Summary4 min read

Podcast Summary: The Digital Executive

Episode Title: Dave Gerry on Rethinking Cybersecurity Through Crowd Intelligence and AI Innovation | Ep 1053
Host: Coruzant Technologies (Brian)
Guest: Dave Gerry, CEO of Bugcrowd
Date: May 1, 2025
Duration: ~10 minutes

Episode Overview

In this insightful episode, host Brian welcomes Dave Gerry, CEO of Bugcrowd, to discuss the future of cybersecurity through the lens of crowd intelligence and AI innovation. The conversation explores how crowdsourced cybersecurity models adapt to evolving threats, the shifting perception of ethical hackers, and the realities of defending against increasingly sophisticated attackers leveraging AI. Dave also forecasts the next era-defining trends in the industry and shares how Bugcrowd and its distributed researcher community are helping organizations remain resilient.

Key Discussion Points and Insights

1. Why Crowdsource Security is More Effective

[01:18–02:17]

Democratization of Cybersecurity Skills:
- Instead of hiring full-time security experts, organizations can access over 600,000 on-demand researchers globally.
- This model mirrors consumer on-demand services, providing agility and broad expertise.
- Quote:
  
  “We start to democratize access to cybersecurity skills. So instead of having to go out and hire people full time, you're able to access over 600,000 security researchers on demand for the exact skill sets that organizations need today.”
  — Dave Gerry [01:29]
Leveling the Playing Field:
- Crowdsourcing brings an "army of defenders" to fight against adversaries, making the ongoing 'defender vs. attacker' battle less asymmetrical.
- Quote:
  
  "Helping them start to take what historically has been a really asymmetrical battle...and start to bring an army of defenders alongside our customers."
  — Dave Gerry [01:52]

2. Staying Ahead of Zero-Day Vulnerabilities

[02:46–04:13]

Community Ingenuity:
- Researchers in the Bugcrowd platform possess fresh insights and skills, often discovering zero-day vulnerabilities before anyone else.
- Unlike vendors tied to R&D cycles, Bugcrowd’s network moves at the speed of global cyber talent.
Blurring Lines Between Threat Actors:
- Sophistication is growing so fast—thanks to AI—that it’s increasingly difficult to distinguish between nation-state and criminal actors.
- AI is democratizing attack capabilities, making even less-experienced attackers seem more advanced.
- Quote:
  
  “There's a narrower gap and it's becoming harder to identify a nation state actor from a cyber criminal gang...The sophistication is growing really quickly due to AI.”
  — Dave Gerry [03:31]

3. Misconceptions About Vulnerability Disclosure and Ethical Hackers

[04:45–06:50]

Changing the ‘Hacker’ Stereotype:
- The media’s ‘hacker in a hoodie’ trope is outdated; today’s ethical hackers are diverse experts from various professional backgrounds.
- Many work with reputable organizations during their day jobs and contribute to security research in their free time.
Motivations Beyond Money:
- Many ethical hackers are driven by passion and the desire to make systems safer, not just financial rewards.
Normalization through High-Profile Programs:
- Initiatives like the Pentagon’s 2016 hack program helped legitimize the practice of working with external researchers.
Importance of Responsible Disclosure:
- Clear guidelines and controls are necessary to manage disclosure, but increasingly, companies see these external researchers as team extensions.
- Ongoing regulatory changes encourage more organizations to formalize their vulnerability disclosure processes.
Quote:

“There's been this connotation of a hacker...in a dark room with a hoodie...I think organizations today are really starting to realize that this is a really diverse, amazing group of individuals.”
— Dave Gerry [04:50]

4. The Next Era of Cybersecurity: AI and Market Shifts

[07:24–10:09]

AI: Double-Edged Sword:
- AI empowers defenders to detect abnormal activity "within milliseconds".
- However, AI also enables attackers to automate and accelerate zero-day discovery and exploitation dramatically:
  - Patch-to-exploit cycle has shrunk from about a week to under 24 hours.
Expanding Attack Surface:
- AI is being adopted in all departments (sales, marketing, dev, etc.), which dramatically expands potential vulnerabilities.
- Businesses must balance the speed of innovation with necessary controls to mitigate new privacy, security, and safety risks.
Future Focus:
- Cybersecurity vendors will need to accelerate innovation to keep pace with fast-evolving threats and ensure safe AI deployment for clients.
Memorable Quote:

“Bad actors are moving faster, they're leveraging AI and it's incumbent on us as an industry to start to empower our defenders...”
— Dave Gerry [08:37]

Notable Quotes & Memorable Moments

On the power of the crowd:

“We’re helping our customers identify these vulnerabilities before a bad actor does.”
— Dave Gerry [03:16]
On AI’s rapid impact:

“We're now seeing that [patch-to-exploit] is happening in under 24 hours.”
— Dave Gerry [08:12]
On organizational change:

“Business does need to move a little bit slower. They do need to have more controls in place.”
— Dave Gerry [09:39]

Important Timestamps

[01:18] — Why crowdsourced models work in cybersecurity
[02:46] — How Bugcrowd gets ahead of zero-day threats
[04:45] — Misconceptions about hackers and disclosure programs
[07:24] — Next big shifts: the role of AI in cybersecurity
[08:12] — Zero-day patch-to-exploit cycles now under 24 hours
[09:39] — Balancing innovation speed with risk controls

Tone and Language

The conversation balances technical sophistication with accessible language, offering both strategic overviews and specific industry insights. Dave’s tone is clear, articulate, and forward-looking, while Brian, the host, is appreciative and engaged, often reinforcing key ideas for listeners.

