Full Metal Packet

Podcast by Control D

English

News & Politics

About Full Metal Packet

Full Metal Packet is the go-to podcast for security leaders who want the truth about what it takes to defend at scale. Hosted by Yegor and Alex, the founders of Windscribe (trusted by 90M+ people) and Control D, this show pulls back the curtain on how operators actually handle breach incidents, reduce noise, and prepare for the post-AI security world. Season 1 features CISOs, DFIR commanders, and security architects from SaaS, healthcare, government, and hospitality.

Each episode dives into:

  • Breach Incidents → the first 72 hours that define an outcome (de-identified and NDA-safe).
  • SecOps Therapy → the frictions nobody talks about: burnout, broken workflows, and the fixes that matter.
  • Security Futures → fresh perspectives on what’s underrated, overhyped, and coming next in a world reshaped by AI.

No vendor fluff - just operator-grade conversations that security professionals can apply immediately.

All episodes

9 episodes

EX-FBI Agent Breaks Down Breach Realities: Identity Is The New Malware

Devon Ackerman is the Global Head of Digital Forensics and Incident Response at Cyber Reason and a former FBI Supervisory Special Agent focused on counterintelligence and cyber investigations. He is also the author of Diving In: An Incident Responder's Journey and one of the most experienced breach investigators working today.

In this episode, Devon walks Alex and Yegor through exactly how modern intrusions unfold in the real world, from the first point of entry to full compromise, and what most organizations are still completely missing until the damage is done.

He explains:

  • Why attackers ditched malware and are stealing identities to hide inside normal user behavior
  • How one phone call to a help desk bypassed MFA and gave full network access without a single alert
  • Why phishing kits intercept your authentication token, not your password
  • Why hardware keys stop most kill chains cold and where that still breaks down
  • The four threat actor categories and why each one requires a different defensive response

Time Stamps:

  • (00:00) Devon Ackerman Introduction
  • (01:48) Why digital forensics and incident response belong together
  • (04:28) How modern investigations have changed in the last 5 years
  • (06:49) Are attackers moving faster than defenders?
  • (08:41) Can digital forensics become proactive?
  • (11:31) Will AI turn cyber defense into a war of bots?
  • (14:50) Why security adoption still lags behind new threats
  • (16:43) Identity becomes the primary attack surface
  • (19:56) War story: help desk social engineering, password resets, and disabled MFA
  • (22:52) A real vulnerability exploited within 12 hours
  • (25:18) What happens when CVE-to-exploit timelines shrink to minutes
  • (28:29) How adversary-in-the-middle MFA phishing works
  • (33:16) Why MFA bypass is really about intercepting authentication
  • (35:54) Hardware keys and where phishing kill chains usually stop
  • (39:14) Hacktivists, nation-states, organized crime, and initial access brokers
  • (42:47) The economics of selling access vs exploiting it yourself
  • (46:56) Devon’s final advice for defenders: reduce blast radius

Connect with the speakers:

  • Devon: https://www.linkedin.com/in/devonackerman/
  • Yegor: https://www.linkedin.com/in/yegor-sak-725330b2/
  • Alex: https://www.linkedin.com/in/alex-paguis-53a21815/

Powered by Control D [https://controld.com/]

12 May 2026 - 50 min
Cyberwarfare Is Not What CISOs Think: How to Protect Your Crown Jewels

Matan Eli Matalon breaks down AI-driven cyberwarfare, Iran-linked threat intelligence, and what CISOs must protect when attackers are trying to cause disruption.

This episode had to pause mid-recording after Matan, a former CISO who reverse-engineered Iran’s Handala malware, received a missile warning and had to take shelter. We picked the conversation back up the next day.

Matan Eli Matalon breaks down what cyberwarfare actually looks like on the ground right now: why Iran-linked groups are winning with basic techniques and propaganda, how AI is giving attackers a speed advantage defenders can't match, and what CISOs need to stop doing if they want to protect what actually matters.

He explains:

  • Why groups like Handala choose quantity over sophistication and how that makes them harder to defend against
  • How AI removes friction for attackers without changing the attacks themselves and why defenders can't keep up
  • Why protecting everything equally is the fastest way to protect nothing
  • The 3-step CISO framework: define failure, map every attack path to it, validate it's closed

Timestamps:

  • (00:00) Intro - Cyberwar is already here
  • (03:00) Disruption over dollars
  • (06:45) The Handala playbook exposed
  • (08:07) Inside Handala’s malware
  • (10:29) AI didn’t make hackers smarter, it made them faster
  • (12:20) Anthropic’s leaked “Mythos” model
  • (13:48) Stop protecting everything, protect what can kill you
  • (18:00) AI is breaking your security perimeter from within
  • (22:20) The house analogy that changes how CISOs think
  • (34:25) The CISO isn’t the department of no
  • (46:45) Agentic AI is a black box and CISOs hate it
  • (51:05) Slop squatting: the attack no one’s talking about
  • (54:00) The Iranian hack that almost took everything down
  • (1:00:00) When the goal is deletion, not data theft
  • (1:03:18) The backup that wasn’t
  • (1:06:30) The 3-step framework every CISO needs
  • (1:08:25) Why this 28-year-old chose defense over offense
  • (1:10:50) Cybersecurity in 3 years: Matan’s prediction

Connect with Matan Eli Matalon on LinkedIn [https://www.linkedin.com/in/matan-eli-matalon-413081186/]

Powered by Control D [https://controld.com/]

28 Apr 2026 - 1 h 13 min
AI Is Rewriting Cybersecurity in 2026

Matthew Rosenquist, longtime security strategist and former Intel CISO, gives his insights into why 2026 is unlike any year before it in cybersecurity, and what security leaders need to do right now to stay ahead.

