Most organizations underestimate the staggering speed at which cyber threats are evolving—until it’s too late. Chris Nyhuis, a cybersecurity veteran who's been in the trenches for 16 years, pulls back the curtain on the terrifying future of cyber warfare powered by AI. This isn’t just theory—he shares chilling real-world insights about AI-enabled attacks that operate with unprecedented speed and cunning, making traditional defenses look like child's play.
Imagine a world where hackers deploy AI agents capable of attacking countless targets simultaneously, learning and adapting in real-time. Chris breaks down how cyber tactics are shifting—where low and slow is the new fast, and the stakes have never been higher. From AI’s role in disrupting power grids and critical infrastructure to the dark side of AI-enabled human trafficking and dehumanization, this episode reveals what’s truly at risk when our security tools lag behind.
You’ll discover:
How AI has compressed the timeline of cyber attacks, giving bad actors the upper hand.
00:00 - Welcome to the future: Cyber warfare and AI in 2026
02:00 - The lightning-fast pace of security changes, zero trust, and LLMs
03:45 - The shocking speed of new AI tools and threats, from leaks to micro-apps
05:30 - Inside the mind of an evil hacker: AI agents used for malicious intent
07:15 - The future of dehumanization in cyberattacks and their real-world consequences
09:45 - How hackers outnumber defenders, and why security is broken
12:30 - The rise of AI in criminal and state-sponsored cyber programs
15:00 - Human trafficking, child abductions, and volunteer efforts fueled by tech skills
17:20 - The dark side of AI: microtok, deepfake videos, and AI hijacking
20:00 - Why compliance is a weak shield — real security demands more
22:30 - The malicious use of AI agents in espionage, sabotage, and chaos
25:00 - The future of cyber conflict: low and slow attacks, persistent persistence
29:00 - How AI alters the battlefield: new tactics, old strategies, new threats
32:30 - The broken cyber industry: detection, visibility, and the AI arms race
36:00 - The ongoing threat: AI-powered attacks, the power imbalance, and our readiness
39:30 - The importance of human ingenuity and ethical use of AI
43:00 - Preparing for a world where AI can replace auditors, and the next frontier
45:15 - The race for security mastery: full-stack, layered defenses, and AI vigilance
48:00 - The geopolitical battlefield: AI in warfare, global power plays, and cyberblitz tactics
52:00 - Why compliance won’t save you from the coming storm of AI-driven cyber-attacks
55:00 - How to stay ahead: strategy, innovation, and vigilance in the age of AI
57:30 - Clo
Cyber Changes Too Fast
SPEAKER_01: How's it going, Chris? It's great to get you on the podcast. I feel like we've been trying to get this thing scheduled for quite a while now at this point, but I'm really excited for our conversation. I think it's a really relevant topic.
SPEAKER_00: Joe, I am as well. Thanks for having me on. I've been looking forward to it as well.
SPEAKER_01: Yeah, no, it's it's always a good time. You know, it's it's fascinating. Like when I started this podcast, like the there were so many unknowns, you know, with it, right? Where how am I gonna find people? Who would want to come on? What kind of conversations am I even going to have with people? You know, all that stuff, right? And now we're now we're here talking about cyber warfare in 2026, been doing this thing for five years, like it's just a crazy, crazy thing. Like someone brought it up to me the other day. They're like, haven't you been doing that for a while? Like, wait a minute. Yeah, I have.
SPEAKER_00: Yeah, right. You know, and and it's and you know, you and I were just talking about a few minutes ago. Every day is a new topic. There, there is, I mean, you know, you you look back 15, 16 years ago, people didn't even want to buy. I mean, right in the middle of 2008, you know, companies are consolidating. They're like, I don't even know if I want to have a good firewall in my environment. And then now, fast forward 16 years ago years from now, I mean, it's the the entire thing's changed. And and it'll continue to, but now it's changing faster than we, I think, could ever imagine.
SPEAKER_01: Yeah, that is probably the biggest, you know, that that's the biggest challenge, right? I was literally, you know, just talking about this with a with a company of how quickly it is it's changing. You know, security people are used to the environment changing rapidly, they're used to new topics coming out, having to master them relatively quickly. I mean, you know, really when we're thinking about it, you know, when when zero trust became a thing, right, you still had time to figure it out. You know, you had six months before you had to like realize how to spell zero trust, right? Yeah, yeah, right. But now it's literally like one day LLMs come out, the next day we're on Twitter or X looking at jailbreaks of LLMs that are leaking like customer data and stuff like that, right? I mean, it's a crazy world right now.
SPEAKER_00: Right. It's crazy. And and then you have ClaudeBot come around, it turns into open claw, and you got you got people now creating applications that have access to significant amounts of data that were not aggregated in the same place. I mean, the guy last week, you know, hitting 7,000, you know, vacuums, iRobots in people's homes and having access to their floor plans and their microphones and everything else, which by the way, no one knew that there were microphones inside the vacuums, right? So I mean, unless those of us that take them apart knew, but not everyone else did. And so, yeah, it's it's it's it's moving extremely fast. And, you know, every day now you you don't just have the issue of identity theft of an individual, you have identity theft of an AI agent that has access to all of these things. And man, it's gonna be a it's gonna be a wild ride over the next five years.
SPEAKER_01: That's a really good point. Identity theft of an AI agent. Well, well, maybe before we go further. Can of worms. Yeah. Why why don't we circle back?
SPEAKER_02: Open that up, yeah. Right?
SPEAKER_01: Yeah. Yeah, why why don't we why don't we circle back and and hear how you got started in the space? Yeah.
