Episode 191: GenAI Misuse for Physical Threat Planning

Episode 191: GenAI Misuse for Physical Threat Planning

In episode 191 of Cybersecurity Where You Are, Sean Atkinson sits down with Sasha Elvenaes, Sr. Multidimensional Threat Analyst at the Center for Internet Security® (CIS®), and Rian Davis, Multidimensional Threat Analyst at CIS. Together, they discuss how threat actors are misusing generative artificial intelligence (GenAI) to plan physical threats. Here are some highlights from our episode: * 00:40. Introductions to Sasha, Rian, and their research on GenAI misuse * 01:56. The impact of GenAI on lowering the barrier for operationalizing physical threat activity * 03:37. Exploitation of GenAI model design to circumvent models' guardrails * 05:58. The misuse of session persistence to streamline physical threat research * 07:57. GenAI misuse: A call for critical infrastructure operators to think about security differently * 11:52. Factors that make large-scale events a target of physical threat activity * 14:33. The use of GenAI as a strategy for organizations to see what threat actors could see * 15:37. Ongoing question: How can drones help mitigate risks while protecting public safety? * 17:13. Extrapolation as a reinforcement of GenAI session persistence * 20:15. The new reality: Look at what information AI can provide to threat actors * 25:01. Traditional methods vs. GenAI conversations for threat planning * 27:58. Continuous vulnerability assessments, communication, and other recommendations Resources * An Examination of Generative AI and Physical Threat Planning [https://www.cisecurity.org/insights/white-papers/an-examination-of-generative-ai-and-physical-threat-planning?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast] * An Examination of AI-Enabled Threats to Event and Stadium Security [https://www.cisecurity.org/insights/white-papers/an-examination-of-ai-enabled-threats-to-event-and-stadium-security?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast] * Multidimensional Threats [https://www.cisecurity.org/topics/multidimensional-threats?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast] * Man who exploded Cybertruck in Las Vegas used ChatGPT in planning, police say [https://www.npr.org/2025/01/07/nx-s1-5251611/cybertruck-explosion-las-vegas-chatgpt-ai] * Episode 190: Separating Mythos AI Fact from Fiction [https://www.cisecurity.org/insights/podcast/episode-190-separating-mythos-ai-fact-from-fiction?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast] * Episode 185: AI Prompt Injection from a Risk Perspective [https://www.cisecurity.org/insights/podcast/episode-185-ai-prompt-injection-from-a-risk-perspective?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast] * 5 Steps to Help Secure Your City before a Large-Scale Event [https://www.cisecurity.org/insights/blog/5-steps-to-help-secure-your-city-before-a-large-scale-event?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast] * Unmanned Aircraft Systems (UAS): Evolving Risks to Large-Scale Public Gatherings [https://www.cisecurity.org/insights/white-papers/uas-evolving-risks-to-large-scale-public-gatherings?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast] * 8 Security Essentials for Managing Your Online Presence [https://www.cisecurity.org/insights/blog/8-security-essentials-for-managing-your-online-presence?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast] * Vulnerability Assessments [https://www.cisecurity.org/services/vulnerability-assessments?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_191-0610_podcast] If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org [podcast@cisecurity.org].

