
Greg sits down with Adam Meyers, Head of Counter A…
A
The real conversation that experts are having around AI and cybercrime. Welcome to Safe Mode for 2026. Welcome to Safe Mode. I'm Greg Otto, editor in chief at CyberScoop. Every week we break down the most pressing security issues in technology, providing you the knowledge and the tools to stay ahead of the latest threats, while also taking you behind the scenes of the biggest stories in cybersecurity.
B
An attack is coming.
A
It's about keeping us safe.
C
He's just a disgruntled hacker.
D
She's a super hacker.
B
Alert.
C
Stay safe.
E
Stay safe. This is Safe Mode.
A
Welcome to this episode of Safe Mode. I am your host, Greg Otto. In this episode, we are talking to not one, but two experts from CrowdStrike. We'll be talking to Adam Meyers, the head of Counter Adversary Operations, and Elia Zaitsev, the CTO of CrowdStrike. Really interesting conversation about how they label AI as sort of being the overarching reason that we're in the steroid era of cybercrime. So interesting conversation there. And speaking of cybercrime, interesting story to talk about. This week, joined by Matt Kapko, we've had our first big cybercriminal takedown. I would categorize it as. Matt, give us the details.
D
Yeah, thanks for having me on, Greg. So this is Red VDS. This was a cybercrime marketplace that became a prolific tool for cybercriminals in the past year. Microsoft, some industry partners, Europol and authorities in Germany. They seized domains and infrastructure that were used to run this platform. It was really slick. It had a nice user interface, offered all sorts of services, including virtual machines, Windows based desktop, remote desktop protocol servers. Cybercriminals used all this infrastructure for scams, mass phishing attacks, credential theft, account takeovers, and other frauds such as business email compromise.
A
So it really ran the gamut. I would say some of the details. I was going to ask you what could you do? But it sounds like what couldn't you do if you were an aspiring cyber criminal? And I will say that it also had almost to its detriment, like really good SEO. Like, as we were looking through details, I was googling through and sure enough, if you go to Google Red VDS, it still comes up. Obviously the website does not work anymore, but really kind of flagrant in the cyber criminal atmosphere where I can just Google your service and it comes up like it was any other SaaS product that is out there. So what were some of the victims that were talked about here that had fallen prey to cybercriminals using this service?
D
Yeah. So Microsoft said that it was used to facilitate thousands of attacks just in the past year. It's been around since 2019. Victim organizations were hit in real estate, construction, manufacturing, healthcare, logistics, education and legal services. So again a widespread. But two victims in particular, they joined Microsoft as co-plaintiffs in a civil action against Red VDS. This included Alabama based H2 Pharma. This is a pharmaceutical company that lost more than $7.3 million. And then a Florida based condominium association called Gatehouse Dock Condominium Association. They were tricked out of a half a million dollars.
A
And that really goes to show. I thought that was very interesting in that look it you really have no idea. Not that you really don't have any idea but like the opportunistic nature of cybercrime. Like we're not talking about Goldman Sachs or you know, some big pharmaceutical company there. I mean H2 Pharma is a pharmaceutical company but we're not talking GlaxoSmithKline or something like that. That it really goes to show that cybercriminals are out there. And the financially motivated ones. Like I, I think that term financially motivated gets glossed over a lot because it's, it sometimes is used as just oh, it's not a nation state where. No it's not. But like that's what motivates them. Financially motivated and it's very opportunistic in that they will find money no matter where it is, no matter how big or how small the organization is.
D
Yeah, that's right. I mean with real estate in particular, I think this is a good example. I mean they're just really smart. They knew when deals were closing and would get in that way. Right. When it's just diverting payments, when they know that a payment is going to be transferred, they break into that system at that moment and have those funds transferred to them directly. Basically by tricking these organizations into thinking that they're paying the right person.
A
And not just necessarily a US thing. I mean Red VDS was used pretty internationally.
E
Correct.
A
I remember looking at a heat map that Microsoft put out and this was not necessarily just a US thing.
D
That's correct. Yeah. It was global in nature. Some of the victims were Microsoft customers as well. I think that explains why Microsoft got so heavily involved in this. Also using Microsoft, you know, infrastructure, not Microsoft owned infrastructure, Microsoft tools. Microsoft said attacks were enabled by Red VDS. They compromised more than 191,000 Microsoft email accounts, more than 130,000 organizations worldwide were impacted by that. I mean, it was global in nature, as you said.
A
And going back to the point that you were saying, the real estate fraud alone, I feel like that has kind of stopped being in vogue among all the other things that we write about. But I mean, 9,000, I think was the stat, 9,000 customers and beyond the U.S. that were directly impacted by the real estate related fraud in this too. So it goes to show that not, I go back to the word sophisticated, we throw around that word so much. This didn't seem to be very sophisticated. It's almost like the blocking and tackling of cybercrime where, no, we're just using this service to run real estate fraud and taking all the money that we can grab.
D
That's right. And they also set up the service to work this way. So they rented servers from third party hosting providers from multiple countries, which allowed cybercriminals to use IP addresses that looked like they were located close to targets. So that would evade all location based security controls and blend in with normal traffic. So it looks like someone who's supposed to be communicating with you or operating on your network.
A
And that's another thing too, the third party hosting. Bulletproof hosting, still a problem. I mean it's, it's, we've, we've written about it for a while now. I have had conversations when you back to the last decade about it. I mean, as long as there is somebody willing to stand up a server and not really ask any questions about what is transpiring on that server, we're going to have these types of problems.