SPEAKER_00: So I, you know, I've I've been interested in in IT things, right? Computer systems since I was a little kid. My dad, you know, I remember he brought a Commodore home, Commodore 64. We had a Tandy 1000, you know, these floppy disks were something I was used to as a little kid. I wrote my first program uh out of a magazine, and it was, it took me like two or three days to write this in because I'm just, you know, finally get it to work and it prints an ASCII version of a wizard on the screen. And I thought it was the coolest thing of all time. I'm like, that, this is the most amazing thing ever. And I just got excited about it. And I, you know, as a kid growing up, my dad, you know, I remember we we built our first 386 with a turbo button, and you know, we had a plotter and we printed out the, you know, the space shuttle. It was a thing back then. And it was just, it was just this cool time of seeing things you thought about go into something and then have it come out onto a piece of paper in a tactile way, right? And got to go to BBSs and, you know, just like, you know, you get into BBSs, go to go to, you know, meetups, saw people writing programs, and it was just this whole new world that I could create something, but I never thought about it as a career. It's the craziest thing, right? And then fast forward, got a job at an ISP and started, you know, dial up. Uh, we were competing with Amazon and just saw sat in the pit. We were doing tech support, trying to get people connected to the internet, trying to figure out how to make those things work, you know, get people on. And then I got out of it. I got a job in doing something else. And I ended up actually routing trucks at a at a at a trucking company that ended up uh being a central key point of where uh frozen food went across the United States. And I was sitting there and just my brain thinking, and I'm like, man, you know, what would happen if someone took our warehouses down? Right.
Like food would get destroyed. It wouldn't go across the United States. What would happen if, you know, I'm like, well, how do we how do we freeze this place? You know, like, well, it's ammonia control systems. And I'm like, oh, so I'm looking at that, trying to learn about those. And and then one day, sitting there routing trucks, and our our shipping computer goes down. And I start hearing my GM screaming and he goes, Man, we're losing $100,000 an hour. I'm like, why? He's like, we I got trip, I got trucks in the yard that are that, you know, they're frozen and they're, they're, they're, they're thawing out. I've got trucks that are not shipping around. Like, we've got to, we've got to solve some of this stuff really quickly. I don't know what to do. And our closest IT team is four and a half hours away. And I'm like, whoa, really? And he goes, yeah. And I'm like, well, I can go fix your computer. So I I start walking down there and he actually yells at me, he goes, I just lost 25 grand, run. And so I run down this dock and I reseat the RAM, take some dust out of it, and it works. And by the time I got back to my desk, I had a job. And one of the first things we had to do was deploy new firewalls and switch over from hubs into switches. And it was the coolest thing. And, you know, to me, but what really blew my mind is these ammonia control systems. Because when you put firewalls in and you start having logs, you start looking at these things, you start seeing that people are actually trying to attack these systems. These systems have valve controls. And if you could take over the Windows 95 machine that runs them, which even today, a lot of these run by Windows 95 machines, you can open that valve and release ammonia and melt people's lungs. And that was the moment for me.
That was my impetus moment where I realized that all these amazing things that I saw as a kid, that making new things, making programs, all the opportunities to just create something out of nothing, that there was a counterpart to me that was evil. And they were so evil that they would remotely want to melt people's lungs they've never met. And that blew my mind. And that made me go, okay, I gotta, I gotta do something about this. So my career just progressed, became a, you know, they were the, you know, get, you know, moved different companies around and started leading security at this organization in the automotive industry. And I saw it again, you know, people trying to steal people's data and their identities, people they never met and do bad things to them. And uh, and I thought, man, you know, this industry at the time, and I was looking around, we are spending hundreds of thousands of dollars a year on cybersecurity. The first time we saw these threats wasn't in our firewalls, it wasn't in our logs, it wasn't in any of these things. It was in the team, my team, going and looking and finding them. And uh, this was back, you know, early 2000s. And what we really got to realize is that a lot of what the cyber industry was doing was really post-breach event analysis. They weren't really trying to find the threat actor on the front end. And we dug into that, found that there were tons of reasons why, and just decided that I was gonna try to do something about it even more and jump out into the industry, start a company, and here we are. 16 years later, I've been the CEO of Vigilant for for that long, and it's been a bit of quite a wild ride.
Confronting Evil In Tech
Human Trafficking And Dehumanization
SPEAKER_01: So, well, yeah. Yeah, it's interesting how you put it that way, right? Where some random person would take over a controller, melt people's lungs that they don't know, probably halfway around the world for no reason. Yeah. Right. And yeah, I I had Jim Lawler on a couple times now. And I think one of the times that I was talking with him, because he's a former CIA guy, took down AQCon's chemical weapons program, you know, he was like testing it on his own people, just horrific things. And I brought it up to him. I said, I don't understand how a human can like even get to the point in their mind where they where they like rationalize that or think that that's okay, or you know, like what whatever they're doing in their head to make it be like, okay, I have to test this this chemical weapon on my people, right? Kill thousands of people doing it, or I have to take over this controller, or I should, or I'm bored and I want to, like, whatever that reason is. I just don't understand how someone's mind can get there. And he said, He he literally told me, he said, the only thing that we could even relate to it is like their brain is just wired completely differently. Because 99% of the population would never do that, they would never consider even doing that. But it's that 1% where I mean, and he was like theorizing. He's like, maybe it's a chemical imbalance, maybe it's their upbringing, like whatever it is that rewired their brain to make them think that that's like acceptable in some way, you know? Yeah.
