Offensive Security Tips and Trends for 2025 with NVIDIA and PlexTrac

Have you made your cybersecurity resolutions for 2025? The key to making progress is leaning into a proactive security strategy. Join offensive security experts Tyler Robinson, Offensive Capability Lead at NVIDIA, and PlexTrac’s Founder and CTO, Dan DeCloss, for predictions and advice on setting proactive security priorities for the coming year while improving pentest reporting time, collaboration, and report quality.

Series: On-Demand Webinars & Highlights
Category: AI, Pentesting, Purple Teaming, Red Teaming, Thought Leadership

Transcript

All right. Well, hi. Hello and welcome to Offensive Security Tips and Trends for 2025 with Nvidia and PlexTrac. Now, today’s exciting webinar is sponsored by PlexTrac and produced by Actual Tech Media. My name is Jess Steinberg. I’m with Actual Tech Media, a future B2B company, and I’m so happy that I get to be your moderator today because we are checking in on those New Year’s resolutions that you made way back when, way back in 2024, which I know feels like a year ago already. You know, when you were back in the 2024 days and you were looking ahead and setting your company’s cybersecurity strategy goals and planning for where you were going to go in 2025. And here we are one month into the year, and so now’s a pretty good time to check in. Are you setting yourself up to meet those goals? Now, I would argue that just by joining in today, that’s a good sign you’re all on track, especially if one of your resolutions was to set your organization up to be more proactive rather than reactive. And that’s what we’re going to get into today. Some of those key predictions, that important advice for how you can build your proactive priority list for your security strategies in 2025, with the help of our expert presenters, we are going to talk about key insights.
We’re going to outline some action steps that are going to improve your pen test reporting time. We’re going to talk about building collaboration. We’re going to talk about AI. Of course we’re going to talk about improving report quality. And lots, lots more. This is going to be such an interesting conversation. I cannot wait to dive in. So I’m going to start out with just a few housekeeping points here today to help you get the most out of your time with us, because most importantly, first and foremost, I want to point out the brand new digs, right? Welcome to our new home. How exciting is this? So even if you are a long time veteran of our webinars, you may not be as familiar with the console. So let’s walk through, take a little tour together right now, and then we’ll bring our speakers on out here. Now I want to start out with the chat tab. Now, this is on the far right-hand side of your screen. So this is where you can say hi. You can say hello. We can connect with our fellow attendees. We’re going to share all of our thoughts or ideas, our stories, our favorite emojis, whatever you get excited about, you can send those messages, send those emojis, and get to know our wonderful community a little bit better. We’re going to try it out now. I see lots coming in the chat. Oh I love this. Hey Michael. Hey, Janelle. Hey, Franklin. Tatiana. Oh, we got a whole awesome crew, and this is so exciting. I’m loving the live chat. This is brand new. I’m very, very happy that I get to hear from all of you. And we get to be a part of this collaborative learning community as we go through that together. I also want to take a moment to introduce Deanna Albuquerque, who is our wonderful coordinator behind the scenes. So she will be chatting with all of you today as well and helping us run a smooth show. So say hi to Deanna with her quick reminder that that chat tab is where you go. If you do need to reach out to Deanna and myself.
If you have any technical issues during the session and hopefully this doesn’t come up, knock on wood. And the very first thing you’re going to try is a browser refresh. I promise a browser refresh is going to clear out pretty much anything that comes up. But if that browser refresh does not work for you, no problem. You’re just going to post in the chat window and Deanna and I will be there to help you out. Okay, so while chat is there for all the general thoughts and the ideas, all the connection building, getting to know folks, the Q&A is where you’re going to ask your questions. We started out in that chat tab, and then we’re going to bounce two tabs over to the Q&A tab. So this is where you’re going to get your live questions. And for our incredible speakers here today. And we have a very fun and interactive conversation planned for all of you. We are throwing the slides, we’re throwing the script out and we’re just chatting. And so an important part of that is hearing from you. So make sure you’re using that chat window and make sure you’re using the Q&A to get all of those questions. And as always, if we don’t get to your question during a live Q&A session, we will follow up with you after we wrap up. The last stop on our tour today is the docs tab. We have some very exciting content to go along with the webinar today, so make sure you have spent some time in that docs tab. There are some really, really cool takeaways, and follow-ups to everything that we’re going to be chatting about. So make sure you’ve, you’ve opened that docs tab and start exploring. Well, as you can see we have two incredible speakers here with us today. I’m going to bring them out in just a moment. But I want to introduce you to our wonderful presenters that we will be learning from and exploring these topics with today. And that is, of course, Dan DeCloss, founder and CTO at PlexTrac and Tyler Robinson, offensive capability lead at Nvidia.
Dan and Tyler, I’m going to bring you out on stage with me here. Welcome, welcome. Oh, there we go. Hey, team. Welcome to the stage, how are you? This is fancy. I like it right. Yeah. New house. Welcome. This is a little tour. Yes, we’re very excited about it. Dan and Tyler. Okay. We have a lot to cover. We have a lot that we want to get into today, and I’m pretty pumped about it. Just kind of breaking the fourth wall here with our audience is that we don’t entirely know where this conversation is going to go, either, because we have some things we want to talk about, we have some ideas of where we want to go, but we’re going to kind of base it off of where the passion takes us today, where the ideas take us and where the audience takes us with their questions. So that’s absolutely thrilling to me. And I cannot wait to dive in. What I’d love to start with, though, is just a quick kind of we’ve done names and titles, but stepping beyond that, if I could ask each one of you to give me a little idea of you and what you’re passionate about and what you would most like to kind of get into today, as we explore with our audience. And, Dan, maybe I’ll ask you to kick us off. And then Tyler.

