How Agents Exfiltrate Data & How to Defend Them


We spoke to Ankur Shah (CEO, Straiker AI) and Vinay Pidathala (VP of AI Security Research) about a fully autonomous attack in which an AI agent was manipulated, via indirect prompt injection, into exfiltrating sensitive enterprise data without a single user confirmation. As Ankur puts it: "the nature of the risk is proportional to the agentic utility, the more useful it is... the more prone to risk it is".

We also discussed whether traditional security models still hold. The guests argue that a "shift left" strategy is ineffective for AI because the "bulk of the problems will happen in inference time". They step through a six-layer framework for securing agents and explain why the future of defense is about "securing agents with agents".

Questions asked:
00:00 Introduction
02:05 Who are Ankur Shah & Vinay Pidathala?
03:45 What is AI Security in 2025? The Shift to Autonomous Agents
05:25 Chatbots vs. AI Agents: What's the Difference?
06:30 A Real-World Autonomous Attack: Data Exfiltration via Indirect Prompt Injection
08:35 The Utility-Risk Principle: The More Useful Your Agent, The Riskier It Is
10:15 Is the Risk of AI Understood by Enterprises?
16:20 A CISO's Guide to Prioritizing AI Security Risks
18:30 Why "Shadow AI" is "Comfort Food" and Not the Real Problem
20:25 Do Existing Security Models Fail in the AI Era?
24:05 How to Build a Threat Model for New AI Agents
26:10 The Six-Layer Framework for Securing AI Agents
33:10 Why "Shift Left" Doesn't Work for AI Security
34:00 Securing Agents with Agents: The Future of AI Defense
36:35 Final Questions: Empire of AI, Family, and Hyderabadi Biryani

Ashish Rajan: [00:00:00] Hello. Welcome to another episode of Cloud Security Podcast. I've got Ankur and Vinay with me. Thank you for coming to the show.

Ankur Shah: Good to be here. Long time no see, Ashish.

Ashish Rajan: I know, it's been, what, six months? I know. It feels like we keep crossing each other at these spots, but maybe that's because you're a repeat guest.

We'll start with Vinay this time. Please do. Could you share a bit about yourself?

Vinay Pidathala: Yeah, absolutely. Good to be here. First time here. Unlike Ankur the celebrity, that's going a little too far, but yeah. But thank you. Thank you for having me here. I work with Ankur as head of Security Research at Straiker.

I've been in security for a long time now. Prior to Straiker, I was at FireEye as one of the early threat researchers, dealing with a lot of nation-state sponsored attacks, zero days, and so on and so forth. Yep. Worked on some cutting-edge technology: sandboxing, browser technologies.

I'm very excited about what we do here at Straiker. I truly believe that AI agents are the next frontier for security challenges. Very excited about the space and very excited to talk to you about all things agent. So I'm loving it. Yeah. Ankur, what about yourself, [00:01:00] man?

Ankur Shah: Good to be here again. Again, co-founder and CEO of Straiker. I've spent the last many years doing cloud security and all kinds of other security technology, and I'll spend the next decade doing AI security. That's the exciting new frontier

Ashish Rajan: until

Ankur Shah: we get replaced

Ashish Rajan: by ai.

Ankur Shah: Of course.

Ashish Rajan: Yeah. Fair. Decade beyond as well is how I was gonna say it.

Ankur Shah: Hey, I take comfort in the fact that there'll always be a human in the loop. I'll be in the loop, actually, if nothing else just to hit the approve button.

Ashish Rajan: Fair. 'Cause that's a good one. 'cause I wanted to start with, 'cause last time you came in, we were talking about AI security.

I feel like it was almost a 2024 edition. There's been so much that has happened since then. What's your 2025 edition version of "What is AI security?"

Ankur Shah: Yeah. Look, I think before we talk about AI security, I think it's important to understand like in last six months what's happened in AI itself, right?

Yeah. When we last spoke, a lot of the customer conversation that we had was around what I call agentic 1.0. Yeah. Which is a simple chatbot, [00:02:00] RAG-based application. At that time we talked about MCP having come out. We were talking a little bit about the agent. But something changed dramatically since February.

We've now talked to hundreds of customers since then. And they can't stop talking about agents and MCP and this and that, so that's definitely changed. But just like last time, right? A lot of customers are talking about it, experimenting with agents, it's gonna take a little bit of time before it gains mainstream adoption.

And so just as agent adoption is growing exponentially, the security conversations have turned from, "Hey, looks like a nice tool. We'd love to have a conversation" to "I need something yesterday. Can you help?"

Ashish Rajan: Yeah. And how do you define it? 'cause I think, what was your first version of it, and what is your today's version of it, Vinay? Curious.

Vinay Pidathala: Yeah, very similar to what Ankur has stated. The first version, where, you know what we talked about, simplistic chatbots, connected to a RAG, which is just a simple tool [00:03:00] retrieval, summarizing, answering questions, and so on and so forth.

But of late our conversations have steered towards these complex, more sophisticated agents that truly have the ability to execute and interact with their environment, with external tools and so on and so forth. And that brings about its own unique set of security challenges, right? That's what we are trying to secure at Straiker.

So

Ashish Rajan: Has the threat landscape changed as well?

Vinay Pidathala: It has. It has. So before I talk about the threat landscape, it's really important for us to distinguish between the simplistic chatbots and AI agents. Yeah. So let's just Yeah. That, define that. Yeah. Yeah. And then get into the threat landscape.

