TechSpective Podcast

Tony Bradley

Details

The TechSpective Podcast brings together top minds in cybersecurity, enterprise tech, AI, and beyond to share unique perspective on technology—unpacking breakthrough trends like zero trust, threat intelligence, AI-enabled security, ransomware’s geopolitical ties, and more. Whether you’re an IT pro, security exec, or simply tech‑curious, each episode blends expert insight with real-world context—from microsegmentation strategies to the human side of cyber ethics. But we also keep it fun, sometimes riffing on pop‑culture debates like Star Wars vs. Star Trek or Xbox vs. PS—so it’s not all dry and serious.

Recent Episodes

The Remediation Cycle No Security Team Wants to Be Running
JUN 24, 2026
Most cloud security tools have a detection problem. They find misconfigurations well enough. The issue is what happens after — a ticket gets opened, someone works the queue, the fix goes in, and three weeks later the same misconfiguration is back because a different person on the team made the same call. Ariel Litmanovich watched that cycle for years, not at some mid-market company struggling with tooling, but at the Israel Defense Forces, running cloud security for one of the more demanding environments you can imagine. The team had budget, direct relationships with AWS, Azure, and GCP, and access to good tools. They still kept finding the same problems. That frustration is where Aryon Security started. The platform Ariel and his co-founders built intercepts cloud configurations before they reach production. If a resource is being deployed in a way that violates policy, it gets stopped at that stage — not discovered later, not added to a remediation queue. They came at this from the application security world, where shift-left has been standard practice for years, and applied the same logic to cloud infrastructure. The security controls move to where the decision is made, not where the damage shows up later. Ariel joins me on this episode of the TechSpective Podcast to talk about what that looks like in practice. We cover the friction organizations run into when they move from detection to enforcement — what it means for the engineer whose deployment just got blocked, how the exception process is supposed to work, and why those details determine whether a policy actually holds or quietly gets routed around. We also get into a specific challenge that rarely comes up in cloud security marketing material: what happens when developers have a legitimate reason to configure something outside the standard policy, and how Aryon handles that without creating a backdoor that undermines the whole approach. We talk about AI too. 
Ariel’s argument is that attackers using AI have compressed the window between a misconfiguration going live and it being exploited. He walks through what that means for detect-and-remediate as a primary strategy and why the timing math matters for cloud security decisions today. He also gets specific about where Aryon actually uses AI in the product versus where it does not. Aryon does not fit neatly into any existing analyst category, which can be a challenge for procurement. Budget gets allocated against categories defined by Forrester Waves and Gartner Magic Quadrants. When something does not have a pre-approved line item, buying decisions get complicated, regardless of whether the product solves the problem. He talks through what that friction looks like and mentions some 2026 market research that is relevant if you are actively making cloud security tooling decisions right now. If you work in cloud security and have ever looked at your remediation backlog wondering why the same issues keep cycling back through, this conversation is worth your time.
37 MIN
Remote Hiring Opened the Talent Pool — and the Fraud Surface
JUN 8, 2026
Before COVID forced everyone out of the office, hiring for most companies was a pretty localized exercise. You posted the job, you interviewed whoever could physically show up, and you picked someone. If you were based in a mid-sized city, you hired from a mid-sized city talent pool. Remote work changed that. Suddenly a company in Topeka, Kansas could interview candidates in Portland, Maine — or anywhere else. This meant more competition for good candidates. However, it also meant a dramatically better shot at actually finding the right person for the job. And depending on your market, the cost savings weren't trivial either. Most of the data suggested remote work was as productive as in-office work, sometimes more so. The case for keeping it was strong. A lot of companies made it permanent, or at least optional.

The Fraud Problem Nobody Planned For

But there's a problem that came along with all of that — one that didn't get much attention until recently. When you expand your hiring geography to anywhere with an internet connection, you also expand your exposure. As a result, you encounter applicants who are not who they claim to be. I'm not talking about resume padding. I mean organized fraud. That includes fake identities. There are people swapping out mid-interview so that the person who actually shows up on day one is not the person you interviewed. AI is being used in real time to answer technical questions the candidate doesn't actually know. And in some well-documented cases, state-sponsored actors — North Korean IT workers operating under false identities — get hired. These workers receive company laptops and exfiltrate data almost immediately. The FTC reported that US businesses lost a staggering amount to this kind of fraud in 2024. And that's not just the companies that hired someone fraudulent. A significant chunk of that is wasted time.
This includes the cost of running three, five, or seven interview rounds on a candidate who turns out to be fake, and having to start over. In this episode of the TechSpective Podcast, I talk with Den Jones, CEO and founder of 909Cyber, about a product he's been building to address exactly this problem. Den has spent 30 years in identity and zero trust — at Adobe, Cisco, and elsewhere. 909Shield applies that same thinking to the hiring process itself. This happens before a candidate ever gets to the first interview, before a company ships a laptop, and before access is provisioned.

