The past, present, and future of enterprise AI – Pravi Devineni – ESW #403
In this interview, we're excited to speak with Pravi Devineni, who was into AI before it was insane. Pravi has a PhD in AI and remembers the days when machine learning (ML) and AI were synonymous. This is where we'll start our conversation: trying to get some perspective around how generative AI has changed the overall landscape of AI in the enterprise.
Then, we move on to the topic of AI safety and whether that should be the CISO's job, or someone else's.
Finally, we'll discuss the future of AI and try to end on a positive or hopeful note!
Applied data scientist with 7+ years of experience in working with domain experts to provide machine learning solutions to a wide variety of applications. As part of my work, I design and deploy scalable end-to-end machine learning pipelines.
Identiverse 2025 is returning to Las Vegas, June 3-6. Hear from 250+ expert speakers and connect with 3,000+ identity security professionals across four days of keynotes, breakout sessions, and deep dives into the latest identity security trends. Plus, take part in hands-on workshops and explore the brand-new Non-Human Identity Pavilion. Register now and save 25% with code IDV25-SecurityWeekly at https://www.securityweekly.com/IDV2025
Patch It Like You Stole It: Vulnerability Management Lifestyle Choices – Matthew Toussain – ESW #403
What a time to have this conversation! Mere days from the certain destruction of CVE, averted only in the 11th hour, we have a chat about vulnerability management lifecycles. CVEs are definitely part of them.
Vulnerability management is very much a hot mess at the moment for many reasons. Even with perfectly stable support from the institutions that catalog and label vulnerabilities from vendors, we'd still have some serious issues to address, like:
- disconnects between vulnerability analysts and asset owners
- gaps and issues in vulnerability discovery and asset management
- different options for workflows between security and IT: which is best?
- patching it like you stole it
Oh, did we mention Matt built an open source vuln scanner?
Matt Toussain is a recognized leader in offensive security, penetration testing, and cybersecurity training. As the founder of Open Security, he has built a firm dedicated to real-world adversarial testing, red teaming, and advanced security education. A former U.S. Air Force cyber warfare leader, Matt has spent over a decade at the cutting edge of cybersecurity, specializing in network exploitation, adversarial tactics, and threat analysis.
Matt is also the creator of Sirius, a tactical cybersecurity vulnerability scanner developed over five years. His work is widely respected in the industry for its technical depth and practical applicability, bridging the gap between security theory and real-world execution.
Through Open Security, Sirius, and his contributions to the cybersecurity community, Matt continues to push the boundaries of offensive security, equipping security professionals with the knowledge and tools to counter evolving threats.
Tailscale rakes it in, CVE dead to us, cool Chrome extensions, dog saves toddler – ESW #403
In the enterprise security news,
- lots of funding, but no acquisitions?
- New companies
- new tools
- including a SecOps chrome plugin
- and a chrome plugin that tells you the price of enterprise software
- prompt engineering tips from google
- being an Innovation Sandbox finalist will cost you
- Security brutalism
- CVE dumpster fires
- and a heartwarming story about a dog, because we need to end on something happy!
All that and more, on this episode of Enterprise Security Weekly.
I'll be running a panelcast with Fastly, titled Security Without Speed Bumps: Using WAF Simulator to Transform DevSecOps Workflows. Join me for this exciting webcast on April 16th. To register for this panelcast, go to securityweekly.com/WAF
Adrian Sanabria
- FUNDING: Courtesy of the Security, Funded newsletter, #189 – Cool Quantum Croissants
Last week's vibe check asked, "what's the strongest early signal a security tool will succeed in your org?"
The clear winner was "quick time-to-value (days, not weeks)"!
In this week's funding:
- Tailscale raised a $160M Series C from Accel
- Anecdotes, a US-based GRC platform, raised a $30M Series B from DTCP
- Aurascape, a US-based AI security posture management platform, raised a $26.2M Series A from Mayfield and Menlo Ventures.
- Outtake, a US-based agentic AI security platform, raised a $16.5M Series A from CRV.
- Finally, NetRise announced a $10M Series A led by dnxVentures to focus on supply chain security.
Also, when was the last time we saw an acquisition? Oh, RIGHT, RSA is coming up. We're gonna get all those announcements at once.
- NEW COMPANIES: AuthZEN Aims to Harmonize Fractured Authorization Controls
- NEW TOOLS: COACH, from Dropzone.ai
A Chrome plugin from Dropzone.ai that peeps the alert in the current tab and gives you some recommendations on how to deal with it.
- NEW TOOLS: Vendr Chrome Extension Makes Enterprise Pricing Visible
- NEW TOOLS: step-security/harden-runner
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. It monitors network egress, file integrity, and process activity on those runners, detecting threats in real-time.
- LEARN: Google Prompt Engineering v7 2025
Apparently a really great prompt engineering how-to from Google
- RSAC: RSA’s Innovation Sandbox: Cybersecurity Startups Must Accept $5 Million Investment
This is old news that we never covered, because I put it in the wrong place and lost it for a few months.
Now that RSAC is coming up, it's worth a chat. Not too different from how Shark Tank does things, apparently.
- ESSAYS: Security Brutalism – Modern Adversary
- REPORTS: From KPMG – Top Geopolitical Risks in 2025
We've often talked about how cybersecurity isn't the business's top priority, but less so about what a business's top priorities actually ARE. This report is a great opportunity to understand exactly what those risks are. The report doesn't attempt to quantify these risks, but it still provides a useful perspective for those of us deep in the cybersecurity bubble 24/7.
- DUMPSTER FIRES: “CISA have, at the last minute, extended the MITRE CVE contract”
What a wild ride this was the other day.
At around 1:23pm Eastern, we see a tweet that CVE is in trouble. Tomorrow.
Then, I start seeing a flood of posts on LinkedIn from everyone, including Jen Easterly.
And then part of the CVE board decides to fork and start a non-profit! This is something they apparently had been planning for at least a year.
I'm up late, trying to think through the damage, the potential scenarios, what advice to give IANS clients...
And then, in the morning, we see that a deal was done, and all is fine.
Too soon. This was the tariffs all over again. All this buildup, then a delay. Buildup, exceptions. Also like the tariffs, I think the damage was already done in those 12-16 hours. No one in this industry is going to be comfortable depending solely on CVE/NVD going forward.
- THREATS: AI-hallucinated code dependencies become new supply chain risk
- ATTACKS: Recently I was targeted by an extremely sophisticated phishing attack…
WILD story and some very interesting and useful analysis of how this attack was put together. A very convincing phish.
- WEIRD: Microsoft: Windows ‘inetpub’ folder created by security fix, don’t delete
"This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users."
- SQUIRREL: Missing toddler who walked 7 miles through Arizona wilderness led to safety by a dog