Risky Business Snake Oilers – April 9, 2026

Episode Theme:
This edition of the Snake Oilers podcast, hosted by Patrick Gray, spotlights three innovative security vendors—Portswigger (Burp Suite/Burp AI), Sondera, and Truffle Security (Truffle Hog). Each segment offers deep insight into how these companies are reshaping the landscape of application security, AI agent governance, and secrets management in the age of rapid software development and pervasive AI adoption.

1. Burp Suite/Burp AI by Portswigger

Guest: Daf Stuttered (Founder, Portswigger)
Segment Start: 03:02

Key Discussion Points

• The Evolution of Burp Suite & Integration of AI

  • Burp Suite, launched in 2003, is now used by 80,000+ professionals in 20,000+ organizations worldwide.
  • Portswigger is bridging manual desktop testing (Burp Suite Pro) and enterprise-scale automation (Burp Suite DAST) using AI.
  • Burp AI launched in early 2025, focusing on copilot-style features to accelerate human testers' workflows rather than replacing them.

• Real-World Impact of Burp AI

  • AI helps users quickly move from suspicious findings to working exploits, automates tedious tasks like access control checking, and increases productivity for large pen testing teams.
  • “Orange Cyber Defense deployed Burp AI to all of their pen testing team. Found that they're able to go generally between two and five times faster in their work and paid for itself in the first two or three engagements.” – Daf Stuttered [04:13]

• Boundaries of Automation & the Role of Humans

  • Portswigger views AI as a powerful "accelerator," not a replacement for skilled human testers.
  • Humans remain necessary for oversight, coverage, and preventing risky AI decisions—especially where LLMs might "make stuff up” or act unpredictably.
  • Memorable Quote: “Pretty much anything we do with AI, there is still that need for that human in the loop to keep it on track and make sure it's doing the right thing… particularly with offensive appsec.” – Daf Stuttered [06:20]

• AI Broadening Access to Testing

  • AI lowers the skill barrier for non-experts and small teams needing basic security testing, while also serving as a “force multiplier” for top experts like James Kettle.

• Addressing AppSec Team Challenges

  • Enterprise AppSec teams face overwhelming, ever-changing attack surfaces due to frequent releases and AI-generated code. Burp AI enables teams to keep up.
  • Patrick Gray: “Now people are of course using AI to generate the code as well and just yeet it into prod instantly.” [11:30]

Burp Suite DAST: Enterprise-Scale Automation

• Shares its core scanning engine with Burp Suite Pro.
• Seamless transition between manual and automated workflows using custom configurations and checks.
• Quote on Custom Checks: “One great example… when [the React to Shell] bug dropped, we were able to release a custom scan check pretty much instantly… deployed it straight away…” – Daf Stuttered [13:34]
• DAST tools find classes of vulnerabilities (e.g. request smuggling, cache poisoning) that SAST/AI can miss—these only manifest at runtime.

Notable Timestamps:

• 04:13 – User success stories and productivity gains
• 06:20 – Why skilled humans are still needed
• 09:40 – AI for broader markets: from SMEs to experts
• 12:36 – How DAST complements AI-era testing

2. Sondera – Deterministic Controls for AI Agents

Guest: Josh Devon (Co-founder)
Segment Start: 18:23

Key Discussion Points

• What is Sondera?

  • Builds a harness and control plane for AI agents. The harness acts as a “man-in-the-middle” on agent trajectories, giving visibility and deterministic control.
  • Unlike “guardrails” that just add an extra AI layer, Sondera uses policy as code for real-time, provable, and enforceable governance.

• Technical Overview

  • The harness can be instrumented into custom agents (via open-sourced SDK) or installed as hooks in third-party agents (e.g., Claude Code, GitHub Copilot CLI).
  • Monitors every step of an agent’s process, both before and after tool decisions, maintaining stateful context (not just step-by-step).

  Quote: “What the harness does ... is man in the middle… the agent trajectory.” – Josh Devon [18:23]

• Defense Against Context-Splitting Attacks

  • Handles attacks where sensitive information is split across multiple agent steps (analogous to historic packet fragmentation attacks).
  • Maintains full context throughout agent “flight,” crucial for compliance (e.g., GDPR) and preventing data leaks.

• Deterministic Policy Enforcement

  • Uses the Cedar policy language for policy-as-code. Sondera’s auto-formalization process converts enterprise procedures and natural language guidelines into enforceable, verifiable code.
  • Avoids “prompt suggestion” pitfalls by directly blocking noncompliant agent actions, regardless of prompt injection or emergent behaviors.

  Quote: “We are not using another model to judge the behavior of another model. What we're doing is using policy as code in real time to evaluate the agent's behavior.” – Josh Devon [24:02]

• The Principle of Least Autonomy

  • Ensures agents operate with tightly bounded permissions to avoid “insider threat on steroids” risks.

