Sam (3:52)

Andy, let's shift gears into AI. You mentioned it earlier. Obviously AI is transforming cybersecurity defense. From your perspective at unit 42, what are some of the promising use cases of AI in Intel or security operations today?

Andy Piazza (4:08)

Yeah, so I think AI is really promising. And so it's really easy for me to be a doom and gloom guy, especially as a threat intel person. I see the worst in security every day. So I want to start with I do see it as promising. We've had some interesting gains from just internally. I have a teammate who built a really cool tool that helps us analyzing phishing kits. So if you don't know, phishing kits are something that bad people on the Internet can buy. Someone has basically pre configured all of the files you need to stand up a phishing credential harvesting server. So those phishing kits can include thousands of files with thousands and thousands of lines of code. My team used to manually go through those and review those. We'd look for hacker handles and different code similarities and things like that. And now with the new AI tool that we have built in house, we throw a phishing kit at it. It categorizes it and compares it to all the other known phishing kits we've already manually gone through and It'll give us six or seven different files that says these have an 80% more similarity to these other ones. And now we have a much narrower set to pull a couple of files up and go. Yeah, this is probably the same phishing kit. We've also used that to pull out indicators of compromise much faster because we know how the different phishing kits are structured. So those URL paths where those actual credential harvesting sites are going to be, it's great because we're talking thousands and thousands of hours are now done in like 20 minutes of computing. And now my team has actionable intelligence and they can go hunt on our telemetry for those file paths and URL paths within, like I said, maybe an hour of getting that fishing kit instead of two weeks. And sometimes we're getting ahead of those things because we can get them through different sources before anybody's even stood up the infrastructure. So we're getting those into our products and blocking infrastructure before it's even been registered by bad guys. So I saved us a bunch of time on there. But flip side, we do still have to validate a lot of that. There's a big believer in human loop with any automation, whether using AI or dumb automation, for lack of a better word. You know, we still see it what some would call hallucinate. I know you had a guest a few months ago was talking about, she called it lying, not hallucinating because the AI actually knew that it was giving a false answer. So I really like that perspective. Like we teach people, you ask me a question, I say I don't know the answer. That's how we teach people to operate. But for some reason we're teaching AI to come up with answers. I know there's a lot of people that are frustrated with early deployments of like Apple Intelligence or Alexa because it wasn't giving them answers. Well, I'd rather have that than tell me to add gasoline to my spaghetti to make it spicy. Right. An actual real world example we've seen, that's a horrible, horrible thing. We still want to validate, but we've done some really cool stuff like building our threat actor profiles. It takes a lot of reading and reading and reading of 10 plus years for some of these groups that have reporting out there. Now we're able to use an LLM pointed at a couple of trusted sources and it brings in a profile. We can skim it, we can make sure it's edited properly. And we've even seen AI editors that leave hanging sentences and have bad Grammar. Because as smart as we think these are, it's not actual intelligence. It's not humans thinking, right, we're electrocuting rocks. That's all a computer's doing. So, like, we still need human in the loop. But I think it's more of a gaining, like, you know, 30 to 40% gains rather than the 99% gains that some of the hype train is telling you you're going to get.

Sam (7:26)

Yeah, it's good to hear that your team validates and even if it's a matter of speeding you up so that you can get ahead, that your team's still in there. I worry about what are the attackers doing to get smarter with AI.

Andy Piazza (7:40)

So I think we've seen a lot of threat researchers. Thankfully security researchers in the space more than bad guys. But I think it was about a year and a half ago we saw a researcher package come out called Black Mamba. It was a piece of malware that replaced the command and control operator with an AI. So normal dumb malware checked in with a C2 server, command and control server. And instead of a human being like, oh, pull these files down or do these other actions, they were using an AI in that model. So again, it was just researchers. But now, just a couple of weeks ago, last month, Ukraine cert, our good colleagues in Ukraine, they just released a malware family or article about a malware family that Russia threw at them that they believe was replacing the C2 operator with an LLM. And. And what scares me about that is the scalability of attacks now really starts to get realized. You think about the solar wind reach. We believe thousands of organizations had that backdoor, but only a handful really got interacted with by the bad guys because they were limited by human resources.

Sam (8:42)

They needed to sleep.

