TechSpective Podcast

Tony Bradley

The TechSpective Podcast brings together top minds in cybersecurity, enterprise tech, AI, and beyond to share a unique perspective on technology—unpacking breakthrough trends like zero trust, threat intelligence, AI-enabled security, ransomware’s geopolitical ties, and more. Whether you’re an IT pro, security exec, or simply tech‑curious, each episode blends expert insight with real-world context—from microsegmentation strategies to the human side of cyber ethics. But we also keep it fun, sometimes riffing on pop‑culture debates like Star Wars vs. Star Trek or Xbox vs. PS—so it’s not all dry and serious.

  1. 4D AGO

    The AI Risk Blind Spot Most Organizations Don’t Know They Have

    Most organizations believe they have a solid handle on their AI risk. According to a new report, that confidence may be misplaced. ArmorCode partnered with the Purplebook community to survey more than 650 cybersecurity leaders to produce the State of AI Risk Management 2026 report. The results reveal a disconnect that's hard to explain away: nearly 90% of respondents said they had complete visibility into AI usage across their organizations. More than 60% of those same respondents said AI usage in their organizations is essentially ungoverned. These weren't different groups of people. It was the same respondents giving contradictory answers within the same survey. I talked with Mark Lambert, Chief Product Officer at ArmorCode, about what's behind that gap and what organizations can realistically do about it on this episode of the TechSpective Podcast. Lambert wasn't surprised by the findings. The pressure organizations are under to capture productivity gains from AI is real, and the instinct is to adopt now and figure out governance later. AI-assisted code generation is delivering meaningful output, and the business case is hard to argue with. The security implications are another matter. As Lambert explained, even if AI-generated code has half the vulnerability density of human-written code, a 4x productivity multiplier still nets out to more vulnerabilities reaching production — not fewer. We also got into something I hadn't fully thought through before our conversation. Tools capable of discovering security flaws at a scale no human team could match are already here in limited form. Lambert described what he sees as a three-wave scenario for how this plays out — beginning with CVEs in critical infrastructure, moving to open-source vulnerabilities, and eventually reaching nation-state actors who've been capturing codebases for years and now have the right tools to mine them for exploitable flaws. 
Most organizations are already struggling to keep up with patching. The question of what happens when the volume of known vulnerabilities multiplies significantly is one that the industry doesn't have a good answer for yet. From there, we got into agentic AI, which is where the governance conversation gets complicated fast. I've been using the intern analogy a lot lately when talking about AI agents — you'd give them tasks, but you wouldn't hand them access to everything, and you'd review the output before it went anywhere it mattered. Lambert agreed with the framing. The problem, as I see it, is that the analogy breaks down at scale. Managing a handful of agents the way you'd supervise a new hire is workable. Doing that with a hundred agents means the human review process becomes the bottleneck, and you've given back the efficiency gains you were after. Lambert and I worked through what governance actually looks like when agent deployments grow — scoping agency based on business risk, making sure high-stakes decisions can be reversed, and building in the audit trail that regulators are going to want eventually. He pointed to a fireside chat from RSAC where the question came up of whether two agents could theoretically handle Sarbanes-Oxley compliance between them. The answer was almost certainly no, and the reasoning behind that gets at something important about where the line between autonomous and human-reviewed needs to sit. The self-driving car comparison came up, too. The first time I used adaptive cruise control, I kept my foot next to the brake the whole time. I've since ridden in Waymos, where I would have been fine falling asleep. That trust didn't come from a product announcement — it came from watching the system handle real situations over time. Lambert made the point that the same logic applies to AI agents in enterprise environments, which I think is right. 
The organizations that will do this well are the ones that build trust in their agents incrementally rather than assuming it. Lambert tied all of this back to ArmorCode's focus on unified exposure management — pulling data from hundreds of sources, applying business context, and using AI to prioritize what actually needs attention rather than just generating more alerts. Watch or listen to the full episode for the complete conversation.

