Data Security Decoded

Episodi

• Beyond the Doomsday: Operational Resilience, Identity Sprawl, and Back-to-Basics Cyber Defense 23.06.2026 35min

  In this comprehensive roundtable episode, a powerhouse panel of seasoned security professionals—Cynthia Kaiser, Matt Castriotta, Allison Wikoff, John Fokker, Amit Malik, and Joe Hladik—joins host Caleb Tolin to confront the uncomfortable realities facing modern organizations. As digital infrastructure becomes more interconnected, traditional defense playbooks are being constantly challenged by sophisticated automated tactics, complex cloud migrations, and a massive explosion of non-human identities. Across both public and private sectors, the consensus among these experts is clear: maintaining foundational security hygiene is more critical than ever. The episode begins with a deep dive into active threat mitigation, exploring why layered defense strategies and robust identity controls are mandatory components of a resilient architecture. The conversation then seamlessly transitions into cloud environment realities, breaking down the often-misunderstood boundaries of the shared responsibility model. The panel challenges teams to look past surface-level configuration patching and focus intensely on data survivability, business continuity, and systemic recovery planning. Finally, the dialogue shifts to the rapidly evolving frontier of artificial intelligence integration. The guests examine the critical operational differences between simple environmental visibility and context-rich observability. Rejecting sensationalist doomsday narratives, they offer a grounded, realistic blueprint for the future of technological growth. This discussion provides essential high-level insights and tactical takeaways for both technical learners and strategic leaders looking to safeguard their organizations against modern operational risks. What You’ll Learn The Reality of Modern Ransomware: Why today’s cybercriminals act exactly like elite red teams, utilizing native tools to move surreptitiously across networks. Phishing-Resistant Identity Controls: How to implement hard tokens and application-based authentication to eliminate man-in-the-middle vector attacks. The Cloud Backup Blueprint: Practical methods for translating traditional concepts like air-gapping and data immutability directly into hyperscaler environments. Demystifying Shared Responsibility: Why cloud providers guarantee service uptime but leave data security and data care entirely in your hands. Visibility vs. Observability: A clear framework for understanding not just what assets exist on your network, but the active context of what they are executing. Overcoming the "Cyber Red Cross" Syndrome: Why healthcare and critical infrastructure must abandon the assumption that threat actors consider them off-limits. The Human-in-the-Loop Mandate: How to strategically design checkpoint systems that maintain human oversight over rapid AI agent execution.
• The Anatomy of Cloud Ransomware with Matt Castriotta 09.06.2026 28min

  Are your cloud security controls actually protecting your infrastructure, or are they just keeping the lights on? With host Caleb Tolin, Matt Castriotta, Field CTO for Cloud at Rubrik, breaks down the tactical gaps exposed when organizations blindly replicate data center mindsets in public cloud networks. Castriotta charts the history of high-profile incidents from the Colonial Pipeline timeline up through modern adversaries like Scattered Spider and Storm-0501. He highlights how today's attackers move laterally by exploiting over-privileged, non-human identities to trigger malwareless mass deletion rather than relying on on-prem style encryption loops. The discussion pivots into an actionable critique of popular resilience assumptions. Castriotta details why relying on built-in features like S3 versioning and cross-region replication handles business continuity but leaves organizations entirely defenseless against automated cyber assaults. He delivers a precise operational roadmap for defining a "minimum viable business," establishing secure isolated recovery environments, and breaking the 80% ransomware reinfection cycle. This episode serves as an essential strategic guide for any enterprise trying to align the cloud shared responsibility model with predictable, audited return-to-service timelines. Resources ⁠Rubrik Cloud Cyber Resilience Solutions Microsoft Threat Intelligence Report on Storm-0501 Scattered Spider Threat Profile What You’ll Learn How to separate low-probability disaster recovery protocols from high-probability cyber attacks. The architectural threat mechanisms behind malwareless, privilege-driven data destruction. A blueprint for prioritizing operations based on your minimum viable business components. Solutions to tackle non-human credential sprawl and enforce just-in-time domain separation. The hard realities of cloud platform pricing mechanics during major recovery events.
• Running the Inverted Offensive Campaign with Adam Karcher 26.05.2026 35min

  What happens when the adversary’s dwell time is measured in years, but your defense is measured in tickets? Adam Karcher, FBI Supervisory Special Agent, Cyber Division, and a member of the Bureau’s AI Working Group, joins host Caleb Tolin to break down the "convergent evolution" of modern cyber threats. Karcher explains why defenders are often stuck in a cleanup cycle, while threat actors operate in a sophisticated, compartmentalized ecosystem that requires a fundamental shift in defensive strategy. The conversation provides a rare look at how the FBI evaluates agentic AI technology. Karcher warns of the transition from AI that simply answers questions to agents that take independent actions, emphasizing why these systems must remain well-bounded and auditable. He also debunks the "glamorous" myth of cyber investigations, revealing why law enforcement breakthroughs almost always stem from human OPSEC mistakes rather than complex code analysis. Whether you are managing legacy mainframes or securing a modern identity stack, this episode provides a tactical roadmap for treating your security posture as an "inverted offensive campaign." Resources Information Sharing and Analysis Centers (ISACs)⁠ ⁠Local FBI Field Offices What You’ll Learn Match your defensive cadence to the adversary's multi-year campaign dwell time. Prioritize auditable AI use cases to prevent autonomous agents from acting on hallucinations. Focus on "people mistakes" like infrastructure reuse rather than just analyzing malicious code. Secure identity stacks to defend against AI-driven deep fakes and precision phishing. Engage with ISACs and local field offices before a crisis occurs.
• Protecting the Neglected: Measuring County Cyber Risk with Dr. Ido Sivan Sevilla 19.05.2026 26min