Yeah, that sounds great. So, yeah. Well, one, thanks everybody for joining us. We know your time is valuable. So, we hope that this will be a good use of your time and, and excited about the conversation. And thanks, Tyler, for joining us. And Jess, thanks for putting this all together. But, but yeah, so like my background has been in, you know, offensive security penetration testing.
And what I’m passionate about is actually, you know, taking the results of, of these, you know, critical risk, items that are getting reported out of all of these tests, you know, over the years, you know, I’ve I’ve been involved in a lot of those types of assessments and then kind of felt like you get that, you get those findings and those risks identified, and then they’re put into the hands of the people that you think should be fixing them. And then they just kind of get lost in the ether or they don’t get really prioritized the right way. And so I’m really passionate about actually making a difference, you know, in terms of security and, and making sure that, that, that the, the issues are getting identified correctly and prioritized correctly and actually reducing the risk. So, that’s what I’m really passionate about. And I think that offensive security has always been the best way to identify, you know, and be proactive and that’s obviously why I started PlexTrac and things like that. So so I’m really excited to dive into those topics today and, and kind of help you help share with the with the audience as well as, and, you know, around how we’re, seeing the trends change this year and all the new technology that has come out over the last couple of years and what impact that has both on the offensive security space. But then how do we actually, you know, make those into meaningful action, you know, results and things like that. So I’m really excited about it. Tyler, I’ll hand it off to you.

Thank you, you know, Tyler Robinson, thank you guys for coming, this is exciting. As you all know, Dan and I go way back, so it’s always fun when I see a message from Dan. Hey, you want to do something? Oh, yeah. Definitely gonna hop in on that. PlexTrac has been a close friend and a company I’ve seen develop over the years. It’s just phenomenal.
So, besides being good friends like they do, provide some interesting things that I, as an offensive security practitioner for almost. I’m coming up on 30 years, like, we’ll call it 27 now. It wasn’t really a job way back then, but, you know, we’ll call it something different. The reporting side of that has always been a passion of mine because I hated reporting so much. And then I hated finding out, getting out there and not, not being dealt with or having too much on my plate to follow up, to remediate, to help the blue team properly. That was one of the real big gaps in the very early days was quality reporting and just interaction and really assisting the blue team. And doing that, you know, could be on multiple communication channels, different platforms. They could go through, you know, multiple different ticketing systems, all those things that are just things that the offensive people know. Keeping up is very hard. We weren’t keeping up with the blue team and helping them out after we were done with tests. So like what PlexTrac brought, it really alleviated many problems for me. So I am a true believer, an evangelist for many, many years. So I’m excited to be here to talk about some interesting things in the offensive space. It’s definitely changing a ton with AI and a lot of the stuff coming out and a lot of the stuff is still the same, and we are just repeating history over and over again. So it’ll be an interesting conversation with some, some different perspectives, I’m sure, than many people.

Oh, Tyler. Okay, that’s exactly where I wanted to start this conversation. First and foremost, I have to say, Dan, you just heard Tyler say that whatever you ask, he’s in. So I feel like that’s a dangerous precedent. Yes. That’s a bold statement. The text messages that you get like, hey, what are you doing next Friday? And I was like, I’m in before. Yeah. Mexican jails. All right. That’s where we got. Let’s do it, man. Look, that everyone needs that one friend.
That’s what’s important. So. Okay. But, Tyler, that’s exactly where I wanted to start with this today, because I think every, you know, security changes all the time, right? And everything’s evolving rapidly. And right now, you know, industries are being totally blown up by AI. And what I’d love to get an idea from you guys is A. Is it as revolutionary as we think it is as we, you know, as the hype makes it seem, is everything blowing up and starting from scratch and changing? Or maybe some things, but others, you know, Tyler, you just said maybe some things are staying the same. Where do you guys sit on that?

I mean, if you had asked me that, say, 2, 3 to 2 years ago, I don’t know, somewhere in between there I would have said that AI at its stage, it was probably like having a high school intern that really didn’t understand how to use a debit card or get coffee, and in which you had to do so much work to actually help them with work. That it was not worth any of your time. Now that’s changed quite a bit, since we’ve seen ChatGPT come out and we’ve actually seen some improvement around the model providing them, you know, access to the internet, ongoing language model, updates and, and agentic agents, like, all of the things kind of changed. There was a pretty big shift there, once that happened, because, again, we were working with something that could go get information. But you didn’t have that information and it was out of date. It was off, you know, line in like 2021, like all those things were like, okay, that’s kind of cool. I see where this could go. But like, this is just not really useful. In fact, it was kind of like academia taken some like some old college classes from an old professor that hasn’t been in the game in, you know, 20 years. It was really not all that fun. Now we are really at a point where people are building some very interesting products.
We have AI coming in in very strategic ways with the research and the deep learning and providing information specific to organizations where the training on internal data and leveraging the different language models to then articulate and gain access to do things more efficiently. And at the end of the day, that’s what hopefully we were looking to get to rather than, you know, world domination of the AI and Terminator starting out. Like I hope we were working towards efficiency. We all have more time to do the things that are important. But it is kind of that in-between place where things are getting really good, but it is a steep learning curve and there are a lot of mistakes still being made and a lot of caveats too, to do this right and doing this well.

Yeah, I think that I agree with Tyler in terms of how ChatGPT coming onto the scene really did become a game changer for both how offensive security practitioners need to look at the world, as well as how attackers and threat actors are looking at the world as well. Right. So, the use of AI for, you know, speeding up attacks and speeding up exploit development and speeding up every facet of the attack lifecycle, is something to really be, you know, noted. And we’ve talked about this before with, you know, with other folks, but there’s a lot of work going on in the AI space for being able to conduct exploits in a, in a more autonomous fashion. And the way that I see it and, Tyler, I’d love to kind of hear your opinion here too, is like it’s very similar to, you know, as we continue to enhance automation capabilities, it allows the attackers and, and offensive security professionals to identify the lower hanging fruit, you know, more quickly and then be able to dive in deeper on the more intricate exploits. Right. So when Burp Suite came on the scene, it sped up how we could attack websites.
And so it took away the, the time to, to find that, that lower hanging fruit and really allowed us to, to dive into the deeper and more complicated exploits. I don’t think anything is much different, you know, in terms of AI, except that it’s advancing a lot. You know, the things that you do, you consume more of the offensive security team members’ time. So I think that’s really, really important. I think that’s a trend that we’ll continue to see. And then how do you know, how do defenders, you know, that may not have as much experience with offensive security? How can they leverage the AI to be able to use these AI tools and this automation to be able to identify deeper, bigger gaps in their organization without having the skill set that that someone like Tyler or me would have had. Right? So I really see it as a game changer and continuing to be that trend. And, and I think you see a lot more advancement. Tyler, I love your thoughts about.