D
That's right. And it's showing up everywhere. This is just one more example where bulletproof hosting providers are a key part of their operation.
A
All right, Matt, really appreciate you covering what is the first major takedown of 2026. I'm sure there will be plenty more this year as there has been for the past few years. And I know you will keep our readers and listeners on top of it.
D
Wonderful. Thank you so much, Greg.
B
Thank you.
A
Joining us on this week's interview segment is Adam Meyers, head of counter adversary operations for CrowdStrike and Elia Zaitsev, the CTO of CrowdStrike, really getting into how AI has changed the cybercrime landscape. Like, look, we've been talking about AI for a while and a lot of those conversations have been around how attackers are using AI. And up until about, I want to say, the fall of 2025, a lot of that has been centered around social engineering or how attackers were using AI to craft better language to help their schemes. Now, Adam and Elia talk about how attackers are going to the next level and really finding novel ways to use AI on the technical side and what that means from the standpoint of lowering the bar to entry for cybercriminals, how model supply chain risks can lead to broader implications, and really what is the difference between AI security and securing AI? Really interesting conversation, these two. Really, you can tell about 20, 20 minutes in that they loved talking about this. So really fascinating conversation. Check it out.
E
All right. And joining us on our interview segment this week, not one, but two CrowdStrike experts really excited for this conversation. Joining us is Adam Meyers, the head of counter adversary operations for CrowdStrike and the host of a podcast himself, CrowdStrike's Adversary Universe podcast, and Elia Zaitsev, the CTO of CrowdStrike. Gentlemen, really appreciate you hopping aboard.
B
Thanks for having us, Greg.
E
So when this interview was pitched to me, there was a really interesting turn of phrase and talking about 2025 as the steroid era for cybercrime and how AI really shook things up over the course of the year. So given your two's expertise here, I would just love to open it up to say, you know, when we think about that term, the steroid era of cybercrime, what is the one observable change you'd point to that somebody that is, I don't want to say a novice, but like cybersecurity adjacent, somebody that needs to understand how cybersecurity operates in an enterprise. What's the one observable change that you can point to when it comes to this era? Is it speed? Scale? Success rate, Victim selection? All of the above. Where do we see the changes?
C
I'd say it's probably three things. One of the biggest things that we've seen over the last, let's say, 18 months. And this is something we highlighted in our Global Threat Report, which came out last year. We've got another one that'll be coming out pretty soon as well. Was the first was the shift in how adversaries are gaining access on the eCrime side in particular, we've seen a massive shift, I think everybody's familiar with, with kind of the, the old phishing attack where you get an email and there's a malicious attachment, you open it up and maybe it's a Microsoft Office document with malicious macros and it writes malware and so on and so forth. Everybody's kind of familiar with that. But what we've seen is a significant shift away from the endpoint as the initial access vector because things like endpoint detection, response technology, next gen technology has made it very difficult to use that technique. It's kind of like walking into an airport with a water bottle. You're probably going to get stopped. And so the adversaries, rather than working harder, they found another way. And we noted that voice based phishing has really taken off. We saw 442% increase in voice based phishing attacks. Adversaries are increasingly calling the help desk and pretending to be a user who lost their password and getting the password reset. And from there they have a legitimate account, they can log in. Oftentimes they'll need to enroll their own multi factor authentication device and they have ways to kind of convince the help desk to help them do that as well. And that's kind of one approach. The other thing we see also is some adversaries will target individual users. They'll blow up their email with a bunch of spam messages and then call them pretending to be the help desk. And so these things have really changed how the adversaries are gaining access. The second thing is speed.
B
Hold on Adam, let's, let's let me double click on that one for a second and you know, talk to Greg a bit about like what, what, why is that happening? Right, like, or what's, what's helping to enable it? Because AI, you know, adversarial use of AI is actually at the center of that. And I think, you know, the first example that Adam gave, you know, the voice based, you know, phishing attacks, that's one that I think even, even non technical, non cybersecurity individuals listening to this potentially would probably really viscerally connect with. I don't know about you, but my phone sometimes is unusable because I'm getting so many spam recorded voice calls. I feel like I've been offered several million dollars of approved loans every single day. That didn't happen, you know, a year or two ago, a year or two ago there was a human calling me up with a noticeably thick accent in a loud call center from a foreign country or those emails that were coming in that Adam mentioned. It was pretty easy back in the day, two, three years ago, just to look for horrific spelling and poor grammar and things like that. One of the reasons why the adversaries have shifted to these tactics Adam mentioned to some extent it's because we've locked the front door, right, with, with modern advanced cybersecurity technology. But also those social engineering techniques are much more effective because we have generative AI technology. Now adversaries have, you know, basically at the margin, zero cost, super effective technologies to create very convincing, you know, native language sounding voice, you know, voice recordings, interactive conversations with agents, you know, English, English emails that have better spelling and grammar than many native speakers do. So those techniques have gone much cheaper, much quicker and much more effective, which I think is another big reason why we're seeing a big spike in that kind of activity.
E
So with the success rate on the social side, Adam, you were also talking about speed there. I would love to talk about that and dive into that a little bit more.
C
Yeah, absolutely. One of the things that we always calculate is what we call the breakout time. That's how long it takes for an adversary to go from initial access. They successfully social engineered the help desk or the user.
B
Right.
