Why AI Guardrails Are Dead & The Threat of Indirect Prompt Injection


Are traditional AI guardrails giving you a false sense of security? According to David Haber and Paul Barbosa from Checkpoint, treating AI security like a traditional perimeter problem is not the way forward. In this episode, Ashish dives into the exploding threat of prompt injections. Paul explains why "language is the new executable," shifting the domain of exploitation from complex code to boundless human creativity. This democratization of hacking was proven by their viral AI security game, Gandalf, where 12-year-olds routinely outsmarted seasoned cybersecurity veterans because they weren't restricted by traditional IT boundaries. We break down the difference between direct and indirect prompt injections. David shares a real-world example of how a maliciously crafted Google Doc could silently prompt-inject an AI agent to exfiltrate a user's entire corporate inbox in just three seconds, leaving zero trace behind. We speak about why legacy Web Application Firewalls (WAFs) cannot detect these attacks, why rigid AI guardrails are dead, and how the industry should evolve toward contextual intelligence to secure the agentic future.

Questions asked:
00:00 Introduction
02:50 Meet David Haber (Lakera/Checkpoint) & Paul Barbosa (Checkpoint)
03:50 The Gandalf AI Game: 100 Million Interactions of Hacking AI
05:10 Why "Language is the New Executable"
07:20 What is Direct Prompt Injection?
08:50 Indirect Prompt Injection: The Invisible Threat
09:30 How an AI Agent Can Exfiltrate Your Inbox in 3 Seconds
11:30 Why Traditional WAFs Cannot Stop Prompt Injections
13:00 The Challenge of Securing Multimodal AI Interactions
14:20 Case Study: The Zero-Click Google Doc Exploit
16:10 Why AI Guardrails Are Dead (Moving to Contextual Intelligence)
20:30 The Unsolved Crisis of AI Agent Identity & Self-Replication
23:30 What a Real AI Security Incident Looks Like Today
26:50 AI Red Teaming: Testing Models Before Production
29:20 Why Startups Are the Most Vulnerable to AI Hacks
35:30 2026: Why Everyone Can Be a Hacker Now
37:00 Why 12-Year-Olds Are Beating Cybersecurity Experts at AI Hacking
38:30 Fun Questions: Crocodile Jerky Tasting
39:40 Hobbies & Pride: Golfing, Running, and Family
40:30 Favorite Cuisine: Salmon Nigiri (Sugarfish & Saru Sushi)

Paul Barbosa: [00:00:00] Prompt injection. The domain of exploit was very code driven. Right. You had to know, right, what you were doing, but with prompt injection, it's language. Yeah. And we're only bound by, like, the limits of human creativity, which we know is boundless.

David Haber: I can exfiltrate your entire corporate inbox in about three seconds.

While you are on vacation, you'll come back, you will not even notice. The indirect ones are often invisible. Not only hard to spot. Yeah. But also after the fact, you wouldn't even know

Paul Barbosa: the same action that an agent could take. Okay. Yeah. Or it could be catastrophic just depending on the conditions. Right.

And, and the concepts. We launched this contest around, uh, who is it? Teenagers. The teenagers, like, cleaned everybody's clock. We're boundary thinkers. We're constraint thinkers. Like, there's a control for everything. With these teenagers, you know, in language, they're like, there's no control. There's no boundary.

I can think of whatever I want.

David Haber: 2026, everyone can be a hacker. It's easier than ever. You need to really understand security system architectures, how networks are designed [00:01:00] now. What do you do? You talk to your friend, AI and most of the stuff is automated. We are actually at a very unique time, I believe right now, where we still have a chance for defense to catch up.

Ashish Rajan: AI guardrails are slowly deteriorating. Yes, you heard that, right? If you're just relying on AI guardrails as the AI security control and perhaps the only AI security control, then you may be missing some of the picture. I had a conversation with Paul Barbosa and David Haber, who has been behind the open source project called Gandalf, used by millions on learning how to do AI security.

We spoke about prompt injection and indirect prompt injection and how the world is evolving beyond AI guardrails, and why just relying on AI guardrails would not be enough in this ecosystem of AI agents and AI systems being created. What does the future look like for AI security teams with the products that they use in those organizations as well?

All that and a lot more in this episode with Paul and David. If you know someone who is working on these programs or wants to understand these technical AI security vulnerabilities a bit more, definitely [00:02:00] share this with them as well. And as always, if you have been listening to or watching the podcast episodes for a while and have been finding them valuable, I would really appreciate it if you hit the follow or subscribe button on whichever podcast platform you listen or watch on.

We are on all podcast platforms, including Apple, Spotify, YouTube, and LinkedIn. I also wanted to say thank you to everyone who came and said hello to us at RSA and shared the love and feedback for the work we do here. Thank you so much for all the love, and I look forward to seeing you at another conference or event as well. Enjoy this episode with David and Paul and I'll talk to you soon. Peace. Hello and welcome to episode three podcast. I've got two amazing guests with me. I've got Paul and David. Thanks for coming on the show.

Paul Barbosa: It's great to be here.

Ashish Rajan: Uh, maybe we'll start with some intros.

Maybe David, we can start with you. Uh, if you could just share a bit about yourself.

David Haber: Happy to. I'm VP AI Security at Checkpoint, up until recently, uh, CEO and founder of Lakera.

Paul Barbosa: Paul Barbosa, so VP of Cloud and SASE here at Checkpoint.

Ashish Rajan: Awesome. And to set the scene for AI security today, [00:03:00] uh, I was gonna start with some of the top of mind AI threats, vulnerabilities, whatever you're gonna call them. Prompt injection is like right up there. But you guys had, like, a whole entire open source project that kind of broke the internet. What was Gandalf, first of all, and what did you learn about prompt injection that suddenly made you guys go in that direction?

David Haber: First of all, you should go check out the city. Uh, there's a real Gandalf walking around which is, uh, which is really fun.

Ashish Rajan: Yeah.

