Automating Offensive Security with XBOW

Automating Offensive Security with XBOW

In this episode, Nico Waisman [https://www.linkedin.com/in/nwaisman/], CISO at XBOW [https://xbow.com/?utm_source=cisoseries], explains how XBOW uses autonomous AI agents to run continuous, incremental penetration testing without triggering false-positive avalanches or taking down production systems. Joining him are Jacob Combs [https://www.linkedin.com/in/jacobcombs/], CISO at Tandem Diabetes Care, and Davi Ottenheimer [https://www.flyingpenguin.com/], president at Flying Penguin [https://www.flyingpenguin.com/]. Want to know: * Why can't traditional pen tests keep up with modern attack surfaces? * How XBOW's attack credit model maps to the way security teams already size testing effort? * What stops an autonomous pen testing agent from causing real damage in production? * How incremental testing works when a new pull request changes the application? * Where XBOW is headed on prompt injection and LLM-specific vulnerabilities? * How you audit what the AI actually did during an assessment? * What novel vulnerability chains are emerging as AI reasoning models get more capable? Check out the episode for the answers you need. Huge thanks to our sponsor, XBOW

Rethinking Tabletops with Reflex Security

In this episode, Cassio Goldschmidt [https://www.linkedin.com/in/cassiogoldschmidt/], co-founder and CTO at Reflex Security [https://reflexsecurity.io/], explains how Reflex replaces static, script-driven tabletops with adaptive AI-driven simulations that fight back, measure real human behavior under pressure, and surface the gaps that scripted exercises never reach. Joining him are Nick Espinosa [https://www.linkedin.com/in/nickespinosa/], host of the nationally syndicated Deep Dive Radio Show [https://podcasts.apple.com/us/podcast/the-deep-dive-radio-show-and-nicks-nerd-news/id1262505658], and Jay Wilson [https://www.linkedin.com/in/jaywwilson/], CISO and CIO at Insurity [https://insurity.com/]. Want to know: * Why do traditional tabletops train teams to know the plan rather than execute under pressure? * What's the difference between a team that panics and a team that chokes, and why does it matter? * How does Reflex use AI agents to adapt the simulation based on what the team actually does? * Can you run separate tabletops for technical, legal, and executive audiences without multiplying the workload? * Is there a risk that security leaders optimize for the AI's score rather than genuine preparedness? * How does an AI agent joining a video conference change the way a tabletop runs? * How hard should training be relative to the real thing? Check out the episode for the answers you need. Huge thanks to our sponsor, Reflex Security https://reflexsecurity.io/ Most tabletop exercises are static, predictable, and easy to pass. Reflex Security [https://reflexsecurity.io/] built the first tabletop that fights back, throwing teams into dynamic simulations against intelligent AI adversaries that adapt to your every move. With Reflex, your team can move from checkbox exercises to real crisis readiness.

Securing Mobile Apps with Guardsquare

In this episode, Ryan Lloyd [https://www.linkedin.com/in/michael-olechna/], Chief Product Officer at Guardsquare [https://hubs.la/Q049Mr580], explains how the platform combines code obfuscation, runtime integrity checks, and real-time threat monitoring to secure mobile apps at the binary level, integrated directly into the CI/CD pipeline. Joining him are TC Niedzialkowski [https://www.linkedin.com/in/tc-niedzialkowski/], Head of IT & Security at Opendoor [https://www.opendoor.com/], and Montez Fitzpatrick [https://www.linkedin.com/in/montezfitzpatrick/], CISO at Navvis [https://www.navvishealthcare.com/]. Want to know: * Why does organizational apathy around mobile app security persist even as mobile becomes the primary customer channel? * What's the difference between app integrity and code integrity, and why does it matter for defending against repackaging attacks? * How does obfuscation function as a real security control rather than just security through obscurity? * How does Guardsquare fit into the CI/CD pipeline, and what does the actual build overhead look like for development teams? * What API and webhook capabilities exist for routing threat monitoring data into your existing security stack? * How does Guardsquare's mobile app attestation model bind server-side APIs to verified legitimate app instances — and why does that matter for stopping bots and credential theft? Huge thanks to our sponsor, Guardsquare Guardsquare delivers mobile app security without compromise, providing advanced protections for both Android and iOS apps. From app security testing to code hardening to real-time visibility into the threat landscape, Guardsquare solutions provide enhanced mobile application security from early in the development process through publication. Learn more about how to protect your app at Guardsquare.com [https://hubs.la/Q03_0XJK0].

