Full Metal Packet Cybersecurity Podcast

Control D

Full Metal Packet is the go-to cybersecurity podcast for security leaders who want the truth about what it takes to defend at scale. Hosted by Yegor and Alex, the founders of Windscribe (trusted by 90M+ people) and Control D, this show pulls back the curtain on how operators actually handle breach incidents, reduce noise, and prepare for the post-AI security world. Season 1 features CISOs, DFIR commanders, and security architects from SaaS, healthcare, government, and hospitality. Each episode dives into: - Breach Incidents → the first 72 hours that define an outcome (de-identified and NDA-safe). - SecOps Therapy → the frictions nobody talks about: burnout, broken workflows, and the fixes that matter. - Security Futures → fresh perspectives on what’s underrated, overhyped, and coming next in a world reshaped by AI. No vendor fluff - just operator-grade conversations that security professionals can apply immediately.

  1. vor 4 Tagen

    LockBit Hit Us: A CISO's Real-World RANSOMWARE BREACH STORY | Zach Lewis

    Zach Lewis, CIO and CISO at the University of Health Sciences and Pharmacy in St. Louis, breaks down the LockBit ransomware attack that hit his university in April 2023 and how it impacts CISOs and security leaders navigating the same threat today. ◼ Incident response takeaway: why the first 24 hours matter more than any tool in your stack ◼ Threat intelligence insight: how LockBit's negotiation tactics and "customer support" model actually work ◼ Real-world application: the backup failure that nearly ended recovery, and the policy violation that saved it ◼ Identity security lesson: how cached credentials let attackers escalate from one phished laptop to full domain control ◼ Post-incident rebuild: the break-glass accounts, data governance, and password manager overhaul that followed Zach walks through the full incident: discovering the ransom note on the hypervisor, the scramble to restore Active Directory on an esports gaming PC, refusing a $1.25M ransom demand, and the data governance and identity security overhaul that followed. (00:00) – Introducing Zach Lewis, University CISO (02:06) – Balancing CIO and CISO Roles (03:32) – Common Ransomware Misconceptions for Leaders (06:18) – Ransomware Industry Trends and Economics (07:44) – AI-Driven Phishing and Social Engineering (09:36) – Misdiagnosing a LockBit Cyberattack (10:30) – Ransom Note Found on Hypervisor (12:56) – First 24 Hours of Incident Response (15:20) – Impact on Students, Faculty, Systems (19:14) – Restoring Active Directory on Gaming Hardware (21:59) – LockBit Negotiation via Tor Network (24:50) – Backup Failures and Recovery Breakthrough (27:41) – Decision to Refuse Ransom Payment (34:20) – Root Cause: Phishing and Cached Credentials (41:38) – Why Only Partial Data Leaked (49:39) – Post-Incident Security Program Overhaul (1:04:45) – Final Advice for Security Leaders Guest ⬇️ Zach Lewis: https://www.linkedin.com/in/zacharylewis1/ Hosts ⬇️ Yegor Sak: https://www.linkedin.com/in/yegor-sak-725330b2/ Alex Paguis: https://www.linkedin.com/in/alex-paguis-53a21815/ Powered by Control D

    LockBit Hit Us: A CISO's Real-World RANSOMWARE BREACH STORY | Zach Lewis
  2. 30. Juni

