
On this week's episode, we're joined by Mike Nich…
A
Why your SOC may never be fully autonomous. We'll talk about it on this episode of Safe Mode. Welcome to Safe Mode. I'm Greg Otto, editor in chief at CyberScoop. Every week we break down the most pressing security issues in technology, providing you the knowledge and the tools to stay ahead of the latest threats, while also taking you behind the scenes of the biggest stories in cybersecurity. An attack is coming. It's about keeping us safe. He's just a disgruntled hacker.
B
He's a super hacker.
A
Stay alert.
C
Stay safe.
A
Stay safe. This is Safe Mode. Welcome to this week's episode of Safe Mode. I am your host, Greg Otto. In our interview segment this week, we are going to be talking with Mike Nichols, the GM of security for Elastic. Mike was just at the Gartner summit and had a really long winding road talking with CISOs about what they see with the future of AI and how they see it being integrated into their SOC. And Mike and I talked about things like tribal knowledge, shadow IT, and why humans will just never be pulled out of that SOC. But first, talking with Tim Starks and talking with Tim about a story that we talked about a few weeks ago on the podcast with Todd Beardsley from Rapid7 and a former DHS official that oversaw the KEV program, talking about the idea that the patching times for the federal government were going to shrink from weeks to days. And the hypothetical is now reality.
B
Tim, let's dive into it. Yeah. So as of Wednesday, there is a binding operational directive from CISA that sets forward these remediation timelines that go up to like, and I say go up, but they, they move the, the deadline up from say, weeks to like, literally three days for the most severe vulnerabilities. And they rank them on a set of criteria. Like, does it affect something that's publicly exposed to the world? Is it Internet facing? Say, is it something that, that can be actively exploited? Is it something that's on the catalog, in the KEV catalog? And is it something that could lead to full takeover of a system? And it's interesting, I mean, I feel like there's been some talk of this, there's gonna be some like squirreling away of this debate for a few weeks, but actually a few months, it turns out, in terms of if you look at what the, if you look at what Nick Anderson, the acting director, was saying the day before this was all public, publicly released, they've been working on this for months and months.
A
So with what Anderson said. Cause I know that you were at an event where Anderson spoke. It's not so much about just timeline short like that. That's like, that's really not the directive here. He was really adamant in talking about changing the way risk is thought of when it comes to these vulnerabilities because it is just not vulnerability on list. List says patch. Please patch. Now, like there's a little bit more nuance here that he's trying to drive home.
B
Yeah, definitely. I, you know, the thing that struck me about that speech, but also talking with some reporters after including myself, was just the broader overall way he's looking to rethink CISA's approach to vulnerability management and how it handles risk. Because it was just one part of it. The binding operational directive was just one part of what he'd been working on. And the other part he talked about was the way we prioritize protection of critical infrastructure, which is mostly privately held. And you know, being an old grognard, as they say in D&D, like the, the, the, this, this notion of prioritizing assets and saying, what do we really need to protect? It's been around for a little while. Right, right.
A
That's not new.
B
It's not new. So I, you know, I'd asked him like, what do you. What's the difference between this and say Section 9 was another concept that was out there going back to 2013. Or SICI. I remember, do you remember the SICI era from the Cyberspace Solarium Commission? And you know, he had a decent answer to it. So I, I think the, the trying to focus on these assets that matter the most and trying to focus on the vulnerabilities that matter the most is a common sense idea. But it's also, how do we actually do that? I think that the BOD is evidence of one of the things they're trying to do about that. And then I think it'll be interesting to see that he talked about having conversations with banks and going into, and saying, look, let's look at what assets you really need to protect. He mentioned the banks example of like your, the protection of your bulk payment system versus the protection of the local branch down the corner, which is how do you prioritize that? What are you spending money on? So I think that it'll be interesting to follow what those discussions look like out to what degree they've already happened. You know, how they're prioritizing. Even those is going to be interesting, I think.