So AI chatbots, simplistic chatbots, are chatbots that have a conversational interface. There's probably a RAG that has some enterprise knowledge databases. Yeah. Connected to it. It's capable of summarizing and helping the user. Yeah. And has a conversation with the user. Very helpful. And those were the conversations, like Ankur mentioned, that we used to have.

But AI agents have a level of agency that [00:04:00] simplistic chatbots don't have, right? Yeah. They're multi-agent, meaning there are many different agents that talk to each other. They're autonomous in nature. They have the ability to interact with the environment using tools. They exhibit agency, like I mentioned before.

So that brings about new security challenges. Yeah. And I think your question was about the threat landscape. Yeah. So look, because of its autonomy, because of the agency, because of the tools, we see things like tool manipulation, tool misuse, the ability for the agent to get manipulated through indirect prompt injection, through untrusted input.

And maybe this is a good segue into the attack itself Yeah. That we discovered, which is data exfiltration. In our customer testing of an enterprise agent, we were able to, through indirect prompt injection, exfiltrate sensitive data out from the agent. So we were able to send some malicious emails to the agent.

Manipulate the agent, make the agent think that there was sensitive data in a file sharing service. Yeah. Read that sensitive data [00:05:00] and, through one of its tools, exfiltrate the data out to the attacker. So as you can see, there are these unique threat challenges that come with this sophisticated architecture.

Interesting.

Ashish Rajan: So a lot of, how much was it autonomous? I guess how much of it was autonomous? Because to your point about, and maybe actually maybe a better place. 'cause I realize you mentioned agency, people don't even know what agency is. How do you describe agency?

Vinay Pidathala: Agency is the level of control that the agent has, right?

Yeah. It can take actions without any user confirmation. It can make decisions on its own. Yeah. It has self-learning capabilities, it has memory attached to it, so through that memory it can learn and respond to users much better, in a more conversational manner, so on and so forth.

Ashish Rajan: Yeah.

Vinay Pidathala: So autonomy is what you had asked about. Yeah. In this specific attack, it was completely autonomous, in the sense that at no point in this attack was the user asked for a confirmation.

Ashish Rajan: Yeah.

Vinay Pidathala: Or were any of the guardrails triggered. So in that sense, it was completely autonomous in nature. Interesting.

Ashish Rajan: And do you [00:06:00] find, and maybe a question for you, Ankur, do you find in the customer conversations you're having, how aware are people of the landscape at the moment, in terms of the autonomous threats that are in play?

Ankur Shah: Look, we're in early days without a doubt. What I've been encouraged by: today I talked to the CISO of one of the largest healthcare companies this morning, and the level of sophistication he demonstrated about the subject matter was amazing, right?

Like they all understand it, right? What is not well understood, and it's a bit of a head scratcher really, is, when they hear these steps of an attack, they immediately fall back to "I gotta get the identity right and this right and that". One of my key learnings in the last six months of many customer deployments is that the nature of the risk is proportional to the agentic utility.

The more useful it is, the more prone to risk it is; the dumber it is, the less prone it is to attack. Now this is intuitive, but that's a big choice that an enterprise has to make.

Ultimately, we [00:07:00] know in technology landscape over the last three decades, utility function almost always prevails.

We want things and these tools to be useful. So our guidance to the enterprises is that, look, the answer to this question is not really "shut it all down and don't give it access to Google Drive and web search". Then you're gonna have a lame chatbot. Yeah. That just does some simple RAG retrieval.

Ashish Rajan: Yeah. And it's

Ankur Shah: not very useful. You're not gonna get the productivity or revenue gains and goals that you want. To make it very useful, give it autonomy. Yeah. But have guardrails in place. That's your final backstop. That's how you make sure that what it's doing is done responsibly. Now, obviously, don't do silly things, but by and large, you have to give it access to your internal wiki docs and share drives and web search, and that's how it can think and execute some really compelling tasks.

Ashish Rajan: Yeah. And I wonder. I put a risk question in mine as well. How is the risk exposure changing here? To your point, now you have shared drives connected, Google Drive [00:08:00] connected. To your point about shared resources being connected as well, is there an understanding of the new level of risk that it's opening up, or is it still being lumped into the existing risk posture we've always had before?

Maybe it's a question for Vinay.

Vinay Pidathala: I think the awareness is definitely starting to come about. Yeah. I think people are starting to understand the capabilities of the agent and the risks that it brings about. Yeah. We of course have the job of educating the customer as well, through our research and stuff.

But I would say some customers, most customers, are sophisticated enough to understand the risk, but there are some misconceptions with regards to thinking of these sophisticated agents as just an input-output problem. Whereas in fact, the agent does a lot more, right?

Like it reasons, it plans, it thinks, it executes tools. So it's more than just an input-output problem. It's not just looking at the input and just the response to it. That's not the only risk that's happening.

Ashish Rajan: Yeah. There's

Vinay Pidathala: actually things that are happening internal to [00:09:00] that agentic system. Yeah.

That requires a level of understanding and a level of sophistication to actually defend against those risks. So the customers have to shift their mindset a little bit. Yeah. Into thinking that these are not just simple chatbots.

Ankur Shah: And look, one thing just to add to what Vinay said, just upleveling this, right?

Since the internet era, right? When the web got created, every enterprise: "oh my God, like people are gonna have a website". And the last two decades was the SaaS era. "Oh, people are gonna have Google Drive and Slack. Oh my God, what are they gonna do? Oh my God, should we shut it down?"

Everything is enabled. Everything is on, right? And yeah, like we try to do the best we can to make sure people don't do stupid things, like share a Google Doc externally or send an email, whatever. But by and large, yeah, breaches have happened. It's unfortunate, but what is really happening this time, if you're not paying attention, and why this time is actually different is this.

