Joe Lonsdale: American Optimist

Ep 141: AI Hackers Are Here; Cybersecurity Legend Kevin Mandia Is Building the Answer

39 min
Feb 4, 2026
Summary

Kevin Mandia, legendary cybersecurity expert and founder of Mandiant, discusses the emerging threat of AI-powered cyber attacks and the urgent need to develop AI-based defensive systems. He emphasizes that autonomous AI agents will soon outpace human hackers, requiring organizations to adopt continuous red-teaming and autonomous defense mechanisms to prepare for the inevitable shift in cyber warfare.

Insights
  • AI agents are already surprising experts with their ability to write and refine exploit code autonomously, marking a fundamental shift from human-led to AI-led cyber offense
  • The asymmetry of cyber defense is worsening: one offensive actor can create work for millions on defense, and AI will amplify this imbalance in the near term before autonomous defenses mature
  • Organizations cannot achieve perfect security against nation-state adversaries; the realistic goal is continuous testing and rapid response to minimize breach impact
  • AI productivity gains for security engineers are 100x+ greater than traditional development, enabling faster iteration and deployment of defensive capabilities
  • Red-teaming and penetration testing will shift from periodic human-led exercises to continuous, AI-driven assessments across all critical systems
Trends
  • AI-powered autonomous agents becoming primary attack vector for cybercrime and espionage by 2026
  • Shift from antivirus/prevention-based security to incident response and rapid containment as primary defense strategy
  • Nation-states and criminal organizations racing to deploy AI agents before defensive capabilities mature
  • Critical infrastructure becoming primary target for AI-driven attacks due to kinetic consequences
  • Regulatory and compliance frameworks lagging behind actual threat landscape; binary security testing replacing compliance dashboards
  • Talent scaling through AI native development replacing traditional hiring of elite cybersecurity experts
  • Autonomous defense systems trained on offensive AI capabilities emerging as necessary counterbalance
  • Social engineering and spear-phishing becoming fully automated through AI voice synthesis and contextual email generation
  • Microsecond-level response times becoming requirement as AI agents operate at machine speed vs. human speed
  • Geopolitical safe harbors (Russia, North Korea, China) enabling consequence-free cybercrime and espionage operations
Topics
  • AI-Powered Cyber Attacks and Autonomous Agents
  • Incident Response and Breach Investigation
  • Critical Infrastructure Protection
  • Red Teaming and Penetration Testing
  • Nation-State Cyber Espionage
  • Ransomware and Cybercrime Economics
  • Autonomous Defense Systems
  • AI Model Safety and Gating Mechanisms
  • Cybersecurity Talent Scaling
  • SolarWinds Supply Chain Attack
  • Social Engineering and Spear Phishing
  • Endpoint Detection and Response
  • Threat Intelligence and Attribution
  • Regulatory Compliance vs. Actual Security
  • Geopolitical Cyber Warfare Doctrine
Companies
Google
Acquired Mandiant and FireEye; Mandia worked there post-acquisition before returning to cybersecurity
Mandiant
Cybersecurity incident response firm founded by Mandia in 2004; became leading breach investigation company
FireEye
Cybersecurity company where Mandia served as CEO; compromised by SVR in SolarWinds attack in 2020
SolarWinds
Software company whose products were backdoored by Russian SVR, compromising 18,000+ organizations
CrowdStrike
Endpoint security company founded by George Kurtz; built the endpoint detection product Mandia envisioned
Microsoft
Major technology company working to impose risks on cybercriminals and improve security infrastructure
Amazon
Cloud provider (AWS) enabling security capabilities and working to combat cybercrime
PayPal
Early case study where Mandia investigated Russian hackers Ivanov and Gorchkov stealing credit cards
Verizon
Early incident response company that pioneered breach investigation alongside Mandiant
Cybertrust
Early incident response company competing in breach investigation space in 1990s-2000s
People
Kevin Mandia
Cybersecurity legend, founder of Mandiant, former CEO of FireEye, now building AI-powered defense systems
Joe Lonsdale
Host of American Optimist podcast; interviewer discussing AI threats and cybersecurity with Mandia
George Kurtz
Founder of CrowdStrike; built endpoint detection product that realized Mandia's original Mandiant vision
Cliff Stoll
Early cybersecurity pioneer who tracked the Hanover hackers in 1988
Alexei Ivanov
Russian hacker prosecuted for extorting U.S. companies and stealing credit cards via PayPal
Vasily Gorchkov
Russian hacker prosecuted alongside Ivanov for cybercrime and extortion operations
Quotes
"During our podcast, over a thousand Americans are going to get duped, scammed, and lose money in the cyber domain."
Kevin Mandia, Opening
"When a nation state targets a company, guess who wins? The nation does, not the company."
Kevin Mandia, Mid-episode
"One of my big fears for 2026 is that these things are getting so much better that a lot of corporations and governments aren't ready for it and aren't ready for what's coming."