A
Right. And yeah, to your point, we are not reinventing the wheel here. I mean, talking about this from a risk management standpoint has always been part of cybersecurity. That is something that has just been pervasive going back to before CISA, back when it was NPPD that we were talking about risk management, there was a risk management center in DHS. Like this is the fundamentals of risk management. So talking about prioritization, that really is the fundamentals of risk management. There is high risk, medium risk, low risk. And I, I remember going back, I, I forget whether it was necessarily in FITARA rules or other legislation that has come out that has been really focused on, on federal agencies where it's find your crown jewels and protect them. Yeah, that's generally really on a smaller idea what, what we're getting at with this new BOD in that, yeah, if this patch is attached to a system that is protecting classified information, guess what? Yeah, that is severe. And if it's a 10 on a CVSS scale, yeah, you're probably going to have a weekend ruined if you are in an IT team in a federal agency or you can, you know, assess based on the information that is out there and line it up with updates that come out in, in other ways. I think you alluded to that a little bit in your story where it's. Yeah, sometimes the KEV list comes out and there is a directive to patch in two weeks. But there are other IT functions that, that take time. Patch management is harder to do than just click button, download and deploy. And it's another layer of common sense here that we're getting to that really needs to be exercised more than it already has been.
B
Yeah. And I think what's such that there is new value added to this. It's this kind of four, four categories of criteria. So, so something hits all four of those things at once. Agencies really need to prioritize that because there have been emergency directives that come out. You know, when there's something really, really supremely upsetting happening that's, that's kind of like a BOD. But it's just like this is, this issue is so such a big deal right now. We need all agencies to get all hands on this right now. So it's more about trying to train the agencies to think about this stuff in a different way and to approach it a different way. As a result, it's a little less on the target side and a little bit more on the. What are the really worrisome things that we need to be concerned about? Less ranking them on a scale of 1 to 10, but more across categories and especially with AI, you know, increasing this path from exploitation to, from discovery to exploitation, they're very concerned about that. I think one of the things that'll be interesting about this, and this is something that someone alluded to in my story, I believe it was Patrick Garrity who had said. From VulnCheck, who had said some. Nope, actually it was. Yeah, it was. It was Todd, actually.
A
Oh, okay. Yes, it was Todd in the story.
B
Yeah, it was Todd. It was Todd. It was Todd who mentioned that. You know, I think we might be seeing more vulnerabilities that hit this, this three day mark than maybe they're expecting right now. Because they did do a survey of one big agency and looked at what vulnerabilities this might apply to, and they said 1%. But with the way AI is exacerbating some of this stuff, I think we might be seeing more than 1%. We might be seeing more of these three day things than maybe CISA is expecting.
C
Right.
A
Well, we'll see how this all unfolds now that it is a reality. Tim, really appreciate you breaking it down for us. Yeah. And now to our interview with Mike Nichols from Elastic. And look, it was another big week for AI in cybersecurity. Anthropic rolled out Claude Fable 5, which was powered by its Mythos model, which we all know Mythos is the big cybersecurity tool of the moment, with a bunch of enterprises experimenting with how they can use this to find and remediate vulnerabilities. And the agentic SOC is not far off. It's going to become a reality sooner than later. And. And we talk with Mike about what that looks like in practice and why agentic SOCs will never be fully autonomous SOCs, and why humans will always be in the loop and how AI implementation inside a SOC can be thoughtful and not be reckless. Check it out. All right. Joining us for this week's interview segment is Mike Nichols, the general manager of security for Elastic. I know Mike is coming off a busy week at the Gartner Security and Risk Summit that was just held in the D.C. area. So eager to talk to Mike about all the conversations that he was having during the conference. Thanks for joining us, Mike.
C
Yeah, I'm happy to be here and I'm eager to speak to you as well.
A
So tell me about the conversations that you had at Gartner. I know that a lot of what went on there was very, very AI based. By the time that this interview airs, our audience will have read a story about other conversations that I had at Gartner myself, where people are trying to adjust to like a post Mythos world. And I know a lot of that. Even though Mythos itself is not an agentic AI tool. Agentic AI is part of this, a conversation where all of this gen AI is fighting bugs faster than security teams can react. And I know that the philosophy of agentic SOC goes into that. So I would love to hear what you have to say about the way that CISOs and enterprises are thinking about crafting an agentic SOC.