C
Humans are always the weakest link in that security chain. And then how long does it take for them to get to something meaningful? And we calculate that as breakout time. In 2023, the average breakout time that we observed was 62 minutes. In 2024, the average breakout time was 48 minutes. So the adversary got 14 minutes faster on average. And the fastest breakout time we saw was 51 seconds, which is less time than it takes to make a cup of coffee. So you can imagine that speed in combination with the adversary's ability to use different approaches to gain access, both through social engineering, which we've talked about. The other thing we've seen, and this will tie back to AI, and I think where this goes in the future is a massive increase in the use of vulnerabilities for initial access. Adversaries have increasingly targeted the security devices. Many enterprises rely on the things that connect their enterprise to the Internet. VPN concentrators, firewalls, routers, switches. And so they've really been able to kick up the speed at which they're able to gain access and then to move laterally and then having the vulnerabilities. A lot of the vulnerabilities we're seeing even now, we've seen some indications that some of the exploits that are out there have been developed with the, the use of AI. There's artifacts in the exploits that we're finding in some cases that kind of let us know that some of the comments and the structure came from an LLM and that helps kind of facilitate building that exploit. So that's the second piece, and I'll take a pause and see if Elia wants to comment on that before I move to the third thing, which is I'll reveal that in a second.
B
Yeah. Thanks, Adam. So, yeah, just maybe to talk a little bit more or give a different perspective also on the vulnerability aspects. I think there's another angle to it, which is not just that new AI technology makes it easier and quicker for adversaries to, in some ways, you know, semi autonomously discover vulnerabilities. There's another aspect which I think is probably more relevant in the consumer space, but I wouldn't be surprised if it crops up in the enterprise too, which is the introduction of more vulnerabilities into poorly written insecure code that could come from, you know, amateur developers, or not really developers, vibe coding and creating applications. I think a lot of people have heard the term knowledge or the term AI slop before, or at least in the last year, but that's usually been in reference to like, you know, pictures and news, you know, news feeds and things on social media. But if you look at like, some of these open source projects, the amount of automated commits coming into them and brand new projects being thrown up onto GitHub that were coded entirely, you know, through agentic systems by people with little to no coding experience, those technologies, if used correctly by experienced developers and architects, can actually, you can use them to create safer code and create tests and look for vulnerabilities. But if you don't know what you're doing and you don't prompt them correctly, they'll actually introduce potentially a ton of security risks and vulnerabilities, which of course makes it even easier for adversaries to exploit, you know, exploit them and do malicious things, whether they're doing it the old fashioned way or the new, you know, AI supercharged way.
E
So whether it's.
C
Sorry, go ahead.
E
No, I was gonna say. So whether it's vulnerabilities or talking about the vibe coding stuff, like you're hitting on a bunch of topics that I definitely want to get to. But I wanted to go back to what Adam was talking about in terms of the vulnerability prompting and diving into that a little bit more. What part of an intrusion is becoming promptable in your eyes? Because I think I go back to one of the bullet point moments of 2025 was the Anthropic report that they discovered, like a large. I don't know if you want to say large, but definitely like an operation that was built to automate parts of an attack that was much more, quote, unquote, traditional. Like it wasn't so much social engineering as it was sort of exploiting vulnerabilities. So I'm wondering in your eyes, what part of an intrusion is becoming promptable now? Is it the recon, the exploit selection, or that initial vulnerability that you were talking about before?
C
Yeah, I'd say all of it. And the Anthropic report, I think, was kind of highlighting the potential for this. But even in that report, they said that there was still some degree of hallucinations and that they still had to have humans in the loop. I think as the technology continues to progress, we'll see more, more and more that the AI will be able to do a lot of that without human, you know, interference or having a human in the loop. But the other thing that I think is important, based on kind of what Elia was talking about with the vibe coding, it also depends on what model you're using. We released a report a few weeks back where we had done research into, and this goes back my team wanted to use some models from Chinese companies like DeepSeek and Qwen, and they wanted to use those to do vibe coding for some stuff. And I said, absolutely not. And so they set out to try to prove me wrong and say, no, these, these models are safe. We should be able to use it for, for coding. And what we found was that when you ask the, these models to develop code for you, if you add geopolitical context, right. I'm, I'm a US company doing X, Y and Z, that in certain cases, the introduction of vulnerabilities by the AI it intrinsically had built in this kind of, you know, whether it was aligned to ideology. I like to call it a loyal language model. But, you know, looking at things like DeepSeek, if we asked it to write code for the Falun Gong or the Uyghurs, which are kind of both groups that have been marginalized inside of China, that it introduced vulnerabilities 50% of the time that it didn't. If you were saying, hey, I want to build the same application for a European soccer team or football, depending on, on how you want to call it. And you know, for example, we asked it to build a social media application for the Uyghurs, and it actually didn't have any of the authentication and session management built in, just completely omitted it. 
So you could just go to the admin page and see all of the users emails and phone numbers and geolocations. So the model that you choose is also really important in kind of determining what that outcome is.
B
And I do want to come back, Greg, in a second if we have time to talk a little bit more about the first part of the question on how adversaries are using it for actual operational control and whatnot. But on the, on the model side, you know, Adam, first, I'll just quickly say, in case anyone's curious. Adam's team aside, you know, for research purposes, we do have blanket prohibitions on any internal usage other than, you know, research, you know, threat intelligence experimentation from models of, you know, questionable provenance for, for this exact reason, I think a lot of people mistakenly think, well, it's, it's air-gapped, right? I'm not, I'm not sending data to a Chinese hosted server. I'm just running an open source model in my own environment. But to Adam's point, fine, it's air-gapped. But once it's running code, and once that code is connected to a network, right, it may have vulnerabilities inserted into it unintentionally or intentionally. And this brings up a kind of a broader topic of the idea of data poisoning or, or data training poisoning, where, you know, in this case, in the case that Adam brings up, you know, it's speculation, but you could, you could assume or you can make an assumption or hypothesis that that might be intentional manipulation of the output of the model weights. But you also have to remember that, you know, large language models, big frontier ones, open source ones, et cetera, they're trained. A huge amount of that data is open data, right? That's available, that's being collected off of the Internet, being scraped, et cetera. Even a legitimate, you know, trusted provider might unintentionally scoop up, you know, in reams and reams of data, malicious instructions, right? Intentionally designed to subtly modify the output of these systems, which are probabilistic, they're black boxes, right? 
