Episode 23: Nobody read the report

Episode 24: 2 Years, 24 Episodes & The State of Security in the Age of AI

In this episode, we celebrate our 2nd anniversary and Episode 24 of Distilled Security! We cover the Vercel breach, how a Roblox script led to compromised Google Workspace credentials via an unauthorized OAuth connection. Then we dive into HackerOne, pausing their own bug bounty program, overwhelmed by low-quality, AI-generated submissions. And we close out with the State of Vibe-Coded Security—4,783 AI-assisted apps scanned, 727 critical issues found, and the real question: are you vibe coding or vibe deploying? Plus, a quick look at Claude for Security dropping into public beta and what that means for the industry. All of that, and we crack open a Peerless Double Oak to toast two years of Distilled Security. 🥃 ⏱️ TIMESTAMPS: 00:00 – Intro & 2-Year Anniversary 🎉 01:26 – Behind the Scenes & Favorite Moments 08:26 – Podcast Metrics & Global Reach 24:20 – BSides Pittsburgh 2025 Update 🛡️ 34:31 – The Vercel Breach & OAuth Risk 58:57 – HackerOne Pauses Bug Bounty 1:16:05 – Spirit: Peerless Double Oak 🥃 1:20:27 – Vibe Coding vs. Vibe Deploying 1:26:46 – Claude for Security & AI News 1:41:27 – Cheers to Two Years! 🥃 🎙️ Hosts Justin Leapline – @justinleapline Joe Wynn – @wynnjoe Rick Yocum – @rickyocum 📬 Send Us Your Questions! ask@distilledsecuritypodcast.com 🌐 Connect with Us Website: distilledsecuritypodcast.com X: @DisSecPod Email: hello@distilledsecuritypodcast.com 👍 Like, comment, and subscribe for monthly security and compliance insights

Episode 23: Nobody read the report

In this episode of the Distilled Security Podcast, we break down the Delve scandal—flawed SOC 2 reports, copy-pasted content, and oversight failures that expose deeper issues in compliance-as-a-service. Joined by Matthew J. Schiavone, we examine auditor accountability, quality review gaps, and key differences between SOC 2 and ISO 27001. We also cover what companies should demand from auditors, the role of automation, and whether this scandal will drive real change in the industry.  Topics Covered * The Delve scandal—leaked reports, copy-pasted audits & pervasive deficiencies * The AICPA peer review process & AC Corp's adverse findings * SOC 2 vs ISO 27001—oversight models, witness audits & accreditation * The incentive structure driving compliance to the bottom * Compliance automation — what works, what doesn't & AI's real role * What to ask your auditor before signing anything * Trust centers — done right vs. compliance theater * Is SOC 2 dead? What needs to change & who has to change it Hosts * Justin Leapline – @justinleapline * Joe Wynn – @wynnjoe * Rick Yocum – @rickyocum Hosts * Matthew J. Schiavone - (Sikich)  Connect with Us * Website: distilledsecuritypodcast.com * X:  @DisSecPod * Email: hello@distilledsecuritypodcast.com

Episode 22: Is AI Good for Security, CIRCIA Starts the Clock, and the M&A Problem Nobody's Talking About

In this episode of the Distilled Security Podcast, we tackle four topics shaping the cybersecurity landscape — from AI's real impact on defense to a wave of regulatory and market changes every security team needs to be tracking. 🔹 Is AI Good for Security? — Anthropic's model finding hundreds of zero days, stock market panic after Claude Code's launch (CrowdStrike down 11%), the "hard things easy, easy things hard" reality of AI, why human-out-of-the-loop isn't ready yet, the coming spike in vulnerability disclosures, and how defenders should be using AI for better hygiene 🔹 CIRCIA Final Rule (May 2026) — The federal incident reporting law hitting critical infrastructure, 72-hour incident and 24-hour ransom payment notification clocks, how "substantial cyber incident" triggers differ from materiality, mid-market companies falling in scope, overlapping timelines with HIPAA/SEC/state breach laws, and building your incident response playbook now 🔹 Protecting Yourself Against a Changing Compliance Landscape — CMMC Phase 2, HIPAA overhaul, CCPA audits all converging, why a unified security program beats framework-by-framework chasing, evidence over policy in audits, engineering continuous compliance through automation, and the reality of doing this without dedicated staff 🔹 Cybersecurity M&A / Consolidation Problem — Google acquiring Wiz for $32B, 10% of the cybersecurity industry changing hands, operational benefits of fewer vendors vs. pricing pressure and talent drain, the OneTrust "sticker on the side" integration warning, Cisco's Startup Studios model, and why consolidation only works if they don't break what made the acquisition special 🥃 Spirit Review: WhistlePig 12 Year Old World Rye PA Fine Wine & Good Spirits Select — Finished in Madeira, Sauternes & Port barrels, 86 proof https://www.whistlepigwhiskey.com/ 📬 Send Us Your Questions! ask@distilledsecuritypodcast.com 🎙️ Hosts Justin Leapline – @justinleapline Joe Wynn – @wynnjoe Rick Yocum – @rickyocum 🌐 Connect with Us Website: distilledsecuritypodcast.com X: @DisSecPod Email: hello@distilledsecuritypodcast.com 👍 Like, comment, and subscribe for weekly security and compliance insights.