    Capital One Breach Explained: The 1% Cloud Security Gap That Failed

    How did the 2019 Capital One breach happen? Ross Young explains how a WAF misconfiguration and unfinished cloud migration exposed a critical security-control gap. CISOs will learn how to measure tool effectiveness, redirect wasted security budget, and add safeguards for autonomous AI agents. Ross Young is a former intelligence officer turned enterprise CISO. He was at Capital One during the 2019 breach, authored Cybersecurity's Dirty Secret: Why Most Budgets Go to Waste, and is now co-founder & CEO of Clear Capabilities, building AI agents to automate the parts of security that drain teams dry. In this episode, Ross explains: ◼ The exact WAF misconfiguration that enabled the Capital One breach and why it's probably still hiding in your environment ◼ Why your security tools are likely only 40–72% effective, and how to calculate your true effective protection score ◼ Which security categories are largely security theater (DLP, third-party risk management) and where budget should actually go ◼ How AI is shifting the speed of attacks vs. defenses and what defenders must do right now to keep up ◼ Why AI agents need kill switches, audit trails, and rollback processes before they ever go live Time Stamps (00:00) Introduction: Ross Young's Path From Offense to CISO (00:29) Inside the 2019 Capital One AWS Breach (07:14) Evidence Every CISO Should Collect After a Breach (08:26) The Swiss Cheese Firewall Problem (11:17) Misaligned Incentives Between Developers and Security (13:10) Risk Acceptance: The MRI Machine and the CFO's Math (17:55) Murder Boards: Killing Underperforming Security Tools (24:18) Why Vendor Choice Matters Less Than Configuration (28:32) Where Security Budgets Should Actually Go (32:39) AI Is Closing the Attacker-Defender Speed Gap (36:25) Stopping Deepfakes and Phishing With Process, Not Tools (43:51) AI Agents Are the New Phishing Target (47:37) Building a Kill Switch for Rogue AI Agents (51:51) Introducing the OWASP Threat and Safeguard Matrix (58:50) One Thing Every CISO Should Fix This Week (59:48) Ross's New Venture: Clear Capabilities Connect with Ross Young on LinkedIn: https://www.linkedin.com/in/mrrossyoung/ Hosts ⬇️ Yegor Sak: https://www.linkedin.com/in/yegor-sak-725330b2/ Alex Paguis: https://www.linkedin.com/in/alex-paguis-53a21815/ Powered by Control D

    Capital One Breach Explained: The 1% Cloud Security Gap That Failed
  3. 16. Juni

    Cybersecurity Threat Modeling: A Navy Officer’s Playbook for When Patching Fails

    How should security teams manage vulnerabilities when patching is impossible or incomplete? Ben Lipczynski explains contextual threat modeling, legacy-system risk, and defense in depth. Security leaders will learn how to identify critical systems, reduce hundreds of scan findings to meaningful actions, and prepare around operational consequences. Ben is the Director of Security and Regulatory Services at Origina and a former British Royal Navy officer with 12 years operating nuclear submarines and global networks. He brings an operator-level perspective on what separates a contained incident from a months-long operational nightmare. He explains: ◼ Why siloed teams and poor system knowledge cause more breaches than sophisticated attacks ever do ◼ Why upgrading to the latest version often introduces more vulnerabilities than it removes ◼ How 700 scan findings came down to 20 real actions after proper contextual analysis ◼ Why the CVE volume problem is about to get significantly worse and what to do about it ◼ Why defense in depth, not patching, is the only strategy that holds up when an attacker gets inside Time Stamps: (0:00) Introduction (0:53) What corporate security teams get wrong vs. the military (2:22) The submarine mindset: 90% training, 10% operations (4:48) Operational clarity in the military: everyone knows the mission and their role (6:59) Military structure vs. corporate agility — opposites or the same need? (10:38) Why Ben left the Navy for cybersecurity (14:32) "Take a marching pace" — thinking before acting in incident response (18:09) The iPad water treatment plant story — OT connectivity creep in the real world (25:30) The myth of N-minus-one: legacy doesn't mean insecure (28:10) Open source dependency risk — 60% of vulnerabilities aren't in the core code (31:01) Slop squatting: attackers pre-registering AI-hallucinated package names (33:00) What to do when you can't patch — contextual risk-based defense in depth (36:26) The patch validation problem — exploits now arrive within hours of a CVE (44:00) Fully patched, still taken down — architecture beats updates (51:26) Log4J case study: why deleting the library beat the patch cycle (55:23) Practical advice for security teams managing legacy systems (1:02:22) The CVE volume crisis — is the current patching model even tenable? (1:07:21) Bold prediction: CVE text itself will become an attack vector for AI agents Connect with the speakers ⬇️: Ben Lipchinski: https://www.linkedin.com/in/benlipczynskisecurity/ Yegor Sak: https://www.linkedin.com/in/yegor-sak-725330b2/ Alex Paguis: https://www.linkedin.com/in/alex-paguis-53a21815/ Powered by Control D

