Patrick Gray
And welcome to this special soapbox edition of the Risky Business podcast. My name's Patrick Gray. These soapbox editions of the show are wholly sponsored and that means everyone you hear in one of these editions of the show paid to be here. Today we are chatting with Tony De la Fuente, who is a founder of Prowler. And Prowler's got an interesting backstory, actually, because it started off as a tool that, that Tony used to, you know, he wrote it himself basically a bunch of scripts in a trench coat. And he wrote it to do certain security things to a bunch of AWS accounts he was responsible for. And from there it just sort of grew, got a little bit more complicated. He open sourced it and one thing led to another and now it's an immensely popular project with, what is it, 13,000 plus GitHub stars at the moment. Right. So it's got a really active community behind it. It's, it's a great tool. It doesn't just do Amazon anymore, it does all of the major cloud providers plus SaaS as well. So Google Workspace, M365, all of that. So, you know, once a year Tony and I get together for one of these longer form interviews and we just sort of chat all about the world as he sees it. And I guess this year it'll come as no surprise that we're chatting about all things AI and from a few different angles too. So for starters, you know, how is AI changing running an open source project? Like, is that, you know, is every single commit now coming? Like, is that all AI generated code? And it turns out, not surprisingly, the answer is yes. Secondly, you know, is Tony concerned that when you're building an open source plus kind of business, is he worried that people are going to try to vibe code the sort of enterprise features using open source Prowler as a base? So it's like a bit of an interesting business conversation.
Tony De la Fuente
There's.
Patrick Gray
And you know, what does this tell us about the SaaS business more broadly? I think, as you'll hear, we sort of came to the conclusion that you can vibe code an equivalent to SaaS software, but it doesn't mean you should because that's probably still going to be a pain in the, you know what. And you know, we also talk about how Tony sees Prowler playing in the agentic world. You know, what is agentic cloud security actually look like? What's his take on that? And you know, as you'll hear, he thinks, and I think reasonably so, that tools like Prowler are very useful in the AI world because they're sort of a little bit more deterministic than a model. You know, you can go ask a model, hey, you know, here's an API key, go secure my cloud infrastructure. And I think we know that's going to end really badly. So, you know, getting, getting AI agents to use tools seems like the way everything's sort of shaking out. Anyway, I will drop you into the interview now as Tony explains that yes, all of the code being submitted, submitted to Prowler these days is indeed AI generated. I hope you enjoy this interview and
Tony De la Fuente
you can go to the repository to see the open pull requests. Pretty much, I would say 100% of the code is generated by AI. Now of course that is not bad at all. So as long as you have the proper guardrails in place. Of course, in terms of tests when it comes to accepting the code, the basic test for security, etc. I mean linters etc. But also something that we see and that is very positive when it comes to coverage is the community is adding more and more controls into Prowler. So instead of thinking that AI will know what to do in the cloud for security, we are still building deterministic controls and the community is sending to the, to the contributing with those deterministic controls into Prowler. Because at the end of the day the right or wrong configuration is something based on the output of an API, right? But at the same time it's not just a single Boolean result. Is that result along with everything around, right? To get the context actually and for that AI is great to get that context and with graph databases, Boolean results based on the deterministic information, you get the whole picture of what is going on in the cloud and what is actually the important thing to do, right?
