A
You know, some of these actors we've tracked for a very long time. We want to look at how things have been working, you know, for a threat actor that we've been monitoring for a long time. Do they look substantially similar today as how they looked, you know, two years ago, three years ago, five years ago? Are they able to successfully complete the same types of operations that they were doing a couple years ago? If so, you know, maybe it is time to try something different. You know, if we're seeing them be successful, it's kind of a status quo business as usual for them. They clock in and they, you know, they compromise users. Maybe it is time to try something new and take on a little, little bit of risk that, that we might lose visibility.
B
Welcome back to another episode of Mandiant's Defender's Advantage podcast. I'm your host, Luke McNamara. Today I have the pleasure of welcoming on Charlie Snyder, who is the head of the disruption operations here within Google's Threat Intelligence Group. Charlie, great to have you here today.
A
Thanks so much, Luke, for having me. I'm, I'm honored to be on and looking forward to the conversation.
B
I'm excited to be having this conversation. We're talking today about the disruption unit newly announced, I guess formally announced at RSA recently. But this is not obviously a new group. It's been around here within GTIG for a little while. For folks who have read some of our blogs, they'll notice references to some of the activity that this organization that you lead has been a part of. But I thought we could dive a little bit more into sort of the kind of mission and focus and intent behind this group, some of the operations that you've been involved with. And maybe a great place obviously to start is how do you sort of define the mission of the disruption team?
A
Yeah, sure. So, you know, we define our mission pretty simply. We exist to degrade and disrupt the capabilities and operations of kind of the most significant threat actors targeting our users and customers at Google. So we are an adversary agnostic team that partners closely with all of the, you know, adversary aligned teams within Google Threat Intelligence Group to identify and execute, you know, opportunities to disrupt malicious activity. It's probably worth explaining a little bit, you know, how we do this, like what are our tools? There's been kind of a lot of information out there, a lot of speculation about, you know, not just what Google's doing to disrupt, but, you know, other industry partners. So I think it's helpful to be a little bit more granular about what specifically we're doing versus not doing. So we have kind of four broad categories of action. So the first, the one that kind of drives maybe most of the headlines, is technical takedowns. This is both kind of on our platform and then enabling other partners to take action on their platforms as well. But you know, from a Google perspective, we definitely want to be aggressive when we see threat activity on our platforms and services, targeting our users, to be aggressive in kicking them off. So that's one. Second is using the legal system to our advantage. We want to be, you know, actively using, you know, the laws where we operate to, you know, hold threat actors accountable and using some of these authorities in creative ways. And frankly, there's been a lot of kind of trailblazing from, you know, other teams at Google as well as industry partners here that we're seeking to replicate. Third is disclosure. I think, you know, sunlight can be a disinfectant. It's not always a disinfectant. I think a lot of threat actors are pretty immune to bad publicity. But there can be cases where selectively sharing kind of the misbehavior of actors can be helpful. 
And then last, and I think this gets overlooked sometimes in the disruption conversation, we're also very focused on using threat intelligence to drive product hardening and remediation. We do not want to be in a place where we're constantly kicking bad actors off our platform just for them to turn right around and come right back in. So those are the tools we're focused on using. I think importantly, there's been some speculation about hacking back and taking offensive action and we're not doing that. And then I think the last thing I would say about our mission and like kind of our tools is kind of a thread running through all of this is, you know, across all of these, you know, I think partners play a big role here. So that's a big part of our job too. Whether it's, you know, taking technical action, fixing things. You know, we can be more effective and more comprehensive in disrupting adversary behavior when we bring in other partners in the ecosystem who can take action on their end as well.
B
You referenced this a little bit, but I wonder if you could kind of maybe frame this some more, which is, you know, how this differs from what Google has historically done. Obviously we've got, you know, trust and safety teams, counter abuse teams across the Alphabet ecosystem. Is it really the thing that you see that sort of defines this is the holistic nature that you're looking at this strategically working with a lot of those teams or how does this differ from what we have done in the past here at Google?