Yeah, I think you’re spot on there. And I think there are a lot of different back and forth on that particular use case. Right. Like, you do have a lot of play being made with the offensive space. Like you can definitely speed up your operations. You can have a knowledge base where you can ask questions that would otherwise have to be base knowledge. So we’ve lowered the barrier of entry for some of the script kiddies or some of the lower tier threat actor groups in order to provide them with easy answers, easy ways to write out exploit code, easy ways to build a script on the fly like that takes, you know, you could write a good script if you’re good at prompting and you have a nice LLM that’s not guardrailed. You can write out some malicious code in, you know, 30 seconds. Back in the day, you had to actually do that. Look for an example, modify it, double check it like it lowered the bar, for the attackers.
But it did also lower the bar for the defenders, where we are adding a lot of these AI agents and, the ability to ask specific questions of AI to build out defensive capabilities to build out, KQL queries for your hunting. We’re integrating, you know, a lot of detection capabilities for heuristics around AI and looking for pattern matching and doing that across very large amounts of data. So those things are also, I think, encouraging to see where we’re able to identify and even do some pre-identification of vulnerabilities within tools as part of the pipeline through models that are evaluating those things. Those are promising areas that bring the bar I think higher for the attacker in certain areas. But it’s also still lower. And right now we have tools at people’s fingertips that are allowing them to do things that are, they could be very dangerous and they don’t fully understand. And then you get to the, the higher end, top tier of that, and you see things like polymorphic AI, agents, things that, like Jeff Sims working on, with is like AI voodoo or, his espionage, where it looks at different, companies and provides you ways in which phishing or social engineering might work. Like those are truly advancements that show proof of concept. Like, obviously, nation states are doing these exact things. If we’re doing them and we are thinking of them, then absolutely, this is in the pipeline. So now it’s changed the land, the threat landscape, of nation state attacks and the vulnerabilities and things you have to look at and think about from your threat risk profile and then begin to build a plan because it is going to come down the pipe and it’s actually probably already here. So now, what is your plan and roadmap to begin to address the new threat landscape and, and where these models are going.

I think, excuse me, I think that’s a great point. And you triggered something that also excites me.
It also makes me makes me want to make sure we, you know, emphasize the importance of being proactive and, you know, using AI as a defender for, for the benefit of your organization or, you know, whoever you’re you’re you’re working for in that it can help you identify some of that low hanging fruit. But I think also what’s important is the attackers are using this. And then they’re also not necessarily, you know, any any breach and exploit, you know, deeper exploitation, you know, at organizations right now, most of them, you see, are not using zero day exploits, right? They’re not exploiting vulnerabilities that haven’t been patched or things like that. They’re using, well, what we would just typically say are tried and true techniques that that organizations just still tend to miss. And I think that’s an area that AI could really, really help because AI is great at distilling the known knowns and helping you identify through large data sets where you might have gaps. And I think that that is something we will definitely see a trend. And as we continue to move forward, you know, with the AI research, both on the offensive side, but using that from a defensive perspective. So I think it’s really important to highlight that, you know, most breaches, you know, are the initial vectors or, or combination of the vectors that provide for deep exploitation are not super sophisticated exploitation techniques. Right? They’re they’re the ones where, hey, you left MFA off on a specific server or, you know, your, your password policy for, for a subset of, of, you know, groups within AD just didn’t happen to be configured correctly and they were susceptible to spraying things like that. And I think those are the things that AI could do a really good job of, you know, as we know in our space, defending against the unknown unknowns is going to be all is, is, is always going to be hard, right. We just don’t know what we’re, we’re talking about.
But if you get it, if you get an upper leg on on the things that we do know about are using using MITRE ATT&CK as kind of a baseline for TTPs and how to how to be testing for it, you really can at least start to be able to communicate effectively around your gaps with with those known techniques, which tends to be how you’re initially going to get compromised, you know?

Yeah, I mean, it is so again, no, Tyler, you go ahead. I’m going to let you dig in.

There’s some interesting things there that triggered some thought around the defense and really getting the basics right. Like one of the things that that we’ve I mean, we’ve been saying this data intrusion, but at least doing this together at least for 15 years, saying the same thing of, you know, the basics are where the bread and butter is out of true protection, getting the core fundamental foundation of good security, following best practices, getting the sticks running through all those. But the reality of doing that means it’s easy for everyone to say that. And then, you know, red teams and pentesters, all of them just do this, just turn off, you know, turn off local admin. Okay. But there is a lot to some of these basic recommendations. The fundamentals of doing it right. And there is a business at the end of each of the things that we don’t always consider from an IT or security standpoint, like business goes on, there’s business risk decisions, but there’s also business decisions, like there’s not just one silo, to business. And really wrapping your mind around security is not the only thing that is considered and thought about, which is why we are in the state we’re in for security. Now, I’m not saying that security’s not important, and it is the forefront of a lot of executives’ minds now where we are trying to we’ve we’ve now seen the risk. It’s been demonstrated the impacts there.
But the ability for defenders and executives to get onto the same page and speak the same language and understand that the risks have to be addressed, but also understand that IT’s hard, like the defenders, they really do need a pat on the back. They need to be heroes more than the red team, more than the attackers. Like, let’s give them some hero names and some techniques and tools to do a better job because they have a hard job to do. And I think AI hopefully begins to do and focus on that a little bit more, because we have seen a lot of experimentation around just AI in general being used, either maliciously or to short circuit stuff or to to make things easier. Yes, but also not making or not making the world generally a better place. Like now we’ve got interviewers that maybe shouldn’t be candidates to just use ChatGPT to get a job, to then not be great. Like, let’s we’re going to see, I think improvement down those those routes that hopefully lend a hand to IT in general and begin to provide them the resources, the support, the budget, the the mindset, all of those things that they’ve been lacking over the last two decades, and really do a better job. And that being said, like even around budgets, like there was a question in the chat around being able to emulate some of the APTs or emulate some of the red team and pentesting, like let’s, let’s start to leverage those so we can recoup budget to give back to blue teams. I mean, it is not going to be very effective, right? Second, there’s a lot of projects, there’s a lot of pretty interesting tools that I’ve seen work, to emulate some pentesting, emulate some APT tactics, but we’ll be really like APT good red teams. They are going to be the creative type. They’re going to be looking for breaking processes and procedures, looking at different flows and really thinking very, very much outside of the box in ways that AI is probably going to have a little bit harder time doing.
Like we are very creative elements, which is why we’re never going to be replaced. I mean, I said we can take some of the small, easy tasks, the minutia tasks, the tasks in which you maybe shouldn’t have a red team because we need to address these tasks first, before we bring in and spend money on a red team. I believe AI is there and can begin to do some of that. It will never replace pentests. It will never replace red teams. But that’s going to be, the simulations and the emulations part, I believe you can start to build good playbooks and build out good scripts and work with some companies that are doing some cool things with tools around that.

