Risky Business - Soap Box: Red teaming AI systems with SpecterOps

Episode Date: March 27, 2026

In this sponsored Soap Box edition of the show, Patrick Gray and James Wilson talk about red teaming AI systems with Russel Van Tuyl, Vice President of Services at elite... penetration testing firm SpecterOps. SpecterOps is the company behind attack path enumeration tool Bloodhound and Bloodhound Enterprise, but they're also a pentest and red teaming shop with world class expertise in popping shells on all sorts of interesting systems in all sorts of interesting places. This episode is also available on YouTube.

Transcript
Starting point is 00:00:03 Hey everyone and welcome to this Soap Box edition of the Risky Business Podcast. My name's Patrick Gray. These Soap Box editions of the show are wholly sponsored and that means everyone you hear in one of them paid to be here. But that's okay because we have excellent taste in sponsors and they generally join us in these Soap Box conversations and say very interesting things. So joining us now is Russel Van Tuyl, who is the VP of Services from SpecterOps. Hello, Russel. Hey, Pat. And James Wilson, our very own James Wilson, is joining us for this one because it's very much in his wheelhouse. James, how's it going? Hey, Pat. Hey, Russel. Great to meet you. So what we're going to talk about today, we're going to be talking about red-teaming AI systems.
Starting point is 00:00:47 And we're going to be talking about what AI systems are doing to the typical enterprise in terms of driving risk, both in the sense that there are all sorts of risky internal systems springing up that are sprouting new identities and new attack paths and all of that stuff, because SpecterOps of course makes Bloodhound, which does the most sophisticated attack path measurement and enumeration. Like if that's something you want to do, you want SpecterOps Bloodhound, excuse me. And we'll also be talking about, you know, how everything is moving at machine speed and machine scale these days and, you know, things are getting a bit crazy. But I thought we'd start off, Russel, by just trying to define what it is that SpecterOps means when you say you do a sort of AI red teaming
Starting point is 00:01:30 engagement. I mean, is this really looking at weaknesses in the models that are being used? Is it looking at, or is it looking more at, sort of the way AI systems that people are using, you know, altogether, like looking at that as a system? Yeah, the fact that the term red team already had a checkered history to begin with of, like, what people agree on what it means, AI red teaming is even worse. You know, when AI first started becoming a thing, everyone said that they're doing AI red teaming. And at the time, when that first started, a lot of what they meant was, like, testing a model for, like, safety, alignment, uh, bias, all that kind of stuff.
Starting point is 00:02:06 Trying to trick a, trick a model into saying something racist, basically, was the very early, early idea with, uh, AI red teaming. Yeah. And, you know, that's definitely needed, uh, for it. But then, you know, the offensive security space started connecting up with, you know, testing AI systems. And I think that definition kind of changed. You mentioned two things. I definitely see it as both. Even OWASP has their, like, OWASP for machine learning and then their OWASP for, like, LLM applications. I believe that most of the organizations that are going to come to us to do some type of test
Starting point is 00:02:36 have, like, a whole system with AI in it and they want us to test that whole system, you know, web apps, databases, skills, all that kind of stuff. Most companies are not creating models themselves. They are just calling OpenAI or calling Anthropic or calling one of those model providers. And there's probably some in between that are actually, like, creating their own models or maybe doing fine tuning on it.
Starting point is 00:02:55 So for me, I like to focus on actually testing, like, the system of systems that has a piece of AI in it at some point, to kind of separate out those two. I looked at some of the adversarial machine learning courses and that's a whole different skill set to try to get into that kind of stuff. A lot of math, a lot of understanding stuff. And look, I still think it's important depending on how deep you want to get with your tradecraft, because there are some attacks you can go with.
Starting point is 00:03:21 But yeah, mostly the AI systems around them, sticking closer to, like, the OWASP Top 10 for LLM applications. Yeah, now you're talking about AI systems, right? And we're talking about the sort of companies that would go and then get SpecterOps to have a look at these sort of systems. So, I mean, I imagine it's a pretty broad spectrum of AI systems that you're looking at. But, I mean, can you give us an idea of what sort of stuff we're talking about here? Yeah, yeah. I think probably the most common thing that I expect people will have implemented or use some version of is a chatbot.