David Haber: We started Gandalf about two and a half years ago. It was part of Hackathon that we did internally. It was a red team and a blue team going against each other.

Paul Barbosa: Yeah.

David Haber: Um, and we said, Hey, this is kind of fun. Let's launch this as a game. Little did we know that, uh, Gandalf, uh, would go absolutely bonkers. Yeah. Um, it has reached tens of millions of people, tens of thousands of organizations, and most importantly, we've collected over a hundred million interactions between humans and AI.

So what this really shows us is how [00:04:00] people are interacting with AI. And the interesting element for us, of course, is how do people try to exploit, hack AI? So Gandalf was a really fun game. It's a series of, uh, challenges where your job is to hack into AI.

Ashish Rajan: Yeah.

David Haber: It starts off very easy.

Ashish Rajan: Yeah.

David Haber: I think it's very hard and people love it.

Yeah. It's been described as, you know, the most accessible way to learn about AI and, uh, especially about some of the security, uh, issues that we're talking about here.

Ashish Rajan: Yeah. Yep. Also, and, uh, maybe indirect or prompt injection, just in general, 'cause a lot of people kind of know what that is. They hear the term quite often.

I'm sure when they walk the RSA floor, they'll just hear prompt injection everywhere as well. So maybe Paul, for yourself as well, what are you hearing from the customers that you're talking to that's making them concerned about AI security? Is that the number one thing that they're thinking of?

Paul Barbosa: I think it's the first because it's at the point of interaction, right? Yeah. And I think that point of inflection is, is where people gravitate to. And I think the thing for me, like when I really [00:05:00] started thinking about the context of prompt injection. And, and David actually taught it to me very early on when, when we were, uh, discussing after they came on board was, uh, language is the new executable.

Ashish Rajan: Mm.

Paul Barbosa: And when he said that it just triggered an avalanche of thought on like how the domain of, of exploit was very code driven. Right. You had to know what you were doing, you had to have this context. But with prompt injection, it's language. Yeah. And we're only bound by like the limits of human creativity.

Which we know is boundless.

Ashish Rajan: Yeah.

Paul Barbosa: And so it almost like, you start seeing a kaleidoscope in front of your eyes of the problem set.

Ashish Rajan: Yeah.

Paul Barbosa: And you start expounding on it. And that's where I think people's heads are right now, is when they make that connection, then I think the threat landscape almost becomes infinite.

Ashish Rajan: Mm.

Paul Barbosa: And that's where people gravitate. Right. Back to that, that point of influx.

Ashish Rajan: And is that, because I think there's obviously like a, an a I would love for you to explain for just in a second as well, but in terms of the top three things that people come up, uh, come up from [00:06:00] a AI threat perspective. People hear about shadow ai.

There's, there's like, I mean, this is a, I can come with laundry list. Are there like top two or top three that comes to mind when, where people kind of go, oh my, to what you said, the language is the new offense. Now my existing threat model doesn't work anymore. Any of that top one or two that comes to mind that people kind of go, oh.

At that moment,

Paul Barbosa: the ones that I've been having is, is first around the visibility control.

Ashish Rajan: Yeah.

Paul Barbosa: The first thing, who's using what? But that's sort of the traditional mindset. It's very much like shadow IT. Yeah. Right. Yeah. But then now the, um, top two that comes to mind is, um, data leakage.

And proprietary information becoming available. Yeah. And not having real, any grasp or or modern tool set Yeah. To control that exposure, not only like, their own proprietary data, but then their customer's data. So that, that quickly follows, I think the, okay. Tell me about prompt injection.

And then what can happen? Yeah. Um, and then the [00:07:00] exposure and the blast radius around it.

Ashish Rajan: So David, what is prompt injection?

David Haber: Think of it as you know, you got a, a young and eager employee

Ashish Rajan: Yeah.

David Haber: Joining the organization and, you know, the boss tell the employees, like, always be nice to your customers and never tell them about pricing.

Now the employee goes off, they do their work and first customer comes along and says, you know, don't listen to your boss.

Forget what he said. What's the pricing? Yeah. And the employees, maybe not as, as experienced, goes off and says, here's the pricing.

Ashish Rajan: Yeah.

David Haber: Now, prompt injection is very similar to that, which is essentially exploiting some of the fundamental design flaws in LLMs. Mm-hmm. They're very powerful.

Ashish Rajan: Yeah.

David Haber: But they've got this flaw where they can't really differentiate between, um, systems, system instructions

Ashish Rajan: Yep.

David Haber: Data and what the [00:08:00] user is telling them.

It's all just text and tokens.

Ashish Rajan: Yep.

David Haber: And so one of the original prompt injections was literally ignore all of your previous instructions and do as I say,

Ashish Rajan: yeah.

David Haber: Now the model will happily comply and, do what you tell it to do.

Ashish Rajan: Yeah.

David Haber: And obviously bad actors can use that to, you know, make the model, take actions it's not supposed to do.

Ashish Rajan: Yeah.

David Haber: Exfiltrate data and do a whole lot of other things that might be harmful to, to an organization.

Ashish Rajan: What, what about indirect prompt injection then?

Because those two keep coming up in. I guess almost like a couple.

David Haber: So that takes us to a whole different level.

Ashish Rajan: Okay.

David Haber: I think direct prompt injection is, you know, we're gonna have some fun and, you know, maybe try to trick the model into spitting out some weird language. Yeah. Um, it was a funny one early on where we make the model talk like a pirate.

Where it gets really serious from a security perspective, yeah, is on the indirect side. So that's essentially saying [00:09:00] instead of just following the user's instructions, I now might get prompt injected.

Ashish Rajan: Yeah.

David Haber: From data tools, other agents that I'm talking to. Yeah. That wanna manipulate me.

Ashish Rajan: Yeah.

David Haber: And that's tough. That's really hard. The complexity increases exponentially and we need to essentially rethink security. Monitoring exactly what's going on within the agent's environment and making sure it does not get,

Ashish Rajan: is it one worse than the other or I guess in terms of it doesn't have to be detection, I'm just curious in terms of the impacts that can have.

