Will AI Replace Application Security? Navigating the New SDLC

Is your DevSecOps program ready for the AI revolution? If your security team is still relying on legacy DAST and drowning in tickets, the answer is no. In this episode, Ashish sat down with Joe Sullivan (former CISO of Facebook, Uber, and Cloudflare) and Scott Gerlach (CSO & Co-founder of StackHawk) to discuss the radical shift happening in application security. With developers using AI to ship code 10x faster, the volume of vulnerabilities is skyrocketing. Joe and Scott explain why the old model of security "pushing back" on developers is broken, and why runtime security (modern DAST) is the key to surviving the flood of AI-generated code. We explore the changing role of the CISO, why software engineering is the most disrupted job right now, and why the best engineers (and security pros) are moving away from syntax memorization to focus purely on problem-solving.

Questions asked:
00:00 Introduction
03:40 Meet Joe Sullivan & Scott Gerlach
04:20 How Gen AI Changed AppSec Overnight
05:30 Why AppSec is the Hardest Job to Fill Right Now
07:20 The Myth of the "Mature" DevSecOps Program
09:30 The 10x Vulnerability Problem: Why "Pushing Back" Fails
11:30 Legacy DAST vs. Modern DAST (Killing False Positives)
17:30 The New Risks: Business Logic Testing in the AI Era
19:30 The Token Burn: When Will Companies Demand ROI on AI?
26:30 Squeezing the Balloon: Why Non-Deterministic Code Demands Runtime Security
29:20 Is the IDE Dead? How AI is Changing How We Code
32:30 The Most Disrupted Job in the World: Software Engineering
36:30 The Evolving Role of the CISO and the Decline of the CIO
41:00 Why Problem Solving Matters More Than Syntax
43:30 Fun Questions: Vegemite Tasting, Skiing, and Family Pride

Scott Gerlach: [00:00:00] Before, I would say even the end of last year, the AppSec programs were really still kind of reactive and just trying to keep up as best they could, and then AI hit the ground and everyone's like,

Joe Sullivan: wow, we're way behind. Now. The vulnerability volume is 10x-ing as well. And we were already in trouble for pushing back too much at them.

Some of the companies I work with are letting non-engineers push code that ends up in production, and if security catches that, a vulnerability in that code, we're gonna send it back to the person in the marketing department and ask them to fix it. Can you tell me which company has a mature program today?

I don't think any security leader feels like their AppSec is in like a pristine state in March of 2026.

Ashish Rajan: If you're making tickets,

Joe Sullivan: it's probably not mature enough.

Ashish Rajan: We are known to have a lot more false positives, just by the nature of we didn't have the context for what's inside. Traditionally DAST has been looked at as very noisy.

Now it's 90% true [00:01:00]

Scott Gerlach: positive rate versus 90% false positive rate.

Joe Sullivan: We can't fall for that whole sunk cost fallacy. We can't be resistant to change. For security to reposition itself more and more as a business enabler, we gotta unlock this new productivity, not be the blocker.

Ashish Rajan: When an agent is used to write a commit code, who owns the security of it?

Is it the developer who wrote it, perhaps the security team, or is it the agent itself? I had the pleasure of talking to Joe Sullivan, who has been a CSO of Uber, Cloudflare, and many other companies building security programs across such large companies, along with Scott Gerlach from StackHawk talking about this exact thing.

When you have agents using code, what happens to DevSecOps programs? Who is responsible for security? How do you build security programs that are ready for AI, and why is the old model of AppSec dead? It has to evolve, and what does the evolution look like? We spoke about all that and a lot more in this episode of the podcast.

If you know someone who's working on application security today and [00:02:00] is trying to figure out what a security program in this world would look like, what would that mean for cloud? What does that mean for runtime security specifically? This is the episode for you. Do share this with anyone who's trying to look into runtime security for AI or just how to build security programs that would lead you down the right path as you create and support a security program.

As always, if you're here for a second or third time and have been finding episodes of the podcast valuable, I would really appreciate if you take a quick second to hit the follow or subscribe button, whichever platform you're listening or watching this on. We are everywhere: YouTube, LinkedIn, Spotify, Apple.

It doesn't cost you anything, but means a lot for us because that means we get seen by more people as well. Thank you to everyone who came and said hello to us at the RSA Conference in San Francisco last week as well. Really appreciate all the love and support that you show for the podcast that we create over here behind TechRiot.io. Thank you so much for this and I hope you enjoy this episode with Joe and Scott.

Scott Gerlach: Talk soon.

Ashish Rajan: Hello and welcome to another episode of Cloud Security Podcast. I've got Scott and Joe with me. Thank you for coming to the show and just for context of [00:03:00] people, maybe a few introductions.

Maybe we can start with you, Joe, just about your background, what you've been doing in cybersecurity.

Joe Sullivan: Sure. Awesome. My name's Joe Sullivan. I've been in cybersecurity for my whole adult career. I started out with the US Department of Justice for eight years. I was the first US federal prosecutor focused on cyber crime.

Uh, full-time prosecuting cases in the late nineties. I went to eBay and PayPal. I went to Facebook in 2008 when it was tiny. Built their security team from three people to hundreds. I left there in 2015, went to Uber, built their security team from three people to hundreds. And then I went to Cloudflare in 2018 and built their security team from three people to hundreds.

Now I do, uh, security consulting. My day job is I help a couple of companies at a time scale security. Oh.

Ashish Rajan: Scott.

Scott Gerlach: Yeah. Super. Like not that impressive.

Ashish Rajan: I, I know.

Scott Gerlach: I should've

Ashish Rajan: just must be on like any, any eBay in your microphone.

Scott Gerlach: No. So, my name's Scott Gerlach, Chief Security Officer, co-founder at StackHawk.

Uh, my background is running security teams. Uh, I ran different security teams at [00:04:00] GoDaddy for about 10 years, CISO at SendGrid for three years. Uh, and then we started StackHawk. Okay.

Ashish Rajan: Yeah. Maybe I'll start the, uh, the first question with you in that case. Okay. Obviously when you were the CISO at SendGrid and otherwise as well, you, we've kind of seen like a shift in AppSec overall.

I would love for you to kind of unpack, and obviously we're at RSA, so there's a lot of agent and AI floating around as well. We, we'll get into that a bit more. I'm just curious as to how do you see the, the before Gen AI and the After Gen AI change in AppSec, specifically the things that you're working on?

