

Federal Tech Podcast: for innovators, entrepreneurs, and CEOs who want to increase reach and improve brand awareness
John Gilroy
The federal government spends $90 billion on technology every year.
If you are a tech innovator and want to expand your share of the market, this is the podcast for you to find new opportunities for growth.
Every week, Federal Tech Podcast sits down with successful innovators who have solved complex computer system problems for federal agencies. They cover topics like Artificial Intelligence, Zero Trust, and the Hybrid Cloud. You can listen to the technical issues that concern federal agencies to see if your company's capabilities can fit.
The moderator, John Gilroy, is an award-winning lecturer at Georgetown University and has recorded over 1,000 interviews. His interviews are humorous and entertaining despite handling a serious topic.
The podcast answers questions like . . .
How can software companies work with the federal government?
What are federal business opportunities?
Who are the cloud providers who work with the federal government?
Should I partner with a federal technology contractor?
What is a federal reseller?
Connect to John Gilroy on LinkedIn
https://www.linkedin.com/in/john-gilroy/
Want to listen to other episodes?
www.Federaltechpodcast.com
Episodes

Dec 4, 2025 • 22min
Ep. 286 Securing Federal Systems: The Power of Continuous Monitoring
A quick review of malicious activity shows large-scale cyberattacks being run without any human intervention. That means traditional penetration testing, which occurs once a year, can be easily defeated by massive, systematic attacks. During the interview, Snehal Antani, CEO of Horizon3, highlights the importance of continuous autonomous penetration. He suggests that it may be the only response to a non-human automated attack. Horizon3 has recently collaborated with the NSA's Cybersecurity Collaboration Center to develop the Continuous Autonomous Penetration program. He details identifying critical vulnerabilities not only in federal systems, but also in the Defense Industrial Base.

Today's cyber threat landscape is rapidly evolving, with artificial intelligence fueling a new wave of increasingly sophisticated attacks. Malicious actors now leverage AI to automate and scale their operations, resulting in large-scale, highly coordinated cyberattacks requiring little to no human oversight. This surge in automation on the offensive side has exposed a significant gap in the traditional cybersecurity strategies of federal agencies, which still largely rely on manual or scheduled defense mechanisms such as annual penetration testing. These legacy approaches are woefully inadequate against relentless, continuously evolving threats executed by automated tools that probe for weaknesses around the clock. Federal leaders, traditionally cautious about deploying automated systems for cybersecurity, now face a crucial crossroads. The old paradigm—where automation in cyber defense was seen as risky—must be reconsidered in light of real-world evidence that manual processes cannot keep pace with automated adversaries.
In a recent interview, Snehal Antani, CEO of Horizon3, emphasized the critical need for continuous, autonomous penetration testing. He argued that just as attackers use automation to identify and exploit vulnerabilities at scale, defenders must employ similar automation to uncover and remediate those weaknesses swiftly and continuously. To advance this approach, Horizon3 has partnered with the NSA's Cybersecurity Collaboration Center, launching the Continuous Autonomous Penetration program. This initiative aims to proactively identify critical vulnerabilities not just in federal government networks, but also across the Defense Industrial Base. By integrating automated, persistent penetration testing into daily operations, federal agencies can better defend against the nonstop, AI-driven threats now targeting every aspect of their infrastructure.

Dec 2, 2025 • 22min
Ep. 285 Securing the Federal Workplace: Why Enterprise Browsers are the Next Cybersecurity Frontier for Government Software Teams
The good news is that federal security measures are preventing successful attacks; the bad news is that adversaries are examining every nook and cranny of a federal system and increasingly targeting the browser itself as an attack vector. During the interview, Scott "Monty" Montgomery gives a quick overview of Enterprise Browsers and Secure Enterprise Browsers. After all, browsers have been around since 1994. It may be the only application ubiquitous on home-based machines and in enterprise systems. They were not designed for security; they were intended to open the internet to the World Wide Web, full of images, links, and audio. Malicious actors did not have to focus on an app with limited use; by targeting a browser, they have almost unlimited targets to attack. Montgomery mentions the increase in browser-based attacks. In fact, they increased by 198% in the second half of 2023. Scott explains that phishing persists because people are curious or fearful, leading them to click on malicious links. A Secure Enterprise Browser can help prevent many common phishing exploits. Additionally, an SEB can support policies and controls. This means that an SEB fits completely with any current Zero Trust initiatives across all agencies. Beyond that, SEBs can be configured to manage legacy systems and even operate in low-bandwidth environments.
Nov 25, 2025 • 31min
Ep. 284 Automation That Keeps Agencies Running: Continuity Strategies for the Next Federal Shutdown
Every federal agency prepares a backup strategy to protect data. This is a rigorous endeavor in which teams practice what to do in the event of a breach or system failure. However, nobody really has a plan for a temporary federal shutdown. Any political pundit worth his salt knows there will be another federal shutdown sometime in the future. It is reasonable to consider automation to see how it can be used to bridge services during a temporary shutdown. David Grundy is the Public Sector CTO for Tines. He has decades of experience in and outside the federal government. He highlights the challenges of human-centered workflows. For example, just because the staff is reduced does not mean attackers will take the day off. Adversaries work 365 days a year and are immune to political infighting. Based on David Grundy's experience, an agency should start with visibility to know which workflows exist. From there, document processing can be detailed, enabling scaling. During the interview, Grundy shares his experience in a federal agency that had to make digital transitions while complying with federal regulations. He is optimistic that operational resilience can be achieved through initiative-taking by all federal agencies.