C
Well, I would agree. First of all, that AI, as expected, was the king of the show in a constant conversation. I think what I love about the Gartner summit is we get a chance to be in front of a lot of our public sector customers that have challenges traveling, especially with budget restraints. And you know, with the recent changes with the cybersecurity, you know, new policy in the White House, obviously AI is forefront for them to think about how to do this. And we get a lot of questions of, you know, like you said, where should I start? How do I do this? How do I do it in a safe way? And what I think Mythos has done is open people's eyes to what we've known for a while in the industry, which is, you know, if you equate Mythos to basically what adversarial AI is doing that over the past year there are tools like Mythos that the adversaries have created and weaponized that have allowed them to just expedite the attack. And you see the stats everywhere. 27 second breakouts and over a thousand percent improvements in phishing. So I think the good thing about the Mythos launch has been that eye opening of well, wow, we really do need now defensive AI. So coupling that with the policies the conversations were not about, should I, but how do I throughout the conference.
A
So let's get into that, how do I because a lot of this, there are so many moving parts to this, especially as rapid as the industry is changing. I'd love to know what do you see as the features of an agentic SOC? Is it the SIEM, the SOAR, threat hunting, detection response, kind of everything looped together. Where do you start when you're thinking about what features go in to an agentic SOC?
C
I like to frame or ground myself in the classic framework. So I'm a big OODA loop believer for my military background. But also, you know, you can use TDIR or any framework like that. And the way I, the way, the simple way to talk about what I believe agentic SOCs are, is, you know, they're now basically a group of junior analysts that are going to be working on your behalf, but still require that manager or sort of watch commander to oversee what they're doing and approve when there could be a critical impact on what they're doing. And I think we could talk about the different phases. But I will say one of the things that was key in the conversations I was having was to be for customers and users to be cautious of some of the vendor speak out there that I think is dangerous. Like the full autonomous SOC. I think this belief that we'll somehow end up in a world where we don't need security teams anymore is dangerous, if not just straight lies. And the reasoning is adversaries, of course, utilize AI. So defenders are just a lot further behind than we ever were. And the usage of defensive AI brings us back up to where we were, which was already behind. So the conversations were much more about how to do AI implementations in your environment to fit that TDIR framework, but do it in a way that's transparent, it's controllable, we can go through these different steps. But that's really kind of the key for me is it's not a silver bullet, it is a new tool in your arsenal and it's foundational to the way you operate. But you still have to have those critical analysts in the loop that are, or on the loop, I should say, that are helping to approve these potentially impactful decisions that the AIs are making.
A
So you use that term on the loop and I've heard that term before in some of my conversations as well. And there's a distinct philosophical difference between keeping a human in the loop versus keeping them on the loop. So I'm wondering, in your opinion, or can you paint me a picture of what you believe a security analyst's day to day work now looks like when they transition to doing all of those jobs manually, for lack of a better term, to being a supervisor of these agents.
C
I think it's a good way to rethink sort of the entire process. I've seen some people that take the idea of agentic SOCs and they just think they're bolt on, they're the chatbots. And what that does is basically break your existing practitioner's process and, and it is a swivel chair problem. I have to ask for something. In reality, what we need is we need to stop from drowning, we need a bigger team. And so that's where human on the loop is much more impactful. So you think about each individual task that a human does. And so, for example, we could say false positive reduction or correlation of different alerts, attribution of an adversary, these different steps. That is part of what the analyst does in that triage process before they put the package together to their next tiered SOC analyst. Each of those is a skill or an agent that is interacting. And the idea of human on the loop is each one does not need permission to complete his job and pass to the next piece. So a false positive reduction system can, or agent or skill can analyze, understand where false positives might be, and then make the, at least stage the changes itself. You know, go and trigger a detection engineering skill, build out the right capability to build out exceptions, and then present that as a package in the same way that an analyst would to their, to their manager, right? Present a package that says, here's my work, I think we should do this, and here's why. And then what you end up with, what your SOC analysts evolve to are managers that are looking at these queues going, yes, I agree with this, and no, I don't. And what I think will happen is much in the way where, you know, I come from the endpoint space. So, you know, early days in endpoint we didn't prevent it was, you know, it was verboten. You had to kind of earn your trust in the organization. But now quarantining is, you know, kind of given. People just accept it. In the autonomous SOC analogy, I like to think of it as a dial.