Episode 21: AI Notetakers Are Illegal, GRC Tools Are Lying, and ISO 42001 Changes Everything

In this episode of the Distilled Security Podcast, we break down three converging forces reshaping how organizations manage AI risk — and what you need to do about it now. 🔹 BIPA + AI Notetakers — A class action lawsuit exposes unauthorized biometric data collection, why a single Illinois meeting participant creates liability, the Shopify wiretapping dismissal, and the steps you should take today to audit your AI tools 🔹 GRC Engineering Meets AI — Real AI compliance tools vs. vaporware, using LLMs for policy drafting and control mapping, the hallucination accountability problem, building AI guardrails as code, and the NIST RFI on AI Agent Security (comments due March 9, 2026) 🔹 ISO 42001 Deep Dive — The first AI Management System standard, how it differs from ISO 27001, AI Impact Assessments vs. traditional risk assessments, stakeholder engagement requirements, and why certification is becoming essential for EU AI Act compliance 🥃 Spirit Review: Redbreast 12 Cask Strength https://www.redbreastwhiskey.com/en-us/whiskey-collections/redbreast-cask-strength-whiskey/ ⏱️ Timestamps 0:00 Intro & Episode Overview 2:04 BIPA & AI Notetakers 25:08 GRC Engineering Meets AI 1:07:15 🥃 Spirit Review: Redbreast 12 Cask Strength (Irish Whiskey) 1:11:17 ISO 42001 1:49:30 Outro & wrap-up 🎙️ Hosts Justin Leapline – @justinleapline Joe Wynn – @wynnjoe Rick Yocum – @rickyocum 🌐 Connect with Us Website: distilledsecuritypodcast.com X: @DisSecPod Email: hello@distilledsecuritypodcast.com 👍 Like, comment, and subscribe for weekly security and compliance insights.

Episode 20 : 2026 Kickoff: Security Resolutions, Key Deadlines, and Don’t Mislead the Feds

In the first episode of 2026, the Distilled Security team kicks off the year with a practical discussion on security priorities, key compliance dates to watch in 2026, and why misleading the government on cybersecurity compliance can have serious consequences. The conversation focuses on simplifying security programs, returning to core fundamentals, and learning from real-world enforcement and regulatory cases. The episode closes with a holiday pour and a preview of format changes coming next. ⏱️ Timestamps * 0:00 Intro & episode overview * 0:33 2026 security resolutions: simplify & back to basics * 5:45 “Science projects”: removing emotion from decisions * 8:36 Justin’s goals: family, travel, business & AI workflows * 17:52 EOS + Atomic Habits workbook (goal planning) * 23:54 Key compliance dates to watch in 2026 * 31:45 California privacy updates & risk assessments (CCPA) * 35:39 EU AI Act + NIS2 enforcement ramp-up * 42:48 Drink break: High West “A Midwinter Night’s Dram.” * 45:04 Don’t mislead the feds: FedRAMP, SolarWinds, CMMC—wrap-up to 1:20:12  🎙️ Hosts * Justin Leapline – @justinleapline * Joe Wynn – @wynnjoe * Rick Yocum – @rickyocum 🌐 Connect with Us * Website: distilledsecuritypodcast.com * X:  @DisSecPod * Email: hello@distilledsecuritypodcast.com 🥃 Drink of the episode: High West A Midwinter Night’s Dram