Kevin Mandia, Mid-episode
"The good guys have to weaponize it because they can train the defense on it. If the good guys have the best weapon in the cyber domain, that means the good guys will have the best defense."
Kevin Mandia, Closing segment
"It's not 10x productivity with an AI native developer working on software. We've had over 100 commits in a day building our software. It's more than 100x productivity."
Kevin Mandia, Late episode
Full Transcript
During our podcast, over a thousand Americans are going to get duped, scammed, and lose money in the cyber domain. Every few days, our experts are startled at what AI agents can do. People call you all the time. It's very often a billion-dollar problem. If you've been hacked and you know it, you hire Mandiant to come in to figure out what happened. You sold your company to Google. What made you want to get back in the arena with AI? With AI coming, you can automate human thought. You're going to have swarms of agents that can communicate and think and instantiate normal and learn and have total recall. One of my big fears for 2026 is that these things are getting so much better that a lot of corporations and governments aren't ready for it. The beast is going to come out of the cage. Kevin Mandia is a cyber warrior that every Fortune 500 CEO has on speed dial. He was the founder and CEO of Mandiant. Everyone knows the name who works in the cyber world. If there's a break-in, if there's an attack, if there's bad guys coming to get you from North Korea or China or Russia or some other place, Kevin's the guy you call if it's a really serious situation. He sold his last company to Google. Today, he's working with the very top AI talent in the world. We're in a very interesting area where these AI agents, it turns out, are even better hackers than anything we've seen before. In order to save our companies and save our governments, we're going to need to build the ultimate weapons with this AI. Let's hear from Kevin about it. Welcome to American Optimist. Really excited to have my friend Kevin Mandia with us today. Kevin, thanks for being here. Hey, it's great to be here. I'm going to be an optimist today. I love it. Kevin, you're a legend in the cyber world. You were founder and CEO of Mandiant. You're running Armadin now. I want to go back and talk about your history, how you got your start in the cybersecurity world. You were in the Air Force originally, right? I was.
I mean, I wanted to be a legend in beer pong or a legend in football, but hey, cybersecurity came my way. So you do what you got to do. But I started my career in 1993 in the Air Force. You know, I got stationed at the Pentagon. And at that time, we called cybersecurity, computer security. And all I can tell you, Joe, is, you know, I was first in line as a second lieutenant butter bar at the Pentagon to see an O-6 to get my assignment, or as it felt at that time at the age of 21, 22, you know, your sentencing. What am I going to be doing for the next few years? And I'm a sucker for there's only one left. He gave me six job offers. Like you can do this, you can do that. You know, you could be a job programming language guy. You can be, you know, I was a comp sci guy and he gave me all these options, but he said, there's one slot left to do computer security. And I remember thinking, one slot left, I better take that one, and you know, because it's the commodity. Uh, but if it's your job you get good at. So I can tell you, the fastest way I can tell my history is I started doing computer security in 1993, and that was about the year we started putting eyes on our network in the military. Who's doing what on the military? We started monitoring. We all first started getting online, right? I think, I think I got AOL in 1993. This is the very beginning. Wait, what was that called? Yeah. Well, yeah, hey, growing up in, you know, the DC area, we know a lot about AOL. But, uh, I lived with the whole thing. You know, the first couple intrusions happened in 88 with the Hanover hackers and Cliff Stoll and those sort of things. You have the Morris worm. Actually, I think Cliff Stoll was 84, Morris worm was 88, guy at Cornell, you know, writing a worm that had a finger daemon buffer overflow and kind of spread them across Unix machines. By 93, I'm sitting at the Pentagon looking at log files, TS log file, secret log files, figuring out who's doing what. And by 1995, I'm responding to my first ever computer intrusions as
an Air Force special agent in the Air Force Office of Special Investigations. Who was doing the intrusions in 1995? Is this random kids or was this China? Like what? You know, you love to think, hey, it's just kids, right? You know, it's hey, or the infamous, it's the guy in the hoodie in the basement. It was not. It was definitely China and the SVR out of Russia. I think by 1995 until now, I would say on a daily basis, either I or someone I work with has been responding to an intrusion from a Chinese actor looking for the government. So we've had a, I guess that's 31 year run now of daily combat in the cyber domain. It's a contested domain and all modern nations have a doctrine on how to operate in cyber. So I can tell you it was for me, the SVR was first, China was a rapid second. And the first time I responded to Chinese government hacking was 1996. Did you ever meet any of these guys from China or Russia? Not that I'm aware of. I may have bumped into them at a mall. But what's interesting about this, and it'll sound weird, you do get a mutual respect. As you're responding to the breaches and you see the art of espionage, the art of intrusion, you recognize talent when you see it. And I do believe, you know, Russia had the crown early 1990s, early 2000s. The best intrusions I saw was Russian operators on our networks. Later in my career, especially around 2019, 2020, China, you know, really rapidly graduated to great capabilities and great surreptitious ways to access networks. At PayPal, when I was there as a kid, I think the Russians were a bigger threat. There were some Chinese stuff, but the Russian networks were like stealing the most money back then. You know, I responded to and worked on a case, Alexei Ivanov and Vasily Gorchkov are two Russian hackers hacking and extorting U.S. companies. But they had whole scams to buy and sell stuff with stolen credit cards on PayPal. Oh, yeah, that was massive. Yeah, you got it.