It's not a switch you flip. And so what we'll do is we'll have these people that are on the loop today making these decisions of, yes, I agree, and no, I don't, but as they gain trust in both the models and the decision criteria, they'll start to accept those. Yes, you know what? From now on, stop asking me and do this piece and you'll get to more and more autonomy. But that is something that each individual organization should do on their own. It's their own decision. A vendor should not force you into a risk profile or to an autonomy decision. I think that's critical in this security, how you evolve to this agentic architecture.
A
So with that risk profile and that evolution, I'm wondering, in your opinion, when these agents do make a wrong call or there is a false positive or, you know, anything that a human could go, that's not really right. That's not what should be happening. How do you build trust with the CISO when the system is making decisions without a Human in the loop and I guess not really a human within the without human because we were just talking that you believe that they should be in there at, at some point. But where does the comfort level really hit a sweet spot for you when. When there is an opportunity for these agents to get something wrong?
C
Well, I'll tell you where I see success today because obviously I think it's going to change. You know, it'll change next week probably as things can improve. But as of right now, you know what, what we see these AI skills and systems do is do a few things. One, they're removing vendor specificity, which is great. I don't need to go teach you or certify you on my product. You know, we have a lot of these things and a lot of vendors are offering the ability to just work in natural language and we'll figure out the guts of our own, you know, kind of language behind the scenes and that expands the scope of what your analysts can work on. You no longer have these silos of I'm the SIEM user and I'm the endpoint user. You can have a more holistic approach to the end to end. You know, the OODA loop as we talked about earlier.
A
Right.
C
I think that's critical. And then where we also seeing a lot of benefit is that I call them the serendipity discoveries. Machines are great at finding where things are related beyond just simple hashes. You know, we used to work in the SOC and group by IPs and things, but now we can use frameworks like MITRE's ATT&CK Matrix, for example, and infer or use the context of those techniques or tactics. And what these systems can do at machine speed is actually find correlated links and say hey, these six alerts are related for example and pull that up to the analyst. Where we recommend that human on loop today is where things would typically get impactful. So for example, not automatically pushing a fix to a detection rule because that might open up a blind spot for you or not automatically isolating a host or blocking, you know, someone's access through Okta right now. Right. But they can queue that up and have a one button answer to do that. And I think what's going to happen over time is that trust will grow, but only through transparency. So to your point, when the AI works, it can't be hidden behind the scenes. It needs to be very open. You know, I like the way that a lot of these modern chat interfaces work today where you can open it up and see what exactly it's doing. You can, in your own environment, you can tailor the guardrail, so to speak, and say don't access the system, you know, don't go to Reddit and get their opinion. Use my, use my trusted incident response program, for example. And I do see a world where we'll get more and more comfortable. Again, speed I can't predict. I think it'll probably be faster than we all expect based on how good these things are getting. But yeah, I would treat it today like a junior analyst that you're growing and they, you know, you don't let junior analysts go and shut down a system and do forensics.
A junior analyst first, starting with understanding the alerts and recommending, hey, I think we should investigate this further or I think we need to make these actions and that's sort of where we see today. But I think it'll greatly accelerate.
A
So let's dive into that growth. Let me present you with the hypothetical. One of the greatest challenges in enterprise IT is capturing and this is my term, I don't know if other people use it, but like tribal knowledge, almost like every, every enterprise and their IT system is their own unique snowflake. So no, there's unwritten nuance for analysts to learn about why specific system works a certain way or a user is behaving a certain way. So how do you see agentic platforms converting that human intuition into scalable AI logic?
C
Yeah, that's definitely an exciting thing. This, this tribal knowledge or knowledge bases. We've all tried, you know, we've written wikis and things. But the reality is when you're inundated with alerts, the last thing you do when you finish, when you close out something is then go write up what you learned. Right. You just quickly move on to the next item. So we are already seeing the fact that AI can use previous knowledge previous context of how did this analyst operate? In fact, you can even depending on how much data it has access to understand where you're interacting within the UI. It definitely understands the questions you're asking if you're doing a chat type work or things like that. And that can be built into the knowledge so or the context. So when the next time an analyst is working in something like that, you can say, hey, you know, people like you did this, for example, that feedback loop is critical and it's one of the things we've definitely pushed, you know, people who ask us like, definitely talk to your vendors and make sure they are learning. It is a self learning system or a self, you know knowledging system. It can't just be a static model that sits in time and it can't be one that requires data scientists or, you know, your own specific tuning to get there. So a very simple way to look at the past and move forward. I think that's great. I also think it's also, besides that knowledge, there's also the knowledge of all the data that we typically need that is hard to access. So simple things like change control to firewall logs for knowing if somebody made an impact there, or the configurations of your load balancer and routers, all that data that sits around and is useless now can get again added as context. And it's very, very simple now for these models to have access to all of that data.