If you don't, if you don't review the actual data coming in, there's no way to tell, you know, what tampering may have occurred once you've got, you know, model weights at your disposal. So it's something that I think enterprises need to think about in general, regardless of the source of those models, what those guardrails are that they're putting in place and around their usage of the models.
C
And in the case, in the case of the Chinese models, you know, there is national security law in China that says that those models have to conform to socialist ideologies. So it's not, it's not clear to Elia's point, whether the model was deliberately trained or that was an artifact of the. They sourced their training material from, you know, things that might have been influenced by Chinese CCP propaganda and things like that.
B
If we have time, Greg, just to go really quickly back to the first part of.
E
Sure, let's dive into it. I'm glad I gave you, gave you guys a podcast. Right, let's, let's go.
B
You know, so I think, I think you know, some of what you guys were discussing very much thinking about what's possible today, like what's the contemporary adversary usage of this. And I think, you know, to Adam's point, or implicitly Adam's point, I think it's probably most likely that adversaries are using, are starting to use this technology today in more of a, let's call it a co pilot or an assistant mechanism where they're using it to introduce some dynamic aspects and non deterministic activities in their playbooks in their scripts. Right. Instead of having a hard coded sequence of run this recon command, if this do that, you could add a degree of dynamic logic. It's also very effective at parsing through huge amounts of data. Right. If you're running automated recon, LLMs can run through that information and look for interesting things that you're asking it to find much quicker than a human can. Hitting the control F button and searching for keywords and, and things like that. So I think it's pretty, pretty safe to say that adversaries are doing things like that today. I'm actually surprised Adam didn't mention this. He'll probably, when I remind him he'll have some more to say on this. But we've seen a couple of indications of something I think that's even more concerning, which is elements of taking humans out of the loop entirely. So instead of having command and control systems, you know, calling back to a human operator or a machine operator, we've seen a few examples, Adam can probably speak more to it of prompts actually being delivered and executed locally. So start thinking about when that technology matures, which it surely will one day. It may not be there today, but AI models are getting smaller. The amount of GPU processing and NPU processing on local endpoints are getting larger and stronger and faster. At some point you have to imagine we're going to see autonomous malware, right? 
That that can be delivered via prompt run on a locally deployed model. And that can basically live off the land. Like an adversary would run built in operating system commands to do things like recon, et cetera, without the need to have constant instruction, constant command and control interaction with a human operator, which of course would significantly speed up their operational tempo, but also reduce some of the traditional signs that A defender may look for. Right, that, that communication over the wire, so to speak.
C
Yeah, I was about to actually jump into that. So excellent lead in there. But one of the things, for example, and you know, we've seen both, both cases where an adversary in the middle of an intrusion, they, they pivot to an LLM and they ask it to help write a script to extract Microsoft Entra ID or something like that. So that's something that they do in flight and it's a very manual process. But one of the things that Elia is alluding to is something called LameHug, which is associated with the Russian GRU, which we track as Fancy Bear. And they had this malware that really was just an installer that looked like a Python installer or something like that. And it reached out to an LLM on Hugging Face API and rather than having built in capabilities, it had prompts and the prompts would ask it to return Windows commands to profile the system. And then when that completed, it would have a second prompt and it would say, okay, now give me Windows commands to find all the interesting files, bundle them up and exfiltrate them out. And when I saw that, my initial reaction was, wow, it's, it's probably not too long before an enterprising adversary takes an LLM, a lightweight LLM and builds it into the malware. So it doesn't necessarily have to be pre configured to take certain actions. They can kind of dynamically decide that they want to do something and have the LLM do it for them. And that was my initial thought. And then, you know, we start seeing things like Microsoft has Copilot on all of the operating systems. So one of the things that, you know, I've been really kind of thinking about is that these AI that we're building into every software, every operating system, everything that we're doing becomes the malicious insider. And when we think about enabling those AIs to have the ability to take action through agentic capabilities now, you know, there's things that the adversary can do that don't require any sort of real deep understanding of the environment. 
They can just leverage those agentic systems to, to take action on their behalf. So it's really getting quite interesting from an AI perspective in the threat landscape.
A
So does this forthcoming shift, or maybe we're there now, does it change the balance for enterprises between preventing breaches and detecting breaches? Like should organizations assume now more than ever, like you know, the zero trust mantra, assume, breach, or is there still a path to materially reducing initial access?
C
Well, I think Elia can, can speak very much to that, but I think, you know, one of the things that we're seeing is that the, the way that defenders have to operate, there's this concept of the defender's dilemma, right? The defender has to be right 100% of the time, and the adversary only has to get lucky once. And that for years, has really kind of created a huge problem for the defenders. It's led to stress, it's led to burnout, all of the things that we've been hearing about. And I think now for the first time, we're starting to see that these systems, these, these AI systems can actually enable the defender to operate at speed and at scale so that they can be more.
B
Right.
