Risky Biz Soap Box: Prowler, the open cloud security platform - Risky Business

Summary4 min read

Risky Business Podcast Summary

Episode: Risky Biz Soap Box: Prowler, the Open Cloud Security Platform
Host: Patrick Gray
Guest: Tony De la Fuente, Founder of Prowler
Release Date: July 14, 2025

Introduction

In this special Soapbox edition of the Risky Business podcast, host Patrick Gray engages with Tony De la Fuente, the visionary founder behind Prowler, an acclaimed open-source cloud security platform. Launched nearly a decade ago, Prowler has grown into a vital tool for information security professionals, boasting a vibrant community and extensive feature set.

Origins of Prowler

Tony De la Fuente recounts the genesis of Prowler, rooted in a pressing personal need.
[01:28] Tony De la Fuente:
"In 2016 I had all of a sudden like 30 AWS accounts to manage and to assess and I had no idea what to do... I started writing probably without even knowing it, a wrapper of the CLI to check only security configurations, misconfigurations basically related to security."

Faced with managing multiple AWS accounts, Tony identified a gap in the available tools for comprehensive security assessments. Driven by necessity, he began automating security checks using the AWS CLI, initially focusing on hardening services like S3, EC2, and RDS. This proactive approach led to the release of Prowler, a simple yet powerful bash script that assessed AWS security configurations across all regions and supported services with ease of use at its core.

Growth and Community Engagement

Prowler's simplicity and effectiveness quickly garnered attention.
[06:09] Tony De la Fuente:
"The goal was to not to make this hard because cloud security is hard already... I wanted to help others. Basically that is the key of open source."

Tony emphasizes the importance of ease of contribution and comprehensive documentation in fostering community growth. By categorizing Prowler checks and aligning them with compliance frameworks, he made it accessible for a wide range of users—from cloud security practitioners to pen testers and architects. This inclusive approach led to an ever-growing repository of GitHub stars and a robust global contributor base.

Transition to SaaS Platform

Recognizing the limitations of a command-line interface (CLI) for continuous monitoring and broader usability, Tony spearheaded the development of a SaaS platform alongside the CLI tool.
[12:43] Tony De la Fuente:
"I realized that we need to offer a platform. The whole platform, the whole enchilada... continuous monitoring."

The SaaS platform, complemented by ProwlerHub, provides users with comprehensive dashboards, real-time monitoring, and enhanced usability. This transition ensures that Prowler remains relevant in the dynamic cloud security landscape, accommodating both immediate assessments and long-term infrastructure management.

Business Model and Open Source Philosophy

Balancing open-source accessibility with a sustainable business model, Tony outlines Prowler's approach.
[16:28] Tony De la Fuente:
"What I wanted to do is... go get an open source, an open platform, and in five minutes you get the results and if the value is enough, you pay us."

Prowler offers its core functionalities as an open-source tool, encouraging widespread adoption and community contributions. Revenue is generated through the hosted SaaS version, which provides additional features, ease of deployment, and dedicated support. This model mirrors successful open-source enterprises like Red Hat, offering both free access and premium services.

AI Integration and Prowler Lighthouse

Innovating beyond traditional security assessments, Prowler integrates Artificial Intelligence (AI) through its Prowler Lighthouse feature.
[19:09] Tony De la Fuente:
"We are adding AI capabilities like Prowler Lighthouse, where you can ask pretty much anything that is going on in your cloud security..."

Prowler Lighthouse leverages Large Language Models (LLMs) to enhance user interaction, providing intelligent assistance in analyzing security data, generating remediation templates, and offering proactive security recommendations. This AI-driven functionality aims to transform cloud security management by making complex tasks more intuitive and efficient.

Challenges and Security Considerations with AI

Tony addresses the complexities of integrating AI into security platforms, particularly concerning data integrity and access control.
[30:24] Tony De la Fuente:
"We have built in Prowler Lighthouse on top of our RBAC to make sure there is no information leak. That is key in any type of deployment of security tools with AI."