  Dr. Ido Sivan Sevilla joins host Caleb Tolin⁠⁠⁠ to break down battlefield stories from a massive analysis of over 3,000 local government entities. Dr. Sivan Sevilla, who serves as an Assistant Professor at the UMD College of Information and holds joint positions at the Hebrew University School of Public Policy & Governance and the School of Computer Science and Engineering, brings a multidisciplinary lens to the alarming reality of risk clusters. Their discussion moves past theory to explore how hundreds of counties share identical IP addresses and third-party service providers, creating centralized points of failure that attackers can identify using data. The dialogue highlights the dual-use nature of modern AI models. While these tools allow adversaries to automate exploit generation for open-source software, Dr. Sivan Sevilla, leveraging his expertise as founder of UMD's Tech Policy Hub, explains how defenders can use AI operations to map their own attack surfaces for free. By utilizing honeypots and large language models, limited-resource organizations can transition from reactive patching to a proactive posture. The episode concludes with a strategic look at identity resilience, advocating for adaptive regulations that learn from compliance data rather than static, outdated legislative mandates. Resources CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog This research was conducted by Dr. Ido Sivan Sevilla, Dr. Charles Harry, and Mr. Mark McDermot, with additional support from student researcher Mr. Parthav Poudel What You’ll Learn How to prioritize the 3% of vulnerabilities that actually result in real-world exploitation. The definition of attack surface diversity versus severity in measuring county level risk. The impact of LLMs on identifying flaws in open source software for attackers and defenders. Why risk clusters create a single point of failure for hundreds of independent county governments. Methods for conducting ethical passive reconnaissance to map organizational security postures from the outside. How adaptive regulations can improve compliance by learning from real-time security data and metrics. The strategic benefit of using honeypots to monitor targeted threats against limited-resource digital infrastructure.
• The Terrorist Designation: A New Red Line for Ransomware with Cynthia Kaiser 05.05.2026 29min

  In this episode, host⁠ ⁠Caleb Tolin⁠⁠ explores the battlefield of enterprise defense, which has moved from simple data theft to ultra heinous crimes that put patient outcomes at risk. Guest⁠ ⁠Cynthia Kaiser⁠⁠ shares Battlefield Stories from her time at the FBI and her current work as SVP of the Ransomware Research Center at⁠ ⁠Halcyon⁠⁠, illustrating how the industrialization of cybercrime has reached a tipping point. They dive into the alarming reality of modern dwell times, specifically looking at how groups like Akira move from initial access to full encryption in as little as one hour. The conversation challenges the industry to face the inconvenient truths of cybercrime and ransomware. Kaiser shares case studies of how modern cybercriminals are adopting multilateral techniques to gain access to and exploit your network. By adopting an Assume Breach mindset, elite defenders can build the defense in depth required to combat malicious threat actors who follow their own rules to cause disruption and destruction. Resources House Homeland Security Committee Testimony: ⁠Online Scams, Crypto Fraud, and Digital Extortion⁠ Halcyon Analysis: ⁠Akira Ransomware Attacks in Under an Hour⁠ Halcyon: ⁠Sicarii Ransomware Encryption Key Handling Defect⁠ Previous Episode Referenced: ⁠Downtime in Healthcare is Fatal: Achieving Resilience in Health & Life Sciences What You’ll Learn Why designating ransomware as terrorism helps influence adversary target selection. The impact of Akira's accelerated dwell time on traditional incident response. How AI enables clumsy amateur "wannabes" to conduct messy attacks. The critical role of phishing resistant MFA in securing the identity perimeter. Why Assume Breach necessitates deep defense in depth strategies. The overestimation of readiness among CISOs compared to actual red team performance Episode Highlights [00:00] - The Case for Designating Ransomware as Terrorism [04:20] - Modern Extortion and the Shortening of Dwell Time [08:30] - Ransomware Recovery in Interconnected Cloud Environments [11:45] - The Impact of AI on the "Wannabe" Attacker [17:45] - Three Actionable Steps for Modern Defenders [21:30] - Inconvenient Truths for Government and Private Sector
• The Three-Layer Strategy for Autonomous Agent Governance with Joe Hladik and Amit Malik 21.04.2026 32min