I mean, the whole thing, you look at their machines, there's no Microsoft Word on it. There's no email on it. But there sure as heck is a bunch of scripts to fraudulently buy and sell things. But that was back in 2000, 2001. Tell us one of your favorite early war stories from the 90s or 2000s. Like when did this really start to get more dynamic and complex for you? Well, I can tell you in 1996, when I responded to intrusions, I remember one of the first intrusions I responded to was China. You know, back then it was there was almost nobody responding to intrusions. It was kind of like a so what? Like, who cares? These guys are breaking into military systems. What are they doing? Flag officers aren't really using email. There's not much there. The reality is there was stuff there. I think one of the first major cases that I responded to, I went, okay, now I get it, was that the Russians broke in and they were exporting display. In other words, they were running our weapons modeling and simulation software from Russia and seeing how it worked. Wow. You know, and so then you went, okay, I see how. And we didn't export supercomputers back then, Joe. I don't think we do today. You know, like the Cray C90s and the Origin 2000s. So if you wanted access to those, you had to hack in and access them. And so you had to hack the mad scientists working at, you know, NASA and other places to get access to those things. And they were very open systems. So I would tell you the first couple of years that I responded to breaches, not a lot of people responding to them. You had to answer the question, what happened? And that was read the freaking manual. I remember showing up and one of the things the Air Force did really well by 1996, if there was an intrusion on base, you know, the one star cared, the base commander cared, and you had to brief that person inconveniently often, inconveniently early in the morning.
So I remember, you know, four or five in the morning back then we did, you know, PowerPoint was Freelance, making slides early, but everything evolved by, you know, I could answer this question over 20 minutes. The reality is by 1998, the criminal element is online and making money. These guys are making enough money to spread. It's spread. Oh, absolutely. People are going online unarmed and unprepared. You know, Windows NT was getting popular and you could start a website and accept credit card numbers and sell anything. That brings the criminal element. So I've always believed you're always going to have a certain amount of crime. You're always going to have a certain amount of espionage. And both of those, the cyber domain is perfect for both operators in those two domains. You know, wherever command and control goes, you're going to have the warfighter go. That's in the cyber domain. Wherever you have information go, you're going to have spies go. That's in the cyber domain. And wherever money goes, crime follows. That's in the cyber domain. So before we started, we were just chatting, and, and you had to turn your phone off because people call you all the time. Like, and sometimes when they're calling, it's very often a billion dollar problem. Like it's the Fortune 100, they call you. How did they get to that point? Like you started this company, Mandiant, like what happened? So I'm in the Air Force from 1993 to 1998. When I get out of the Air Force in 1998, one of the things I did is I trained a lot of FBI agents, starting in 1998, as a contractor. Uh, the FBI is a critical component to imposing risks or repercussions to folks who compromise networks. And that's why for multiple decades, Joe, you are not hacking from the United States. If you were, you got caught, there were penalties. You could not really act anonymously effectively in the US. We could pierce anonymity and do well. So I'm training FBI on how to compromise networks and then how to investigate those compromises.
Kind of like back when they did bank robbers, they kind of, if you can investigate bank robbers, you're probably pretty good at robbing them if you could figure it out. It makes sense. So we were doing that for a while. And then right around 2004, the reason I started Mandiant, self-funded company profitable since day one, is we had a premise security breaches were inevitable. What we had seen was, and unfortunately the first generation of cybersecurity was antivirus. And I literally believed that antivirus was so easy to circumvent. We could teach FBI agents in the classroom who were not malware developers how to circumvent antivirus in under three minutes. Compress and encrypt malware, and you got past antivirus. So I remember thinking if you believed antivirus was protecting your systems, it was like believing in the Easter Bunny. You know, I mean, it's just doesn't, it's not gonna work. So I sitting here on the front line seeing that. So the premise Mandiant had in 2004 was it is critical to own that front line. See what adversaries are doing in the cyber domain, which I had seen since 1993. So I realized I was lucky enough to be in the military where I had a front row view of, hey, China and Russia are really doing this. It wasn't making the press. There wasn't really severe impact or to breaches back then. The business impact start in the late 90s, you know.