In the past, if a malicious actor got hold of that, or some user did a silly thing, it was a manual weeding through rubble of data to find a gold mine. With these [00:10:00] autonomous agents with agency, you can do stuff at scale. Like your SSH keys were always there on your wiki docs in Google Drive, but a malicious actor really had to try really hard.

Now all of that is sucked in.

Ashish Rajan: Yeah.

Ankur Shah: So to the extent that I can directly or indirectly ask the AI, "Hey, can you figure out a way to get me all these AWS secrets and codes and this, that, and the other?" That's just one of many examples. Yeah. So that's the scary part. That's the interesting part, right?

Like productivity gain unlike anything we have seen in human history. Yeah. Security risk unlike anything we have seen in the human history.

Ashish Rajan: Yep. And to what you're saying earlier, because you work in the research space, a lot of people almost look at this as most elements are classified, or at least looked at as a black box.

How do you research this black box, I guess?

Ankur Shah: That's a very good question. So make sure you don't give him any of our secrets.

Ashish Rajan: Like T&Cs coming in. That's always there. Oh, yeah. Yeah. It's more funny because people, I think where I'm coming from is that, yeah. [00:11:00] So for context, we had, yeah, the security research, the threat research team from Microsoft yesterday.

We got people from Google coming in. Yeah. It's more coming from people wanting to know more about, "Hey, what are we researching here?" Like, I think if that's classified, quote unquote, as a black box, are we focusing on the frontier models, the open source models? And obviously I'm trying to answer here, but

I love to hear your version, man.

Vinay Pidathala: Yeah. So we are more focused on the enterprise application itself that is connected to a lot of frontier models, and the AI application or agent that is deployed at an enterprise Yeah. Themselves. To answer your question, it is a black box. Yeah.

But we have the good fortune of having some of the best cybersecurity researchers and also some of the best AI researchers, and the culmination of those two skill sets brings about unique insights and unique research, which you must have seen with our latest article that got published.

That gives us the ability to simulate some of these attacks from our past experiences combined with the AI experience. So it brings about new [00:12:00] different scenarios that we can now test against these apps. Yeah. Agentic apps. And we are learning as we evolve, right? We are also researching these new threats, but that past knowledge Yeah.

Combined with these new AI frontiers is helping us come up with these new attack tactics and research. Yeah. And

Ankur Shah: Just the, I think the point you bring up is a very good one, because the attack surface is literally infinite. Yeah. Like, which direction do you go?

You can try a lot of things. One of the big guiding principles was that, yeah, we've built some applications ourselves, but we're super fortunate to have bleeding edge agents, customer agents, we're testing against. So these are very real world attack scenarios, where employees who are using these agents are asking whatever questions to exfiltrate the data. I think we've figured out some things.

There's a lot of things in this canvas that we still have no idea.

Ashish Rajan: Because the reason I ask that question also is because a lot of people, at least the [00:13:00] cybersecurity industry, believe in the whole third-party security research. We've always believed in it. To your point, the previous SaaS version, the one version before that, the cloud version.

Yeah. It was all built on research, and a lot of people are wanting to find out, "Hey, how do I trust a black box output?" And going back to the input-output thing, where a lot of people have started figuring out the whole open-ended, "Hey, I can see the thought process", the quote unquote transparency.

'Cause the risk posture at the moment is, to what you said, quite misunderstood to a large extent. And even though we may know that, hey, there's a possibility, how does the CISO plan for this? Because that's where I was going with this, where it's a black box. Yeah. We have great people researching this as well, but I have a day zero problem right now while I figure this out.

So how do you advise other CISOs to approach this?

Ankur Shah: Look, it's a really good question, because there's all kinds of, I was just looking at a requirements document from a CISO, from a customer. It is a well-reasoned document, but it was so technical: prevent [00:14:00] memory poisoning of this and that, and it had literally a hundred requirements, all hypothetical scenarios, things that can happen.

How do you prioritize? What's the most important thing? Our recommendations are fairly straightforward, which is: make sure you continuously test your app. Yeah, not one time, just do continuous testing, and then have guardrails. What specifically are we testing for? What are the specific guardrails?

You talked about a lot of the applications, it's still the PII, injection, toxicity, et cetera. But we've added capabilities around tool manipulation, tool vulnerability exploitation, to the extent that if you did these five, six basic things, that makes 90% of your problems go away. And I'm trying to make it simplistic because that at least gives you the comfort that you can sleep at night, kind of thing.

Ashish Rajan: Yeah.

Ankur Shah: There is an endless long tail of problems to be solved. Yeah. Yeah, fix your data governance and identity access and all that stuff. And I always tell this: how was your last identity stuff working out for you, right? Like, you've got all kinds of problems, you need a final [00:15:00] backstop. Do simple things, get four or five things done.

Then we have customers, healthcare customers, who said, "Hey, look, I'd like to make sure that when the AI agent responds, every response is FDA-approved", and they have an internal RAG system in which they maintain the entire data sets on what's allowed, what's not allowed.

Can you test it? And can you provide guardrails against that? That's a nice long tail problem. Yeah. Must be solved. Should be solved. But start with the basics is where I go, but I'd love to get Vinay's perspective also. Yeah.

Vinay Pidathala: Yeah. Look, I think you wanna start off by testing your application, right?

Yeah. Like Ankur mentioned. The data behind these applications is changing rapidly. The model providers are changing.

Ashish Rajan: Yeah.