  The race for AI dominance has created a dangerous imbalance between business velocity and cyber resilience. In this episode, host Caleb Tolin is joined by Joe Hladik, Head of Rubrik Zero Labs, and Staff Security Researcher Amit Malik to break down the findings of their latest report on agentic adoption. The discussion centers on the Agentic Paradox. This is the technical reality that tools designed to automate high-level tasks are inherently built to find the most efficient path around obstacles, including existing security policies. A primary focus is implementing a three-layer framework for AI Operations. This model targets the Tool Layer, where agents interact with databases; the Cognitive Layer, which serves as the LLM brain; and the critical Identity Layer. The conversation explores stories in which agents, without malicious intent, have caused catastrophic data loss simply by following an optimized logic path. These instances prove that agents need not be sentient to be destructive when they lack proper human-in-the-loop checkpoints. Technical hurdles of Identity Resilience are also addressed, specifically the explosion of non-human identities that spin up and down like elastic cloud infrastructure. The episode examines the fear index regarding job security, noting that 92% of leaders fear for their roles post-breach. Joe and Amit join Caleb to explore the evolution of personal liability for CISOs and the urgent need to move from basic visibility to deep observability. This is a forward-looking briefing for leaders who recognize that, in an era of autonomous routines, the human must remain the ultimate command-and-control center. What You’ll Learn Define the agentic paradox to understand why AI efficiency naturally compromises traditional security guardrails. Implement a three-layer framework to secure the tool, cognitive, and identity components of AI. Transition from basic visibility to deep observability to track autonomous decision-making in real time. Mitigate prompt injection risks by auditing the input and output flows of the cognitive layer. Utilize ephemeral containers to sandbox agentic tools and prevent unauthorized database alterations. Manage the elasticity of non-human identities to maintain control over rapidly spinning AI agents. Anchor AI operations with human-in-the-loop checkpoints to ensure integrity during high-stakes executions. Episode Highlights Defining the Agentic Identity and Autonomous Routines Revenue vs. Resilience: The Drivers of AI Urgency The Three-Layer Framework for Agentic Defense Shadow AI and the Rise of Invisible Insider Threats The Context Gap: Why Rolling Back AI Actions is Hard The CISO Fear Index and Personal Liability Post-Breach Visibility vs. Observability in Elastic Identity Environments
• Detecting Adversary Intent: Analyzing Behavioral Tells in Admin Logs with Allison Wikoff 14.04.2026 20min

  Adversaries are already logging into your network using your own admin credentials. In this episode, Caleb Tolin sits down with Allison Wikoff to move past the identity clichés and analyze the specific behavioral signals that separate routine IT maintenance from state-sponsored sabotage. They dissect why resilience is not a flash of genius during a crisis, but a mindset that organizations can adopt to stay ahead of dynamic threat actors. The conversation explores how attackers are increasingly bypassing traditional controls like MFA and leveraging non-human identities such as service accounts, APIs, and AI agents. These identities often operate with persistent access and elevated privileges, making them highly attractive targets. As AI continues to lower the barrier to entry, adversaries are moving faster and blending more effectively into normal activity, making detection significantly more challenging. The episode also examines how ransomware, espionage, and sabotage offer different behavioral tells, with data exfiltration now central across multiple threat types. In parallel, organizations must begin preparing for long-term risks like quantum computing, where encrypted data stolen today could be exposed in the future (i.e., “harvest now, decrypt later”_. Throughout the discussion, practical strategies take center stage. From strengthening identity hygiene and segmentation to improving visibility across users, systems, and third parties, the fundamentals remain critical. The key takeaway is clear. While the threat landscape is evolving, organizations that focus on identity, preparedness, and resilience will be best positioned to reduce risk and recover effectively. What You’ll Learn How attackers bypass MFA and blend in using legitimate credentials Which non-human identities are high-risk targets How threat actors are leveraging AI to lower the barrier to entry for cybercrime The difference between ransomware, espionage, and sabotage intent signals What “harvest now, decrypt later” means for quantum risk The three hygiene practices that still stop most attacks Episode Highlights [00:00:00] The Limits of MFA Why attackers are starting to work around multi-factor authentication [00:02:00] The Explosion of Non-Human Identities Service accounts, APIs, and AI agents as new attack surfaces [00:04:00] AI and the Speed of Threats How AI is accelerating reconnaissance and malware creation [00:05:00] Ransomware vs. Espionage Why data exfiltration is now central to both [00:06:00] Healthcare Under Pressure Why critical sectors face compounded cyber risk [00:08:00] Quantum Threats Explained Understanding “harvest now, decrypt later” [00:11:00] Identity Recovery Challenges Why restoring trust is harder than restoring systems [00:14:00] The 3 Security Fundamentals Identity hygiene, segmentation, and visibility
• Downtime in Healthcare is Fatal: Achieving Resilience in Health & Life Sciences 07.04.2026 25min