Yeah, exactly. Like, I don’t know that like I’m not aware of, like a single tool that could do that, you know, today using modern AI. But what I have seen people doing is, you know, there’s different projects, right? For both, for both the, the threat hunting side and the threat intelligence side and merging that with the actual exploitation capabilities. So being able to have models so like, you know, at RSA last year, Adam McKinsey and his cohort, or his, his peer did it did a pretty good presentation on just like creating a model that took threat intelligence reports and overlaid it where you basically worked on the prompts like, hey, in my tech stack, I have these these capabilities within my tech stack. I’m a we’re a Mac shop or a Windows shop, for example, basic things like that where they can actually prompt, prompt the agent and say like, you know what? What TTP should I actually be, you know, worried about? And then and then from there, you know, kind of marrying that with, hey, now create scripts in in provide exploits that, that, you know, focus on these things so you can make the, the you can make the attack much more realistic to the environment before you even, you know, submitted any kind of exploit. And I think, I think, you know, kind of in answering that question, really, how do you emulate this stuff?
I think we’re going to continue to see a lot of that progress. And there are other things like pentests, automation tooling out there that claim to use AI and I can’t speak to, you know, how in-depth it is versus, you know, versus what we’re seeing in the open source world. But, I think Jason Haddix also has some really good work out there with, like, his red, red, purple teaming type stuff. So I think that’s where we’re going to see a lot more focus this year is how do we start to marry this where it’s like, hey, the known TTPs we can speak about intelligently. And you brought up, you brought up, another prompt that, continuing to have a common nomenclature about how we speak about breaches, I think is going to continue to improve, which makes me happy. Right. Because I think, you know, as far back as I can remember, being a pen tester, you always wanted to talk to people about things like, well, what actually will get you breached, right? What are the things, you know, and and I think that that is continuing to drive more focus than, than it has in the past, because it’s like like we said, it’s the common known techniques that are starting the, you know, once you can what you can address those, then the zero day exploits, the really complicated, you know, exploits, you know, those are then what you have you have to like start to defend against. But man, if you’re in that state, you’re in a really good spot. So I think we’ll definitely see some trends, from, you know, the merging of threat intelligence correlation to using AI to help identify, you know, how to exploit this environment based on that. And I think it’s also important, like attackers are also, you know, doing this research as well. And they’re not sharing it.

That’s right. The threat intelligence side is super, super exciting, right?
Because that is where AI is really good at, like summarizing and parsing and digesting large amounts of data and intel, so that has a lot of potential, brings a lot of knowledge. But along those same lines, right, like now we are again, we have AI agents doing pentests. They are doing red team. We’ve got all this threat intelligence. We can summarize all that. You still have to have reports. You still have to disseminate information. You still have to be able to bring ticketing down and be able to collaborate with the teams like, I love AI is speeding some of this up and it’s providing more knowledge, more data, but with more data comes, more problems, as you know Dan, than like there. There are some serious issues with not being able to collaborate, not being able to do much, for the different pieces of telemetry you’re gathering from all this. And we also have a skill set gap, right. Like AI is bringing in a lot of new vulnerabilities or risks to organizations and businesses really understanding, like where is your data going? What models are you training against? You have to have an understanding of models. You have to have an understanding of what your pipeline is. You have to have an understanding of where the data lake or the data being trained on is actually living. And is it going back into an LLM that you control on your hardware, not your hardware or shared hardware, like all of these things then become business risks. At some point, we’re going to start to see some of these attacks and business risks begin to come out like, yeah, we have a lot of jailbreaks. We got a lot of, you know, guardrail bypasses on AI, which has its own set. You know, people can have their own AI.
So it’s not as huge of a risk, but when you start to talk about data living outside and AI having access to that, like as we begin to do more and more AI, like if companies don’t have that skill set to one, understand what the risks are, two, understand, what they’re providing through AI and where their data lives and their separation and permissions and proper ACLs. And then to what are the risks to the models and the things that you’re building into your products. Right. Like we’ve got whole new attack lines on ONNX files, on pickle files, on things that can execute things on an AI model like those things will, if that’s running in your product or running on your infrastructure as a service provider, providing something to your clients, like now you’ve got an entirely new set of tech stack that you’ve got to understand protect, and we’ve provided a layer of complexity and abstraction that now makes it even more difficult for IT to evaluate and know those risks. So it’s definitely a landscape that is going to take some people some time to get up to speed on, but we need to be up to speed. Everyone is.

Yeah. It increases the attack surface for sure. But you know, so then you have to continue to weigh that from your risk management stuff. Jess, I know you were going to chime in with the question. I think we just started riffing.