Verifying Identities with Trusona

In this episode, Ori Eisen [https://www.linkedin.com/in/orieisen/], founder and CEO at Trusona [https://www.trusona.com/?utm_source=webinar&utm_medium=referral&utm_campaign=iid_awareness&utm_content=ciso_series], makes a case for getting out of the AI detection arms race entirely. He argues that trying to catch AI-generated fakes with AI detection is the antivirus playbook, and we know how that ends. Trusona instead anchors verification to authoritative sources, DMV records and physical-world signals, things AI can mimic on screen but can't actually own. No pre-registered devices required. And it works in both directions: attackers calling your help desk, and attackers calling your employees while pretending to be IT. Joining him are Eduardo Ortiz [https://www.linkedin.com/in/eduortiz/], VP and Global Head of Cybersecurity at Techtronic Industries [https://www.ttigroup.com/], and Mandy Huth [https://www.linkedin.com/in/mandyhuth/], SVP and CISO at Ultra Clean Technology [https://ultracleantech.com/]. Want to know: * Why do MFA and SSO still leave gaps attackers walk right through? * How Trusona verifies identity with no pre-registered devices or tokens? * Why building AI detection on top of AI fakes is a losing strategy? * How is a false rejection rate of zero achievable without locking out real employees? * What deployment actually looks like, and how fast you can be live? * Which departments beyond IT need identity verification, and where do you start? * How to measure the business value of this beyond just counting blocked account takeovers? * Why is a solid help desk protocol still not enough on its own? Huge thanks to our sponsor, Trusona GenAI supercharges identity impersonation and social engineering attacks – rendering legacy identity verification methods obsolete, especially in high-risk workflows like IT Help Desk password/MFA resets, vendor payment changes, remote employee hiring, or customer account access. Trusona [https://www.trusona.com/?utm_source=webinar&utm_medium=referral&utm_campaign=iid_awareness&utm_content=ciso_series] ATO Protect empowers your team to thwart these attacks across business units and channels. GenAI supercharges identity impersonation and social engineering. It's rapidly eroding traditional authentication, especially in high-risk workflows like help desk password or MFA resets, vendor payment changes, remote employee hiring, and customer account access. Trusona's ATO Protect [https://www.trusona.com/?utm_source=webinar&utm_medium=referral&utm_campaign=iid_awareness&utm_content=ciso_series] addresses deepfakes and social engineering directly—without adding friction or relying on legacy MFA.

Transitioning to Quantum-Safe Encryption with enQase

All links and images can be found on CISO Series. [https://cisoseries.com/transitioning-to-quantum-safe-encryption-with-enqase/] In this episode, Raj Patil [https://www.linkedin.com/in/rajeshpatil/], CTO at enQase [https://enqase.com/], explains how enQase's full-stack platform helps enterprises implement quantum-safe security through a structured, integrated approach. This covers everything from cryptographic asset discovery and governance to out-of-band key generation for network appliances, without requiring organizations to rip and replace existing infrastructure. Joining him are Ross Young [https://www.linkedin.com/in/mrrossyoung/], co-host at CISO Tradecraft [https://www.cisotradecraft.com/], and Adam Palmer [https://www.linkedin.com/in/globalciso/], CISO at First Hawaiian Bank [https://www.fhb.com/en/about-us]. Want to know: * Why is the post-quantum cryptography transition harder than simply implementing new standards? * What three factors should frame every CEO conversation about quantum risk? * Where should a highly regulated enterprise start, and what can reasonably wait three to five years? * Why should we be planning for "harvest now, decrypt later" attacks right now? * How do you build and track a cryptographic bill of materials across hundreds of applications and devices? * Why is crypto agility more important than picking the perfect algorithm? Huge thanks to our sponsor, enQase https://enqase.com?utm_source=cisoseries The enQase Platform empowers enterprises, defense organizations, cloud providers, and critical infrastructure operators to seamlessly adopt quantum-safe technologies while achieving crypto agility across their ecosystems. By combining quantum-grade hardware with software-defined control and interoperability, enQase ensures alignment with NIST standards, delivers unmatched flexibility and compliance readiness, and reduces risk across data, network, and compute layers, all while maintaining business continuity and operational resilience in an evolving cryptographic landscape. Learn more at enqase.com. [https://enqase.com?utm_source=cisoseries]