  Cybersecurity in healthcare is undergoing a critical shift. What was once viewed as a back-office IT concern is now directly tied to patient safety and clinical outcomes. In this episode of Data Security Decoded, host Caleb Tolin sits down with John Fokker, Vice President of Threat Intelligence Strategy at Trellix, to explore new findings that reveal a significant increase in inpatient mortality rates following cyberattacks on hospitals, reframing cybersecurity as a life-or-death issue. The conversation dives into how attackers infiltrate healthcare environments, often through familiar entry points like email, before moving laterally across interconnected systems. From HVAC units to supply chain logistics, even nonclinical systems can disrupt care delivery when compromised. The discussion highlights how adversaries blend into hospital networks using legitimate tools, making detection increasingly difficult. We also examine the alarming dwell times seen in healthcare environments and what defenders can do to identify subtle anomalies before they escalate. The episode outlines practical strategies, including stronger email defenses, network segmentation, and proactive threat hunting. Finally, we confront two uncomfortable truths: apolitical healthcare and humanitarian organizations remain prime targets, and AI introduces both powerful defenses and new risks. The takeaway is clear. Cyber resilience is not optional. It is essential to maintain trust, ensure continuity, and ultimately save lives. What You’ll Learn Why cyberattacks in healthcare directly impact patient mortality How nonclinical systems can disrupt critical care delivery What long dwell times reveal about attacker behavior How threat actors use legitimate tools to evade detection The most effective ways to reduce healthcare attack surfaces Why email remains the primary entry point for attackers How to reframe cybersecurity as a patient safety priority Episode Highlights 00:00 – A Shocking Statistic A 29 percent increase in mortality reframes cyber risk 02:30 – From IT to Patient Safety Why CISOs now have a stronger voice at the board level 05:10 – The Backdoor Problem Nonclinical systems and third parties as attack vectors 09:00 – Living in the Network Understanding long dwell times and stealthy attackers 13:45 – Spotting the Signals Key behavioral indicators defenders should watch 18:20 – Three Steps to Resilience Email security, segmentation, and attack surface reduction 23:10 – Two Inconvenient Truths AI risk and the myth of healthcare immunity 27:00 – Final Takeaway Cybersecurity as operational resilience
• AI Takes Over RSAC Conference (Now What?) with Dave Bittner. 31.03.2026 16min

  In this RSAC Conference recap, Dave Bittner, Host of The CyberWire Daily, joins Data Security Decoded host Caleb Tolin from the guest seat to unpack the biggest theme dominating the conference: artificial intelligence, and, more specifically, agentic AI. From wall-to-wall AI messaging across San Francisco to in-depth conversations with security leaders and analysts, one thing became clear: the industry has moved past debating whether AI will take hold. It already has. Now, the focus has shifted to making it safe. Dave shares insights from discussions with vendors, researchers, and intelligence professionals, highlighting a growing consensus around the need for strong guardrails, identity controls, and governance frameworks. As organizations begin deploying AI agents capable of acting autonomously, concerns around misuse, manipulation, and “machine-speed” attacks are accelerating. The conversation also explores the rise of “shadow AI,” where employees use AI tools outside official oversight, and why banning these tools may backfire. Instead, organizations must embrace visibility and collaboration to manage risk effectively. Ultimately, this episode captures a pivotal moment for cybersecurity: a transition from experimentation to operational reality. The tools are powerful, the risks are real, and the path forward requires balancing innovation with control while, as Dave puts it, doing everything possible to “limit the blast radius.” What You’ll Learn Why AI adoption in cybersecurity has shifted from optional to inevitable What “agentic AI” means and why it’s a game changer How identity is becoming the core security layer for AI systems Why “machine speed” is forcing defenders to rethink workflows The real risks of AI misuse, including manipulation and prompt injection How “shadow AI” is emerging inside organizations—and why it matters Practical ways companies are thinking about AI guardrails and governance Episode Highlights [00:00] – Role Reversal at RSA Dave steps into the interviewee seat and kicks things off with a lighthearted karaoke discussion. [02:15] – RSA Energy Check Why this year’s conference felt more optimistic despite industry uncertainty. [04:10] – AI Everywhere From billboards to conversations—AI dominates RSA. [06:00] – Agentic AI Arrives Why autonomous AI agents are no longer theoretical. [08:30] – Guardrails & Identity How security leaders are thinking about controlling AI behavior. [11:15] – When AI Goes Wrong A real-world example of AI being manipulated—and what it reveals. [14:00] – Machine-Speed Threats Why defenders must move faster than ever before. [17:30] – The Big Shift AI is inevitable—now the focus is containment. [19:30] – Shadow AI Risk Why employees using AI outside oversight is a growing concern.
• Your Backups Are Talking — Are You Listening? 17.03.2026 17min

