Risky Business Podcast – Soap Box Edition: “It Took a Decade, but Allowlisting Is Cool Again”
Date: March 12, 2026
Host: Patrick Gray
Guests: Dave Cottingham (Chief Product Officer & Co-founder, Airlock Digital), Daniel Schell (CTO & Co-founder, Airlock Digital)
Theme: The modern resurgence and evolution of application allowlisting, Airlock Digital’s engineering and strategy, and why allowlisting is finally being widely adopted in enterprise security.
Episode Overview
In this sponsored “Soap Box” edition of Risky Business, Patrick Gray is joined by Dave Cottingham and Daniel Schell, co-founders of Airlock Digital, to dive deep into the renaissance of allowlisting as a core security control. The conversation ranges from debates about the role of AI in allowlisting, to the company’s product philosophy, to why truly effective allowlisting remains difficult—and rare. The episode highlights how Airlock Digital’s engineering-first approach is responding to evolving attacker techniques and what has changed (and what hasn’t) in how organizations talk about and implement deny-by-default strategies.
Key Discussion Points & Insights
1. Airlock Digital’s Leadership Changes and Focus
- Dave Cottingham’s New Role
- Dave stepped down as CEO to become Chief Product Officer, allowing a US-based CEO, Kevin Dunn, to lead US expansion.
- “I'm so excited to be able to concentrate on product...continuing to build the best thing, deliver, leaning forward for our customers and make a product that does what it says on the tin.” (Dave, 01:32)
- Emphasis on product-driven culture and focusing on engineering excellence.
2. AI vs. Deterministic Approaches in Allowlisting
- AI Not Always the Right Fit
- The debate over whether AI should manage allowlists turned on determinism: AI can provide context, but the core of allowlisting needs transparency and predictability.
- Airlock built an “AutoTrust” recommendation system but deliberately didn’t use contemporary AI/LLMs for the decision-making logic.
- “It was very interesting...somewhat conflicted between the two camps, which is you do need AI, but you also don't at the same time.” (Dave, 03:06)
- Why Not AI?
- Non-deterministic outputs weren’t deemed safe for high-assurance controls.
- “Because we can’t...context is king, but because we are powered by data that is inside the customer environment...we can get most of the way by looking at things like prevalence in terms of execution frequency.” (Dave, 03:56)
- VirusTotal and other external signals supplement decision trees without giving up control.
- Guided Recommendations vs. Full Automation
- The new AutoTrust feature will guide rather than replace operators for allowlist enforcement.
- “Providing the customer with a guided path...to a point of enforcement...the worst outcome for us is if a customer doesn’t actually get to a point where they’re locking a system in enforcement mode.” (Dave, 05:52)
- Explanatory feedback is provided, but outcomes remain deterministic.
- Notable Exchange: Tone & Humor
- Patrick pokes fun at “corpo speak”: “That is corpo speak. That is forbidden on Risky Business...The word I believe you're looking for is lessons.” (Patrick, 10:11)
3. Durability and Engineering Philosophy of Allowlisting
- Unchanging, Enduring Controls
- Airlock’s core approach hasn’t changed – a sign of a “durable, enduring control.”
- “Something that's durable is fundamentally the product hasn't changed. But where that gets interesting is that frees you up to do a lot of really fundamental engineering.” (Patrick, 11:26)
- Deep Engineering Features
- Assembly reflection prevention, “ClickOnce” app controls, and browser session visibility—features anticipating and blocking attacker tradecraft.
- “If there's a way that attackers can execute code that is sort of out of scope for us, it really becomes a giant hole in the solution.” (Daniel, 12:47)
- Airlock often already blocks new attack types without additional signatures or detections—by having thorough execution control.
- Communication Challenge
- Tension in how to communicate nuanced technical capabilities to end users without overwhelming them.
- “You can’t put it front and center in the console because that’s just going to get annoying...At least educating that there’s something we can do about it.” (Daniel, 15:22)
4. Strategy: Not Detections, But Attack Surface Hardening
- Not About Chasing Threats
- Unlike EDR, Airlock focuses on eliminating execution opportunities rather than detecting every technique.
- “We’ve been pulled in...ways that we can cut to the foundations of what made the attack work...So we’re getting rid of classes of attacks rather than just focusing on the code or the outcome.” (Dave, 16:21)
- Modern tradecraft chains are complex, but with allowlisting, “it’s just 20 more cases of code execution that gives more opportunity to stop it along the path.” (Daniel, 17:19)
5. Why Is Airlock Still Unique?
- Lack of Serious Competition
- Despite the clear value, allowlisting remains rare—implementation and lifecycle management are hard.