Episode 190: Separating Mythos AI Fact from Fiction

In episode 190 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager sit down with Brian Calkin [https://www.linkedin.com/in/brian-calkin], Chief Technology and Innovation Officer at the Center for Internet Security® (CIS®). Together, they separate fact from fiction around artificial intelligence (AI) capabilities like Mythos AI and other AI-driven vulnerability discovery tools. Here are some highlights from our episode: * 00:50. Greetings to Brian and setting the stage for questions from a CIS webinar * 03:05. The lack of a unified formula or standard for vulnerability prioritization * 03:55. The opportunity for defenders to interrupt vulnerabilities chained together * 05:47. An invitation to better understand your enterprise amid the "slopdemic" * 06:33. How AI guardrails tie back into security best practices * 10:15. How a fundamental practice we can refine is the best counter to chained attacks * 12:25. The value of the CIS Community Defense Model and a teaser for Version 3 * 14:50. Mythos AI vs. Static Application Security Testing (SAST) in terms of practice and time * 19:08. Visibility, governance, and prioritization: Three elements of a "prepared" environment * 24:32. "One to one" cyber defense as a losing battle * 27:25. The importance of knowing your dependencies with open-source software * 33:15. Threat actor economics and the ongoing debate around responsibility in cybersecurity Resources * Mythos AI: What Actually Matters for Cybersecurity Leaders [https://www.cisecurity.org/insights/blog/mythos-ai-what-actually-matters-for-cybersecurity-leaders?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast] * Secure by Design [https://www.cisecurity.org/topics/secure-by-design?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast] * CIS Critical Security Controls® [https://www.cisecurity.org/controls?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast] * CIS Community Defense Model 2.0 [https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast] * Episode 185: AI Prompt Injection from a Risk Perspective [https://www.cisecurity.org/insights/podcast/episode-185-ai-prompt-injection-from-a-risk-perspective?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast] * Living off the Land: Threats Looming From Within [https://www.cisecurity.org/insights/blog/living-off-the-land-threats-looming-from-within?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast] * Turn Intel Into Action: CIS Controls and the 2026 Verizon DBIR [https://www.cisecurity.org/insights/webinar/turn-intel-into-action-cis-controls-and-the-2026-verizon-dbir?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast] * Implementation Guide for Small- and Medium-Sized Enterprises CIS Controls IG1 [https://www.cisecurity.org/insights/white-papers/implementation-guide-for-small-and-medium-sized-enterprises-cis-controls-ig1?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast] * Information Technology and Information Security Governance [https://www.cisecurity.org/insights/white-papers/information-technology-and-information-security-governance?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_190-0603_podcast] If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org [podcast@cisecurity.org].

Episode 189: The Present and Future of AI-enabled Pentesting

In episode 189 of Cybersecurity Where You Are, Sean Atkinson sits down with Ed Skoudis [https://www.linkedin.com/in/edskoudis], President of SANS Technology Institute. Together, they discuss the present and future of pentesting enabled by artificial intelligence (AI). Here are some highlights from our episode: * 00:39. Introductions to Ed * 01:49. The promise of AI-enabled pentesting in creating more secure infrastructure * 04:52. AI-enabled and AI-centric workflows in the realm of penetration testing * 08:03. Wranglers, matadors, and centaurs, oh my! Metaphors for AI-enabled pentesters * 13:00. How AI can assist with reporting, enumeration, and scanning as part of a pentest * 14:57. AI-enabled source-assisted pentesting and the types of vulnerabilities it finds * 19:50. A learning opportunity for the broader cybersecurity community * 23:44. How AI and human analysts could split the workload in a future penetration test * 25:54. AI-enabled pentesting vs. AI pentester in a box * 29:51. Why "human in the loop" might be too passive a phrase * 30:37. The use of AI for source code development Resources * Mythos AI: What Actually Matters for Cybersecurity Leaders [https://www.cisecurity.org/insights/blog/mythos-ai-what-actually-matters-for-cybersecurity-leaders?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_189-0527_podcast] * Secure by Design [https://www.cisecurity.org/topics/secure-by-design?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_189-0527_podcast] * SEC543: AI-Assisted Source Code Analysis and Exploitation for Penetration Testers [https://www.sans.org/cyber-security-courses/ai-source-code-analysis-exploitation-pentesters] * Episode 108: Gaming and Competition in Cybersecurity [https://www.cisecurity.org/insights/podcast/episode-108-gaming-and-competition-in-cybersecurity?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_189-0527_podcast] * Episode 59: Probing the Modern Role of the Pentest [https://www.cisecurity.org/insights/podcast/episode-59-probing-the-modern-role-of-the-pentest?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_189-0527_podcast] If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org [podcast@cisecurity.org].