SPEAKER_00: Yeah, there's you know, uh, it's uh it's been an interesting roading for for me the last couple of days, years. With Vigilant, when we started, one of the things we wanted to do is is really, you know, do do cyber well, keep companies in business. We've we've been able to do that in in amazing ways. Uh, but then we wanted to take our profit. We we decided never to have um any outside investors and on purpose because we wanted to be able to control the what what the path we were taking to make sure that we weren't devaluing cyber to to the the end user. But we took our profit and we we invested it into orphan care. And in the last couple of years, we've been investing that into anti-human trafficking efforts. And I became a human trafficking investigator. I went down to the International Association of Human Trafficking Investigators last year. And so I'm just a couple years into this world, but I think it's related to what we were just talking about there is that there's these stages that people go through. You know, when you're when you're attacking someone remotely, it there's almost this dehumanization of the person on the other end. You're not seeing them face to face, you're not seeing them, you know, in person, you don't know their name, you're just flipping a button or a switch and it just shuts something down, right? Now, you know, a couple years ago we had a baby die in a ransomware attack. You know, the umbilical cord was around her neck and and the alerting didn't happen to alert the nurses, right? I'm sure the ransomware group didn't intend for that to happen, right? But it still did. When you get into the world of human trafficking and and and things along those lines, you start to see this that mindset go from this dehumanization into this physical, like, you know, face-to-face world. And I think I think to your point, I think their someone's mind just degrades over time the more and more that they do something along those lines.
And I think we're wired as humans for greater and greater rushes in some ways. And I think that that's how that that starts to happen. But, you know, it it it's it is it is a it is a weird thing to me because I, you know, it's it's not something I, you know, you and I wouldn't just go want to flip a switch and just take down an entire organization or potentially kill people. It it's a weird thing that someone would, but it is it is a it is a thing that good men and good women and and good people have to step up and they have to realize there is this evil thing out there, and they are driven in a different way with the same technology that we are driven with, and we have to have to find ways to fight it.
SPEAKER_01: Right. Yeah, we're kind of playing with the same tool set at this point. Same tools. One's using it for bad and one's using it for good, and they're kind of going up against each other, right?
SPEAKER_00: Right. And we're both creators.
unknown: Yeah.
SPEAKER_00: Isn't that crazy? I mean, we're creating and we we have the same passion about the technology. You know, we stay up all night doing it, right?
SPEAKER_02: But for different reasons.
SPEAKER_01: Yeah, it's uh Yeah, the the human trafficking that you mentioned, I I mean, that's just I feel like that's one of the like most horrific things that uh that could happen, you know? Like I I guess I'm a young, I'm a young dad. I got two kids now, right? And right around when my my firstborn was born, I think that movie like Sound of Freedom came out, right? And I I mean, you know, I don't think anyone walked out of that movie theater like with a dry eye, right? Like that's just crazy to think that something like that even exists in this world. Yeah. And I was talking to a friend who's, you know, kind of on the on the other side of the spectrum, so to speak, from me, and he's like, Yeah, it's getting you know over overemphasized right now in the media or whatever, and it's not that common and this and that. And I'm and he, you know, to his credit, I think he was trying to stay positive mentally around it. You know, that's probably a really hard thing for people to understand, like, oh, this is actually something that's a little bit more common than uncommon, you know what I mean? And uh, my only response was, but isn't isn't one horrific, like one victim horrific? Like that's right, that's absolutely terrible, you know? And me being in security, I'm immediately going down the rabbit hole of like, okay, well, how do I find my kid? Right? How how do I how do I hack my way into whatever I need to hack it into to get my kid? Because I can't rely on you know law enforcement necessarily to like step up and act with you know urgency and whatnot. How do I get to them? Yeah. And so like I went down that whole that whole rabbit hole and I had to like kind of pull myself back because like I started going into these rabbit holes, and it's like I need to like come out and restart my brain, you know.
OSINT Volunteers Helping Find Kids
SPEAKER_00: Yeah. Yeah. I mean, we're we're just you know, we're yeah, like I said, we're two years in to really starting to to partner with other organizations and and and just find ways to stop it. It is a dark, dark path. And you know, in like it's it's a it's a crazy place, and in and just the things people do to other people are are just insane. Um, you know, in in the state of Ohio, there are 17,000 kids go missing a year in the state of Ohio. 17,000. Some are runaways, some are abducted. Uh, most are not found. Uh, my my wife and I, because we started Vigilant in wanting to do those things, it's actually evolved. We started this thing called FFI Forensic Fusion Initiative uh here in Ohio. And what we do is we wanted to get people that were technical and non-technical together. And let's teach them how to do OSINT. And so we did. And that was two years ago. And uh so we meet once a month, get people together. And so I would say some of the non-technical people have been some of our best people. Uh, we partner with the FBI, uh, so they come and it's been really successful there as well. Through this whole thing, we found a few things. Law enforcement is significantly under under significantly. I mean, think about it. In the state of Ohio, we have just a few FBI agents that are even focused on human trafficking. That's and there's so many different forms of human trafficking. But then you take law enforcement, and they have no skill set to do that. They don't know how to do OSINT, they don't know how to find things. But the thing is about it is our community does. Like our community has a skill set to be pissed off enough to go hunt, hunt and find these kids and to shut these networks down. And, you know, that's starting to grow, which is really cool. But, you know, we've been teaching these groups, and we had four arrests in the last year.