And so with that background, I felt, let's respond to every security breach that matters. And believe it or not, Mandiant was actually an endpoint company. I just executed so poorly on that dream, nobody knows it, you know. But we were building an endpoint to detect what Symantec and McAfee missed. And I fundamentally, I'll leave you with this, I think Symantec, McAfee had flawed models. No offense to those companies, I respect them both. But the flaw was this. They were like, if our antivirus misses something and you find it, you submit it to us and our databases will get better. Well, nobody catches it. It's already too late. The average human sitting in their home is not going to find malware. So what we were is, we're going to respond to every breach that matters, find, and we already knew how to circumvent all the endpoint safeguards, and we'd build a better endpoint that it would detect, you know, with that front row seat to what adversaries were doing, we would detect what everybody misses. And since that time, uh, George Kurtz and CrowdStrike kind of went on to build what I had hoped to build. So that's, you know, George and you are allies in your new chapters. Totally. Yeah. The, and then Google ended up buying, buy me, I guess it emerged a FireEye, Google bought it ultimately. And like, what happened? Well, yeah, you just fast forwarded from 2004, and I started Mandiant, let's respond to every breach that matters. The reason we were successful is nobody believed in the premise cyber security breaches are inevitable. Yeah. Everybody believed that, hey, you're wrong, we're going to stop this stuff, it's not going to happen. And then just said they needed you to fix it, what that happened. Yeah, we'd answer two questions: what happened and what to do about it. And that's important, meaning we'd have to remediate it as well. We couldn't just say, hey Joe, you got 10 darts sticking in your back. And you know, we got to kind of pull them out, make sure they can't get in again. You got it. Absolutely. And retest networks and make
sure it doesn't happen again. The unfortunate reality in the cyber domain for a lot of companies, it's, it's hard to know or appreciate the threat till something bad happens, and then you go, okay, now I get it. And a lot of companies accidentally underestimate the threat. I mean, I lived through a breach in 2020, Joe, and I'll never forget one of the startling moments of my career. When I was CEO of FireEye, we were compromised by the SVR. There was a backdoor put in SolarWinds software, over 18,000 companies downloaded the Trojan version of SolarWinds and we were one of them. And when we detected that, I'll never forget calling customers and telling them, hey, listen, we've had an intrusion, you know, and here's what we're doing about it. And I remember one of our customers in the financial services literally said, how did you let this happen? And I almost lost it. I said, let this happen. We didn't let this happen. Where have you been for 20 years? When a nation state targets a company, guess who wins? The nation does, not the company. Where have you been? And this was a security professional. Here's the reality in cyber right now. You cannot expect great blue chip companies that constantly every day pitch a perfect game on defense against nations that are targeting them. It's just an unfair fight. So I've lived through that. But going back to Mandiant, we own the front lines of incident response, it's called. What happened and what to do about it. And that became a valuable thing to kind of own. We became the seal of approval. If you've been hacked and you know it, you hire Mandiant to come in to figure out what happened. And when you go public and tell your shareholders and tell the world, here's what happened and here's how it won't happen to you if you do the following. We really kind of furthered that discipline along. It sounds like you have a really interesting job where you don't even know what a day is going to hold. Tell us about an interesting day at work.
Well, I've had a lot of interesting days. Here's the good news. Being a public company CEO has its downsides. You do your quarterly reporting, you talk to a bunch of shareholders. And I've always liked in that moment too, if the Miami Dolphins lost, I never got to call Dan Marino and yell about it, right? But you do get to call the CEOs and yell at them. And let's just say I didn't always have great quarters. Did our best though, believe it or not. But I can tell you what was the best thing about my job is that anytime, Joe, I can get involved in any case, my phone would ring and I'd get things like, we think North Korea did this intrusion. And I'd be talking to my guys going, you've got to be kidding me. There's no way they did it. No, I think they did. You got to come see this. It's like Sherlock Holmes. I can tell you one where a government agency hadn't seen the SVR on a network in years. They were so good. The rules of engagement were if we showed up to investigate the SVR, it's like they knew we were there and they never let us observe their trade craft. They just didn't do it. In August of 2015, one of my teams calls up and they'd always heard me say, I've tapped the SVR a bunch of times and they just evaporate. They're ghosts. And they're like, they're not ghosts on this one. And their whole doctrine changed. I remember I literally flew in. I was like, I don't know what's on my calendar today, but I'm getting the hell out of here. I'm flying to DC. I'm going to show up. I'm going to see what my team's doing. We saw, it was no doubt in my mind. I was looking, that's the SVR operating. They know we're seeing what they're doing and they didn't care. Those moments to me, the rules of baseball changed. You know, I had 20 years of responding to SVR. They never hacked and then released data. They suddenly did that in August, 2015. They always hacked for security reasons. And all of a sudden we're responding to them hacking universities. 