Andy Piazza (8:43)

If that C2 server is now running an AI that doesn't need to sleep, it can interact with a thousand different compromised or 10,000 different compromised companies, pull all that data, exfiltrate it all, put it into a database, and then that operator, one or two people instead of thousands of them, can use an LLM and say, what financial data is in here, what legal data is in here, what Personas are in, and they can just use plain language. They don't have to be data analysts anymore. And one or two operators can now pull real level intelligence out of things with just plain language and not having to be data scientists or spend thousands of hours comparing documents and reading through target information. They can just dump it all into a big database and let an LLM answer it. I go back to the OPM breach. Around the time of the OPM breach, some major airlines got popped, some major hotels got popped. There was a lot of data coming out. If that threat actor has that database and they've got an LLM on it now. And a couple of those hotels and airlines were believed to be ones that were being used by the US Government for certain agencies. I dump all that into an LLM and go, which one's the CIA operator? I just type that out as a question and it dumps me out a bunch of Personas out of those databases. That scares me.

Sam (9:55)

Have you encountered any specific examples where generative AI tools were used in an activecampaign?

Andy Piazza (10:03)

Yeah, so we're seeing a lot of generative AI, for the most part, very scammy stuff, but we're also seeing it with the North Korea stuff doing some of the Personas. We actually have an interesting threat researcher article out. This is cybertime. It was either last week or six months ago. I think it was about six months ago. We looked at a bunch of the scammy sites. It was the celebrity get rich, bitcoin, those types of things. And they were using images of Trump and Musk and a bunch of other celebrity types. What was cool was when we looked into it, one, you could pretty easily tell it was Genai type stuff and some video clips and some images. But when we started, we really want to go, can we apply traditional cyber threat intelligence modeling to track this? And when we started looking at the infrastructure, just like we would look at phishing infrastructure, command and control infrastructure, we realized it was probably only one or two groups behind all this activity because the infrastructure was all shared and the registration information was all shared. And it was really cool because we was like, yeah, everyone thinks AI is this big, scary, unknown weapon, but in reality, it's still running on the same technology that we're used to. It's a little bit different, right? And it's a little bit black box. You don't quite understand how the AI works, but really it's being stood up on domains, it's being set up, stood up on IP addresses, and it's. We're able to use our traditional methods to still track that infrastructure and say this is probably a cluster of activity related to a single group or two groups based off of some of the patterns we saw. So, you know, I say all the time, there's no silver bullet in defense, but there's also no silver bullet in attack. Like, we can still track this stuff and, and chase bad Guys, the old fashioned way.

Sam (11:36)

Andy, let's shift into the ugly AI hallucinations. And you mentioned it earlier, that's a great marketing term for machines that lie. Model drift, data poisoning. The risks aren't just theoretical. What's your view on the most dangerous or maybe the most misunderstood threat vectors within AI systems?

Andy Piazza (12:01)

Yeah, so when I talk to CISOs and CIOs, you know, I try to highlight like when we write a threat research article on jailbreaking AI, we have to use quasi safe scenarios we don't want to show because we don't want to interact with customer data. So if we're going to break an AI chatbot, it's going to be like, write me a phishing email, write me malware. And I know that sounds super malicious and weird to say semi safe, but that's a lot different than dump out all your customer data. And that's the thing I'm trying to tell CISOs and CIOs. You're deploying a chatbot to your website. Is that chatbot also the same model that's tied to the backend database? Because if I jailbreak your website, I'm not going to use it to write phishing emails. I'm going to basically do like a traditional SQL injection again, new technologies, old again type of thing, vice versa. I'm going to go in and go, give me all your customer data. Was just out in California talking to some county CISOs and some school CISOs and we were talking about the governance model around using a chat system on a government website, like a county website. You don't know what that user's gonna come and questions they can ask. So now it's gotta be like HIPAA compliant. Cause what happens if I go in and I go, I have this disease. What kind of medical services you have? You can't predict what kind of questions. Now that it's a freeform field now that box has to be HIPAA compliant. I could go in there about having to pay a fee or something. So now it's gotta be what PCII or financial compliance. Like all of the compliance models now apply to this chatbot, all because you want to save a user 30 seconds from finding the FAQ or just finding the resource on your own. I just think about how much additional risk and governance that is now because everyone's just being pushed to adopt a technology they barely understand. I think that's really scary.

Sam (13:48)

Andy, how do we build trust in AI systems when they can be manipulated and so easily deliver false positives?