    Cybersecurity Threat Modeling: A Navy Officer’s Playbook for When Patching Fails
  4. 28. Mai

    ISO 27001 Compliance vs Security: What CISOs Must Fix in 2026

    What is the difference between ISO 27001 compliance and operational security? John Verry explains compliance theater, shadow AI, and the role of ISO 42001 and the EU AI Act. Security leaders will learn how to operationalize controls, inventory AI use, and govern agentic systems without adding unnecessary GRC complexity. John Verry is the Managing Director at CBIZ Cybersecurity, ISO 27001 certified lead auditor since 2006, and has guided hundreds of organizations through ISO 27001, SOC 2, CMMC, FedRAMP, and HITRUST. He has seen firsthand what separates organizations that get genuinely secure from those that just collect certifications. John explains: ◼ Why you can be fully compliant and completely insecure at the same time ◼ Why operationalizing your security program inside tools your team already uses matters more than buying another GRC platform ◼ How 65% of SaaS platforms now have AI built in and why most organizations have no inventory of it ◼ Why the EU AI Act's August 2026 deadline is real and what organizations need to do now ◼ Why agentic AI shifts the risk from hallucination to autonomous business decisions made at scale without a human in the loop Timestamps (00:00) Introduction (06:27) Meet John Verry: Managing Director at CBiz Cybersecurity (07:47) What compliance theater actually means and why it matters (09:34) Security is a journey, compliance is a destination (12:30) The most common mistakes companies make after getting certified (15:07) What it actually takes to operationalize a security program (17:34) The merchants of complexity problem and why less tooling wins (20:50) Third party risk management and the hidden operational debt of every new vendor (22:19) What shadow AI is and why most organizations still do not know they are using it (28:21) How to balance moving fast on AI with slow-moving compliance frameworks (31:40) Why ISO 27001 updates slowly and why that might actually be a good thing (36:41) How to risk model different types of AI from Grammarly to agentic systems (40:14) Why shadow AI is lower risk than deeply integrated AI but still dangerous (43:29) Sycophantic AI behavior, what causes it, and why it creates real danger (52:29) AI coding AI, the hard takeoff, and the model collapse problem (54:24) EU AI Act deadlines, ISO 42001, and why AI compliance urgency is now (58:44) How ISO 42001 works as an extension of ISO 27001 (01:01:27) When auditors do not understand AI governance and certifications become theater (01:02:28) The main blocker stopping CISOs from escaping compliance theater (01:05:41) The next 12 to 18 months: why the era of agentic AI is already here (01:07:48) Closing thoughts: What should actually scare every CISO right now Connect with John Verry on LinkedIn https://www.linkedin.com/in/jverry/ Hosts ⬇️ Alex: https://www.linkedin.com/in/alex-paguis-53a21815/ Yegor: https://www.linkedin.com/in/yegor-sak-725330b2/ Powered by Control D