I'm like, oh, they increased scope. And then they always did, in my opinion, admirable counter forensics. You're like, where are they? They're gone. They would always go away. It was almost like a gentleman's agreement: it caught us, we're out for a month, we'll be back in a month. But then they came relentlessly every day. Those sort of things have happened. And I'll leave you with this. I've had CEOs call, some of the best calls I've ever had. I don't even know how to get my number. I'll answer my phone, I'll be driving on the highway or walking my dog, both of those have happened, where like a Fortune 100 CEO goes, we're getting ransomed. They don't even say their name. They're like, we hear you're the guy to call, we're getting ransomed, and a couple expletives, we're not paying. You know what I mean? And you just go, I get it. By the way, that's important to know. You just go, okay, they're not going to pay. That's where they're at. They're aggressively taking a stance. But that derails your whole day, because then they go, can you get people here? And you're like, oh yeah, I think. And you usually have to rob Peter to pay Paul in those instances. But I've had many days where you get a call and the problem being presented to you becomes your 100 problem. I personalize it. So when I get a call from a CEO, I'm being ransomed and damn it, I'm not paying, all of a sudden my internal dialogue is like, damn it, we're not paying. You know what I mean? So it's a fun job in that it's kind of like you get to be GI Joe. You, you got, somebody's got to show up and help these people. You know what I mean? Nobody deserves to be hacked. Nobody deserves to be shut down. Nobody deserves to have their email posted online and read by the press. I mean, it's ridiculous. Uh, we've got thousands of cyber security professionals that have answered the call, and, uh, that's the good thing. So everyone in the business knows your name because of that. Like all the top guys are calling you. How do you keep up with that when there's hundreds of people
calling you, a different break that's going on? Yeah. Um, so one of the things that I've always had is the, I don't know, it's empathy, sympathy, or all of it. I feel the same violation a victim does, literally, when they get breached. Nobody deserves it. I don't care. It's kind of like you don't deserve to be robbed because you had a few drinks at a bar and you walked out and you're a little bit susceptible to it. I've not responded to breaches where people were negligent. You know, some of the biggest breaches where you have someone beaten up, how could they let this happen? Like the story I just told you, almost every CEO I've met and every CISO I've met is trying to prevent the inevitable breach. They're hiring good people. They're buying technology. We're getting better at it. And, you know, so every time I get a call, it's kind of like it's good versus bad. I mean, it's good versus evil. It's like there are people with no risk or repercussions during our podcast. Probably over a thousand Americans are going to get duped, scammed and lose money in the cyber domain from folks that are untouchable to our law enforcement. Why are they untouchable? They're in Russia. You know, they're in other nations where they have a safe harbor. You know, North Koreans are hacking for profit. Literally government agents in North Korea in uniform are hacking to steal Bitcoin. You've got, and we are the tackling dummy in cyberspace, you know, our consumers and our folks and our organizations. And it's frustrating. People take advantage of the immunity. The fact that they can be 10,000 miles away, have scripts running and make money off of it. So there are a whole, probably thousands of people that make their living off cybercrime. Have you ever got any of those guys arrested? I think the FBI pursues them as much as possible. I think companies like Google and Microsoft and others and Amazon, everybody wants to impose risks or repercussions.
We could always do better because that's why nations were formed, right, Joe? Protect citizens from bad guys. Yeah, I'd want to reach out and get the bad guys. You got it. And I think you got to do that, but it's hard to pull the levers. I remember when North Korea hacks into a company, I always scratch my head and go, what lever is there diplomatically? I don't know. And what lever is there for Russia right now? And I don't know if there are any, but you got to make it. Here's what I can tell you the win is for the United States. Anyone who hacks in the democratized West should not get away with it. That you have to impose risks or repercussions to those folks. The best deterrent for all cybercrime, I don't think you can deter espionage. That's a field goal. It's through the goalpost. Nations will spy. But when you look at the criminal element and ransomware and things like that, nobody wants to tolerate that. We have to have a structure in place where nobody gets away with it if they in a nation in the West. Sounds like something good to work on. I want to ask you a little bit about talent as well. So we obsessed in Silicon Valley with talent and the very, very best are the ones that build the top companies. And one thing you used to talk about is that I guess there may be like 150 people in the world who like really knew all this stuff really well in cyber. And you, I guess you have like 40 of them at Mandiant. Like tell me about that. Well, whenever I said it must've been a long time ago, right? Because things have changed. Early on when I started the company, there's very few people responding to security breaches. I knew them all. You had a small group at Verizon doing it at a company that was once called Cybertrust. You had a few other small groups doing it out of Chicago. And we knew each other. You could call them up, hey, what are you responding to? What are you seeing? But it's ballooned since then.
So whenever I said that decades ago, now there's thousands and thousands of good folks. But here's what I can tell you. When you're responding to breaches, you're at the high end of the food chain. You have to know Windows. You have to know Unix. You have to know routers. You have to know infrastructure. If you don't know it, you better read the freaking manuals and figure it out because the stakes are high. We don't do security to be compliant. We do security to protect ways of life. We do security to protect our businesses and let them operate. So I've responded to breaches, Joe, where people have asked, will the company be solvent after the breach? And that crap shouldn't happen, you know? So looking at talent, security, you got to get it right. And what I've learned over time is if you're doing brain surgery, you want a brain surgeon. You don't want to throw a bunch of other people at 50 to a hundred people that don't get brain surgery. You're not going to work. Aren't going to make good brain surgeons. That being said, you want to scale the talent. And I've kind of lived through that. And when we talk more about AI, I talk about a way to scale talent. It's emerging tech because we had to scale it the old fashioned way.