  Security teams spend enormous effort chasing the latest threats, yet often overlook one of the most revealing sources of truth already in their environment: backups. In this episode of Data Security Decoded, host Caleb Tolin sits down with Kyle Fiehler, Transformation Analyst at Rubrik Zero Labs, to explore why backup data has become a critical — and largely ignored — form of security telemetry. Kyle explains how secure, immutable backups act as a historical record of attacks that evaded traditional detection tools, capturing digital fingerprints left behind by sophisticated adversaries. From hypervisor-level threats to long-dwell state-backed actors, backups often reveal what endpoint and network tools miss. And attackers know it. As Kyle outlines, ransomware groups like Evil Corp and Storm-0501 deliberately target backups and identity infrastructure to maximize leverage and accelerate payouts. The conversation also challenges how organizations think about recovery and Mean Time to Response (MTTR). Rather than treating MTTR as a single metric, Kyle advocates breaking recovery into phases — scoping compromise, validating clean recovery, and restoring identity — to pinpoint where resilience actually breaks down. The result is a more actionable, operational view of cyber readiness. This episode offers a clear message for security and IT leaders alike: resilience isn’t just about preventing attacks. It’s about using every available signal, drilling recovery before incidents occur, and recognizing that backups are no longer passive insurance — they’re active intelligence. What You’ll Learn Why secure backups function as a record of threats other tools miss How ransomware groups deliberately target backups and identity systems Where organizations commonly fail to extract security value from backup data How to rethink MTTR by breaking recovery into measurable phases Why identity infrastructure is central to modern recovery strategies Three concrete steps to operationalize backup intelligence today Episode Highlights [00:00] Backups as Digital Fingerprints Why immutable backups reveal threats that evade traditional security tools. [04:30] The Telemetry Everyone Ignores How organizations overlook backups as a source of threat intelligence. [07:45] Who Owns Backup Security? The growing shift from IT ownership to security accountability. [10:30] MTTR Is Broken Why recovery metrics fail — and how phased recovery fixes that. [12:45] Threat Actors Targeting Backups How groups like Evil Corp and Storm-0501 maximize leverage. [15:00] Three Actions Security Teams Can Take Today Practical steps to extract real value from backup data.
• AI Moves Fast. Privacy Has to Move Faster. 03.03.2026 25min

  AI promises speed, scale, and efficiency—but it also magnifies privacy risk in ways many organizations aren’t prepared for. In this episode, Caleb Tolin welcomes Ojas Rege of OneTrust for a practical, wide-ranging conversation on how data privacy and governance must evolve alongside enterprise AI adoption. Ojas explains why AI fundamentally changes the privacy conversation: the same systems that enable organizations to move faster can also cause harm faster when guardrails aren’t in place. From agentic AI systems that dynamically repurpose data to general-purpose models that blur traditional notions of “intended use,” the challenge isn’t just compliance—it’s trust. The discussion dives deep into purpose limitation under GDPR and the EU AI Act, clarifying where organizations commonly misunderstand consent and where AI training introduces entirely new risks. Ojas emphasizes a simple but powerful test: are you using personal data for the same purpose you originally received consent for—or has AI quietly expanded that purpose? The conversation then shifts to cloud and data sovereignty, particularly for European organizations navigating geopolitical uncertainty. Ojas outlines why data mapping, prioritization, and software supply chain visibility matter more than ever—and why perfection is less realistic than smart prioritization. Ultimately, this episode reframes governance as an enabler. When privacy and data governance are embedded early, organizations can innovate faster, build lasting trust, and deploy AI with confidence in an increasingly complex global environment. What You’ll Learn Why AI scales privacy risk just as fast as business value How purpose limitation breaks down with general-purpose AI models When AI use requires new consent—and when it doesn’t Why transparency is foundational to long-term customer trust How data sovereignty concerns extend beyond cloud providers Where software supply chains create hidden privacy blind spots How good governance can accelerate, not block, AI deployment Episode Highlights [00:02:00] AI Scales the Good—and the Bad How AI accelerates both innovation and privacy harm. [00:04:00] Purpose Limitation Meets AI Reality Why general-purpose models challenge traditional consent frameworks. [00:06:30] Trust as a Business Risk Why transparency matters as much as legal compliance. [00:07:30] Cloud & Data Sovereignty Explained What European organizations can do today to reduce risk. [00:10:30] The Software Supply Chain Blind Spot Why third parties make sovereignty harder in the AI era. [00:12:30] Data as Economic Power How nations now view citizen data as an AI asset. [00:14:00] Governance That Enables Speed Why governing early helps organizations move faster later.
• The Real Risks of Agentic AI in the Enterprise 17.02.2026 27min

  As enterprises race to adopt AI, many are discovering that traditional security models no longer hold. In this episode of Data Security Decoded, host Caleb Tolin is joined by Camille Stewart-Gloster, CEO of CAS Strategies and former Deputy National Cyber Director, to unpack how AI is redefining cyber risk at every layer of the organization. Camille explains why identity-based attacks are so effective and how non-human identities (from APIs to AI agents) are quietly expanding the attack surface. She emphasized how critical MFA is for organizations to enable as they scale up AI operations., and why conditional access and governance must be foundational, not optional. The conversation also tackles ethical AI head-on. Camille argues that AI ethics and AI security are inseparable, and that removing humans from the loop introduces both legal and operational risk. From shadow AI to agent autonomy, she offers a clear-eyed framework for deploying AI systems that augment human teams rather than replace them. This episode is a practical guide for security leaders and learners navigating AI adoption, focused on resilience, trust, and long-term enterprise readiness. What You’ll Learn Why identity has become the dominant attack surface How AI agents and non-human identities increase risk Where EDR falls short in Identity-driven attacks Why AI ethics is foundational to AI security How governance enables secure AI deployment When AI should augment—not replace—security teams Episode Highlights [00:03:00] Cyber offense and the evolving national strategy [00:07:30] Identity eclipses malware as the primary threat [00:10:00] AI systems as high-value targets [00:12:30] Human judgment vs. automated response [00:14:00] The ethics–security connection [00:15:30] Why AI governance can’t be an afterthought
• When Hacktivists Target Water Utilities: Inside a Russian-Aligned OT Attack 03.02.2026 19min

  Russian-aligned hacktivist groups are increasingly targeting industrial control systems and OT environments—and sometimes it’s shockingly easy. In this episode, Daniel dos Santos, VP of Research at Forescout, walks through how his team used a honeypot to observe an attack against a simulated water treatment facility. We explore attacker motivations, common entry points, and what defenders must prioritize now. What You’ll Learn How honeypots can uncover real-world hacktivist tactics and behaviors Why exposed HMIs remain one of the weakest entry points in OT environments How Telegram has become a primary platform for hacktivist attack claims The evolving motivations behind Russian-aligned hacktivist groups Why visibility across all networked devices is critical to defense How opportunistic attacks differ from targeted nation-state operations Practical steps to avoid becoming “easy prey” for attackers Episode Highlights 00:02:30 – How the Attack Was Discovered Spotting the honeypot activity through Telegram claims00:04:00 – The Entry Point Explained Default credentials and exposed HMIs00:06:45 – Hacktivist Motivation Shift From activism to geopolitics and profit00:10:50 – Why OT Attacks Are Hard to Eradicate Hidden devices and lateral movement 00:14:20 – The Core Defensive Takeaway Don’t ignore opportunistic threats Episode Resources Forescout Research ReportsTelegram (hacktivist communications platform)Canadian Government OT Security Alert Shodan (internet-exposed asset scanning tool)
• How Rubrik Zero Labs Uses LLMs to Analyze Malware at Machine Speed 20.01.2026 24min

  AI is changing how malware is built—and how it’s caught. In this episode, Caleb Tolin is joined by Amit Malik, Staff Security Researcher at Rubrik Zero Labs, to unpack how large language models are transforming malware analysis, enabling defenders to sift through thousands of samples and surface truly novel threats. From Chameleon malware abusing WSL to AI-generated attack code, this conversation explores what real data resilience looks like in an AI-driven threat landscape. What You’ll Learn How LLMs help analysts move from syntax-level review to intent-based malware analysis Why processing thousands of samples daily requires AI-assisted triage and clustering How attackers are abusing WSL and cloud-native environments to evade detection What AI-generated, dynamically delivered malware code means for traditional defenses Where LLMs excel—and where human validation remains essential Why resilience matters more than speed in AI-driven security operations Episode Highlights [00:00] AI-generated malware and shrinking attacker footprints [03:30] Why Rubrik Zero Labs built an LLM-driven malware analysis system [05:45] Scaling from 6,000 samples to 20 worth investigating[07:40] Extracting malware “business logic” before sending code to LLMs [10:05] Chameleon malware abusing Windows Subsystem for Linux [13:00] APT-linked Linux RATs and what sophistication signals intent [15:00] LLM hallucinations and the need for human verification Episode Resources Rubrik Zero Labs Research Reports
• Ransomware, Remote Access, and the OT Reality Check 06.01.2026 27min

  In this episode of Data Security Decoded, Cybersecurity veteran Dawn Cappelli joins host Caleb Tolin to unpack the rapidly evolving threat landscape facing operational technology environments. With decades of experience spanning CERT, Rockwell Automation, and now Dragos, Dawn breaks down how geopolitical conflicts, empowered hacktivists, and ransomware are reshaping OT risk. She shares the five critical ICS controls every organization should prioritize and discusses why community-driven defense models are now essential for resilience. A must-listen for leaders responsible for critical infrastructure, manufacturing, and industrial cybersecurity. What you'll learn: How global conflicts have dissolved previous norms that protected critical infrastructure from cyber retaliation. Why hacktivist groups are becoming more dangerous — and how state actors quietly support them. The five highest-impact ICS security controls and where most organizations fail. Why OT environments remain decades behind IT security — and what leaders must immediately address. How ransomware operators target manufacturing and critical infrastructure for maximum leverage. The risks of insecure remote access and unmanaged third-party connections. How OT-CERT and community defense can uplift organizations with limited resources. Episode Highlights: 00:00 – Opening + Guest Introduction Caleb introduces Dawn and frames her decades of OT and insider threat leadership. 02:00 – Dawn’s Early Journey into OT and Security How nuclear engineering, the CDC bioterrorism portal, and 9/11 sparked her cybersecurity mission. 05:00 – Founding the CERT Insider Threat Center Inside the origin story and its impact on insider risk theory. 07:00 – Moving to Rockwell: The Hidden OT Backdoor Risk Why insider sabotage in OT environments was a turning point in her career. 08:00 – The Geopolitical Shift in OT Threats How Russia–Ukraine changed everything about attacking critical infrastructure. 10:00 – The Rise of State-Aligned Hacktivists Why groups like Cyber Avengers now have real disruption capability. 13:00 – The SANS Five ICS Controls Dawn breaks down the controls that prevent and detect most attacks. 17:00 – Ransomware Trends in OT Why manufacturing is a prime target and how attacks are evolving. 19:00 – The Promise and Peril of Agentic AI in OT Why autonomous agents could cause catastrophic outcomes. 21:00 – OT-CERT: Free Global Resources How Dragos is empowering organizations worldwide with practical support. Episode Resources: Information on OT-CERT: OT-CERT Register for OT-CERT: Register for Dragos OT-CERT | Dragos Information on Community Defense Program: Community Defense Program | Dragos Register for Community Defense Program: Register for Dragos Community Defense Program | Dragos SANS Five ICS Cybersecurity Critical Controls: The Five ICS Cybersecurity Critical Controls
• The Hidden Risk in Your Stack 16.12.2025 27min

