Helping defense's use of AI catch up with offense, cost of the vulnpocalypse, news - Evan Powell - ESW #461
Show notes
Offensive folks have been having the most luck with AI so far, which is further eroding any advantage defenders might have had. Evan Powell joins us to share some ideas on how defenders can get some benefits from AI as well, and why open source is important with this approach.
Topic
For this week's topic segment, we've got two very interesting data sources.
The first is Anthropic's first update on Project Glasswing, where they're absolutely tearing through codebases with ultra premium Mythos tokens, but then hitting a human-shaped bottleneck as they attempt to validate all the findings.
The second is the first report from Root Evidence, the latest startup from Jeremiah Grossman and Robert Hansen (aka RSnake), which aims to help organizations filter out all the vulnerabilities that don't matter.
Where these two reports meet in the middle is my concern that the use of AI to scour every last bug out of code is going to be the most Sisyphean task the cybersecurity industry has ever come up with (and we have some deep experience here).
The Weekly Enterprise News
Finally, in the enterprise security news,
- Less funding, more acquisition
- The AI SOC startup space is CROWDED
- Your CEO is suffering from AI psychosis
- Some CISOs are done with the job, IT can have it
- Detecting and removing dangerous secrets from dev workstations
- 230,000 security advisories roll up to 6 attacker behaviors
- The FBI's 2025 IC3 report is out
- When tech billionaires make predictions, they're actually sales pitches
All that and more, on this episode of Enterprise Security Weekly.
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw-461