So I know you guys are on the edge of my standing mat. This is, this is, it’s absolutely thrilling. No. And I do want to make sure that we get into some questions as well as we’re kind of going through here. You guys have been doing a good job of answering them, actually, as they’re kind of coming up. But maybe before I switch into audience questions, what I was kind of wondering about. And, Tyler, you’ve been sort of brushing along this and especially with our, our skill deficit. And I think this comes up a lot.
Are we, do you think that the entire nature of what it means to be an OffSec pro, or to have a security team, does the team need to restructure? Is it training? Is it like what? What is the trend that we’re going to see for the teams themselves moving forward into 2025? I think a lot of that is going to be hyper dependent on the vertical maturity and team structure. In its current form, you’re going to have people that are naturally inclined to want to go learn AI. They’re going to probably do it themselves. You should 100% support that as much as you can and begin to build that out. But the structure will have to change because there are going to be very specific threats, threat models and information in many of the larger organizations that are going to have to be dedicated to keeping up to speed on all of just the AI stuff. The AI risk, the models, and we’ll be real, even when we abstract this, like most of us don’t even understand the surface of how AI truly works and the level of math it takes to do some of this correctly. At the layers that, you know, many of the people I work with do, I don’t even pretend to dive in on some of the stuff, like Joe Lucas and Rich Harang put out. So there’s a lot of math, there’s a lot of statistics. So you’re going to naturally have to have some expertise in there, even as they’re building. And you’re going to have to understand where that team structure is going to make sense in an org based on your maturity. If you guys are not deploying any AI other than like a business Copilot, then great. Now you need a Microsoft pro and you need someone that’s up to speed on AI and Microsoft and how Copilot is functioning, and then what data you’re providing it with, with the ways to secure it. 
Now, if you’ve got multiple teams and you’re providing AI in a product, you’re going to have some data scientists, you’re going to have to have a little bit of offensive-minded and defensive-minded people for that, with infrastructure that then understands some of the nuance of how AI is going to have to integrate into your product and where that solution fits to make security work and all of these things. There’s going to be definitely some restructure, and I think it’s going to make a lot of sense to naturally let some of that play out so that you see who’s actually interested and capable, as well as get everybody on a baseline and start to begin to provide resources so that they at least have a general understanding, because it is going to apply to basically everybody in IT at some point. Yeah, I think like in terms of like, it’s the age old question of like, how do you continue to keep your skills up? I mean, I think one thing that’s unique, not only being in tech, but also being in the offensive security side of tech, is that you always kind of have to know at a base level, a lot of different technologies, right? Or be really good at researching on the fly. Right. And so AI doesn’t change that. I think AI can be viewed two ways. Right. And should be, is like, one, it’s another tool that you’re, you know, going to be able to leverage to improve the quality of your tests and the capabilities of your testing, but also like, hey, because it’s expanded the attack surface, you now need to learn, you know, what are the techniques that we should be testing against the AI themselves. Right. So I don’t know that that changes much this, you know, and as we see trends, just like anything else, as technology continues to evolve, offensive security professionals have to kind of keep up on it. What’s nice is like, we have a great community that continues to help facilitate that, that learning quicker. 
You know, you’ve got the people on the forefront that are doing the research. They’re publishing it. They’re helping out the community, you know, and then there’s those of us that may lag behind a little bit in our, you know, riding the coattails of some of that research to be able to kind of continue to expand on it as well. So I think it’s always going to be a combination. I don’t know that, I think that AI can help improve some of the training for the basics for an offensive security professional in terms of just like, hey, what do I need to know about XYZ and being able to ask questions. But, you know, the trend that we continue to see in OffSec is like, hey, there’s always new stuff coming out. And so I think everybody does need to continue to find resources on their own or where they’re learning how to stay on top of these things. And I don’t think there’s a magic bullet for how we continue to train our industries. Wouldn’t that be nice? I agree with that, I think. Oh, yeah. It would be nice. I think one of the things that we will see that Nvidia is actually already doing, and you’ll see this more and more, I think some of the abstraction is going to increase a little bit. And there’s going to be some additional security parameter. There’s going to be some additional things to test, but also some of the complexity removed with our like microservices like NIMs. Those are going to provide, you know, pre-trained, highly optimized and tuned microservices for industry specific things or like things like BioNeMo, which is for biopharmaceuticals, different environments that are already pre-configured where you can build some of that in new tool. So some of the security is going to be evaluated, handled, taken care of and built. But you also at that point, we go back to the age old of trust but verify. 
So now you’ve got something that’s done a lot of the hard work, but you still probably want to trust and verify some of that. And make sure that that’s going to enable your company to leverage something like that and take some complexity out and still be secure. So I think we’re going to see a lot more of those kind of services start to narrow that gap and begin to fix a little bit of the complexity layers. But it’s definitely not going to be the full complexity layers. Yeah. Can I ask you guys, I’d like to talk a little bit about the evolution of pentesting, because that has come up a few times in the questions. And so I’m going to read this question here. And then you guys can take it into wherever you want to go with pentesting. I’m sure there’s a lot to say. Have you had any success using AI to analyze pentest results for an organization in aggregation, analyzing findings across multiple assessments, including retesting to provide better management and business insights into the overall risk picture? This is a very well written question. But also the maturity of remediation processes. Is this something that PlexTrac may add as a feature? I promise that was not a planted question because like, that’s really good. And I think it is something you’re very passionate about. So the short answer is yes, we’re actually working on that exact thing. But because what we’re seeing is that, being able to correlate that data across, hey, you know, being able to ask questions of your data is something that we’re actually going to be releasing here very soon as we help progress the product in that way, and in not trying to plug the product, but it’s very, too much. But like, I’m always going to try and plug the product because but, but in terms of just the goal in terms of the goal. Absolutely right. 
So it was kind of where I was wanting to kind of head a little bit in terms of when we talk about being proactive, that really means ruthless prioritization of what are the most important things I should be working on. Right. And so when you have data across multiple types of assessments, both from vulnerability scanning, from threat hunting, from penetration testing, risk, any kind of risk assessments, if you want to be able to aggregate that data together and provide some kind of context, it’s like, what are the most important things we’re going to be working on? We have a module in here in PlexTrac today called Priorities, which allows you to apply your own, you know, custom risk scoring to the findings. Right. And so it’s based on the business context that you can support. And so it really allows you to have the focus on, hey, based on the criteria that we’ve set forth, whether we want to focus on assets that are in the DMZ or publicly facing assets or critical assets in this type of a, you know, lab environment that houses a lot of our IP, you can set that criteria. And I think that’s important regardless of whether you’re using PlexTrac or not, is that that’s where the future is heading. AI is really good at distilling data, right? And being able to answer questions of the data. And so that’s definitely something that we’re working on, that it can really help facilitate the entire risk management lifecycle of A. We’re really good at getting data in, right. We’re typically pretty good even on the pentesting side and finding some really cool stuff. Then how do I aggregate that together and really identify what are the most important things we should be working on? And that’s where AI can help with like, hey, based on the criteria, these are the things that we think, you know, are the highest priority. 