Starting point is 00:03:55 Like that's really one of the more primary interfaces people are getting, which, you know, is just a web application that, you know, takes your input and sends it off to inference to some other provider. Sometimes it has a RAG database connected to it. Sometimes it's connected to other internal systems, all that kind of stuff. So that's probably the most common thing that we see where, like, AI is, like, inside. That's, like, I got to be, I got to be really honest that I'm somewhat disappointed that it's a chatbot, right? Like, because I'm thinking you look at the spectacular blowups we've seen out of AWS from, you know, messing up orchestration and stuff, and I'm expecting it to be really cool, and it's not. It's chatbots. James, you wanted to jump in with a question there. Well, it's all chatbots at the end of the day, but that's not where the question was that I had. I was thinking about, you know, the engagements that you've done in the past
Starting point is 00:04:41 around red teams before it was AI red teaming. Are you now, are you meeting with different teams? Like, is the responsibility for AI being built into these systems? Do enterprises even know where to manage that yet? Where's like who's owning this problem? Yeah, I've seen like a mix of kind of both things and I have a whole rant I like to go on about it. But I've definitely seen the bigger organizations create a whole new AI red team because they're trying to like have a specific belly button they can poke to like do their AI security testing and whatnot. So we've seen organizations stand up.
Starting point is 00:05:15 They have their regular red team and they stand up their own AI red team on top of it. And a lot of times what we're seeing is everyone's still trying to figure it out. I know the AI system's moving so fast. And like basically inside their org, you know, they're trying to use AI as fast as they can. And this new AI Red Team is trying to get connected over to the people that are using it. If they could figure out who's using it and like trying to get all their governance and policies in place too. So I'm still seeing it's developing a lot in organizations right now. Now, I mean, obviously this is a new type of service, right?
Starting point is 00:05:46 You've got a long history in pen testing and red teaming, right? SpecterOps is known as one of the best in the business for that sort of work, right? So when you are now all of a sudden, like, you know, hanging out the shingle saying we do AI pen tests, like, what is involved in sort of upskilling there, I guess, among all of your testers to sort of, to sort of figure this out? Like, is this a completely different type of engagement or is it just pen testing with a slightly new, you know, type of techno... like, how new is this? I would say a little of both, and that's kind of one of the rants I usually like to get on. I, I just consider everything an offensive security assessment, and then the client's going to
Starting point is 00:06:24 give me some technology stack that I need to go look at. And in my opinion, offensive security practitioners have always done the same. You hop into some customer environment that's got these weird technologies you've never seen before. You try to figure them out as fast as you can. You try to figure out how to compromise them or steal identity and move and do that kind of stuff. And when we talk about an AI system, the AI piece is new. But again, all the other systems around it, the identities they're using, the web servers they're running on, the databases they connect to.
Starting point is 00:06:48 Those aren't new; those are the same old things that have been there forever. In fact, a lot of the attack paths that you do see on AI just compromise identities or use other things that are not an AI system for it. But, you know, a lot of it's unique. I would say the prompt injection is probably, like, the biggest unique thing to understand. And then also understanding, you know, the probabilistic versus deterministic nature of just AI in general. Like, you kind of got to wrap your head around that.
