AI Red Teaming Comes to Bug Bounties – Francis Dinha, Michiel Prins – ESW #391
1. AI Red Teaming Comes to Bug Bounties – Michiel Prins – ESW #391
HackerOne co-founder Michiel Prins walks us through the latest new offensive security service: AI red teaming.
While enterprises around the globe are still working out how to QA and red team generative AI models such as LLMs, early adopters are struggling to scale these tests. Crowdsourced bug bounty platforms are a natural place to turn for help with scaling this work, though, as we'll discuss on this episode, it is unlike anything bug hunters have ever tackled before.
Guest
Michiel Prins is a Co-Founder and Senior Director of Product Management at HackerOne, the cybersecurity company dedicated to eliminating vulnerabilities through continuous testing. He is an information security expert, researcher, hacker, and developer. Michiel has been finding critical software vulnerabilities in technology for over 10 years. Prior to founding HackerOne, Michiel co-founded a successful penetration testing company that worked on projects for trusted organizations from government institutions to top technology companies, including Twitter, Facebook, Evernote, and Airbnb, among others. Michiel regularly presents on vulnerability disclosure and security research projects regarding security management, privacy, and web application infrastructure. Michiel graduated with a B.S. in Computer Science from Hanze University Groningen.
2. Guiding an Open Source-Based Business Through Troubled Times – Francis Dinha – ESW #391
This interview is a bit different from our norm. We talk to the founder and CEO of OpenVPN about what it is like to operate a business based on open source, particularly through trying times like the recent pandemic. How do you compete when your competitors are free to build products using your software and IP? It seems like an oxymoron, but an open source-based business actually has some significant advantages over the closed source commercial approach.
Guest
Francis Dinha is the CEO and Founder of OpenVPN, Inc., a leading network security company with enterprise solutions for remote access and more. Dinha grew up under the dictatorship of Saddam Hussein in Iraq, and managed to escape in the 1970s to Sweden. There, he earned his Master of Science in computer engineering from the University of Linkoping. He spent the next several decades working in technology, contributing his skill and leadership to major projects across the world.
His work in tech has consistently been about building more secure and efficient communications — in short, bringing people together. He has served as an architect and broadband system engineer at Ericsson, where he worked both in the U.S. and Sweden. Francis was also the founder and CTO of PacketStream, a company whose patented technology enabled dynamic Quality of Service provisioning of IP networks. Then, before he co-founded OpenVPN, Francis was the CEO at Iraq Development and Investment Projects where he played a principal role in architecting a joint venture to win the mobile communication license in Iraq. Today he continues to lead OpenVPN as they provide enterprise network security solutions for today’s businesses.
3. IPOs are back, AI jumps the shark, NGFWs have some serious security issues – ESW #391
In this week's enterprise security news,
- the first cybersecurity IPO in 3.5 years!
- new companies
- new tools
- the fate of CISA and the cyber safety review board
- things we learned about AI in 2024
- is the humanless SOC possible?
- NGFWs have some surprising vulnerabilities
- what did generative music sound like in 1996?
All that and more, on this episode of Enterprise Security Weekly.
Announcements
Security Weekly listeners save $100 on their RSA Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac25 and use the code 5U5SECWEEKLY! We hope to see you there!
- 1. IPOs: SailPoint S-1
Our first cyber IPO in FOREVER. After being taken private by Thoma Bravo in 2022 for $6.9B, SailPoint is going public again, and will use the same ticker symbol again (SAIL).
Does it make sense for cybersecurity companies to go public? I don't think so, but it looks like it's going to start happening again anyway.
When did we last see a security company IPO? Back in September 2021 - we were all still wearing masks, though most of us stopped washing our groceries by this time. ForgeRock went public for a hot minute before they were taken private again, only 13 months after going public.
Why am I ignoring Rubrik? They're not cybersecurity - they're a backup company that has dipped into cybersecurity (honestly, I haven't looked at their last 10K/10Q, and I don't know what portion of their revenue comes from data security vs backups, so don't come at me).
You might have noticed some interesting facts. Our last two cybersecurity IPOs are both IAM vendors that were both taken private by Thoma Bravo. Then, in 2023, Thoma Bravo merged ForgeRock and Ping Identity. This PE shop really went all in on identity!
Are we going to see more IPOs in 2025? It's certainly possible, with Wiz and Netskope as the most likely candidates.
- 2. FUNDING: Databricks Announces $15B in Financing to Attract Top AI Talent and Accelerate Global Expansion
This isn't a cybersecurity company, but it's a useful foil for discussing whether or not cybersecurity companies should even consider going public at all.
- going public takes a lot of work and prep - the road to an S-1 filing often takes years!
- the initial capital raised is typically less than $15B. A LOT less
- cybersecurity companies typically need to pivot or reinvent themselves every 5 years - the public market and shareholders don't like that, and it takes control and agility away from the company - then, the company often ends up getting taken private anyway
- 3. NEW COMPANIES: Cybersecurity startup Tenex launches with an AI-powered cloud MDR service – SiliconANGLE
Another AI-powered SOC startup, though this one is focused on providing an MDR service. I have thoughts and opinions.
- 4. NEW TOOLS: Stratoshark
It's like Wireshark, but for your cloud!
- 5. LEGISLATION: Eric Geller on Twitter – Is the Cyber Safety Review Board dead?
The tweet text:
DHS has terminated the memberships of everyone on its advisory committees. Includes several cyber committees, like CISA's advisory panel & the Cyber Safety Review Board, which was investigating Salt Typhoon. That review is "dead," person familiar says.
- 6. CYBERCRIME: Trump Pardons ‘Silk Road’ Dark Web Market Creator
I recall thinking, "DAMN, that's a harsh sentence", but I definitely didn't see this coming.
- 7. VULNERABILITIES: Microsoft fixes 159 bugs in first Patch Tuesday of 2025
“This is the largest number of CVEs addressed in any single month since at least 2017 and is more than double the usual amount of CVEs fixed in January,”
I had to reboot my Windows systems a LOT
- 8. REPORTS: Security Navigator 2025: Latest Cybersecurity Threats and Trends
From Orange Cyberdefense, this report is chock full of useful data points sourced by their engagements with their clients.
- 9. ESSAYS: A Brief Guide for Dealing with ‘Humanless SOC’ Idiots
Spicy, very on-brand take from my friend Anton Chuvakin!
- 10. AI ROUNDUP: Things we learned about LLMs in 2024
The amount of AI news in 2024 was a little overwhelming, so this is a nice resource to summarize and remind you of everything that happened. Some particularly interesting insights here, especially around AI agents.
- 11. HISTORY: ShmooCon ends 20-year run with tears, malware and electronic fun
- 12. VULNERABILITIES: Kevin Beaumont – A new group, Belsen Group, claim to have released Fortigate configs for 15k firewalls.
- 13. VULNERABILITIES: Supply Chain Risks in Security Appliances – Eclypsium
The black box that is NGFWs is opened a bit for all to see...
- 14. SQUIRREL: Brian Eno released Generative Music on a floppy – here’s what it sounded like