More to the Conversation Than Just the Product

We get into how the fraud actually works — and it's more varied and more organized than most people realize. We also talk about what a solution looks like, the tradeoffs involved in verifying someone's identity across multiple touchpoints, and the data privacy questions that come with building a biometric trust layer for hiring. There are also some side conversations worth tuning in for. For example, whether it actually matters if an employee works for multiple companies simultaneously, as long as they're delivering. Also, whether using AI to answer interview questions should disqualify someone when employers are often mandating AI use once they're hired. And whether return-to-office mandates, at least in some cases, are partly a response to this fraud problem rather than the real estate economics most people assume. Den also traces how 909Shield came to exist — which did not start with a plan to build a remote hiring verification platform. It started with a passion project to help cybersecurity students find part-time work while they were still in school. Later, that evolved into a freelancer marketplace and then into a fraud-prevention product for remote hiring. This is its own story, and it's worth hearing him tell it. 909Shield is launching in mid-June.
Den is actively looking for design partners — companies doing meaningful hiring volume who want to help shape the product and lock in early pricing. If your organization does a significant amount of remote hiring, this conversation is worth your time. Check out the full episode on the TechSpective Podcast.
46 MIN
The AI Risk Blind Spot Most Organizations Don’t Know They Have
MAY 13, 2026
Most organizations believe they have a solid handle on their AI risk. According to a new report, that confidence may be misplaced. ArmorCode partnered with the Purplebook community to survey more than 650 cybersecurity leaders to produce the State of AI Risk Management 2026 report. The results reveal a disconnect that's hard to explain away. Nearly 90% of respondents said they had complete visibility into AI usage across their organizations. However, more than 60% of those same respondents said AI usage in their organizations is essentially ungoverned. These weren't different groups of people. Instead, it was the same respondents giving contradictory answers within the same survey. I talked with Mark Lambert, Chief Product Officer at ArmorCode, about what's behind that gap and what organizations can realistically do about it. This conversation took place on this episode of the TechSpective Podcast. Lambert wasn't surprised by the findings. The pressure organizations are under to capture productivity gains from AI is real. Normally, the instinct is to adopt now and figure out governance later. AI-assisted code generation is delivering meaningful output, and the business case is hard to argue with. However, the security implications are another matter. As Lambert explained, even if AI-generated code has half the vulnerability density of human-written code, a 4x productivity multiplier still nets out to more vulnerabilities reaching production. As a result, there are not fewer vulnerabilities. We also got into something I hadn't fully thought through before our conversation. Tools capable of discovering security flaws at a scale no human team could match are already here in limited form. Lambert described what he sees as a three-wave scenario for how this plays out — beginning with CVEs in critical infrastructure, moving to open-source vulnerabilities, and eventually reaching nation-state actors who've been capturing codebases for years. 
Now, these actors have the right tools to mine them for exploitable flaws. Most organizations are already struggling to keep up with patching. Additionally, the question of what happens when the volume of known vulnerabilities multiplies significantly is one that the industry doesn't have a good answer for yet. From there, we got into agentic AI, which is where the governance conversation gets complicated fast. I've been using the intern analogy a lot lately when talking about AI agents — you'd give them tasks, but you wouldn't hand them access to everything, and you'd review the output before it went anywhere it mattered. Lambert agreed with the framing. The problem, as I see it, is that the analogy breaks down at scale. Managing a handful of agents the way you'd supervise a new hire is workable. However, doing that with a hundred agents means the human review process becomes the bottleneck. Therefore, you've given back the efficiency gains you were after. Lambert and I worked through what governance actually looks like when agent deployments grow. This includes scoping agency based on business risk, making sure high-stakes decisions can be reversed, and building in the audit trail. He pointed to a fireside chat from RSAC. The question came up of whether two agents could theoretically handle Sarbanes-Oxley compliance between them. The concept highlights an important point about where the line between autonomous and human-reviewed needs to sit. The self-driving car comparison came up, too. The first time I used adaptive cruise control, I kept my foot next to the brake the whole time. I've since ridden in Waymos, where I would have been fine falling asleep. That trust didn't come from a product announcement — it came from watching the system handle real situations over time. Lambert made the point that the same logic applies to AI agents in enterprise environments, which I think is right. 
Consequently, the organizations that will do this well are the ones that build trust in their agents. Lambert tied all of this back to ArmorCode's focus on unified exposure management — pulling data from hundreds of sources, applying business context, and using AI to prioritize what actually needs attention rather than just generating more alerts. Watch or listen to the full episode for the complete conversation.
48 MIN
The Attack Surface Changed but the Fundamentals Didn’t
MAY 7, 2026
Every few years, something comes along that reshapes the threat landscape and sends the industry scrambling for new tools, new frameworks, and new buzzwords. The perimeter died. Then it came back. Endpoints became the priority. Now they're not the whole story. Identity is the new battleground. AI is changing everything. And yet, the more I talk to people who've spent decades in the trenches, the more I keep hearing the same thing: the fundamentals still work. We just stopped trusting them. I had that conversation recently with Will Ledesma, a cybersecurity veteran with over 25 years in the field and a current role at N-able. Will also serves as a cyber warrior in the U.S. Air Force — and as a fellow Air Force vet, I can say the service tends to instill a certain appreciation for doing things right the first time.