Scott Gerlach: Yeah. I mean, it's just a radically different world, right? Like before, I would say even the end of last year, the AppSec programs were really still kind of reactive and just trying to keep up as best they could. And then AI hit the ground and everyone's like, wow, we're way behind now. So the ability for the engineering team to create at such a rapid velocity and such a huge scale has put the AppSec team

in a [00:05:00] spot where they're like, wow, we really need to rethink and revamp and understand, but how do we actually help our engineering teams build and ship secure code? So there's both a lot of fright and fear. Yeah, and a lot of excitement because of what can actually get done now instead of just looking at pie charts of stuff that hasn't been fixed for the last five years

Ashish Rajan: as a CISO scaling multiple teams how do you see this world differently?

In terms of the AppSec pieces, or I mean, is security program in general as well?

Joe Sullivan: Well, let me tell you, the hardest job to, to fill right now in security is AppSec engineer. Uh, the companies I'm working with, a couple of public companies, they'd hire five AppSec engineers right now if they could find them.

And every startup that I'm helping scale, the most important position that I need to fill, probably even more important than the CISO role, I hate to admit it, is that head of product security role because every company that's launching in Silicon Valley right now is an AI company. And [00:06:00] so trying to find a security person who can be in there working with the founders on building the product and making sure it's secure out of the gate.

That's a, that's a really fun job, but it's really hard to find people who are qualified to be able to sit. Run, walk, whatever it is next to, you know, the, this new generation of AI founders. It's challenging.

Ashish Rajan: Could, you said product security. You didn't say AppSec. Why? What, what's product security in your mind, which is different to AppSec, outta curiosity?

Joe Sullivan: in my mind.

So there are people who are very religious about the difference in my mind.

Ashish Rajan: People that come with pitchforks after us after this. Yes.

Joe Sullivan: So I, I wanna be careful about that. Yeah. But like, in my mind, generally speaking, you know, as someone who's worked in, in security at tech companies, we've historically used them fairly interchangeably.

Mm-hmm. Sometimes though, product security might include some of the infrastructure side, the backend of the product, and people working on, on the product security might also be sometimes thinking about privacy and a little bit [00:07:00] of other implications. And then AppSec is almost exclusively like, you're responsible for the code.

Ashish Rajan: But um, this is probably for you Scott. A lot of people may hear both, both the opinions and go, I, I have a mature DevSecOps program. I think I got this. So I'm curious, and as I laugh, maybe I gave away the answer as well. If people already have a mature DevSecOps program that is being developer first and there's a lot more tickets being created, the,

how has that changed, and maybe where are they exposed that they don't even realize, even though they have a mature DevSecOps program?

Scott Gerlach: Yeah. Kind of. I think the way that I think about it is if you're making tickets, it's probably not mature enough.

Joe Sullivan: Yeah. I, I was gonna say like, can you tell me which company has a mature program today?

Because I know, like, I, I don't think any security leader feels like their AppSec, ProdSec, DevSecOps is in like a pristine state in [00:08:00] March of 2026.

Ashish Rajan: Yeah. And we, this is the reason why we went down the path of looking for security champions in the first place. 'cause we couldn't find teams of people who were interested in security.

So we would find individuals, Hey, would you mind just pushing security up the ladder every time someone asked about secrets? Or should we do this? Another question and do, has this amplified with the use of AI for coding? Like in terms of the adoption of it? Has it been

Scott Gerlach: Yeah, I think, I think so. And, and the thing that's super interesting to me is now is such a great time to like get embedded with engineering teams.

'cause, newsflash, engineering teams are also figuring out how to use AI and like how to standardize across their teams so that they're getting the same output or the same velocity from every member of the team.

Ashish Rajan: Yeah.

Scott Gerlach: So they're also figuring out, what new processes do we do? What new tools do we put in the chain?

How do we push software through the pipeline? And if you're in application security or product security, and you're not in the middle of those conversations and [00:09:00] learning what they're learning, you're gonna get yourself into a bad spot again. Whereas if you're helping them figure that out, figure out what the guardrails and the bumpers are to be able to ship code quickly, but make sure it's secure.

Yeah, you're gonna be in much better shape in six months. Because you'll have to do small iterations instead of like this big giant catch up.

Joe Sullivan: And like your question presumes that there's this pushback or back and forth where like the engineering team develops the code, security reviews it, and then sends it back.

Yeah. Where there's, a little touch up needed. Yeah. Now there's two problems with that in 2026. Number one is the volume of code that they're sending over to security is 10x-ing. Yeah. And unfortunately, the, the vulnerability volume is 10x-ing as well. And so if we're not careful, we're gonna be pushing back at them 10x the volume of issues.

Yeah. And we were already in trouble for pushing back too [00:10:00] much at them. So that's problem number one. And problem number two is when we push back, now it's not always engineers on the other side because, I'll tell you, like some of the companies I work with are letting non-engineers push code that ends up in production.

And if security catches that, uh, vulnerability in that code, we're gonna send it back to the person in the marketing department and ask them to fix it.

Ashish Rajan: Yeah. That Lovable that you worked on doesn't really fit the production profile, right, that you're going for

Scott Gerlach: or the VP of finance doing something very similar and you can't just go, okay, VP of Finance, go fix this vulnerability.

Ashish Rajan: Yeah.

Scott Gerlach: Uh, in this critical, like has all of our data app.

Ashish Rajan: I think you guys raised an interesting point 'cause it's kind of where all the excitement, I don't know if it's excitement, but there's definitely an interest in runtime security. Instead of focusing on, hey, SCA, SAST and everything else that kind of came in, let's just say, the 1.0 version, which is the pre-gen-AI version.

There's a lot of emphasis on we need a SAST product, we need an SCA product, and we're gonna get into DAST as well. In this world that we are moving [00:11:00] towards, is runtime security like a better defense than what we had with SCA, SAST and DAST? Or is it just more, am I giving up on that to go to the other side?

Joe Sullivan: Yeah. Let me jump in for a sec. So, in a mature security program, they were focusing on both

Ashish Rajan: Yes.

Joe Sullivan: Historically. And the pressure that's happening now is that everyone has to focus on both now. You know, there's hope that like the, the Cursors and the Claude Codes of the world are gonna do more to deal with the SAST type problems.

But we haven't like seen that come to fruition yet. And I'm not sure if we will or not. But no question about it. In 2026, everybody needs to be paying attention to runtime.

Ashish Rajan: Yeah, I'm curious your thoughts as well, Scott. I mean, you've spent a lot of time in runtime security. I'm

Scott Gerlach: slightly biased.

Ashish Rajan: Yeah.

So actually I would offer you to kind of share the legacy DAST conversation you and I have. Sure. What is a legacy DAST?