He explains:

  • Why AI is a force multiplier for attackers first and what that means for defenders
  • How the vulnerability discovery-to-exploit window has collapsed from months to hours
  • The evolution of ransomware into AI-powered blackmail and extortion
  • Why MCP servers are the next major attack surface nobody is talking about
  • The CISO identity crisis and how to shift from cost center to business partner
  • Shadow AI, prompt injection, and why privacy is on life support
  • What the CISOs who survive AI disruption will do differently from those who don't

Episode Timeline:

  • (00:00) Intro and why 2026 hits different for cybersecurity
  • (14:40) How Matthew builds his annual predictions across 4 domains
  • (16:37) Why AI is the first force to dominate all four at once
  • (18:53) Social engineering at scale: AI's first killer app for attackers
  • (21:14) Zero days for $6 and the collapse of the exploit window
  • (24:14) Why human inertia is still the defender's biggest enemy
  • (33:54) Security by design and shrinking the zero day pool
  • (43:39) When tools have agency: the blurring line between AI and humans
  • (51:30) MCP servers, shadow AI and the governance gap no one is closing
  • (58:00) A real world AI phishing attack that almost fooled a security expert
  • (01:05:33) How ransomware is evolving into AI-powered blackmail
  • (01:37:39) The CISO identity shift from cost center to competitive edge

Connect with Matthew Rosenquist on LinkedIn [https://www.linkedin.com/in/matthewrosenquist/]

Powered by Control D [https://controld.com/]

8 Apr 2026 - 1 h 32 min
Incidents at Scale: What CISOs Get Wrong

Randy Barr has held the CISO title at over 10 companies — including Cisco, Zoom, and BioRender — and has seen every version of how security programs succeed and fall apart. He now leads security at Sequence Security, focused on API security, bot management, and AI protection.

In this episode, Randy takes us through what security teams think they're doing well but aren't, what incidents actually look like at scale, and why AI is rewriting the rules faster than most organizations can keep up.

He explains:

1. Why compliance and security are not the same thing — and confusing them is dangerous
2. How insider threats often hide inside your own growth and broken processes
3. What a war room actually needs to function under pressure
4. Why MCP servers and prompt injection are the next wave of incidents no one is ready for
5. How to build a CISO career that doesn't burn you out

Episode Timeline:

1. (00:00) From ASP to cloud to AI — how the security industry has shifted
2. (07:33) Why 80% of internet traffic is now machine to machine
3. (09:46) What most startups get wrong about security programs
4. (15:01) How to make the business case for a security budget
5. (19:36) When buying more tools is actually the wrong move
6. (28:30) War story: stolen servers sold online by an infrastructure manager
7. (36:25) War story part 2: third-party contractors scripting their own reimbursements
8. (42:00) The website defacement that launched Randy's security career
9. (46:11) What a good incident war room actually looks like
10. (53:50) Shadow AI, MCP servers, and the prompt injection risk no one is tracking
11. (01:02:00) Where AI can genuinely replace manual security work
12. (01:12:43) Advice for new and experienced CISOs on what actually matters

Connect with Randy on LinkedIn [https://www.notion.so/FMP-Episode-5-Randolph-2eaf9107c71980f783eff157ece962e0?pvs=21]

Powered by Control D [https://controld.com/]

24 Mar 2026 - 1 h 14 min
Incident Response: EU vs. US Policy Gaps

Alejandro Rivas Vazquez has spent nearly two decades running DFIR services and now advises on preparedness through his boutique consultancy, VeraBeam. He’s sat in boardrooms, testified as an expert witness, and been on the phone at 1am when OFAC changed the rules mid-ransomware negotiation.

In this episode, Alejandro breaks down why the EU and US approach cyber incidents from fundamentally different starting points, and what happens when those worlds collide inside a real investigation.

He explains:

1. Why lawyers belong in the room (and exactly when they don't)
2. How the EU's hyper-regulation actively hinders incident response
3. Why business email compromise costs more than ransomware — and gets less attention
4. What preparation actually means before an incident hits
5. How DFIR is professionalizing, and where AI fits into its future

Timestamps:

1. (00:00) Alejandro's path from Big Four IT risk to DFIR
2. (07:45) How Operation Night Dragon changed the industry
3. (16:20) Boardrooms, expert witnesses, and CISO liability
4. (25:35) EU vs. US: regulation-first vs national security-first
5. (32:15) When Europe's privacy laws block your own investigation
6. (41:48) CISO personal liability: insurance, risk acceptance, and burnout
7. (54:18) War story: business email compromise and the board member who went rogue
8. (01:01:45) The single decision that separates contained from catastrophic
9. (01:09:26) Midnight OFAC call during an active ransomware response
10. (01:14:00) Why DFIR merged and where the profession is heading
11. (01:20:09) AI as force multiplier: threat, opportunity, and the hallucination danger zone
12. (01:33:53) Practical advice: what EU and North American CISOs should do this quarter

Connect with Alejandro [https://www.linkedin.com/in/arivasvasquez/] on LinkedIn

Powered by Control D [https://controld.com/]

10 Mar 2026 - 1 h 29 min