We would respond to breaches and figure out the fingerprints and trace evidence of every breach we responded to. That led to us having a threat intelligence unit. That threat intelligence business became hundreds of millions of dollars for us, but it was really a sidecar to, we just needed to scale. You know, we needed to show up and go, who are we up against? And look at the fingerprints and go, ah, it's this group. And we could bucketize the trace evidence and just track people faster, you know. But with emerging tech and the shift change into AI, my God, you'll be able to scale expertise. Well, let's talk about, let's talk about that, because you, you sold, you sold your company to Google, and, and, and, you know, all of a sudden all these new possibilities have emerged the last few years. So, so like, obviously there's new threats. What made you want to get back in the arena with AI? Well, I can tell you, for all the founders out there, I didn't sell my company. And see, if you build a great company and you're public, first off, your public company, you are for sale every day, and your price is published out front, and like, like your house is for sale, the for sale sign, you know, it is what it is. But if you build a great brand and you're the best in the world at something, things like getting bought by Google can happen. Um, you know, so that did happen. But you, you look at post Google, and I enjoyed my experience there, but when you're a founder and a public company CEO and you get bought, a lot of times, you know, you go in like a lion and you come out like a lamb sometimes. You're like, I'm ready to change the world, and it's hard to do that when you go to, you know, companies with a lot of incumbents and a lot of great talent. Um, you know, so there's always, there's another chapter usually, you know, so I'm, you know, getting into that next chapter. What's made it interesting to go in again? Because I think obviously you made a lot of money. You've done really well. Like are there new threats with AI?
Are there new possibilities? Joe, it is impossible to sit on the sidelines when you see the AI shift change coming. Are you kidding? Like, oh, I could be, no offense, I could be an investor. You know, maybe that's what you do all the time. But for me, I was sitting there going, in security, I haven't actualized my dreams yet. We still have victim companies and you can see the future crystal clear right now in cyber. You're going to have AI agents on offense automating incredibly talented humans. You know, like literally that brain surgeon analogy, AI agents will be that. And you're going to have swarms of agents that can communicate and think and instantiate normal and learn and have total recall and operate at a scale and scope where, as we go from human-led offensive operations in cyberspace for crime and espionage to AI-led, agent-led espionage and cybercrime, that shift change is real and we've got to create systems that prepare us for it. It sounds like even just a few months ago, everything changed where the agents got good enough to work together to hack better than people. Is that right? I think here's where I can tell you, having, you know, we're working on this, is we've got experts and we've got AI native programmers in the room together. What I can say is we're, almost every few days, our experts are startled at what AI agents can do, you know, writing their own Python code and refining it when they find a remote code execution capabilities or vulnerabilities.
The amazing thing about AI shift change, it reminds me almost like when we all went to cloud, uh, you know, and we started using AWS or something, where instead of calling an IT guy and waiting 15 days to get servers set up, something was cheaper, better, and faster when we went to cloud. And that's why cloud won out over, you know, doing everything on prem. When it comes to AI, I think you're going to get a whole bunch of security capability that's the same thing. It's going to be better, more consistent, and cost less. I mean, it's a win, win, win across every aspect of efficiency and cost that you look at. But if these agents are surprising even you with what they're figuring out, based on what, based on what you know. They're getting cheaper every day too, by the way. Yeah. One of my big fears for 2026, and one of the reasons I want to have this chat, is that these things are getting so much better that a lot of corporations and governments aren't ready for it and aren't ready for what's coming. Yeah, I think when, so they're not, right, but they know about it. It's, it's, I haven't met a business leader that doesn't think AI is going to change cybersecurity. They all know it. And sooner or later, the beast is going to come out of the cage on offense. And it's going to hit us in a way where we, and it already is in social engineering. Like you will have spear phishing or fake emails designed to dupe people that is context appropriate. I get these all the time. Comes from the right people. I get these all the time. They're indistinguishable in reality from emails you get. I mean, it's amazing what people can learn. You're going to start seeing social engineering automated where six seconds of Joe Lonsdale's voice is going to be used to get a help desk to do something. Yeah. You know, so you're going to have AI attacking on offense and it's asymmetric, by the way, that's the unfair fight. It is way more costly on defense than it is on offense.
One person on offense can create work for millions of people. That's the asymmetry. So you'll get a cost. I think AI will advantage the offense in the near term, but everybody knows that. And everybody's waiting to be able to, we're going to have a total shift change in cybersecurity where you'll have AI agents on offense being the cheapest way to create that autonomous, no-human-in-the-loop confidence that your defense can stop the most modern attacks. But that's years away and it's being developed now. We have to develop it. Fast forward two or three years, Joe, you're going to see an autonomous defense crafted, trained by the world's best cyber offense, the hyper attack platform. Just to put our listeners at a little bit of ease. There's all these new ways that AI is going to be able to break into everything. Right. You are, you are quietly in touch with the very state of the art with our governments and with some of our big companies. And they're coming to you for help on this. Yeah. Everybody's getting ready for it. And in reality, no modern nation, even the folks that can create this capability, China, Russia, others will leverage it. Even they don't want to, really, no one's ready for it. Well, they don't want it. They don't want it all out there. Yeah, you got it. It's, everybody's going to hold the beast in the cage for a little bit. But if like someone in Eastern Europe gets access to an open Chinese model and they iterate on this criminal element, it's not going to be. So there's, there's three. We categorize bad guys in three groups, right? There's, there's a financially motivated. There's, maybe there's anonymous vandals. And then there's a nation states. Which one are you most worried about for 2026? And there's also thresholds, too. Like if you have ideological conflict, that probably brings your offense to only 80 percent of its potential. But what if you have kinetic conflict? Does that unleash 20 percent more? Probably.