  Memorable Analogy:
  “You’ve got to treat every agent like it’s a person with awesome hacking skills, worse judgment than a human being, and zero fear of consequences for violating company policy.” – Patrick Gray [27:40]

• Simulation and Policy Optimization

  • Sondera supports dry-run "simulation" of agent deployment—enables CISOs to test proposed policies and agent access scenarios before real-world release.
  • Generates “agent cards” summarizing capability and risk. Uses adversarial LLMs to probe agent action space and identify risky flows, iteratively refining policy controls.

Notable Timestamps:

• 21:42 – Stateful trajectory analysis and defense against context splitting
• 24:02 – Policy as code for real-time agent control
• 27:40 – Treating agents as “insider threats”
• 29:08 – Agent deployment simulation and risk assessment

3. Truffle Hog – Next-Gen Secrets Detection & Lifecycle Management

Guest: Dylan Airy (Founder, Truffle Security)
Segment Start: 33:14

Key Discussion Points

• Why Secrets Management Is So Difficult (and Critical)

  • Secrets sprawl (API keys, credentials) is one of the most impactful and complex security challenges in AppSec—arguably harder than SAST or SCA.
  • Truffle Hog focuses on end-to-end secrets lifecycle management: discovery, validation, tracing, and remediation.
  • 800+ integrations allow for real-time testing and validation of exposed keys across a wide range of platforms.

  Quote: “We create accountability for being able to measure when [leaked secrets] get remediated or fixed… by testing the key by doing an API call…” – Dylan Airy [33:14]

• Why Truffle Hog vs. Built-In Tools Like GitHub Advanced Security

  • Many customers run both GitHub’s push protection and Truffle Hog; the former blocks some secrets by default, but Truffle Hog provides deeper validation, better noise reduction, and a single view across all platforms.
  • GitHub’s liveness checks and permissions contextualization are far less mature.
  • Truffle Hog consolidates findings across varied locations (e.g., code, chats, cloud storage) and tracks remediation to true closure.

• Secrets Leak Hotspots

  • Rough breakdown:
    • 60-70% of exposures: code repositories (Git, SVN)
    • 15%: Atlassian suite (JIRA, Confluence)
    • 10%: chat platforms (Slack, Teams)
    • Remainder: logging pipelines, Postman, etc.
  • Leaks in logs and public channels may be less common but can be catastrophic (“a public slack channel where it's the entire company…” – [40:16])

• AI and the Growing Threat

  • AI coding assistants substantially increase secret exposure risks by hardcoding keys, reusing credentials, and often bypassing traditional peer/automated reviews.
  • Some executives now prioritize shipping AI-driven features over security concerns, accepting risk for speed—while security teams are left to manage the aftermath.

  Quote: “Some CEOs...are so hellbound on getting their organizations to adopt AI, they are sidelining security...Skip the security review, skip the person saying, we'll figure that out later.” – Dylan Airy [44:01]

  • Security staff often find AIs using user credentials to do things end users never intended (“it starts pillaging through my home directory to find the secret to do the deploy itself.” – [45:09])

• End User and Buyer Profile

  • Still primarily sold to AppSec teams (even though it arguably addresses broader IAM/identity risks).
  • Provides sophisticated triage but relies on customers to set business context for true prioritization.

Notable Timestamps:

• 33:14 – Why secrets management is uniquely challenging
• 36:21 – Limitations of built-in tools and where Truffle Hog adds value
• 39:12 – Where secrets leak most frequently
• 44:01 – Impact of AI coding and shifting executive attitudes
• 46:03 – Who in the organization actually buys and uses Truffle Hog

Memorable Moments & Quotes (with Timestamps)

• “If anyone confidently tells you where we're going to be in two or three years with AI that they're probably speculating.”
  – Daf Stuttered (Portswigger) [06:20]

• “You're building insider threat software on steroids.”
  – Patrick Gray to Josh Devon (Sondera) [27:40]

• “There's a long list of problems with [GitHub’s] liveness checks...so for the long tail of everything else, they'll still use Truffle.”
  – Dylan Airy (Truffle Security) [36:21]

• "Some CEOs...are so hellbound on getting their organizations to adopt AI, they are sidelining security and they're saying, look, we need to pick up these agentic workflows. It will make us 100 times faster. Skip the security review."
  – Dylan Airy [44:01]

Summary Table of Segments

| Segment | Guest | Core Theme | Key Points | |----------------------|------------------|---------------------------------------------------------|--------------------------------------------------------------------------------------| | Burp Suite/Burp AI | Daf Stuttered | Using AI to supercharge manual & automated AppSec testing | AI as productivity multiplier; still requires humans for oversight; DAST runtime attacks| | Sondera | Josh Devon | Deterministic mid-flight controls for AI agents | Policy-as-code, stateful harness, agent simulation, defense against context splitting | | Truffle Hog | Dylan Airy | End-to-end secrets discovery/validation | Cross-platform, liveness checks, AI amplifying risk, limitations of built-in tools |

In the words of Patrick Gray (47:02):
“I did not think that, you know, you would need an entire company just to do secrets tracking and I was absolutely wrong about that, because now when I look at where Truffle Hog is, what it's doing, it's absolutely something people need.”

For further information: Each vendor and project has links in the show notes at Risky Biz.
End of summary.