Conclusion

This episode offers a concise yet comprehensive look at the critical shifts in cybersecurity strategy, emphasizing the transformative impact of crowd intelligence and AI. For organizations seeking to understand how to leverage global cyber talent or navigate the AI-powered threat landscape, Dave Gerry’s insights are especially timely and actionable.

Loading summary

Transcript16 lines

[00:00]
A
Foreign.
[00:09]
B
Welcome to Coruscant Technologies, home of the Digital Executive podcast. Welcome to the Digital Executive. Today's guest is Dave Gary.
[00:17]
A
Dave.
[00:18]
B
Gary serves as the Chief Executive Officer at bugcrowd. Prior to bugcrowd, Dave was the Chief Revenue Officer and Chief Operating Officer at White Hat Security, which he oversaw strategic planning and execution for global revenue growth, service delivery and customer facing operations from 2017 to 2022. With over a decade of experience within the cybersecurity industry, Dave possesses a keen understanding of industry developments with the fast changing market and has held key business leadership positions within several cybersecurity companies such as White Hat Security, ntt, Veracode, Sumalogic and the Herjavic Group. Well, good afternoon, Dave. Welcome to the show.
[00:56]
A
Thanks so much for having me. Great to be here.
[00:58]
B
Absolutely. I appreciate it, brother. I know that we're just an hour apart. You're in that just outside of Boston and I'm in Kansas City. I love to traverse the globe every single day. So Dave, jumping into your first question at bugcrowd, you're at the forefront of crowdsource security. What makes this model more effective or adaptive compared to traditional approaches?
[01:18]
A
Yeah, you know, it's, it's a really good question, Brian. I think if organizations look at the cybersecurity landscape today, they're seeing more attacks than ever before. They have a wider, more dispersed attack surface. And companies are still struggling to hire elite cyber talent. Right. This isn't something that's new. We've seen this everywhere. And fundamentally what's different than our model is we start to look a lot more like consumer on demand models and start to democratize access to cybersecurity skills. So instead of having to go out and hire people full time, you're able to access over 600,000 security researchers on demand for the exact skill sets that organizations need today. And that's really kind of helping them start to take what historically has been a really asymmetrical battle, right. This defender versus the adversary, and start to bring an army of defenders alongside our customers to help them win in this changing environment.
[02:17]
B
I really love that. That's totally awesome. You're putting a bunch of experts together and really just leveling the playing field. As you know, the latest cyber attacks are just getting more and more advanced. People are leveraging new tools, AI Some of them are state sponsored, as you know, some come out of China. So I really appreciate what you're doing to make the world safer. So Dave, cybersecurity threats are constantly evolving. How does bug crowd stay ahead of Zero day vulnerabilities and emerging attack vectors.
[02:47]
A
This is really the power of the crowd. This is the ingenuity and the creativity that exists among all of these security researchers. Unlike traditional security scanning companies or security vendors that have to keep up with the pace of R and D, we're able to tap into the latest and greatest knowledge that exists within that community. So they're finding zero day vulnerabilities before anybody else's. We're seeing that these folks are developing skill sets and tactics for identifying vulnerabilities that would take weeks or months to put into a scanner. So it's helping from a bug crowd perspective that we can stay a step ahead. But the more important part is that we're helping our customers identify these vulnerabilities before a bad actor does. You talked earlier about nation state versus kind of cybercriminal gangs, how that's playing out. One of the really interesting things for us is we're seeing that there's a narrower gap and it's becoming harder to identify a nation state actor from a cyber criminal gang. And a big piece of that is that the sophistication is growing really quickly due to AI. You have more amateur actors that are able to come off or appear more sophisticated because of the ability to tap into AI and our customers are feeling the same thing. So we're helping to bring the right experts at exactly the right time to help them solve whatever challenge it is that they're facing. You can drive, most importantly, the cyber security outcomes that they care about.
[04:14]
B
Thank you. And I like your model again, that crowdsourced cyber teams. You know, you're sharing knowledge, you've got a knowledge base, you have tools that you obviously share, and this allows you to stay a step ahead of the criminals. Now, of course, we know AI and some of these other tools are making it even more difficult to prevent attacks because of the sophistication that's coming down the pike. So I appreciate you highlighting that. Dave, what are some of the biggest misconceptions companies still have about vulnerability, disclosure, and working with ethical hackers?
[04:45]
A