- “The majority of the security industry sells a product, whereas we sell a product that allows you to implement a strategy inside your business.” (Dave, 18:40)
- Skepticism persists about operationalizing allowlisting at scale, but customer success stories are driving change.
- Technical Difficulty
- Supporting multi-OS (Windows XP onward, Linux, Mac) with performant, low-overhead clients is challenging.
- “We've been building this for a very long time. It's actually pretty hard. You can't just vibe code this up...” (Daniel, 21:09)
- Many “allowlisting” claims from PAM or blocklisting-only vendors are superficial—true execution control is rare.
- Market Education Hurdles
- Allowlisting has long been dismissed as “too hard” or “only for kiosks.” Compliance standards help shift perceptions.
- “It used to be converting the haters...or you can only do it on ATMs and static kiosks. That was sort of the legacy we inherited...And I think now and thanks a lot to compliance standards, people haven't had a choice and they've had to implement these things in certain places.” (Daniel, 24:55)
6. Integration and Evolving Needs
- Integration into Business Workflows
- Airlock’s current focus is seamless approval and exception handling via tools like Teams, Slack, and ServiceNow.
- “We need to make sure that we're playing nicely and integrating well with all of the tools that are around us...driving a process through an organization and weaving it in amongst the business tooling.” (Dave, 23:00)
- Patrick jokes: “Everyone starts off building their security startup to tackle Chinese APTs...and it always ends with like we're writing a ServiceNow integration.” (Patrick, 24:11)
- Pitch Has Gotten Easier
- Operators are now more open to allowlisting, especially with large-scale, dynamic user environments showing demonstrable success.
Notable Quotes & Memorable Moments
- Product Focus and Leadership Change (01:32)
- Dave Cottingham: “I'm so excited to be able to concentrate on product...and make a product that does what it says on the tin is the...primary goal there.”
- On Non-Deterministic AI (03:56 - 04:44)
- Dave Cottingham: “It's non deterministic, which is like when you're putting it in charge of an allow list...that's quite a specific static set of information.”
- On Lowering the Bar for Operations (07:09)
- Daniel Schell: “I think it lowers the bar a little bit for operators as well.”
- On “Learnings” vs. “Lessons” (10:11)
- Patrick Gray: “That is corpo speak. That is forbidden on Risky Business...The word I believe you're looking for is lessons.”
- Engineering for Durability (12:47)
- Daniel Schell: “If there's a way that attackers can execute code that is sort of out of scope for us, it really becomes a giant hole in the solution.”
- True Market Differentiation (18:40)
- Dave Cottingham: “The majority of the security industry sells a product, whereas we sell a product that allows you to implement a strategy inside your business.”
- Technical Challenge (21:09)
- Daniel Schell: “It's actually pretty hard. You can't just vibe code this up...there's a huge part also on performance and architecture.”
- Allowlisting’s Boring but Critical Role (24:11)
- Patrick Gray (joking): “Everyone starts off building their security startup to tackle Chinese APTs and make the Ministry of State Security cry and it always ends with like we're writing a ServiceNow integration.”
Timestamps for Key Segments
- 00:00-02:14 – Introduction, role changes at Airlock Digital, US expansion.
- 02:14-10:57 – Debating and dissecting AI’s role in allowlisting, deterministic vs. non-deterministic approaches.
- 11:26-16:03 – Durability of the allowlisting model, engineering deep features, communicating capabilities.
- 16:03-19:16 – Hardening strategy vs. detection, blocking classes of attacks.
- 19:16-22:38 – Lack of serious competition, technical difficulties, the perception challenge with allowlisting.
- 22:38-24:46 – Integration with business workflows, product evolution, enterprise adoption.
- 24:46-27:07 – Changing attitudes toward allowlisting, compliance drivers, successful large-scale deployments.
Conclusion
This episode is a candid, technically rich exploration of application allowlisting’s long road to mainstream enterprise acceptance. The Airlock founders share hard-won engineering insights, clarify industry misconceptions, and demonstrate why “deny by default” is enjoying a renaissance—offering a rare look at how enduring, effective security controls evolve over time. The conversation is as much about product philosophy and operational challenges as it is about technical accomplishment, making it a valuable listen (or read!) for security practitioners and strategists alike.