Patrick Gray
Not just well, but I mean this is, this is, this is the whole thing, right? I think there's a bit of clarity now that wasn't quite there even a year ago. There was this sort of thinking that oh, AI is going to come along and it's going to replace all of the tools. And we've even seen stuff like the so called SaaS apocalypse, right, where the shares in a whole bunch of SaaS companies lost a bunch of value because everybody's like, oh, SaaS is dead. I mean I think what we're seeing, you know, sure, there's going to be some pressure on SaaS and whatever, but, but when it comes to like hard tools, right, stuff like Burp Suite, stuff like Prowler, I mean good luck trying to get an, you know, you're going to be better off getting an agent to use the tools. I think we've got to start seeing these agents as replacing a lot of the drudgery, a lot of the manual labor. But I don't think the agentic age necessarily is going to really replace a lot of these tools. Right. I mean, what do you think of that? That, that idea when it comes to
Tony De la Fuente
knowing what to do in any cloud, to secure the cloud, we can go to the easy part, the easier part, which is, okay, let's secure AWS. I mean everybody knows about AWS or even Azure, right? Or Google Cloud, well documented, kind of well exposed into the APIs regions. It's easy to understand, right? More or less. But it's a live organism. It's not something that you go like a Terraform file, that the Terraform file is static, right? Of course you can go through all the Terraform lines and to see if it's right or wrong. As we can see, pretty much any Claude Code or any IDE can do that. Very secure. When we are talking about the cloud, we are talking that first we need to know the endpoints, the regions, APIs, services that are available, how those services are configured today, but how are they going to be configured tomorrow? Because cloud providers are adding new features all the time, changing API endpoints all the time, adding new regions all the time. All that stuff is a live stuff that you need to know where to go to get.
Patrick Gray
Well, and this is, and this is exactly the point, right? Which is that if you are in a situation where you're trying to get an LLM to do that for you, you're basically giving it a prompt that's more or less a spec, right? For, for the software in the first place. Because you got to tell it to do so many things and make no mistakes, right? And it will make mistakes that it just sort of doesn't seem quite feasible to do this. Well, just raw with a, with a, with an online, you know, LLM with a Frontier model, it just doesn't seem like a good idea.
Tony De la Fuente
Going to take a lot of time. First it's going to be costly, of course, and it's going to be very random, so to trust, but that's it.
Patrick Gray
But that said, you take some tooling, whether that's Prowler, whether that's something else, you know, it's got those vibes like you give it Prowler and you say, I want you to use Prowler to do xyz. I'M guessing you have done that.
Tony De la Fuente
Yeah. Actually now when you use Claude Code and you, I mean of course you can configure Prowler MCP, which means that you make your AI driven IDE cloud security expert, not only knowing about what
Patrick Gray
to do in cloud, you know, we're talking about MCP. That's so 2025, Tony.
Tony De la Fuente
Yes, but 2025.
Patrick Gray
Yes, but still works. Yes, but I guess what I'm asking is like, you know, have you, how have you gone with getting some of these frontier models to use Prowler? Like, is it easy? Yeah.
Tony De la Fuente
So the point is you can tell Claude Code, hey, taking into account the prescriptive guidance that Prowler gives you in terms of controls, remediations, detections, remediations, compliance, etc. Tell me how my X whatever cloud is working out. So it's deterministic part with a pinch of AI instead of AI. Go and see what's going on. Right?
Patrick Gray
Yeah. And hope for the best.
Tony De la Fuente
Exactly. So we are, we are driving. Yeah. At the end of the day, what we are doing with Prowler Hub, our registry is like a huge prompt for AI to know what to do in the cloud, in any cloud. So actually with Prowler Studio, which is another open source tool that we have created on top of Claude Code is basically a workflow. So that allows you to create detections, remediations based on the deterministic database of Prowler. For any cloud provider, you can tell, hey, I need to know what's wrong. In Google Workspace, for example, it's going to create you the basics and not that basics artifacts to find issues in the cloud and then you are going to be able to correlate those issues with other results. I mean right now, so we have detections and remediations, but we put the results, the findings into a graph database and also the relational database in order
Patrick Gray
to
Tony De la Fuente
link all the results and correlate all the results for a proper results. Right?
Patrick Gray
No 100%. But here comes a curlier question. Right? So I think we've established that even in the AI age, we still need tools. Right. The models still need tools to use to do specialist tasks. Right. Because. Okay, sure. Could you vibe code something that would kind of do it? Yeah, maybe. Is it going to be a pain in the. You know what? Yeah, it definitely it will be. But I guess my question is you're running a, you're running a open source project, so I'm wondering how concerned you are by the idea that someone could take the open source component of Prowler and then Vibe code, the sort of enterprise features. Because if I'm you, I'm not worried that nobody's going to need Prowler anymore. But I am starting to think, well, you know, are they going to need the optimized for business part or are they going to create their own Prowler SaaS and just, you know, do that that way? I mean, I think those sort of risks are overstated to be honest. Because no, even if you can Vibe code it, nobody wants to spend their time doing that. But I'm really curious to, to hear your thoughts there, Tony.