And so now your team becomes, instead of knocking on the wall of the NOC and asking for permission to get access to something right, they have it at their fingertips. So I definitely see that being one of the critical benefits. And again, AI will I think greatly help with retention because I think the burnout is just based on just being just slammed with work that is not fun. And so it'll help with that. But even beyond the retention, like you said, the training of the new people that the new generation of, you know, the SOC analysts, I think it's going to be critical. They can just get up and running. They don't have to read a book or read a wiki. They start working and it will infer or inject knowledge as they're operating.
A
So I'm wondering with all of this and the conversations that you are having, what are you hearing in terms of what CISOs or technology leaders inside both the public and the private sector are talking about in terms of like what is possible to build and what is possible to buy? Because look, like we've been talking, a lot of this is based on the data and the context that can be driven from the data inside enterprises. But we are seeing a lot of tools that are being built out by traditional cybersecurity companies or new startups. Like I spent time talking about Expo at Gartner. I know there are other companies out there, but it seems like we're at another inflection point which is similar to what we've seen with like cloud, where it was like, stand it up ourselves or do we just buy it and let companies do it on their own? Do you see some similarities there with the agentic SOC? Because I've seen them in my own conversations. But I'm wondering if you're hearing the same thing.
C
Definitely. I see a very strong similarity with cloud for a couple of reasons. But to the first one you just mentioned about, you know, how do we get started? One, I'll say I love that there's an infusion of new startups in this space because that forces the, the long term vendors here to innovate, right? They, they get off of their, you know, kind of resting on their laurels and start to do more innovative capabilities. I think right now there is no product you can buy that will make you agentic. Right? It is definitely a process problem to start and that's, you know, maybe not the best thing for a product vendor to say. But you do need first to understand your process because no AI that gets plugged in. If you don't have good processes in place, documented processes in place, it's not going to help you. Right. It's going to bring in global knowledge, but to your own business and your own mission isn't tailored to that. So I think the first step I usually recommend to CISOs is let's talk about how you operate, what is your SOC process and where do you see the SOC at the future becoming that idea? Hopefully they're in line with what we think of that. You know, instead of having a tier one kind of massive base of people that becomes agentic and you have more of these tier 2, your tier ones elevate to more of these managers as we mentioned earlier. So they need a more holistic approach. In fact, you probably won't have a role like detection engineer in the future. You'll have a SOC analyst who can have an agent that does detection engineering and they'll review and analyze it and they might have expertise there, but it isn't their sole focus.
A
Right.
C
They'll have a sort of a breadth across the holistic again going back to OODA, the whole OODA loop process, but definitely like where we see cloud. I think the most parallel is, and probably the most frightening for CISOs is the fact that they're still behind on the kind of COVID impact of the SaaS growth. They still don't have access to all that data, all the SaaS information, all the cloud data there to do that security layer of it. In fact, they've made concessions. Even before cloud data they were making concessions on what they could afford and what they could technically analyze. So we have this visibility gap. And now when you look at models and agents, agents are already 100 to 1 of people in organizations. And so the amount of data they produce is kind of astronomical. And we're looking at 10 to 50 more times telemetry than what we typically had from these agentic workflows. All those agents are now a new attack surface, right in the way that service accounts were in the past, you know, shared passwords, things like that. And now we have agents as an attack surface where if I take that over, how much can I now compromise? So as good as AI is, it's also obviously a challenge.
A
Yeah, you're taking the question out of my mouth. I was going to ask you. We know attackers are just going to look at this as another tool that they can try to exploit. So what happens when the AI agents themselves become attack surfaces? And especially in a novel way where you can't prompt injection doesn't have a CVE, like there's not a patch that you can put out there for a prompt injection. So I'm wondering what CISOs are doing and how they're reacting to thinking through the ways that that will impact their organization.