Andy Piazza (13:57)

Testing Testing, testing and human in the loop. Right? Like, you know, just like everybody, whenever we was hesitant about going to the cloud, we saw business units adopt the cloud way before security operations or even it were aware of it. We're seeing that with AI as well. I'm hearing here on the floor, walking around black hatted, like, oh, yeah, we're officially using this model, but I really like this other one. So I just pivot to my personal computer and, you know, I never put corporate data in there type of thing. But yeah, I'll go to my personal computer and use ChatGPT because we use Gemini. And I didn't like Gemini's answer. And I'm just like, you are a security professional and you just told me it went around your security controls.

Sam (14:34)

So you come at this from a security standpoint and somebody who's a defender, and I look at it and I see the same thing. I've done the same thing. Or I'm like, oh, I didn't get a decent answer. Or I'm blocked and I want to get something done. So I'll look to another computer, my phone, my personal laptop to go try to figure something out. And to me, that's a really simple and incredibly difficult problem to solve for if you put a mandate in or you may get a block. Humans are clever and will get around it. And so it's like, how do you make it easier to do the right thing?

Andy Piazza (15:15)

Just like when we did Cloud and any other technology and to give someone even an internal AI model. But say you can use it for general queries, but you can't use it for customer data yet. Well, customer data is the most challenging data. So you get the stupid stuff that I call it the stupid stuff. But like, hey, do you want me to summarize this email? Well, it's three sentences. If I need AI to summarize these three sentences, you could probably fire me already, but I needed to do the hard things, but I'm not allowed to apply it to the hard things yet. So, yeah, in a security mind, we do need to get faster at helping business units adopt the technology. But there's just so much. We use the term black box. There's just still so much unknown about not only the hallucinations and the data modeling itself, but the governance of it and the discoverability of it. Right. There's a lot of risk and legal risk involved in you operating with customer data. Did all of your contracts need to be rewritten because of this new technology for every one of your customers? You know, you have to have legal go through and review all of your contracts to see if you can do that thing with that data. That all just takes time. Unfortunately.

Sam (16:24)

Yeah.

Andy Piazza (16:25)

There's two problems I have with the way we're adopting AI as a business world right now. One is I don't care what technology stack I'm using. I say I'm pretty smart when it comes to technology, but when I talk to developers or architects and stuff about a project, I intentionally go, I'm a user, I want a green go button. I don't care if it's SQL, no SQL Graph Database. And that's my problem with AI is it's not being built inherent into my tools. You're giving me this blank prompt and being like, it's super powerful. And I'm like, I just see a blank page. It's hard to visualize that. Then the other piece of the way we're doing this rollout right now across many, many companies is everyone needs to learn AI. That's not my software developers or engineers, that's everyone. So now I've got HR staff and finance staff and all these non technologists who are taking parts of their business day to go learn a brand new technology with zero rollout in training. Where is the AI trainer who comes in and shows you, hey, do you know you could actually write up your questions and it can record a podcast for you now. And you're like, well don't do that because I like my job. But they could probably help you edit your podcast faster or web videos. You could probably do some really cool graphics in the background. But for you to stop and learn, that is very, very expensive. When it's every employee across every company trying to figure out technology by themselves, like, that's a really weird way to adopt technology.

Sam (18:19)

None of us are spent our undergrad learning prompts for AI. None of us are necessarily world class at that. Some are better than others, right? But it's still a weird moment when you're going like, that's not in the 80% of the value you bring as a marketer, a storyteller, a thinker, an editor, whatever it is, to go and run at the AI system with a bunch of prompts and try to build that out. And then of course we're not seen in the organization as a engineering or software function. So when we have a need, can we get Google Cloud platform or can we get something that helps us distribute a script? You're in marketing, man, what are you doing? And you're like, well, if we're going to scale this thing. We need those tools too. We need that access too. And I can only imagine our infosec team and our CISO going, no, absolutely not, this is not going to happen. And yet that's the edge that we're bumped up against because the push is go deploy AI tools and everything that you're doing on a content marketing team, which is a storytelling team.

Andy Piazza (19:36)

That's why I say I want to see AI built into the tools that I use so we see it in our platforms. Not to get too corporate, but like I want a quick summary of the alert in human English instead of tech techies. Right? Like we can do that with AI for your like from a content creator perspective, you upload this episode, you should be able to native in your video and audio editing app, be like, pull out social media clips and it should be able to go and find the spicy take or the cool line and be able to clip that, drop that as a clip or drop that as a social media picture or whatever. Like that's good AI not going to a blank screen and being like, how do I use you?