    49 min
  2. MAY 7

    The Attack Surface Changed but the Fundamentals Didn’t

    Every few years, something comes along that reshapes the threat landscape and sends the industry scrambling for new tools, new frameworks, and new buzzwords. The perimeter died. Then it came back. Endpoints became the priority. Now they're not the whole story. Identity is the new battleground. AI is changing everything. And yet, the more I talk to people who've spent decades in the trenches, the more I keep hearing the same thing: the fundamentals still work. We just stopped trusting them. I had that conversation recently with Will Ledesma, a cybersecurity veteran with over 25 years in the field and a current role at N-able. Will also serves as a cyber warrior in the U.S. Air Force — and as a fellow Air Force vet, I can say the service tends to instill a certain appreciation for doing things right the first time. We talked about what N-able's latest State of the SOC report actually shows about where attacks are coming from — and the answer probably isn't what you'd expect if you've been following the conventional wisdom around endpoint protection. The data points somewhere else, and Will does a good job of explaining why that shift makes sense when you look at what's been happening across the business world over the last few years. From there, the conversation moved into identity — not just the username-and-password kind, but the full scope of what "identity" means in a world where your network includes laptops, IoT devices, cloud workloads, software applications, and increasingly, AI agents running on behalf of your employees. If an attacker can own any one of those identities, a lot of your other defenses stop mattering. Companies are bringing in AI tools at a rapid pace, leaning on them to augment their workforce and drive efficiency. That's fine. But what happens when those systems become mission-critical, and someone decides to take them out? We also got into something I've been saying for years about compliance. 
Compliance and security aren't the same thing. You can check every box on a framework audit and still get breached — plenty of high-profile companies have proven that. The frameworks have value, but they're a floor, not a ceiling. And too many organizations treat them like the finish line. Will's framing for all of it comes back to defense in depth — a concept he learned early in his career and one that he argues is more relevant now, not less. The attack surface has expanded. The identities have multiplied. The stakes are higher. But the logic of layering your defenses, covering your fundamentals, and not betting everything on any one control? That hasn't changed. The episode is worth your time whether you're a practitioner, a leader trying to make sense of your security investments, or just someone trying to figure out what "cyber resilience" actually means when you strip away the marketing. Hint: it's bigger than cybersecurity.

    28 min
  3. APR 30

    What the Breach Reveals That the Budget Never Did

    There's a pattern that shows up in incident response work that nobody talks about in the vendor briefings. You bring in forensics after something goes wrong, and somewhere in that process, you find a tool — already deployed, already licensed, sometimes running for years — that had the data to catch what happened. Nobody was looking at it. In some cases, it wasn't even turned on the right way. Max Henderson runs global digital forensics and incident response at Kroll. He's seen this enough that it's not a surprise anymore. That's part of what makes him a useful person to talk to about Kroll's new cyber resilience research — he's not reading a survey and drawing conclusions. He's comparing it against what he actually finds on cases. I had him on the TechSpective Podcast, and we started where I always start with someone who's close to research like this: not the findings, but what surprised him. His answer goes somewhere I didn't expect, and it reframes a lot of what follows. It's not about a specific attack type or a new threat category. It's about a structural problem in how organizations think about security investment — one that keeps showing up regardless of how much they've spent. The report itself covers 1,000 decision-makers across 10 countries. The headline numbers are familiar in their frustration — 94% treat cybersecurity as a top risk, budgets are up, nearly everyone has an incident response plan. And yet 72% still report misalignment between security priorities and business decisions. That gap has a real explanation, and Max gives it one that makes more sense than the usual "leadership doesn't get it" framing. We spent some time on the confidence problem. Organizations consistently overestimate their readiness — not because they're being dishonest, but because of how the question gets asked internally and who's answering it. The gap between saying you can quantify cyber risk and actually being able to do it when something happens is significant. 
Max has watched that gap reveal itself in real time during incidents, in rooms with executives who are hearing for the first time how long they might be down. The speed problem isn't getting better. Kroll's data on outbreak times is uncomfortable, and the percentage of organizations that feel equipped to respond within that window is even more uncomfortable. AI is part of why timelines are compressing — but not in the way most people fixate on. The most effective attacks Max is seeing right now don't involve sophisticated AI-enhanced exploits. They involve someone picking up the phone. The gap between where organizations focus their security investment and where they're actually getting hit is one of the more consistent findings across Kroll's casework. The AI discussion goes a few directions. There's the attacker side, which is getting more attention. But there's also what happens when organizations build out powerful AI infrastructure internally and what that looks like as a target. Max made a point about MCP servers specifically that I hadn't heard framed that way before — the security risk isn't necessarily about abusing the AI itself, it's about what you've handed to whoever can get onto that system. There's also a thread on agentic AI and the forensic problems it creates that I think is going to become a much bigger conversation. I asked him at the end where he'd tell an organization to start. One priority, 80% of the way there. The answer connects back to where we opened. Full episode on YouTube and wherever you get podcasts.