For a long time there's been this connotation of a hacker sitting in a dark room with a hoodie, typing furiously over a computer. Right. That vision's been baked in since the days of the hackers movie all the way through Mr. Robot. Right. And you see this view of hackers as the proverbial bad guy. And I think organizations today are really starting to realize that this is a really diverse, amazing group of individuals that come from all Walks of life, right. We release what we call our inside the mind of a hacker for it every year. And then the metrics continue to change, right. In terms of the age of the hacker community, the skill sets that they have, how they're furthering and bettering themselves, how many of them are actually working in household brands on a day to day basis as security engineers or in some cases security leadership. And then they're doing this in their free time because they actually care about it. Right. If you look at the motivations, we all have this perception that they're doing it for the money, right. You think about ransomware, gangs and even nation states some instances. I think as organizations come together, they're realizing that there's a ton of talent that exists. I think a lot of this was normalized in the 2015, 2016 range. When the Pentagon came out and said that they were going to run that, the first hack Pentagon program and start to tap into the ingenuity of the crowd. I think that's really where we started to see this industry shift. And today the fear has somewhat gone away, right? There's a trepidation sometimes around, well, how do I know that it's not going to be disclosed and we can walk them through the controls that are in place there. But fundamentally they're looking at the crowd as an extension of their team, I think is the regulatory environment continues to shift and more government agencies are starting to acquire vulnerability disclosure programs or responsible disclosure. That's going to help further this mission of let's tap into the most elite talent when we need it and be able to solicit feedback from the public and most importantly, again, help us find these vulnerabilities before a bad actor does.
[06:50]
B
Thank you. I really like that. And I like that you produce that report, I think you call it Inside Mind of a Hacker. I think that's great. And of course, you know, tapping into this most elite group of people again, I think crowdsourcing is one of the biggest things that we can do to be stronger, especially in this space. But I like how many professionals in every industry are working or volunteering their time to make the world a safer place. So I appreciate that. And Dave, looking ahead, what innovations or market shifts do you believe will define the next era of cybersecurity and how is bugcrowd preparing for them?
[07:25]
A
Without a doubt, it's this AI era, right. And there's been a lot of hype around AI in terms of the benefit that it's gonna provide and it's gonna revolutionize Everything we do. But from a cybersecurity standpoint, we're seeing some really actionable things coming out of it. So if you think about, for example, from a defender point of view, they're able to now within milliseconds, detect unusual behavior in their environment, whether that's coming from an internal or an external source, and be able to act upon that by leveraging AI, whether it's agentic AI or in some cases, they're leveraging homegrown model that they built. Now what's equally impressive, what's scary on the bad actor side, is that they're also leveraging AI, right? They're becoming more sophisticated in terms of attacks. Right. One of the things and changes we've seen over the past 12 to 18 months has been the speed of zero day identification to exploit. If you think back, we used to have Patch Tuesday and the patches would come out, folks would start bad actors would start to reverse engineer those. They built an exploit package and ultimately deploy that. And that would be about a week. We're now seeing this and we're confirming this by talking with our customers. We're now seeing that this is happening in under 24 hours. So bad actors are moving faster, they're leveraging AI and it's incumbent on us as an industry to start to empower our defenders with this. If you look at how AI is being used across every organization, right. We think about it's helping sales and marketing, it's helping finance, it's helping legal, it's helping development, and we're seeing a level of productivity. But in all of those cases, it also does introduce potential risk into the environment, continues to expand that attack surface. So it's a really delicate balance for a chief security officer, in some cases a chief data officer today to sit where you're trying to control the privacy, safety and security risks that happens when you introduce AI into the environment. At the same time, you're trying to keep pace with the speed of business. And organizations want to grow and they want to continue to develop their capability. And now you have this third cohort of the employee where we can all go sign up for the latest and greatest AI tech and realized how much more productive or efficient it makes us as individuals. But business does need to move a little bit slower. They do need to have more controls in place. So it's a really delicate balance. And I think as we see the industry start to shift, you'll see more and more of the security vendor market start to shift to how do we accelerate the pace of our own innovation to stay one step ahead of the bad actor and make sure that our customers have the tools that they need to be able to deploy some of these AI solutions with confidence and in a really safe through what?
[10:10]
B
Thank you, I appreciate that. You know you've highlighted something, you know defenders obviously they've got some great tools now including AI tools on the networks. Again agentic AI is is really coming out now but it's nice that we can detect things within milliseconds but as you know with these zero day vulnerabilities we've got to be on the lookout and ever so vigilant. You highlighted a point that I think is important is businesses do need to really slow down a little bit more, make sure there are controls in place so we can minimize that privacy, security and risk that is so important in these days. As you know. Dave, it was such a pleasure having you on today and I look forward to speaking with you real soon.
[10:47]
A
Yeah, this was a ton of fun. Thanks again.
[10:49]
B
Bye for now.