Sam (20:13)

Right. So Andy, if AI takes over lower level roles, what do the next generation of managers and leaders, where do the next generation of managers and leaders come from?

Andy Piazza (20:27)

Well, I think we're in this weird, almost like a AI version of like Dunning Kruger effect where we're thinking it's like much stronger than it is. And I think just like we've seen in the past with moves for offshoring and onshoring, I think we're going to see, you know, we've seen a lot of companies cut and be very open about cutting because AI is replacing staff. I know a number of companies that aren't cutting, but they're saying before you get additional headcount, you got to prove, you know, that AI couldn't do it and automation couldn't do it. I think we're going to see that for the next few years where people really, there's a lot of lot invested and there's a lot of opportunity available with using AI. And so I think the, the dream's still there. But I think about three, four years from now we're going to see the swing back towards more human centric and realizing unless, you know, AI blows up and is actually useful and, and hits all those realizations, I think we're going to see a shift back to humans. So we're going to be a little bit delayed in that career growth chart. But I am for some reason Hopeful, which is weird for me that I think we're gonna, we're gonna learn some hard lessons. But listen, I would love to talk to every tech CEO in the world right now and they're all watching their peers lay people off for AI and be like, if you're the one company that goes to the market and says, we're not going that direction, we're going to invest in humans, there is rockstar talent available applying for every one of our roles. You know, 10, 20 candidates that you would love to be for a single role dream team. If there's a company that's out there that's got the leadership, says, I'm going to hire all those people while you're laying them off, we would be crushing it in five years when all of them are trying to come back from this.

Sam (21:59)

Yeah, I think that in investing that's often said zig when they zag, right? So if you see an opportunity where everyone's trying to get out and that assets really, really depressed, you can buy in and when it bounces, you're going to be ahead. And I kind of wonder if the zigzag here is while everyone else lays off, you're going, it's counterintuitive, but go pick up the actual intelligence.

Andy Piazza (22:25)

And it's interesting too, right? If you look at business in history is like, we always, you know, we talk to CISOs and CIOs a lot and it's always, how do I compare to my peers in the industry and all of that. But it's like, that's not what's ever made a great company. It's the one that did the opposite of what everybody else that's made great companies at great times or made great moves. And it's like, let's start actually saying what we say, right? Like think differently and do something different. If everyone's laying off and trying to adopt AI, like, let's invest in our humans and still invest in AI. I do believe in it, like I said, but it's 30 to 40% gains.

Sam (22:58)

What's your advice for CISOs or security leaders that are trying to evaluate an AI solution? How do they separate out the real innovation that's going to help them from some of the snake oil?

Andy Piazza (23:13)

Always ask to bring the security engineer in the room, not just the sales pro. That's step one and just ask real questions about. I think we're at the point now where companies should be able to talk about impact and metrics and KPIs of those types of things and not just the promise of what it's going to do at this point in AI, if somebody's selling you something, they should have some measurable real world examples. And, you know, we see it all the time in our space where they can you have an employee referral, is there, or a customer referral that is there. Another CISO who's willing to get on the phone with me, make sure they're not being paid or compensating in some other way, because there's some companies in the industry that will do that. But talk to your peers. You know, the CISO network is even probably tighter than the Threat intel network. Talk to your peers. Are they getting real value? Just like, you know, I use it all the time for security awareness training about phishing. Sense of urgency is the number one sign to me that something is a scam or fraud. We've got people out there right now on LinkedIn who are like, if you're not already an AI, it's too late. That sounds like a scam to me. Sorry, bro. You know, I do believe AI is promising, but it's super beta. If you go on like the. There's a really good tech description or discussion on subreddit right now where someone complete, clearly, completely in the tech developer side is like, I don't know why all these enterprises think AI is ready. Like, we're still so beta, blah, blah, blah. I'm like, have you any. Like, it was completely oblivious to the other side of the messaging that you're too late. If you haven't adopted AI already, your competitors already beat you, you might as well sell your company. You're done. That's a scam. Anything that has a sense of urgency, people should be like, all right, I need to slow down and think about this. Is that true? Are we getting value from AI? Are we getting the value that was promised at its current rate? What about when it's no longer subsidized and I got to pay 10 times as much? Am I really. Is it really worth firing those 10 humans when that price is going to quadruple soon or worse? I would encourage every CISO and CIO who's being pushed to do this. Ask the question. Who's telling me to do that? Right, the old. I can't speak Latin, but the old legal term of who benefits. Right, like, who's benefiting from that message?