Scott Gerlach: So I think of legacy DAST as something that, I heard a weird number today. Someone was [00:12:00] like, they want to test production applications three times a year. I was like, three times a year.

What? But something that's like, I'm looking at production side or like public facing applications that I know about testing them. Maybe kind of lightly, because I don't wanna take them down at the same time.

Ashish Rajan: Yeah.

Scott Gerlach: Just to get a compliance checkbox, right? Yeah. So when the auditor comes in, you go, yeah, we ran the DAST.

See, here's the report. There's not a lot of findings in it. You're just kind of making sure that, A, you cover your bases. B, the auditors are satisfied, and C, there's not a huge glaring hole. But in the, in a world where you can now create numerous assets so quickly, you have to be really good at asset management.

And then also like what is the testing cadence and procedure for making sure that we're catching vulnerabilities and fixing them before we ship them to production. So the legacy DAST is kind of that like, I don't wanna say checkboxy type of thing, but really focused on well-known assets in [00:13:00] production that are public versus being able to test super frequently, test, uh, really thoroughly like deep testing.

And get that feedback back into the SDLC or the AI DLC.

Ashish Rajan: What about the modern one then?

Scott Gerlach: Modern one is all about fast, like hardcore testing, doing it really fast. We're talking about instead of days. So legacy DAST, I, when you say that to people, people go, yeah, yeah. The thing, I start on Friday and then when I come back in on Monday, I hope that it didn't fail, and then I start triaging all the reports and everything's good to go for next Friday when I run it again. I'm talking about

5, 6, 10 times a day, testing each little microservice that's coming out, making sure we're doing it as part of the development process or part of the CI/CD process so that every single release, every single PR or MR has been checked, you can verify it, and the thing that's going into production is as safe as it can be

Ashish Rajan: is this, and maybe I'm aging myself, [00:14:00] but not I, it's one of those ones where I always looked at

the AppSec ecosystem, or I guess security ecosystem in general. We are known to have a lot more false positives just by the nature of we didn't have the context for what's inside. So my framework of looking at, say, the same security vulnerability from the outside in is different to what I would've looked at it for as an internal employee.

So which kind of led to the part where traditionally DAST has been looked at as very noisy. Yeah. Full of false positives. Has that changed with modern DAST? A hundred percent.

Scott Gerlach: We, we just talked to a customer the other day that was talking about our DAST program that they're switching out had like a 90% false positive rate.

And when they tested with StackHawk and be able to test closer to the thing that you're testing, have more of a white box, gray box, how was this thing built? Yeah. Uh, and not test through WAFs and firewalls and across the internet. Now it's 90% true positive rate versus 90% false positive rate. So that [00:15:00] signal is so important to what do I need to go fix?

Uh, as opposed to like sifting through false positives all over the place and trying to figure out what to prioritize let alone what to send to engineers to go, Hey, you should fix this, or who to send it to.

Ashish Rajan: So what's the difference in the approach then? Like, why was it not working the first time with legacy people?

Scott Gerlach: Yeah.

Ashish Rajan: So obviously using StackHawk is one option, but so,

Scott Gerlach: So that legacy view is really testing in production, right? So there's a couple things that go into that. One is just round trip time between the app. Every time you ask it a question, it's gotta go back and forth.

Ashish Rajan: Yeah.

Scott Gerlach: That takes a long time when it's not physically located next to it.

Next to the thing that you're testing, two is all the protection mechanisms that exist out on the internet. All the WAFs, all the Cloudflares, all the API security tools that are out there giving you false signal. Yeah. Like you try and attack and it goes blocked, and that gives you a weird signal.

And then the last thing is you don't really want to test those production apps [00:16:00] really hard, really completely, because you might take the thing down in production and that would be also bad. So that lightweight scan in production takes a really long time so you're not causing outages and problems for usage.

Led to a lot of these false positives and it was more, I think the idea was more we'll give you as much signal as we can. Yeah. And you weed through it and figure out what's important in there and then ship that off to the developers, and you just can't do that anymore. Like that, that number of alerts that you're gonna get from the amount of code that we're creating is just gonna be skyrocketing. So you have to be able to test close to what you're testing, test the behavior,

Ashish Rajan: yeah.

Scott Gerlach: of what you're, um, the applications or the APIs that you're testing, really get into it and hit it hard. And then if you're doing it in the development process, you don't have the last part of that is

Who does this? Who works on this thing? 'Cause it might be an [00:17:00] API gateway that has 50 microservices behind it. Which service does it go to? Who can actually help me in the development process? You've got people working on the code itself. If you get them the feedback of, Hey, there's a brand new vulnerability that got introduced with this code change, the person that's writing that code is gonna be like, oh, I did that.

I need to fix it. Right? Yeah. 'Cause developers always wanna put out quality code. As long as you can get them the information while they're doing it, while they're building.

Ashish Rajan: I, I'm glad you mentioned the new vulnerability thing as well. 'cause I think as you were talking about the increase of adoption of AI coding tools and how it changes the paradigm of security, is that also introducing newer forms of vulnerabilities?

That's why the new approach,

Joe Sullivan: It's not necessarily introducing any new type of vulnerability, but it's showing that we need to focus a little bit more in some areas that we weren't focusing as much before. Uh, because an engineer had more kind of like context around their unique environment.

[00:18:00] Every engineer goes into a new company, and they spend the first six months to a year really understanding the infrastructure beyond the code. Yeah. And so when they write the code, they understand the environment they're building for and all the dependencies. And so I think there's a lot more focus now on like business logic testing and, and things like that.

Uh, because you know, these AI IDEs just, you know, they think of code as code. And I'm not sure we're gonna wanna eventually even open up to these frontier model companies our entire, uh, you know, here, map my entire infrastructure and you, and add that into your post training or your model.

I, I don't know if we want to do that.

Ashish Rajan: Actually, that's a good point. I don't know how many people use the integration with GitHub that freely, although it's available. I don't know how open an enterprise would be. Actually, I shouldn't integrate my entire code base into this and see what they find. That would not be the FI mean, 'cause we were talking about being closer to the source and the modern DAST.

How would that look like in an agent kind of workforce? Joe was explaining it.

Scott Gerlach: Same, same kind of deal. So like [00:19:00] as the closer you can get to the loop or in the loop? Yeah. So that when Claude Code is done writing its feature that you asked it to write and it goes, oh, I see a hook for, I should run the app, run StackHawk against the app.

And then consume the findings from that and fix them.

Ashish Rajan: Yeah.

Scott Gerlach: As part of the Claude Code loop or the Cursor loop or whatever. Now you're actually getting real work, real security work into that and not burdening the developer with what is this ticket? Where does this live? All that good stuff. And the agents are really good at it.