Nov 21, 2025 • 38min
Ep. 282 the Hidden Cyber Gaps Threatening America's Digital Infrastructure
A recent report from Microsoft shares that foreign adversaries are increasing attacks on American infrastructure. One variation is that they will not penetrate systems and attack, but they will steal credentials and install code to act in stealth mode. This code can hide for years and be deployed when the antagonist wants. Today, we sat down with Travis Rosiek from Rubrik to try to find some options for defending against this hidden attack. Let us say an agency has improved its resistance to foreign attacks. This is satisfactory progress, but what happens in a situation where the malicious code was planted prior to the increased defense? Further, during the interview, Rosiek states that while companies may be able to leverage AI to improve defense, nation states will be using that same AI to improve attack methods. If malicious code is within the walls of an organization, whether by AI or user error, Rosiek makes the point that a defensive posture may not be enough in today's sophisticated world of attack. He recommends moving from a defensive approach to an initiative-taking threat hunting strategy. Even if Zero Trust and threat hunting fail, the best response is to have immutable backups. For example, if a breach occurs and the system recovers quickly, then the attackers will go after more vulnerable targets. The conversation underscores the urgency for organizations to adapt and innovate to counteract these threats.

Nov 19, 2025 • 22min
Ep. 283 Smarter, Scalable Threat Hunting to Protect Federal Data
The federal government recognizes that threats are multiplying at an exponential level. In fact, in October 2025, CISA released a free vulnerability scanner, and 10,000 organizations have signed up. Today, CISA is at its current capacity. Today, we examine solutions from a successful startup called CrunchAtlas. One of the co-founders, Ben Fabrelle, will share with the audience his experience in threat hunting in the federal government and why he combined with another veteran to form a company that can assist in threat intelligence, data analysis, and automation. During the interview, Fabrelle says that CrunchAtlas likes to attack "wicked" complex problems. One of the most complicated problems the federal government has is identifying threats in a world where the DoD is being attacked by malicious actors every day. Fabrelle suggests that the solution is a persistent cyber-hunt platform. It can search for threats in a wide range of environments. This means it can be deployed on-prem, in the cloud, or in an air-gapped environment. The founders' view is that a platform approach is the best way to scale against these adversaries. One of the key differentiators for CrunchAtlas is its ability to operate in the cloud, on-prem, and even in an air-gapped environment. In fact, their offering's code stack, from design, operates in an air-gapped environment. Automation in this kind of environment will allow for a reduction in false positives, which will, in turn, reduce fatigue and decrease the need for human threat hunters.

Nov 6, 2025 • 19min
Ep. 280 How Zero Trust Automation Helps Federal Agencies do More with Less
Ep. 281 How Zero Trust Automation Helps Federal Agencies do More with Less
As this interview was recorded, the federal government was in the middle of a shutdown. Hundreds of pundits have given interviews about the politics of the situation; very few have looked at the impact on cybersecurity during a phase of workforce reduction. Today, we sat down with Gary Barlet, the Public Sector CTO at Illumio, to see whether Zero Trust can help the federal government bridge this short personnel gap. Barlet begins by giving an overview of Zero Trust and automation. Rather than having human beings vet entry into federal systems, the concept is to use an automated process that reviews credentials and decides on permission. Barlet emphasizes the importance of Zero Trust in automating security tasks and maintaining operational resilience, especially with reduced staff. He continues to mention several other benefits of Zero Trust in a federal environment.
Compliance: A well-thought-out Zero Trust architecture will enable managers to collect data to demonstrate policy enforcement.
Legacy: One can effectively take existing systems and "ring fence" them off. This approach creates hundreds and hundreds of rings of defense.
Design: During the interview, Gary recommends that you have a handle on the real traffic to reduce complexity. That way, when policies change, the rules can adapt to the environment.
Maturity Level: Although CISA has a maturity level for Zero Trust, Barlet distills down some of the requirements for which efforts can be applied to sensitive systems. He suggests focusing on security, not necessarily on a grade.
Additionally, he addresses the challenges of managing complex, hybrid environments and the emergence of shadow AI models, stressing the need for robust policies and controls.