Do you find that one is more impactful than the other?

David Haber: So lemme give you this example. I can exfiltrate your entire corporate inbox in about three seconds while you are on vacation. Yes. Sipping a mojito.

Ashish Rajan: Oh wow.

David Haber: Now you'll come back. You will not even notice that I did that through an indirect prompt injection.

[00:10:00] You will have no idea.

Ashish Rajan: Right.

David Haber: So the difference between direct and indirect prompt injection is that the indirect ones are often invisible. And so they're not only hard to spot.

Ashish Rajan: Yeah.

David Haber: But also after the fact, you wouldn't even know.

Ashish Rajan: Yeah.

David Haber: And that's scary. Yeah, that is scary. And you know, I was, I was just in Carmel, uh, with a group of CISOs and AI builders and.

It's amazing to see what people build. It's amazing to see how much progress we make, but at the same time, we realize more and more that the real usefulness around agents is really tied to them being smart.

Having access to both trusted and untrusted data. Yeah. And also for them to be able to take action.

Ashish Rajan: Yeah. Yeah.

David Haber: Now the simple way to go up against indirect prompt injections is say, let's just shut down all the tools. Let's just not give it access to data.

Ashish Rajan: Yeah. Mm-hmm.

David Haber: But that kind of makes it useless as well. So the hard problem [00:11:00] is really enabling these agents in a secure way, without shutting them down, giving them the autonomy and everything that they have to do while protecting against prompt injection and, and other threats.

Ashish Rajan: Yeah, I'm, I'm curious, Paul. 'cause uh, it's, we've all been in cyber security for a long time. People already have, like, an EDR, IDS, firewall, like, you know, this is all investment already happening in the enterprises. The current model, let's just say the pre-gen-AI model. So none of this gets picked up there.

Like the, it doesn't come in the metrics for on any, is that like a thing that you guys are seeing as well or people have an understanding that there is a gap?

Paul Barbosa: A hundred percent. Like one of the first things that, that we started doing when we, we started the diligence process, was to think about the access modalities that people were gonna interact with LLMs through. And, and one of those in the AppSec world is, is through a WAF.

Ashish Rajan: Yeah.

Paul Barbosa: And we thought, well, there's the OWASP Top 10, and you can see web attacks and you can see malformed requests and whether you're signature based or not, you know, this is [00:12:00] the modality, but how do you detect the prompt injection through a WAF?

It's impossible.

Ashish Rajan: Yeah.

Paul Barbosa: And so if that's the access modality, that's the first, one of the first places that we chose to make the integration with Lakera and the runtime security was to augment the WAF. So that it could see the runtime protection, because otherwise it's, uh, like you said, it's a request and it goes and, uh, there's no, there's, there's, there's no existing method to try to detect it.

So in many ways, we're having to reimagine everything that we're doing. Yeah. Uh, around protecting around these indirect and, and direct prompts.

Ashish Rajan: And, sorry,

David Haber: the, the thing that has really changed with AI over the last three years is just how we interact with it.

Ashish Rajan: Yeah.

David Haber: That's the big difference. I mean, what made ChatGPT so successful?

The technology had been around for a little bit.

Ashish Rajan: Yeah.

David Haber: But it only, it only became as successful when I could show it to my grandmother.

Ashish Rajan: Yeah.

David Haber: And she all of a sudden could see the intelligence and power that AI [00:13:00] brings to all of us.

Ashish Rajan: Yeah.

David Haber: So the only difference was the interface that we can communicate in natural language that we can.

Exchange images.

Ashish Rajan: Yeah.

David Haber: Audio, video, PDFs, all sorts of things.

Ashish Rajan: Yeah.

David Haber: So that's really the difference. Now securing against that multimodal world is incredibly challenging.

Ashish Rajan: Yeah,

David Haber: because you're just mathematically, I mean, your space has become so complex that existing solutions need a massive upgrade.

Now, obviously we're, we're fortunate to have Paul. Yeah. He's been busy working on that. But it's not just an incremental step up.

Ashish Rajan: Yeah. Yeah.

David Haber: The way we need to think about securing the interactions between us and agents

Ashish Rajan: Yeah.

David Haber: Is tremendous. Now, let alone, agents communicating with each other.

Ashish Rajan: Do you find that, I mean, obviously we've described the two problems, but there was one example, I think you guys did some research with [00:14:00] Google Doc and MCP, like a one click, zero click again. Could you describe that as well? What was that research, and how was it connected to AI?

David Haber: The example you're referring to is a, is a beautiful illustration of indirect prompt injection. So we had a, uh, Google doc that included a, uh, a malicious piece of text.

Ashish Rajan: Yeah.

David Haber: Prompt injection.

Ashish Rajan: Yeah.

David Haber: We shared it with a user.

Ashish Rajan: Yeah.

David Haber: So I literally, share my document with Paul.

Ashish Rajan: Yeah. Yeah.

David Haber: Paul again, he might be on vacation.

Ashish Rajan: Yeah. Yeah.

David Haber: Uh, he's not even looking at the document.

Ashish Rajan: Yeah.

David Haber: But we essentially had AI connected

Ashish Rajan: Yeah.

David Haber: To, to his Google Drive.

Ashish Rajan: Yeah.

David Haber: Not his in this example, but, uh,

Ashish Rajan: I'm in.

David Haber: He's, um, and so. It's a beautiful example of how you can manipulate the model and exfiltrate data.

Ashish Rajan: Yeah.

David Haber: Without the person even knowing about it.

Ashish Rajan: And to, to your point, uh, it was an agent that was processing the Google Doc. Just took the introduction and did what was needed as well.

David Haber: Agent taking the [00:15:00] contents of the, of the Google Doc.

Ashish Rajan: Yeah.

David Haber: Um, and, uh, deciding to do something else, uh, which I just wanted a

Ashish Rajan: summary of the emails,

David Haber: Exfiltrate data.

Yeah. Um, and in this case, you know, pretty, it was pretty bad.

Ashish Rajan: And would you, uh, so it's an interesting one, because I was thinking also from an architecture perspective, like, you know, we are obviously talking about the newest threats that are there in AI and how the existing threat model really works.

So what's the new approach to this? Because there, there is this balance that people are trying to find where, hey, if I go for a cloud subscription or an OpenAI enterprise subscription, shouldn't this be covered as part of that? Like, 'cause this is what we did with cloud, where Amazon Max or Google, they came with their security versions as well.

And now Cloud has security versions too. So do you guys see these problems as you guys are more invested into this? For CISOs and other leaders who subscribed to an enterprise version of these foundational models, is that enough to tackle these?

David Haber: Coming to RSA is interesting. Always. Yeah. I think this year is particularly interesting [00:16:00] because it gives us a sense of just how quickly AI has evolved over the last couple of months.

Ashish Rajan: Yeah.

David Haber: When we came last year, the hot talk in town was guardrails.

Ashish Rajan: Yeah.

David Haber: I think. I believe guardrails are dead.

Ashish Rajan: Mm-hmm. Okay.

David Haber: With the autonomy and the complexity that agentic AI brings, we need to go away from what are essentially perimeter checks.

Ashish Rajan: Yeah. Yeah.

David Haber: Putting one guardrail after another.

You know, I don't want this chatbot to talk about weapons, no hate speech.

Ashish Rajan: Yeah.

David Haber: Don't bash the competitor.

Ashish Rajan: Yeah.

David Haber: Prompt injection defense. Yeah. We've been layering on these guardrails on top of AI that's over. It doesn't scale. What we need to do now is we need to move from perimeter checks to contextual intelligence.

Essentially looking at what is the agent's design

Ashish Rajan: Yeah.

David Haber: Intent.

Ashish Rajan: Yeah.

David Haber: What are the system instructions? What [00:17:00] are the traces from past behaviors?

Ashish Rajan: Yeah.

David Haber: What are maybe user analytics around that? We need to evaluate that against what is the agent currently doing?

And that gives us the ability to reason about whether this agent is doing what it's supposed to do.

Ashish Rajan: Yeah.

David Haber: Or maybe it's being manipulated or maybe it's using tools that it's not supposed to, it's not supposed to call. So that problem has evolved dramatically. It's a very hard problem to solve.

Ashish Rajan: Yeah.

David Haber: Because ultimately, at the end of the day, you need to build almost superhuman AI to secure AI. And so there's lots of considerations around that.

Ashish Rajan: Yeah.

David Haber: But guardrails are dead.

Ashish Rajan: Right.

David Haber: And it's interesting to see the conversation and how it has evolved since last year.

Ashish Rajan: Yeah.

David Haber: Which is why it's always interesting to be here and have those kind of conversations.

Ashish Rajan: Yeah. Yes. And

Paul Barbosa: yeah, I was, I was thinking about like, you know, the same action that a, that an agent could take.

Uh, the same action Could be. Okay.

Ashish Rajan: Yeah.

Paul Barbosa: Or it could be [00:18:00] catastrophic, just depending on the conditions. Right. And in the context, as David mentioned, because, like, the constraint on AI is never gonna be the security, I don't think, unfortunately. It's good. The constraint's gonna be the productivity, and, and the productivity by its very nature is always to be more helpful.

Is gonna ask for more and more access.

Ashish Rajan: Yeah. Yeah.

Paul Barbosa: More and more authorization. And I think as humans, we're gonna gladly. Grant that because it's gonna make our lives easier, it's gonna make us more productive. And so if that's the new reality and without the context happening at runtime,

Ashish Rajan: yeah.

Paul Barbosa: That says I'm an admin.

I need to see all PII data to do my job. Oh, okay. I can help you with that. Yeah. That same action taken by an attacker could be catastrophic.

David Haber: Absolutely. Absolutely.

Ashish Rajan: So what's the, it's an interesting one, 'cause you know, people are talking also about the non-human identity part of the world, which is where now it's not just Ashish taking an action.

It could be an agent on behalf of Ashish, or it could be an agent by itself. So that entire [00:19:00] ecosystem has kind of, is it a false sense of security? If I just rely on the fact that if I have done identity right, or least privilege right, that should be enough. Or is that just reducing my exposure, but not removing the risk of being, I guess, to what you said about, Hey, guardrails are good, but oh, used to be good, not good anymore.

Is that enough for me to rely on identity, network, least privilege?

Paul Barbosa: I don't think it should be dismissed. Yeah. I think every, every check and, um, is valid. Um, but I, I think like, uh, it's never gonna be enough, right? Because we can never say like, okay, we did this and we did this. The space is evolving too fast.

Ashish Rajan: Yeah.

Paul Barbosa: Uh, for any static control to say now that, okay, I understand I have non-human identity and I'm gonna apply least privilege to those and I'm gonna understand that. And I'm gonna understand my data structure and I wanna make sure I know where all my data's moving in and out of clouds and on-prem in this and okay.

Whew. I can take a breath because I'm done.

Ashish Rajan: Yeah,

Paul Barbosa: that's just to keep pace, I [00:20:00] believe for like, I think this,

Ashish Rajan: that's just table stakes.

Paul Barbosa: That's table stakes. And the next, uh, like the, the next frontier is, is gonna be, like, I think all around context at every level, like how you build the underlying infrastructure and then where you put runtime controls, like where the prompt can happen, because more and more every single application is gonna be embedded, right, with the agentic capability.

Ashish Rajan: because you almost, and maybe this is interesting from your perspective as well, 'cause you, while you're doing AI security, there is this also this question of how do you even identify between the two personas, Ashish versus the AI agent? Is that easy to do or is that enough telemetry for it?

David Haber: Listen, from where I come, I, I don't think the identity problem for agents has been solved. Right. Okay. At all.

Ashish Rajan: Right.

David Haber: Um, we're doing a lot of work on this. I know other teams are doing amazing work around this, but it, it hasn't been solved. I think there are certain important questions around how we want to treat agents.

Mm-hmm. Um, as it relates to not only different use cases and types of agents. One of the big [00:21:00] areas that, you know, people are looking into is self-replicating agents. So you've got teams that are replicating themselves to maybe do other tasks or, similar ones. How do identities evolve with that? I don't think that's clear at all.

So it's an open area, I think, for everyone. Um, obviously, you know, many claim they've solved it. I've not seen anything that convinces me that, that we have a good handle on that. Yeah. Um, but we'll have to get there fast. I mean, we're

Ashish Rajan: seeing these agents of course, being adopted everywhere and, uh,

David Haber: it's something that we're putting a lot of effort into.

Yeah. With our partners to solve it.

Ashish Rajan: Interesting point as well, because the, and going back to what we were saying about earlier. It was okay for me to do a point in time and go, yeah, my WAF's taking care of everything, so, oh, OWASP Top 10, don't worry about it, because it's like a point in time, continuous thing.

But what you're saying is if you just do the identity part once, like, oh, you've made sure Ashish had least privilege today, doesn't really mean the agent that I'm using doesn't have an MCP that connects you to Google Doc [00:22:00] tomorrow. 'cause I've just done my job. I've moved on from Ashish, Ashish, whatever he was doing, and we, it keeps doing.

That part is a missing piece at the moment that no one's talking about too.

David Haber: That's it. And you know, the easy answer is always to say constraint.

Ashish Rajan: Yeah.

David Haber: But it comes back to what I said earlier, the safest car is the car that doesn't drive, but are you gonna buy a car that doesn't drive?

So I think again, it comes to the subtleties of enabling agents.

Ashish Rajan: Yeah.

David Haber: With the right approach to identity management.

Ashish Rajan: Yeah.

David Haber: And, uh, that needs careful design and consideration. It is so intertwined with not only security, but how do we deploy these agents? Mm. Where do they live?

Ashish Rajan: Yeah.

David Haber: They're crossing different environments.

Yeah,

Ashish Rajan: yeah.

David Haber: You know, with tool calls, with self replication, with, you know, all the things that they're wonderful, at doing, and, um. It's, uh, it's it, it's a difficult problem.

Ashish Rajan: So I'm curious, what does an incident look like now then? [00:23:00] Because obviously people understand, oh, OWASP Top 10 incidents?

They're like, oh, I have a SQL injection. I go and fix this technical problem. And we are saying these instructions are now the new threats. So what does an incident look like in this world of AI security now, where we've obviously spoken about prompt injection and all of that sounds like, I don't think there were guardrails for, if this was to happen in the pre-gen-AI era, I would not even know what, what tool would pick it up.

David Haber: Yeah.

Ashish Rajan: So I'm curious, what's an incident today, which you probably think is an AI security incident that makes sense, if you have examples of it.

David Haber: I think we see several examples around data exfiltration.

Ashish Rajan: Yeah.

David Haber: Um, we, uh, showcased. The Google Doc vulnerability that we discussed earlier.

Ashish Rajan: Yeah.

David Haber: There's several CRM companies out there that have you know, been exploited in one way or another.

And uh, we also see vulnerabilities around, you know, the use of Copilot Studio.

Ashish Rajan: Yeah.

David Haber: Uh, and [00:24:00] agents that are being built on that platform. And by the way, all of these are exploits using indirect prompt injection.

Ashish Rajan: All right. Okay.

David Haber: All of them.

Ashish Rajan: Yeah.

David Haber: Now, the interesting bit across all of these is it's not a vulnerability in the traditional software system.

Ashish Rajan: Yeah.

David Haber: So Microsoft Copilot Studio, that's not the vulnerability or it doesn't have vulnerabilities network. It's not, that's not what it is.

It's the intelligence in the models that we're exploiting.

Ashish Rajan: Yeah. Yeah.

David Haber: That's a completely new type of incident where

Ashish Rajan: Yeah.

David Haber: We also need to look at how we wanna remediate that.

Ashish Rajan: Yeah.

David Haber: Because I, I can't go and, and patch up a piece of code and, here we go.

Ashish Rajan: Yeah.

David Haber: Um, again, both from the attacker side the attack surface is way too complex.

Ashish Rajan: Yep.

David Haber: And also, the models themselves need serious retraining to, you know, maybe avoid that similar attack in the future. So it's both of the [00:25:00] types of exploits that we're seeing. It's obviously easier for attackers than ever to not only go after AI, but also, you know, traditional software. And then it's also, um, about how, how we think about remediating, uh, what we, what we observed, which is a big change.

Ashish Rajan: Because I know I, because we mentioned WAF earlier, and there are two camps at the moment for, is this a data security problem or an application problem? Because obviously we have traditionally defined camps in cybersecurity. Everywhere there's an AppSec person, there is a cloud person, there is insert another category of cybersecurity.

David Haber: Now it's everything.

Ashish Rajan: So does that mean organizations need to restructure themselves and it's no longer just my, Hey, I need to talk to the AppSec person. Where's my Joe from AppSec to solve this? Is that what you're seeing as well?

Paul Barbosa: Exactly.

Like it's, and our, our approach to that and our, our thinking around it is you know, multi-disciplined where like, wherever these agents can run, uh, that there needs to be some inference of like runtime control and detection around [00:26:00] it. And it's not like, you know, there's this one group that owns the tool, uh, where it used to be like they own the tool.

Yeah. They're network security team. They got the firewall. Yeah. Yeah. We'll get a ServiceNow ticket. It'll go to them, they'll investigate. Resolve it. Now I think everyone more than ever, like it's everyone's problem.

Ashish Rajan: Yeah.

Paul Barbosa: And everyone has to have some answer. I think if I'm a CISO, I'm going to every domain.

That I have, uh, a tool set.

Ashish Rajan: Yeah.

Paul Barbosa: Say how are you solving for this? 'cause it can render itself, uh, through, you know, your, your control, your tool set, or the applications that you're protecting.

Ashish Rajan: I was gonna go into, um, the AI red teaming piece as well, because at the moment we mentioned WAF earlier.

It's always been that layer. But what you're saying is that hey, guardrails are not gonna help you with an evolving identity. So is the, what is the new frontier, that red teaming, continuous red teaming? Is that the new frontier we're moving towards? Do we even feel comfortable that we are picking up on these incidents?

Paul Barbosa: It's interesting. Like the conversations I had all day yesterday with [00:27:00] CISOs, with VPs, directors, were in three categories. It was first like, I need total visibility

Ashish Rajan: Yeah.

Paul Barbosa: Of what's being used in my organization. And then I need something for prompt injection seemed to be like the, the lead in.

Yeah. Yeah. But it was runtime protection. Right. And where this happens. And then the third category was exactly the, was like, well, for my own organization that's developing our own models, right, our own AI enabled applications, what, what is out there for me to test those

Ashish Rajan: Yeah.

Paul Barbosa: Proactively before they go into production. And so we're trying to address that as well. And I think that was born from, um, our, our early customers, same request, which was a service. Now we're launching it as, as now a product, uh, that is red teaming for AI.

Ashish Rajan: Yeah.

Paul Barbosa: So that people can feel some assurance, uh, that they're ready to go into production.

And it's continuous. It doesn't like, uh, it's not a one time step. So we had an interesting conversation with the chief AI officer of an insurance company and he's, he's super proud. Yeah. And he should be, 'cause [00:28:00] they were launching this new AI application that's enabling so much productivity. And, uh, I asked him about the test dev process and I said, well, what kind of red teaming did you do prior?

He said, no, no, no. It's not mine. Like, uh, I'm sure you know, there's shared responsibility models and this and that.

Ashish Rajan: Yeah.

Paul Barbosa: And we just kind of looked at each other and he went, yeah. And I went, yeah. And I went, yeah. And he goes, that's something you could help us. But we're like, well, yeah let's talk more.

Yeah.

But it's almost like you see the, the bright light come on and go, oh shoot, I need to also now address this domain.

Ashish Rajan: Yeah. So what, what does maturity look like then? Because I think in people or in customers you guys are helping with, I don't think anyone's figured out AI security, but at least people who feel like they have figured out some parts of it.

What's the, what's the minimum you think people should have in consideration? 'cause I imagine many leaders, to what you're saying around RSA, they're walking around thinking, okay, I'm gonna build an AI security program. What are the two or three minimum things I need? I probably still leave my identity, [00:29:00] everything else that I'm already doing, but.

What are 2, 3 things that I start with and what would maturity look like for what some of the more mature organizations are doing?

David Haber: I mean, we see a spectrum. Okay. Like I, I met with a bank yesterday. Yeah. Uh, it's incredible, you know, how advanced they are in parts because we're working with them.

Yeah. But you also see, you know, companies that are just starting to explore. One group I'm actually very worried about is, uh, is the startups, it's the non-enterprise sector. It's the startups that, you know, might have 10, a hundred, you know, 500 million in revenue.

Ashish Rajan: Yeah.

David Haber: And they don't have a, an AI security program in place.

We are used to just having the, you know, big guys being, being attacked.

Ashish Rajan: Yeah.

David Haber: And the rest sort of does security through obscurity. With the attacker side changing and making it, making it easier to, to penetrate, you know, the enterprise sector, there will also be, um, a bigger effect for startups. Yeah.

Coming out of this, that's a group I'm, I'm particularly worried [00:30:00] about. Now, within an organization, mm-hmm, I think it often starts with ownership. Having someone that, that is looking after this new area, realizing that it is a new area. Uh, we see some of the most mature organizations, that they have appointed, uh, an AI security lead. Yeah. Um, looking at everything holistically.

Ashish Rajan: Yeah.

David Haber: And then the 2, 3 things to look at is, you know, let's first understand what's going on.

Ashish Rajan: Yeah.

David Haber: I mean, everyone is adopting Copilot and ChatGPT and MCP as part of their work. I wanna be productive at work.

Ashish Rajan: Yeah.

David Haber: You know, I'm gonna adopt all of these tools, but if my organization decides to shut everything down, what's the next best thing I'm gonna do? I'm gonna use it on my phone, I'm gonna use it on my personal laptop, that, that's right next to my work laptop. And um, you know, I do the copy and paste, that's bad.

So the question becomes how do I understand what's going on and then how do I enable that type of adoption?

Ashish Rajan: Yeah.

David Haber: In the first place, securely. And then of course, I think, you know, you talk about red teaming. Red teaming is, [00:31:00] um, we've had a lot of success showcasing just how vulnerable the types of applications and agents

are that, that enterprises build.

Ashish Rajan: Yeah.

David Haber: But at the end of the day I believe it really serves as, as an educational tool in the first place.

Ashish Rajan: Yeah.

David Haber: So we've seen the organizations that we've been fortunate to work with, really be accelerated because they deeply understand, oh, the threat model has changed.

I didn't think about that. I, I didn't think about the fact that my agent has a memory.

Ashish Rajan: Yeah.

David Haber: And once that becomes poisoned, uh, the agent goes rogue.

Ashish Rajan: Yeah.

David Haber: So it first and foremost serves as an educational tool, and what you get with someone that has ownership

Ashish Rajan: Yeah.

David Haber: and someone that, or, or education around that,

is, um, a structured AI security program that ultimately, I see this day in and day out, allows organizations to just adopt technology very quickly.

Yeah. And that's what we ultimately want.

Ashish Rajan: Yeah. And I guess to your point, for those people who are in that small [00:32:00] medium market, may have huge revenue, but may not have a dedicated security program, are there things that you think they have as an opportunity for.

I dunno, what, what, what would you, I, I feel like a minimum viable product probably is the right word for it. But what's the minimum amount of security they should consider? Uh, whether it's a WAF or whether it's the like, 'cause that kind of goes back to like, they may have an AppSec team, they have an identity team, but they don't have like a dedicated chief AI officer.