C
I think that's where the first step we mentioned earlier, like the choose your own autonomy matters. We like to tell people like get started in an AI, but do it in a safe and controlled way. And there's a couple pieces to that. The first one that I'm a big believer in is that a CISO's entire job is to basically build the risk profile of their organization. And when a vendor comes in and says, I've had this amazing thing, but you must use the model I give you. So now you have to add a new supply chain vendor. For example, I'm only going to host my model in Bedrock. Well, now you have opened up the Amazon Bedrock model as part of your new supply chain risk. Or I'm going to provide a proprietary model that I don't even expose what's behind the scenes. Now you have to trust that. So one of the first things we talk about is agnosticism or bring your own models. Are you able to start with what you trust? Either a model you've chosen yourself, an on premise and disconnected model where you know your data doesn't leave. And even more importantly, kind of the top question I get, especially in international customers today, is sovereignty. Can I choose that my where my data is within the boundaries of my environment. So that's sort of step one is before you jump into AI, make sure it fits the risk profile you have and don't increase your profile just to get access to this data. So make sure it fits into the what you've defined. And then as I said earlier, Start small, start with human on the loop where there's non impactful decisions being made. You're going to find a massive benefit already. I mean one of the most simple things that I found to be very exciting for people is there's so much you mentioned that the tribal knowledge, how many people have written detections and then left the company and there's these page long detections that no one understands. They don't know what they do but they're afraid to turn them off.
A
Right.
C
That's a phenomenal thing that AI can decipher, it can explain it in human readable language and it can even tell you whether or not it's valid anymore based on the current attack surface. So there are a lot of benefits that are not yet the scary side of, or not say scary, but the more trusting side of autonomy into actual impacts in the environment. But actually things like understanding what's running, recommending gaps in telemetry, all these kind of areas I think we find a lot of promise with. And once you get trust, the CISO is then able to turn the dial more. Okay, now I'm going to let it start looking at alerts now I'm going to have to start building workflows and remediation plans and I think that's the natural evolution. It isn't like I said earlier, vendors who say flip the switch and go all autonomous, I think they're going to have a challenge because security by nature we are a skeptical bunch, we should be and we have to earn the trust to operate within an organization.
A
Yeah, you're hitting on my last question here. And it really gets to a more philosophical mindset is that look, anybody that pays attention to this space, and especially in cybersecurity AI like I, I've never seen a product, whether it's technology or anything else move this fast. And if you're a CISO, trust does not happen overnight. Obviously trust, the bedrock of trust happens because you need to take time in order to assess and, and figure out and actually be comfortable with what is happening and the pace by which agentic AI is happening. Whether it's, you know, capabilities or the ability to have products in the marketplace based on the way that CISOs build up their trust. Like it just seems at competing odds. So if you're a CISO, what else? I would say not just from a technological standpoint, but even psychological. I'm asking to put your psychological hat on here to some degree. How do you develop trust especially in a marketplace that is just moving so fast That, I mean, Mythos has been around two months. Like I, I don't understand. If you're, if you're a corporation or if you're an organization that has an enterprise system that deals with thousands of endpoints and users, how can you realistically establish trust with the way that the market is moving?
C
It's a hard one. And I think that's why the job of the CISO is so difficult and maybe such a high rate of burnout there is because you are being dealt a difficult two-sided coin here. In one case, your job is to not impede the organization's ability to succeed, but also to secure it. And you mentioned, I think the biggest thing about AI, the reason it's impacted so much is it's one of the first technologies in cybersecurity that also really started in consumerism. You know, we were using it at home, we use it at home today. It's in everything we've built, in everything we do. And so naturally when people come to work, they want to take advantage of it. And what we saw in the early days, people tried this policy enforcement and that didn't work because I had my cell phone with me and I just asked the question myself or I open up a browser with a different model and I. So many people have paid for their own. It's, it's so beneficial to your work. You're paying for it yourself. Right. It's just you don't need to worry about the enterprise license from your company. So part of a CISO's role is to first understand that that shadow AI problem is real and you have to allow people to embrace AI otherwise they're going to circumvent your control entirely. So that means some risk, but it doesn't mean you have to go, like I mentioned, flipped entirely into fully autonomous. I think that is where there's an a. The marketing messaging of some vendors is actually becoming dangerous to CISOs. There's a way to embrace AI and make your company more successful but not be in the forward leaning train where you're saying, I'm just going to turn everything on to full stop and see what happens. And that is again that dial of autonomy. And I think every single vendor, including obviously many of our customers, my largest vertical in Elastic is the global public sector and we work with a lot of them to, you know, do this.