And then you actually have to do the work that then you actually have to assign that out to somebody, you know, track the progress, you know, just like any other kind of project or task. But you do start to be able to have a better picture of, hey, are we actually working on the right things? And are we making progress and reducing our risk? And AI will play a great part in that. So, the short answer is yes. We’re actually working on that right now. But it’s super important whether it’s us or somebody else doing it, right? Yeah. I think there’s a lot of promise there on that side. I think you guys are definitely leading the way because you know what a lot of the risks are. You know how to evaluate a pentest report or a scan or a red team and all of those get put into something that is then allowing you to build a risk profile and a risk picture across multiple types of assessments or teams. That’s the real difficult part. And so I haven’t seen many other products do that. And as you guys, you know, expand, I’m sure there’s going to be a lot more companies trying to do that, but it takes a lot of base knowledge to begin to understand what the customer needs are, that then make that something that is actionable. And it’s one thing to have it. It’s one thing to summarize it. It’s one thing to put it into even a business report that may or may not get to someone that cares and can read it. But having something that is actionable with a dashboard, metrics, the ability to pipe it to multiple systems. You know, your Jira ticket, your different metrics capabilities, those all play into the picture of reducing risk from the business standpoint, I think that’s a key play. And I think there was another question just around some of that similar stuff around AI and the ability to do some of the real time analysis of a risk in organizations. And I think it’s going to be a little while till you see some of that. 
There’s already stuff in defensive tools or stuff that they play and look at logs and look at, you know, firewall traffic and they’re evaluating that. The only product I know of out there that does real time analysis and does it very, very well is ReversingLabs, and they’re doing some amazing stuff with the ReversingLabs detect right off your pipeline data lake, inbound traffic flows, as well as the analyze where it’s looking at the stuff later. But those guys are doing some interesting stuff that I’m hoping with the Nvidia GPUs, they begin to then even leverage that further, where maybe we are doing entire flow analysis off of a wire. Like that would be awesome at some point to have a complete picture across a whole org of anything and everything that’s touching your computers. And knowing that it is not malicious, not quite there. They’ve done that before when it wasn’t quite such a volume. And they do that now on files. But man, that’s a big, tall order that hopefully we can start to see GPUs and AI lend a hand. I think Ned’s asking a question. That’s aligned there, Tyler, that you’re talking about visibility and being able to kind of see, you know, have that insight. One of the problems I think can happen with AI is we get really excited about it. It’s bright and shiny and there’s lots of opportunities. And so then people just start adding AI into things. And so what Ned is bringing up is that there’s a possibility that an organization would add AI into a bunch of places and not actually have insight into what it is, how it’s working in the organization. That raises compliance issues, privacy issues and just general, you know, the potential for risk is there. So, what advice would you give to an organization that is looking to expand their connection, their integration with AI and doing it in a way that has insight, has visibility, and is best for the organization? 
I would say a lot of focus and planning should be done with the offensive space, just because they know a lot of the risks and players that are doing good and bad things from that space. I would also be looking at new emerging companies that have a good reputation. They don’t necessarily have to be big. They don’t have to be the best out there. But they probably should have a good reputation. But looking at what you’re trying to solve first and making sure you’re not adding complexity to your organization, adding risk to your environment simply by trying to leverage AI in a way that may or may not bring value or be more effective. I think identifying the problem you’re trying to solve and where you’re trying to use AI should be, even if you’re deploying it in a product for your customers, should be the first question everyone is asking as they are moving to AI adoption: what problem are we trying to solve, and are we truly solving this problem better than doing it the traditional way, doing it in a more creative way? It doesn’t have to be. AI does not have to be the end all, be all solution to go to the next level. I know for marketers and for buzzwords and for VCs, like they would love for you to just say that you’re just moving to AI and AI solves all the problems. But it’s not always the correct answer, and it really needs to become the norm to understand that that doesn’t always have to be the thing that you are doing in a company to be creative, to do good market saturation. Those are great things. If it provides value, let’s do it. If it doesn’t, like, let’s answer the question, what are we trying to do? And I think that strategy can be adopted. There’s some great things that are happening. You know, if you’re going to look to start adopting, like start with the things that you already pay for, a Copilot with inside of Microsoft. If you’re spending money on E5 licenses throughout your organization, then look at the problem you’re trying to solve. 
You want your team to have a faster ability to ask questions of your data. Okay, perfect. There’s a problem. Copilot can solve that. Let’s make sure that we evaluate the risk by talking to our security teams. What is the risk of enabling Copilot inside of our organization? What things do we need to set up prior to enabling Copilot in our organization to make it a secure deployment? And that’s like doing things like ACLs, getting your document permissions and sensitivity levels created and evaluated. Then you turn Copilot on and now magically, like some stuff happens in it and it works well. And you’ve got good security built in from a company that knows how to deploy an AI product. And they’re doing heavy testing and are pretty good at it. Yeah. I think, you know, it’s kind of funny because, like, you know, those of us that lived through the whole cloud transformation, I see a lot of similarities here. You know, with AI, it was like, there’s people like you, can I use it? It’s too risky. There’s so much attack surface there, you know. And I think it’s, you know, versus oh hey, this is the future. Like let’s jump on board. And I think it’s very similar in terms of how AI is going to continue to be pervasive. It’ll weave its way into everything that we’re using. Right. And in some respects already has. I mean, it’s not just ChatGPT, I mean, not just large language models that we’re talking about when we talk about AI. It’s the topic du jour because it is so powerful. But, you know, AI has been around for a long time in other capacities. But I think what’s important is that it’s another technology just like anything else. And Tyler had like I always try to start with like before we go evaluate like, hey, we need a tool for this or we need to automate this. What problem are we actually trying to solve first? Right. And is this the right tool for that job? And then from there you can start to evaluate it. 