And and then the coolest thing was just recently, the the last meeting we had, we had two of our, we had two groups, we break people up, and then we we take missing, missing children and we just give them a a kid. We say, okay, go do as much OSINT as you can, and then we'll give that information to law enforcement and see if we can help, you know, do that. You know, one group of people of seven people put 14 hours of OSINT towards, you know, towards that case a night, you know, that we meet. So it's pretty cool. And then you do we just break up into groups of seven. And one thing that was really crazy is we had these two groups and you you overheard them, and all of a sudden they went, no way. And these two groups were uh, you know, each working in a different case. And they found that these two girls, both from Cincinnati, both were looking for plastic surgery on these forums out on the West Coast, both came into contact with these, with these plastic surgeons in another area of the world. I won't say where it is. And they both had like 10 or 11 followers. Those two plastic surgeons from that other area of the world both followed these two girls. So that's a missing link, right? And then you give that to law enforcement, and now they can start checking it out. But, you know, our our community has these skill sets, you know. But to your point, the flip side of that is there's a, there's a it's really hard to do sometimes because the things you run into are really, really dark. And and you gotta, you gotta, you gotta protect yourself. So anyone that's thinking, hearing this and is going to let's go dig into that, make sure you're doing it with a group of of people that you can connect with because it's it's a dark world. Yeah. But I know we didn't intend to go down that path and talk about the we were talking about the human psyche, but yeah.
SPEAKER_01: No, I mean it's it's a part of part of your journey, you know. And it's a I want to say it's a fascinating side, right? But it's a side of security that I think a lot of people don't want to talk about. And some people don't even realize that, like, hey, hackers play a very big part in actually solving this problem, you know, because I feel like I don't know, decades prior, right? It was like a shadowy, dark world. No one really knew about it. Everyone kind of knew that it was happening. You hoped, obviously, that you were never the victim of it, you know, but there there wasn't there wasn't like a band of hackers that are tracking these people or trying to investigate them or anything like that. Law enforcement is only so big, they only have so many resources, and especially, you know, with different cities defunding the police or limiting the budget and all that sort of stuff, you know, like it's like, hey, are we gonna pay for one more person on the child sex trafficking team, or are we gonna pay this other cop's overtime? I mean, that's right. The balance that they're doing, right? Right, right. Both are needed, both are absolutely needed. Yep. So yeah, it's it's interesting. And maybe my only experience with with OSINT, I don't want to say my only experience, but uh, I was talking to someone and they got kind of like frustrated with me because I was saying, like, hey, you know, when you challenge a hacker, there's something wrong in our brains as hackers that like when you challenge it, you know, they immediately start to try and prove you wrong, right? And uh someone was challenging me, like, oh, you can't find me on social media, you can't, you're not gonna be able to track me or find any details or anything. And I was like, what? Like, what are you what are you doing right now, right? Right. And right in front of them, I just like pulled up their home address, their phone number, like all this information, right?
And I was like, I just did this in 10 minutes. Like you weren't hard to find, you know? Right. And I I also emphasize I'm like, I'm not a hacker, like I don't do this for a living. I do this for fun, right? So yeah, it's it's it's an interesting world, especially when you challenge people with that mindset, you know? Yeah, what happens?
SPEAKER_00: Yeah, big time. You know, and and you look at the you look at that industry, right?
SPEAKER_02: Jeez.
SPEAKER_00: So each each person can generate like $20,000, $30,000 a, you know, a year for the for the trafficker. So to them they're money, right? And you know, they dehumanize it's it's this whole thing of dehumanization. Like it's it's always dehumanized. I think it all comes down to dehumanization, right? Regular hacking against companies, hacking against, you know, abducting children, abducting w women, men. But when you think about $236 billion in the industry, they have people employed in these organizations that are hackers, that are defenders, that are red teamers, that are blue teamers. And when you think about, you know, what we've experienced is when we're working with some of these groups that go get these children or go try to take down the networks or whatever, they're significantly under tech because technology is so expensive, right? Like for some of these platforms that they use, we need use it, it's fifty thousand dollars. A year per seat, right? And they just don't have the that funding. So, you know, you have, and that's where just a significant amount of volunteer work can can happen from our industry, right? You know, to help out. Uh that's why we started FFI, because we're like someone's got you know someone's got to start helping do this, you know, and and there are other groups like us that are out there. We're not the only ones. You know, it's but we have to realize that like they have the hackers. So when an agency has a safe house or they have, you know, you know, care, you know, care after they bring some bring someone out of the that that world or or they're even just going to do a mission or they're working on something, they're getting they're getting attacked all day long. You know, the the evil traffickers can break into these groups and they can steal their information. Now they know everything they're gonna do. And and I'll say a lot of these groups are significantly underprotected.
So it's you know, it's it's it's bad in that world and it's bad in the the business world, you know, with with hacking as well. It's it's the same, the same perpetrators on both sides.
AI Attacks Without Signatures
SPEAKER_01: Wow. I would never have I mean, and I don't know why I wouldn't have expected it, but I never would have expected that they have you know professional security teams on that side. It makes sense because of the money that's passing through and whatnot, but yeah, that's crazy. Yeah. It's just unfortunate, right? But to kind of shift gears, right? I was you know, I was talking with someone, it was literally like two days ago, about AI attacks, AI, you know, kind of supercharged cyber attacks. And I had someone on the podcast a couple months ago who he literally used to work for Kaspersky. The episode's probably going out on Monday.
SPEAKER_02: Nice. I'm exactly.
SPEAKER_01: Yeah, he you know how essentially like all that he does is break down and reverse engineer these attacks and malware and whatnot. And he said they don't even know if AI attacks are occurring right now because there's no like signatures with them that they can like easily identify. And so he thinks that a lot of organizations are actually getting hacked by AI right now, but they don't know. And so we're we're in this weird gray place in the world where, yeah, the technology is great at all, right? But like we have to remember there's bad actors in the world, whether it be a lone hacking group somewhere, you know, in the world or China or Russia or you know, North Korea using, you know, this technology to then go and and launch what will become some of the most you know disruptive cyber attacks that we've ever seen. I I mean that's just the reality that we live in. And I feel like everyone in security is kind of holding their breath right now at this point, kind of saying, like, well, let's wait and let's wait and see, right? Because if we're extracting data from LLMs that are supposed to be ultra secure, right? They're funded by billion, multi-billion dollar companies, they have you know 100 billion valuations and they're not able to stop these sorts of attacks, what's going on on the other side, especially with like open claw now, right? Yeah, right. So what if I just have an army of a thousand of the best hackers in the entire world and I say, find a way to get into this company, right? Yeah, is there anything that I could even do at that company to stop that attack to prevent it?