A
Great question. I'm always quick to state, like, disruption is by no means new to Google. There are lots of teams, some of which you've mentioned, that disrupt malicious activity on a daily basis, you know, hundreds, thousands of times per day. What I think is new or a little bit different is that the primary focus of most or all of these teams is, you know, things like detection of threats, defense of our products, defense of our users. And with our team, I think, although Google's a big place, you never know. But I think we are the first team whose primary focus is on disrupting the actor behind that activity. So we're not a detection team, we're not a defense team in the purest sense of how I would think about it. We are a team focused on imposing costs on those bad actors. Importantly, there's obviously a nexus between all of the counter abuse security teams, threat intelligence functions at Google. We benefit immensely from their expertise. In fact, we couldn't really do anything without those teams tracking threats 24/7. And what we try to do is leverage all of that expertise, the tooling, the visibility, to really look at an actor from that other standpoint of how can we go study what they're doing, study what they value and try to degrade and disrupt that to try to make them have a bad day. And in that way I really hope that we can be a value add to those defender teams, to those counter abuse teams, to make that kind of firefighting a little bit easier.
B
So I think maybe it would be helpful to get into some of the examples where you guys have been active already. Again, this has been around for a little while here at Google, even though we're talking about it more publicly and it's shown up in a few of the blogs within the last several months, within the last year. Maybe we could dive into a few of those examples because I think that really highlights some of the ways that you approach this sort of work. So whether it's Grid Tied or IP Idea, I don't know which one you want to dive into first, but maybe we could talk about some of those examples.
A
Yeah, sure. And you know, as I mentioned up front, we are kind of, you know, adversary agnostic in that we don't just look at APTs, we don't just look at crime. We look for good opportunities where a given threat is causing havoc or causing pain to our users and customers and then pair that with the opportunity. There's some cases where we might see malicious activity, but we don't really see a good path to disrupting them in a comprehensive way. And so for better or worse, there's no shortage of different things to look at and focus on. And as you mentioned, a couple of our projects have been publicized in the last six or seven months that we've been up and running. And I think the two cases, one is kind of a group of residential proxy networks, all operated by kind of this same group called IP Idea. And the other was taking down a campaign we called Grid Tied, that was a China Nexus APT group, UNK 2814. And so that kind of shows, like, the breadth of different activity we're looking at. And I think there's some interesting kind of differences between those cases. So, you know, IP Idea, we started looking at kind of this group, which I would put in kind of like the enabler category. They kind of sit in the crime bucket, but what they're really doing is enabling a lot of other bad activity. And the reason we like going after enablers is by going after one, you can potentially impact a wide array of threat actors who are relying on those enablers. You know, residential proxy networks have become a bit of a scourge in the last several years. What these are, you know, they are a proxy network. So you can look at them as, you know, a way for a user to make their activity appear as if it's coming from a different place online. 
And the difference with residential proxies, as opposed to other forms of technologies that do this, like ISP proxies or VPNs, is residential proxy networks are built upon basically consumer devices in residential networks provided by ISPs. And the reason they want to do that, the reason threat actors want to use them, is because they look like they're coming from, you know, John Doe in Iowa or wherever. And the way they build these networks is, you know, in a couple different ways. One, pure malware. They will infect those consumer devices and join them to the network. Also through kind of subterfuge. So what we found in our investigation was they would essentially go to developers of applications in our Play Store, although it wasn't limited to just Android, it was other platforms as well. Say, hey, developers, this is a totally legit software development kit. If you incorporate this in your app, you'll get paid for doing so. Like, we'll basically pay you on a per download basis. And when it was incorporated into that app and when users download and run the app, that joins the device into the network, in most cases without that consumer's knowledge or awareness of what was going on. And so essentially the consumer is renting their bandwidth to this proxy network. And because of those advantages of residential proxies, again, it's making it look like it's coming from, you know, a normal residence somewhere in the world, it is overwhelmingly abused by threat actors. And as we kept pulling the thread, we found hundreds of threat actors using IP Idea's residential proxy networks specifically, everything from, you know, APT, crime, hacktivism, information operations. We observed model distillation attacks against our LLMs transiting that infrastructure. So it really enabled a lot of bad behavior. 
