Safe Mode Podcast: "Rethinking Resilience with WatchTowr CEO Benjamin Harris"
Release Date: October 16, 2025
Host: Greg Otto, Editor-in-Chief at Cyberscoop
Guest: Benjamin Harris, CEO of WatchTowr
Episode Overview
This episode dives into the evolving meaning of resilience in cybersecurity, with a particular focus on vulnerability management, patching, and attacker behaviors. Host Greg Otto interviews Ben Harris, CEO of WatchTowr, exploring whether companies need to fundamentally rethink how they approach resilience in the face of sophisticated, persistent threats—and whether fault can be considered "forgivable" or "unforgivable" in recent high-profile security incidents.
Key Segments & Insights
1. Exposing Satellite Security Weaknesses
With Derek Johnson (Cyberscoop) ([01:40]–[10:45])
- Academic Research on Satellite Data Security:
Researchers from University of Maryland and UC San Diego used commercial ($600) satellite equipment to intercept unencrypted data—including SMS, calls, and military signals—from geostationary satellites.
- Low Barrier to Exploitation:
“You kind of just need technical know-how and a hundred dollars’ worth of equipment … what can you do with more funding?” – Derek Johnson ([05:30])
- Critical Infrastructure Concerns:
Unprotected satellite links act as weak points in global information flow.
Greg Otto: “This stuff should basically be labeled as critical infrastructure.” ([08:23])
- Industry Response:
Entities mostly downplayed the research, offering standard assurances with little real change.
- Core Lesson:
“Society by and large [is] not treating intermediate geostationary satellites like the information transferring hubs that they are and protecting them accordingly.” – Derek Johnson ([07:42])
2. Interview with Ben Harris, CEO of WatchTowr
Main Segment ([11:56]–[34:46])
WatchTowr’s Approach to Vulnerability Research ([12:26]–[14:05])
- Culture of Rigor & Openness:
The team at WatchTowr is deeply passionate and opinionated, balancing personal drive and business utility.
- Research Focus:
Vulnerability research is driven both by technical curiosity and client need, with findings directly feeding into preemptive simulation tools.
Evolving Attacker Strategies & Patch Evasion ([14:52]–[19:00])
- Attackers Maintaining Persistence:
Fast patching used to close incidents, but attackers now deploy stealthy backdoors pre-patch, subverting resets and creating long-term threats.
“Patching fast is great, but actually doesn’t necessarily tell you that you’ve actually dealt with the incident.” – Ben Harris ([18:39])
- Examples:
- Ivanti Connect Secure: Attackers bypassed even factory resets ([15:54])
- Similar patterns observed in SAP NetWeaver, Fortinet FortiGate, and others.
The Patch Management Paradox ([19:00]–[20:48])
- False Sense of Security:
Enterprise metrics that simply count patched vulnerabilities are outdated.
Teams lack tools to verify if edge devices (like VPN appliances) are truly secure post-patch.
“If you patch your appliance, is it compromised? Who knows? Like literally who knows? There is no way to find out.” – Ben Harris ([19:43])
Network Edge Device Vulnerabilities ([20:48]–[23:13])
- Lack of EDR on Devices:
Black-box nature and technical idiosyncrasies of network appliances prevent visibility or forensic monitoring.
- Industry Maturity Needed:
Vendors must evolve to offer real monitoring as a selling point. Harris predicts the first vendor to offer proper appliance visibility will meet a strong market need.
Rethinking Resilience in Cybersecurity ([23:13]–[26:24])
- Beyond Vulnerability Management:
True resilience is about business continuity, not perfect prevention.
“Cyber is about resilience. It’s not about preventing every cyber attack, it’s about making sure that they don’t take you down.” – Ben Harris ([23:50])
- Privilege and Scale:
Small organizations are at a disadvantage; true operational resilience may only be possible at enterprise scale.
- Defaulting to “Assume Breach”:
Modern reality forces all organizations to accept breach assumptions and build processes accordingly.
The “Assume Breach” Debate ([26:24]–[29:06])
- Defense-in-Depth vs. Threat Hunting:
Traditional “assume breach” approaches emphasized bigger walls; modern attacks require active threat hunting, anomaly detection, and an understanding of attacker dwell time.
- Dwell Time and Detection Difficulty:
“Threat hunting became less of, can you spot malicious, but can you spot anomalies, or can you spot, like, abnormality in the environment?” – Ben Harris ([28:59])
Role of Threat Intelligence ([29:06]–[31:35])
- Using Real-Time Data Proactively:
WatchTowr’s philosophy is “attackers defend against attackers”; understanding adversary TTPs enables replaying attacks in safe environments to detect and block tactics before damage escalates.
- External Signs of Compromise:
Observing attacker behavior in the wild informs proactive defense for clients and enterprise defenders.
Game: “Forgivable or Unforgivable?” ([31:35]–[34:45])
- Oracle CVEs:
Forgivable: “Because it’s such a complex chain.” – Ben Harris ([31:38])
- Fortra GoAnywhere:
Unforgivable: “Transparency is a choice. … at this point, based on what we see, I would describe the situation as unforgivable.” – Ben Harris ([32:25])
- Salesloft:
Forgivable: SaaS platforms’ interconnected nature makes them tempting targets, and many SaaS companies lack mature defenses ([32:54])
- Ivanti EPMM:
Unforgivable: Lack of proactive internal process and unnecessarily painful remediation elevate it beyond “forgivable” ([33:40])
“The expectations on these vendors to do the right thing is really not that high.” – Ben Harris ([34:11])
- Industry Culture:
The “secure by design” pledge often gets watered down in legal negotiations, falling short of real commitment.
Notable Quotes
- On researcher ethics and vendor responses:
“Entities mostly downplayed the research, offering standard assurances with little real change.” – Derek Johnson ([07:42])
- On patching and persistence:
“Where we used to see just really quick exploitation, now we’re seeing incredibly quick exploitation coupled with fairly subtle backdoor attempts … attackers can maintain their access and continue their attack further on.” – Ben Harris ([15:54])
- On the reality of detection:
“Is it compromised? Who knows? Like literally who knows? There is no way to find out.” – Ben Harris ([19:43])
- On the future of resilience:
“The next step, I think, will be trivializing that or, sorry, commoditizing that ability to assume breach … in an affordable manner, that’s where we need to be able to get to as like an industry.” – Ben Harris ([24:41])
- On what’s “forgivable” in security:
“If vulnerabilities are a fact of life … transparency is a choice.” – Ben Harris ([32:25])
Key Takeaways (w/ Timestamps)
- Data sent through space is not as protected as assumed—satellite links must be treated as critical infrastructure ([08:23])
- Modern attacks focus on persistence and stealth, rendering fast patch cycles alone insufficient for true defense ([18:39])
- Enterprises face significant limitations in detecting and eradicating advanced compromises on their network appliances ([20:48])
- Resilience requires threat hunting & ‘assume breach’ culture, not just patch management ([23:50], [26:24])
- Vendor transparency and maturity are critical and distinguish “forgivable” from “unforgivable” security lapses ([32:25])
Listen to the full episode for richer context on the industry’s biggest challenges, approaches to resilience, and persistent themes in enterprise defense.