Being able to take that security finding output and fix in the loop, and not even get to code commit or PR as part of the prompt.

Joe Sullivan: Yeah. And, and maybe the other side of this coin to think about from a company security team, like do we want to like flip on all of, maybe not in this month.

Are the companies counting the tokens we're spending? Yeah, of course. But a year [00:20:00] from now, companies are gonna say, all right, we let, we let you all run amuck for a year and you burned hundreds of thousands, if not millions of dollars on tokens. Yeah. Can we get back to some deterministic software solu, like if we have a deterministic software solution?

Our security solution that gets the job done for a lot less money, shouldn't we be using that? So I, I think, I think in our haste to jump into AI, you know, we're spending a lot of coin right now. Yeah. And rationality is gonna set in sooner or later.

Ashish Rajan: Do you, do you feel, I mean, obviously at the moment, a lot of people, to your point, are in the race to adopt AI, burn as many as you can.

Is it possible to have. Like that. Are we, how far maybe are we from that future? I guess? 'cause you said way next year. 'cause I imagine people over here walking the show floors are planning already for 2026 plan. Like, I mean, I, I have a AppSec program, I have a runtime security program I'm trying to uplift.

Should I, what a, what should I look out for in terms of things that are important for me in my runtime environment that would enable [00:21:00] me for the next six months, maybe one year, two year? I don't even know if you can plan for two years, but let's just assume for one or two years. What would be some of your top three things?

I'm curious from you as well after that.

Joe Sullivan: Well, I mean, we can learn a lot from the move to the cloud. At the beginning of the move to cloud, everyone was so excited about how it was gonna reduce all of our risks and reduce all of our costs. You talk to a lot of leaders now and they're like, I'm not sure it reduced our costs at all.

But in those first couple of years, we were all jumping in. We were comfortable overspending as we learned. And I feel like we're gonna do the same thing with AI, the burn rates that we all have, learning how to use AI. The, so I was with a group of CISOs last night at the end of the day, and we were talking, and one of them brought up this issue is at their company.

Uh, there's so much pressure to get everybody to use AI. And so at that company, the CEO was getting reports of who's using the most tokens and that was being viewed as a good thing, you know? And they're like, [00:22:00] A year from now, it's gonna be like, how can you get the output with less tokens?

Ashish Rajan: Yeah.

Joe Sullivan: Uh, you know, someone's going to build a product that is gonna help us moderate our token use and prioritize it. There's gotta be products coming down the road doing that.

Scott Gerlach: I have this conversation with our, with our VP of engineering all the time.

He's like, here's who's burning tokens. And I always go, who's shipping product? Like, who's delivering value to customers? Because that's what the really important part of this is. The move to the cloud was, it's not cheaper. I can deliver value to customers faster. The same thing is gonna happen with tokens who's efficiently burning tokens to get value to customers.

I think that's where that's gonna end up. So, yes, there's gonna be somebody who's like, you're burning tokens on nothing. Stop doing that. But the people who are shipping and delivering value burn more tokens. You know what I mean? Like make sure that we're getting as much value to customers as quickly as we can, because every single other competitor's doing that.

And that's the how you stay competitive.

Joe Sullivan: Yeah. [00:23:00] And there we're already seeing, I think, the latest iteration of Cursor involves kind of like a, a more tailored, uh, model that will burn less tokens. Yeah. So, so we're gonna see on that side as well, trying to manage the cost a little bit.

And we're probably like going to see some new, like you were asking about new products next year we're probably gonna see some vertical LLM models that are tailored for security that, someone's gonna build it and then they're gonna say, why are you using 800 tokens with Claude Code when you could be using our security LLM and it'll be 20 tokens.

Economic rationality is gonna kick in in a year, I think, and we're gonna start seeing a bunch of different products and features that are gonna help us do that.

Ashish Rajan: I think someone just got the startup idea and they probably, next time we record this, it's gonna be like a security LLM model conversation will be having with someone as well.

I, I think both of you kind of nailed on something really interesting. 'cause at the moment we are not looking at the cost as a driver. [00:24:00] It's being looked at, we need to burn this to be, to survive the AI, I don't wanna say an apocalypse, but at least it's an AI wave. Let's just say the next half of it, when you start realizing, okay, I've spent, I've kept burning for two years.

I had to recoup this somewhere. Like, how am I gonna get that back? Get that back? What would that mean for people who are already invested in this? Like IDE driven code generation? 'cause you were saying earlier, being close to the source. Obviously I don't think that's gonna disappear even if you, but we will still be using the IDE to kind of enable that DevSecOps program.

I don't know if it's maybe still applicable, maybe not, depending on the level of coding we have. Do we still find runtime security would be an activity that would help us get through that? 'cause I think that's kind of where I'm trying to get to, because a lot of people would invest in a product that, hey, invest in us because we'll be there six years down the track.

You guys mentioned at the point that, hey, great, but eventually that cost of token is gonna come to you somehow. Either the product is [00:25:00] gonna charge you for the tokens or you're burning the token themselves. But to your point about the customer objective, which is a, I wanna be more secure in that future for runtime security, what would that look like?

I'm curious in terms of does the modern DAST evolve even more?

Scott Gerlach: I think absolutely. So there's a couple things that go along with this that are, the exciting part of this is, one, you hear so much about business logic testing because it was such a hard problem to solve. Being able to understand patterns in APIs or applications and then be able to test those patterns wasn't possible before.

Like we put the burden on a security professional, like, you know, the flow maybe.

Ashish Rajan: Yeah,

Scott Gerlach: write it all down and we'll go test and see if it, like that's a waste of time now. The ability to probabilistically look at an API or look at an application and go, I think I understand how this is supposed to work.

Ashish Rajan: Yeah.

Scott Gerlach: Now I can start testing it to see if it behaves correctly [00:26:00] while it's running. And do that deterministically, is it a problem every single time I test it? Those are the two things that are really, really exciting, is being able to probabilistically go, what is this supposed to do? And then deterministically go, is it broken?

And get the same answer every single time. So that's kind of how I think about, uh, runtime and what's super exciting about it. But you're gonna, you, we get to see more and more like creativity in how that deterministic testing happens to be able to say there is a problem in this application, API.