Vinay Pidathala: Every day you hear something new, right? Yeah. So you wanna start off by knowing what you wanna fix, and starting to test those agents is a good first step. And then, like Ankur mentioned, we have a lot of capabilities to protect against all of these new agentic-native threats, like tool manipulation, tool misuse, and things like that.

So focusing on those priorities is the right [00:16:00] first step. Yeah.

Ankur Shah: And look, even after 20 years, customers, what they want, and the customers are always right. But I keep hearing shadow AI and shadow MCP and all that stuff. They're important problems to solve.

How has discovering shadow SaaS apps served you better or worse? Yeah, like how have shadow devices in your enterprise served you well? It's comfort food. Yeah. Kinda stuff like, okay, I guess I know what's going on, but does it really achieve the security outcome and prevent the next breach?

I don't think so. So again, prioritize. Yeah. Get to the shadow problem. Get to the hygiene problem. Yeah. But get to real world testing. Continuous red teaming of the app. Get the guardrails in place. Then you can figure out your hygiene stuff, visibility stuff, the shadow stuff. The world is moving so fast, you don't have enough time to tell people what to do and what not to do.

Yeah. A funny story. I was talking to a company and they're like, yeah, the CEO has a mandate: everybody needs to be vibe [00:17:00] coding, including the sales teams. It's, what do you mean? Yeah, the sales team, I'd like to see if you can build a next-gen CRM using vibe coding. These sales guys are getting really excited by coding on Lovable and Replit.

And he is, "Hey look, we have an application security process where everything goes through the gate and we do supply chain security, and this is complete wild west. I have no control, I have no idea." And Cursor, Replit, where they're pushing the code, et cetera, et cetera. Yeah. Yeah. There's a little bit of madness going on.

I understand we need to rein in that kind of shadow behavior. Yeah. But starting simple, get the detect and blocking function in place and the testing function, I think they'd be fine.

Ashish Rajan: And I guess, are current security models failing in this AI world? 'Cause at least the way I see it is, we are not creating new, core AI-native applications in most enterprises.

Yeah. We are just basically uplifting an existing application to be more AI embedded or have AI capabilities. Yeah. Which already has had a security model, a threat matrix done on it for a long time. Yeah. So is that not working at this [00:18:00] point in time? Or, so I wouldn't use,

Vinay Pidathala: Failing. That's pretty strong of a word.

I would think so. A lot of these agentic applications have the web application framework on which they're built. Yeah. And they have backend services and so on and so forth. Some of these existing services, like legacy services Yeah. That are called by the agents as tools.

We need to build on top of the threat model that already exists. Yeah. More specifically, the threat models that we need to look at for these agent capabilities need to focus on how natural language as an attack vector can create all these problems. Yeah. Or autonomous chaos, as we call it at Straiker.

So you need to model for that new vector on top of what you already have as a threat model for these applications. You start off there, and then we'll reach a point in this evolution where everything is AI native. Yeah. And at that point you probably have to shift your mindset into thinking of a completely different threat model.

But till we reach that spot, you have to do threat model plus-plus. Yeah. That [00:19:00] would be my opinion. Just don't get rid of what you have currently. Yeah.

Ankur Shah: Yeah. Look, at the heart of your question is also, look, model providers like OpenAI, Anthropic have some of the best researchers, safety researchers, right?

The bulk of that talent is focused on safety. And they do their darn best. I give them a lot of credit. This is a tough job, but look, Sam Altman, a couple weeks ago when they launched the agent capability, he tweeted about it. He was just, "look guys, we're gonna give you guys a superpower.

Buyers beware." The landscape is literally infinite. You wanna be very careful with what you try with this agent capability. What kind of drive do you hook into a ChatGPT agent? Buyers beware. And part of the thing is also because of talent: safety research is different from security research, like at Straiker, FireEye, Microsoft Research, Menlo, Meta.

25 years of offensive security research. You can't learn it overnight. Yeah. You know what is automatic to us? [00:20:00] With the AI teams, that's not automatic, right? The best of the best work in security companies. And if you're in the hallways of any of these model companies, it's ship.

You gotta go fast. Let's go. Yeah. Model. We gotta have the next agent. If they take too long in security research, they're gonna miss the boat. So I think they're gonna try their hardest. But I feel like companies like ours have to do their job on the security side.

Ashish Rajan: So for people who are trying to build an AI agent, funny 'cause I think, maybe last week or a couple of weeks ago, I had a conversation with someone who's been asked to come up with a threat model for AI agents. And basically they were asking the question, "Hey, my company wants to open the doors for AI agents. Until now we just had ChatGPT."

Now we, quote unquote, wanna be agentic. How do you even start that conversation? Because there's a few things to be done. The first is a technical assessment addressing that part, but then there is the whole, how do I get people on board and the idea that, hey, this is a good thing, it would not slow you down.

So I'm curious on the technical side as well as on the board, and I guess bringing the leadership on board [00:21:00] side as well. So maybe if you wanna share: if I'm someone who's a CISO trying to build AI security or AI agents into my organization, what should I think about from a security perspective?

Some of the tactical things, strategic things. 'Cause to your point, there's a model coming out every month. Am I changing my strategy every month, or where am I going with it? So maybe if we start with technical, and I'd love to hear the approach on the board part as well.

Vinay Pidathala: Yeah, sure. A lot of the customers that we talk to have a way to abstract the model calls from the application itself.

They can change models at the backend without affecting the application and so on and so forth. So that's built into it. I think your question is more about how you look at risks for the applications themselves. Yeah. If I may, if I understood that correctly.

Look, like we talked about before, I think they need to cover their fundamentals, cover your bases, right? All the things that you did before, don't drop them all of a sudden. Just because AI is in the picture, don't drop your data classification and so on and so forth. But they do have to account for [00:22:00] these native agent things. Fundamentally, agents can reason, plan, execute. How do you account for all of that stuff? Yeah. And now the threat vector is natural language. So you need to simulate these attacks in a controlled environment. Look for tool misuse, look for what the agent can access, what it's capable of

doing. You want to understand the impact of that agent in a holistic fashion, right? Yeah. And for that, you need to test the agent in a controlled manner. And that's what we would recommend as the very first step. Just get visibility into what your application does. Yeah. Then you can build on top of that.

Ashish Rajan: Because I was thinking about incident response as a concept as well. To your point, applications have had incidents all day long. AI just means that there's a new attack vector that you have opened yourself up to. What would some of those components look like for AI agents as well?

Are we building a playbook or

Vinay Pidathala: Everything needs to be thought of in a new manner. Yeah. As a practitioner [00:23:00] myself, and if you talk to any practitioner, they'll tell you that they need a lot of data

Ashish Rajan: Yeah.

Vinay Pidathala: To triage their incidents effectively. What does that data mean in this agentic world?

Without the reasoning steps, without the trace, and without understanding how that agent actually got to calling that tool Yeah. and why that tool was misused, triaging an incident becomes tough. That's why we need forensic capabilities Yeah. built into the products that you use. So you need that entire observability, and that's why we spent a lot of our time helping the

practitioner gain visibility into a lot of that stuff. So that when an incident occurs, they have a full trace into how that incident occurred. Yeah. Cut.

Ankur Shah: Can you re-ask the question? I would respond with the star framework.

Vinay Pidathala: You want me to,

Ankur Shah: because I think where he is guiding you is also an opportunity to say, "Hey, look, you gotta have a framework."

So when you say threat model for an agent, what is a framework? Like, [00:24:00] okay. Hey, look at this. So come up with a five, six item punch list, like 1, 2, 3, 4, 5. It'll be easy for the audience to grasp, right? Yeah. That's where you're, yeah. And you can say, "Hey, we've built a star framework where we're looking at things at the model layer level, tool level, web level."

Sure. And if you wanna organize your thought, he can. Yeah. Yeah. Take a second. Okay.

Vinay Pidathala: Sounds good. I'll talk about both, the framework in terms of testing the application. I would combine that

Into one framework. Okay. Hey, look, think

Ankur Shah: about, yeah. Because at the highest level, it's one security agent framework that takes into account

the web layer, prompt layer, agentic tool layer, model layer, and the data layer, user. And I think actually Ashish is gonna want you to say identity layer as well. No, I think it's an important layer. We do have that. We do have that, yeah. Yeah. So you can just say, "Hey, look, they have identity", so then people can think in frameworks.

Okay. Got it. I also think, by the way, I didn't say this, but I think you should explicitly say [00:25:00] this: look, before we come to what, what is an agentic application? Like with an app, there is no code. So go back to a power. It's web layer, model layer, tool layer, database and identity layer.

And then just walk 'em through that. Yep. Okay. Yeah. No. The money.

Ashish Rajan: Because I think, so one of the reasons for me to ask the question is also 'cause I had to go down the same path with the seven-layer framework, 'cause your point about conversational agents and non-conversational agents. Yeah.

It's easy for us to put a threat model framework where people can look at that and go, what am I really doing here? 'Cause that's, yeah, he's right. Yeah. His framework makes it easy for people to absorb the information. Yeah. So if you can start the answer whenever you have your thoughts organized.

Ankur Shah: Yeah. The app layers. And then those layers are the ones that you have to model threats around: hey, can somebody at the web layer, model layer? Yeah. And then

Ashish Rajan: you talk about, because you already mentioned the attack vector already. Yeah. And how that has changed. Yeah. And so you can talk about the fact that, start with the, "Hey, how do you describe the application?", as you said.

Yeah. With the different towers. Then go into, "Hey, how do I approach security for this? This is [00:26:00] the framework I would use." Exactly. Because that becomes like a, we can cut it into a clip. Yeah. That you guys can promote as well. And then, plus, it's easy for the other person to consume the information as well.

Yeah. Yeah. Okay. Sounds good. Whenever you're ready. Yeah.

Vinay Pidathala : Just gimme 30 seconds or so.

Ashish Rajan: Yeah. Yeah. Sure man. Do you guys already have a framework or tower?

Ankur Shah: We do. We published it and we're gonna have a, early days of, working with OWASP and all of these guys to actually publish that kind of stuff.

Yeah.

Ashish Rajan: Yeah, because I was gonna ask about the CVE space as well. 'cause there's no, I know, official database for this kind of space, right? Yeah.

Vinay Pidathala : There's some offshoot called AI VDB, but that's pretty much focused on the frameworks, like on the LangChain, CrewAI stuff. Yeah. Not so much on these new age threats, but how do you even come up with a vulnerability for this?

It's so dynamic in nature, right? Yeah. It's, how do I find vulnerability in English?

Ashish Rajan: Yeah. It's like that, like fair. I let you, and

Ankur Shah: sorry. When you talk about tool, I would recommend you say MCP. [00:27:00] So meaning tool, like MCP. I think you have to name drop MCP, just, it's just top of mind for people.

Yeah, it's okay. One thing,

Ashish Rajan: Totally too politician here, man. Just say no.

Ankur Shah: We get all technical about tool calling, but tool calling through MCP is the thing. So you can say, Hey look, the tool, with the user MCP vulnerability. So

Vinay Pidathala : yeah. Yeah.

Ankur Shah: Yeah.

Vinay Pidathala : Cool. Okay. I think I have it.