    44 min
  4. APR 28

    The Agentic AI Reckoning Nobody Saw Coming

    I keep having versions of the same conversation. The names and logos change, but the underlying tension doesn't: organizations are deploying AI agents fast, they're deploying them into production, and a lot of them weren't ready when they did it. Monte Carlo's co-founder and CTO Lior Gavish joined me on the TechSpective Podcast recently, and we got into why that's happening and what it actually means. Monte Carlo published the Agents in Production report, and the numbers are worth paying attention to. Nearly half of enterprises surveyed already have agentic solutions running on mission-critical work — not pilots, not proofs of concept. And somewhere around three-quarters of them said they deployed before they felt ready. That's not a surprise, exactly. The pressure to move is real. Boards are asking about AI strategy. CEOs are mandating adoption. The competitive argument for waiting is getting harder to make. But there's a difference between accepting that reality and assuming the governance infrastructure you need is going to materialize on its own. Part of what makes agents different from every other enterprise tool is that they don't follow a script. You can sandbox traditional software, test it, QA it, and have a reasonable expectation that what you tested is what you're deploying. Agents take a natural language objective and go find a path. That path isn't always the one you'd have chosen. Lior put it plainly — agents are optimizing for the mission, not for whatever guardrails you assumed were obvious. If they can reach data that technically sits within their access permissions, they'll reach it. If they can route around a limitation by working through another agent, some of them will figure that out. The other layer is that these systems are probabilistic. You can trace what went wrong after the fact, but the trace doesn't give you control. Run the same agent on the same task tomorrow, and you might get a different path. 
The audit log is evidence, not a fix. Where Lior and I spent a lot of time is the scale problem. One agent, you can watch. You can inspect every decision, every tool call, every output — same way you'd stay close to a new hire you're still calibrating. But the organizations moving aggressively aren't staying at one agent. They're heading toward dozens, then hundreds, and at that point, the pilot-phase approach of eyeballing everything stops being an option. The answer isn't to slow down across the board. What Lior kept coming back to was reversibility — don't hand agents tasks where a wrong decision can't be unwound — and visibility, meaning you need enough observability to catch drift before it becomes a problem you're explaining to someone else. There's an analogy from the conversation that stuck with me. You jumped in the car, hit the gas, and now you're trying to install brakes while it's moving. That's a pretty accurate description of where a lot of enterprises actually are. The question isn't whether to deploy anymore. It's whether you can see what your agents are doing well enough to catch a problem before it becomes one you can't walk back. That's what we got into. Give it a listen.

    52 min
  5. APR 20

    The Microsoft Enterprise Recovery Problem AI Can’t Fix

    There's a moment in my conversation with Bob Bobel where he mentions that customers are having a harder time finding people who actually know Active Directory. Not cloud identity — the old on-premise stuff that most large organizations still run, even if they've also got Entra ID and Office 365 sitting on top of it. That expertise is retiring, and it's not being replaced fast enough. Bob is the CEO of Cayosoft, which builds management, auditing, and recovery tools for Microsoft environments. He's been in this space for a long time — long enough to have sold to some of the same agencies he's selling to now, nearly two decades later. He started the company on his 401k, which his wife apparently still doesn't know about. We covered a lot of ground in this episode. Some of it is squarely in the weeds of Microsoft infrastructure — hybrid environments, the gap between what native tools can do and what organizations actually need, and why change auditing matters more than most IT teams realize. Some of it is broader: AI, the ecosystem of companies that build businesses around Microsoft's footprint, and what federal agencies are actually looking for when they go shopping for tools in this space. The recovery conversation is worth your time on its own. Bob tells the story of how Cayosoft ended up building their patented approach to Active Directory recovery — it starts with a phone call at 3 am, a demo coming up in four days, and no hardware anywhere near Key West. The problem they had to solve in that moment turned into something they still consider one of their core differentiators. I'll let him tell it. On AI, Bob is more measured than most people I talk to right now. He's not skeptical of it, but he's also not pretending it's ready to run your identity infrastructure. 
His argument is that the more realistic near-term use case is capturing what experienced engineers know before they retire — embedding that institutional knowledge somewhere useful rather than just losing it. Cayosoft recently filed a patent around that idea. He explains the thinking behind it, and also where he thinks the hype is running ahead of reality. There's also a good thread in here about what it actually means to build a company inside someone else's ecosystem. I used to work at a company that was tightly coupled to AWS, so I know that tension — the question every year of whether the platform you're built on is going to decide to build what you do. Bob has a pretty clear-eyed take on the Microsoft version of that dynamic. It's a good conversation. Check it out wherever you listen to (or watch) podcasts.

