Block's CISO James Nettesheim on How 40% of Their Detections Are Now Written with AI

19 snips

Feb 10, 2026

James Nettesheim, CISO & Head of Enterprise Technology at Block, a detection engineering and incident response leader who co-built Goose and helped design the Model Context Protocol. He discusses building Goose and MCP, hardening agents against prompt injection, democratizing detection writing with natural language, Binary Intelligent Triage with 99.9% accuracy, and principled, data-safety driven AI rollouts.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ANECDOTE

Goose Began As An Internal Passion Project

Block's engineers and CTO started Goose as a passion project to unlock agentic AI for the whole company.
Goose matured alongside the Model Context Protocol and became a reference implementation for general-purpose agent use.

INSIGHT

Principled Risk-Taking With Data Safety Levels

Block treats AI adoption as a principled risk tied to its mission of economic empowerment.
They implemented 'data safety levels' to map sensitivity to handling and security controls.

ADVICE

Democratize Detection Writing With AI

Democratize detections by enabling anyone to write detections using natural language and Goose recipes.
Use AI as step zero and then tune detections and tests with AI to reduce false positives.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

What if the real risk isn't adopting AI agents, but refusing to? James Nettesheim, CISO & Head of Enterprise Technology at Block, argues that principled risk-taking beats playing it safe. James shares Block's journey co-designing the Model Context Protocol with Anthropic and building Goose, their open-source general-purpose agent that enables anyone in the company to write security detections using natural language.

James also explores Block's Binary Intelligent Triage system achieving 99.9% accuracy, their data safety levels framework, and practical strategies for balancing autonomous AI capabilities with human oversight. James offers candid insights about implementing AI security principles, the evolution from tool experts to domain experts, and why open source remains fundamental to Block's mission of economic empowerment and technological innovation.

Topics discussed:

Co-designing of MCP with Anthropic and developing of Goose as an open-source general-purpose AI agent
Implementing prompt injection defenses and adversarial AI concepts to harden Goose against malicious instructions and attacks
Rolling out AI responsibly through data safety levels modeled after CDC bio-contamination protocols for sensitive data handling
Democratizing detection engineering by enabling anyone at Block to write detections using natural language
Achieving 40% of new detections created with AI assistance through recipes, playbooks, and automated tuning capabilities
Building Binary Intelligent Triage system that analyzes historical alerts and investigations to achieve 99.9% automated triage accuracy
Balancing autonomous AI capabilities with human oversight, requiring PR reviews and maintaining accountability for agent-generated code
Transitioning from tool expertise to domain expertise as the future skill set needed for detection and response professionals
Block's commitment to open source development driven by economic empowerment mission and desire to build accessible financial tools

Listen to more episodes: