You have the visibility, you see the alerts, but your security backlog is still growing faster than your team can fix it. So, are you actually getting more secure? In this episode, Snir Ben Shimol, CEO of Zest Security, argues that "knowing about an open door or an open window don't make you more secure... just make you more aware".
We spoke about the traditional "whack-a-mole" approach to vulnerability management. Snir shared an analogy: when planning a trip, the most important question isn't who goes first, but "what is the vehicle?". He explains how AI's ability to perform recursive analysis can find the "vehicle" for your remediation efforts, that one base image upgrade or single code change that can reduce 20-30% of your entire vulnerability backlog in one action.
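The "vehicle" idea above is easy to sketch in code. The following Python example is added here for illustration; it is not code from the episode, from Zest Security, or from any scanner. It takes a constructed list of container-image findings, attributes each to the layer that introduced it (base image or application dependency), ranks every single remediation action by how much of the whole backlog it closes, and then re-ranks after each pick so that overlapping actions (rebasing an image versus bumping one OS package) are not double counted. Image tags, package names, versions and the EX-* finding IDs are placeholders, not real CVEs or a real inventory.

```python
"""Rank single remediation actions by backlog reduction.

Added example with constructed data (image names, packages, versions and
the EX-* finding IDs are placeholders, not real CVEs or a real inventory).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    fixed_version: Optional[str]  # None: no vendor fix, so no upgrade can close it
    image: str                    # image in which the scanner reported it
    layer_source: str             # "base-image:<tag>" or "app" (application deps)


# Constructed fleet: three application images built on two base images.
BASE_OF: Dict[str, str] = {
    "payments-api": "python:3.9-slim",
    "orders-api": "python:3.9-slim",
    "web-front": "node:18-alpine",
}


def _base_layer(vuln_id: str, pkg: str, fixed: Optional[str], base: str) -> List[Finding]:
    """A base-image finding is reported once in every image built on that base."""
    return [Finding(vuln_id, pkg, fixed, img, f"base-image:{base}")
            for img, b in BASE_OF.items() if b == base]


FINDINGS: List[Finding] = (
    # python:3.9-slim OS packages, inherited by payments-api and orders-api
    _base_layer("EX-0001", "openssl", "3.0.9", "python:3.9-slim")
    + _base_layer("EX-0002", "libc6", "2.36-9", "python:3.9-slim")
    + _base_layer("EX-0003", "zlib1g", "1.2.13", "python:3.9-slim")
    + _base_layer("EX-0004", "perl-base", None, "python:3.9-slim")
    # node:18-alpine OS packages, inherited by web-front
    + _base_layer("EX-0005", "busybox", "1.36.1", "node:18-alpine")
    + _base_layer("EX-0006", "musl", None, "node:18-alpine")
    # application dependencies, one entry per image they are found in
    + [
        Finding("EX-0007", "requests", "2.32.0", "payments-api", "app"),
        Finding("EX-0008", "urllib3", "2.2.2", "payments-api", "app"),
        Finding("EX-0007", "requests", "2.32.0", "orders-api", "app"),
        Finding("EX-0009", "cryptography", "42.0.4", "orders-api", "app"),
        Finding("EX-0010", "lodash", "4.17.21", "web-front", "app"),
        Finding("EX-0011", "express", "4.19.2", "web-front", "app"),
    ]
)


def candidate_actions(findings) -> Dict[str, Set[Finding]]:
    """Map every single action to the fixable findings it would close.

    A base-layer finding is closed either by rebasing the image or by
    upgrading that one OS package in the Dockerfile, so it is listed under both.
    """
    covers: Dict[str, Set[Finding]] = defaultdict(set)
    for f in findings:
        if f.fixed_version is None:
            continue  # nothing to upgrade to: needs mitigation, not remediation
        covers[f"upgrade package {f.package}"].add(f)
        if f.layer_source.startswith("base-image:"):
            covers[f"upgrade base image {f.layer_source.split(':', 1)[1]}"].add(f)
    return covers


def rank_actions(findings) -> List[Tuple[str, int, float]]:
    """Static view: (action, findings closed, % of whole backlog), best first."""
    total = len(findings)
    ranked = sorted(candidate_actions(findings).items(),
                    key=lambda kv: (-len(kv[1]), kv[0]))
    return [(a, len(fs), round(100.0 * len(fs) / total, 1)) for a, fs in ranked]


def greedy_plan(findings) -> Tuple[List[Tuple[str, int]], Set[Finding]]:
    """Re-rank after every pick: each step takes the action that closes the
    most of what is still open, so overlapping actions are never double
    counted. Returns the ordered plan and the findings no upgrade can close."""
    remaining: Set[Finding] = set(findings)
    plan: List[Tuple[str, int]] = []
    while True:
        covers = candidate_actions(remaining)
        if not covers:
            break
        action, closed = min(covers.items(), key=lambda kv: (-len(kv[1]), kv[0]))
        plan.append((action, len(closed)))
        remaining -= closed
    return plan, remaining


if __name__ == "__main__":
    for action, n, pct in rank_actions(FINDINGS)[:3]:
        print(f"{action:40} closes {n:2} findings ({pct}% of backlog)")
    plan, leftover = greedy_plan(FINDINGS)
    print("plan:", plan)
    print("no fix available:", sorted({f.vuln_id for f in leftover}))
```

With this constructed data one base-image rebase closes 6 of 16 findings (37.5%), and once it is picked the per-package OS upgrades it subsumes disappear from the plan; the three findings without a vendor fix are left over for mitigation rather than remediation.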
Questions asked:
00:00 Introduction
02:30 Who is Snir Ben Shimol?
03:20 What is Cloud Security in 2025? Moving from Visibility to Action
07:25 Why Visibility Isn't Making You More Secure
10:20 The Slow, Manual Process of Remediation Today: Losing the Battle
16:00 The "Vehicle vs. Priority" Analogy for Vulnerability Management
17:45 How AI Enables Recursive Analysis to Find the Most Impactful Fix
20:00 The Three Pillars of AI-Driven Cloud Security Resolution
22:30 Why Your CNAPP/CSPM Can't Solve the Remediation Problem
25:20 Why Traditional Prioritization (EPSS, KEV) is a Waterfall Approach
28:10 The "Buy vs. Build" Dilemma for AI Security Solutions
30:15 The Complexity of Building a Multi-Agent AI System for Security
41:45 How CISOs Can Separate Real AI Products from Marketing Fluff
44:50 Final Questions: Surfing, Communication, and Thai Food
📱 Cloud Security Podcast Social Media 📱
🛜 Website: https://cloudsecuritypodcast.tv/
🧑🏾💻 Cloud Security Bootcamp - https://www.cloudsecuritybootcamp.com/
✉️ Cloud Security Newsletter - https://www.cloudsecuritynewsletter.com/
Twitter: / cloudsecpod
LinkedIn: / cloud-security-podcast #cloudsecurity
Snir Ben Shimol : [00:00:00] I'm asking: how many tickets do you open a month versus how many tickets do you close a month? And then the room became quiet. What are they doing about this problem right now on their own? That process takes between 20 to 30 days per issue. How long does it take someone to exploit it? Validated: hours or days. And we're talking about months to actually take action.
We're losing. One of the biggest problems we have in vulnerability management is: what is the vehicle? How do you know how to prioritize, how I'm getting from A to B, if you don't know what's the vehicle to get there? What if I tell you that you can upgrade one base image and that specific upgrade will result in a reduction of 20 or 30% of your vulnerabilities within your backlog?
Just one action. What AI can do is, instead of walking forward, AI can help us to do recursive analysis. It's not solving the problem. Knowing about an open door or an open window doesn't make you more secure. No, it just makes you more aware.
Ashish Rajan: Let me ask you a [00:01:00] question. If you had to take a party of four people from a wedding, say to another location, how would you do it?
Would you find the best route possible? Or would you think about the vehicle? These are some of the questions people are asking on how to solve the massive amounts of alerts that people have in cloud security problems, and these are the same kind of challenges people are trying to tackle in the cloud security problems that you're seeing.
They have a lot of alerts that they're looking at. What's the best way to resolve a vulnerability or a misconfiguration, depending on the best path you should be taking. This is an insight from a conversation that I had with Snir. Who is the CEO and co-founder of a company called Zest Security. We spoke about how organizations are today using AI for doing cloud security.
How far can you truly get with AI in solving cloud security challenges? Perhaps if you're an organization who is just adding your own risk scoring on the CSPM findings or a CNAPP finding, this is definitely the episode for you. Just to give you an insight into what is possible today [00:02:00] with AI and how far you can get with it practically yourself, with your team. If you are here for a second or third time, and if you have been enjoying Cloud Security Podcast episodes, I would really appreciate if you take a quick second to hit the subscribe or follow button if you are listening to this on Apple, Spotify, or if you're watching us on YouTube, LinkedIn.
It really means a lot when you take that second to support the work we do, and I hope you enjoy this episode with Snir. Peace. Hello. Welcome to another episode of Cloud Security Podcast. I've got Snir with me. Hey, man, thanks for coming on the show. Very excited to be here. Thanks for having me, man. Let's start with your background first.
Where were you before? What's your professional background?
Snir Ben Shimol : I'll keep it short. Around almost 20 years in cyber, before it was cyber. So before we started Zest Security I was the CSO at Cider. Very quickly we sold to Palo Alto. We basically defined CI/CD security. Yeah.
Was very exciting. It was a big exit. And before that, I built from the ground up the entire cybersecurity at Varonis. Oh yeah. So the product: a lot of machine learning, incident response, forensics, data [00:03:00] science, threat detection and response. Really interesting. And also in charge of product security, and before that offensive security research, working in big companies, solving big problems.
Yeah. Exciting. So you've been around, for some time.
Ashish Rajan: Yeah. I just love it. Actually, maybe this is a good time to ask you as well. I've been asking people what is cloud security? But like the 2025 edition. I think there's obviously been a few versions over the years.
What's your 2025 version of what cloud security is?
Snir Ben Shimol : I think when I was starting to listen to your podcast, like I think five or six years ago, I was also asking myself, okay, first of all, wow, Kubernetes, I don't understand Kubernetes, so let's learn. I believe that today, first of all, everyone understands the cloud native capabilities.
Yeah. And if we're looking at 2025, even ahead, 2026, cloud security is basically already defined by visibility and understanding of what we have within the cloud. Everyone knows their inventory. Everyone knows what they have, what they're managing, what they're not [00:04:00] managing. And now we're going to the next stage.
Yeah. And I believe the next stage is like how we can actually be proactive about our security from both sides, from how we use more native security capabilities from our cloud provider.
Ashish Rajan: Yeah.
Snir Ben Shimol : And how we're actually using the visibility we have in order to derive more of a proactive approach to reduce attack surface.
Reduce vulnerabilities and make the cloud more secure, knowing about the problems. So I think the knowing has been solved. This year, I think 2025 is the pivot. Yeah. Okay. It's like everyone has a CSPM, everyone kind of knows: we have this, we have that. Also security folks feeling more comfortable about monitoring cloud.
Looking into cloud.
Ashish Rajan: Yeah.
Snir Ben Shimol : And now we're moving to the next stage, the interesting stage of let's take actions. Let's build things that are more proactive. And I think this is where we go.
Ashish Rajan: Interesting. To your point about a lot of visibility has been looked into, people are aware of, hey, what my problem areas [00:05:00] are.
What are some of the components you feel are attached to the cloud security piece? Obviously you did the CI/CD security part. What are some of the moving parts in this space today?
Snir Ben Shimol : Cloud security, it's complex. It's very different than on-prem, where you can put it into boxes. I believe cloud security involves a couple of things.
First of all, the native and posture: configuration, best practices, whatever you have. And then you have the application layer, application third parties or your own application that's running within the cloud. Yeah. And then you have things that are outside of the IaaS and PaaS that are basically maybe more related to runtime, more related to, I will say, the CI/CD or maybe the deployment processes that you have across your cloud environment.
Yeah. And the complexity is interesting because when you look at these types of buckets, you look at different teams within your organization, which makes protecting the cloud more problematic. When [00:06:00] you know in the on-prem you have the security team in IT. Yeah. Now you're dealing with different types of teams, different capabilities, and the systems are completely different.
So you can have Terraform, you can have CloudFormation, you can have Pulumi, you can have different types of representation of this infrastructure as code and DevOps systems in different areas and tenants. Yeah. And then you can have microservices here, a Docker implementation there, more instances there.
So more OS-related kinds of vulnerabilities in that situation, and sometimes you have a pure software composition analysis implementation of your security. So I believe that a lot of the worlds that we used to dissect, yeah, into different types of markets and different types of problems in cloud, they're all coming together, which makes it more interesting but more difficult for security teams to be proactive about.
Ashish Rajan: So do you feel, obviously in the detection phase or at execution phase,
Snir Ben Shimol : Eh, the detection phase, it's already solved. [00:07:00] So again, if you look at SMBs or if you look at small organizations that are just building the cloud practice, you're still in the journey of getting the visibility. Yeah. The good thing is they know what they need to do.
Yeah. They know that they need to look into maybe a CSPM and CNAPP. They know where to look. They know that open S3 buckets, it's not good. Yeah. Which five years ago, you ask a CISO what you're scared about, they would never give you that example. And today it's like, we don't have any open S3 buckets, or at least without sensitive or interesting information.
So they know what they need to do and now they're just implementing it. But the organizations we are working with are a little bit more mature, or at least small but heavily regulated. They passed that point from visibility. Yeah. So they know about their problems, they know about their misconfigurations, they know about the vulnerabilities. They have tools and processes in place in order to get that information.
And I believe the challenge right now, and the next challenge to face, is once I understand where my problems [00:08:00] are, yeah, how can I address them? How can I resolve them in the best way possible? And I think this is where we're at, in that pivotal point from I need to understand, I need to have visibility.
Yeah. I need to understand where my problem is. And right now I believe visibility is already accomplished. We have great security tools to tell us what we're doing wrong in cloud. Yeah. Runtime, configuration, application. It's really good. Like I think no matter which type of product you're going to pick, they're going to give you great results.
From that point into, okay, what are we doing about it? That's a big question. How are we taking this amazing product and amazing investment that gives me all that contextual information about my problem, and actually taking it to the next stage of actually solving it? I like to ask a question about cloud security to security leaders that I'm talking to. They're very happy about their security [00:09:00] practice in the cloud. And I'm asking them like, just imagine you're at work or on vacation. You know that your door is open. Yeah. You're aware. You have that visibility. You have the camera and it's, oh, I left my door open and I left two of my windows open.
You know about it. Does that mean that you're more secure? No, the door is still open. Someone can go in. Yeah. So that's basically the question I like to ask. It's like knowing about the problems is the first step. Yeah. And it's important having the context, first step, important. What you do next,
I think, is what will make you a better and more secure organization than the other companies. Interesting.
Ashish Rajan: And what are people doing about this right now? In terms of, I guess to your point, detection has been solved to a point; they can use any amount of tools to find out individual pockets of problems.
What are they doing about this problem right now on their own?
Snir Ben Shimol : So that's where everything has become very interesting, and I think we have a [00:10:00] huge AI conversation around it as well. Usually when you have a complex problem, you're looking for a product or you're looking for something to help you, or some kind of workflow, some kind of process to take action on visible misconfigurations or vulnerabilities in the cloud.
Today it's being done completely manually. The process of remediation, the process of mitigation, it's completely manual. I've been there. I was managing cloud security teams. It's a lot of work to prioritize. I believe that there is a lot of automation in prioritization, which is important.
And I think, because of and thanks to the context we have, we can prioritize at some level. Yeah. But when we need to take action and actually remediate, you need to triage. Triage is manual. You need to understand what to do and where to do it. If the remediation is supposed to happen in infrastructure as code, is that asset being managed by Terraform or in [00:11:00] CloudFormation?
And just imagine you have a big environment. Yeah. How many Terraform and how many IaC you have. Yeah. Where it actually fits. Yeah. The security team does not always have that visibility. So what do they do? They're talking to DevOps, and DevOps, okay, let me see. So the process of Jake, who is a cloud security architect: Jake is looking at the CSPM.
This is very interesting. Wow, I have an attack path. Okay. I have KEV, EPSS. Very high score. Yeah. I want to focus on that. I want to prioritize it. Let's open a ticket. Yeah, send the ticket. Oh, I know this area. It's probably this SRE team, sending it to the SRE team.
The SRE team getting the ticket. It's okay. Yeah, I know it's a, oh, okay. It's a problem. Yeah, I don't think it's a problem. It's yeah, it's a problem. Let's do something about it. Great. What do I need to do? I don't know. You have it in the ticket from the scanner or the visibility tool. Yeah, visibility tool.
It doesn't understand your CI/CD. Doesn't understand how this problem actually got into the cloud. So this is where triage starts. So they need to understand, okay, where the [00:12:00] fix is supposed to happen. Secrets in Lambda functions. Everyone has it, right? Yeah. Should I use Vault or AWS Secrets Manager?
Which type of secret manager am I using in this environment? I don't know. Depends who's, oh, you opened the Jira ticket? Yeah. It's okay, let's use this and let's do that. And you go to the console, you change it. Three days after, the security team's looking, and it's, oh, it's the same problem. You closed the ticket.
What's going on? Yeah. Jake is calling the SRE team. It's, guys, you closed the ticket. The problem is still there. It's, no, we actually closed it. We deployed exactly what you told us to deploy. And then you do another triage, forensics analysis: how did the problem resurface? Yeah. And it's, hey, we fixed it in the wrong place, because that specific asset and that specific service is being derived by a change within infrastructure as code, in that specific Terraform state file, from that plan.
From that IaC. When you look into it, just one example, understand the complexity. And this is only misconfiguration. Let's talk about vulnerabilities. You have vulnerabilities from your software composition analysis. Yeah. And you have [00:13:00] vulnerabilities from your production, from your CNAPP. Yeah. And then for some of the vulnerabilities, basically the core recommendation is: upgrade the package.
And then you ask yourself, okay, so I need to upgrade now 20 different packages. A whack-a-mole, but this is exactly what we're doing right now. Instead of asking how this specific vulnerability arrived at that specific container. Yeah. And if we have an image and then the base image, it's the Docker. That specific process is what Jake is doing together with the, and sometimes, the engineering team.
Yep. That process takes between 20 to 30 days per issue, after the team already spent an additional couple of days to prioritize. Yeah. Yeah. How many times? How long does it take someone to exploit it? Not only days, sometimes hours. Validated: hours or days. And we're talking about months to actually take [00:14:00] action.
We're losing. Yeah. And I think when we understand that and experience that, we realize that the next stage is more difficult than giving you the problem: the fixing, the remediating, the resolving. Remediation is not always an option. Resolution is the next stage, and everything Jake is doing is actually doing the triage and the analysis.
Yep. It's not deterministic, it's not like a playbook. There is no playbook because everything is different. And this is where, again, if you cannot use automation, you cannot use workflows. So what do you do? How do you accelerate? Yeah. AI, LLMs can help you to take and digest that information and actually accelerate that process that takes you weeks in a very large environment across a large number of vulnerabilities.
Yeah, and I think this is where we're at when we reach a place that we need to solve a [00:15:00] complex challenge. Thankfully very smart people created great technology, so security teams can actually use it in order to do that. We didn't have it a couple of years ago.
Ashish Rajan: So is the remediation now different?
Are we back to the auto remediation part, where we point, now that I have the context window, I understand that I have CI/CD, containers, everything else is AI?
Snir Ben Shimol : How far can we go with AI? That's a great question. I think the remediation is completely different in the cloud. Way more complicated.
I believe that because you have different types of ways to solve one or a group of problems, I think that's what makes everything more difficult. Yeah. When you have options, it's more difficult, and I think the option is not really about what should I do, it's how I'm doing it, that will be suitable for how my organization looks like. And maybe we'll switch roles and I'll ask another question.
I like parties, I like events, [00:16:00] right? We're now at Black Hat, it's fun. But if I need to get from A to B, I have an event. Yeah. We need to take the guests to a wedding, let's say. Yeah. From A to B. Yeah. How do you prioritize who's going first, who is going second? How will you prioritize basically that specific process of who is going to the event first?
Family first. Family first, and then kids first. I guess maybe older. Older people. Older people, yeah. Yeah. That's, I think, exactly the type of answers I'm always getting, including this, yeah. This is one of the biggest problems we have in vulnerability management and cloud security posture. What you need to respond with is the question: what is the vehicle?
How do you know how to prioritize how I'm getting from A to B, if you don't know what's the vehicle to get there? If I tell you that we don't have a car, we have a plane, we have a bus, why should you prioritize? You can [00:17:00] probably fit everyone in and do it. Yeah. Yeah. That's exactly the shift in mindset: that we can use AI,
yeah, CI/CD and cloud, yeah, native capabilities in order to streamline remediation. And that's the difference. So what if I tell you that you can change one configuration in your Terraform, yeah, or you can upgrade one base image, and that specific upgrade will result in a reduction of 20 or 30% of your vulnerabilities within your backlog?
Just one action. Yeah. And that's exactly, I think, what AI helps us to do. You think in remediation, you think recursively? Yeah. Our human brain cannot walk recursively. If any one of the listeners can do research recursively, I'll hire him. You do have some people that can do that, and they're geniuses, right?
But what AI can do is, instead of walking forward: let's take a list of vulnerabilities and cloud vulnerabilities and let's dissect them. Let's [00:18:00] prioritize them, and let's take action one by one. This is how you lose the battle, because the numbers are too big and you're not thinking about what's the vehicle we have in order to reach the goal.
And then AI can help us to do recursive analysis. So what AI is doing is basically helping us to ask a different question: if I make this change, how is it going to affect my backlog? If I patch this version and that version and upgrade this package, how can it affect the vast majority of my vulnerabilities?
Yeah. By doing it infinite times, you can basically create the best pathway to remediation. Interesting. So again, using AI in a different way, not in automation, yeah, but how we increase the impact of our remediation. Yeah. If it's patching, if it's code change, and decrease, therefore, what we will need to ask from the engineering team, yeah,
[00:19:00] to actually apply it. Because sometimes the bottleneck is not prioritization. It's our button. Like the security team. Yeah. But at the end of the day, we need to understand what's the other side's effort, and the analysis and triage. Yeah. And I think, as a fact, AI can actually eliminate that.
Ashish Rajan: I think you hit on something interesting as well.
I love the analogy of having the party bus versus the car. It definitely goes into the whole cloud security piece. Would you not need access to like your Jira or Slack or whatever? You need a lot of context to be able to, to your point, figure out what kind of vehicle it's gonna be.
Are we at that stage with AI, in organizations, where people are doing that?
Snir Ben Shimol : Yeah, definitely. The way I am looking into it, I'm dissecting it into three different problems. Okay. The third problem, I don't believe AI can be there yet. Okay, but maybe I'm wrong. Maybe I didn't do my research, because I was not completely focusing on that.
[00:20:00] I'm focusing on the technical side. So the three problems will be: the first one is the prioritization. Yeah. How I'm taking all my vulnerabilities and misconfigurations, cloud backlog, yeah, and I'm making sure that I'm working on what's risky for me, for my environment. Yeah. Not only threat intelligence, EPSS and scoring systems.
We can talk about it. This is the past. This is automation. We can use AI in order to analyze and understand what is actually dangerous for my environment, and have a proof why it's not. 'Cause at the end of the day, I think at least our customers are scared of regulators more than scared of attackers.
Yeah. They have a great SOC team, but the regulators are looking at that backlog and like, why do you have so many criticals open in Jira for three months? What's going on? Fix it. So again, the prioritization. Yeah. How many vulnerabilities and risks I can dismiss. Second thing is what's the best resolution path?
Resolution [00:21:00] pathway. Remediation pathway. Mitigation pathway. Yeah. After I understand my prioritization, what will be the least effort, maximum impact that I can derive. Yeah. AI. Different LLMs, by the way; you cannot do it just with ChatGPT and stuff. We can also dive deep into what we discovered there.
Yeah, sure. Because every LLM is different. So these two sections: prioritization of multiple vulnerabilities based on your technical DNA, yeah, and then building the best pathway. Think about Google Maps for our vulnerability management team. Yeah. What's the best option we have in order to eliminate that backlog?
The third one is what you mentioned. How we learn from our ticketing system and our process. Yeah. I think some companies are trying to replace things like ServiceNow, yeah, and this and that for security. I don't believe AI is there. You know why? Because I don't believe organizations are there.
Every organization we're working with has a different ticketing system, process, different escalation process, yep, different SLAs. [00:22:00] And it really depends not only on the organization, it depends on the people. Yeah. And I think that it's too hard to give you a silver bullet, because everyone is different.
Yeah. This is why I think AI is not there, because we are not there.
Ashish Rajan: Fair. And I guess to your point about the first two priorities, a lot of people who would be skeptical towards the whole, hey, I already have a CNAPP and CSPM, Snir, why do you feel AI agents can solve this better?
Snir Ben Shimol : That's, I think, the first or the second question I'm getting when I'm speaking to the security leaders. I always like to ask questions to understand exactly. So the first question I'm asking is: you get the visibility they're giving you, or like, you feel confident that you know what's running in your cloud?
It's yeah, of course I know about all my vulnerabilities, my misconfigurations. I have the inventory and have context about what's important and what's not. I'm like, great, so you have a backlog. Like, you open tickets. It's yeah, of course. It's like, [00:23:00] how many tickets do you open a month versus how many tickets do you close a month? And then the room became quiet.
Yeah. And then you realize that visibility, accomplished; context, accomplished. But now we need to take it to the next stage about let's actually reduce that backlog. And this is where they understand that there is one part of cloud security that is solved, which is the visibility. Yeah. The security stack is rich with visibility around your vulnerabilities and misconfigurations.
Today we have runtime, which is great. Yeah, it helps us a lot. Then what? And that's the point that we actually need to take action and close the doors and the windows, because knowing about an open door, yeah, or an open window doesn't make you more secure. No. Just makes you more aware. Yeah. People can still come in.
Yeah. That's exactly, I think, the difference between a remediation platform or resolution platform and these great tools. And I think another thing that we realized is that these platforms [00:24:00] are really good at identifying problems, because they're connected to your cloud. Yeah. But they're not looking into the systems that created the problem.
CI/CD, DevOps systems, DevOps processes. They don't really care about how the problem reached the cloud. They care about how can I find more problems and give more context about why this problem is very bad or not really bad. Yeah. But how the problem reached that cloud, what is the root cause, or what is the process or the service or the code or the configuration,
yeah, or the image that spun up that specific process that actually results in a problem. Yeah. They're not looking at these systems. So even if they want to build it, they need to look at a whole different area of technologies within the cloud to do remediation. And this is where we realized that remediation is a completely different process, [00:25:00] mind process and technology process, than finding problems.
Ashish Rajan: Yeah. And I guess your point, knowing which problem to go after as well is probably the biggest one of them all.
Snir Ben Shimol : Yes and no. I think, again, prioritization. Yeah. So I also think, exactly like we're doing with remediation, prioritization is also something that we're doing like we did in the past 20 years.
So let's go backwards. The first one was, let's get visibility into the cloud. Yeah. We have all the problems, and then we need to prioritize. So then the CSPM provided us attack path. Yep. Like, attack path is interesting. Another prioritization, though. But we still have dozens and hundreds of vulnerabilities.
Yeah. And then it's okay, let's give you some context. So do you have admin? Do you have sensitive data? Do you have this? Do you have that? Static context. Great. Another prioritization. So you reduce 5% of the noise, you're still with 80% or 70% noise. Yeah. We're talking about millions. Yeah. Still exist.
And then you have runtime. Runtime did a good reduction. You [00:26:00] reached 30%. 30% for enterprise, 30% of the backlog is hundreds of thousands. Yeah. Easy. How much time does it take you to solve hundreds of thousands of tickets? Not you, of course; engineering. Yeah. Yeah. Yeah. And again, I think the process that we're... this is why vulnerability management and cloud security failed
for so many years. I think cloud security has not failed, because we're still building it. Yeah. But vulnerability management specifically and posture management failed. Yeah. We're walking like waterfall. It's okay, let's add this and remove some more noise. Let's add that and remove some more noise.
We need to pivot. We need to think differently. What is the end goal? Yeah. Again, Google Maps. Where do I need to get? Walk backwards. Yeah. I'm getting to zero backlog. Yeah. I'm getting to a point I need, I can use my resources in order to be more secure. So it's not like what other product I need to buy in order to enrich my prioritization.
It's basically, what do I need to [00:27:00] do? And what do I need to know in order to reduce my backlog? And if you ask the right questions, you're not in that whack-a-mole about, let's add runtime, let's add KEV, let's add EPSS. Let's do a different internal scoring system based on business critical. We try, it doesn't work.
It helps. Yeah. But it's just reducing the symptoms. It's not solving the problem.
Ashish Rajan: I think you hit it on the nail as well. The number of people that I've spoken to who have an internal scoring system on top of a CSPM, because I guess a CSPM or a CNAPP gives you a version of risk posture, which is not the same as yours.
So now you're in this field. I guess I'll just make my own, and you walk down that path as well. I wonder, an interesting thing with AI, right? Because you've mentioned that AI is a great vehicle that we can use to get behind this and maybe, hopefully, solve this other problem as well.
A lot of people also looking at AI as, man, Snir made it sound so easy. I can do this myself. What's the reality of building something that is using AI to solve [00:28:00] like hundreds of thousands of this kind of thing? Because I think where I'm coming from with this is that a lot of people would hear this and go, yes, he did it.
He was in cloud for a long time. So I've been in cloud for a long time. AI is my friend. I can do it. So what have you found as some of the challenges people do not consider when they just go, 'cause this is a typical buy versus build conversation, where it sounds like AI is available.
I've got the subscription, $200 per month. Why can't I do it? So what do you find in this?
Snir Ben Shimol: First of all, the organizations we're working with are very advanced. They're pretty advanced, and they are using AI by themselves, oh, to do, for example, prioritization. I don't think prioritization is that complex up to a point.
So you can definitely get a lot of value building things by yourself. Yeah. Eh, and then you go and you have two different questions. First of all, it's expensive. Yeah. Second of all, maintenance is expensive. So once you build, it's not, that's it. Like you need to maintain, you need to tune, you need to work on it.
And again, these smart people usually do that in order to solve one [00:29:00] or two different types of problems and to get closer to the end goal. And the way I'm describing it is we have a scalable AI multi-agent system that you need a lot of money, a lot of talented people to do. If your organization has the resources to basically build Zest inside of your organization, you should do it.
And I want to be in touch with you guys, and I want to help you, and let's do it together, and we learn from each other. Yeah. Yeah. Happy. Yeah. Happy to do it and support these teams. And you do have some organizations that are doing it in house, but those are Fortune 200, Fortune 100, right? Very rare. Yeah.
Eh, I also believe that it's good to build on top of good technology. So just imagine you get a multi-agent AI system. Yeah. That gets you all the way to 90, 95%. That extra 5% is complex and it needs to be done internally, I think. Because I don't think we [00:30:00] can do 100%. If someone in cybersecurity tells me,
I'm going to give you something 100% AI, it's not there. Yeah. And every organization is different. I can take an organization to 95%. Yeah. On top of that, they still need to add their own zest, their own flavor. Yeah. Yeah. And I think what we did is I hired people that were smarter than me. We are using different LLMs, so you need to have an expert per LLM you're using, because it's completely different.
Yeah. Think about the system that needs to build remediation. You need an LLM that is really good with code review. You need a different LLM that is really good with root cause analysis of infrastructure in the cloud, IaaS, PaaS. Yeah. You need an LLM that is really good with contextual analysis.
Yeah. To take tons of data, vulnerability data, and act as a researcher based on the context of that specific CVE. Yeah. And you need an LLM that can do simulation. Yeah. So when you recommend the remediation, you need to understand the blast [00:31:00] radius of the impact of the change. Yeah. That's a completely different LLM, so you can build that.
But good luck. This is what we did. Yeah. It cost us a lot of money, a lot of pain. We're still building it. Yeah. And the reason that we're very excited about it is because we couldn't do it like three years ago, two years ago even. And also these LLMs' quality is changing. Okay, so let's say even eight months from now, you can ask me, Snir, which type of LLM are you using for this type of agent?
Yeah, I'll probably give you a different one. So the idea is if you just use ChatGPT or you use Anthropic or use these companies and their own LLMs in different versions, they're really good for that reason for right now. But maybe in eight months you have a different LLM that is way better.
This is the maintenance part. Yeah. This is the research part. And if you want the best remediation, if you want the best vulnerability management program in your cloud, you need to be agile. [00:32:00] AI is just very fast. Everyone, the number one company today is not the number one company a month from now.
Yeah. We are seeing it. Yeah. So I want to work with the best LLMs possible, and again, this is the main challenge that we solve, with like building a data fabric and orchestrating different types of LLMs. And so if we need to replace or change one, we can do it without any toil on the business logic of the system.
Ashish Rajan: Yeah. Yeah. And I guess to your point, you're almost building a scaffolding around the fact that you can easily replace models if you want to, but an organization may not be that flexible; they might have their own processes and stuff as well to go through.
Snir Ben Shimol: You say easy. It's not easy, but manageable.
Oh, okay. All right, it's still not easy. Oh, even with my infrastructure, it's manageable. Interesting. I still need to have someone who is an expert in that LLM, and I still need to change some stuff. And I still need to check and tune because it's still non-deterministic.
Yeah. So I need to do all the research and all the changes and understand that it's actually giving me and giving the customers value without [00:33:00] hallucination. Yeah. And without false positives and without things that are not related to this, 'cause remediation, it's important. Yeah. Like you cannot talk to engineering, give engineering, hey, this is how you fix a problem,
and then engineering will look into it and say you don't know what you're talking about. If it happens once or twice, yeah, you lose credibility. Our product and the way we are approaching remediation is like we need to build credibility with engineering.
Ashish Rajan: Yeah.
Snir Ben Shimol: To tell them that we know your pain, we know your triage, we know the code, we know the infrastructure.
Yeah. We did all of that for you. You just need to click a button because we did the work for you. We know you're busy. Yeah. And you know you're not being compensated on closing our ticket, but when you give them information that is not vetted, that is not good, that is not reliable, you can actually create some kind of lack of trust.
Yeah. So the way we're approaching the problem is, how can we be sure that this remediation is the actual remediation you need to take place?
Ashish Rajan: See, that's a good point because you're almost building a product at that point in time. The moment you go down the path of building an AI [00:34:00] agent that, hey, I'm gonna solve my cloud, 'cause to what you said, that's just one area
of your thing. Like you just looked at cloud, whether it's multi-cloud, whatever, you're just one of your areas. Now you have to get the SOC team in there, identity team in there, CI/CD team in there. You almost like, and by the way, you have to redo it continuously as well. So just you do it once in Terraform 'cause they decide to go with Pulumi tomorrow and ditch Terraform.
And now you're like, oh, I need to build for this again. And by the way, I have to update the model as well because, oh, I see what you mean. And, but do you, 'cause you mentioned earlier vulnerability management kind of failed us as well, which is like that container OS kind of world. Or do you see vulnerability management as a cloud
beyond OS, or is it more misconfiguration? How do you classify the new threats that they're seeing in the cloud AI world that you're in now?
Snir Ben Shimol: I like to, that's a great question. I like to say, I like to call it like cloud exposure posture management. Yeah. It contains two [00:35:00] things.
Vulnerabilities and misconfiguration. Misconfiguration: things you cannot patch. Yeah. Problems with sometimes identity, sometimes a problem with like bad tuning or bad configuration that exposes your organization. Yeah. Pure CSPM type of play and findings. Yeah. The other one is vulnerabilities.
Vulnerabilities you have in instances, in containers, in different types of assets, ephemeral, dynamic or static. Yeah. Like we all know. Yeah. And also you have vulnerabilities that actually derive from development or product or application, things that you normally find with ASPM or software composition analysis scans.
Or runtime scans. All of that actually lives in cloud environments. I call it vulnerabilities in the cloud. Yeah. It's increased the complexity, and this is why if you only do remediation per one, you will not be able to remediate. So how many times you have an SCA finding, yeah, that is not actually related to your code, it's actually [00:36:00] related to the infrastructure that generates that specific container.
Yeah. Many times you cannot patch, many times you cannot upgrade the OS. So we have customers that are saying, for this specific environment, we cannot change or upgrade images. So we're just doing the whack-a-mole with the packages. Yeah. Great. So what we're giving them basically is that one package that can kill the vast majority of CVEs that we care about.
Yeah. But we give them the package. We'd rather have them actually upgrade the base image. Yeah. But again, the beauty about security as a vendor, I realized in my many years building security products, if you enforce your product in a company and it's, this is what everyone should do, this is what you need to do,
only OS upgrade, only patching, yeah, you are going to fail. Because maybe they cannot do patching right now. Yeah. Maybe it's faster for them to upgrade packages. It's not right or wrong. Yeah. There is what's right for you. Yeah. As a security team and as an organization, the beauty about AI is to give you the option.
Yeah. So the beauty [00:37:00] about cloud is you have options. Yeah. You can, by the way, you can also use cloud native compensating controls. So one example, we have a large customer that has a misconfiguration. They have a problem with Lambda functions. And it's so like, in order for me to fix that based on your remediation, which is an amazing service, a lot of time with the triage and everything, now we know what we need to do.
ETA five months, it's a financial system. Yeah. Okay. Five months until it's actually pushed to production. It is what it is. We have different priorities. The business has different priorities, but it's a serious risk. We told them like, you have AWS, you have service control policies. So in that area we generated a service control policy.
Yeah. To basically defuse that specific huge issue. Over 3000 Lambda functions that are actually exposing the organization to privilege escalation, lateral movement. We used cloud native. We didn't ask them to buy a product. Yeah, just you have AWS SCPs, that policy, we simulated that [00:38:00] policy. We told them like, it's going to work, it's going to cover that.
We tested it. We told 'em, this is what you need to deploy. We sent it to the SRE team. They tested it, sent it to the CI/CD. Engineering fix it six months after, they study, deployed one day after. What happened? That specific risk reduced. Yeah, they did an audit. Again, we love audits. They did the audit and the auditor is, yeah, we're seeing that specific problem in your CSPM and you closed it.
It's, yeah, we added this compensating control, this guardrail. Yeah. Yeah. That we didn't pay anything for. It's not a next generation firewall. It's actually a cloud native capability. Yeah. That Amazon provided them, and we actually told them, if you use that, you're going to reduce the risk. Yeah. So you have different types of ways to do what you need to do.
Again, Google Maps. Yeah. If the walk is five minutes and the subway is 10 minutes, I'll want to walk. Yeah, but what if it's raining outside? Raining in New York, I'd rather use the subway.
Ashish Rajan: Yeah. Fair. And I think you made an interesting point, man, because a [00:39:00] lot of times it's just the missing context of what you're trying to deal with and not being able to see the full picture.
So far, at least the way cloud security has been explained for all these years has been: I detect, I get visibility, and then the ordeal starts. I find the right sear in development, like, hey man, I'll beg and plead and hopefully he would add me to the next sprint. And I, but then it may change because the company's priority changes halfway during the sprint.
Now you're like, actually, I have to push this down. Yeah, I think, to what you said, maybe before AI this was not something which was practically possible as well. It was not possible. Yeah.
Snir Ben Shimol: 'Cause you cannot automate it. Yeah. The cloud is a living creature. Yeah. Your vulnerabilities are a living creature.
You have too many steps and too much stuff to analyze, and the amount of data that you need to analyze in order to make the decision, yeah, it's enormous. Yeah. So even if you have, and again, the way I'm explaining it to the teams that we're working with, the CISOs, yeah, just imagine you have two security departments.
The way we're tackling the problem is in [00:40:00] two ways. You cannot tackle it in one way. One way is a very good security engineer. Yeah. An army of agents that are doing what a security engineer would do: take all the risk of all these vulnerabilities and understand what is actually risky for us or not. Yeah. One example, you have an OpenSSH vulnerability all across these containers.
These containers have no SSH present, covered by a VPC, no ingress SSH; these vulnerabilities are not exploitable. Yeah. Even if they have a POC, even the KEV, even the EPSS is like all the way up, in my environment it's not relevant. So this is like the agents that are doing that. On the other side, we're providing you security, we're providing you DevSecOps or security engineering.
Eh, from the remediation standpoint, yeah. There's 200, 300 employees that what they do is they're taking these prioritized risky vulnerabilities and now they're doing all the analysis of where the fix is supposed to, yeah, to happen. If it's in the code, if it's in the container, if it's in a base image, simulating it.
Checking [00:41:00] that it's not going to ruin too many things. Validating that this is the right fix and not exposing them to even more vulnerabilities, doing all that process. And then you have two types of deliveries: cleaning the backlog from noise, and then what we need to do, how we need to do it. And then you go to engineering, it's, guys, I know you're busy.
We did all of that for you, and you cannot do it with humans. Yeah, that's exactly where we are. What we can do today that we cannot automate,
Ashish Rajan: Yeah,
Snir Ben Shimol: we can do with agents. Interesting.
Ashish Rajan: Great. So how do, and this is maybe a final technical question as well, how do CISOs today separate signal from the noise?
'Cause you, I guess you've been on the floor, I'm pretty sure everyone has an AI agent. Everyone has a, so how does someone who maybe understands the cloud world, understands the technology behind it, and to your point, what are definitely related to that SCP example that you just shared as well,
how do they separate signal from the noise for, hey, this is a real deal, versus I'm just being given a chat thing to talk on?
Snir Ben Shimol: I think it's the biggest problem in [00:42:00] cybersecurity. It's not like we don't have good products. It's because we have so much noise and a lot of bad products as well.
I always like to tell CISOs, take me for a ride.
Give me two weeks. Install the product and see it by yourself. Yeah. But no one has the time to do tons of POCs. I want to give a, maybe, shout out to one of the talks at this Black Hat, which was how you understand if the vendor is actually doing AI. We're AI native, so if you take AI from our product, our product's not going to work.
Oh, okay. Oh, I see. That's a good point. It's like our product is going to completely fail if you take the AI components and the LLMs from that engine, because the engine is actually 70% AI based. And again, in order to dissect that, yeah. First of all, look at legacy companies, big companies that have products.
Yeah. And now they sprinkle some AI there. It's good. It's a good beginning, but it's not AI native. Yeah. So we need to understand exactly why they put [00:43:00] AI capabilities there. What was the reason? What did they try to achieve by using AI? Yeah. And ask them, if I don't have AI, if I'm not using that AI component, what did you do so far with your product in order to achieve that?
That's the first question. The second question I will ask is, why can't I automate that process with a script or automation rather than using AI? What is non-deterministic about this process? And I want them to give me examples. Give me an example why it's not deterministic. Basically, the conversation we had.
Why we need AI agents to do remediation, because it's not something you can automate. SOAR, you can take to the SOC. Yeah. You cannot take it to vulnerability management. So I think these two questions, like why are you using AI at all? Yeah. Yeah. And the second one is like, why did you pick AI to solve this specific problem?
Yeah. Let's build some automation. Yeah. Yeah. So if these are like, yeah, but it automates better, [00:44:00] it's not real AI. And you can, as a CISO, this is how I think you can dissect between good or bad, eh, marketing fluff. Yeah. And also I believe CISOs understand the problems that could be solved until today,
yeah, without AI, and you have plenty of them. Yeah. And the problems that we never solved, like remediation, like vulnerability and exposure management. Yeah. Everyone still has a backlog of vulnerabilities. Yeah. And everyone is trying to prioritize. This is a problem that has existed for so many years.
Yeah. I don't need to ask why AI is important here because so far nothing is successful. Yeah, and I think AI is the try and the attempt to make it
Ashish Rajan: successful. And as I, I love that as understanding as well, especially the two questions definitely hit home as well. So those are the technical questions I have. I've got three fun questions, which I'm sure you would've heard plenty of times, but now it's your turn to answer them.
First one being, where do you spend most time on when not trying to solve the cloud security problem with [00:45:00] AI?
Snir Ben Shimol: Talking to the team in Zest and making sure they're not working too hard, which they are, and taking care of our people. I think as a founder it is almost impossible to do something else than building the company, especially in this stage that we're at today.
Tons of new customers, tons of deployments, new challenges every time. I just have no time. If I do have time, go surfing. Oh, oh yeah. You have surfing in New York, by the way. You can surf like really good waves in New York. New York, yep. Okay. I need to look, take the pieces office the next visit.
Ashish Rajan: Let me know. I'll, Sec. Second question. What is something that you're proud of that is not on your social media?
Snir Ben Shimol: Yeah, everyone's proud in their social media. Something I'm proud about is, I think, wow. I think a lot of things, but the way we keep, the way we're being human to people that disagree with us.
I think there is something that I learned [00:46:00] and I'm very happy about. I'm having a lot of conversations with a lot of people, and I'm very proud of the fact that even now, if you're not going to use my technology, if you disagree with me, we're still going to have a lot of conversation and a lot of open conversation.
So I'm really proud of the way that I have a community of people, yeah, that give me feedback. I know how to get the feedback and I give them feedback and it's really good. So I think communication, the communication that we build in cybersecurity and the transparency, is something that I'm really proud of.
That's awesome, man. It's a big deal. It's a big deal.
Ashish Rajan: Great call out as well. Final question. What's your favorite cuisine or restaurant you can share with us?
Snir Ben Shimol: Thai. I love Thai food. I can eat Thai food like for years. Wait, green curry, red curry or Pad Thai? What? Yeah, all of them. All of them.
Because you have different types, and they're not using a lot of seasoning as much as they're using the pure vegetables in order to season. So it's healthy. Yeah. And you get the flavors without seasoning, but with vegetables. [00:47:00] And I love that. So
Ashish Rajan: I can see the way you describe it, how much you love it as well.
Where can people find more about Zest Security and the work you guys are doing there as well, and connect with you as well?
Snir Ben Shimol: Yeah. Opening LinkedIn. Yeah, please connect with me on LinkedIn. We have, I think, a website that really under-explains what we do.
Ashish Rajan: Yeah,
Snir Ben Shimol: we're very open about what we do.
You can have a demo from the website. On the website you can ask for a demo, without the salespeople, just like a really live demonstration based on the environment you have. And also on our LinkedIn and our page in Zest, zestsecurity.io. Yeah. And Zest Security on LinkedIn, we're always announcing product updates.
Yeah. I'll put those things
Ashish Rajan: in there as well, but dude, thank you so much for coming, and again, it's great to, we have a full circle, that you've been listening to the podcast for a while and now you actually got to come on it as well. So I'm glad we could make this happen. So thank you so much for coming on the show.
Snir Ben Shimol: It was my pleasure and my honor, and anyone that listened to this podcast and disagrees with what I had to say, I'm happy for them to contact me because I love conversations. [00:48:00]
Ashish Rajan: Perfect. I'll make sure. Please do. Thank you everyone for tuning in as well. Thanks time. Thank you. Thank you so much for listening and watching this episode of Cloud Security Podcast.
If you've been enjoying content like this, you can find more episodes like these on www.cloudsecuritypodcast.tv. We are also publishing these episodes on social media as well, so you can definitely find these episodes there. Oh, by the way, just in case there was interest in learning about AI cybersecurity, we also have a sister podcast called AI Cybersecurity Podcast, which may be of interest as well.
I'll leave the links in the description for you to check them out, and also for our weekly newsletter where we do in-depth analysis of different topics within cloud security, ranging from identity, endpoint, all the way up to what is CNAPP or whatever new acronym comes out tomorrow. Thank you so much for supporting, listening and watching.
I'll see you next time.