  In this episode of Data Security Decoded, host Caleb Tolin sits down with Hayden Smith, CEO of Hunted Labs, as he breaks down how software supply chain attacks really work, why open source dependencies create unseen exposure, and what modern threat actors are doing to exploit trust at scale. Caleb and Hayden dive deep into real-world attacks, emerging TTPs, AI-powered threat hunting, and what organizations must do today to keep pace. Listeners walk away with a clear picture of the problem—and a practical blueprint for reducing supply chain risk. What You’ll Learn  How modern attackers infiltrate open source ecosystems through fake accounts and counterfeit package contributions. Why dependency chains dramatically amplify both exposure and attacker leverage. How to use threat intelligence and threat hunting to proactively evaluate upstream packages before adoption. Where AI-powered code analysis is changing the ability to discover hidden vulnerabilities and suspicious patterns. Why dependency pinning, SBOM discipline, and continuous monitoring now define a strong supply chain posture. Episode Highlights 00:00 — Welcome + Why Software Supply Chain Risk Matters 02:00 — Hayden’s Non-Cyber Passion + Framing Today’s Topic 03:00 — Why Open Source Powers Everything—and Why That Creates Exposure 06:00 — The Real Attack Vector: Contribution as Initial Access 08:00 — Inside the Indonesian “Fake Package” Campaign 10:30 — How to Evaluate Code + Contributor Identity Together 12:00 — Threat Hunting and AI-Enabled Code Interrogation 15:00 — The Challenge of Undisclosed Vulnerabilities in Widely Used Components 16:30 — How Recovery Works When Malware Is Already in Your Stack 19:00 — Continuous Monitoring as the Foundation of Modern Supply Chain Security 22:00 — Pinning, Maintainer Analysis, and Code Interrogation Best Practices 24:00 — Where to Learn More About Hunted Labs Episode Resources Hunted Labs — https://huntedlabs.com Hunted Labs Entercept Hunted Labs “Hunting Ground” research blog Open Source Malware (Paul McCarty)
• Top CISO Priorities and Global Digital Trust with Morgan Adamski 02.12.2025 23min

  Welcome to Data Security Decoded. Join host Caleb Tolin in conversation with Morgan Adamski who leads Cyber, Data, and Tech Risk at PwC and is a former US national security leader who spent 16 years tracking nation-state threats inside the US government. Coming out of a career spent inside secure facilities without windows or phones and working to address China’s prepositioning in US critical infrastructure, Morgan shares a direct view of how geopolitics is now shaping cyber risk decisions in boardrooms. What You'll Learn: Why only 24% invest in proactive defense, even while 60% call cyber a top priority How AI agents are cutting breach timelines to under 80 days Why cyber insurance is now a hygiene scorecard, not just financial protection The real reason leaders lack confidence in resilience Where legacy systems and supply chain dependencies expose blind spots How public–private collaboration changed the response to China’s infrastructure campaign What CISOs must confront now to avoid being blindsided by the next crisis The conversation gives security leaders and decision-makers a clear view of where current strategies fall short and the choices required to build real resilience before the next crisis forces it. Episode Highlights: [03:43] Why China prepositions inside US critical infrastructure to trigger disruption and panic in a crisis [04:20] Collective defense in action: how victims and industry exposed the campaign [09:27] The truth behind cyber budgets: only 24% invest in proactive defense [11:57] How AI agents are shortening breach lifecycles to under 80 days [13:07] Why cyber insurance is now a security scorecard, not a safety net Episode Resources Caleb Tolin on LinkedIn Morgan Adamski on LinkedIn PwC’s 2026 Global Digital Trust Insights report
• Agentic AI and Identity Sprawl 18.11.2025 24min

  In this episode of Data Security Decoded, join host Caleb Tolin as he welcomes back Joe Hladik, Head of Rubrik Zero Labs, to unpack the findings from their new report, Identity Crisis: Understanding & Building Resilience Against Identity-Driven Threats, Joe breaks down how the explosion of non-human identities, from API keys to AI agents, is rewriting the threat landscape and forcing security leaders to rethink the perimeter itself. He explains why identity resilience is the new foundation of cyber defense, how to prioritize recovery when every system matters, and what steps teams can take now to stay ahead of emerging agentic AI-driven attacks. What You'll Learn: Why identity has replaced the network as the modern security perimeter How non-human identities outnumber humans 82 to 1, and what that means for control and monitoring Practical steps to build recovery plans around dependency mapping and minimal viable operations Why ransom payments remain high and how better resilience planning can reverse that trend How threat actors exploit backup systems to gain total business leverage What agentic AI really means for cyber defense and how to prepare for its impact The episode offers a clear framework for leaders to transform identity resilience from a reactive measure into a proactive pillar of enterprise security. Episode Highlights: [05:13] The 82:1 Ratio: Why Non-Human Identities Now Define Risk [07:03] Prioritizing Recovery: Building for Minimal Viable Operations [10:53] Declining Recovery Confidence and the Rise of Ransom Payments [15:46] Backups Under Attack: How Threat Actors Seize Business Control [16:32] Agentic AI and the Shifting Nature of Cyber Threats [25:32] What Defenders Can Do Now to Build Identity Resilience Episode Resources Caleb Tolin on LinkedIn Joe Hladik on LinkedIn Rubrik Zero Labs report, Identity Crisis: Understanding & Building Resilience Against Identity-Driven Threats
• Secure by Design, Secure by Default, Secure by Demand 04.11.2025 26min