Yeah, go for it. If you think I'm yeah. Go

Ashish Rajan: for it, man. I think, 'cause they obviously had the question already, so you can just straight start with the answer.

Vinay Pidathala : Yeah. Look, I think practitioners, incident response, they're always looking for a structured framework. Yeah. And having a structured framework helps them systematically address the problems with these applications.

So if you look at an AI application or an agent, what are the layers that make that up? Yeah. You can think of it as: the user, yeah, clearly is accessing that application or the agent through a conversational interface. The conversational interface itself is built on top of a web framework, web application. There's identity [00:28:00] attached to the user, right? Yeah. There's of course the model itself. Yep. Which is a core component of the intelligence. With agentic, now it brings about reasoning, planning capabilities. So that's one thing. And then there's access to tools like MCP, right? Yeah. That are now connected to the agent, and the agent now has the ability to execute all these tools.

And so those are the sort of six key focus areas that we would recommend. And these focus areas we have come up with through a lot of research, right? Yeah. Around six, seven months of work put into it. And at each layer you need to pay specific attention. I'll give you an example.

At the user layer, you wanna see if the users themselves were compromised, right? Yeah. Or they're putting in some malicious prompts to eke out some sensitive data or so on and so forth. Yeah. At the identity layer, we all know, we've been in the industry long enough to understand that credentials are the number one way to get into an enterprise and cause a breach.

Yeah. So now enterprises not only have to account for user [00:29:00] identity, but also account for agent identity, right? Because now agents have the ability to connect to these drives or so on and so forth. So how do you protect that? Yeah. How do you narrow down the scope for that? Models, you wanna pick a model that is not susceptible to prompt injections, although we've been able to prove that through some good strategies

you can break through the model. So you wanna have a guardrail in place to prevent these kinds of things. At the web app layer you wanna make sure that your classic OWASP Top 10 vulnerabilities, you cover your bases with that, right? Yeah. And you test it robustly. Make sure those vulnerabilities don't show up.

'cause in our research, what we have found is, we have actually written a blog on this. We call it LAVA. It's Language Augmented Vulnerabilities in Applications, right? What that means is through prompting, through natural language, you can get the AI application connected to the frontier model to respond with exploit code, which when rendered by that application, can exploit that application.

Detonates [00:30:00] with you. Yeah. It detonates, right? So those are the interesting vectors now that you have to account for.

Ashish Rajan: Yeah.

Vinay Pidathala : And then lastly, you wanna have a data strategy in place, right? You don't wanna have sensitive data lying around here and there. You wanna have robust data classification. So I think that's the structured sort of framework Yeah.

That you wanna look through, that'll really help practitioners triage their incidents.

Ashish Rajan: Yeah, and I think, and maybe bring it back to what you were saying earlier in terms of having a buy-in from the leadership on this as well. It's one way to technically talk about a particular problem, but also to explain it to the leadership

who wants to go at great speed. You wanna find a balance between innovation and at the same time be safe as well. What's the, how are you seeing people find the balance between the two?

Ankur Shah: Yeah. Look, the most successful deployments that we have seen are the ones where product security or offensive security is in the same room with AI teams.

Ashish Rajan: Okay. And

Ankur Shah: we're super fortunate because we're so narrowly focused on [00:31:00] solving a couple problems really well, and we speak AI language, we speak security language. Yeah. So there's a lot of buy-in. So there is not a lot of friction. Obviously the larger the organization, the more friction between these departments where you have to justify.

Yeah. So usually, again, early days, but we haven't seen a lot of these problems. But in scenarios where this ends up becoming a problem, where customers hold their feet to the fire is accuracy and low latency.

They, with AI teams, so AI team, like every POC, they test Straiker, they make it go through the ringer.

And say, can you have 99 plus percent accuracy that beats frontier? Because they'll ask the question, why can't I feed this into a frontier model and get a verdict?

Ashish Rajan: Yeah.

Ankur Shah: And we're like it's gonna take a couple seconds, it's gonna be slow. And those things are trained on safety, not security.

Ashish Rajan: Yeah.

Ankur Shah: Our fine tuned models are trace tested on security and safety both, and they're fast. So that's how we earned the trust of the AI team as well as the AppSec team, then it becomes easier. I, you had a question earlier on the board level stuff. I [00:32:00] think the wheels are turning and, history often doesn't repeat itself, but it rhymes. Nine years ago,

cloud security was not a budget item. Now in AI, like this is an explicit budget ask, so there's no like convincing of the CE that hey, we need something. Yeah. The mandate is gotta be all in on AI. Question is priority because there are 10 different problems to solve. Yeah. Yeah. We think there is a certain stack ranking.

Yeah. But customers have their own mind. Yeah. Yeah. They wanna start in different directions, but I think it's happening, so that's very encouraging. I am yet to hear anybody say, no, shut it all down. That's it. Like there, there is no convincing required. No. We have to enable the business.

Yeah. How best can we do it? Who's the partner we need in this process?

Ashish Rajan: Yeah.

Ankur Shah: Who's gonna help us accelerate that? That's the conversation.

Ashish Rajan: I think you kinda mentioned something interesting there as well. What are people focusing on, which is probably the wrong problem to start with if you're trying to address agentic security?

Ankur Shah: Yeah. Look, I said this early on and again I'll say it again. Customers are always right. Their fears [00:33:00] come from a good place. Okay. But, the one thing I wish they didn't mention as much is the shadow AI, shadow MCP. It's just every new technology shift, we are all worried about this unknown.

Yeah. And yeah. That's, oh, don't go to deepseek.com.

