
Detection at Scale

Panther Labs

74 episodes

  • Veeva Systems' Mike Vetri on Building Threat Operations Teams and AI-Powered Investigations

    13/1/2026 | 37 mins.

    Mike Vetri, Sr. Director of Security Operations at Veeva Systems, reflects on transforming SOC investigations through AI-powered data aggregation and building threat operations teams with the analytical mindset required for proactive defense. Mike introduces the C3 Matrix framework for prioritizing security efforts across centers of gravity, crown jewels, and capability enablers, and explains the seven Ds of cyber defense from discovery through deception operations. Drawing from 10+ years of Air Force cyber intelligence experience, Mike details why threat operations requires fundamentally different system-two thinking than detection engineering, and how this discipline shift moves organizations from reactive firefighting to proactive threat anticipation. He covers practical examples of AI cutting investigation time by aggregating data from multiple tools, the importance of defense in personnel for operational resilience, and strategies for preventing analyst burnout while maintaining effective security operations.

    Topics discussed:
    • How AI transforms insider threat investigations by aggregating workstation logs, browsing history, and DLP alerts into single queries
    • The C3 Matrix framework prioritizes security controls across centers of gravity, crown jewels, and capability enablers based on organizational impact and recoverability
    • Why threat operations requires system-two analytical thinking fundamentally different from the engineering mindset
    • The seven Ds of cyber defense: discover, detect, deny, disrupt, degrade, destroy, and deception operations for comprehensive threat mitigation
    • How deception operations provide the most accurate intelligence by studying adversary behavior in controlled environments
    • The distinction between threat intelligence and threat operations, and why mature SOCs need teams focused on proactive defense strategies
    • Defense in personnel ensures multiple team members can handle each security capability, preventing single points of failure
    • Time-sensitive investigation scenarios where AI delivers maximum ROI by eliminating the need to manually query dozens of security tools
    • The evolution of cyber threats from technical attacks to psychological warfare using AI to challenge human judgment and decision-making
    • Why security culture must extend beyond traditional boundaries as AI-powered threats increasingly target HR processes, financial operations, and business functions

  • Trustpilot's Gary Hunter on Structuring Security Knowledge for AI Success

    23/12/2025 | 37 mins.

    Gary Hunter, Head of Security Operations at Trustpilot, built a security team from scratch at a company synonymous with trust. Gary shares how his ten-person team leverages AI agents across alert triage, multimodal brand protection, and incident response. He explores why he and his team treat AI agents like interns with codified guardrails, why competitive prompt testing reveals the best approaches, and how restricting AI to specific documentation sets prevents confusion. Gary also offers his tips on building weatherproof team members who adapt to any technology shift and reflects on why constraints breed creativity in resource-limited environments.

    Topics discussed:
    • Building security operations from scratch by identifying pain points, understanding technology gaps, and systematically increasing detection coverage and visibility
    • Leveraging AI agents for alert triage and workflows to enable teams to run as fast as attackers while maintaining appropriate human oversight
    • Implementing competitive prompt testing by running multiple AI models to identify the most effective approach before deployment
    • Creating cultural buy-in for AI adoption by empowering team members to contribute prompts and democratizing learning across skill levels
    • Using AI for multimodal brand protection, analyzing screenshots and HTML content to score potential infringements and automate response workflows appropriately
    • Treating AI agents like interns, codifying processes, and limiting tool access based on what you'd delegate to junior team members
    • Building detection strategies that focus on behaviors and crown jewels while using AI to triage noisy but potentially valuable alerts
    • Documenting institutional knowledge concisely rather than overwhelming AI models with extensive documentation that creates conflicting or irrelevant responses
    • Shifting team focus from alert triaging to high-impact prevention work, vendor management, and building relationships across the business

  • Vjaceslavs Klimovs on Why 40% of Security Work Lacks Threat Models

    09/12/2025 | 35 mins.

    Vjaceslavs Klimovs, Distinguished Engineer at CoreWeave, reflects on building security programs in AI infrastructure companies operating at massive scale. He explores how security observability must be the foundation of any program, how to ensure all security work connects to concrete threat models, and why AI agents will make previously tolerable security gaps completely unacceptable. Vjaceslavs also discusses CoreWeave's approach to host integrity from firmware to user space, the transition from SOC analysts to detection engineers, and building AI-first detection platforms. He shares insights on where LLMs excel in security operations, from customer questionnaires to forensic analysis, while emphasizing the continued need for deterministic controls in compliance-regulated environments.

