The Web3 Security Podcast

Web3 CISO Open Source Dilemma: Why AI May Force Code To Go Dark | Haim Krasniker

StarkWare's CISO bootstrapped the Israeli Air Force's penetration testing team before spending years across mobile forensics at Cellebrite, email security at Proofpoint, and enterprise DevSecOps at Red Hat. That depth across offensive and defensive disciplines is rare in Web3, and it shows in how Haim Krasniker thinks about protocol security.

In this episode, Haim gets specific about the tradeoffs most CISOs won't say out loud: why real-time monitoring is nearly useless without pre-built enforcement mechanisms, why checking compliance boxes in Web3 is actively dangerous, and why the open source model for smart contracts may not survive the next wave of AI-assisted exploitation. He also shares a take on the future of bug bounty programs that Sherlock happens to agree with.

Topics discussed:

  • Postmortem culture from the Israeli Air Force as a blueprint for proactive security

  • Why Web3 incident response windows are measured in minutes, not hours

  • Designing withdrawal limits against false positive rates to protect users without censoring them

  • Running 300+ custom monitoring rules internally instead of relying on vendor defaults

  • Dev sandboxes as the security architecture for AI coding tools and CICD supply chain risk

  • Staked bug bounty submissions as a filter against AI-generated report flooding

  • The open source versus closed source debate as AI lowers the cost of smart contract exploitation

  • Native on-chain privacy through STRK20 as an institutional adoption prerequisite