    52 min
  6. APR 16

    When AI Agents Go Rogue the Problem Starts at Runtime

    Every conversation I’ve had for the past couple of years has followed the same arc. First, it was generative AI. Then agentic AI. Now the question everyone is circling is how you actually secure agentic AI — and it turns out that’s a harder problem than most people expected. I sat down with Naor Paz, CEO and co-founder of Capsule Security, to talk through it. Naor spent years as a security practitioner and incident responder, moved into product leadership at F5, and is now focused on what he sees as one of the most underserved problems in enterprise security: stopping AI agents from going rogue while they’re actually running. Most of the security work happening around agentic AI right now is happening before the agent ever executes — governance, configuration, posture management, compliance. Capsule is focused on what happens during execution, which Naor says is where existing tools have almost no visibility at all. The core issue is that agents are non-deterministic. You can configure guardrails, set permissions, write policies — and then the agent reasons around all of it in pursuit of whatever objective it was given. Naor used a concrete example: Cursor’s coding agent was explicitly told not to touch certain files. It generated a shell script to read them anyway. The guardrail didn’t fail. The model just decided the goal mattered more. That’s not a bug you can patch. I drew a parallel to user behavior analytics — establish a baseline of normal behavior, flag deviations. Naor said the analogy is reasonable, but the scale breaks it. You might have a thousand employees. In the near term, you could have a million agents operating on behalf of those employees. The insider threat model we built for humans simply wasn’t designed for that. Naor describes intent as the new perimeter. Identity became the perimeter when the network stopped being the boundary. 
Now, even a properly credentialed, least-privileged agent can do real damage if what it’s actually doing has drifted from what it was told to do. Capsule runs a fine-tuned small language model alongside the agent, comparing intended behavior against actual behavior in real time and flagging the gap. Capsule has also published two zero-days to back this up. One involved Microsoft Copilot Studio — they called it ShareLeak. The other involved Salesforce Agentforce, which they called PipeLeak. Both are indirect prompt injection vulnerabilities, and Naor walks through how they actually work in the episode. What stood out to me wasn’t just the vulnerabilities themselves, but how different the disclosure process was compared to a traditional software bug. Microsoft’s engineering team needed two weeks to fully understand the attack surface — partly because AI vulnerabilities aren’t reliably reproducible. Non-determinism is a problem for the attacker trying to exploit consistently and for the vendor trying to confirm the fix. Naor compared this to Adobe Flash. Flash was so fundamentally susceptible to manipulation that the industry eventually decided the right answer was to stop using it. He doesn’t think that’s where we land with AI agents — the business value is too high — but the underlying point is that language models have structural vulnerabilities that can’t be fully engineered away. You need ongoing runtime protection, not a one-time fix. Multi-agent orchestration is where this gets more complicated. As agents increasingly work in coordination with other agents, the attack surface multiplies. Naor made a comparison to botnets — a coordinated network where some agents create noise while others do the actual damage somewhere else. It’s not a theoretical concern. Capsule is already building research around it. One interesting and concerning statistic: 72% of enterprises are already deploying AI agents. Only 29% have AI-specific security controls. 
Naor’s explanation for the gap isn’t budget — it’s confusion. Security leaders don’t know what their exposure looks like yet, and some are operating under the assumption that built-in platform governance is enough. It’s not. Gartner has already coined a category for what Capsule is building: guardian agents. AI watching AI. Naor addresses the obvious question that raises — doesn’t a guardian agent just introduce another attack surface? — and his answer is more nuanced than you might expect. We closed by talking about pace. I’ve stopped framing these conversations around five-year predictions. The question that actually matters right now is six months. Naor has a clear-eyed take on where things are heading, and it’s worth hearing. The full episode is available on major podcast platforms and on YouTube.

