— Damian Lukey [34:33]
This episode offers a deep dive for security practitioners and builders into the future of detection: shifting from fragmented, schema-mismatched platforms to context-rich, normalized, graph-driven security operations. AI is simultaneously the enabler and the challenge, changing what’s possible—if platforms are built “for agents, not just humans.” The conversation also signals a coming disruption for legacy SIEMs and endpoint detection stacks, as practical, continuous, behavior-informed analytics come to the fore.
For enterprise defenders and security technologists: this is a must-listen exploration of how threat hunting and detection engineering are converging—and the practical implications for your detection stack now and in the future.