Ensuring that AI functionalities adhere to strict Role-Based Access Control (RBAC) standards is crucial to prevent unauthorized data exposure. Tony highlights the ongoing efforts to balance the innovative benefits of AI with the stringent security requirements inherent in cloud environments.

Conclusion and Future Directions

Tony concludes by reaffirming Prowler's commitment to solving real-world cloud security challenges through open-source collaboration, continuous innovation, and user-centric design. With the integration of AI and the expansion of its SaaS offerings, Prowler is poised to remain a cornerstone in the information security landscape, continually adapting to emerging threats and technological advancements.

[31:59] Tony De la Fuente:
"Thank you, bud. See you soon."

Key Takeaways

Prowler's Origin: Born out of necessity to manage and secure multiple AWS accounts, evolving into a comprehensive cloud security tool.
Community-Driven Growth: Success attributed to ease of use, strong documentation, and active community contributions.
SaaS Evolution: Transition from CLI to a robust SaaS platform to support continuous monitoring and broader usability.
Sustainable Business Model: Combines open-source accessibility with premium SaaS offerings inspired by models like Red Hat.
AI Integration: Introduction of Prowler Lighthouse to enhance security management through AI, while maintaining strict security protocols.
Future Focus: Continued innovation and community engagement to address evolving cloud security challenges.

This episode offers a deep dive into the journey of Prowler, highlighting the intersection of open-source philosophy, community engagement, and cutting-edge technology in shaping a leading cloud security platform. Whether you're a seasoned security professional or new to cloud security, Tony De la Fuente's insights provide valuable guidance on leveraging Prowler to safeguard your cloud environments.