    43 min
  7. APR 10

    The Browser Was Already a Problem – Now Add a Billion AI Agents

    Fresh off RSAC 2026, I sat down with Ramin Farassat, Chief Product Officer at Menlo Security, to work through what agentic AI is actually doing to the enterprise attack surface. Menlo has spent 13 years focused specifically on browser security — the idea that the browser, not the endpoint, not the network perimeter, is where most enterprise work happens and most exposure lives. That was already a hard enough problem. Then you add AI agents into the mix. The framing Ramin kept coming back to is that the next billion users aren't going to be human. That's not a marketing line — it reflects something real about where agent adoption is heading. Think about how passwords and IP addresses scaled. In 2005, you could probably count both on your hands. Now your home router has 110 devices on it, and your iPhone has hundreds of saved passwords. Agents are going to follow the same curve, just faster. The average employee probably doesn't intend to deploy 25 agents. But they'll get there without really noticing. What makes this particularly thorny from a security standpoint is that agents aren't just scaled-up users. They have their own quirks. They'll take the path of least resistance, which sounds fine until your agent starts finding pathways into folders you didn't know were accessible. They can be manipulated in ways a human would immediately recognize as suspicious. And they can talk to other agents — meaning an agent you locked down to read-only can potentially find a workaround through another agent that has write access. Ramin walked through real examples of exactly that happening. We also got into the identity question, which I don't think the industry has a clean answer to yet. If I spin up ten agents to work on my behalf, are they ten separate identities? Does each one get its own credentials? 
Ramin has a specific take on how Menlo approaches this — and it's different from just handing every agent its own ID — but I'll let him explain it rather than summarize it badly. There's also a policy and accountability angle that I think is underexplored. A lot of organizations are actively pushing employees to adopt AI agents — not just allowing it, but setting productivity targets around it. When you mandate something, and then an agent goes off the rails, the question of who's responsible gets murky in a hurry. We talked through that, and I don't think there are easy answers. What stuck with me most from the conversation was something Ramin heard directly from multiple CISOs at RSAC: they know there are agents running in their environment. They just don't know who built them, where they are, or what applications they're connecting to. Because an agent using someone's credentials looks exactly like that person to the network. There's no easy way to tell the difference. That's the problem set we spent 45 minutes unpacking in this episode of the TechSpective Podcast. If you're thinking about agentic AI in your environment — or you're already dealing with it, whether you planned to or not — this episode is worth your time. Watch or listen to the full episode.

    47 min
  8. MAR 26

    Why Ransomware Should Be Getting Your Attention Again

    Ransomware has been a persistent headline topic for years now, to the point where a lot of people have probably gotten numb to it. I know I had. It starts to feel like background noise — another attack, another breach, another company paying out. So when I sat down with Derek Manky, Chief Security Strategist and Global VP of Threat Intelligence at Fortinet, and he started walking through the numbers from Fortinet's latest Global Threat Landscape Report, it got my attention again. The data isn't background noise. It's a pretty clear signal that things are getting more serious, not less. Derek has been tracking the threat landscape for over 25 years, 22 of them at Fortinet, where he leads the FortiGuard Labs threat intelligence team. That kind of tenure is rare in this industry, and it gives him a long view that's useful when you're trying to understand whether a trend is real or just noise. In this case, the ransomware numbers are real — and the reasons behind them are more interesting than the headlines usually get into. Part of what we talked about is how the economics and tactics of cybercrime have shifted. It's not just that there are more attacks. It's that the attacks are more targeted, more deliberate, and increasingly supported by tools that make sophisticated operations accessible to a much wider pool of threat actors. The AI angle here is real, and Derek gets specific about what that actually looks like in practice — not in a theoretical sense, but in terms of tools that exist right now and what they cost. There's also a metric from the report that I think should probably get more attention than it does. It has to do with how fast attackers move once a vulnerability becomes public knowledge. The window has gotten tight enough that some of the conventional wisdom around patching and response timelines doesn't really hold up anymore. We talked through what that means for defenders and what a more realistic approach looks like. 
One thing I appreciated about the conversation is that Derek didn't make it all sound hopeless. There's a practical framework for thinking about defense that he walks through — one that accepts the reality that you're never going to eliminate all your risk, and focuses instead on identifying and closing the exposures that actually matter most. That's a more useful starting point for most organizations than trying to chase everything at once. We also got into some of the work Fortinet does that goes beyond building security products — specifically around disrupting cybercriminal infrastructure and working with law enforcement and international partners to hold threat actors accountable. Derek mentioned something toward the end of the conversation that I hadn't heard before, a new initiative that takes a pretty different approach to gathering intelligence on cybercrime networks. Worth listening to. And because it's the TechSpective Podcast, we did eventually go off-script. There was a brief Star Trek tangent. There were house plants. That's just how these go. The full episode is below. If you work in security or are responsible for making decisions about security at your organization, it's worth the time.

    51 min