And in that case we were able to bring together a couple different tools, including enforcement on Android, ripping all of this stuff out of Android devices, and also some interesting legal authorities. We were able to kind of repurpose a court order to work with other providers in the ecosystem, like domain registrars and the like, to take down all of their, or a lot of their, online infrastructure. And we went after both the command and control that the devices were communicating with, that were routing proxy payloads through those devices to the end destinations. But we also went after their digital storefronts, so where they actually marketed these proxy technologies. And I think the latter is probably maybe the largest effect, I think, because, you know, these technologies are in a competitive marketplace. There's lots of proxies out there. They'd spent a lot of time and capital in getting distribution, getting people interested in their product, and by taking down all of their websites, we kind of, you know, we impacted that. So in that case, you know, this is a very kind of complex ecosystem. We're pleased with the initial results, but, you know, there's no shortage of devices out there that can be added to these networks. They've been able to reconstitute to a degree. And that kind of illustrates another kind of important point about our team, that we don't just launch kind of one-off projects. It's very much kind of a journey, a cat and mouse game, et cetera. We know we have to keep hammering away at the residential proxy issue. The other case you mentioned, kind of more of a straightforward disruption of an APT group's operations. Again, this is UNK 2814, it's a China Nexus APT group. We had been monitoring this group for a long time, well before our team was formed. And there was this kind of untold story, I think, about global telecommunications targeting. 
And I think obviously Salt Typhoon has gotten a lot of the headlines, and in particular for some of the specific systems they were targeting in the United States, but there are other China Nexus APT groups out there that are going after and successfully compromising global telecommunications infrastructure, and having every bit as much success as Salt Typhoon. And so this group has been on our radar for a long time. And what I think is interesting about this case is how much we benefited from different Google teams coming together in a relatively short amount of time to create a significant impact. So this started with a managed threat defense investigation. And what that is, is, you know, we have a product that will, on behalf of Google Cloud customers, monitor their security telemetry when alerts fire. And in this case, so it all started at a customer where that team, our managed threat defense team, quickly saw an alert, triaged it and actioned it quickly, about a process being initiated from a suspicious location in the system. What we were able to find pretty quickly is the actor was using, you know, an interesting malware family that had been on our radar, but we didn't have kind of all the pieces of it to piece it together fully, that used, you know, Google APIs and Google Sheets specifically as kind of a C2 mechanism. 
So rather than the way you or I would use spreadsheets, they would communicate, you know, the attacker would communicate from an attacker owned server to the victim, in this case the customer we were investigating, to issue commands to the compromised machine and to upload data from the compromised machine to the attacker, all through Google Sheets basically. And so as soon as we saw that, we were obviously very interested in how we could pivot off this and create greater disruptive impact against the threat actor. And so we were able to combine kind of that world class investigative capability, working with customers, with our visibility within Google to identify all the instances, we think, where the actor was utilizing this mechanism. And through that process, as well as working with some key partners, we were able to identify quite a bit of infrastructure and identify, you know, frankly, a large number of victims, almost unanimously in the kind of telco sector, and then rip it all out all at once and sinkhole a lot of their infrastructure as well. And you know, as I think we said in the public materials, you know, building up this capability that the threat actor had of, you know, essentially maintaining live connections to 70 plus telecommunications companies worldwide, likely took quite a bit of effort for the threat actor to build over time. And we hope we set them back quite a bit. So that was a really fun, interesting project, working with a lot of really highly capable teams across Google and with partners in a relatively condensed amount of time.
B
That's an interesting one too when you think about one of those levers, one of those tools that you utilize being disclosure. Given that even though that actor has been around for a while, we've tracked them for a while, there had not been a lot previously discussed about them out in the open source. And it's also a campaign, a set of activity where as we highlight in the blog, there were a lot more other suspected victims than the ones we are aware of. So I think that's a great example where obviously many different tools kind of applied to that. But even just talking about this publicly and raising awareness about this actor and what they're doing, hopefully it leads to further investigations into parts of this that maybe we haven't seen or hasn't been discovered yet.
A
Yeah, absolutely. I think that was a big goal or reason for releasing some information publicly. Again, you know, wanting to drive the message. It's not just Salt Typhoon, it's not over. This activity is continuing, people are at risk, and then obviously releasing, you know, indicators of compromise to help organizations check if they've been impacted. You know, the other piece of it that's kind of a longer term thing is driving, you know, kind of more resilience and product hardening. One thing we point out is Sheets is just another mechanism to upload and download arbitrary data. There's lots of places attackers can misuse products for C2. It's clearly becoming a common tactic to use the products of popular kind of cloud and all online technologies in general for that purpose. And so hopefully we can, you know, spark additional action, you know, both within Google and with other operators of online services to try to find more solutions to try to cut down on that. And again, I think that's a longer term piece of that.