Starting point is 00:07:12 There's more nuance to it than that. But that's probably, like, the biggest starting point for getting people to understand it. And then I would say, generally speaking, most people that do, like, offensive security tests want to know everything at its deepest level possible, or at least we do. And so it brings, like, this level of uncertainty when anyone's asked to look at it, like, well, I'm not sure I know this enough kind of stuff. We've definitely undertaken, like, an internal upskilling program to, like, get people to, like, get the knowledge they need to kind of understand it. As you start to get into these AI pentests more and more, I just wonder how often are you going to see truly novel, incredible things that an LLM is doing that's unpredictable versus just almost like a forehead-slapping discovery of, like, you've just undone the last five to ten years of security
Starting point is 00:07:59 controls that were put in place because you bolted this damn model in right next to where all the credentials are. Like, you know, in the space of one week, we had this story of, like, an incredible nation-state-grade exploit kit that came out that blew my mind. And then by the end of the week, it's like, and Google's just jammed an agent into your browser and it can access all your extensions. It's like, what are you seeing? Like, is it novel? Is it exciting? Or is it just like, oh, I can't believe you've actually done it this way? Yeah, yeah. I think kind of the point you're getting to is, like, even with OpenClaw and its thing, like, everyone's so excited about AI. They're moving so fast to do everything. And, like, to get the most value out of AI, they just connect it to literally
Starting point is 00:08:35 everything. And then, you know, just like you said, you undo all these security principles that we spent years learning. And it's like no one cares about them anymore. It's more like, I got to keep up with AI. So I'm just going to put all these things together. I'm not going to care about principle of least privilege. I'm not going to care about separation. I'm not going to care about testing nothing. Just move as fast as you can to say that you're gaining some efficiencies out of AI. Again, a lot of the public reports I see, they're all, most of them are traditional, like, web app vulnerabilities. It's some type of IDOR, some type of injection kind of thing. Like you said, most of the attack primitives are not new on it. The only thing I argue is new is
Starting point is 00:09:12 prompt engineering. And while it is new, to me it's just like social engineering a human, which is also part of red teaming. Models are different than a human in some ways, but in a lot of ways, like, the attacks are just like, how can I get this model to do what I want that it wasn't really planning on doing, which is the same as, like, calling someone on the phone and trying to get them to give you their password. Like, what things do I need to say to get you to do what I want? Well, and it's funny too, because they are non-deterministic, you can ask them the same thing twice and get a different result, right? And I've experienced this trying to get Gemini to do stuff that's, like, kind of outside the boundaries of the model safety or whatever, you know,
Starting point is 00:09:45 generating embarrassing pictures of politicians or whatever it is. And, you know, sometimes you've got, you've got ways of tricking it into doing what you want and it works. And other days, it just doesn't feel like it, right? And that's, that's the, but I mean, people are like that too, right? Mm-hmm. Yeah, sure. Yeah. You know, you can make 10 phone calls and, you know, nine of them don't work. The people are just like, nope, they hang up on you straight away. And, you know, maybe that 10th time, finally you convince someone, or maybe you called that person earlier and you get someone else from your team to call them another day or so. That's the way that it works out.
Starting point is 00:10:15 One point you mentioned there about the non-deterministic part, that's another interesting part when it comes to doing the testing of any of these types of systems is because they're nondeterministic, you really have to log your inputs and outputs and you need to try every prompt injection type attack multiple times. A lot of times, like when a report, when you give a client, you give them the steps to reproduce the vulnerability or reproduce the thing. Like when it comes to prompt injection, you can't just like, this is the prompt I send you'll also get the same response because you won't.
Starting point is 00:10:41 Yeah, yeah, no, that's funny. Now, look, staying kind of, I mean, this kind of connects to the OpenClaw thing that you just sort of mentioned as well. And it connects pretty nicely to SpecterOps as well because, you know, you make Bloodhound, you're the attack path experts. You know, it seems like the identities
Starting point is 00:10:59 that are being used by agents. There's a lot of identities being used by agents. Every time someone puts in an agent, there's one and sometimes multiple identities, used by that agent to perform various tasks. It's like, what if, you know, instead of trying to minimize the number of service accounts in our organization,
Starting point is 00:11:18 we just tried to maximize it instead. I mean, it feels a little bit like that. You know, the AI age feels like, my God, machine-to-machine accounts are just exploding. Is that just, you know, is that an accurate perception? Because it seems like that's the logical place this is going to go,
Starting point is 00:11:36 which is just, yeah, like a gazillion machine-to-machine identities in most organizations eventually. Yeah, definitely seen a lot of explosion, like you mentioned. I think some of the public reports report anywhere from 82 to 96 non-human identities to human identities and org. I think AI is definitely exacerbating that. But I also think, you know, when SaaS started becoming super popular years ago, I think a lot of those non-human identities come from just SaaS applications to begin with.
Starting point is 00:12:04 But, you know, what's an AI chatbot if it's not connected to anything and you can't do anything with it? At a base level, you're at least going to have the token to talk to the model, so you could probably steal that. But again, if it's not connected to other things, how useful is it going to be to you? Well, this is why some of the OpenClaw security advice that you see around on social media is so funny, is because everybody's like, yeah, I put it in a VM, so it's totally fine.
Starting point is 00:12:28 But then they give it its credit card, the credit card number and, like, all of the cookies out of their web browser, and you just think, yeah, that's not, that's not how this works, guys. Yep. Yeah. I've been playing around with OpenClaw myself and it is in a VM, but I do not give it the ability to get to anything. Right now it just has my inference key to do that kind of stuff. I'm really scared about that, like you said. You start giving it your identities and they can start maybe exchanging them for other things or accessing things you didn't know about. Plus, you know, you got the prompt injection part where, you know, you let it read your email because you want it to just help you read your email. And then, like, someone just sends an email to you with a prompt injection
Starting point is 00:13:05 and then off you go. So definitely a problem with any type of AI agent system. Consumers want it to be useful for them, so that's why they're connecting everything to it. It scares me. It's not the exact same parallel, but one way, way back when you used to be able to compromise, like an RDP server or any Windows server
Starting point is 00:13:23 and all the credentials that were ever there, you could kind of pull out of memory. And this kind of reminds me of that. Like, if you compromise, like, an OpenClaw system, you can get a whole truckload of credentials you can do all kinds of stuff with. And yeah, look, this is one thing that's been on my mind is that I think so much of what we're seeing in AI at the moment, especially that case you just mentioned, where it's like the OpenClaw is not useful if you deploy it in the way that everyone's telling you to do it, right? If you locked it away in a VM with no credentials, that gets real boring, real fast.
Starting point is 00:13:54 But the moment you give it any credential, I think you've got to make an assumption that that credential will (a) be leaked and (b) be used to move laterally in directions you hadn't imagined, which is where I think things that are already out there in this cybersecurity space become just far more important than they already are. And Pat mentioned Bloodhound there, and that's sort of that attack path enumeration or that lateral enumeration. I'm just curious as to how you guys are thinking about this in terms of, is it the same product doing the same thing, but it's now just even more important?
Starting point is 00:14:26 Or are there ways in which you need to start thinking about extending that product set to be, I hate to say it, but AI native, and almost, like, follow this LLM's relentless desire to just get something done regardless of the friction? You know, one of the things that's still the same in offensive security, to match the question you're asking me, is, like, as an offensive security practitioner, you compromise an identity, you see what access it has and you keep doing that credential shuffle over and over again until you get the access that you're trying to go to. Obviously, a lot of the products that we have and a lot of pen testers are used to, Active
Starting point is 00:15:01 Directory and Entra, those are probably the primary two that everyone's, like, super familiar with. But definitely the attack paths on assessments we've been doing, I've been crossing multiple technology stacks just like you're seeing in the public reporting. You get from GitHub to AWS to something else to something else to something else. And we've definitely been doing that. Not necessarily to shill a product, but, like, the OpenGraph extension that we have allows you to map an identity across any technology stack and you can kind of define it.
Starting point is 00:15:27 So I think we're kind of positioned well to kind of handle that as is. So it's still thinking about the same. It's looking at the identity attack paths through all your technology stacks instead of just Active Directory or Entra, to find, you know, where people are going to move. And that just matches the tradecraft we're actually doing on assessments as well. Well, it's funny, it's funny too what you said there, James, because, you know, AI making all of the existing controls kind of more important. It's true, but it's two-fold, right?
Starting point is 00:15:57 Because it's not just enterprise use of AI internally that makes all of the fundamentals more important, like watching your identities, monitoring identities, looking at attack paths, things like that. But it's also adversaries now using AI to scale out, which just means, like, a conversation, I've mentioned it a couple of times, a conversation with Toni de la Fuente from Prowler,
Starting point is 00:16:17 which is the open source cloud security scanner, like Claude uses Prowler to scan things for you if you want it to, right? So now that that's so easy to do, you need to find that stuff before anybody else does. Like, you just have to be better now, both because, both on the internal, because of internal reasons and internal use of AI, and external attackers being able to be like, well, just go out there and continuously scan the entire internet with, or this whole chunk of the internet, with Prowler until something pops. And then,
Starting point is 00:16:46 you know, and then off we go. So, you know, I know a lot of vendors who are having that, that conversation, like, you know, some of the, some of the vendors like, uh, um, Airlock Digital, who do allow listing of, you know, executable code and host hardening and stuff, and Knocknoc, who do allow listing of network connections. And the pitch really has become, well, you kind of need to go much more into this default deny stuff because, like, there's so much more happening inside and outside that you just really got to get on top of this. Does that vibe with your understanding, Russel? Yeah, it definitely does. The deny by default kind of policy, it's like, uh, like you described, everything moves so fast. And unless you can keep up with that,
Starting point is 00:17:26 how fast that is, you're safer by, you know, secure by default mindset, instead of permissive by default mindset. There's a big buzzword going around the industry that I try not to use, but it seems pretty fitting. It talks about, you know, things move at machine speed, which is what you see with, like, the adversaries are using, you know, they can just go through a whole exploit chain, you know, an hour or two kind of thing. And obviously that leaves defenders wondering the same thing,
Starting point is 00:17:50 like, how can I find all these and block them all, you know, in the same two hours? But it's hard to keep up with because the deployment of people using this stuff and putting it out there is happening so fast again. Again, I'd argue that, like, most organizations at least understand the idea that you should have things go through security review before you deploy it, but I wonder if that's actually happening because of how fast everyone is trying to move in this space. Well, and that's another notch in the internal drive to make everything, you know, faster. It's not just machine speed. It's machine scale as well, right? Right. Yeah. Like, that's the thing that boggles my mind about this is it's not just that everything's going faster. It's that everything's going faster and there's heaps more of it. Right. Like, holy moly. Like, you know, we thought we were dealing with a fire hose before and now it's just, you know, wow. Yeah. I mean, it's exhausting to just keep up with the news as it is. Uh, like, what's trending. You're telling me, pal. I bet. It's so hard to keep up with. Yeah. I think that's where, like, a lot of executives are finding themselves too. They're like, how do I even keep up with this, like, AI stuff
Starting point is 00:18:54 going on in my environment as well? Now, just to bring a few threads together here, right? So one of the things that you noted that you wanted to talk about were a few of these publicly discussed AI-adjacent breaches and how they played out and how they interacted with the attack paths and things like that. So one of them was the Salesloft Drift breach. Yep. I'd love to get your view on that because, like, at the time, it wasn't, like,
Starting point is 00:19:23 super clear exactly how that happened and exactly what everything meant. You know, I think by the time it was clear it, it had sort of dropped off the news agenda a little bit. But walk us through your view of that whole thing, start to end. Yeah. Kind of one of the main reasons I brought up that point is like most of the attack path was like, again, using tried and true tactics that we're going through. Like it didn't actually start with like an AI system if I remember correctly.
Starting point is 00:19:51 I believe it started with someone compromising GitHub and adding a user account to a thing, and then somehow they got some credentials out from AWS, and then once they got in their AWS environment, they got the OAuth tokens to talk to everybody's Salesforce instance, and then they just started pulling out more and more creds. Salesloft Drift made, like, an AI chatbot for Salesforce, right? So you could do, like, certain customer service tasks, you could just get the AI chatbot to do that.
Starting point is 00:20:16 But it is a great example of where, well, this chatbot, it obviously needed access and it did it through OAuth, and if those tokens went walkies, well, you know, it's a bad time. Yep, yep, that was the thing they stole. So I forgot to mention that, like, when they got into the AWS environment, they stole the OAuth token for the chatbot that people use to talk to Salesforce, and then from there they just pulled out exponentially more sensitive data out of people's environments. Uh, again, one of the reasons I brought it up is, like, it's all traditional tradecraft on stealing identity: what do I have access to, pivot to the next thing until you get to your objective, whatever it is you're trying to accomplish on that one. Another interesting attack is the, the Cline injection incident.
Starting point is 00:20:54 They also, kind of, that one actually did start from an indirect prompt injection. It came from, like, a GitHub issue, and they had an Anthropic worker, I believe it was, in their GitHub account that just read the issue title, I think it was. And they used that to inject some actions and to post-install. But the attack got a little bit more technically complicated. Well, hang on, hang on. I'm going to ask you to just roll back there a second because I don't know what Cline injection actually is. What is Cline injection? Sorry, Cline is one of those IDEs that people use to do, like, AI coding type stuff and they push out a package. It kind of looks a little bit like VS Code.
Starting point is 00:21:28 And so a lot of people are using it as what I would get out for that. I tried it out myself for a little bit as well. It was nifty and nice to use. One of the cool features is it has, like, a distinct plan mode button and an action mode button. So you can kind of separate it out. But the point for the Cline injection is it's software that a lot of developers are using, and someone compromised their repository and was able to push out malicious versions of that client to people. And what did those versions do?
Starting point is 00:21:53 I think at the beginning they had just published some, like, post-install scripts for it. And I know later on then the attack path they published it. So that way it just installed
Starting point is 00:22:05 OpenClaw on an instance. And I think the public reporting of, like, why somebody would do that wasn't really clear. I think the theory was OpenClaw's known to have a lot of vulnerabilities in it. So that would just create an attacker ability to just have C2
Starting point is 00:22:18 through OpenClaw, basically. I love that as, like, the, it's almost like, you know, that meme of, like, step one, build an exploit, step two, question mark, step three, profit. It's like they just skipped straight to, what are we going to do with this? I don't know. Should we just dump OpenClaw in there?
Starting point is 00:22:35 Yes, do that. Then we'll work it all out later. It's just wild that there's like an agent that can be the end of the chain of this when you're not quite sure what you're going to do, but you'd love something that's going to be like super obedient, sitting there on their end user's machine that you can absolutely own to any point in time. Crazy. Yeah, I know. It was definitely an interesting one.
Starting point is 00:22:53 I was curious, just like asking myself was like, was this like maybe a white hat person that just saw an opportunity to like test out their skills or was an actual like real adversary trying to accomplish something? And that's just where they went. Maybe they had more goals or something after. I'm not sure it was interesting though. Yeah. Now, one other thing that we want to talk about today is AI in the browser,
Starting point is 00:23:17 which, I'm going to be honest, like, I don't use an AI browser, and I think using an AI browser seems like a pretty bad idea. Yes. And I know that this is going to age me out, right? Like, real quick, because this is what everybody is doing. But when you've got non-deterministic models, and you've even got OpenAI saying prompt injection is never really going to be a solved problem. And, you know, these things inherently mix code and data.
Starting point is 00:23:45 Like, it is never going to be a solved problem. It just, you know, it just doesn't feel, it does not spark joy, the idea of using an AI browser. But what are the enterprise security implications? And what are the implications for you as someone who runs, you know, a red teaming practice, of people using AI browsers? Well, even if it's not an AI browser, the browser is one of our favorite things to attack to begin with, because what does the browser have in it? All your post-MFA authentication credentials. So a very common technique that we'll use is either dump your cookies from your browser or stand up maybe Chrome on, like, a dev port and pull your cookies over to our session so we can start using them. So the AI part definitely adds something unique to it, but browsers are already a gold mine to begin with, which is why I also don't use an AI browser for that same reason.
Starting point is 00:24:36 All the identities, everything past MFA is in there for you, just grab, scoop up, and use. If we were starting to test actual people that were using AI browsers, we also have now a natural language way to try to accomplish some of our tasks of compromise, or if we want to get the user to do other, other kind of stuff. So that makes it real interesting. And in the target of, I think AI browsers are popular because what do most people know how to use very easily? It's the browser. It's like, if I was selling the stuff, it feels like that's a good way to get it in front of consumers. You know, you can do everything through the browser. So maybe that's the appeal of it. But the security risk to me is huge. Yeah. Yeah, me too.
Starting point is 00:25:16 So, and I'm glad, thank you for validating my thinking there and for being another rapidly aging person. That's me. Who's, yeah, basically, Grandpa, why do you still use, yeah, why do you still use a browser that you have to type in? I think that is going to be the situation sooner than we would like to, sooner than we'd like to think. So, look, we've talked about how we've got an explosion of identities. We've got agents crawling around often without appropriate controls on them. We've talked about how things are now moving at machine speed and machine scale. You know, we touched briefly on how, like, least privileged access is going to be important.