There are certain industries that you would want as a nation's leader to withstand 100% of the cyber offense. You want the grid to stay up. You want utilities to function. You want your water to still be pumping. You want schools to stay. You want lives to be normal. So you got to figure out how do you protect critical infrastructure during times of real duress in the cyber domain. The criminal element's coming no matter what. You know what I mean? And every technical advance is embraced by a criminal element to make money and to advance their tradecraft. I think the first thing I would do is figure out how do you focus on critical infrastructure and make sure its risk profile can operate through a full court swarm of AI coming. And we're still early on in this, but I think it's going to happen at incredible speeds. So you're going to have to see, and Joe, you're an innovator. We're also going to have to do massive innovation on defense. There is no question that in the future, you'll have AI agents on offense run by the good guys to train the AI on defense run by the good guys. Well, if I was a state with utilities I was in charge of, I'd want to be hiring guys like you to show me how you break into my utilities so I can fix it, right? You should never, the number one question every single CEO really asks when it comes to cybersecurity in many different forms is, are we secure? That simple. What worst case scenario? What can happen? The only way to answer that question is, in a safe and simple way, you shoot the bullets at the best to see what you can stop. You have to simulate wartime. You have to simulate, unfortunately, in the cyber domain, there's a pretty high level percolating hum of offense, even during times of peace. You got to really make sure you can withstand the attacks that are out there. And by the way, there's no other way to get unvarnished truth, Joe. If you want to know how good your security is, you just got to test it.
You can't read the manuals and go with the 38 different products are running. We're good to go. You really need to know, is our defense that's been kind of duct taped together and massaged over many years capable of withstanding a modern attack? So thinking about AI in terms of these attacks, you have different LMs, different capabilities, different rules. Right. So if you ask Claude to generate an exploit, it's really hard to get it to do it. They're very big on that. Some other models will. I've heard xAI, although I say won't do certain things, it's easier to get to do things. The Chinese ones might be even easier. Like, what's the situation here with this? I, I think, you know, models leapfrog too, right? So you want to, you want to always, I think regardless, you fast forward, the models may have gates that prevent you from doing things, but even those folks that make them probably need to remove some of the gating factors, because it's so important to make sure there will be models that can think, learn, and do incredible things that aren't gated, that are going to be used by the criminal element. We don't want to sit there and use those models to create software that tests American organizations. So we want to use our frontier models. What I can tell you right now, based on a lot of R&D in this space, the frontier models are doing an exceptional job already in helping test the security of networks.
And they're changing so fast, Joe. I'm very confident, regardless which frontier model you use, um, you're gonna find it's outpacing humans doing the work. You know, I mean, if you think about what software is, it's always been the automation of human process. With AI coming, oh my gosh, you can automate human thought now. You can literally, in many ways, automate the complex steps. So there's no more if-then-else statements in software. This stuff learns. It learns when you train it. It starts surprising us. I can tell you one of the things that we did, uh, at my company, where we trained an agent and we would just get a prompt and we type in questions, and how clearly and how appropriately you would answer them after we trained it. And so it's, it's doing more than we expected sooner. Right. Now, I know we're not, not talking too much about your company yet because you're not putting it, putting it out there too much in public, but you're obviously hiring a lot of it, right? Really top engineers doing a lot of amazing things. What's the, like, what's the need for lots of engineers if AI's doing all this stuff? How do you, how do you think about this? Yeah, that's a great question, because I ran, when I was at FireEye, we had four or five hundred engineers. I can't imagine having that many at this point. I really can't. 70, 80. I, you know, I remember you, we, we want to build the whole hyper attack platform. Everything a nation state would build on offense, we want to build. And people be like, you can't do that, you're creating weapons. We're creating them because you have to. It's what you're up against. And we have to create it to create an autonomous defense that can withstand the swarm. It's coming. That drone swarm and cyber will be coming. And the difference with that, total recall it has that humans don't have, the instantaneous communication between different agents that have different objectives, so they can coordinate at a speed humans cannot. This has to be prepped for. So you have to build it. A lot of folks have