B
Let's talk a little bit about measuring impact. I think as you noted at the beginning, you know, some of the ways that adversaries respond to being publicly disclosed, their activities being disclosed, some of the extent to which their operations are disrupted, that's going to vary, it's going to vary actor to actor, what was actually impacted. There's also this dynamic where at times the very act of disruption, of taking down infrastructure, of forcing an actor to retool, might mean that we lose some visibility into their operation. So there's trade offs to even some of this activity. As we've always known, when we release blogs and put the stuff out there publicly, the actors read this stuff. That's not new. But I guess I'm curious, maybe at a high level or even in some of these specific areas, how do you think about measuring the impact from disruptive operations to specific actors? And how do you think about that kind of balance between needing to do more to impose cost, particularly in the private sector, needing to kind of take more of a stance there, but then also meaning that, you know, in some cases we may risk losing visibility into operations?
A
Yeah, great question. So first piece of it, you know, measuring impact, it is a, it's a supreme challenge. And I think this is not common to what we're doing. It's common across the security field in general. How do you know if things are getting better if you've done your job? And certainly when you're working against highly advanced threat actors, it can be very hard to get accurate assessments of. Again, we set out to make bad actors have bad days. How do we really know that it's a bad day or a bad week? So it is a challenge. We try our best and we look at different things. First, if we're able to identify potentially impacted organizations and help them remediate and recover, you know, I think that's, that's always a win. But two, can we identify classes of attacks, things that we can work on to again, kind of like harden the products, make it, you know, make the attacker have to expend more resources to do what was previously a little bit easier for them. And so we measure, we have metrics related to that. And then, you know, of course, just looking at, you know, for whatever we can find. And again, this is often a challenge, you know, how has the actor specifically been impacted? Do we see their operations becoming less effective? Things like that. And then of course, that kind of leads into, you know, the last part of your question, which is when we do this, we necessarily often lose visibility. And so that gets into that kind of intel gain loss conversation that I think has been an ongoing conversation in this industry for, for decades. You know, there's, there's a couple ways we look at that and like the, you know, what we can gain versus lose by being a little bit more aggressive, having a more kind of disruptive posture versus things, you know, against things we're monitoring first. 
First thing, and I try not to throw around kind of too many industry stereotypes, but in my opinion, I think it is true that the, you know, quote unquote threat picture is worse now than it was maybe 10, 15, 20 years ago. And again, in my opinion, this is really for one primary reason, and it's that adversaries are bolder now. They're willing to do things that were unthinkable before, that were not kind of the norm of what we would see in, you know, 2015 or 2010. When you look at kind of the crime sprees of ShinyHunters, the extortion, the ransomware against hospitals, things like that, when you look at the Volts, I say the Volts of Volt Typhoon, the things we're seeing where adversaries are willing to hold critical services at risk for entire nations. When you look at the kind of pairing of cyber and kinetic effects and things that we've seen play out in Ukraine, to me, I feel like adversaries have, you know, whether there were ever norms, it seems like the norms have shifted, if ever there were any. And adversaries are bolder now. And against that type of activity versus, you know, espionage, you know, you really have to meet that aggression head on. You know, we don't want to be just, you know, quote unquote, monitoring the situation when that kind of activity is occurring. That's not something you're going to be able to explain to, you know, your boss or the government or whatever. You know, we want to take an active posture against what is increasingly kind of bolder and more disruptive adversarial cyber attacks. We want to be pushing actors kind of off the X, give time for, you know, the defender community to take action to protect these services that, you know, everyone relies on. 
And then the other thing that we look at a little bit there is, you know, some of these actors we've tracked for a very long time, and we want to look at how things have been working, you know, for a threat actor that we've been monitoring for a long time. Do they look substantially similar today as how they looked, you know, two years ago, three years ago, five years ago? Are they able to successfully complete the same types of operations that they were doing a couple years ago? If so, maybe it is time to try something different. If we're seeing them be successful and it's kind of a status quo, business as usual for them, they clock in and they compromise users. Maybe it is time to try something new and take on a little bit of risk that we might lose visibility. And of course, there's cases where our visibility is too tenuous. We don't have confidence in the effects of some action we want to take, and in those cases, you know, I think caution would certainly prevail.
B
So I guess, you know, looking forward, you know, given that this is still a relatively new kind of area of focus for us and there's going to be some trial and error. What are you kind of excited about in terms of, you know, potential future areas, you know, without getting into specifics, of course, but when you look at where the utilization of these different tools and levers can be applied, when you look at some of the different problem sets that are out there, do you think we're going to be seeing more of this applied to the infrastructure takedowns, like with IP Idea? Is it going to be more around specific actors? Just curious some general thoughts you have, kind of looking forward into the future here.