C
More of the time and leverage these systems to really have better outcomes. From a security perspective.
B
Yeah, I would, I would say, you know, there's, there's good news and bad news, right? And we, we talked already a lot about the bad news. I think the, you know, the, the, the ability for adversaries to operate quicker and enhance their ability to successfully leverage some not new techniques, right, like social engineering, et cetera. I mean, that, that, that's the bad news. The silver lining, which, which I'll mention before I pivot to the good news that Adam alluded to, the silver lining is when we talk about these different, you know, techniques and scenarios, everything we discuss, right, using AI to identify vulnerabilities, et cetera, these aren't fundamentally new concepts, right, in cyber security. These aren't brand new adversary tradecraft, TTPs, et cetera. It's an acceleration of existing threats that we've been dealing with as an industry for years, for decades now. It, arguably, one of the things that I have talked about frequently over the past two, three years is that probably one of the biggest, you know, impacts that AI has had for adversaries is it raises the, the bar, right, the, the skill of the average operator. What it, what it doesn't do though, right? The silver lining that I mentioned is it doesn't, you know, today with, with contemporary AI technology, right, like Transformer LLM based technology. We're not yet. Maybe we will be someday. Maybe it'll be different technology that gets us there. But we're not at a place of, you know, true artificial superintelligence, where we have AI systems that are doing things that humans have never thought of, dreamed of or done before. That that would truly be a scary scenario. We're at a place now where, just like all other domains, AI is taking things that humans have already done and figured out and is able to replicate it, you know, very cheap, very fast, etc. Etc. 
So while the bar may be getting raised for the average adversary and the speed of things we've seen before are accelerating, we're not yet at the place where we're seeing completely novel things that no human defender has ever encountered, right? So now we go, now we go to the good news, right, which Adam alluded to, which is what, what does this technology bring to the defender? Well, if the adversary is getting faster, right, the humans that the defenders of course, need to speed up as well. And, and what better technology to enable that, to empower them to do that than AI, you know, and again, Adam kind of alluded to this, but one way to think about that defender's dilemma is from an economic perspective, right? Like the cost to an adversary of tweaking their attack and trying one more time and modifying something a little bit historically has been relatively low, right? They just have to be right once it's the defender who's got to invest traditionally a significant amount of time, resources, human energy, historically to deal with all of this at great cost. And they have to be right every single time at the wrong one. So you have a potential for a breach. So stepping away from cybersecurity for a second, you know, what is one of the key benefits of AI? It brings down the cost of labor, right? The marginal cost of looking at one more thing is dropping to zero. So now for maybe the first time, we have a tool that really helps the defender kind of level the playing field in that respect. I'll give you one very, very concrete example because I know I've been talking in a fairly abstract manner, okay. One of the areas that we, for example, as we at CrowdStrike, as we've been introducing new forms of generative AI and agentic technology into the hands of our defenders. 
One of the biggest early successes that we've had as part of our Charlotte agentic product line is this idea of detection triage or agentic triage, where we're able to use our own AI system that we've built to review alerts that are coming in, determine if they're true positive, false positive, and if they're true positives, kick off and recommend next course of action. That's one of the most historically for a human SOC operator, time consuming things that they do. So when we released our detection triage system, one of the reasons we were so excited is because we had real benchmarks to back up its effectiveness and I don't have exactly in front of me, I think it was 98.5 or 98.6% accuracy rate, meaning it agreed with our expert human defenders, our managed services teams, 98.6% of the time, which is a fantastically high number. So the difference is, of course it takes a lot out of a human operator. It takes time and energy and you know, they sleep, they go on vacation. You can only find and hire afford so many of them. The marginal cost of having our agentic system triage of detection is next to nothing, right? So now think about that for a second, but back up now. If I have a system that can virtually, you know, close to 99% of the time determine if something is a true positive or false positive, besides saving, you know, time on the, on the, on the analyst side of having to triage that and what are the other implications there? Well now false positives all of a sudden might become less of a problem, right? Like one of the reasons why false positives are an issue. The primary reason besides, you know, taking inadvertent action is fatigue on the human operators, right? Well, if I have a system that can clear out false positives at a virtually 99%, you know, effective rate with virtually no cost and overhead, why wouldn't I just start creating a lot more and a lot noisier detections? Because even something that is wrong 90% of the time, it's right 10% of the time. 
So if I can filter out all the noise but still get that benefit, I'm actually going to increase my catch rate at the end of the day and not have to worry about that one of those other defenders dilemmas. So that has a, you know, a pretty transformational effect on how you can approach detection engineering that just wouldn't exist without some of these new technologies.
C
It also too, when you think about the, one of the biggest things that leads to the burnout and to the, to the, the issues for human operators is the context switching, right? The SOC analyst isn't doing just one job, right? They're, they're doing malware analysis, they're doing incident response, they're monitoring the, the deep dark web. What we, we might, you know, think about in terms of digital risk protection. So you know, when we look at it, they have like seven different hats. They're constantly switching off and each time they switch that hat, they have to reinstrument their systems, they have to, you know, use different tools, they have to jump between different problems and it's expensive and it takes a lot of time and energy from that human analyst. And so one of the things that we've been working on as well from an agentic perspective is taking the load off of the human and moving that context switch into the AI so that they can stay in one tool, one view and take many different actions. So the AI is actually switching the hat for them. And that results in an extreme amount of additional resource and capability for each human that you have working for you.