Joe Sullivan: Yeah, and I'd, and I'd say if you zoom out from AppSec

to like thinking about the security program holistically, we've always had two sides to security, prevention and detection. Yeah. And in many ways the introduction of non-deterministic software into the side that we're trying to set up, the guardrails and the protection, you know, before we launch,

means that we have like, it's [00:27:00] like squeezing a balloon and like more just moved over to the runtime side. Yeah, yeah, yeah. So like the first year of kind of this world of AI, we've invested a lot in kind of like compliance frameworks and guardrails and policies, and 2026 is now we're moving over to focusing on, okay, now we actually have this non-deterministic code operating.

It's vulnerable to prompt injection. It's, at risk because the volume, you know, nobody's been able to stay on top of it. So runtime I think is where it's at right now.

Ashish Rajan: But what would the operating model look like? 'cause if scale teams in the past, in that 1.0 as I have to call it, then the two point era.

Oh, in the 2.0 era, what would the operating model look like for people trying to build teams on this as well, which is ai, ai, augmented, AI, accelerated, whichever version you wanna go with. What would an operating model look like?

Joe Sullivan: This is one of my favorite conversations with security leaders. 'cause I, I, I often ask, are you hiring the same people with the same job [00:28:00] descriptions as two years ago and six months ago, everyone was saying yes.

And today everyone's saying no because they've realized the power of what AI is gonna do to the workplace. And they've realized where the pressure points are on their security team. And like I was saying earlier, application security is the biggest stress area right now. And so there's a lot of focus on.

Can I get really good application security people and who can I get and what can I get from a product that will relieve the burden on that AppSec team because they're so overworked And so, it's products like StackHawk and AppSec that are gonna be the future of security teams. I think,

Ashish Rajan: because I'm also curious, I, I guess hearing both of you, some people in cloud security going.

We guys are important too. I'm, I'm just curious is, 'cause you know how I was using the example earlier, like I know even like I'm, I'm not gonna age myself by call talking about mainframe here, but I'll just say mainframe still exists and so does the cloud environment, so does the cloud environment [00:29:00] that we have worked in for so many years.

DevSecOps has been part of that as well. We have made it cloud native DevSecOps as well. We have APIs that are I think is the, is the thinking in the new world that we're moving towards the operating model would have, we obviously con continue to maintain that old, oh, well it sounds old, but as in we continue to maintain the existing in the new frontier that we are moving towards the newer evolution of whatever became the better microservices, better APIs in that ecosystem. What are some of the components that you guys see that, 'cause you are talking to engineering teams as well. Is runtime security obviously important? Is DevSecOps still a part there or is DevSecOps probably getting to your point?

The balloon is getting smaller because the problem is, should be solved at the IDE rather than waiting all the way into the hook of the GitHub. Where, where, where do you guys sit on that?

Scott Gerlach: I think so a couple things. One myself and my senior engineers don't use an IDE anymore. [00:30:00] When we're writing code, we're just in, in a terminal.

We might open up an IDE to look at some code or, or look at a problem if it's, if it's not working quite right, but the ability to just stay in a terminal and tell Claude to go do stuff, go work on something else, and or open up another terminal and then do more code over there. Yeah. Is a thing, so like even thinking that an IDE is gonna be around it'll probably be around, but the, where the majority of the work the whole thing is gonna shift.

Will CI/CD be a thing in the future? You know what I mean? Like yeah. We have this whole, we have this whole ability now to write software and ship it and no, CI/CD without CI/CD. What, what do we need it for?

Ashish Rajan: Yeah.

Scott Gerlach: We need it to do like testing and attestation that it was tested and, and some of the audit trail that needs to go along with it, but technically you don't need it.

And so there's a lot of stuff that's gonna change in that DevSecOps process that was so. Ingrained in, I'm in [00:31:00] CI/CD, I'm doing a lot of work in CI/CD. You gotta really think about, is that the only place you can do it? Is that the best place to do it? Is there more things I can do on the Terraform side?

And guardrails around what's happening with infrastructure as code? Is there more guardrails I can put around? What's actually getting deployed into prod by checking what APIs are getting called what's being logged? Those kinds of things like. It's a crazy time and you gotta really think about, and that's why I say like getting involved with the engineers.

What are they doing? How are they thinking about it so that you can actually adapt that DevSecOps process that historically was a little interruptive in the middle. That's why Sec is in the middle of the Dev and the Ops.

Ashish Rajan: Yeah,

Scott Gerlach: to be more assistive. Assistive.

Ashish Rajan: Yeah.

Joe Sullivan: Yeah. It's really a crazy time, like you said, because, there's no question. If you try to step back and say, what is the number one job that's been disrupted by AI, you'd say software engineer, right? No job has [00:32:00] fundamentally changed more because of AI so far.

Ashish Rajan: Yeah. Yeah.

Joe Sullivan: But we don't even know what it will look like a year from now. Right? Software engineers.

Software engineers,

Ashish Rajan: yeah.

Joe Sullivan: Yeah. Like we're, we're doing so much with voice now instead of even hands on keyboard. Everything is going to continue to evolve over this, this, and so, I mean, I think it's a fun and scary time to be building a product for that audience. Uh, I mean, the one thing you know at the end is we gotta make sure that the code comes out with Vulnera without vulnerabilities, right?

Yeah,

Ashish Rajan: yeah, yeah.

Joe Sullivan: Everything else is in flux.

Ashish Rajan: Well, maybe bringing that back to security programs then, people who are building security programs who probably had invested a lot of time and energy into DevSecOps, CI/CD pipelines. What's your recommendation for, I guess, the MVP that they should expect for the newer team?

'cause you said that the way people used to hire two years ago is not the same way they hired today. So the capabilities that I'm looking for in a team today are probably vastly different. [00:33:00] Is it more going in this realm of we are, uh, AI for security is gonna be that bigger ecosystem in within organizations and.

To your point, products would have to integrate with whatever that AI for security looks like in organizations.

Joe Sullivan: I think the number one word that I keep hearing, and maybe I keep saying is curiosity. If you're not excited about AI and digging in and playing around with the new things, how are you going to keep up with the product and engineering teams that are, you have to adopt that same excited, energetic mindset.

And be in discovery mode. We can't, like, we can't fall for that whole sunk cost fallacy. We can't we can't be resistant to change at this time. We have to be like I, I actually think it's a really great opportunity for security to reposition itself more and more as a business enabler. We gotta unlock this new pro productivity, not be the blocker.

And that's [00:34:00] really hard. But if the more curious we are, the more we're experimenting with new products that, like, I hate to say it, but walking the expo floor and, and like talking to everybody and understanding what, like what are other security teams experimenting with right now? Yeah. It's not like.

There's no playbook. That's like set. It's all changing and so you gotta be full of energy and curiosity and patience. I guess

Scott Gerlach: we, we had the this, we had this conversation last night at the event that you were moderating where people were like, what is the new skillset that you're looking for in security teams?