Tony De la Fuente
Well, that is the risk of building a successful open source project, but not from today because of the AI. Also, 10 years ago was the same issue tell.
Patrick Gray
Yeah, but now it's easier. Now it's easier, right. You would admit that the calculus has changed a little bit.
Tony De la Fuente
Yeah. Now of course now you can build in a week what you could build like 10 years ago in five months. Right. But also if you move back, even back 20 years ago, before the explosion of open source happens the same. I mean with open source we managed to build software way, way faster, right? Because you are using components. So I mean people is not typing all the modules, all the components of software anymore, right. So with AI is the same but the holistic way. In the holistic way. So when you have a successful project that does a good job, it has a proper, it has a big community, of course everybody is going to use you, right? Because it doesn't make any sense to build another tool to do the same because you have already that tool and you have already that community, etc. That is happening and that was happening five years ago, even before having AI with Prowler. I mean so a lot of companies are using Prowler underneath, but they are not, they are not Prowler. They can use Prowler as a component in the, in their infrastructure and that is what is happening. So but my question is, so what is the, what is the goal of software? Of course is solving a problem and then what is the goal of the company on top of the software? Is to make business on top of that. So I think it is easier or should be easier to make a profitable business on top of that opportunity than on top of nothing, right? So for us is key to have a lot of companies using Prowler. At the end of the day, Prowler is for cloud and cloud is a business itself. It's not like Prowler is for something free, Prowler is for something that everybody's paying, so the money is there. So I don't see a problem if somebody says, okay, Prowler is very helpful, I'm going to build something on top of Prowler. I see actually an opportunity. Let's see how big that opportunity is. And of course there is people that is going to take advantage of the open source nest and freedom.
Patrick Gray
Well, I just mean, I just mean I'm not even talking about competing companies. I'm talking about like I'm an enterprise person. I see that I could use Prowler, I could probably vibe code up, a bit of an interface, you know, some of the enterprise features that I need, you know what I mean? Then I don't have to buy your product. That's all I'm wondering. I mean I think most people, they can't be bothered doing that. They, they're probably going to just spend the money. But you know, I just wonder what your thinking is there. Because the calculations around build versus buy when it comes to open source projects, it's changed. That calculus has changed quite a lot.
Tony De la Fuente
Yeah, so I see. So recently there is a, I mean many companies are saying, okay, why I'm going to pay for a SaaS if I can build it in house. So, right. That is happening now of course with this SaaS apocalypse. But we will see what's going on in a year from now, in two years from now when those very well done vibe coded applications to solve a problem are becoming a monster, are becoming a Frankenstein. And the two guys that were building that, they decided to leave the company. So let's see what we get with AI and with those Frankensteins. Right, and how to maintain those. So because again that is some sort of similar story happened with open source back in the days. Like okay, I don't have to buy something because I already have MySQL right. And now I have a 3 TB MySQL database and call somebody to optimize those queries. Right. So I think something similar can happen or it's probably going to happen with AI and vibe coding monsters. What we truly believe is that generating a context with open source or even without open source, but following best practices about how to add components, how to add more capabilities on top of a platform is key. Of course, as I said before in Prowler, all the code is AI generated right now, right, from Community, even ourselves. Of course we have to review the code, we have to test the code to QA the code before going to production. We have of course, dev, staging, and also different ways of rolling out features into production, including paid only features that we have. But the point is, are we going to be able to maintain all that code properly to offer a proper service? That is the goal of software vendors, right? Or services.
Patrick Gray
Yes.
Tony De la Fuente
When you have it on the.
Patrick Gray
It's really great, like, Tony, it's really great what you're saying because, like, I totally agree with you to the, to the, to the degree that I actually bought some shares in SaaS companies after the SaaS apocalypse because of exactly what you're saying, which is everybody's like, oh, my God, I can, I can be my own software company. And it's like, okay, but meanwhile, the SaaS companies, they're also doing a whole bunch of AI delivered code, but at a much bigger scale. And you can kind of cook up in your, you know, I mean, it's a metaphor, but your basement, right. So their stuff's going to get better and your stuff is going to be a bad approximation of what they had before they started using AI. And I just sort of think, yeah, it's, it's, I think the death of SaaS, the death of tools, it's been greatly overestimated. Greatly. Reports of the death of SaaS, reports of the death of IT tooling have been greatly overstated.
