Resilient Cyber

Chris Hughes
Mar 17, 2026 • 45min

The 350 Million Problem: Securing the Businesses No One Else Will

Joe Levy, CEO of Sophos and a 30-year cybersecurity veteran, discusses the massive gap: 359M businesses but under 32K security leaders. He explores why the market fails SMEs, how agentic AI can scale CISO-level intuition, real gains and limits of AI in SOCs, and the tough choices behind a five-year nation-state firewall disclosure.
Mar 11, 2026 • 5min

Before the Breach: The Zero Day Clock and the Race Against Exploitation

Show Description

The Zero Day Clock is ticking — and the numbers should make every security leader uncomfortable. In this episode, I sit down with Sergej Epp, CISO at a leading security firm, who built the Zero Day Clock after a weekend experiment using AI to discover vulnerabilities firsthand. What he found shocked him: with no professional vulnerability research background and just a few hours of work, he was successfully finding zero days across major security projects using AI models and basic scaffolding.

Sergej breaks down his concept of the "Verifier's Law" — the idea that offense has the cheapest verifier in cybersecurity because feedback is binary and instant (you either popped a shell or you didn't), while defense operates in a space where validation is expensive, ambiguous, and slow. We dig into what this asymmetry means for the industry, why 20 years of warnings from Ross Anderson, Bruce Schneier, Halvar Flake, and others have gone unheeded, and whether coordinated disclosure models are broken now that AI can reverse engineer a patch into a working exploit in minutes.

We also discuss the tension between regulation and deregulation playing out in the U.S. and EU, why the answer might be outcome-based accountability rather than prescriptive compliance, and what a realistic defensible posture actually looks like when the mean time to exploit for actively exploited vulnerabilities is under two days — while most organizations are still operating on 30-day patch cycles.

Show Notes

- Sergej shares how a weekend AI experiment led him to discover multiple zero days across major security projects with no professional vulnerability research experience — and why that should alarm the entire industry
- The "Verifier's Law" explained: offense has cheap, deterministic validators (pop a shell, exfiltrate data, trigger an XSS) while defense faces expensive, ambiguous validation (parsing SIM alerts, measuring security posture), giving AI-accelerated offense a structural advantage
- The Zero Day Clock synthesizes 3,500+ CVE-exploit pairs and shows the mean time to exploit for actively exploited vulnerabilities is now under two days — while organizations still operate on 14-to-30-day patch cycles
- 20 years of ignored warnings: from Ross Anderson's 2001 economics paper through Bruce Schneier, Halvar Flake's "the patch is the advisory" insight, and DARPA's Cyber Grand Challenge — the industry has consistently failed to act on clear signals
- AI can now reverse engineer patches to identify underlying flaws and generate working exploits in minutes, potentially breaking coordinated disclosure models and compressing the window between patch release and active exploitation to near zero
- The regulation paradox: the EU risks overregulating AI in ways that hamper defenders while attackers face no such constraints, while the U.S. is pushing deregulation that may remove the only forcing function for vendor accountability — Sergej and Chris discuss outcome-based regulation as a potential middle path
- Defenders have a data advantage: by understanding their own environments, infrastructure, and processes, security teams can detect AI-driven attacks through behavioral anomalies like hallucinated API calls, non-existent user accounts, and other artifacts of AI-generated attack playbooks
- The Zero Day Clock's real power is as a board-level communication tool — a single slide that translates the patching gap into a number executives and policymakers can't ignore, shifting the conversation from "are we compliant?" to "are we fast enough?"
Feb 23, 2026 • 41min

Securing the Future with Autonomous Defense

Summary:

In this conversation, Chris Hughes and Stanislav Fort discuss the transformative role of AI in cybersecurity, particularly in vulnerability management. Stanislav shares insights on how AI can discover zero-day vulnerabilities in widely used codebases, the challenges of balancing AI-driven discoveries with quality assurance, and the importance of proactive security measures. They also explore the economic sustainability of AI in cybersecurity, the burden on maintainers, and the ongoing arms race between defenders and attackers. The discussion emphasizes the potential for AI to significantly enhance software security and the aspiration towards achieving zero vulnerabilities in critical infrastructure.