Episode 188: DBIR 2026 Insights and Collaboration with CIS

In episode 188 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager sit down with Philippe "Phil" Langlois [https://www.linkedin.com/in/infosec-philippe-langlois], Data Breach Investigations Report (DBIR) Author at Verizon; and Charity Otwell [https://www.linkedin.com/in/charity-otwell], Director of the CIS Critical Security Controls® (CIS Controls®) at the Center for Internet Security® (CIS®). Together, they discuss some of the top insights of the 2026 DBIR and how CIS contributed to the publication. Here are some highlights from our episode: * 00:50. Introductions to Phil and Charity * 02:46. Vulnerability exploitation as the most common attack vector * 05:25. The role of artificial intelligence (AI) in threat actors' natural system thinking * 07:03. The need for clear governance and responsibility around vulnerability management * 08:58. Insight into the types of techniques threat actors research using frontier AI models * 13:43. A trending drop in ransomware payouts and organizations willing to pay attackers * 14:59. Why a healthy dose of distrust goes a long way in assessing attackers' claims of victims * 16:24. How two ransomware groups stand out above the norm * 17:49. The ongoing risk surrounding vendor, supplier, and other third party exposure * 22:34. The need for governance in managing data issues involving the use of AI * 27:14. Three ways in which CIS contributed to the 2026 DBIR * 34:02. How the 2026 DBIR informs the CIS Controls and parting actionable steps Resources * 2026 Data Breach Investigations Report [https://www.verizon.com/business/resources/reports/dbir/] * CIS Critical Security Controls® [https://www.cisecurity.org/controls?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast] * Episode 87: Marking 11 Years as a Verizon DBIR Contributor [https://www.cisecurity.org/insights/podcast/episode-87-marking-11-years-as-a-verizon-dbir-contributor?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast] * Mythos AI: What Actually Matters for Cybersecurity Leaders [https://www.cisecurity.org/insights/blog/mythos-ai-what-actually-matters-for-cybersecurity-leaders?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast] * Applying the CIS Controls to Real‑World AI Environments [https://www.cisecurity.org/insights/blog/applying-controls-real-world-ai-environments?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast] * CIS Community Defense Model 2.0 [https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast] * The Conti Leaks: A Case of Cybercrime’s Commercialization [https://www.cisecurity.org/insights/blog/the-conti-leaks-a-case-of-cybercrimes-commercialization?utm_source=cwya&utm_medium=audio&utm_campaign=cis&utm_content=26-cis-episode_188-0520_podcast] If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org [podcast@cisecurity.org].

Episode 187: The Role of a CISO as a Strategic Storyteller

In episode 187 of Cybersecurity Where You Are, Sean Atkinson and Tony Sager discuss how the role of a CISO functions as a strategic storyteller of cyber risk while keeping the bigger picture in mind. Here are some highlights from our episode: * 00:51. Framing the conversation around CISOs' efforts to communicate with the business * 02:01. Translation: A nuanced practice of simplifying the story while still telling the truth * 02:41. The need for a CISO to bridge their organization's respective "culture gap(s)" * 04:13. Collaborative and dictatorial: Two different ways CISOs talk to a business * 06:07. The work of translation in motivating and informing action around perceived risk * 07:03. Security sampling: A story from Tony that reminds CISOs of the bigger picture * 09:55. Fewer wizards and more mechanics: What the cybersecurity industry needs today * 12:20. Two factors to consider: Politicking and the need to provide an accessible narrative * 15:49. Rapport and tradecraft as two critical tools supporting the role of a CISO * 18:09. Technical competence as a prerequisite for confidence in risk conversations * 19:20. The false sense of security from relying on comparative data with competitors * 22:14. The CISO as a strategic storyteller who helps the business make decisions * 27:03. The need for machinery to constantly rediscover and recreate trust * 30:15. A call to action for Boards: Build vernacular in cybersecurity risk space * 35:03. CISO as a strategic storyteller vs. CISO as an enforcer Resources * CIS Critical Security Controls® [https://www.cisecurity.org/controls?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_187-0513_podcast-rep_tl] * CIS Community Defense Model 2.0 [https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_187-0513_podcast-rep_tl] * Episode 183: The Role of CISO in Supporting Risk Translation [https://www.cisecurity.org/insights/podcast/episode-183-the-role-of-ciso-in-supporting-risk-translation?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_187-0513_podcast-rep_tl] * Episode 166: Foundations of Actuarial Science in Cyber Risk [https://www.cisecurity.org/insights/podcast/episode-166-foundations-of-actuarial-science-in-cyber-risk?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_187-0513_podcast-rep_tl] * Episode 121: The Economics of Cybersecurity Decision-Making [https://www.cisecurity.org/insights/podcast/episode-121-the-economics-of-cybersecurity-decision-making?utm_source=cwya&utm_campaign=cis&utm_medium=audio&utm_term=rep_tl&utm_content=26-cis-episode_187-0513_podcast-rep_tl] * NICE Workforce Framework for Cybersecurity (NICE Framework) [https://www.nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center/nice-framework-current-versions] If you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org [podcast@cisecurity.org].