Tony De la Fuente
Yeah, yeah, I totally. And, and again, let me add this again to make, to make sure, for everybody to understand, to see if you agree with me on this. With the growth of Software back in 15 years ago, 20 years ago with Open Source was kind of the same. Now right now everybody is building tools because developing is a commodity. Anybody. So from the idea to the software is like, the idea is the prompt to build the software right now. Right. Go to Lovable, go to any other tool to make that. So we are in this similar paradigm, which is great, that software is a commodity. Software can be created by anybody. But software is not only creation. Software is about maintenance, evolving, knowing what you are building. Because it's like, it's like, do you think a guy, of course, in a garage can create a crosstrek, the new Crosstrek? We can probably do effective XDR, right? You and I, you know, in a weekend can do some sort of XDR, but this is not about the next year.
Patrick Gray
Not an XDR I'd want to run, you know.
Tony De la Fuente
Exactly, exactly. This is not about solving a single problem or an important problem. This is beyond that we are talking.
Patrick Gray
I sort of, the way, the way I see it, right, is like, with all of this software as a Service, what you're really paying for is the expertise and that's not changing. You've been paying for the expertise of people to deliver to you. You know, basically an application over web that is being constantly updated, constantly maintained. I mean that's why it's as a service, it's the service part of as a service, okay. And it's just. Okay, so the delivery of that service is changing a bit, but that doesn't mean we don't need the service anymore. We don't want to all become software companies, you know, and there's all that thought bubble about how every company is a software company these days. And like I guess for, you know, I guess for large enterprise that is partially true. But that doesn't mean that you want to have to recreate every bit of tooling that you use in your enterprise. Just because you can vibe code stuff now like that just seems insane, you know, and I, I think, you know, I think I mentioned it earlier. We had a great chat with the people at PortSwigger talking about Burp and like, okay, you hear about, you know, Claude being used to do offsec stuff. But like what you're going to give it netcat and curl and tell it to go do a pen test? Like, it's not going to, it's, that's not going to work. It needs to use tools. So I see like a lot of open source tools. Open source tools are going to be very, very important to the frontier models for them to use to do things. I mean, I guess it's just like where, I wonder, right where I think we've got to work it out and what you're going through right now is the future of the open source part of it is very clear, right? You just keep going, you know, there's going to be more code, there's going to be, you know, new features and everything's going to accelerate.
And when it comes to it, but when it comes to the business side of it, that's where you got to sort of innovate and think, well, how do I make this, you know, this an appropriate commercial software as a service tool that people are going to want to buy in the AI age, right? How are we going to get this thing to play nicely with the agentic approach? I mean, that's about where you are, right?
Tony De la Fuente
Yeah, exactly. So now it's not only needed, which is needed as well, but it's not only needed a proper ui, proper way for a human to interact with software, but also you have to have that software to be able to be interacted by an agent or multiple agents, right? In order to know what to do, how to use it, etc. To extend that also you have to have your proper skills or skill set in the software to get everybody know, hey, if you want to add this or to do that, do it this way. Or you have to have those guardrails around the software to be agentic. That is why we call Prowler the agentic cloud defender. Because it's not only the human that can go through APIs and dashboards and beautiful charts, all that stuff to see what's going on, but also an agent to say to see, okay, this is the data, this is the correlation. Give me what is what, what's next, right? Based on again deterministic information, not just guessing or magic AI type of information that nobody trusts. So that is the. Those kind of guardrails that we are building around cloud security are key for the human of course interaction, but also for those agents that at the end of the day those agents are going to make decisions for the humans to. And then it's like a closed loop, right? Because it's not only about detection, it's also about remediation. It's about remediation, real time detection, real time remediation and that loop over and over. Let's say that you need to have your. Beyond the major cloud providers, whatever cloud in Europe that you have to have GDPR like the French, the French are
Patrick Gray
building their own one. It's like the, we'll call it the no Donald cloud, right? Yeah.