Governance is going to continue to be a factor around AI, you know, it’s the Wild West. We all know that. But so was the cloud, right. Like I mean like you know, there were you had to I think you kind of had to start similar. Yeah I think you have to start similar now as you kind of did in the cloud days of like, hey, we’re just going to have a company policy that like these are the areas you can use AI and these are the areas that you cannot. Right. How you actually enforce that is going to be an evolutionary thing. But I think starting from like, hey, what are the aspects that we’re willing to take the risk on versus not, same as like with cloud like, hey, you know, we’re willing to put like public facing materials into the cloud. But anything IP-wise we’re not going to do that. Right. And then over time you kind of started to learn like the cloud vendors are actually going to do a better job of securing the data because they have to. Right? Like that’s their job. Their whole business would be at risk. So I think similar, you know, capabilities, or similar approach within AI as well. So it’s still going to take. I think it’s still going to take some time as it just continues to change so frequently. But I think that’s the right way to approach, you know, when you’re evaluating AI and bringing it in. So I think that is a conversation that most of the IT needs to get up to speed themselves. Like understanding what AI is and how we make AI safe, accessible and providing value to the organization. So you can then take that information. Once you really understand it, you understand what the risk is. A lot of the scary stuff comes out of it. It’s not quite as magical and cool and smoky, smoky mirrors, Terminator, you know, sentience that you think it is. It is very much a lot of statistics. So lots of statistics and lots of words okay. 
So providing a good picture that you can articulate to the executives with inside of their language and provide them the knowledge that they need to then make business decisions and come to you for business risk decisions as they are being asked about what they’re doing with AI, what governance they’re going to follow and what they’re going to put into product, what they’re going to leverage or use inside the enterprise. So ensuring that you’re up to speed in order to have articulable conversation with a clear understanding, not just FUD from the internet, not just from a couple of articles, understanding what the technology is, taking that and bringing that to the business in an appropriate manner because they are relying on us to do that and to do that well. If we do not do that, and the places you’ll see failing at AI are the places that do not have a clear picture of what the technology truly is and what the risks truly are. Those are the places that you’re going to see in the future fail at AI just like the cloud. We’ve seen the people that were anti-cloud, and the people that adopted the cloud too quickly. We’ve seen the people that just thought the cloud was a magic bullet and didn’t articulate anything to executives, but moved everything. So really doing your due diligence, having a good understanding of what AI is and the technologies behind it, and then bringing that to the business. So the business has the capability to make good decisions. There’s a gentleman in the chat making a, I think, a very tongue in cheek suggestion to everyone out there, that they just tell all their bosses that AI found this bug and they get to relaunch all the issues that they’ve been hiding. You know, but and I think John’s making a joke, but it’s, you know, I think you’re right, Tyler, to your point, that it becomes this sort of if the AI label is on it, then everybody’s in. 
And it’s important to improve that lexicon and that understanding of literacy around AI before you’re making any decisions around that. And Dan, and we’re watching the clock here. We’re getting into our final ten minutes, which is wild. This has gone by so fast, I thought I was like, oh, we’re not at the time. And now here we are. Dan, I’m wondering because speed comes up a lot and we’ve talked about real time and the importance of speed and obviously on threat detection, that’s imperative these days. Is there a potential risk with speed that would impact the quality of our work? How do we find that balance between moving quickly and moving effectively? You know, I mean, I think I mean, it’s a good question. I don’t know, like I think in the OffSec world, you know, there’s not a lot I mean, there’s the faster you go like you’re it is a proactive mindset. Right. So I think you’d want to be a little more concerned if there was something on the reactive side that you’re missing. You know, if like, you know, if you’re using AI for threat detection and alerting, you’d want to make sure that that’s been tried and true, tested, like that something’s not slipping through or that you’re doing a lot of evaluation there. The same could be true on the off side. And I’ll welcome Tyler’s thoughts here. But I think at a minimum, like being able to know that you’re testing faster through more techniques, more procedures, I think one of the big things that I’m excited about, this, you know, that we’ve seen, you know, continue to trend in the right direction is speaking about it more in the terms of the TTPs, right, and not just like the shiny exploits that are kind of unique or the CVEs, but in addition to that, actually being able to speak to like, hey, here’s how strong we are in detecting and preventing against lateral movement versus privilege escalation. And these are the techniques that we’re really strong at. 
And these are the gaps that we have. I think that is important. And so the faster you can test against those types of things, to me it’s the better. I think there’s always going to be a risk of like, you miss something, right. But at a minimum, if you’re identifying more and can distill that down into ways to prioritize and remediate it, that’s going to be a win regardless. So if you mean quantitative instead of qualitative, now is a good thing. I don’t mean, we’ve always said some of that and some of it’s been hard to do quantification on pentesting. And I believe being able to distill that down to one improvement, you’re quantitatively improving and providing coverage on the things that matter. I think those are really in particularly good things to do. And from an offensive standpoint, we’ve always been kind of yolo’d, right? Like Blue Team, you got to worry about infrastructure, uptime, SLAs, all the things that are hard to do. And the red team’s just like yolo. Let’s just test this and use this and we’re good to go and very little impact. We’ve gotten more responsible, at least the mature people. And the good teams have been very careful about building out plans, understanding executions and POCs and really adopting that. I think the people doing it and using it well have a very, very deep understanding of what the AI is doing, what it is providing for coverage and testing. And then it is then able to quantify all of the things that took a lot more time. So we’re effectively providing a better business case and ROI back to the business of our time and coverage. That coverage has always been a big hard thing for red teams, which is why you usually only left them for mature companies. So, obviously the pentest was a little bit different, but those are things that I think AI is going to shorten the gap just a little bit. We are in our final minutes here, and so I’m going to throw a lightning round question at each one of you. 
And what I would like to do here is I’m going to bring us back to our title. We’re talking about trends and we’re talking about tips. So I’m going to ask you each for one trend that you are excited about or that you will be watching whether you’re happy, excited, or nervous excited in 2025, what is one trend that you think should be on everybody’s radar, and what is one tip? And Tyler, I’m going to ask you to kick us off and Dan, you’re going to be our grand finale. All right, all right. Let’s see. One trend I’m excited about. I really think agentic agents, which is essentially being able to leverage very strategic we’ll say the agent gets a little confusion. I believe agentic agents with AI workflow, and being able to build very complex pipelines of on very specific data that live in different areas and have them do tasks that are otherwise hard to achieve or take a very long development cycle. I believe those are going to be very, very prevalent this year. Agentic agents provide a ton of insight. They provide access to different data. They can feed much more concrete results back to a different LLM, and do multiple rounds of that on different data sets to then get to the most accurate, the most fluid and the best answer for the thing that you’re trying to prompt on, and when you start to build out really complex AI workflows that then do things with that data and those agents, that’s when it starts to get really exciting. You get to do way more things on different types of data. That is very fun. So I think that trend is going to be the big one for 2025. I’m excited to see that. For tips, I would just say spend a little bit of time to follow a couple people, get in the weeds and look at the core foundation of what AI is and how it’s truly working. Begin to get an understanding of the bits and pieces and ways that come up so that you can understand some of the current events, some of the models coming out. 