Loading summary

Transcript56 lines

[00:00]
Patrick Gray
Foreign and welcome to this special Soapbox edition of the Risky Business podcast. My name's Patrick Gray. For those who don't know, every single edition of Soapbox is wholly sponsored. And that means everyone you hear in one of these soapbox editions paid to be here. Today we are speaking with Tony De la Fuente, who is the founder of Prowler. Now, Prowler is a really interesting open source project and now company that was founded nearly a decade decade ago. So it's cloud security, a cloud security platform that really has nearly been around for 10 years and it is very popular, has a million contributors, a million stars on GitHub sort of thing. And yeah, it works really well. It's multi cloud, covers off everything. Started as an AWS project but now kind of covers everything. So in this interview with Tony, we really just talked about the origins of Prowler. He created it to solve a problem. He's a security practitioner, he's worked as a cloud security architect, he's worked as a pen tester. And yeah, as you're going to hear, Prowler really just was born of necessity. He needed to create something to just get his job done and then it just sort of went from there. So here is a nice half hour conversation with Tony Delafuente where we talk all about Prowler, you know, where it came from, where it's going. It's all very interesting stuff and I do hope you enjoy it. Cheers.
[01:29]
Tony De la Fuente
So in 2016 I had all of a sudden like 30 AWS accounts to manage and to assess and I had no idea what to do. By that time I think there were a couple of tools, but not very comprehensive tools or not very easy for me at least. And also I wanted to learn how to perform the assessment, but also the hardening of initially AWS, 30 AWS accounts. So what I did was started reading about hardening S3EC2 and RDS and I said, okay, I'm going to do this just once, I'm going to automate everything with the AWS cli. And I started writing probably without even knowing it, a wrapper of the clique to check only security configurations, misconfigurations basically related to security. I started with S3SD2 and everything for the first CIS AWS security benchmark. That was what I released. The first version of Prowler was a basic way of assessing aws, all regions and all this dev supported services in just one line in a bash script. The point is whatever you you run, Prowler always went through all the Regions and all the supported services so you don't have to configure anything. That was the good thing. And using the same credentials and the same pattern patterns as in the. In the AWS CLI that everybody is familiar with. Right. So it was very easy to use because you get read if you have something to fix and green if it's well computer. So very, very straightforward. In a matter of weeks or months, I did a couple of conferences talking about cloud security hardening because I've been. I've been doing also digital forensics and I started some articles about digital forensics in the cloud and how to perform incident response and forensics. Talking also about Prowler because Prowler has categories in one of the categories of Prowler is forensics readiness. So do you have all the logging enabled and all that stuff. So Prowler became. Started becoming popular by that time and started getting more and more GitHub stars and over the years was getting more developers, community contributions, many different companies using Prowler and asking me for new features. And it was my pet project because I started something for my needs. But I realized that I needed to put many more hours than just work hours. Right. Because I have many other things to do. Of course. And many years later I joined aws.
[04:44]
Patrick Gray
And was it the fact that you were the Prowler guy that got you the job at aws? I can't imagine it hurt.
[04:52]
Tony De la Fuente
It helped a lot. Yeah, it helped a lot by that time because I tried to join AWS many times and never worked out. Probably because I wasn't ready. Probably because I didn't prepare the interviews very well back in the days or probably because my English wasn't very good or everything together. But at some point when Prowler was way more popular, everything went very well in the hiring process and I ended up joining aws Just to step back.
[05:27]
Patrick Gray
There for a moment, right? So you said like all of a sudden, you know, you've written this one thing that's like command line, very simple, very easy. You don't have to configure it to look specifically anywhere because it looks everywhere and you just get green or red, right? Like I 100% understand how you get up at a conference and say I've built this like single line tool, you know that you just feed it a cred and it will go and do this for you. I can understand why people are going to start using that. But like everybody talks about how they'll contribute to open source software, but nobody ever actually does Right. So I'm wondering how did this, who was it, who was jumping on this? Was it other practitioners? Was it pen testers? Like, how did you actually get people to put time into this as a project? Because that's, that's like so hard.
[06:10]
Tony De la Fuente
Well, the goal was to not to make this hard because cloud security is hard already. Right. So. And to create Prowler checks and Prowler categories and compliance frameworks in Prowler for from the day one was very easy, very easy. And I wanted also to add good documentation. I always loved to write blog posts, documentation, et cetera. So that helped a lot.
[06:37]
Patrick Gray