Tony De la Fuente
I mean pretty much any country is building their own cloud now and we are supporting those clouds in many different ways. So if you go to those clouds and you pull, I mean you plug Prowler into those clouds, it's a matter of knowing what to look at but also making sure you are remediating those issues. It's not only about detection again, it's about remediation in real time. But moreover in the infrastructure as code before is, I mean to prevent that to happen. Right. All that stuff is of course you have to tell AI so how that has to be because in many cases those clouds are very proprietary. I mean things are. You don't know until you look at them like STACKIT. In some cases in Germany or many others in different, different countries or in other cases we have not realized that they are based on open source like OpenStack for example, or even closed clouds like VMware VCF. So everybody has their own flavor or even just pure Kubernetes, which makes a different story that we also support as well. But yeah, the also frameworks around those detections and those remediations and the attack paths around those are key in order to of course control whatever the AI can do with the data. So you have to tell the AI okay, if this happens with this stuff and this other resource here, this is an attack path, for example, and this is going to be bad so well,
Patrick Gray
so that was my next question, which is, which is what's the vision for how all of this works, right? Like is it the, you know, is there just an agent sitting there doing stuff all of the time where, you know, your platform just keeps kicking the agent to perform certain tasks, to do assessments, do remediations based on the assessments, or is there a human in the loop? Or like what's that? What's the vision for how the whole thing is actually going to work?
Tony De la Fuente
So the way we see it is you have three main sources of truth, right? One is what you understand for cloud security, which is the registry of artifacts to know what to detect. Let's go very basic. So if S3 bucket is open, it raise a flag, right? And if it's open, because it has to be open, no worries. If it's open with pii, big red flag, right? All that stuff is some sort of deterministic, right? So the agent needs to know what is right and wrong. Second, you need to know if it's right or wrong, what to do, right? So that part is also deterministic. You can add some pinch of AI on top of the remediation, but the remediation has to be told somehow, right? Also how that impacts to your compliance framework around. So if you need to be compliant with something that needs to be mapped with something and of course you can let AI to do that, but it's probably going to be wrong. So you need to have that mapping in a place, right?
Patrick Gray
Like, well, but I mean you can, you can have, you can have Prowler do it, but AI can be kicking off the scan and actually matching it and telling you if it's done right.
Tony De la Fuente
Exactly, exactly. So everything that we are talking are the deterministic part on top of everything that an agent can do. An agent not only triggering a scanner or triggering a remediation or whatever around the cloud, but also getting to know what to do, configuring or muting what is not important, creating groups for account groups for your different teams, hiding or exposing information, etc. So it's not only about if you have properly configured your specific cloud. It's everything around the operation of cloud, security of the cloud infrastructure.
Patrick Gray
And that is beyond, I mean, I think of these agents, right? Like I joked recently that, you know, all these agents out there doing offensive stuff, I call it like the threat environment now is you've got to deal with infinity, Infinity Script kiddies, right? And if you think about it on the, on the, you know, the defensive side, it's almost like you've got access to infinity 18 year olds who can code really good software. But like they're 18 year olds, you know what I mean? You got to give them pretty clear instructions. Well, they're going to do something insane.
Tony De la Fuente
Actually, we are now, everybody is now a script kiddie, right? What?
Patrick Gray
Yeah.
Tony De la Fuente
What is vibe coding, right?
Patrick Gray
Well, script kiddies. Script kiddies can vibe code 0-day now, right? So again it comes back, it comes back to the picture of the person giving the, the monkey the machine gun, you know?
Tony De la Fuente
Exactly, exactly. Yeah. That is, I mean that is the reality of something that somehow is, is, is what is happening with this software. And I think it's, it's good. I think everything that is happening with AI and agents around AI and around tools is good because it is pushing us to the next level of hardening systems, which is what I like the most. Of course, attacking and doing all that, that red, red teaming activities are great, but for, for me, what I like the most is, okay, now that we know how a bad actor can do stuff, let's try to secure that, which is harder.