Sam (25:25)

Follow the money.

Andy Piazza (25:26)

Yeah.

Sam (25:28)

What questions should they ask the vendors or the internal teams specifically, like, what are those things that help you really suss out the.

Andy Piazza (25:38)

So from the Business impact, you know, said get the metrics, get to give me some real world case examples. How much time is being saved? How much money is really being saved? You know, am I really getting value from this? But, you know, from the CISO perspective, more about the security is like, what is your governance model? Is this going to your cloud? Is this on prem? If it's going to your cloud, is it mixed, you know, tenant data, or do I have my own dedicated data tenant? What are you doing to secure your systems? Do your admin. Like, I'm at the point now, if I become a CISO, every one of my contracts, like SaaS contracts, will require physical MFA for all of my vendors, like every one of my contractors, you know, SaaS, platform, whatever, that they require physical MFA for all of their users, not just administrators. Because that's how much I believe in physical MFA multi factor authentication to stop stupid stuff. Like, those would be the things I'm looking at is what are your security controls? And not that stupid spreadsheet like all the companies are passing around. I forget the term of it, but they ask all these security controls, I want to look across the table and get that person to tell me, you know, tell me you're securing my stuff. One of the things I've hated about security for a long time is this idea of like, risk transference, right? Sure, that sounds cool when you're a ciso, but if I'm your customer, I don't give a crap who your third parties are. I trusted you with my data. I'm going to sue you. Like, you're going to lose brand, you're going to lose a customer if you screw this up. I don't care. It's your third party. So you need to make sure that the trust that I give you is extended to them and that they have the same level of security, if not higher than you.

Sam (27:09)

Daniel Ford was on the podcast back in January and he made this comment that has stuck with me. He's taking the risk for his customer, but he doesn't have to suffer the consequences when that risk comes to roost. And it's like, huh, risk transference. It's the end customer that eats it. Yeah, maybe the company gets hit, but in the end, whose data was lost? The customer. Right? Like that's that wild moment and it's a big responsibility. I like the idea that the MFA could be one of those pieces, physical MFA could be one of those pieces. Because I think it comes down to how do you verify that the person on the other side of any transaction is actually who they say they are. And with AI, with deepfakes, with some of the scams, all of the urgency, it's tough. And maybe something more fundamental of just moving back to a token is, is the right direction.

Andy Piazza (28:13)

When I ask, you know, I ask Zizos a lot like, what are your crown jewels? And they'll say, you know, their salesforce data, their customer data, their intellectual property research and development and all these things. And I'm like, no, no, your email. If you lock down anything at all with a physical MFA token, it should be your email first because your email resets the passwords to all the things you just named. So guess what? My password manager and my all of my email accounts require a physical token for me to log into the first time on any device because that's where all of my crown jewels tie back to my password manager. And my email is basically also a password manager because I can reset all of my other accounts with that.

Sam (28:52)

Andy, looking ahead, you know, you've had a front row seat to some of the biggest evolutions in threat intel. Where do you see AI? Where do you see AI's role in cybersecurity heading in the next five years?

Andy Piazza (29:08)

I've been really. The really promising side of AI is where we see what's now being called agentic AI as of a week or two ago, but is the extension of soar, right? Security, orchestration, automation, response. But smart Soar now, as I'm calling it, I think the ability to scale our analysis capabilities very quickly, identify, you know, behavioral analytics, you know, variations of behavioral analytics, that something is weird and off. Especially as we look at something like a muddled Libra actor who's not using malware, they're logging in as you or logging in as an account and using tools that are already there. They're not downloading malware. We see that with the Chinese when they go into a number of organizations, they may use initial exploit to get in, but then they're abusing accounts and abusing and we call it, like I said, living off the land or lol. That's really hard to detect from a security perspective. There's no malware, there's no malicious code, that type of thing. And then, you know, everything is always about speed and scale. You know, we saw with the Red Team exercise that we used AI for for this year's incident response report. What was it, like under 25 minutes or something stupid. How many soc most people don't realize with the way log forwarding works and alert forwarding. There are SOCs that may not even gotten those alerts to the siem in that 25 minutes. You know, that may be a 60 minute delay or a 45 minute or 30 minute delay before an alert goes from the SOC or from the security device to the actual SIEM, where the SOC analyst would even start the investigation. So that breach was over before some SOCs were even alerted. That's the things that's scaring me.

