
Before The Commit

Podcast by Danny Gershman, Dustin Hilgaertner

English

Science & Technology


More about Before The Commit

AI is writing your code. Who's watching the AI? Before The Commit explores AI coding security, emerging threats, and the trends reshaping software development. Hosts Danny Gershman and Dustin Hilgaertner break down threat models, prompt injection, shadow AI, and practical defenses — drawing from experience across defense, fintech, and enterprise environments. Companion to the book Before The Commit: Securing AI in the Age of Autonomous Code. No hype, just tactical insight for developers, security engineers, and leaders building in the AI era.

All episodes

31 episodes


Episode 31: Sam Kassoumeh, Co-Founder @ SecurityScorecard

The conversation covers the topics of AI security gateways, SaaS-based companies, AI in coding, the evolution of Security Scorecard, and the impact of AI on threat intelligence data. The conversation delves into the transformative impact of AI and Threat Intel on data analysis, product development, and organizational workflows. It explores the exponential growth in interconnectivity and observation data, the value of net flow data when run through models, and the automation of manual tasks in identifying and cross-correlating data sets. The intersection of AI and Threat Intel is redefining the assessment process, transforming workflows, and changing the roles and responsibilities within organizations.

Takeaways

  • AI security gateways are a hot commodity in the security space.
  • SaaS companies are doing more with less, leveraging AI and automation.
  • AI is changing the way coding is done, reducing the need for human intervention.
  • Security Scorecard was founded to address the growing dependency on supply chain partners and third parties.
  • AI has revolutionized threat intelligence data, uncovering deeper insights and network connections.
  • Exponential growth in interconnectivity and observation data
  • Value of net flow data when run through models
  • Redefining the assessment process and transforming workflows

Chapters

  • 00:00 AI Security Gateways in the Security Space
  • 07:35 AI's Impact on Coding and Automation
  • 28:44 AI's Impact on Threat Intelligence Data
  • 34:31 Value of Net Flow Data When Run Through Models

Yesterday - 1 h 4 min

Episode 30: Steve Thomas, CEO @ HackNotice

The podcast episode features Steve Thomas, CEO of Hack Notice, discussing the evolving landscape of AI in cybersecurity and its broader impact.

**AI's Disruption and Industry Parallels:** The conversation begins by drawing parallels between AI's impact and the software engineering industry. Just as AI didn't replace engineers but amplified their productivity, it's expected to do the same in other sectors. The legal industry, for instance, is seeing disruption from AI tools like Claude, potentially lowering costs and increasing accessibility. This shift is moving pricing from billable hours to value-based models, a trend observed in SaaS development where traditional seat-based pricing is becoming obsolete with the rise of AI agents.

**Threat Intelligence and Hack Notice's Approach:** Steve Thomas shares his experience founding Pwnlist, a pioneer in breach monitoring, highlighting his focus on addressing "hated problems" in cybersecurity. Hack Notice, his current venture, tackles third-party risk by applying a threat-informed approach, analyzing data from hacker forums and credential leaks to provide an adversary's perspective on vendor vulnerabilities. This contrasts with traditional cyber hygiene metrics, focusing instead on the operational tactics of threat actors.

**AI's Role in Cybercrime:** The discussion delves into how AI is accelerating cyber threats. AI is enabling more sophisticated and personalized attacks, such as spear-phishing, and potentially improving vulnerability discovery. The rise of info-stealer malware, which rapidly harvests credentials, API keys, and browser data, is a significant concern. This malware's efficiency and the increasing volume of stolen data, particularly AI-related credentials, pose a substantial risk.

**Security Implications and CISOs' Concerns:** While CISOs are aware of AI's dual role as both a tool for defense and a weapon for attackers, their immediate focus is often on leveraging AI for efficiency and productivity rather than solely on its security risks. The rapid proliferation of AI tools, including potentially insecure open-source models and cloud-based services, creates a challenging environment. The lack of robust data governance for AI usage by employees is a significant concern, as this data can reveal intent and potentially lead to legal or security breaches.