Patrick Gray
Here's the funny thing, right? Is that your business, okay? So you're doing all of the agentic stuff with it, okay? It makes sense, right? But fundamentally you're not an AI first business. You're not an AI first tool. You're a deterministic tool. You're an old school security control. What I found really funny about the last six months is it's the old school security controls that are getting heaps of interest. So like there's all of these AI startups that are AI first everything and they're all really like, wow, agentic this and agentic that. But honestly, the people who are getting the crazy purchase orders at the moment, they seem to be the ones who are making the, you know, belt and suspenders, like basic security controls. Like, hey, maybe we should check our cloud exposures now that we have Infinity Script kiddies in our environment. Maybe using stuff like Prowler and its competitors, let's be honest, right? Like maybe actually paying some attention to cloud security. Is going to be a good idea in this AI age. So I guess my question to you is, has the concern around, you know, attackers being AI enabled now driven interest and growth? Because I would, I would be stunned if it had not.
Tony De la Fuente
Yes, it is, it is no doubt because at the end of the day a customer has to make sure they have a very solid foundation of security in the infrastructure to prevent not only easy or soft attacks, but also very advanced attacks and threat actors.
Patrick Gray
Yeah. So basically you are finding that it is driving interest at the moment.
Tony De la Fuente
Yeah. But not only in the major cloud providers, but also in SaaS, important SaaS providers around the cloud. Like I'm talking about GitHub, I'm talking about Microsoft 365, Google Workspace, Vercel and many other SaaS that they are all connected together because when you push the new applications to the cloud, they are using authentication here, data.
Patrick Gray
Well, and that's the stuff where we've seen a lot of attacks lately. Right. Like all in the, in, in the, in the parts where those things all sort of rub together and meet, you know.
Tony De la Fuente
Yeah. So that is why we are adding beyond infrastructure as service providers, like traditional cloud, cloud service providers, to other SaaS providers that they are also handling a lot of power when it comes to deploying a tool with vibe coding or with whatever way. Right. That is why we are adding also now Lovable as well. We have Vercel, we have Cloudflare, we have many like of course Kubernetes, of course OpenStack, Alibaba Cloud, Oracle Cloud, etc. So because now people is not deploying everything in one single place, it's deploying every data, workloads, touching multiple clouds or SaaS that are key for their infrastructure.
Patrick Gray
Yeah. So how far along are you with the whole agentic push too with Prowler, is that done? If I sign up as a Prowler cloud user, am I greeted with some wonderful chat interface these days or where is that at?
Tony De la Fuente
We have of course in our UI what we call Prowler Lighthouse AI that you can talk to Prowler and ask pretty much anything from discussing about findings, remediation, attack paths, etc. To ask. Okay, prepare a presentation for my CISO about the compliance status of our Azure infrastructure, things like that. But also from your AI driven IDE like Claude Code, Windsurf, Copilot, you can connect to Prowler and do everything from there from creating real time dashboards and reports to even run remediations because you can connect GitHub, Prowler etc. And do all those remediations based on the findings automatically and create the pull requests, etc. So those new ways of using and hardening the cloud are perfectly possible. Now with Prowler, that is why we call ourselves the Agent. The Agentic Cloud Defender.
Patrick Gray
The Agentic Cloud Defender. Well, look, Tony, I reckon we're going to wrap it up there, mate, but it's always a real pleasure to chat to you and to hear from you on what you're working on. You know, it sounds like Prowler is an absolute beast at the moment, and it's just getting more and more beastly. Great to chat to you, my friend, and I look forward to chatting to you again in the future.
Tony De la Fuente
Thank you. Thanks for having me, Sam.
Host: Patrick Gray
Guest: Tony De la Fuente (Founder, Prowler)
Date: May 15, 2026
In this sponsored Soap Box edition, Patrick Gray talks to Tony De la Fuente, founder of the open-source cloud security tool Prowler. The discussion goes deep into the intersection of AI and cloud security — how AI is changing the way security tools (like Prowler) are developed and used, what "agentic" cloud security means, and the impact on SaaS business models. The conversation also tackles technical, business, and community aspects, offering real-world insights and future-looking predictions.