Yeah. 'cause that's not big enough for it.

David Haber: So what's important here? So I think about the world as Cyber 1.0 and Cyber 2.0.

Ashish Rajan: Okay.

David Haber: What's in the middle?

Ashish Rajan: Yeah,

David Haber: the launch of ChatGPT. Okay. When I talk about being worried about the startups in the world, okay, it's about both of these, both these phases.

Why is that? The dynamics between offense and defense have changed. Mm-hmm. More companies will be attacked.

Ashish Rajan: Yeah.

David Haber: Uh, not only on their AI. Yeah. Also their traditional systems. [00:33:00] And so what they have to do is not only think about security around AI, yeah, but security as a whole.

Ashish Rajan: Yeah.

David Haber: Everything that we used to do, everything that was relevant until the launch of ChatGPT is more relevant than ever.

Ashish Rajan: Yeah.

David Haber: Yes, I mean, you know, think about what kind of WAF you have in place.

Ashish Rajan: Yeah.

David Haber: You know, how do you protect your agents? Do you know what's going on within your organization? When you launch a, a chat bot that touches hundreds of millions of people out there

Ashish Rajan: Yeah.

David Haber: and maybe has access to confidential data, it might not be a bad idea to, you know, red team it before you launch it.

So I think to me it comes back to ownership. And maybe it's not the chief AI officer, but maybe it's someone on the team. And those types of companies should be able to, to hire someone onto the team that, you know, has this as a priority. Security in the age of AI.

Paul Barbosa: Yeah. We're seeing this very interesting dynamic, right?

That at least in in, in the cloud network security arena, that's part of, [00:34:00] part of what I do is almost a reaffirmation of the controls around the ingress and the egress.

Ashish Rajan: Yeah.

Paul Barbosa: Right. And this, it makes sense to me, this dynamic of like surging resources to a new expanding threat surface. Is necessary.

Have to do it.

Ashish Rajan: Yeah.

Paul Barbosa: But the Cyber 1.0 attacks have not ceased. Yeah, they haven't been stopped. They're still there. Still there. You know, those exploits are still happening. And the conversations that we're having a lot now is almost like a network transformation. Mm-hmm. Or, uh, they say transformation. I see it like reaffirmation.

Ashish Rajan: Yeah.

Paul Barbosa: Right. Do I have the best prevention at the edge, and are my perimeters, uh, sound? Where are my remote users and how are they accessing both the internet and how are they accessing corporate resources? Uh, that conversation is re-energized. The other thing people are realizing is that while I surge resources in one direction, I can't be exploited in the other.

Um, and so traditional coupled with the new, you know, it's, it's exciting right now because, uh, the conversations are almost like, you know, let's go, let's go fast. Let's reimagine this. How would you do it? [00:35:00] What does your threat prevention look like? Yeah. How effective is your threat prevention?

It's, uh, it's, it's now like, okay, yeah, let's, but batten down the hatches because we're gonna need the surge in this new direction.

David Haber: I gave a presentation in Carmel and one of my title slides was 2026. Yeah. Everyone can be a hacker.

Ashish Rajan: Yeah.

David Haber: And I really believe in that.

Ashish Rajan: Yeah. Yeah.

David Haber: It's easier than ever. If you think about pre-ChatGPT, the amount of people that could hack into Google

Ashish Rajan: Yeah.

David Haber: or any other big company in the world, any complex system, it's tiny.

Ashish Rajan: Yeah.

David Haber: Gotta be an expert. Yes. You need to really understand security, system architectures, how the internet works, how networks are designed. Now what do you do? You talk to your friend AI and most of the stuff is automated.

Ashish Rajan: Yeah.

David Haber: And we see this again on non-AI systems and, um, or around non-AI systems and around AI systems. Coming back to your initial question around Gandalf.

Ashish Rajan: Yes.

David Haber: The most beautiful example we see. 12-year-old kids [00:36:00]

Ashish Rajan: Yeah.

David Haber: That are very successful playing the game. And we see some of the most advanced hackers that are also very successful at playing the game.

Ashish Rajan: Yeah.

David Haber: And so the spectrum and the democratization of offensive security is wild and is accelerating. Wow. We are actually at a very unique time, I believe right now, where, we still have a chance for defense to catch up.

Ashish Rajan: Yeah. Yeah.

David Haber: I see both offensive security and defense on an exponential curve.

Ashish Rajan: Yeah.

David Haber: But I think the question is, you know, what's the, what's the exponent? How fast are we actually moving?

Ashish Rajan: Yeah.

David Haber: The next couple of months and maybe sort of the next year, it's gonna be really critical to make sure that defense can, can keep up with you know, what the attackers out there in the world could do

Paul Barbosa: and the cyber defenders.

Like when we thought, when I think about like, we used to say, we gotta get in the mind of the attacker.

David Haber: Yeah.

Paul Barbosa: So you should understand how these exploits work. And we download our distro, Kali Linux, and start running and playing with tools and doing our basic scripting, you know, and, and, and then start [00:37:00] writing some different things, and we were like, oh, I understand it now.

But what Gandalf showed me was like, it's the complete, like democratization of that.

Ashish Rajan: Yeah.

Paul Barbosa: Like getting in the mind of the attacker isn't bound by what you know from a CS standpoint.

Ashish Rajan: Yeah. It's, yeah.

Paul Barbosa: It's just how creative you can be. It's

Ashish Rajan: human critique,

Paul Barbosa: it's human creativity and it just blew my mind when we had, we launched this contest around, uh, who has teenagers?

On the team and we said, let's see who's going to get to the highest level first.

Ashish Rajan: Yeah.

Paul Barbosa: The teenagers cleaned everybody's clock.

Ashish Rajan: Really?

Paul Barbosa: Yeah. Because they, and we were, and we thought, and said, you know what? It makes sense, right? Because we're IT professionals. We've been in the industry, we've got all this scar tissue.