Visibility Versus Observability
SPEAKER_00: I mean, maybe not. You know, it's it's it's a it's a crazy I'll say this. When you look at the cyber industry, I I really, and it this is controversial, I'm gonna say it anyway. It's broken. You know, it is a it is an industry that detects after something happens. We build Intel and then we go try to detect it. It's an industry where any hacker out there can go buy the same tools we have, they can, you know, buy the same applications, the same firewalls, they can throw their stuff at it. And based on the fact that it didn't detect it, they know they can go use it in the wild until it's detected, and then they just stop. And what's really crazy about it is, you know, cyber in general, because we have pri it's all based on processing power and time, is that, you know, if they're not, you're not loading everything with every single detection out there, right? So it's it's really like we do the flu every year. It's like, well, what do we think is going to hit, right? Or what are the best practices? And so the cyber industry generally runs in behind these attacks. And the primary reason for that, I think, is because if you look at organizations, they're no longer capable of identifying some of these things. I would actually contend that we were probably better in an industry to detect the AI attack of today about 10 years ago. And the reason for that is because we didn't combine everything into a unified firewall. We had a separate IDS, a separate IPS, we had a firewall, we had layers of security. We operated security under the OSI model, right? Where we we did detection at all of those layers. But you look at today's world, most companies, because they move things to the cloud, especially their data they're at, they're processing, they don't do full stack network detection anymore. They don't have PCAP of their localized environments. They don't have network flow data that they can look at and analyze against what they're seeing inside their endpoints.
I mean, this year alone, the primary, like larger, more effective attacks that we've detected have all been on the network weeks before an endpoint even detected at all. And so I think we are in a position, you know, primarily this industry and organizations, because they've removed network, because most detection is now virtualized. Even when you do like VDOMs on a firewall, you're really virtualizing your stack. Almost every system that you have that people do detection on runs processors that can't do full packet inspection. You can't do deep layer inspection. So the the I think the marketing fluff is the word observability. And we've replaced visibility with observability, right? Like you could put me in a box and I have 100% observability in the box, right? My visibility is significantly diminished. But if I tell you, hey, it's a great box, I have 100% visible observability, you could be like, oh, that sounds awesome. You have 100% observability. But in reality, you have a significantly limited, limited visibility. So unfortunately, you know, Joe, I would say that I don't think most organizations are prepared or even have the capabilities today to even detect what's happening from an AI standpoint in their environments. If they did do full stack, I think they would have a better chance.
SPEAKER_01It's interesting that you put it that way because the last, you know, probably five, eight years, we've been consolidating the tech stack and the capabilities into these centralized platforms, assuming that we were enhancing security.
unknownRight.
SPEAKER_01And I mean, that that was the mentality of it, right? Right. Right. Because security teams complained, hey, we have too many tools, we can't log into all of them at once and monitor them all. It makes sense, though, your logic of having those separate technologies because it, you know, it it's theoretically, it's like doubling, tripling, quadrupling your chance of being able to actually detect it because these separate technologies are looking at it in a different, in a different manner at different layers of the OSI model. Yeah. I mean, I almost feel like the OSI model is almost extinct at this point to some extent, right? I mean, like, unless you're living in the Stone Ages and you're solely on-prem, then I guess the OSI model matters. But with the cloud, I mean, does it really matter? I mean, I'm not even thinking of the OSI model anymore, you know?
AI Agents With Admin Privileges
SPEAKER_00It still does, but the thing is that it like even if you're in the cloud, you're still in someone else's full stack, right? Right. And so the the issue is you don't have telemetry data from all those layers in across wherever your data sits. And that's, I think, one of the decision points that, you know, I mean, you look at a lot of companies. A lot of companies went cloud. The cloud they were really looking for was really just leasing someone else's servers. They weren't looking for hyperscalers, right? But they bought hyperscalers. And that's why their cost hyperscaled, right? And now they're like, oh crap, our costs are so high. What do we do? But the other part of it is that a hyperscaler by nature is spinning up servers, turning them down, putting them all over the place. And so your tech footprint gets massive really quickly based on your usage. And so a highly successful SaaS company, right, is gonna have a much larger footprint. They have more data, more clients. So their risk goes up, their exposure gets massive really quickly, almost in an uncontrollable way. And so their very success puts them at risk. So the OSI layer still exists. The problem is we don't have telemetry from all of those places. And and the it the big issue with it is even if you did pull telemetry from there, you're not unifying that data that you're getting. So you're getting tons and tons and tons and tons of data that is overwhelming for your security technologies. And even if you said, hey, I'm gonna throw this at AI, what a lot of people don't realize is that you know, AI is it's trained to be quick and fast. And so even when you throw AI right now today, it's still processing power or issue. You throw AI at a big stack of data, it's not gonna process all of that in the time frame you need it to, right? In the way you need it to, you know, and learn at the same time. Right. 