AI is now a major driver of code contributions:
“Pretty much, I would say 100% of the code is generated by AI now. Of course that is not bad at all, as long as you have the proper guardrails in place.” — Tony De la Fuente [02:57]
AI aids in context, not yet fully trusted for action:
AI will not kill specialist security tools:
“I think we've got to start seeing these agents as replacing a lot of the drudgery, a lot of the manual labor. But I don't think the agentic age necessarily is going to really replace a lot of these tools.” — Patrick Gray [04:40]
Cloud environments are highly dynamic:
Best model: AI agents orchestrate trusted tools:
The rise of agentic workflows:
The “vibe coding” dilemma (build vs. buy):
“We will see what's going on... when those very well done vibe coded applications... are becoming a monster... So let's see what we get with AI and with those Frankensteins.” — Tony De la Fuente [14:19]
Open source as a foundation:
“Software is not only creation. Software is about maintenance, evolving, knowing what you are building.” — Tony De la Fuente [17:22]
The enduring value of SaaS:
“Reports of the death of SaaS... have been greatly overstated.” — Patrick Gray [16:31]
Making tools “agentic-ready”:
Determinism over AI guesswork:
Hybrid agentic workflows:
Every attacker (and defender) can now code well, instantly:
“All these agents out there doing offensive stuff, I call it like the threat environment now is you've got to deal with infinity, Infinity Script kiddies.” — Patrick Gray [27:02]
“Actually, we are now, everybody is now a script kiddie, right?” — Tony De la Fuente [27:35]
This drives increased demand for foundational security tools:
Security focus now includes SaaS, multi-cloud, and connectivity layers:
“Because now people is not deploying everything in one single place, it's deploying every data, workloads, touching multiple clouds or SaaS that are key for their infrastructure.” — Tony De la Fuente [31:42]
Prowler is building an AI/agent-friendly ecosystem:
“That is why we call ourselves the Agentic Cloud Defender.” — Tony De la Fuente [32:58]
On AI-generated open source contributions:
“Pretty much, I would say 100% of the code is generated by AI now... as long as you have the proper guardrails in place.” — Tony De la Fuente [02:57]
On the reality of SaaS and maintenance:
“Software is not only creation. Software is about maintenance, evolving, knowing what you are building.” — Tony De la Fuente [17:22]
On ‘Frankenstein’ homegrown solutions:
“We will see what's going on... when those very well done vibe coded applications... are becoming a monster... So let's see what we get with AI and with those Frankensteins.” — Tony De la Fuente [14:19]
On AI’s impact on security tool demand:
“Reports of the death of SaaS... have been greatly overstated.” — Patrick Gray [16:31]
On the script kiddie arms race:
“All these agents out there doing offensive stuff, I call it like the threat environment now is you've got to deal with infinity, Infinity Script kiddies.” — Patrick Gray [27:02]
“Actually, we are now, everybody is now a script kiddie, right?” — Tony De la Fuente [27:35]
| Timestamp | Topic |
|-----------|-------|
| 02:57 | AI-generated code now dominates open-source project commits |
| 04:40 | Discussion: Will AI replace or augment traditional security tools? |
| 07:33 | Using agents to drive specialist tools — not to “vibe code” from scratch |
| 11:15 | Open source, AI, and the build vs. buy business dilemma |
| 14:19 | Costs and pitfalls of DIY “Frankenstein” SaaS solutions |
| 17:22 | The necessity of proper business models and maintenance |
| 20:46 | What it means to be “agentic ready” — tools as both UI and API |
| 22:35 | Multi-cloud and national cloud support, remediation focus |
| 24:54 | What’s the vision for agentic cloud security? |
| 27:02 | Infinity “script kiddies” and the new security landscape |
| 29:50 | AI-enabled attackers driving stronger demand for foundational security |
| 31:42 | Prowler’s focus on SaaS and hybrid cloud |
| 31:58 | How “Agentic Cloud Defender” works at a practical level |
For cloud security professionals, this episode offers a frank, in-the-weeds look at how AI is genuinely reshaping both the technical and business sides of securing the cloud — and why some fundamentals will never go out of style.