I don't think anyone had a great answer for that. I do think they had a good answer for what's the anti-pattern, the people that have to have well-defined procedures and they wanna stay in the box. That's probably the anti-pattern for the next gen security team. And you know, one of the, one of the, one of my favorite questions this week has been, what's the name of your AI assistant?

What did you name your AI assistant? What did you name your [00:35:00] open claw?

Ashish Rajan: Yeah,

Scott Gerlach: mine's my, I picked Pepper Potts because Pepper Potts is a badass and she gets stuff done. Yeah. So that's my version of how do I figure out where. This agent is gonna break.

Ashish Rajan: Yeah.

Scott Gerlach: And what it's gonna do to the security model is you gotta play with it to see like in practice what's going on and that like openness to figure out what this new technology is.

Bang your head against it. 'cause it doesn't work. It forgets all kinds of stuff in a week.

Ashish Rajan: Yeah. Yeah.

Scott Gerlach: And, and then when you're rolling that thing, those things out, thinking about the identity model and the security model that it inherits from you and you're like, wait a second, I don't want it to have this much access.

How can I, for myself, limit that access? And then what does that do for the enterprise? What does that scale into?

Ashish Rajan: Yeah, I was gonna say you kind of hit a good point there with the expectation for skillset is changing, evolving. Yeah. And does, I'm gonna ask a meta question here. Does that mean the CISO's [00:36:00] responsibility is also evolving and, but maybe responsibility is not the right word.

The role itself, considering the software developer, software engineer part may not have a CI/CD pipeline. May, we will still be responsible to put code into production, which is almost free from vulnerability. I don't think it'll be a hundred percent free, but as far as some people would still claim it.

But what is the role of a CISO in this newer world we are moving towards then?

Joe Sullivan: So it's already been changing the last few years and it's changing even more because of ai. A couple of things have happened, like there's this there's been this really big longer term trend. As cloud and SaaS has gone up, the role of the CIO has gone down.

You know, a lot of the role of that strategic role went away. It it's so much more commoditized. It's conference rooms, it's laptops and SaaS software. That's not so exciting. And so, like, people aren't running for that role anymore. And so what's happened over, so I'd say like four or five people from [00:37:00] my last security team at Cloudflare.

Are all now security leaders on their own at other companies. And every single one of them owns security. And IT, uh, that has become a, a really big trend. Uh, you go around Silicon Valley, when I help a company set up a security, an organization, I'm usually hiring one person to run security and IT. So that's So you take that trend.

Yeah. And then 2026, the CEO was ignoring everything happening in IT for the last five years. Suddenly in 2026, the CEO is turning to IT and saying, I want you to lead the AI transformation for the company. And that person is the security leader too. And so, I, a lot of my friends are saying, I'm talking to myself, half of me is saying I gotta go fast.

The CEO and the other side is saying, I run security and I'm, I'm afraid. And, and so, you know, we're that so we have more responsibility and we have more interaction with the CEO. Yeah. And that's not gonna go backwards.

Ashish Rajan: The genie out the box already, or out the lamp, I [00:38:00] guess. Yeah. Well,

Joe Sullivan: well, every organization on the planet is more dependent today than they were yesterday on the technology.

Yeah. Do you think they're gonna be less dependent on technology tomorrow or more?

Ashish Rajan: More, yeah.

Joe Sullivan: More and more. Yeah. And so that means that technology risk is going to continue to grow in importance for every organization.

Scott Gerlach: Just think about the blast radius of implementing agents.

Ashish Rajan: Yeah.

Scott Gerlach: Whether it's a coding agent or it's a customer service agent, or it's whatever it is, it touches every single part of the business now. So it's, by the way, it's always good to remind ourselves that there's harder problems in the world.

I was talking to a CISO last night who had a deployment in an AWS data center that got hit by a drone. That's a different problem.

Joe Sullivan: Yeah. Yeah.

Scott Gerlach: And, and think about the AWS, uh, security team. They're thinking about people.

Joe Sullivan: Yeah,

Scott Gerlach: yeah. Lives of people.

Joe Sullivan: Yeah. Yeah.

Scott Gerlach: That's a hard, hard problem.

Joe Sullivan: Yeah.

Scott Gerlach: So this is relatively an easy problem in comparison.

Joe Sullivan: Yeah.

Scott Gerlach: But it just continues to expand in the impact to the organization. And [00:39:00] instead of just like, we gotta make sure the workstations are locked down and emails are safe, and et cetera, now we're talking about enabling the business to go. Fast, deliver a ton of value and hopefully grow

Ashish Rajan: Yeah.

Scott Gerlach: From the CISO suite.

Ashish Rajan: Do you, do you guys feel that because the democratization of, I'm not stuck with one language, I'm not stuck with one security skill. Like anyone can be a security person with the right knowledge and maybe the guide guidance as well to an extent. Would the pendulum shift more towards, as a software engineer role is evolving?

Because at the end of the day, security's goal is to improve the quality of the code that's coming out, and that's all you want. So would we all start working more with developers instead of security people? Would security kind of lean more on software as well? Would everyone become more of a coder, do you reckon?

Joe Sullivan: At the end of the day, uh, mature organizations need to have a team called security that. Is evaluating the risk of the code that they're [00:40:00] running. Yeah. That team is gonna have to continue to be deeply technical. Yeah. I, at the same time, I do see a lot of security people who got in without a technical background or with a minimal technical background, really excited about how AI is allowing them, to do their job so much better.

Yes. Like, like a lot of the bug bounty folks, they're, you know. With the power of AI, they're finding vulnerabilities 10x faster than they were before. They're also, you know, they used to maybe do, do a little bit of scripting for themselves to automate like the work. Now they're building whole, you know, applications to, to make themselves go faster.

GRC folks, same thing. Instead of spending eight hours filling out a spreadsheet. They're automating it and so I, I see just a lot of excitement just in general about how AI can reduce the toil of a security team. I'll tell you, as a security leader, the hardest part of my job, I'd hire all these great people and then I'd tell them, I need you to focus on the grunt work.

Everybody wants to chase the shiny objects in security [00:41:00] and be the hero and catch Russia in their network. But like the reality is, so much of the work has not been that glamorous. Yeah. And the kind of, the part that's not been glamorous. Is where the AI can step in and automate the heck out of it.

Scott Gerlach: Yeah, I think, you know, when you say, when you say developer what's the skill that you imagine today or yesterday? Coding.

Ashish Rajan: Coding? Yeah. Yeah.

Scott Gerlach: It's not the skill. They're, they're getting paid to solve problems like being a problem solver and do that in code.

Ashish Rajan: Yeah.

Scott Gerlach: And the, the unlock there is, I don't have to memorize. This language, I don't have to learn a new framework. I don't have to, I have to be able to describe and solve problems. Mm-hmm. And that is across the board, right? So like in the security world, if I can describe and solve this problem, now I'm unlocked.

I can actually go do that.

Ashish Rajan: Yeah.

Scott Gerlach: Uh, and get rid of a ton of toil. But that's exactly what's happening in the engineering team. Right. And where you see engineers falter is the ones that can't describe and solve problems. They're [00:42:00] wrapped up in their identity of, I'm a Node developer. I know Node.js back and forth.

Ashish Rajan: All the syntax. I know all the syntax,

Scott Gerlach: I know all the syntax, I know all the ways, all the cool tricks for async functions.

Ashish Rajan: Yeah.

Scott Gerlach: Doesn't matter. What problem are you trying to solve? Can you solve the problem?

Ashish Rajan: Yeah. I, I see like this one where I, people used to talk about, I think it was Java.

I think it used to consume a lot of memory and people used to be like, oh, I can do, I can create the same program in a way. It doesn't consume more memory. That was like a specialization. You go to the senior developer for that, like they have done the tests. Yes, they have figured it out. Gone through the hard toil.

That is irrelevant today.

Scott Gerlach: I mean, it's still probably relevant and at some point, but being able to describe the issue

Ashish Rajan: Yeah,

Scott Gerlach: because you've seen it before, is just as valuable as being able to write the code that fixes the problem.

Ashish Rajan: Yeah,

Scott Gerlach: because that the last part is what Cursor is doing and what Claude is doing and what Gemini is doing.

Yeah the. The senior is really about what patterns have I seen that have worked and have broke. [00:43:00] The junior is about can I repeat the problem that product has sent me and what I'm trying to solve for the customer

Ashish Rajan: and, and explain it in a way that the AI can create the code for Exactly. Awesome. On that note, that's the technical questions I have.

I've got, uh, I've got a snack or, or snack. Fun questions to be precise. We've got Australian snacks as well as, uh, the British snacks. But crowd favorites have been crocodile and kangaroo, so no pressure on picking them. If you, you've never judge you guys if you did not take that. But I would highly encourage them, is what I would say.

So,

Scott Gerlach: I mean, I'll go kangaroo, I don't know. But

Ashish Rajan: I mean, you can go both if you want. You want Vegemite? Okay. You go

Scott Gerlach: Vegemite. I kind of want Vegemite as well.

Ashish Rajan: Oh, you can have both if you want. You can. I mean, you don't have to have stock.

Scott Gerlach: I've never had Vegemite.

Joe Sullivan: Gotta try it now.

Ashish Rajan: Well, well, to be fair, this is a cheesy version of Vegemite.

It's not the true Vegemite like I do. I

Scott Gerlach: do like cheese.

Ashish Rajan: Yeah. So this is, this is like a good, so you know, you guys are not going for kangaroo or croc. All right. Fair. Like the, I'm curious [00:44:00] if you guys are quiet. Do you feel, actually, because you've had Vegemite before? Yes. How would you describe it to Scott who has not had it before?

Before he has the Australian-shaped Shapes.

Joe Sullivan: It's very salty.

Ashish Rajan: It is the shape of Australia in case you want to

Joe Sullivan: Oh,

Scott Gerlach: okay.

Ashish Rajan: Yeah,

Scott Gerlach: I was like, is it a, is it Koala Bear or something?

Ashish Rajan: Yeah. How would you describe

Joe Sullivan: Salty and tangy?

Ashish Rajan: Yeah, salty taste. It's acquired taste.

Scott Gerlach: What's it actually made of?

Ashish Rajan: Yeast.

Joe Sullivan: It's like if you ever had nutritional yeast.

Scott Gerlach: Yes.

Ashish Rajan: It's literally that.

Scott Gerlach: It's spoon. It's not actually like vegetables.

Ashish Rajan: I would describe it's

Joe Sullivan: spoonful of nutritional yeast.

Scott Gerlach: Okay.

Ashish Rajan: Which is. We should have, which you should have in very small quantities, not in like large quantities as you inhale the entire thing.

Scott Gerlach: So Don, so don't just eat the whole thing.

Okay, great.

Joe Sullivan: These are great

Ashish Rajan: heads

Scott Gerlach: up,

Ashish Rajan: but this is like a, I would say I tried these, these are a very mellow version of where Vegemite is.

Scott Gerlach: These are good, these are taste like chicken and a biscuit, a little bit

Ashish Rajan: like [00:45:00] chips. I would, okay. Fair. I mean, I don't take that comparison. Uh,

Scott Gerlach: I mean it tastes a little bit like chicken and a biscuit.

Ashish Rajan: Okay. Uh, well, I would definitely encourage trying the original Vegemite.

Scott Gerlach: Okay.

Ashish Rajan: The British version is called Marmite, which is a bit

Scott Gerlach: Marmite. Yep.

Ashish Rajan: Yeah. So, uh, if you've tried Marmite, it's kind of like,

Scott Gerlach: I, I haven't, I've seen it. I haven't tried it.

Ashish Rajan: Oh, it, it's like the more disgusting version of Marmite in Vegemite.

That's how I describe it. It took me five years to get used to the idea. 'cause my wife loves it and I'm going, there's clearly I'm doing something wrong here. So I found out the right way to have Vegemite is. Uh, a thin slice of butter. A thin slice, sorry, A thin slice. Uh, a thin layer of butter, a thin layer of Vegemite, avocado fe, and then it's edible.

Scott Gerlach: So basically you can't taste it.

Ashish Rajan: Yeah,

Scott Gerlach: that's, that's what I heard.

Ashish Rajan: Yeah. Yeah. Basically like, like that. That's how I figured out, oh, I can have Vegemite now.

Scott Gerlach: Like so salt and pepper and then hot sauce, and then

Ashish Rajan: some jalapeno and salt, basically Like now [00:46:00] it's edible.

Scott Gerlach: Yeah, now I can eat it.

Yeah.

Ashish Rajan: Yeah. But I think my wife has it without any of that.

So I think it took me that much effort to, oh, now I can have this version. I still cannot have the regular version yet, so Fair enough. I haven't graduated it. Alright.

Scott Gerlach: Alright.

Ashish Rajan: Segue to my, my, my fun questions. And the first one is what do you guys spend most time on when you're not trying to solve the security problems of the world?

Could be anything Personal, professional.