Nov 5, 2025 • 25min
Ep. 281 AI-Powered Application Risk Management
Today, we sat down with Chris Wysopal from Veracode to talk about how to leverage the power of AI to increase productivity in federal systems. It seems like every headline you read talks about AI speeding up the process of writing code. However, there may be mixed messages here. Wysopal read some academic reports that talked about vulnerabilities being introduced in human code as well as AI code. Because this has been a concern for a while, he initiated the Gen AI Code Security report. They examined a wide range of LLMs to get a fair overview. They discovered 45% introduced vulnerabilities. What is even more shocking is that this is similar to the rate from regular, old, garden variety software developers. You can get more details from Veracode's 2025 Gen AI Code Security Report. It details the methodology and notes that, despite improvements in syntax, security remains a concern. When he presented at a recent Billington Cyber Summit, he was deluged with people interested in problems with AI generated code. The overview is: implement a centralized risk management approach to prioritize and address the most critical vulnerabilities.

Nov 4, 2025 • 29min
Ep. 279 Avoiding Agentic AI Pitfalls in Federal Digital Transformation
A recent study from Carnegie Mellon University is titled "AI Agents Fail at Office Tasks Nearly 70% of the Time." Federal agencies are adopting Agentic AI for the efficiency it can deliver. Unfortunately, many do not realize that Agentic AI is prone to operational risks, ranging from technical glitches to legal complications to accidental database deletion. When Agentic AI causes problems at a federal agency, there can be lives at stake. Today, we sat down with Travis Rosiek, Rubrik's Public Sector Chief Technology Officer. During the interview, he explores the federal challenges of implementing Agentic AI, building an Agentic AI inventory, and making Agentic AI visible, auditable, and reversible.
CHALLENGES: Everyone, from a systems administrator to an agency administrator, knows that data must be backed up. However, very few understand that Agentic AI is a collection of agents that can be attacked, just like a database. Rubrik offers the capability to reassure users that Agentic AI can be reversed if malicious actors enter the picture.
STARTING POINT: Most cybersecurity professionals agree that one starts by understanding a system's apps, data, and connections. Five years ago, it was easy; getting a grasp on what Agentic AI connects to is a much more intangible concept. During the interview, Travis Rosiek unpacks Rubrik's history and its unique ability to understand complex systems.
CAREFUL: In a rather shocking statement, Rosiek says one should approach introducing technology with the assumption that it will fail. This is not a pessimistic approach, but a nuanced understanding of how complexities in current systems can lead to unintended consequences. Rosiek advises starting with the end goal in mind, planning for worst-case scenarios, and building trustworthy AI architectures to mitigate risks and ensure reliable operations.

Oct 28, 2025 • 23min
Ep. 277 How Elastic Helps Federal Agencies Navigate Federal Procurement Modernization
Elastic has been around since 2012 and has been gradually gaining traction in the commercial world. In fact, Elastic has recently signed agreements with Nvidia and Google to improve integration with its distributed search analysis. All this assists with AI search and observability. Today, we sat down with Chris Thompson from Elastic to highlight how commercial success can be applied to the federal world. Looking back at his decades of work with federal agencies, he sees one of the problems in acquisition. In a world of rapid change, it is challenging to acquire technology that can keep up with the fast pace of change. During the interview, Thompson discusses a recent strategic agreement developed by Elastic working with the GSA and other companies. This streamlines the process of providing technology to federal professionals. This agreement accomplished several tasks at once:
>> It leverages the GSA's collective buying power. Rather than negotiating separate prices for dozens of agencies, it has substantial discounts with all the major cloud providers.
>> It reduces duplication. We know several federal agencies are facing similar tech challenges. Rather than duplicating requirements gathering and testing before making a purchase, the GSA approach eliminates this duplicative process.
>> With numerous AI tools flooding the market, this agreement enables the accelerated use of these tools.
>> When you have standardized contracts, enhanced security is typically the result.
No contract is perfect, and people who have developed this agreement know it is a living document that can flex and adapt to technical situations as they arise. GSA officials have stated this is an evolving approach, giving it the ability to adapt to innovative technology, new companies, and a rapidly changing cyber threat.

Oct 28, 2025 • 22min
Ep. 278 How to deliver Secure, Compliant, and Scalable Cloud Databases for Federal Missions
MongoDB has spent years earning a formidable reputation in the developer world; today, we will unpack some of its capabilities for project managers and federal leaders so they can understand where MongoDB may fit in their stack. Conventional wisdom is that MongoDB is a flexible open-source database. Although that is true, this does not do justice to some characteristics that will appeal to the federal audience.
ONE: An agency may have restrictions on where the cloud is not suitable for storage. Because of its ability to use flexible, JSON-like documents, MongoDB has listened to those needs and can have storage in many varying regions. In fact, we have seen a movement to move cloud applications back on premises. MongoDB provides flexibility for working in both hybrid and on-premises environments.
TWO: Most readers have studied encryption and think of it primarily as data at rest. Cloud storage transitions have forced a method where data is encrypted during transit. MongoDB can take encrypted data and search while it remains encrypted. Some will describe encryption at rest, in transit, and now, data in use.
THREE: MongoDB has listened to the federal community and is offering something called MongoDB Atlas for Government. It is a secure, fully managed cloud database service for U.S. Government agencies to modernize applications and oversee sensitive data. During the interview, Ben Cephalo revealed the effort MongoDB is making to serve federal agencies that require FedRAMP High capabilities.