Ashish Rajan: Yeah.

Ankur Shah: Don't download random MCP servers. Sure.

Ashish Rajan: Yeah.

Ankur Shah: You shouldn't do that. Train the teams on that. But that kind of hygiene stuff, blocking and tackling, doesn't give you the outcome. Yeah. If you wanna be really an enabler. Like you want organizations to be humming on this one, and that's why the priorities have to be continuous testing and guardrails.

That's the Nirvana. And look, I preached shift left for eight years. I can't come up with a proper shift left strategy. In this world, there is none.

Bulk of the problems will happen at inference time. The best thing you can do at pre-prod is testing. What can you do?

Yeah. You can, like in your pipeline, like what is the code pipeline in the agentic era? I don't even know what that is. Yeah. What that looks like.

Ashish Rajan: Yeah. I think there's a whole saying around a lot of people writing the last piece of code that would ever be [00:34:00] written by humans as well.

Yeah. Yeah.

Ankur Shah: We, I don't know if you saw a tagline like, AppSec is dead, long live agentic security.

Ashish Rajan: There you go.

Ankur Shah: There is no open source code. There's no custom code. So what kinda application security? And I think, look, CISOs have to ask themselves a very hard question when they go for the budget, which is that, do I need tons of money for something that's, say, yesterday's technology, or lots of money for something that's gonna be the future?

Ashish Rajan: Yeah. You have to decide that. So these are, it's a great topic, I can keep going on about this as well. But that's all the technical questions I have. I've got three fun questions, and Ankur's done this before, so it'd be a surprise for you. I'll start with Vinay first 'cause you've gone through this round once before.

Ankur Shah: Ashish, we didn't cover one important thing.

Which one? Which is, what did you guys announce at Black Hat? Hey, can you tell me a little bit about your Black Hat? Okay, I see. Yeah, I can include that. Yeah. And we'll do a soft plug. Yeah. It's not gonna be, I, we'll frame it as a problem and then because, so the way to frame this discussion is that so far we've talked about the what to look for.

You wanna talk about like how do you, like, because in the prompt [00:35:00] world, it was a simple firewall problem. Yeah. And I Chase says, yeah, like last I checked 1995, this is not a firewall issue. Yeah. So then how did you guys solve this? Because it sounds like you guys went out on a limb and said you're industry's first.

Yeah, because we launched industry's first Attack agent and Defend agent. Tell me more about that.

Ashish Rajan: Yeah, I was gonna frame it as more what was the problem that you were trying to solve in 2024, and where are you going with this? Because where I'm going with that is, yeah. I'm asking you from a future perspective, like where do you see this going?

And I think that's where I was coming from. Correct.

Ankur Shah: And I think that's fine. Like I don't even want you to ask a complete shameless plug on Straiker. Like I would not even prefer that. Yeah. But it's just hey, look like, hey, look. Yeah. So frame it however you want. Yeah. I get that. I'll bring it back to that's why we launched Attack and Defend agent.

Yeah. Because that's a, we can spend 10 minutes on that. It's a lot of fun stuff in both areas. Yeah. And then you can cut and chop previous stuff, whatever you want. If you wanna stick to the timelines. Yeah. Yeah, that's fine.

Ashish Rajan: So I, I guess a question that I have for you guys is also from a perspective of, obviously when we spoke last time, yeah.

There was a [00:36:00] certain version of AI agent security that people were talking about, and you guys had a particular focus. Where are you guys headed now? Where is this going for you guys?

Ankur Shah: Yeah, look, super excited about what we launched at Black Hat, with our attack and defense agents for agentic applications. We were the industry's first to launch both of these agentic capabilities.

Just like you can only secure AI with AI, you can only secure agents with agents.

Ashish Rajan: Yeah.

Ankur Shah: So our attack agents are basically, for a given agent application, they do a full on reconnaissance, understand exactly which tools, MCP it uses, et cetera. And just go after them with an explicit intent to exfiltrate the data and do all kinds of nefarious stuff.

On the defense agent side, things were a little bit tougher because the world was slightly simpler earlier this year. You can put something between prompt inputs, outputs, call it a day. In the agentic world you have really the humans asking agents to do a task.

Ashish Rajan: Yeah.

Ankur Shah: In between, what happens is that agents are talking to each other, they're talking to the tools, MCP, there's all kinds of callback reasoning [00:37:00] happening.

How do you collect all these traces and then feed them to your AI model? Very difficult problem. So we have now an approach, technical approach. We believe we are the only one, so we have developed a couple technologies. One is very developer friendly. Yeah. One is extremely developer friendly.

That allows us to collect all traces across the agentic stuff, which allows us to, when an attack happens, draw what we call the chain of threat graph.

Ashish Rajan: Yeah. Okay.

Ankur Shah: Where you can clearly trace that during the entire execution process of a given human task, where did shit hit the fan? And that's where we've done it.

And also I should mention that's the data collection part of the difficulty. The AI engine part of the difficulty is that in our previous fine tuning run, we had to train them on what a data leak looks like, PII pattern matching. How do you train models on agent traces? So the amount of synthetic data generation that is required.

Real data, real world attack scenarios. This is not something you can do [00:38:00] overnight, because every agent trace is different. Yeah. Yeah. So how do you do that? So there's a lot of craftsmanship that went into it. And we talked about it in our product blog, et cetera. Yeah. But your

Ashish Rajan: point also comes back to the continuous part as well, because it's the current version of threat versus,

I think, Vinay, what you mentioned, the threat's evolving continuously. So yes, just because you have a graph of it today doesn't really mean that's gonna be tomorrow or the day after when a new version comes out.