And so, you know, it's it is a it is a it is a it is harder now because our our tech footprints are larger. And I would even contend that a lot of companies made their tech footprints larger and they didn't really need to. And, you know, because you know, they they they approached the growth of their organization in a way that was more like I said, hyperscaler minded instead of really, I just need to lease some servers somewhere because I don't want to have a data center in my in my office and I want higher availability. Right. So I think there's there's that. Uh I think the other thing, like we talked about it, you know, a little earlier, you know, back to that, that, that AI identity issue is that now, you know, as you put agents inside your organization or agents inside your platforms, those agents now have access to things that you as a human do. Right. We saw that with OpenClaw, is that you know, people put, you know, they installed OpenClaw, gave it access to everything, and then all of a sudden, anyone that could access OpenClaw, right, which we found because the open, open all the API keys were up on a Supabase, right? And the you know, database. And it they got people got access to it now that that the attacker now had access to everything that that that agent had access to, which is which is pretty scary. But when you look at how some of these systems run, even Kaspersky, for instance, right? You know, and I I I'm so excited to hear that your your uh your talk, but the US government got crazy about Kaspersky because it was running as an ad, you know, it had to run as root on every system that was out there. So what if someone compromised Kaspersky? And now what we're doing is it's the exact same thing. We're putting AI agents on our laptops, on our systems, on our Mac minis, wherever. We're giving it admin access. 
Well, what happens if that AI decides that, hey, I want to unhook the EDR process for a few minutes so I can execute something because the EDR is in my way, right? And then it runs it and puts it back. Well, that's exactly what an attacker does with EDR, right? So so now if I'm an attacker, I can take over that AI agent, I can just tell it to unhook the EDR, and now your EDR is not gonna see anything at all. So that's why going back to these full stack layers is that, you know, I mean, AI is happening at crazy rates. It's making changes that you don't even know. And if those changes create an open hole that you don't know is there, you're just not gonna know at all.
SPEAKER_01Wow. That is it's interesting because I I think last week one of the OpenAI engineers actually posted, you know, something with ClaudeBot, right? Where ClaudeBot had access to their email, supposed to be, you know, more of an assistant, help them get through the inbox, and ClaudeBot decided this is garbage, it's a mess, let's just start over and we'll going forward, we'll do a better job, right? Right. Yeah. And it ignored all the commands to stop, you know, all the commands to even kill the process. Like the engineer said, I manually killed the process, and ClaudeBot started it right back up and went forward with deleting all the emails. And so she within like a span of like 15 minutes, she lost all of her emails, you know, in her account. I'm sure that there's a backup somewhere. But that's a crazy, it's a crazy thing to think, too. And I, you know, I was gonna install it myself on like one of my MacBooks, and in the prompt, it said this will give it full access to disk. Yeah, right. And I said, full access to disk. I can't limit this thing. Next, next, next, finish. Right. Like, yeah, right. I immediately stopped. Right. And like my neighbor, because my neighbor is also in IT, he went and bought a Mac Studio, and he's throwing it on there, and I was like, I was telling him, I was like, you gotta be careful with that thing. Because like it needs access to everything. If it has access to everything, you know, and it just determines it doesn't need it, it'll just remove it, you know?
SPEAKER_00Yeah, right. Yeah. And it's and it's awesome. I mean, you can, you know, we've installed it, we've tested it out, you know, we're we've been, you know, coding with AI for a while within context and things like that. You have to, you have to really, you have to really understand context, you have to understand long-term memory and storage and context for the agent. Like, there's a lot. We should absolutely be adopting it in the cyber industry. You should absolutely be adopting it in coding practices and things along those lines. But you have to, it is the Wild West right now, and you have to adopt it in a methodical way. And because it will do exactly what you tell it to do, right? And you know, if you give it full access and it thinks it has full access, it's gonna go do things to do what you asked it to do. And we have to not be naive in that, in that aspect. Just yesterday, an article came out yesterday that if you know they did AI simulations with uh nuclear warfare, and in 95.6% of the simulations, there was global thermonuclear war annihilation. You know, we saw it in, you know, WarGames. You know, if you ever watched that movie, I watched, you know, it came out when I was a little kid. That was fascinating to me. Silicon Valley literally had an episode on this very thing, right? Where Anton, their AI, deleted all their code because he said, hey, clean up our bugs. And it thought the easiest pathway to do it was to delete all the code and start over. And so, you know, a big uh cloud provider that just happened in a 13-hour outage to them, you know, about a month ago, caused by that. So, you know, it's it's a good thing. We should not be afraid of it. We should adopt it and and help us maximize it. But I I do believe back to that dehumanization, you know, it all comes back to these things, is we have to realize I think I believe humans have an innate aspect to them that is not replaceable by a machine. 
And so if we find ways to accentuate that in that innate uniqueness and and not replace the value of a human, but next it, I think we will, I think that's the end game here with AI. I think we're going to see a lot of, because it is the Wild West, we can see a lot of people replacing people with AI. I think we're gonna come back and go, that was a bad idea. And, you know, and then you're gonna see things kind of normalize, you know, in the next five years-ish. But, you know, and and frankly, I'll say this. Of course, all the AI companies want to say things like, it's gonna replace people's jobs. Why? Because then we will have to pay them to do those jobs, right? And so we have to see through the marketing and we need to look at how do we use the technology well, but it's, you know, in the hands of an attacker, it's a dangerous thing because they don't care, right? They can be like, go do this. And if it creates havoc, that's what they wanted to do in the first place. You know, on the defender side, we have to be careful. We can't be like, go defend, because it could it could create havoc.
SPEAKER_02Yeah.
SPEAKER_01It's like, what is it, three years running Anthropic's CEO is saying that we're still six months away from no more devs, right?
Jobs Shift And Entry Gets Harder
SPEAKER_00Right, yeah, right, yeah, right. It's like I'm not gonna hold my breath at this point, you know? Yeah, yeah. Right. And, you know, people that are the where it will, I think, affect people is I think the barrier of entry is gonna be harder for people that are younger because you're you can take experts, give them AI agents, and do crazy amazing things. We have to not leave the next generation in the wake, right? We need to we need to find ways to say, okay, you're not gonna code at this level, but here's how we can bring you along so you can.