B
Just to underscore it before we move on, yes, it brings benefits to the adversary, but I think on the balance, for the reasons we just mentioned, those fundamental shifts in cost curves and labor curves, et cetera, when properly implemented, I think on the balance it's actually a significant net positive, more for the defenders than it is for the adversaries. Right.
E
Like obviously, look, agentic AI is everywhere, including in cybersecurity. And it's really helping. Like Adam said, SOC analysts sort of offload the grind safely. But I'm wondering, you know, as we move into more and more agentic AI, I'm wondering for enterprises, where's the line where they shouldn't cross when it comes to autonomy? Like name one action that should stay human approved even if there is a model or the agent is nailing this 99% of the time. Where should the human always stay in the loop?
B
You want me to go first, Adam, or.
C
Yeah, go for it.
B
Well, look, I, I think there's, there's a couple things to say there, Number one, there's necessarily going, there's not going to be a one size fits all answer for that because different organizations are going to have different risk profiles and tolerances, different regulatory requirements, etc. So at some level it's, it's going to have to vary based on the kind of business you're in and the kind of decisions that have to be taken. Now I think, you know, more, more. Giving you a bit of a broader generic answer though. I think the key, I wouldn't say that there's any one specific decision, at least when we're talking about enterprise software, IT, cybersecurity. I think it'd be naive to say that there is any specific category or type of decision that should never ever be made by AI. The answer to me is it depends. And what it depends on is can you measure the accuracy, the effectiveness of that system? I think it's kind of similar in some ways to self driving cars. People are scared and apprehensive about self driving cars. But I think if you take a, if you take the emotion and the fear of the novelty and unknown out of it and look at the data. Most people would tell you we're at the point now where in the circumstances where driverless cars are allowed to operate, they're probably safer than humans. There's been, and there's a lot of empirical data to show that at this point. Right. So I think if you, if you can't measure the effectiveness of an AI system at a specific task, you should not be attempting to turn over control to that AI system. If you can measure, benchmark, validate and audit the decisions, I think then the answer becomes, well, at what, at what percentage level are you comfortable? Right. What, what are your human operators able to operate at today? And what, what is your, you know, benchmark validated agentic system able to operate today? 
At some point you, you have to, you have to expect, given the continued rate of improvement of, you know, artificial intelligence systems, maybe not for all tasks today, but at some point it's not hard to imagine that they will exceed the human operator. At that point I think you have to ask yourself, the question is if you're, if you're confident can measure that it outperforms a human, why wouldn't you make that switch over? Unless of course again you've got legal regulatory liability, you know, compliance reasons why you just simply can't, or it could
C
have a negative impact. So I think about when intrusion detection systems were, were first kind of really prevalent and then they iterated past that and they came up with intrusion prevention systems. Right. These are network technologies. But a lot of organizations were really hesitant to use IPS because they were worried it would break or disrupt some of their operations. So you know, when I think about some of the things that you might do like device containment or things like that, that might be something you'd be more comfortable having a human in the loop. And to use Ilya's example of self driving cars, I think you know, when you have a self driving car, I don't, I've never done it. So I'm just kind of speaking from what I've read here. Right, but you have to have your wheel, your hands on the wheel. Right. Just in case it requires human intervention.
B
No, not a Waymo. I was just in my first Waymo. It was terrifying for two minutes and I was like, that's pretty cool.
C
I'm afraid to get in those, so
B
don't go by me.
C
I'm a little bit Adam.
E
I have, I haven't done a Waymo yet. I'm with you.
A
I'm not there yet, but yeah.
C
So I think that, you know, things like that, you'd want a human to at least check the work before a device is contained or something gets disrupted, particularly in manufacturing or healthcare or someplace where there could be real world implications from an action that an AI would take.
B
Yeah, and I think it may sound at first like Adam and I disagreed on that point, but not really. So if you, if you take the example of, you know, the, the IDS versus IPS transition, you know that that's exactly validating my point. The reason why most organizations did not flip from IDS to IPS is because the empirical and anecdotal evidence showed that they were just too error prone, they made too many mistakes. And those mistakes, when you're in prevention mode versus detection mode, have too much of a business impact to accept. And that's not quite the same thing though, as I think what we were talking about earlier, which is a decision that a human is making today. What I mean by that is an IPS system wasn't replacing a human decision to go block activity, right? It was, it was measuring and acting on activity that prior to, you know, the detection version IDS system, those activities just weren't occurring. It's not like a human was sitting there inspecting all your packets and saying, aha, I found the back a bad packet, let me go flip the switch. Right? So if we think about like an agentic SOC type system, where it's not an AI system doing something that a human operator hasn't done before, we're actually talking about taking an agentic system and having it perform the same actions that a human would be doing manually. And that's where I think we get back to the point that I was making, which is, yes, if, if today you're using a system that you can't validate with hard data works better than your human operators. If you can't even measure how effective your human operators, you're certainly not ready to turn it over to your agentic operator. But once you get to the point where you run it in that, you know, ask the human for, ask the human operator to approve your action and review your steps. 
And you've done it for some time and you've generated a significant data set to show that, hey, look, maybe it started we were a little bit hesitant and uncertain and the models weren't there, the agentic systems weren't there. But we've been running it for some months, some years and we've got data to show that it takes the same decision at a higher quality rate than a human does. I'm not, I'm not, I'm not saying we're there across the board as an industry today, we're not. But if we do get there someday, why wouldn't you want a system if I didn't tell you it was a human versus a machine and I told you one of them gets it wrong 10% of the time making the same decision, taking the same action, and one of them gets it wrong 5% of the time getting it wrong and taking the action is going to have a bad impact either way. Right. Whether a human flips the switch or machine flips the switch. If I can prove to you with data, with math and with confidence that the machine makes mistakes less often than the humans, I mean, I would think, even, I would think a risk averse organization would prefer then to have the more effective system taking that action. Again, we're not there yet, but I think that's. We could get there, we probably will get there. And that's how organizations should decide when they make that switch.