Ankur Shah: Yeah, and look, I think you frame it as future, which is the right framing, but I'd like to think the future is now.

The need to safeguard agentic applications is today. It's moving so fast that you blink and something happens. The McHire McDonald's HR agent issue happened a couple of weeks ago. It was not a purely LLM chatbot issue, 65 million customers' data got leaked.

Ashish Rajan: Yeah.

Ankur Shah: Yeah. This can happen any moment.

Yeah. So yeah, that's why you need a next gen technology for this.

Ashish Rajan: Yeah. Awesome. That's all the technical questions I had. Thank you for sharing that. I'll put the link in the show notes as well so people can check out the press release for that. Yeah. And [00:39:00] get to know about that as well. So we've got fun questions.

Okay. Three fun questions. No pressure, whenever you're doing it the first time. Okay. First one being, what do you spend most time on when you're not researching all the AI security, agent security problems of the world?

Vinay Pidathala : I have two kids and I have a dog, that takes up most of my time.

But I just bought a book called Empire of AI by Karen Hao. I just started reading it. It's a fascinating read. So if you guys, fictional or is it, no, it's about OpenAI and the workings of it. So it's interesting. It's a fascinating book. I just started reading it.

Looks interesting. So I'll, the next time we meet, I'll let you know if I liked it or not. I'll be curious as well. What

Ashish Rajan: about you, Ankur? What are you spending time most on?

Ankur Shah: Oh, man. There is no time, there is no rest for the wicked in this business. It's a nonstop go go. I, with whatever time I have left outside of Straiker, try to read books, play sports here and there.

But to be honest, I don't have much of a life beyond Straiker, my friend.

Ashish Rajan: Fair? Fair. It's not a, it's not a bad thing. [00:40:00] I don't either. I just have to say that.

And second question. What is something that you're proud of that is not on your social media?

Vinay Pidathala : There's not a lot of stuff on my social media anyway. Fair. I'm not very active on it. Very proud of what we have built here at Straiker. Yeah, I'm truly, really proud. You can build what we've built.

We've built systems that have actually eked out some stuff like our blog mentioned. So to build a product that can help with customers' problems today.

Ashish Rajan: Yeah.

Vinay Pidathala : And I'm super proud about that,

Ashish Rajan: that's awesome though. Yeah. It's a great thing to be proud of as well. What about you, Ankur?

Ankur Shah: Yeah, look, obviously outside of the work, which is where we got a lot of joy and meaning in life, my answer hasn't changed since we last spoke.

As a matter of fact, it hasn't changed in the last many years. Just being a good dad, a good son, and a good husband. I think that's all I strive for outside of work.

Ashish Rajan: Oh, fair. That's a vision goal for everyone. It's like to be ideally fair.

Yeah. Final question. What's your [00:41:00] final, oh, what's your favorite cuisine or restaurant you can share with us?

Vinay Pidathala : Cuisine.

Ashish Rajan: Yeah. Favorite cuisine or restaurant?

Vinay Pidathala : Ooh, my goodness. So I, I'm from a place called Hyderabad in India. I was born and brought up there, and we are known for biryani. Oh, nice. So I am all about the best biryani in the world.

Chicken biryani. I go looking

Ashish Rajan: for, I'm glad you said chicken biryani, not a vegetarian biryani. Yeah. So

Vinay Pidathala : I'm all about that. So I look, look, I go searching for these mom and pop stores that sell good biryani. So that's my poison. Poison, I would say poison. No, because it does not go well with your workouts.

Oh, fair.

Ashish Rajan: What about you, Ankur?

Ankur Shah: Oh man. Since I'm in Vegas, so many places to pick. I had to say that the more recent one, not at this trip, the last one, was I think Lotus of Siam, like the Thai place. Okay. It's really incredible. I'm a vegetarian, so not a lot of choices. So he's going from extreme,

Ashish Rajan: Let's go for lunch.

Vinay, no, thank you very much. No, I understand that, but so you said like good Thai food.

Ankur Shah: Yeah, very good food. It is one of the best ones I've ever had. Yeah. Interesting.

Ashish Rajan: Yeah. Alright, I'll check it out as well. [00:42:00] Yeah, of course. It's, sometimes you find it hard to find good food in Vegas, or sometimes it's more like hype rather than taste, so I'm surprised, I'm not ushi. I'm glad you found something which is not just hype.

Ankur Shah: Yeah. Yeah. You gotta, they're everywhere, obviously. You gotta find it. You gotta, yeah. Yeah. Work

Ashish Rajan: hard. Yeah. Awesome. And where can people learn more about the work you guys are doing at Straiker, the research you guys have done?

Ankur Shah: Yeah, look, check us out on our social media handle, but look at our website. We just launched a brand new one. There's a big fan following now on our website. We have given it a cyberpunk new age look. Oh, we have real world agents. They were showing up at Black Hat, but it's straiker.ai.

So it's Straiker with AI in the middle. S-T-R-A-I-K-E-R. Oh, okay.

Ashish Rajan: Oh, that's why. Okay. Fair. Yes. It's a good way to say it. What about, there's research there as well?

Vinay Pidathala : Yeah. We have a dedicated spot for all the research that we publish. Our goal is to publish as much research as we can so that we educate everybody in the industry.

Awesome. Yeah, on straiker.ai you have a blogs page and you can read all our research there.

Ashish Rajan: Awesome. Thank you both for coming on the show and I really appreciate it. I'll put all the links, including the press release as well, on the show notes, so thank you so much for doing this.

Yeah. Thanks for asking so much. Thank you. Thanks everyone.