Yeah. Okay. So you're like the one guy on the planet who likes writing documentation, but yeah, cool, go on.
[06:43]
Tony De la Fuente
I mean, I wouldn't say I love writing documentation, but I've been writing in my personal blog post many, many years. So. And it's something that, I mean I like to communicate what is needed and the how to's and you know, tutorials and all that stuff. So I wanted to help myself first to learn hardening and assessment of the cloud security, but also I wanted to help others. Basically that is the key of open source. Right. And challenging myself every time that there is a new threat in the cloud or new service for AWS back in the days now is pretty much any cloud. So that was very, very good because IAM vulnerabilities were everywhere, right. Insecure APIs or API calls, all that stuff. So that was a way for me to stay up to date with all that was happening. Everything that was happening in the cloud.
[07:46]
Patrick Gray
Yeah. So it sort of became a way for you to a sort of cornerstone of your way to understand what was happening in your field, I guess is like, well, I have to learn about this new thing that we need to check for. And the best way to do that is by writing a check for this framework that I've got.
[08:04]
Tony De la Fuente
Yeah. Basically when I started with computers, that was when I was 19, I got amazed within the Internet, right. And the different protocols and I started learning Internet protocols. Do you remember that? The O'Reilly books that for SNMP or POP3, IMAP, all that stuff. I have all those books because I loved to learn from the very basic or the foundation of the Internet with the cloud. What I did with Prowler was more or less the same, but for services, for example SQL. Okay, let's learn about SQS security. And everything that you can do to secure SQL is something that I implemented in Prouder, then SNS, then S3. Everything related to VPCs everything related to security groups, all that stuff. Or then AWS released the elasticsearch service that is now open source. Right. I did all the security checks for them because I wanted to know all the security misconfigurations and threats and the hardening of that service. So that was a way for me to become kind of an expert. I don't consider myself an expert because the cloud is very broad, but it helped me a lot to learn how to do different configurations in the cloud and understand the APIs and how all that stuff works in the cloud.
[09:40]
Patrick Gray
Just going back though, because like we've established how you are able to flush out contributors. What's the sort of loose demographic info for a prowler contributor? Are they also just like cloud security architects or admins or just a whole mix? Because there's quite a few. You've got quite a few contributors now, right. So I'd imagine it's pretty broad now.
[10:00]
Tony De la Fuente
But 250 or almost 300. Yeah, almost in global contributors. The point of the cloud is that everybody that moves to the cloud has at some point or realized at some point how important security is. So we have of course the cloud security practitioners, pen testers, cloud architects, not cloud security architects, but also cloud security architects.
[10:30]
Patrick Gray
Yeah, the ones who get given big binders full of compliance requirements and are told to by the board that they.
[10:38]
Tony De la Fuente
Have to meet them infrastructure developers because they are writing code and they are deploying code and they want to make sure that in runtime their code is working fine. And also at some point the technical, you know, the VPs of it or CISOs, that they have some sort of techy skills, they can run prouder very well as well. And now it's even easier because we have the web UI, the SaaS platform. But yeah, cloud security engineers, architects, compliance auditors, if you see it's very broad because when you move to the cloud, as I said, at some point you realize, hey, I have something to do here.
[11:24]
Patrick Gray
Now you just mentioned the SaaS thing, right? So I've seen you've demoed to me. Both people can, you know, click through to the demo you and I have already published on the YouTube channel. But you know, you've got this command line one which is great. You could throw like a cred into it or an API key or whatever and get it to actually go and fix stuff, which I really like because for a lot of these SaaS platforms, right, that do like, that do security, they're like, yeah, sure, give us an API key and like we'll Totally take care of it and go and you know, use this privileged access to only do good stuff in your environment. So one thing I really like about Prowler is you can actually use the SaaS platform for the discovery part just with read only access. And then if you actually want to get Prowler to go and fix stuff, just spin it up on a laptop, you know, give it a credential, do the thing and then burn the credential, that's fine, you can do that. So I really dig that, but it strikes me like I know you a little bit, right. And you're like old school security person. Did it break your soul a little bit having to make a pointy clicky like SaaS version of this? Did it make you sad?
[12:32]
Tony De la Fuente
Not really. Not really because. Because I mean I started product from the CLI because I love the cli, you know.
[12:39]
Patrick Gray
Yeah, because you're. Because you're an old school turbo geek, right? Yeah, I get it.
[12:43]
Tony De la Fuente
Exactly. There is a book that I love that is at the beginning was the command line and I love doing that and the power of doing that for one point in time assessments. But at some point I realized that hey, we need to offer a platform. The whole platform, as you said, the whole enchilada.