Takeaways:

- AI is revolutionizing vulnerability management in cybersecurity.
- The ability to find long-hidden vulnerabilities is unprecedented.
- AI can enhance both offensive and defensive security measures.
- Proactive security integration into development pipelines is essential.
- The quality of vulnerability reports is declining due to AI-generated noise.
- Maintainers face increasing burdens from rapid AI-driven discoveries.
- AI can help secure open source projects effectively.
- Sustainability in AI cybersecurity requires financial backing.
- The arms race between attackers and defenders is intensifying with AI.
- Achieving zero vulnerabilities is an aspirational yet achievable goal.

Chapters

- 00:00 Introduction to AI in Cybersecurity
- 02:52 The Evolution of AI and Vulnerability Discovery
- 05:45 AI's Impact on Software Development
- 08:59 Discovering Zero-Day Vulnerabilities
- 11:48 The Great Bifurcation in Security Research
- 14:52 Balancing AI-Driven Discoveries and Quality
- 17:59 Proactive Security Measures in Software Development
- 20:53 The Role of AI in Securing Open Source Projects
- 23:54 Sustainability of AI in Cybersecurity
- 27:07 Addressing the Burden on Maintainers
- 30:09 The Tension Between Autonomy and Security
- 33:03 The Arms Race Between Defenders and Attackers
- 36:12 Aiming for Zero Vulnerabilities
- 38:58 Conclusion and Future Outlook
Feb 18, 2026 • 42min

Selling Cyber: Deal Flow and Market Signals with Momentum Cyber

Eric McAlpine, Founder and CEO of Momentum Cyber and a former engineer and Air Force officer turned tech banker, walks through 2025 M&A and capital market trends. He dissects mid-market deal dynamics, why some startups surge while others stall, the AI security boom, and why services and team signals still drive most transactions.
Feb 17, 2026 • 25min

Exploiting AI IDEs

Ari Marzuk, an offensive security researcher who exposed the “IDEsaster” vulnerabilities in AI coding tools, discusses a new class of flaws rooted in shared IDE layers. Conversations cover why legacy tools fail with autonomous agents. He highlights low-barrier exploitation methods and the tension between developer productivity and security.
Feb 10, 2026 • 26min

AI is Ready for Production - Security, Risk and Compliance Isn't

James Rice, VP of Product Marketing and Strategy at Protegrity with 20+ years in security and compliance, discusses why perimeter defenses fail for AI and the need to protect data itself. He covers data-centric controls like tokenization and anonymization, risks from agentic workflows and data leakage, and embedding security inline across AI pipelines. Practical tradeoffs for balancing data utility and compliance are explored.
Feb 7, 2026 • 35min

Hacking the OpenClaw Hype

In this episode of Resilient Cyber, I sit down with Jamieson O'Reilly, Security Researcher and Founder @ Dvuln.

Jamieson recently went viral for his hacking activities demonstrating the vulnerabilities and exploitation of OpenClaw (previously ClawdBot and Moltbot), from exposed servers, backdooring skills and demonstrating how to perform potential account takeovers. Jamieson is now helping secure the OpenClaw project. We will walk through his findings, implications of the rise of Personal AI Assistants (PAI) and the various potential risks and security ramifications of insecure adoption and usage.
Feb 6, 2026 • 33min

Switching to Cyber - Navigating Cybersecurity Careers

In this episode of Resilient Cyber, I sit down with longtime Cyber practitioners and leaders Helen Patton and Josiah Dykstra to dive into their latest book, "Switching to Cyber: The Mid-Career Guide to Launching a Cybersecurity Career".

The book aims to help mid-career professionals pivot into the cyber career field and navigate finding their cyber niche, bridging skill gaps and conquering tech intimidation among more.
Jan 22, 2026 • 28min

Resilient Cyber w/ Anshuman Bhartiya - AI-native AppSec

In this episode of Resilient Cyber I sit down with Anshuman Bhartiya to discuss AI-native AppSec. Anshuman is a Staff Security Engineer at Lyft, Host of The Boring AppSec Community podcast, and author of the AI Security Engineer newsletter on LinkedIn. Anshuman has quickly become an AppSec leader I highly respect and find myself learning from his content and perspectives on AppSec and Security Engineering in the era of AI, LLMs and Agents.
Jan 9, 2026 • 21min

Resilient Cyber w/ Jerry Gamblin - CVE Retrospective & Looking Forward

In this episode of Resilient Cyber I'm joined by one of my favorite Vulnerability Researchers, Jerry Gamblin.

Jerry recently published a comprehensive 2025 CVE retrospective, which we will dive into, as well as his thoughts around trends and patterns we may see emerge in the vulnerability management landscape moving into 2026 and beyond.