    Topics discussed:
    • The importance of security observability as the foundation for any security program, even before data is perfectly parsed.
    • Why 40 to 50 percent of security work across the industry lacks connection to concrete threat models or meaningful risk reduction.
    • The prioritization framework for detection over prevention in fast-moving environments due to lower organizational friction.
    • How AI agents will expose previously tolerable security gaps like over-provisioned access, bearer tokens, and lack of source control.
    • Building an AI-first detection platform with assistance for analysis, detection writing, and forensic investigations.
    • The transition from traditional SOC analyst tiers to full-stack detection engineering with end-to-end ownership of verticals.
    • Strategic use of LLMs for customer questionnaires, design doc refinement, and forensic analysis.
    • Why authentication and authorization systems cannot rely on autonomous AI decision-making in compliance-regulated environments requiring strong accountability.

  • GreenSky's Ken Bowles on Auditing Controls before They Silently Fail

    25/11/2025 | 36 mins.

    Over his 15-year journey through healthcare and financial services security, Ken Bowles, now Director of Security Operations at GreenSky, has collected a wealth of practical strategies for prioritizing crown jewels, managing cloud over-permissions, and building SOCs that scale effectively. He reflects on transforming security operations through AI and intelligent automation and discusses how AI is reducing analyst investigation time dramatically. Ken also stresses the importance of auditing security controls before they silently fail. The conversation touches on the evolving role of the MITRE framework, the concept of signaling versus alerting, and why embracing AI might be the best career move for security professionals navigating rapid technological change in cloud environments.

    Topics discussed:
    • Building security operations programs around crown jewels and scaling outward to manage the most critical assets first.
    • Managing over-permissions in cloud environments that have snowballed across multiple administrators without proper governance.
    • Using AI to reduce analyst investigation time from 30 minutes to seconds through intelligent data enrichment and context.
    • Creating true single-pane-of-glass visibility by connecting security tools and data sources for more effective threat detection.
    • Training new security analysts with AI assistance to bridge knowledge gaps in SQL, SOAR platforms, and log analysis.
    • Documenting institutional knowledge while encouraging analysts to trust their intuition when something doesn't look right.
    • Understanding the limitations of impossible travel alerts and using AI to establish user behavior baselines for accurate detection.
    • Applying the MITRE framework as a guideline rather than gospel, adapting detection strategies to specific organizational needs.
    • Implementing signaling approaches that label security-relevant events without creating alert fatigue for security operations teams.
    • Auditing security controls regularly to catch configuration drift and ensure protective measures remain effective over time.

  • FanDuel's Tyler Martin on the Bronze-Silver-Gold Path to Autonomous Security Triage

    11/11/2025 | 39 mins.

    Tyler Martin, Senior Director of Enterprise Security Engineering & Operations at FanDuel, reflects on revolutionizing security operations by replacing traditional analyst tiers with security engineers supported by custom AI agents. Tyler shares the architecture behind SAGE, FanDuel's phishing automation system, and explains how his team progressed from human-in-the-loop validation to fully autonomous triage through bronze-silver-gold maturity stages. The conversation explores practical challenges like context enrichment, implementing user personas connected to IDP and HRIS systems, and choosing between RAG versus CAG models for knowledge augmentation. Tyler also discusses shifts in detection strategy, arguing for leaner detection catalogs with just-in-time, query-based rules over maintaining point-in-time codified detections that no longer address active risks.

    Topics discussed:
    • Restructuring security operations teams to include only security engineers while AI agents handle traditional level 1-3 triage work.
    • Building Security Analysis and Guided Escalation (SAGE), an AI-powered phishing automation system that reduced manual ticket volume.
    • Implementing bronze-silver-gold maturity stages for AI triage: manual validation, automated closures with oversight, and full autonomous operations.
    • Enriching AI agents with organizational context through connections to IDP systems, HRIS platforms, and user behavior analytics.
    • Creating user personas that encode access patterns, permissions, security groups, and typical behaviors to improve AI decision-making accuracy.
    • Designing incident response automation that spins up Slack channels, Zoom bridges, recordings, and comprehensive documentation through simple commands.
    • Eliminating 90% of missing PIR action items through automated documentation capture and stakeholder tagging in Confluence.
    • Shifting detection strategy from maintaining large MITRE-mapped catalogs to just-in-time query-based rules written by AI agents.
    • Balancing signal volume and enrichment data against inference costs while avoiding context rot that degrades LLM performance.
    • Evaluating RAG versus CAG models for knowledge augmentation and exploring multi-agent architectures with supervisory oversight layers.


About Detection at Scale

The Detection at Scale Podcast is dedicated to helping security practitioners and their teams succeed at managing and responding to threats at a modern, cloud scale. Hosted by Jack Naglieri, Founder and CTO at Panther, every episode is focused on actionable takeaways to help you get ahead of the curve and prepare for the trends and technologies shaping the future.