Sam (30:43)

Yeah. A few Years ago at IBM, one of the CISOs there was saying that their golden metric was could they get the alert to their teams in under 60 minutes? And under 60 minutes was 59 minutes, 59 seconds. Right. You were stretching and we were part of the services team and that's get.

Andy Piazza (31:03)

To the alert, not close the alert.

Sam (31:05)

No. And we were part of the services team and we were being pushed to try to move our minutes down, which makes sense. And they finally were able to move and automate and optimize down to 60 minutes. And that wasn't that long ago. And Now I'm seeing 25 and you're popped and I'm going. It took an immense amount of work to get it to 60 just a few years ago. How do you get it to sub 25 so that you're not on the backside of. Okay, now we've got to clean this up. We've got to go and do we have a material incident? Is it a brand problem? Is it worse than that? Did we truly get them out of our systems?

Andy Piazza (31:48)

Right.

Sam (31:49)

And it's just wild to me that that's the speed that we are asking some of these teams to work at, but they're not even able to get through, as you say, log or alert forwarding for an hour, by the way.

Andy Piazza (32:02)

It's still like the 1% of companies that even have a SoC, right. And then another, what, 10 or 20% that probably have a managed SoC. There's still plenty of organizations that don't have security operations centers at all that like, that's what our tools always need to improve. Right. And that's the cool thing with this company, is we've got the bad guy mindset, but we've got the good guy mindset. And we're working together to like write really good analytics and write detections. You know, we as threat researchers, we work regularly with detection engineers. When red team exercise happens, they're pulling that stuff in and making sure that we have detections in place. So it's not all doom and gloom. It's really easy for me to Be the threat intel guy and be like, I hate it when I go. We go into. You see a threat intel brief you always the coolest. But worst case as possible. And then I'll get to the recommendation slide and it's basically like if you had a billion dollars, here's all the things you should do. Like we really need to get meet customers in the middle.

Sam (32:55)

Andy. I ask every guest this question. What's the most important thing that a listener should take away from our conversation today?

Andy Piazza (33:06)

Definitely look at your identity hygiene as a human, as a person, as an individual. Don't think about it just from a corporate perspective. One of the best things I've ever seen a company do is they paid for a password manager that included family accounts. It's the only company I've ever worked for that improved my personal security, not just my corporate security because now I was able to extend those accounts out to my family. Got my wife and children used to using password managers. I could share. We had shared Vault so I could share the Netflix password and not have to text it to them every time the kids forgot type of thing. I would just encourage people to think about that. Like password managers are super easy now you can use the free version of 1Password or LastPass. I highly recommend paying for the premium again. A couple hundred dollars could save you a $10,000 trip to Ireland that you never went on because somebody else did it on your identity. Right. That risk reward is kind of there. So yeah, I would say invest in your personal identity.

Sam (34:05)

It is seamless.

Andy Piazza (34:06)

Yeah.

Sam (34:07)

1Password is the solution that I ran into extended hoisted upon my family for the same reasons. And I find that that password management, even within those password managers that are able to go through and say this account's been compromised, this is a reuse, this one's not a strong password and help you with that. Hygiene in and around your passwords gives you opportunity to start using passkeys and or multi factor where it's provided. Sometimes I don't know. It's the password manager that's flagging me and saying you can set up multi factor on this makes it very simple to do that. I agree. I think that's like low stakes.

Andy Piazza (34:53)

Yeah. We look at the trends in attacks. We have the NYI report and everybody's report is wrong. So I'm not going to say just ours is wrong. But we talk about like initial access and people will be like oh X percent was phishing or identity related. X percent was exploitation. That's initial access. Every breach involves an identity if I exploit do a public remote code exploitation and I get root access. Root is an identity so every attack involves identity.

Sam (35:36)

Andy, thanks for talking about the good, the bad and the ugly of AI with me today. Fascinating conversation. Got into some spicy takes but I think some important insights and I can't wait to have you back on the podcast again.

Andy Piazza (35:50)

Appreciate it as always.

Sam (35:53)

That's it for today. If you like what you've heard, please subscribe wherever you listen to podcasts and leave us that review on Apple Podcasts or Spotify. Your reviews and your feedback really do help me understand what you want to hear about. I want to thank our executive producer Michael Heller, our content and production teams, which include Kenny Miller, Joe Bunacourt and Virginia Tran. Elliot Peltzman edits the show and makes as the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. Sam.