[13:06]
Patrick Gray
Yeah, yeah.
[13:07]
Tony De la Fuente
From the CLI to detect, but also remediate to the continuous monitoring. Because one time security is not security and not even in the cloud. It's one time assessment is fine, you get a photo, right. Of your status, but in the cloud that everything is changing all the time, you need continuous monitoring. That is why we started building the application parallel the application parallel the platform. Right. And we have from the CLI also local dashboards. Because if you are a practitioner and you are assessing something today for a customer or for your own company, you want to see data straight away. You can do that as well from the CLI with the local dashboards. But if you are maintaining an infrastructure over the time and you want to see also how you have been improving or, or the other way around with your infrastructure, you need something else. So that is why we started Parallel Cloud or the application that is available open source but is in our SaaS where you can see the progress that you are building the cloud, if anything new is happening, you can see that very quickly. We are adding new checks and new features all the time. And that is one of the reasons also that we created Prowler Hub is a way for everybody to see everything that you can do with Prowler and also to learn how to do everything with Prowler.
[14:45]
Patrick Gray
Yeah, because I mean, previously you would have a situation where someone might write a check. They don't really describe it very well. It's just sitting there in GitHub. What does it do? Who can say? Right. And so you fix that with ProwlerHub, where you could really go in there now and actually know what you can expect from a particular check.
[15:02]
Tony De la Fuente
You can learn all the metadata, all the attributes that that check is doing, but also see the code and understand everything. And the same for remediations that we call fixers. So you can learn cloud security for any of our supported cloud providers from the very, very beginning. And also the compliance part, because at the end of the day we do the mapping between the technical checks and the compliance requirements. And that is also available to consume in the web UI, but also via an API in ProwlerHub. That is hub.prowler.com yeah.
[15:43]
Patrick Gray
Now let's talk about the sort of hosted SaaS version, right? Because it's interesting, you're really committed to the open source thing. I think it's cool. Like you are 100% committed to making all of this stuff available, both Command line and the SaaS platform. If you want to spin it yourself up, run your own web server with the Prowler SaaS platform on it, you can absolutely do that. As far as I know at the moment the only thing that you're charging for is actually the hosted version. You could just go do it with a credit card, which is quite nice. But then that begs the question, right? So let's talk about for a moment Prowler the business, because we've been talking about Prowler the platform. What's the play here? What are you cooking up, Tony Delafuente?
[16:28]
Tony De la Fuente
Well, the point of cloud security is, I think we said this at the beginning, is that to access a proper cloud security platforms is hard, are black boxes. They have a lot of controls and sometimes you don't even have that visibility. So what I wanted to do is, hey, don't worry because you can, since you have the need until you have the solution. Instead of going through procurement processes, black boxes solutions, go get an open source, an open platform, and in five minutes you get the results and if the value is enough, you pay us.
[17:12]
Patrick Gray
Yeah. And is that for the hosted version? You mean they pay you?
[17:18]
Tony De la Fuente
Yeah. So I mean our pricing model is based on resources, but also we are adding a new pricing model based on accounts or subscriptions or projects, depending on the cloud provider you use, which is even easier. The easy that Prowler is, it has to be also easy to consume and easy to buy. And that is what we are building in the platform. So we want you to have the solution as soon as possible and pay for it if it gives you value. And we are sure that Prowler is giving you value because we are, we have more controls than most of the cloud security vendors and growing all the time because we have an incredible community that is helping us improving controls, adding new controls and of course now with AI is even giving us a big push to improve everything that we do and help also our customers with end users. With everything that an LLM can do for cloud security, for example, I mean we call our AI capabilities is Prowler Lighthouse. You can ask Prowler Lighthouse pretty much anything that is going on in your cloud security and also ask Lighthouse to give you or any template to prevent anything new to happen, all the guardrails so you can create a very nice service, control policies or cloudformation or terraform templates to prevent resource exposure or to have for example, a database properly configured that is now easier than ever.
[19:01]
Patrick Gray
Is that part going to be open source, right. Where you are shipping it with like some open source model or something or like how does that work?
[19:09]
Tony De la Fuente