C
Fully agree with Ilya on that. I think, you know, when we go back to that 14 minute delta between 2023 and 2024, one of the things when I talk to executives and boards and stuff, I say, did you get 14 minutes faster at being able to identify, investigate and remediate what happened? And most of them kind of stare at me blankly because they don't have that visibility into how effective their humans are. So 100% agree with Ilya there and with the IDS, IPS, that was the best off the cuff example I could give. But you know, IPS was very much heuristic based. It didn't have a lot of that built in intelligence that we're talking about here.
B
Yeah, let me, let me go give another take on that too. I think part of what's at play here is we have this new category of technology with generative AI and large language models. And you know, this concept of hallucinations is what of course scares people, that these systems confidently making mistakes and of course those mistakes being acted upon. And I've heard some people, whether it's specific to the domain of cybersecurity, but also more broadly and other applications and domains of AI talk about hallucinations as something that, because they're fundamental to the nature of LLM technology, invalidates and kind of is a clear sign that we will never be able to get to that full AI autonomy promised land that so many technology companies talk about, right? I think that's a bit, I think that's a bit of, I'm trying to not say bad words. I think that's a little bit silly. And let me explain why. Hallucinations are nothing new in software and security. What is the industry? Whether it's heuristics like IPS, IDS, but even thinking about the previous generation of supervised and unsupervised machine learning models and classifiers, none of those systems were ever 100%. They all have measurable key true positive, false positive rates, they have receiver operating curves. I don't know of many modern organizations that run no AV or EDR or EPP systems for example. And just look at detections and then decide manually for every single one when they're going to block a process, contain a machine. They've got AI ML systems, maybe not agentic ones, but previous generations that operate at some efficacy rate and they make a risk based decision using rules and policies and SOAR platforms. If this, and this and this confidence interval and this category of behavior take this action, which does include things like quarantining a device, knocking things off a network, resetting user accounts. And they do that because they accept that, you know, they made that assessment. 
Here's our risk posture, here is the efficacy, here's the true positive, false positive rate. Under these circumstances we're going to, and we need to, to be effective, take some action that we'll then go review after the fact. Well, if I tell you I've got an ML system that's 95, 99, 50% effective, and I tell you I've got an AI system that hallucinates 50%, 5%, 1% of the time, what, what does it really matter? Like what's the difference between a hallucination in this regard? Right? If I'm using an LLM to make a binary decision versus if I'm using a ML classifier, hallucination versus a false positive. It's, it's the same thing. It's this, right? Different words for the same thing. So like we're, we're, we're somehow treating this category of technology because it's new and scary and different in this radically different way, then we've already come to terms and accepted that hey, it's right more than it's wrong and we're going to take advantage of that for beneficial reasons and have automation allow these systems to make decisions. So I think it's a little bit weird that people are treating hallucinations somewhat differently. I think there's a There's a valid reason for that, which is that many AI systems out there today, vendors aren't providing benchmarks and data to tell you what that accuracy rate is. Right. We do talk about receiver operating curves with traditional ML models. A lot of people are at the stage right now where they're doing something that. One of my responsibilities here at CrowdStrike is running our data science team. We have this derogatory phrase we use that we call agent eating, as in, you know, eating, like throwing something over the fence. We see that in all different disciplines, right? From companies. They'll take a prompt, stick it into a frontier model and they say, hey, look, I built an AI. Okay, well how often does it work? I don't know, it looks good in a demo, right? 
So that's when I think you deserve to be skeptical, suspicious, and should absolutely not be turning over your autonomous operations to assist them. When there's no data to tell you if it's good or not.
E
Great.
C
And that comes back to the third point that I was going to get to. So I talked about the adversary coming back to what supercharged things in the last year. We talked about the move towards other ways to get in. We talked about the, the speed at which adversaries are operating. The third thing is that we're seeing them increasingly moving away from using malware and tools and they're using more hands on keyboard. We noted that in the last year it went from like 79% to 81% of the cases that we were looking at. There was no malware, it was just hands on keyboard. So as those become more behavioral based, you're looking at PowerShell, you're looking at, you know, Python code, you're looking at WMIC, things that adversaries are using to kind of enhance how they live off the land. That increasingly moves to having systems that are more intelligent, that can, can look at an obfuscated PowerShell and figure out what action it's taking on the system much quicker, allows a defender to make a decision more quickly so that, you know, to, to wrap that kind of up, the adversaries are getting, they're coming in through different means, they're going faster and they're stealthier.
E
So with all of this talk, you know, in, in just cybersecurity and technology in general, AI makes it seem like it's a, you know, kind of scary new world. And I really appreciate you guys hopping aboard to tell everybody that the, the answers to defending this stuff are the same answers that we've had for the past 5, 10, 15 years
B
and solution to all of our problems.
C
The Homer Simpson Corollary.
E
Yeah, anytime we can inject a Simpsons reference, I'll always allow it. Adam, Ilya, really appreciate you hopping aboard. Thanks for joining the program.
C
Thanks, Greg.
B
It was a pleasure. Thanks for having us.
C
Yeah, thanks for having me.
A
Thanks for listening to Safe Mode, a weekly podcast on cybersecurity and digital privacy,
E
brought to you by cyberscoop.