State of the SOC Report

We talked about what N-able's latest State of the SOC report actually shows about where attacks are coming from — and the answer probably isn't what you'd expect if you've been following the conventional wisdom around endpoint protection. The data points somewhere else, and Will does a good job of explaining why that shift makes sense when you look at what's been happening across the business world over the last few years. From there, the conversation moved into identity — not just the username-and-password kind, but the full scope of what "identity" means in a world where your network includes laptops, IoT devices, cloud workloads, software applications, and increasingly, AI agents running on behalf of your employees. If an attacker can own any one of those identities, a lot of your other defenses stop mattering. Companies are bringing in AI tools at a rapid pace, leaning on them to augment their workforce and drive efficiency. That's fine. But what happens when those systems become mission-critical, and someone decides to take them out?

Compliance and Security

We also got into something I've been saying for years about compliance.
Compliance and security aren't the same thing. You can check every box on a framework audit and still get breached — plenty of high-profile companies have proven that. The frameworks have value, but they're a floor, not a ceiling. And too many organizations treat them like the finish line. Will's framing for all of it comes back to defense in depth — a concept he learned early in his career and one that he argues is more relevant now, not less. The attack surface has expanded. The identities have multiplied. The stakes are higher. But the logic of layering your defenses, covering your fundamentals, and not betting everything on any one control? That hasn't changed. The episode is worth your time whether you're a practitioner, a leader trying to make sense of your security investments, or just someone trying to figure out what "cyber resilience" actually means when you strip away the marketing. Hint: it's bigger than cybersecurity.
28 MIN
What the Breach Reveals That the Budget Never Did
APR 30, 2026
There's a pattern that shows up in incident response work that nobody talks about in the vendor briefings. You bring in forensics after something goes wrong, and somewhere in that process, you find a tool — already deployed, already licensed, sometimes running for years — that had the data to catch what happened. Nobody was looking at it. In some cases, it wasn't even turned on the right way. Max Henderson runs global digital forensics and incident response at Kroll. He's seen this enough that it's not a surprise anymore. That's part of what makes him a useful person to talk to about Kroll's new cyber resilience research. He’s not reading a survey and drawing conclusions. Instead, he's comparing it against what he actually finds on cases. I had him on the TechSpective Podcast, and we started where I always start with someone who's close to research like this: not the findings, but what surprised him. His answer goes somewhere I didn't expect, and it reframes a lot of what follows. It's not about a specific attack type or a new threat category. Rather, it's about a structural problem in how organizations think about security investment. This is one that keeps showing up regardless of how much they've spent. The report itself covers 1,000 decision-makers across 10 countries. The headline numbers are familiar in their frustration — 94% treat cybersecurity as a top risk, budgets are up, nearly everyone has an incident response plan. And yet 72% still report misalignment between security priorities and business decisions. That gap has a real explanation. Max gives it one that makes more sense than the usual "leadership doesn't get it" framing. We spent some time on the confidence problem. Organizations consistently overestimate their readiness — not because they're being dishonest, but because of how the question gets asked internally and who's answering it. 
The gap between saying you can quantify cyber risk and actually being able to do it when something happens is significant. Max has watched that gap reveal itself in real time during incidents. This happens in rooms with executives who are hearing for the first time how long they might be down. The speed problem isn't getting better. Kroll's data on outbreak times is uncomfortable, and the percentage of organizations that feel equipped to respond within that window is even more uncomfortable. AI is part of why timelines are compressing — but not in the way most people fixate on. The most effective attacks Max is seeing right now don't involve sophisticated AI-enhanced exploits. Instead, they involve someone picking up the phone. The gap between where organizations focus their security investment and where they're actually getting hit is one of the more consistent findings across Kroll's casework. The AI discussion goes a few directions. There's the attacker side, which is getting more attention. But there's also what happens when organizations build out powerful AI infrastructure internally. What that looks like as a target is important, too. Max made a point about MCP servers specifically that I hadn't heard framed that way before — the security risk isn't necessarily about abusing the AI itself, it's about what you've handed to whoever can get onto that system. There's also a thread on agentic AI and the forensic problems it creates. I think that is going to become a much bigger conversation. I asked him at the end where he'd tell an organization to start. One priority, 80% of the way there. The answer connects back to where we opened. Full episode on YouTube and wherever you get podcasts.
44 MIN