A
Yeah, so I'm excited for the future. We are a small team and we are looking forward to scaling our impact. Just, you know, frankly, a lot of this work right now is pretty artisanal. You know, we're very interested and I think well positioned, you know, working where we do, to leverage AI and automation to scale our impact. You know, we've got amazing tools to leverage, amazing, you know, expert teams to partner with within Google. And we really want to systematize this disruption activity. So we're focused on that. We're also, you know, I think I've been very pleased with some of the partnerships we've developed with other companies, government organizations and the like. And you know, we really want to build on that and deepen those partnerships, make them, you know, really ingrained into the working model both for us and those partners. And I think we can just accomplish a lot more together. And ultimately, you know, what I hope is next is bringing more pain to more bad actors.
B
Excellent. Well, I expect in the upcoming months there's going to be more blogs where your team, if not the full focus of it, will have a footnote about, hey, you know, here's a new operation that we didn't just respond to, we also had a role in disrupting. So I look forward to seeing those. And we'll include a link in the show notes to some of the ones that you mentioned as well. But Charlie, thanks for your time today, and I think this is a great discussion around the work your team is doing.
A
Thank you so much, Luke. This was a lot of fun. Let's do it again.
B
All right, take care.
A
You too. Bye-bye.
Episode Title: Google’s Disruption Mission
Date: April 27, 2026
Host: Luke McNamara (Google Threat Intelligence Group)
Guest: Charlie Snyder (Head of Disruption Operations, Google Threat Intelligence Group)
In this episode, host Luke McNamara interviews Charlie Snyder, who leads the Disruption Operations unit within Google's Threat Intelligence Group (GTIG). This episode explores the mission, strategies, and impact of Google’s disruption team, highlighting real-world operations, the balance between disrupting adversaries and maintaining intelligence visibility, and the future direction of disruption efforts at Google. Charlie details how the team focuses not merely on defending users but actively imposing costs and degrading the capabilities of significant cyber threat actors.
[01:59 – 05:17] Mission and Tools
Primary Mission:
"We exist to degrade and disrupt the capabilities and operations of kind of the most significant threat actors targeting our users and customers at Google." (Charlie Snyder, 01:59)
Adversary-Agnostic:
The team targets attackers regardless of whether they are state-backed, cybercriminal, or enablers of others' attacks.
Collaboration & Partnerships:
Disruption operations are conducted in close partnership with other Google teams and industry partners for greater reach and impact.
Core Disruption Tools:
1. Technical takedowns, both on Google's own platforms and by enabling partners to act on theirs.
2. Legal action, using the laws of the jurisdictions where Google operates (including creative reuse of existing authorities such as court orders) to hold actors accountable.
3. Disclosure, selectively publishing actor misbehavior and indicators of compromise where publicity can help.
4. Product hardening and remediation driven by threat intelligence, so that actors removed from a platform cannot simply return the same way.
What They Don't Do:
No hacking back or offensive action against adversary systems.
On the Disruptive Approach:
"We are a team focused on imposing costs on those bad actors." (Charlie Snyder, 06:05)
On Enabler Disruption:
"The reason we like going after enablers is by going after one, you can potentially impact a wide array of threat actors who are relying on those enablers." (Charlie Snyder, 09:45)
On Ongoing Cat-and-Mouse:
"We don't just launch kind of one-off projects. It's very much kind of a journey, a cat and mouse game, et cetera." (Charlie Snyder, 13:43)
On Measuring Success:
"How do we really know that it's a bad day or a bad week? ... It is a challenge. We try our best and we look at different things." (Charlie Snyder, 21:36)
On Evolving Adversaries:
"Adversaries are bolder now. They're willing to do things that were unthinkable before..." (Charlie Snyder, 23:17)
On Future Vision:
"We're very interested and I think well positioned, you know, working where we do to leverage AI and automation to scale our impact..." (Charlie Snyder, 27:14)
"What I hope is next is bringing more pain to more bad actors." (Charlie Snyder, 28:09)
This episode offers a rare inside look at Google’s proactive disruption efforts against top-tier cyber threats. Charlie Snyder provides concrete examples (IP Idea, Grid Tied/UNK 2814), discusses the philosophy driving the disruption team, candidly addresses the trade-offs inherent to aggressive disruption, and lays out a compelling vision for scaling these operations through automation and broader partnerships. The episode is an insightful listen for defenders interested in the evolving playbook for large-scale, proactive cyber defense in the private sector.