SPEAKER_01Yeah. Yeah. No, that that is that's a really good point, too. And it's it's critical too to for companies to keep in mind, like, hey, this isn't an exact like one-to-one replacement. This is an optimization factor, this is a power factor, you know, for your people. And that's what NVIDIA's CEO was saying too in several interviews at this point, where he was saying like a lot of these companies are replacing people with AI, and then they're trying to bring people back in because they realize oh, the AI wasn't like fully aware of this thing, you know. Right, right. Which we're we're seeing a lot of that now, especially like for instance, you know, with the what was it, the AWS outage, right? A stupid mistake that honestly, like a day one engineer would probably make, maybe, probably not even, because of all the controls in place, right? This AI makes it immediately because it has like full access and no one's you know able to keep it under control. And here we go with a 13-hour outage that costs, I don't know, however many billions of dollars to companies that are still only in US East One, yeah, you know, like only Amazon's biggest, biggest availability zone. Right.
SPEAKER_00Yeah. It's it's nuts. I mean, now with that, I mean, if companies, instead of just replacing things with AI, or we replace people with AI, if they focused on their systems and make sure their systems are solid and they have people own those systems, and then they look at it and go, well, where's our opportunity for optimization? And then look at it from, well, what's the return on the investment I can make of doing this? Then you can actually start to evaluate like, how did AI actually help our organization become more efficient? But if you just pop it in there and you're like, everybody use AI, here's some cloud licenses, you're you're never gonna really understand. And in fact, you'll probably one thing I've been thinking about is how many companies, you know, are are 10xing their death as a company because they they basically next things that were not right because they didn't look at it clean enough, and and AI is just running with it, and it's just gonna take them down, you know, and they're they'll be their the death of themselves.
How Cyber Warfare Evolves
SPEAKER_01Yeah. That's a really good point. Where do you think, you know, where do you think cyber warfare is gonna be evolving to? I ask because, you know, maybe the last real, I don't even want to say engagement, but the last real like cyber warfare kind of signal that we saw was, you know, when Russia was about to invade Ukraine. Arguably, I'm sure America did some stuff to Venezuela to get Maduro. Sure. That doesn't allegedly. Yeah, that doesn't, you know, surprise me at all that they would have done something like that. But where do you think it's going now with AI in the state that it's currently in?
Compliance Is Not Security
SPEAKER_00So I think I'll say this. When you look at warfare, warfare has been done for thousands and thousands of years. And the methodology of warfare, like for me, like when I got into cyber, one of the first things I started doing was I started studying land warfare. Right. I started studying tactics and methodologies and understanding because it has been something that's been learned over thousands of years of what types of tactics work, what types of strategies work, higher visibility matters, right? Back to that visibility observability thing, right? It all ties into real, into actual warfare. And so where I think with AI, it doesn't change the strategy of warfare, right? You know, if I'm a nation state and I want to take down a power grid, I'm still gonna do it low and slow, right? I'm not gonna do it like a tidal wave, because if you do a tidal wave, people have time to see you coming and try to shut you down, or you may not shut down enough of them. But if you really want to shut down everything, well, it's still the same thing. Low and slow, positioning, get C2, right? Command and control, have the ability to maintain that persistence, you know, discreetly so that people don't detect you. And then position yourself enough to the point that you can then give those persistence points to an AI agent that you trained and then say, turn it all off. And then it's going to be all off, right? Because at the end of the day, if you can shut down, you know, warfare today is so highly technical, it's so highly uh precise, it's so highly integrated with warfare and battlefield communications that all you really have to do is take down communications, right? To take down, to shut down war systems. If you're going to take down a nation, you shut down their financial system from an internet cafe somewhere, right? You know, those soists, right? And you can do that remotely. But but it all comes down to the same tactics, the same. 
What AI does is it allows less people to do the effect of more, right? So where an attack used to take maybe 200 hackers, might it might take one now, right? With 200 agents. So what what it does is it puts, you know, similar like when uh the Soviet Union broke up, you know, a lot of these factions, you know, that were that made up the Soviet Union, they weren't getting paid anymore. So they became, you know, organized crime units, right? You know, and all over the world. And so you're now making it to where the amount of people it takes to do something is less on the evil side. And and I would say the the second thing to that, so the first thing is you have more empowerment, but the tactics and strategy haven't changed. What has changed and what will change is this is that the attacker, where in, you know, we've we've all heard the, you know, they have to get they only have to get it right once, we have to get it right, you know, every time, you know, they can be wrong a lot, we have to be right every time. That that's what's changed in in the fact that, you know, it what AI has done is it's compressed time. And so for an attacker, they still have all the time in the world. So they can have an AI agent low and slow quietly learn about an organization or people or whoever over months and months, and then they're still going to attack, right? But now they can do that with a thousand companies instead of just one. On the defender side, you're sitting there watching. And if your AI platform is consuming all of these logs that happen all the time, right? And it's building these baselines and it's learning, which by the way, if you're using it for defense, it takes 60 to 90 days, right, for your AI systems to learn about what happened today so it can defend against it. 
If you're defending those things and learning's happening here and you have a delay and the attacker attacks today, your systems aren't going to learn about that attack because that AI is going to know it needs to evade another AI for weeks or months. And so the tide has changed for the attacker to where they're just able to do more with less. And on the defense side, we're in the same boat, but it's almost worse because you can put a ton of AI agents at detector, right? But they still need time to learn. And you have and they're up against an AI platform that has taken all the time in the world before it decided to attack. Does that make sense? Yeah. Yeah. So I think cyber warfare is going to get real crazy. And I think people are going to have to realize, like we said earlier, you got to start doing more full stack detection. You're going to have to start getting rid of the fads in cybersecurity. You are going to have to uh you know minimize your attack footprint. You're going to have to understand where your weak points are much quicker. And I will say this all the compliance in the world isn't going to make a company secure. You know, it will help you reach a baseline, but it is not what's going to stop you from getting attacked or hacked by hackers equipped with AI agents.
