Coffee, Chaos and ProdSec

Ep 43 - Anthropic Said Fable 5 Was Too Dangerous Then Got Caught Lying

57 min · Yesterday

Description

🎙️ Coffee, Chaos and ProdSec [https://linktr.ee/coffeechaosprodsec], Ep 43 Anthropic spends months marketing Fable 5 as uniquely dangerous. The government believes them and shuts it down. Then Anthropic spends the next week explaining that actually, every other frontier model can do the same thing. This week Cameron and Kurt break down the Fable 5 and Mythos shutdown start to finish. The real timeline behind the export control directive, what the so-called jailbreak actually was (hint, someone asked it to fix a bug), and why the classifier that was supposed to stop misuse ended up blocking security researchers instead of attackers. From the Amazon phone call that kicked the whole thing off, to a full lineup of conspiracy theories ranging from corporate warfare to straight up bad luck, to the much bigger conversation underneath all of it about treating frontier AI models as a single point of failure in your supply chain, this episode covers what happens when marketing works exactly as intended and then backfires completely. If you've built workflows on a frontier model with no backup plan, this one's your wake up call. ☕ New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.


All episodes

44 episodes


Ep 43 - Anthropic Said Fable 5 Was Too Dangerous Then Got Caught Lying


Yesterday · 57 min

Ep 42 - Identity Sprawl, VulnOps, and Nine Domains Later - Part 2

🎙️ Coffee, Chaos and ProdSec [https://linktr.ee/coffeechaosprodsec], Ep 42 Five domains. One episode. No recaps for people who skipped Part 1. Cameron [https://www.linkedin.com/in/cameronww7] and Kurt [https://www.linkedin.com/in/kurthendle] close out the greenfield ProdSec build with Identity Security, Vulnerability Management, GRC, Product Security Incident Response, and AI Security. NHIs are outnumbering humans 40 to 1 and 78% of organizations have no formal policy for creating or removing AI identities. That is not a roadmap problem. That is a credential sprawl problem nobody has named yet. Kurt wants VulnOps to replace the four-team hot potato game everyone is currently playing with CVEs. Cameron wants a PSIR team before the first researcher email lands. Both of them find GRC boring and are not pretending otherwise. AI Security gets its own domain because embedding it anywhere else just means two domains without coverage. If you work in Product Security, DevSecOps, or Application Security and you have ever gotten a 516-page compliance document you definitely did not read, this one is for you. ☕ New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

17 June 2026 · 59 min

Ep 41 - No Budget, No Blueprint, No Lies - Building ProdSec From Scratch - Part 1

🎙️ Coffee, Chaos and ProdSec [https://linktr.ee/coffeechaosprodsec], Ep 41 DevSecOps is dead. Cameron [https://www.linkedin.com/in/cameronww7] said it. Kurt [https://www.linkedin.com/in/kurthendle] didn't fully disagree. And that's just the first five minutes. This week Cameron and Kurt kick off a two-part series on building a ProdSec program from scratch, no inherited tool sprawl, no political debt, just a greenfield mandate and nine domains to figure out. But before the org chart gets drawn, they set the stage with the agentic SDLC, because any program being built today is being built into a development environment that already broke the assumptions traditional AppSec was designed for. Part 1 covers four domains: AppSec and DevSecOps as a merged practitioner reality, Security Architecture as the upstream design function most teams only add after something goes wrong, and Cloud Security as the infrastructure layer nobody fully owns and everyone argues about, including a full WAF debate nobody asked for but everyone needed. If you work in Product Security, Application Security, or DevSecOps and you've ever been handed a blank org chart and told to figure it out, this one is the episode you didn't know you were waiting for. ☕ New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

10 June 2026 · 1 h 8 min

Ep 40 - GitHub Breach, Open Source Malware, Dev Machine Gold Mines ft. Paul McCarty and Jenn Gile

🎙️ Coffee, Chaos and ProdSec [https://linktr.ee/coffeechaosprodsec], Ep 40 Less than 5% of CVEs are actually exploitable. One hundred percent of malicious packages are bad by design. So why is your entire AppSec budget chasing the first problem? This week Cameron [https://www.linkedin.com/in/cameronww7] and Kurt [https://www.linkedin.com/in/kurthendle] bring on Paul McCarty and Jenn Gile, co-founders of OpenSourceMalware, to break down why the open source malware problem is structurally different from vulnerability management, why your EDR and SCA tooling weren't built for it, and why 78% of what OSM tracks has zero attribution because most threat actors aren't TeamPCP screaming for clout. They're quiet, they're patient, and they're already on your developer machines. From AI slop squatting and four to five net new info stealers per day, to credential-stuffed dev machines, non-deterministic agents bypassing guardrails, and DPRK making $2 billion while everyone watches TeamPCP, this one covers the threat class that most programs still don't have a budget line for. If you work in AppSec, DevSecOps, or Product Security and your malware response plan is "covered by SCA," this episode is going to be uncomfortable. ☕ New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

3 June 2026 · 1 h 4 min

Ep 39 - Governing AI Agents and NHIs - Identity Is the Control Plane Full Stop

🎙️ Coffee, Chaos and ProdSec [https://linktr.ee/coffeechaosprodsec], Ep 39 AI agents are in production. They have access. They're taking actions. And almost none of them have an owner. This week Cameron [https://www.linkedin.com/in/cameronww7] and Kurt [https://www.linkedin.com/in/kurthendle] come off a multi-day identity summit with a take they're both confident in: the industry is reaching for gateways, firewalls, and legacy IGA platforms to solve an AI security problem that is fundamentally an identity problem. None of those tools were built for agents and slapping an AI badge on them does not change that. From the three identity types debate that nobody has settled, to why access certification is a group therapy session waiting to happen, to why AI gateways are just firewalls with better marketing, this episode covers what identity governance for AI actually looks like when you strip out the vendor noise. If you work in Cybersecurity, Product Security, Application Security, or DevSecOps and you have ever nodded along when someone said guardrails without knowing what they meant, this one is for you. ☕ New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

27 May 2026 · 1 h 1 min