**The Future of AI in Cybersecurity:** Steve emphasizes that the AI landscape is volatile, with rapid advancements and market shifts. He believes that companies with deep domain expertise and a focus on building reliable, guard-railed AI solutions will succeed. The traditional models of threat intelligence reporting are becoming obsolete, needing to be machine- and AI-readable. He advises CISOs to focus on the basics of cybersecurity, understand their adversaries, and carefully manage AI integration, particularly by avoiding direct access to production environments for AI systems. The key takeaway is that AI is an accelerator, making both offensive and defensive capabilities more potent, and thus underscoring the need for robust, AI-informed security strategies.

12 May 2026 - 59 min

Episode 29: Agentgateway and Portkey

Here's a summary of the video transcript: The podcast episode covers several key topics related to AI and technology.

**SpaceX Acquires Cursor:** A significant portion of the discussion revolves around SpaceX's potential acquisition of Cursor, an AI-powered code editor. The deal is valued at $60 billion, highlighting the increasing value placed on AI and software development tools. The merger of XAI (Elon Musk's AI company) into SpaceX is explained as the entity behind this acquisition. This move is seen as SpaceX's strategy to bolster its AI capabilities, particularly in coding, by acquiring Cursor's technology and talent. The acquisition is also discussed in the context of existing AI coding tools like Claude Code and OpenAI's Codex.

**The Value of Software and Talent:** The high valuation of Cursor, a company that emerged recently, underscores the immense value of software and the engineering talent behind it. The discussion touches on the idea of "acqui-hiring," where companies acquire others primarily for their skilled workforce. The $60 billion figure is considered substantial, even for an "acqui-hire," emphasizing the scarcity and importance of specialized AI and software engineering talent.

**AI Gateways: Portkey and Agent Gateway:** The "Tool of the Week" segment delves into AI gateways.

  • **Agent Gateway (Solo AI):** This solution is described as a Kubernetes-based orchestration tool for managing AI agents. It focuses on providing governance, policies, and routing rules for containerized AI agents within a Kubernetes cluster, integrating with tools like Istio. It's positioned as an "AI governance" solution for managing inter-agent communication.
  • **Portkey:** This is presented as a SaaS-based AI gateway that acts as a proxy server. It offers features like user management, analytics, logging, and a robust system for managing API keys, prompts, and guardrails. A unique aspect highlighted is Portkey's ability to manage prompts and their versioning outside of application code, enabling A/B testing and easier modification of AI behavior without code changes. It also supports agent integration via the A2A protocol.

**AI's Impact on the Workforce and Layoffs:** The podcast discusses the broader implications of AI on employment. Snap's recent layoff of 1,000 employees is cited, with the CEO attributing it to AI taking over a significant portion of coding tasks (over 65%). This sparks a discussion on whether these layoffs are due to overhiring or a genuine shift in required skills, suggesting that companies are adapting to AI's capabilities by seeking new types of talent or upskilling existing employees. The trend is seen as a leading indicator for other industries, implying a future where AI augmentation or replacement of roles will become more common across various departments, not just engineering.

**AI and Copyright Concerns:** A significant legal development is discussed: Anthropic's argument before a federal judge that training its AI models on copyrighted song lyrics constitutes "transformative fair use." This case is seen as setting important legal precedents for the entire AI industry regarding the use of copyrighted data for training. The discussion touches on the vast scale of data used in AI training, the immense potential copyright infringement damages, and the practical challenges of enforcing these laws in the AI era. The analogy is made between how humans learn from creative works and how AI models are trained, raising questions about the future of intellectual property in the age of AI.

23 Apr 2026 - 59 min

Episode 28: Cloudflare AI Gateway

The video discusses several key topics related to AI and its impact on the tech industry.

Firstly, it delves into Anthropic's "Mythos" model and "Project Glasswing." The speaker expresses skepticism about the hyped claims surrounding Mythos, suggesting that the limited release might be due to resource constraints (GPU availability) rather than its groundbreaking capabilities. The speaker draws parallels to Anthropic's past PR strategies, citing the "blackmailed engineer" story as an example of manufactured hype.

Secondly, the video addresses the perceived "nerfing" of Anthropic's Claude Code. The speaker details a series of changes, including the introduction of "adaptive thinking," a reduction in default "effort" settings from high to medium, and the removal of visible "thinking" logs from the UI. These changes, while potentially offering cost savings for Anthropic, have led to performance degradation for users, particularly those engaging in complex tasks. The speaker notes that while these changes can be reverted manually, the opt-out nature and the timing of these updates are concerning.