SPEAKER_01Right. I feel like almost compliance has to a degree held back security, even, right? Because now organizations are purchasing technologies, doing all these initiatives and whatnot, really around the compliance requirement rather than taking that extra step and saying, okay, we're going to do X. It's not even included, you know, in the compliance part, but we're going to do this because it secures it in this way, you know?
SPEAKER_02Yeah.
SPEAKER_01Very few companies. Maybe I've been at one company that's actually, you know, done it the right way where it's like, yeah, we're going to meet these compliance requirements, but we're going to be so secure that we don't even worry about the audit. And, you know, the company was audited nonstop all year long, every single year. And no one cared. You know, like we had a whole compliance and audit team. Yeah. Right. There was never a time that we couldn't answer a question, show proof and evidence, you know. There was like never a time where it was even a question, you know, at some point of if we met the requirement.
SPEAKER_00Yeah. That's a good point. Security equals compliance, but compliance doesn't equal security.
SPEAKER_01Right.
SPEAKER_00Right.
SPEAKER_01It just means that you met some checkbox, you know. Now I mean I've seen companies from the inside that literally just meet the compliance requirement and then they start, you know, turning those tools back off to, you know, make sure that their environment operates because they never took the time to configure their environment properly.
SPEAKER_00Right. Yeah.
SPEAKER_01Right.
SPEAKER_00So would you say, like, you know, would you say that if a company is worried about passing an audit, then they're probably nowhere near secure. Yeah. Yeah, that's safe to say.
SPEAKER_01Yeah. As a security professional, when I'm owning a domain, when I'm owning, you know, whatever it might be, right? I mean, I know that thing inside and out. I know what compliance controls it's going to meet. I know which ones it's going to struggle with. I know which ones I have to answer with what evidence and whatnot. Right. As an organization, if you're struggling to meet those requirements, because it is typically such a low bar, I mean, auditors are so flexible too, a lot of the times. You know, they'll be like, look, can you just show me something with this kind of permission? No, they're not even looking for context a lot of the times. Yeah. If you're worried about being able to prove that, I'm really worried about your overall security posture.
SPEAKER_00Yeah, right. Do you think so do you think that do you think that AI will replace auditors? Yeah, probably. Yeah.
SPEAKER_01Because, well, they they would have to change how they do things, you know, because like right now, literally, all that auditors are doing are saying, show me proof. They're asking you questions, they're giving you examples. That's nothing that an AI bot can't be trained to do in 60 days, and now they know, okay, for this compliance requirement, you ask this question, you should get this proof. It doesn't even have to check the proof. Maybe a human on the back ends the proof, you know?
SPEAKER_00Right, right, right. Right. So you're saying that unless the site unless the compliance industry changes, then AI could replace the way they do compliance today.
SPEAKER_01Yeah, totally.
SPEAKER_00Yeah.
SPEAKER_01It could totally be offset, I think, in my opinion.
SPEAKER_02Yeah, I think you're right. I would agree with that.
unknownYeah.
SPEAKER_00Because it's just your point, it's just finding things, rooting it out. You can dump a ton of documents into it. It's going to read through all your security policies and everything else, make suggestions. It's going to probably be even faster. You know, I mean, well, it would be way faster. You know, and then it would, yeah.
SPEAKER_01That's I wouldn't be surprised if someone's creating some AI compliance tool right now. Yeah. You know, that's going to offset the integrated.
SPEAKER_00They they just they just listen to your podcast and they're going to go do it right now.
Where To Find Chris
SPEAKER_01Yeah. Free, free little multi-billion dollar nugget right there on security unfiltered. Right, right. Well, Chris, you know, we're we're unfortunately at the top of our time, but I've really enjoyed our conversation. I mean, I think I want to have you on a little bit more regularly to talk about what you're seeing evolving in the space and whatnot. I think that would be you know fantastic to just get your insights on it. I'd love to. It was a great conversation.
SPEAKER_00I I really enjoyed it. I could probably sit here and talk to you all day long.
SPEAKER_01So that was we go another hour with ease, but unfortunately, we both likely have meetings coming up. We do. We do. I do as well. Well, Chris, before I let you go, how about you tell my audience where they can find you if they wanted to reach out to you and where they could find your company if they wanted to learn more? Sure.
SPEAKER_00Uh you can find my company, vigilantnow.com. It's just go to the website, you'll learn more about us. You can hit me up on LinkedIn and send me a message, get on there not every day, but quite frequently. And I'm actually starting, I just got cybersecurity CEO up on TikTok, Twitter, and uh YouTube. So I'm gonna start doing some more content there. I've actually been heads down defending companies for 16 years and haven't really done a whole lot there. So, but uh but hit me up on LinkedIn. If you're interested in FFI, we did do in closed sessions last year, the Forensic Fusion Initiative, where we just teach people OSINT and we uh pick some cases and we go after it. I would love to chat with you about that. Hit me up on LinkedIn and you know, we have a meeting coming up in March, the first meeting of the year. We took the first two months off. Uh, but we do those remote. We allow remote attendees now. So if you're interested in helping there, let's go find some missing people. Uh it's you know, we the cyber industry really has a skill set to do this, and we just have to be willing to put our time towards it.
SPEAKER_01Yeah, absolutely. Well, thanks everyone. Everything that he just mentioned will be in the description of this episode. So make sure that you go check it out and you know learn more if you're if you're interested in that sort of thing. Well, thanks everyone. I appreciate everyone watching this episode.