Joe Sullivan: My favorite sporting activity is skiing.

Scott Gerlach: Oh.

Joe Sullivan: And, uh. So I'm always trying to figure out how I can get a business trip to some place so that I can ski

Ashish Rajan: fair.

Scott Gerlach: That's why he joined the Colorado StackHawk Company.

Ashish Rajan: Oh, a lot

Scott Gerlach: of skiing

Ashish Rajan: you guys that okay? Fair Lot of snow.

Yeah. Fair.

Scott Gerlach: One of the many benefits.

Ashish Rajan: What were yourself?

Scott Gerlach: Uh, I play a lot of golf and was talking to somebody who was doing like CISO interviews the other day and he said the number one answer for leisure time activity for CISOs was fishing. And I was like, I don't fish, but it's the same, same deal, right?

We're out in [00:47:00] nature. Out in the outside, there's not a lot of computers running around. No, no flashing Things kind of just take in like in Denver, take in the mountains with the snow on top of 'em and just go, wow.

Ashish Rajan: I don't know who comes up with the Sta. 'cause I always thought it was F1. Was, uh,

Scott Gerlach: watching F1.

Ashish Rajan: Yeah. Watching F1

Joe Sullivan: F1 is really popular in security world.

Ashish Rajan: Yeah. As a, as a nerdy sport. 'cause there's a lot of engineering and especially if you watch the F1 TV show on Netflix, you kind of realize how intense it gets. You realize the importance of it. I think I've watched the first season, I'm like, oh, I, I see it.

Before that I was, because it's uh, 52 laps or something. It's the same circle. For 50 to, I mean, you going okay for two hours, someone's just gonna go circles around the same line. It's like

Scott Gerlach: left and right in the circles.

Ashish Rajan: It's like sharp turns. Oh no, no. I'm, I'm, I'm obviously oversimplifying it. I'm pretty sure F1 people are gonna come after me.

Joe Sullivan: You're making the whole security world matter.

Ashish Rajan: Yeah, they're gonna come after me after this. Like how do you describe F1? It's great sport. [00:48:00] I mean, I'm sure it is. Uh, second question. What is something that you're proud of that is not on your social media?

Scott Gerlach: You proud of? That's not on my social media. Yes. I mean, I'm super proud of my kid, like she is finishing her first year in college.

Okay. And you know, she struggled a little bit at the first semester like everyone does in their freshman year, but she stuck with it. She's straight A's right now, so. Oh, wow. I'm super proud of that.

Ashish Rajan: Awesome.

Scott Gerlach: Good. And that's not on my social media yet, I guess it is now.

Ashish Rajan: Yeah. Eventually would be. I mean, it goes out.

Yeah. Or will you?

Joe Sullivan: Yeah. I mean, you, you can't help but be proud of your kids. Yeah. And uh, and yeah, I have three daughters that don't let me put them on my social media too much. Uh, but my oldest daughter, she always said, I'm never going into cybersecurity. And, uh, she's on the security team at Tesla now, so Oh.

I'm pretty proud of her for that. 'cause, you know, it's, it's a hard job market sometimes. And she got out and she got that job on her own and [00:49:00] Wow. And she set the bar high for her sisters, so. Oh, wow. You know, and the two of them are in college now, so I'm proud of them.

Ashish Rajan: Yeah. No, no, no pressure on them to kind of follow the eldest.

Alright. Uh, final question. What's your favorite cuisine or restaurant that you can share?

Joe Sullivan: Oh, for me it's Indian food.

Ashish Rajan: Oh, nice.

Joe Sullivan: Yeah. I love Indian food. Uh, the spicier the better.

Ashish Rajan: Oh, spice, I mean, so Vegemite would not cut it for you then, I guess.

Joe Sullivan: No, I, I, I, I'll take more heat.

Ashish Rajan: What we got,

Scott Gerlach: man, favorite food. I mean, I do like taco, like just a good three-sided sandwich is a really good treat, but.

My favorite thing in the whole world is just a great steak. Like a great steak. Probably some french fries

Ashish Rajan: like you eat Dbo D

Scott Gerlach: No, I'm a filet guy.

Ashish Rajan: Oh, filet,

Scott Gerlach: okay. Filet. And that's it. Like no rib eye, no nothing else. Just filet. If it's not on the menu, I'm not even ordering.

Ashish Rajan: Okay. Fair. That's how you know the good [00:50:00] steakhouse.

If they don't have filet, you're not going in.

Scott Gerlach: Yeah. If there's not a filet at a steakhouse, you're not at a steakhouse,

Ashish Rajan: you're at a bar.

Scott Gerlach: Yeah.

Ashish Rajan: Where can people find out more about StackHawk and the work you guys are doing as well?

Scott Gerlach: Yeah, obviously, uh, StackHawk.com

Ashish Rajan: Yeah.

Scott Gerlach: Uh, is a great place to learn tons of resources.

Uh, our LinkedIn page, uh, StackHawk is really good, full of all great, all kinds of great stuff that. Uh, our team posts about either StackHawk and what we do

Ashish Rajan: Yeah.

Scott Gerlach: Or what we're doing at StackHawk. Yeah. Uh, with some, some of the AI stuff and then just the rest of our socials.

Joe Sullivan: Yeah, I've, I've got two websites. Uh, joesullivansecurity.com is, uh, for my consulting business. Yeah. And then I'm also the CEO of a nonprofit called Ukraine Friends. Uh-huh. And that's ukrainefriends.org. Uh, we we take compu computers, donations from lots of companies.

We bring 'em over to Ukraine and we give 'em to kids who are stuck in remote school.

Ashish Rajan: Oh wow. Great cause as well. I'll put all the links in the show as well. But thank you so much for coming on the show. I really enjoyed our conversation, so thank you so much.

Yeah, thank you for having us. Thank you [00:51:00] so much.

Scott Gerlach: And thank you for the Vegemite.

Ashish Rajan: Thank you for listening or watching this episode of Cloud Security Podcast. This was brought to you by Techriot.io. If you are enjoying episodes on cloud security, you can find more episodes like these on Cloud Security Podcast TV, our website, or on social media platforms like YouTube, LinkedIn, and Apple, Spotify.

In case you are interested in learning about AI security as well, check out our podcast called AI Security Podcast, which is available on YouTube, LinkedIn, Spotify, Apple as well, where we talk to other CISOs and practitioners about what's the latest in the world of AI security. Finally, if you're after a newsletter, it just gives you top news and insight from all the experts we talk to at Cloud Security Podcast.

You can check that out on cloudsecuritynewsletter.com. I'll see you in the next episode, please.