That is exactly what you said. We wanted also to have that open source because first, because it's very helpful and second, because nobody else is doing something like that open source. So you don't go to Wiz or Prisma Cloud, Palo Alto or anything and say, okay, give me your chatbot that I want to learn about that. So we are doing that to improve the product and to improve also the user experience. Because at the end of the day, we are builders and we are practitioners building something for our practitioners. Right. And is the way to learn. And of course, if you come to our platform, everything is already configured for you.
[19:50]
Patrick Gray
Yeah.
[19:50]
Tony De la Fuente
But if you get the open source option, you have to maintain and configure everything by yourself, which is fine if you want to, but you don't have to. If you come to our SaaS platform, we have users and customers in any place in the planet. Because at some point, any company, any organization goes to the cloud or for some tests or for some proof of concepts, but also for production workloads. And I'm talking from New Zealand to India to us, Argentina, Colombia, Brazil, pretty much anywhere in Europe as well, has cloud security needs. And if you have a cloud security need and you want a comprehensive platform that is offering you a solution in minutes, that is prouder.
[20:43]
Patrick Gray
Yeah. So let me ask you a question though, and this is more on the business side just because I'm curious, right. Like how much does the fact that all of this is available as free and open source code, how much does that complicate how you calculate your pricing? Right. Because there's going to be that point where people are like, that's too expensive, I'm going to do it myself. And you've chosen this path, so how do you navigate that? Because I've always wondered how you do that.
[21:18]
Tony De la Fuente
The cloud paradigm is different to back in the days of UNIX than Linux, but it's kind of similar. So not everybody wanted to admin and build everything by themselves and a lot of companies preferred and wanted to have Red Hat for example, because was everything ready? Because the, the storage storage, enterprise storage management that came with Red Hat was working way better and faster than anything that you had to, to compile or build by yourself at the end of the day.
[21:52]
Patrick Gray
Yeah. And wind up in, you know, spending like 10 hours per box in dependency hell.
[21:56]
Tony De la Fuente
Right, yeah, exactly. If you have cheap resources, you are going to have, you will want to build that by yourself and that is fine. But not everybody has cheap resources, not everybody has the time and not everybody has the knowledge. So that is why the business model works. And you can, you can see Mongo, the same for MongoDB, the same for Redis, the same for Elastic. Elastic. Elasticsearch with Elasticsearch is a very good example of something that was very accessible for everybody and everybody had the opportunity to, to build their search capabilities etc. With elastic but also building a company around, around that for massage also of course different type of services, which is what we are doing. We are building also business, we are doing business with oem. So other platforms that they are doing their security using Prowler or covering the security part of different type of platforms in the cloud with Prowler also intelligent services, different governments using Prowler and new cloud providers. There are new cloud providers, new players that we will see some coming up soon and they don't have a third party companion for their security and they trust Prowler and they pay us to support them.
[23:24]
Patrick Gray
Now look, Tony, in the past when I've spoken to you and I'm like, well this kind of sounds a little bit like an open source whiz, you know, you've sort of resisted that characterization, but I've noticed you are resisting it a little bit less these days. I mean, is part of the vision here to go after companies like that, are you seeing wiz customers churning onto.
[23:47]
Tony De la Fuente
Prowler in the cloud when if we talk about cspm, kspm, sspm, whatever or cnapp, pretty much everything because Gartner and other, they want to put everything in a box, that is fine. But honestly I don't care about that. I do care about solving the problems that everybody has in the cloud. Right. Helping the cloud security engineers, the architects, et cetera. And that looks like is the dashboard solution that all those solutions are offering. But there is a shift now to that is changing everything. Of course, that is AI.
[24:27]
Patrick Gray
Yeah.
[24:28]
Tony De la Fuente
So we want to be able to provide beyond the mapping with the. I mean finding that issue, but going beyond with Prowler. So the good thing of Prowler being open source, that adopting new technologies is also very easy. The example is now that we have released with Prowler, Lighthouse that is inside Prowler, we want to be able to go from the detection plane detections to being your engineer, your cloud engineer. That is not easy nowadays because LLMs are work in progress and MCPs, etc. But you are going to come to Prowler that already has the access to all your clouds to do whatever else you want to do because it's already built in Prowler.
[25:20]
Patrick Gray
Yeah. So this is less about the sort of wiz approach of cnappy kind of stuff and more about like if you want to have, you know, a securely administered cloud environment, I guess is more the thinking here, which is a different. It is coming at it from a different angle. So I can see why you would resist the, you know, you would say that they're not really doing the same thing.
[25:41]
Tony De la Fuente
The point is, at the end of the day, people knows about the big ones and they want to see their mapping also in their heads. Right. And of course there are some basic needs in any security platform. Right. Like the integrations, alerts, this reporting, you know, the compliance part. That is fine and that is something that we have in Prowler and we are adding more features.