said, oh, you can't build all that. You absolutely can. We'll prove that. And I think you can build it. And a, here's what I will tell you. I can compare and contrast yesterday's engineer from FireEye days to tomorrow, well, today's engineer and AI. It's not 10x. It's more than 100x productivity with an AI native developer working on software. We've had over 100 commits in a day building our software. We have a different demo every two to three days. I never had that before. It is, one day maybe, Joe, I'll have a metric there, but the productivity today feels to me like hundreds of times greater than even three or four years ago. That's amazing. And it's partially, you, you obviously are starting with really, really top AI talents. And I'm making up to Kevin Mandia anecdotal. It's not 10x though. It's way more than 10x productivity. How does this stuff roll out in general in our society? So let's say you're gonna, you're gonna build this. The governments are going to use it. Corporations are going to use it. Like, like what, like a CEO who's listening to this, like, like what should they be thinking about dealing? CEOs want to know, what can I withstand? How good am I at security? Am I secure? Can I, you know, the frontline headline I just read about on the breach, does that, am I prepared for that? It's all the same question. How do I withstand an attack today? And you, you know, I've been in a lot of boardrooms, and chief information security officers usually brief their CEOs with these four-dimensional pie charts that show we're green in these areas and we're red in these areas, we're yellow in these areas. And the problem with that is a CEO doesn't know how to feel. If they see green, they don't believe it. If they see red, they're ticked off. They're like, why are we red in access control? If they see yellow, they're like, what's yellow? You know, and then people change colors to not be alarmist. Here's reality. The only unvarnished truth CEOs really want to do is, can someone hack in and steal my email? Can someone hack in and
get to our critical assets or cover data and steal it? Those things should be tested every time your network changes or the threat changes. And CEOs get that, and they want to test it. But there's never been a way to do it without humans. And it's, and humans can only do one way in at a point in time. With AI coming, it's going to be, here's all the ways people can get in, all the time. And you have to fix it, because that is coming. The day where a human would break in, and if you were 10 minutes behind the human on defense you could stop the impact of a breach, is going to end. There's going to be an agent that breaks in, then another agent uploaded because it had remote code access, remote code execution, and that agent's going to work about a thousand times faster than a human. So you have to compress that window of exposure down to microseconds. That's coming. It's just coming. And so companies get that. And if you're a CEO listening to this, it's called red teaming. The, you'll wonder, am I compliant? That's table stakes. If you're in a regulated industry, you want to be compliant. That's, that's the start for cybersecurity. You want to follow standards or legislation. You want to benchmark yourself, and you'll get that three-dimensional chart on how good your controls are and how well you withstand it. But a lot of mature security programs, the CEOs get debriefed on a red team that has a real objective, like, could you shut the trains down? Could you shut the water off? Could you impact the quality of a product via an intrusion? And those things, boards get that, Joe. Like, could somebody break in, yes or no? It's very binary. If the answer is no, feel good at three to four former operators on offense couldn't break into your network in five to six days. It's pretty, I'd feel pretty damn good. That's the best you can do, by the way. I don't know what else you're supposed to do. And, um, and that does withstand third-party inspection. If something bad happens, as a CEO you can say, you know what, I tested that five days
ago, great talent, and they didn't find it. What more do you want me to do? My products that I bought didn't stop it. They couldn't find it. Um, so to me, red team the network, uh, in it, and it doesn't need to, you know, in the future will be red team everything all the time, but for now it'd be reduce scope. Here's the apps that matter most, the customers that matter most, or the people that matter most, and just see how secure that really is. And it is not just a compliance dashboard. That makes sense. We got the very best people seeing if they're breaking, I guess. You know, I want to talk a little bit about optimism for the future. There's a lot of fear of AI right now. Yeah. In public. Uh, obviously we're talking about some scary things AI could do. What's the case for the public being optimistic about AI? Like, how do you think about this? Well, you don't even have a choice. AI is coming. It's, it's enabling people to do amazing things, right? It just so happens in the cyber domain, it's the answer to both offense and defense. That's the reality. And Joe, unfortunately, the cyber domain being a contested domain like air, land, and sea, it will get weaponized in the cyber domain. There's nothing we can do about that. You know, that this is not something people need to be concerned about, because the future is obvious. The good guys do have to weaponize it, because they can train the defense on it. If the good guys have the best weapon in the cyber domain, that means the good guys will have the best defense in the cyber domain. So that's what you want to do. If you're a football team, wouldn't it be great to have Tom Brady in his prime on the other side training your defense? You get pretty damn good at defense. So that's what we have to do. It will be computers on offense at compute speed trying to break in. So get ready for it. And on defense, just have an autonomous way to respond. And it's no different than arms throughout history. You know, the anglers create the long bow, and the French go, oh crap, what's that? We got to
come up with some defense against it. You know, uh, unfortunately, technical, technological advances advance criminal element, advance, uh, militaries. Um, AI is no different in the shift change. It's just how it's used. But the answers are obvious, and we, we're going to be a part of building it. I love it. As the answer is, the good guys have to be stronger than the bad guys. Absolutely. And it really works, Joe. That's the thing. It really works. Get the good guys to develop the platform that can help us defend ourselves, period. Well, we're lucky to have good guys like you as leaders on our team. Thank you, Kevin. Thank you. Appreciate it.