  5. 12. Mai

    MFA Bypass Explained By Ex-FBI Agent: How Identity Attacks Evade Detection

    How do attackers bypass MFA and compromise an organization without deploying malware? Devon Ackerman breaks down help-desk social engineering, stolen session tokens, and adversary-in-the-middle phishing. Security and DFIR leaders will learn why identity-based intrusions evade traditional detection, where hardware security keys can break the attack chain, and how to limit the blast radius when credentials are compromised. Devon is the Global Head of Digital Forensics and Incident Response at Cyber Reason and a former FBI Supervisory Special Agent focused on counterintelligence and cyber investigations. He is also the author of Diving In: An Incident Responder's Journey and one of the most experienced breach investigators working today. Devon explains: ◼ Why attackers ditched malware and are stealing identities to hide inside normal user behavior ◼ How one phone call to a help desk bypassed MFA and gave full network access without a single alert ◼ Why phishing kits intercept your authentication token, not your password ◼ Why hardware keys stop most kill chains cold and where that still breaks down ◼ The four threat actor categories and why each one requires a different defensive response Time Stamps (00:00) Devon Ackerman Introduction (01:48) Why digital forensics and incident response belong together (04:28) How modern investigations have changed in the last 5 years (06:49) Are attackers moving faster than defenders? (08:41) Can digital forensics become proactive? (11:31) Will AI turn cyber defense into a war of bots? (14:50) Why security adoption still lags behind new threats (16:43) Identity becomes the primary attack surface (19:56) War story: help desk social engineering, password resets, and disabled MFA (22:52) A real vulnerability exploited within 12 hours (25:18) What happens when CVE-to-exploit timelines shrink to minutes (28:29) How adversary-in-the-middle MFA phishing works (33:16) Why MFA bypass is really about intercepting authentication (35:54) Hardware keys and where phishing kill chains usually stop (39:14) Hacktivists, nation-states, organized crime, and initial access brokers (42:47) The economics of selling access vs exploiting it yourself (46:56) Devon’s final advice for defenders: reduce blast radius Connect with the speakers ⬇️ Devon: https://www.linkedin.com/in/devonackerman/ Yegor: https://www.linkedin.com/in/yegor-sak-725330b2/ Alex: https://www.linkedin.com/in/alex-paguis-53a21815/ Powered by Control D

    MFA Bypass Explained By Ex-FBI Agent: How Identity Attacks Evade Detection
  6. 28. Apr.

    Cyberwarfare Explained: How CISOs Protect Critical Systems

    What does modern cyberwarfare look like for security leaders? Matan Eli Matalon explains Iran-linked attacks, disruption campaigns, propaganda, credential abuse, and AI-enabled attacker speed. CISOs will learn a three-step framework for defining business failure, mapping attack paths, and protecting critical systems. This episode had to pause mid-recording after Matan, a former CISO who reverse-engineered Iran’s Handala malware, received a missile warning and had to take shelter. We picked the conversation back up the next day. Matan explains: Why groups like Handala choose quantity over sophistication and how that makes them harder to defend againstHow AI removes friction for attackers without changing the attacks themselves and why defenders can't keep upWhy protecting everything equally is the fastest way to protect nothingThe 3-step CISO framework: define failure, map every attack path to it, validate it's closed Timestamps: • (00:00) Intro - Cyberwar is already here • (03:00) Disruption over dollars • (06:45) The Handala playbook exposed • (08:07) Inside Handala’s malware • (10:29) AI didn’t make hackers smarter, it made them faster • (12:20) Anthropic’s leaked “Mythos” model • (13:48) Stop protecting everything, protect what can kill you • (18:00) AI is breaking your security perimeter from within • (22:20) The house analogy that changes how CISOs think • (34:25) The CISO isn’t the department of no • (46:45) Agentic AI is a black box and CISOs hate it • (51:05) Slop squatting: the attack no one’s talking about • (54:00) The Iranian hack that almost took everything down • (1:00:00) When the goal is deletion, not data theft • (1:03:18) The backup that wasn’t • (1:06:30) The 3-step framework every CISO needs • (1:08:25) Why this 28-year-old chose defense over offense • (1:10:50) Cybersecurity in 3 years: Matan’s prediction Connect with Matan Eli Matalon on LinkedIn Powered by Control D

    Cyberwarfare Explained: How CISOs Protect Critical Systems
  7. 8. Apr.