Thirdly, the discussion shifts to Cloudflare's AI Gateway. The speaker highlights its features, including virtual gateways with unique hashes for custom rules, compatibility with various SDKs (OpenAI, Anthropic), and logging capabilities. A key aspect is Cloudflare's use of Llama for processing "guardrails," which are implemented for content moderation (e.g., blocking defamation or political content). The speaker also notes the limitations of these guardrails, such as the lack of regex support for sensitive data like API keys, suggesting the gateway is more suited for corporate chatbots than coding environments. The caching, rate limiting, and alias features for API keys are also discussed as beneficial for managing AI access.

Finally, the video touches upon the impact of AI on junior engineers. Statistics are presented indicating a decline in "programmer" job postings, contrasting with a smaller drop in "software developer" roles. The speaker suggests a shift from task-based junior roles to more AI-centric orchestration of agents. The speaker predicts a future shortage of software engineers, with companies increasingly needing junior engineers to manage AI systems, thereby elevating the importance of mentorship in AI agent management. The video concludes with a broader discussion on how AI is transforming various careers and the need for educational institutions to adapt their curricula to include AI proficiency. The overall sentiment is that while AI adoption presents challenges, it also creates significant opportunities for those who embrace it.

15 Apr 2026 - 1 h 4 min

Episode 27: CMUX and Crow

The video discusses recent developments and challenges in the AI landscape, focusing on Anthropic's Claude and its evolving pricing and usage policies. The conversation highlights concerns about the sustainability of the AI model market, with predictions of a potential bubble burst due to overvaluation and the difficulty of monetizing models directly.

A significant portion of the discussion revolves around Anthropic's changes to Claude's pricing, moving away from commoditized pricing towards pay-per-use API keys. This shift has led users to seek cheaper alternatives and has impacted tools like Open Claw, which previously leveraged Claude's more accessible pricing. Anthropic's attempts to enforce usage policies, including blocking Open Claw via system prompts, are examined. The video also touches upon the potential reasons behind these changes, such as GPU constraints and Anthropic's need to manage costs.

The leak of Anthropic's source code is discussed as a potentially significant event, raising questions about the long-term impact on the company's competitive advantage, given that Claude Code was considered a key differentiator.

The conversation then shifts to a more technical aspect, with a detailed explanation of the evolution of developer workflows using AI coding assistants. This includes the progression from simple copy-pasting to the use of tools like Cursor and eventually CMUX for managing multiple coding projects and workflows. The limitations of generic tools like CMUX lead to the development of a new application called "Crow," designed to orchestrate AI agents, manage tasks, and integrate with development tools like GitHub. Crow aims to provide a more integrated and efficient workflow for developers working with AI assistants.

A significant portion of the video delves into the security implications of LLMs, particularly focusing on prompt injection attacks and how malicious actors can exploit AI agents. The concept of an "Agent Commander Command and Control" server is introduced, demonstrating how AI agents like Open Claw can be hijacked through crafted prompts embedded in emails, documents, or web pages. The discussion draws parallels between these AI vulnerabilities and traditional social engineering tactics, emphasizing the need for robust security measures like prompt sandboxing, allow lists, and restricted access privileges. The importance of securing AI deployments, especially those exposed to external input, is stressed, with the analogy of internal vs. externally accessible employees highlighting the differing security considerations.

Finally, the video touches upon the broader economic and resource implications of AI growth. The impact of geopolitical events, such as the conflict in Iran, on oil prices and, consequently, on the energy costs required to power data centers and AI computations is discussed. This leads to a reflection on resource constraints, including rare earth minerals and energy, as potential limiting factors for AI development in the coming decade. The innovative approaches of companies like Tesla and SpaceX in addressing these resource challenges, through battery technology, distributed data centers, and space-based infrastructure, are highlighted as potential solutions. The conversation concludes by acknowledging the escalating demand for AI services and the potential for increased costs due to these supply-side pressures.

7 Apr 2026 - 1 h 15 min