Choose models that are fully on premise, as I mentioned earlier, choose levels of autonomy where they can feel comfortable and confident. I think it goes back to transparency. It really needs to give you the report, again, think of it like that analyst that you just hired who you would not trust to go and you know, fully remediate a threat end to end without some supervision. But they, you would trust them to provide you the report of what they did. If you think about that model and again have your humans as those managers of those things, trusting and approving those. It does a couple things. One is it, I think it allows you to get more trust. But also, you know, there's all this talk about hallucination, but again, junior analysts make mistakes all the time. I mean, senior analysts make mistakes all the time. So it's okay if the AI makes a mistake, if it learns from it and if it exposes it to you. It's where the danger is, is when AI is so confident in what it's doing and doesn't expose how it got to where it is and just assumes that what it does was what it tells you is correct. But I think if you focus on that model of transparency and trust, explainability and okay, it's okay to make a mistake, but explain and learn from it. If those things are embedded or a bedrock of your agentic plans and then you have vendors that help support that in your environment, we see success, we see a lot of customers that have got, I mean last year I had large financials that would that said no way are we ever putting AI in here. And this year they're saying I can't get enough. How do I get more access? So the benefits, I believe, do outweigh the cons. But there is a true challenge of letting unfettered access without oversight into your environment.
A
Great, Mike, really appreciate you hopping aboard and talking through this. I know that this is, like I said, it's just been on the tip of everybody's tongue and I really appreciate your insights and joining the program.
C
Thank you so much. It's always great to talk to you. I appreciate it.
A
Thank you. Thanks for listening to Safe Mode, a weekly podcast on cybersecurity and digital privacy brought to you by CyberScoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your coworkers, your CISOs, your sysadmins, your mom, your dad, anybody that wants to know more about cybersecurity. To find out more information or to contact me, please look for all of our social media handles or visit cyberscoop.com. Thanks for listening. Check us out next week.
Date: June 11, 2026
Host: Greg Otto (Editor in Chief at CyberScoop)
Guests:
This episode of Safe Mode explores the future of AI integration in Security Operations Centers (SOCs) and critically examines the prevailing narrative around full SOC autonomy. Host Greg Otto talks first with Tim Starks about recent federal vulnerability management updates, then welcomes Mike Nichols from Elastic for an in-depth discussion on the pros and (often-overlooked) cons of pursuing a fully autonomous SOC. The central assertion: total autonomy is the wrong goal—human expertise remains indispensable, and the path forward is about thoughtful, transparent, and adaptive augmentation, not outright replacement.
[01:35-08:32]
Interview with Mike Nichols
[09:56-32:53]
"The belief that we'll somehow end up in a world where we don't need security teams anymore is dangerous, if not just straight lies."
— Mike Nichols [12:31]
"Agentic SOCs are... basically a group of junior analysts that are going to be working on your behalf, but still require that manager... to oversee."
— Mike Nichols [12:31]
"In the autonomous SOC analogy, I like to think of it as a dial. It's not a switch you flip."
— Mike Nichols [14:28]
"Treat it today like a junior analyst you're growing... you don't let junior analysts go and shut down a system and do forensics."
— Mike Nichols [17:57]
"There is no product you can buy that will make you agentic... you do need first to understand your process because no AI that gets plugged in... is going to help you."
— Mike Nichols [23:23]
"All those agents are now a new attack surface... And now we have agents as an attack surface where if I take that over, how much can I now compromise?"
— Mike Nichols [24:35]
"Every single vendor... we work with a lot of them to do this. Choose models that are fully on premise... choose levels of autonomy where they can feel comfortable and confident."
— Mike Nichols [29:58]
The conversation is candid and analytical, pushing past vendor hype to deliver a pragmatic, slightly skeptical take on the AI-in-SOC narrative. Mike Nichols is particularly clear that while AI will rapidly expand SOC capabilities and efficiency, it won’t and shouldn’t replace human expertise or intuition in high-stakes cybersecurity environments. The discussion emphasizes incremental progress, transparency, and the Socratic need for explainable AI—resisting the allure of easy, “push-button” solutions.