    AI in Cybersecurity 2026: Threats CISOs Must Prepare For

    How is AI changing cybersecurity in 2026? Former Intel CISO Matthew Rosenquist examines AI-enabled social engineering, faster exploitation, ransomware, shadow AI, and MCP server risk. Security leaders will learn how to govern autonomous tools, adapt defensive operations, and position the CISO as a strategic business partner. He explains: Why AI is a force multiplier for attackers first and what that means for defendersHow the vulnerability discovery-to-exploit window has collapsed from months to hoursThe evolution of ransomware into AI-powered blackmail and extortionWhy MCP servers are the next major attack surface nobody is talking aboutThe CISO identity crisis and how to shift from cost center to business partnerShadow AI, prompt injection, and why privacy is on life supportWhat the CISOs who survive AI disruption will do differently from those who don't Episode Timeline: (00:00) Intro and why 2026 hits different for cybersecurity(14:40) How Matthew builds his annual predictions across 4 domains(16:37) Why AI is the first force to dominate all four at once(18:53) Social engineering at scale: AI's first killer app for attackers(21:14) Zero days for $6 and the collapse of the exploit window(24:14) Why human inertia is still the defender's biggest enemy(33:54) Security by design and shrinking the zero day pool(43:39) When tools have agency: the blurring line between AI and humans(51:30) MCP servers, shadow AI and the governance gap no one is closing(58:00) A real world AI phishing attack that almost fooled a security expert(01:05:33) How ransomware is evolving into AI-powered blackmail(01:37:39) The CISO identity shift from cost center to competitive edge Connect with Matthew Rosenquist on LinkedIn Powered by Control D

    AI in Cybersecurity 2026: Threats CISOs Must Prepare For
  8. 24. März

    How to Build a Security Program That Scales: A Veteran CISO’s Playbook

    How do you build a security program as a company scales? Veteran CISO Randy Barr explains security budgets, tool sprawl, insider threats, incident war rooms, and AI risk. Security leaders will learn which controls growing companies need first, how to prepare for operational incidents, and when another security tool is the wrong investment. Randy Barr has held the CISO title at over 10 companies — including Cisco, Zoom, and BioRender — and has seen every version of how security programs succeed and fall apart. He now leads security at Sequence Security, focused on API security, bot management, and AI protection. In this episode, Randy takes us through what security teams think they're doing well but aren't, what incidents actually look like at scale, and why AI is rewriting the rules faster than most organizations can keep up. Randy explains: Why compliance and security are not the same thing — and confusing them is dangerousHow insider threats often hide inside your own growth and broken processesWhat a war room actually needs to function under pressureWhy MCP servers and prompt injection are the next wave of incidents no one is ready forHow to build a CISO career that doesn't burn you out Episode Timeline: (00:00) From ASP to cloud to AI — how the security industry has shifted(07:33) Why 80% of internet traffic is now machine to machine(09:46) What most startups get wrong about security programs(15:01) How to make the business case for a security budget(19:36) When buying more tools is actually the wrong move(28:30) War story: stolen servers sold online by an infrastructure manager(36:25) War story part 2: third-party contractors scripting their own reimbursements(42:00) The website defacement that launched Randy's security career(46:11) What a good incident war room actually looks like(53:50) Shadow AI, MCP servers, and the prompt injection risk no one is tracking(01:02:00) Where AI can genuinely replace manual security work(01:12:43) Advice for new and experienced CISOs on what actually matters Connect with Randy on LinkedIn Powered by Control D

    How to Build a Security Program That Scales: A Veteran CISO’s Playbook

Info

Full Metal Packet is the go-to cybersecurity podcast for security leaders who want the truth about what it takes to defend at scale. Hosted by Yegor and Alex, the founders of Windscribe (trusted by 90M+ people) and Control D, this show pulls back the curtain on how operators actually handle breach incidents, reduce noise, and prepare for the post-AI security world. Season 1 features CISOs, DFIR commanders, and security architects from SaaS, healthcare, government, and hospitality. Each episode dives into: - Breach Incidents → the first 72 hours that define an outcome (de-identified and NDA-safe). - SecOps Therapy → the frictions nobody talks about: burnout, broken workflows, and the fixes that matter. - Security Futures → fresh perspectives on what’s underrated, overhyped, and coming next in a world reshaped by AI. No vendor fluff - just operator-grade conversations that security professionals can apply immediately.