Starting point is 00:25:57 And I do think it's really funny that, like, the oldest school control is, like, allow listing of some kind. Like, it is the most low-tech thing, and it seems like people are taking a real fresh look at that approach because of AI, which is crazy. But what are some of the other ideas that you would like to put out there in front of the typical enterprise in terms of like how we deal with both the sort of internal
Starting point is 00:26:25 the internal risk from people attacking the systems, the AI systems that we use internally, and also just the general elevation of risk from attackers using AI systems to orchestrate attacks? Like, what's the advice, like, from SpecterOps on what
Starting point is 00:26:41 companies should be doing to sort of deal with 2026, with all this, you know? Yeah, there's a lot there to get through. I mean, fundamentally it's still the same. Like, identity attack path management is still the thing I'm going to stand on, no matter what system or technology you're using. But again, obviously AI kind of explodes that. Well, and I'm guessing, I'm guessing too that that makes for some interesting interpretations of, like, of, um, Bloodhound scans, right? Like, Bloodhound activity, when you're like, well, this chatbot, you know, you can actually create an attack path from its credential to full domain compromise, like, or to GitHub or whatever. Like, that's going to be the sort of new contemporary, like, alarming finding, right?
Starting point is 00:27:22 Yeah, I don't, I was trying to see if I wanted to challenge, like, alarming or not. We use those attack paths pretty frequently on, like, regular, like, red team assessments. I would say it's a newer capability in Bloodhound to be able to visualize those cross-technology stacks, or hybrid. You know, we first had Active Directory, then we added Entra, and then we called the ability to pivot between the two hybrid attack paths, but we've already been executing those kinds of attack paths across technology stacks from, you know, AD to Entra to AWS to GitHub, like, across them all kind of thing. I think that
Starting point is 00:27:52 complexity definitely makes them. HD Moore has done some really cool work in that space as well, like just taking OpenGraph and just running with it, right? It is extremely cool, but I'm guessing, I mean, I guess my question was really like, you know, now you've got OpenGraph and you're doing red teams involving AI systems. I'm guessing there have been a few moments where you're like, that credential that AI chatbot is using should not be able to have this path, right? Yeah, definitely. A more interesting thing about trying to do that is you see these technology stacks.
Starting point is 00:28:20 You might not know all your edges, because your traditional Active Directory, Entra stuff is more like, I know how this all works. And so a lot of it, you get this weird technology stack you've not seen before and you have to kind of enumerate, like, well, what can I do with this kind of thing? And that's when you ultimately end up running across, like, oh, I didn't know it could do that, but that's really cool it can, because it's very useful to me. So I'm going down that path. So, I mean, I sort of derailed you there with just drilling down into attack path management,
Starting point is 00:28:46 but, like, what's some other sort of more high-level generic advice that you would give the average CISO on, like, what they really need to be doing to deal with, again, all this? Yeah, I mean, it's really just understand the identities and what they have access to, which I know is not, like, super high tech or anything. And it's a lot to ask for it. Like, really just, like, figure that out, because, again, everything's moving really fast. But a lot of the principles, again, are still the same, you know, with the principle of least privilege, all that kind of stuff. Even the Clinejection attack,
Starting point is 00:29:14 like, one of the things that they did was they gave the AI the ability to execute arbitrary code in the environment. Like, again, that's probably not something that you'd want to be doing in your systems as you implement them and roll them out. Yeah, I think my favorite AI security incident so far was the mid-level guy at the Ministry of State Security in China who was using ChatGPT to summarize, like, classified reports, which was, yeah, that was, you know, 10 out of 10. Awesome. It's a funny old world. Russel Van Tuyl, thank you so much for joining us to have this conversation all about AI and red teaming and what's changing. And I guess really what's not changing, you know, it's all the same stuff, but more and faster. So yeah, cheers. Great to chat to you. Same. Thanks to both.
Starting point is 00:30:01 Yeah, thanks, Pat. Thanks, thanks, Russell. That was a great chat.