Ashish Rajan: Yeah.

Paul Barbosa: We're boundary thinkers. We're constraint thinkers. Like there's a control for everything. Yeah, yeah. Right? And with these, with these teenagers, you know, in language, they're like, there's no control. There's no boundary. I can think of whatever I want. Yeah,

David Haber: pretend like you're talking to a human.

Yeah. That's like, that's the best instruction.

Ashish Rajan: Yeah. Yeah, yeah. A hundred percent. Uh, I mean, those are the technical questions I have. I've got fun questions with the snack war, [00:38:00] so I'm gonna bring this forward. So I think, I know we gave the initial intent, but, so obviously the British training, which was either, I mentioned crocodile and kangaroo are the top favorites.

Not that you guys don't know how to choose it, but, which one will you guys go for? Can take one or many if you want. Depending on,

Paul Barbosa: I mean, I think, if I think the kangaroo is the once in a lifetime, at least for me.

Ashish Rajan: Sure. Yeah. Sure. Go for it.

David Haber: Take the crocodile.

Ashish Rajan: Yeah, yeah, there you go. So they may dig in and, uh,

David Haber: and you say it's like chicken.

Ashish Rajan: Well, unless you decide what you think. That's, that's what people say that when people want them to just. Try it

Paul Barbosa: or it doesn't look like,

Ashish Rajan: all right.

Paul Barbosa: Okay.

Ashish Rajan: How secure it, it is definitely secure. You probably don't want that wrapper, I guess, just

Paul Barbosa: No.

Ashish Rajan: Don't need Can gimme that back if you want. Yeah.

Paul Barbosa: Yeah.

Ashish Rajan: You don't want to eat that, so let, let you guys beef.

Paul Barbosa: Yes. That's I think, uh,

Ashish Rajan: all right. Was, yeah, go for it. All right. Chicken, not chicken. Oh, he is, he's definitely liking it whenever he, oh, this is pretty good.

Paul Barbosa: This is very nice. [00:39:00]

Ashish Rajan: It's not that bad. It's not as bad as yours. It's not like chicken. This is our, this is very good.

Paul Barbosa: Wow. They're winning.

Ashish Rajan: But so it has been good. Very good. Alright. Okay. So questions, fun questions. First one, where do you spend most time when you're not trying to solve the AI security problems of the world?

David Haber: Running,

Ashish Rajan: running, you

Paul Barbosa: golfing.

Ashish Rajan: Oh yeah, I remember, I remember golf market.

Paul Barbosa: It's a never ending question.

Ashish Rajan: It's like, I'm not gonna ask you handicap

Paul Barbosa: my passion increases. My skill is, uh, flatlining.

Ashish Rajan: Oh, okay. Flatlining.

David Haber: Sorry. I know you're running RSA fashion week. Yeah. Um, the two of you, I'm not sure I'm part of it this year, but, uh.

I would love to, I would love to, I would love to launch the RSA running club.

Ashish Rajan: Oh. Um, I would definitely, man, we should, we would definitely do it next year. We'll definitely make it a thing. I love

Paul Barbosa: ERO as the sun comes up.

Ashish Rajan: Yeah, yeah. We'll, we'll definitely make it a thing. We love that. Same question. What is something that you are proud of that is not on your social media? [00:40:00]

David Haber: My kids.

Ashish Rajan: That's a good one.

Paul Barbosa: Proud, not on my social media. Ah, same. Family. My parents.

Ashish Rajan: Yeah. And well, the third, final question. Favorite cuisine or restaurant? Say that again. Favorite cuisine or restaurant?

Paul Barbosa: Salmon nigiri.

Ashish Rajan: Salmon nigiri.

Paul Barbosa: Yes. If you put a loaded table up

Ashish Rajan: Yeah.

Paul Barbosa: Line it up and just get outta my way.

Ashish Rajan: Oh, really?

Paul Barbosa: And see the damage. Yeah. And LA, Sugarfish. I know there's amazing sushi restaurants all over the world. Yeah. Maybe hotly debated. Uh, but for me, Sugarfish in Santa Monica, salmon nigiri,

Ashish Rajan: Sugarfish. What about you, man? Yeah, you have some

David Haber: We're in San Francisco. I might sound like a tourist, but you know, I used to live here.

Yes. So, uh, I'll say, uh, sour sushi in, uh, in noi. I recently stopped. You know that place?

Paul Barbosa: I've heard of it.

David Haber: It's amazing. I stopped at the bar and the chef was just handing me out this amazing,

Ashish Rajan: oh, it sounds amazing. Incredible. You're even making me hungry now. Where can people [00:41:00] find more about the work you guys are doing for AI security at Check Point?

What's the best link for this?

David Haber: LinkedIn?

Ashish Rajan: And what was the link for Gandalf? Gandalf.lakera.ai

Gandalf.lakera.ai, I'll add that in. I'll put you on LinkedIn and there as well, so other people wanna connect with you again and learn more about the work you guys are doing as well. But thank you so much for coming.

David Haber: Thanks for having

Ashish Rajan: us. Uh, and thank you so much.

David Haber: Good to see you.

Ashish Rajan: Good to see you as well. Thanks everyone. Thank you for listening or watching this episode of Cloud Security Podcast. This was brought to you by Tech riot.io. If you are enjoying episodes on cloud security, you can find more episodes like these on Cloud Security Podcast TV, our website, or on social media platforms like YouTube, LinkedIn, and Apple, Spotify.

In case you are interested in learning about AI security as well, do check out our sister podcast called AI Security Podcast, which is available on YouTube, LinkedIn, Spotify, Apple as well, where we talk to other CISOs and practitioners about what's the latest in the world of AI security. Finally, if you're after a newsletter that just gives you top news and insight from all the experts we talk to at Cloud Security Podcast,

you can check that out on cloudsecuritynewsletter.com [00:42:00]. I'll see you in the next episode. Peace.