Why it matters whether DeepSeek did whatever they did with their model and, you know, the guardrails that are in there and how they did those things and what impact that has on you, impact that has on the ability to have a model trained at a lower cost, if that’s actually true. If any of those things are just hype news lines, you know, all the things that you just, you don’t know unless you start to dig in and then you can start to build some reasonable reasoning around that. So I would say spend the time to understand the fundamentals as we usually do. And then you’ll have a much better picture of the smoke and mirrors that happen in the news, and the smoke and mirrors of and lack of understanding of even technical articles and companies trying to make conclusions that are most of the time very inconclusive. So that would probably be my big one for this year. That’s the gold star on both of those, that was great. All right Dan. Yeah. So I think the thing that is the trend that I am excited about and I think is going to continue to see, you know, obviously, you know, we talked a lot about AI and its role in, you know, offensive security. And I think that obviously that’s going to play a big part, continue to play a big part. But I think what excites me strictly from the offensive security aspects are the marriage of using threat intelligence to help prioritize what you’re testing for on a regular basis. And AI is perfect for distilling information and being able to apply it, creating test plans for the things that you should go test. 
And so I think the marriage of using threat intelligence and speaking more intelligently about threat actors and in the role how well you can prevent again protect against these threat actors in your environment is a trend that I’ve been seeing, and I’m excited to see it because I think it continues to help standardize on the nomenclature that we speak around exploits, you know, vulnerabilities, weaknesses in what our true gaps are. And so that’s one thing that I’m really excited about. And I see a trend continuing to help, not only in the identification of these things, but the prioritization of them being able to correlate. Hey, what are the most important things that organizations should be focused on? So the tip that I would have related to that is, continue to become very familiar with MITRE ATT&CK. I think it’s a great framework. It supplies all of the information that you need. You would need to know around knowns like, hey, these are what attackers are doing in the real world. It’s a great data set that you can also use to marry on top of your own models, or just testing out different things, or like being able to ask questions of like, hey, you know, based on our tech stack, how would we go about testing for this specific threat? Right. And what should we prioritize for? So not only becoming, you know, very well versed with MITRE ATT&CK and the different threat actors and TTPs out there, but then also just being able to know, like, hey, start small, start testing it, you know, the best way to be proactive is to start now and test. It doesn’t have to be super comprehensive but get started somewhere similar to like I kind of use the adage of like, the best way to start losing weight is to start today and just do what you can today, and you’ll see the progress as you go along. But don’t get overwhelmed. All the things that you have been doing and just start somewhere else. 
That’s that’s such a that’s the best advice for everything is just taking that first step, just taking that first step. Do something. And Dan, a perfect segue into the slide that I’ve put up on the screen here. That is a great first step. That is a fantastic follow up. You can book a demo, which is obviously the best way to really get into the sandbox and really see how things work. So use that, very fancy, I like your QR code. Use that fancy, handy dandy QR code up on the screen here right now, and make sure you’ve got that. I do also want to say you may have noticed that a survey came up on your screen here, and what we’re doing is asking all of you a little bit about how you enjoyed the webinar and what you got out of it. So please do take a little time to fill that out. That’s very helpful information. We want to make sure that we’re getting you the info that you’re looking for. Right. So let PlexTrac and our team know how that went for you today. Fill out that survey, grab that QR code. Those are great ways to follow up. I, we’re just at time, I mean, we were here. Time just sped by, Dan and Tyler. Before I let you go, I just want to say thank you so much for being here today, for bringing this conversation to life. I think you really, cut through the hype and the buzzwords and given us a lot to think about, a lot to look ahead to in 2025. Dan, any final thoughts or calls to action for the audience out there? Uh no, just really appreciate Tyler taking time out of your busy schedule to do the webinar with us and Jess for coordinating it all. And yeah, I really appreciate everybody’s time. Feel free to check us out on the website. And, we got plenty of other resources, ebooks and things like that that can help you on your journey as well. Awesome love that. Tyler, any final wrap up from you? No, thank you guys, as always. Dan, text me. I’ll be here. Okay. Yeah. You’ve set a very dangerous precedent for that now. Yeah. 
But Tyler, thanks so much for being here with us today. And, and, Dan, it’s been an absolute pleasure. Thank you. All right. I’m going to leave that slide up on the screen here because I want to give you as much time as you can to get to that QR code, make sure that you’ve got those resources. And I, just checking to make sure it looks like everyone’s gotten that survey. I can see that up there. If for some reason it’s not letting you submit, maybe just check and make sure you’ve got an answer to each one of the questions and then try hitting submit. Worst case, that browser refresh should help you out. But we would definitely love to hear from you. So please do get those responses and a reminder to visit the docs tab if you haven’t already. There are such good resources and takeaways. I’m telling you that the docs tab is absolutely chock full of things. So first of all, you’ve got the Plex AI security FAQ sheet. That is a great, quick and easy read. There’s a couple of recordings actually, that I’m going to recommend. There’s like a I think about 30, 40 minute video and then a full webinar. This is on the new artificial intelligence opportunities and threats for offensive security. You’ve got Homework for Hackers, discover cutting edge trends and pentesting and bug bounty hunting. That one is with the wonderful Dan, who we just heard from. So make sure you check that out. If you’re somebody who likes visual learning, those videos are fantastic. If you’re looking for a little bit more of a read, there are two ebooks that I would recommend spending some time with. You’ve got Navigating the Cybersecurity Landscape in 2025, a preview of transformational trends and predictions. Those are very, very cool things. I like all those words. Transformational trends and predictions. And then we also have an e-book on Conversational Continuous Threat Exposure Management and a very cool read.
So make sure you’ve got all of those resources and spend some time with those before you head out today. All right. Well, with that, on behalf of the Actual Tech Media team, I want to once again thank PlexTrac and our wonderful guests for making this webinar possible. A big thank you to Dan and to Tyler. You have both given us so much to think about today. Like I said at the start, we didn’t really know where we were going to go. We had some ideas for what we wanted to cover, and then we just threw all the planning away and dove in, and all of you were a big part of that. So my biggest high five and my biggest gold star is going to all of you here with us today for making that conversation possible, for asking some fantastic questions. We are going to make sure that all the questions that were asked, and I know we did not get to, we barely scratched the surface on the questions, but we are going to make sure that all of those questions get sent to the team. So you will get responses back from PlexTrac and Nvidia. So stay tuned for that and keep those questions coming in. All right. Well I had an absolute blast today with all of you. I’ve learned a ton. My brain is absolutely lit up and sparkling with information. And I hope that you are all feeling the same. I hope that you’ll come back and join me for a webinar again soon. And until then, have an absolutely beautiful end to your day. Thanks all!