[26:04]
Patrick Gray
But it's not what gets you going. Right? Like it's not what gets you excited. Yeah, yeah, yeah, I get it.
[26:09]
Tony De la Fuente
Exactly. Exactly. So let's have the basics, but let's go beyond that. Let's fix the cloud security problems of tomorrow with tomorrow technology as well. Right. Or the current technology and AI is changing all that stuff. And we are, that is why we are so excited with Lighthouse is because we want to be also telling the people, hey, before this is happening, do this, et cetera. So. And also with the MCPS and the agentic AI, considering that we have at Prowler the access to all the clouds. So you can keep building the new way of assessing the cloud, but also fixing the cloud.
[26:52]
Patrick Gray
Yeah. So you talk about AI. I recently caught up with an old friend in Melbourne who is just such an old school guy and very much a cynic on all new technologies. Just nothing impresses him. And I caught up with him and I said, what have you been up to? He said, I've been playing around with AI. It's amazing. And this is the thing, like you're jazzed about this. I can see why. Like I work with a bunch of startups and increasingly the interface for a security product these days doesn't look like a console with charts all over it. It looks like the search box from Google 20 years ago. You know what I mean? It's just like a blank page with a box in and you just tell it what you want to do. I mean, it does. And when you see that it works for a lot of stuff. I feel like the hype around stuff like ChatGPT as like a general model has distracted from the stuff where AI is actually really useful, which is for specific tasks which can be mundane but require a whole bunch of book knowledge, like working in a soc, like sysadmining and whatnot. And that seems to be what you're finding as well, right? Have you got demos of the AI stuff already?
[28:04]
Tony De la Fuente
Yeah, I mean, we have been working on that in the last six months already. Now it's in production, kind of in preview mode. Like everything in AI is preview. Right.
[28:15]
Patrick Gray
Are you surprised, Let me just ask, are you surprised by how well that stuff works? Because most founders, I know, when they actually mess around with it, they say it's not perfect, but they are surprised at just quite how much they can get done with it.
[28:27]
Tony De la Fuente
Yes and no. Let me explain. It's very helpful and the AI and the gen is helping a lot to glue words and to put things together. That is great to do a brief summary about an assessment, for example, for us, or tell me more about the risk of this or how to break into that. All that stuff is very good. But when it comes to the integrations and getting specific information with a vast amount of data, you have to fine tune prompts. You have to do a lot of things.
[29:06]
Patrick Gray
Yeah, they do tend to fall over once you hit a certain level of complexity. Right?
[29:11]
Tony De la Fuente
Yep. Yeah. The point is, if you have a JSON file with 200 entries and you ask an AI to do something with that based on whatever additional model is easy. But when you have a lot of files or database entries and you want to put things together, that is not that easy. And the information you get, the advice that you get is not always perfect.
[29:42]
Patrick Gray
What are people using it to do? Like now, like, do they just turn up and ask the AI, hey, it's my first day using this tool. What should I do? Do you sort of find people are using it as like a bit of a coach?
[29:53]
Tony De la Fuente
Yeah, we do that with Product Lighthouse. So we tell you, hey, try to ask this or that. And also we give you proactive information every time that you. You do an assessment. But the point is that when you. When it comes to using an MCP or the way we have it is like on top of our database there is a rollback access control and our AI is on top of our RBAC to make sure there is no information leak.
[30:23]
Patrick Gray
Yeah.
[30:25]
Tony De la Fuente
That is also key in any type of deployment of security tools with AI. So to make sure a user can access the information that that user has to access, not more, not less. And that is key also. And that is a challenge. It's a huge challenge now with mcps, because MCP are something that are working very well. But when. You know what happens when something is very helpful that is used widely and probably too much and without even having security into consideration. We have also an MCP for Prowler Studio. That is our platform to create new controls with AI. And that is not a security problem because you are. For example, you can install that MCP into cursor, with cursor to create your checks. And that is working directly with our database of checks and generating new checks. But when it comes to customer data or your own security data, that is different. And that is what we built in Prowler Lighthouse on top of our rbac.
[31:32]
Patrick Gray
Yeah.
[31:33]
Tony De la Fuente
So all those challenges are very important to take into account when you develop your AI strategy. Right?
[31:41]
Patrick Gray
Yeah, 100%. Well, that's all really interesting stuff. Tony De la Fuente, it's fantastic to see you again and to, you know, hear about. I always like talking to you about Prowler because you are so enthusiastic about it. It's always good to hear what you've been up to. Great to see you, my friend. And we'll chat again soon.
[31:59]
Tony De la Fuente
Thank you, bud. See you soon.