A
If you enjoyed this episode, please leave a rating and a review and share it with your friends, your coworkers, your CISOs, your sysadmins, your mom, your dad, anybody that wants to know more about cyber security. To find out more information or to contact me, please look for all of our social media handles or visit cyberscoop.com. Thanks for listening. Check us out next week.
Episode: What’s Powering the ‘Steroid Era’ of Cybercrime?
Date: January 15, 2026
Host: Greg Otto (A), Editor in Chief at Cyberscoop
Guests:
This episode explores how artificial intelligence is accelerating cybercrime, prompting a "steroid era" in attacks and defenses alike. Host Greg Otto speaks with CrowdStrike experts Adam Myers and Ilya Zaitsev about the ways AI is transforming everything from phishing and intrusion techniques to defenders’ abilities. The show opens with breaking news on a major takedown of a global cybercrime marketplace, then dives into how AI is both empowering adversaries and arming defenders, and what enterprises should (or shouldn’t) automate as AI capabilities grow.
[01:21 – 07:32]
Red VDS, a major cybercrime marketplace, was taken down in a joint operation by Microsoft, industry partners, Europol, and German authorities.
Scope: Offered criminals remote desktops, VMs, and more, acting as a SaaS platform for cybercrime—remarkable for its visibility and SEO.
Victim sectors included real estate, healthcare, education, logistics, and legal services.
Technique: Real estate fraud was prominent—criminals timed attacks to closing deals, diverting payments at just the right moment.
Red VDS had global reach, with 191,000+ compromised Microsoft email accounts and 130,000+ organizations impacted.
Key Insight: The “blocking and tackling” of cybercrime has become easier, not more sophisticated. Services like Red VDS facilitate opportunistic, scalable attacks, with bulletproof hosting and global infrastructure evading basic security measures.
“I was googling through and sure enough, if you go to Google Red VDS, it still comes up...like it was any other SaaS product out there.”
— Greg Otto [02:27]
“They rented servers from third party hosting providers from multiple countries, which allowed cybercriminals to use IP addresses that looked like they were located close to targets.”
— Matt Kapko [06:34]
[09:40 – 16:35]
Adam Myers describes three key shifts:
Adversaries use AI for everything from crafting social engineering messages to automated code/exploit development and security evasion.
AI lowers barriers to entry for amateurs (“AI slop” in open-source code) and introduces new vulnerabilities through poorly supervised agentic systems.
“Now adversaries have, basically at the margin, zero cost, super effective technologies to create very convincing, native language sounding voice recordings and emails...those techniques have gone much cheaper, much quicker, much more effective.”
— Ilya Zaitsev [13:01]
[18:17 – 26:46]
Promptable Intrusions:
Supply Chain & Data Poisoning Risks:
The Looming Age of Autonomous Malware:
[29:19 – 37:44]
AI can handle multiple analysis roles (malware, reactive response, dark web monitoring), relieving humans from constant tool-hopping and distraction.
“When we look at it, [analysts] have like seven different hats. They're constantly switching off...moving that context switch into the AI so that they can stay in one tool...”
— Adam Myers [36:09]
[37:44 – 45:38]
There is no universal red line; risk tolerance, regulatory posture, and business context set individual organizations’ boundaries.
Empirical evidence should guide where to automate; if an AI is benchmarked to outperform humans in a given context, autonomy can be justified.
Historical analogy: Intrusion Detection Systems (IDS) vs. Intrusion Prevention Systems (IPS). Full automation failed until systems could operate with high enough accuracy not to disrupt business.
In critical sectors (e.g., healthcare, manufacturing), some actions (device containment, service disruptions) should require a last human check.
“You'd want a human to at least check the work before a device is contained or something gets disrupted, particularly in manufacturing or healthcare...”
— Adam Myers [41:50]
“If I can prove to you...the machine makes mistakes less often than the humans...I would think even a risk averse organization would prefer then to have the more effective system taking that action.”
— Ilya Zaitsev [44:04]
[45:38 – 49:48]
[49:49 – 51:05]
“Voice-based phishing has really taken off. We saw a 442% increase…adversaries are increasingly calling the help desk and pretending to be a user.”
— Adam Myers [10:33]
“Now adversaries have, basically at the margin, zero cost, super effective technologies to create very convincing, native language sounding voice recordings and emails.”
— Ilya Zaitsev [13:01]
“The model that you choose is also really important in kind of determining what that outcome is.”
— Adam Myers [19:15]
“At some point you have to imagine we're going to see autonomous malware, right? That...can basically live off the land...without the need to have constant instruction.”
— Ilya Zaitsev [25:36]
“For the first time, we're starting to see that these systems...can actually enable the defender to operate at speed and at scale...”
— Adam Myers [29:58]
“The marginal cost of having our agentic system triage of detection is next to nothing.”
— Ilya Zaitsev [34:45]
“If I can prove to you with data, with math and with confidence that the machine makes mistakes less often than the humans...I would think even a risk averse organization would prefer...the more effective system.”
— Ilya Zaitsev [44:04]
“Hallucinations are nothing new in software and security...What does it really matter? Like, what's the difference between a hallucination and a false positive?”
— Ilya Zaitsev [47:45]
For listeners seeking the upshot:
The “steroid era” of cybercrime is real—attacks are faster, smarter, and less detectable thanks to AI. Yet, for every advantage gained by adversaries, defenders now have new agentic tools to match. The real differentiator is how enterprises choose, benchmark, and monitor the balance of human and machine in their security operations.