  Welcome to Data Security Decoded. Join host Caleb Tolin in conversation with Lauren Zabierek, Senior Vice President for the Future of Digital Security at the Institute for Security and Technology. A former CISA leader and long-time national security professional, Lauren unpacks the principles of Secure by Design, Secure by Default, and Secure by Demand and how these frameworks are reshaping the software supply chain. What You'll Learn: Why security must be a business decision led by executives rather than a technical afterthought How Secure by Design principles inspired more than 300 companies to eliminate entire classes of vulnerabilities The economic incentives that drive insecure software and what must change to realign the market How customers can evaluate vendors and ask the right questions to ensure secure authentication and transparent practices The role of Secure by Demand in helping buyers assess software safety before and after adoption Why initiatives like #ShareTheMicInCyber are essential for expanding diversity and innovation across cybersecurity policy The conversation offers a practical roadmap for executives, CISOs, and technology leaders to integrate secure development practices into business strategy, turning software security from a compliance checkbox into a competitive advantage. Episode Highlights: [08:46] Inside CISA’s Secure by Design Pledge [09:41] The Three Pillars: Secure by Design, Default, and Demand [11:59] Why Security Is an Economic Issue, Not Just Technical [15:41] How Customers Can Drive Change Through Secure by Demand [18:23] The Story and Impact of #ShareTheMicInCyber Quotes: "Security has to be a business decision led by business leaders in the company. It should not be an afterthought. It shouldn't just be left to the security team to sort of try to convince the rest of the company that they should do this. It's the company leadership that should say, this is a priority and therefore orient the different resources and priorities around that particular topic." "Having more secure software is not a technical impossibility. The companies right now are acting rationally in a misaligned market. Secure by Design, at its core, is about shifting those incentives in order to drive a change in behavior." "Software is what economists would refer to as a credence good. It's very hard to assess the quality of a product or a service both before you consume it and after you consume it. We don't have the criteria or benchmarks to fully assess that, and that’s a problem." "We looked at really how to provide guidance, and then we also created the Secure by Design pledge. And at the time when we launched it in 2024 at RSA, we had 68 software companies sign on… And then by the time we left, we had over 300 companies sign on. Now this pledge, you know, it addressed certain things like eliminating entire classes of vulnerability. It talked about enabling multifactor authentication by default across product lines. It talked about a vulnerability disclosure policy. Those are just a few things, but you can see that they're very concrete, measurable actions that lead to better outcomes." Episode Resources Caleb Tolin on LinkedIn Lauren Zabierek on LinkedIn Institute for Security and Technology (IST) Secure by Demand Guide from CISA
• Three Threats Reshaping Financial Services: Identity, Supply Chain, and AI 14.10.2025 27min

  Cyber resilience in financial services is often treated as a checklist of tools and controls, rather than what it truly is: a system of people, intelligence, and collaboration working together. In this episode of ⁠Data Security Decoded⁠, join ⁠Caleb Tolin⁠ as he sits down with ⁠Troy Wells⁠, Intelligence Officer at FS-ISAC and former U.S. Army intelligence officer, to explore how principles like teamwork, trust, and preparation, forged in national security, translate directly into protecting the global financial system. From using fire-safety lessons to explain prevention, detection, and response, to breaking down the difference between AI models and AI agents, Troy shares practical guidance for banks and financial institutions building resilience in the face of evolving threats. What You’ll Learn: Why prevention, detection, and response are strongest when treated as a cycle, not silos How AI models act as “calculators” while AI agents act as “interns,” and what oversight each requires The guardrails that financial institutions should set before deploying AI tools at scale How cloud misconfigurations in even major enterprises reveal the need for security-first design The three threat trends that will shape financial services in the next 12–24 months: identity attacks, supply chain compromises, and AI-enabled adversaries Episode Highlights: [00:22] Troy’s path from Army intelligence officer to FS-ISAC[03:20] Fire-safety lessons: framing prevention, detection, and response in cybersecurity[08:15] The difference between AI models and AI agents, and how to guide each[12:22] Four principles for adopting AI securely in financial institutions[17:00] Cloud misconfigurations and why resilience must be built into architecture[21:39] The top three threats to watch in the next 12–24 months: identity, supply chain, and AI-driven attacks[27:35] Why speed and sophistication make resilience and collaboration essential Episode Resources: Caleb Tolin on LinkedIn Troy Wells on LinkedIn