Chasing Entropy Podcast by 1Password

Dave Lewis, 1Password
Oct 8, 2025 • 35min

Chasing Entropy Podcast 025: “Agents, the Legacy Web, and Logins that Don’t Leak” with Paul Klein IV

In this episode of Chasing Entropy Podcast, I spoke with Paul Klein about the emerging “agentic web”, where AI agents perform real-world digital tasks on our behalf. Paul shares how Browserbase builds secure infrastructure for these agents to interact with websites safely, and how new integrations with 1Password’s Agentic Autofill enable secure, human-approved credential use without exposing secrets to AI models. Together, they explore how this evolution of automation can make the web more useful, while keeping it secure, observable, and aligned with human intent.

Key takeaways

1. The rise of the “agentic web”
The internet still runs on legacy systems with no APIs—think DMV forms and government portals.
Browserbase enables AI agents to safely automate tasks on these sites using headless browsers (full browsers without a GUI).
These agents can perform structured, repetitive workflows—like procurement, compliance checks, or data lookups—without human micromanagement.

2. Automation that works like an intern
AI isn’t magic; it needs structure.
Klein compares AI agents to interns: they’re capable but need clear instructions, context, and defined steps.
Repetitive “SOP-style” tasks are ideal; vague one-line prompts aren’t.

3. Stagehand & Director: Building automation for everyone
Stagehand (open-source) allows natural-language automation using “fuzzy selectors” like “click the login button”, instead of brittle scripts.
Director lets anyone prompt AI to build web workflows, see the generated code in real time, and reuse it in production environments.

4. Guardrails: Observability before autonomy
Browserbase includes live session replay—you can literally watch what your AI agent is doing in a headless browser.
Observability ensures safety and accountability; cached workflows reduce dependency on LLMs over time.
Governance best practice: treat AI tool use as remote code execution—sandbox it, restrict tool access, and monitor every action.

5. Secure authentication for agents
1Password Agentic Autofill now works in Director, allowing agents to securely log in with stored credentials.
The human stays in the loop: every login request is approved (or denied) in real time.
Passwords are never shared with the model; 1Password fills them directly into the browser.

The pragmatic future of AI automation
Paul sees agentic browsing not as a replacement for humans, but as a relief valve for digital drudgery. AI can handle the tedious work (checking orders, renewing passports, filling government forms) so humans can focus on creative and strategic thinking. “We’ve automated the equivalent of a couple thousand human lifetimes of browsing,” Klein notes. “That’s time people get back.”

For CISOs and security leaders
Paul’s advice:
Treat AI agents like RCE: Lock down execution environments, sandbox them, and validate every dependency.
Constrain tool access: Only approved connectors or MCPs should be callable.
Start with observability: Log every action and enable real-time oversight before allowing automation to run at scale.

Memorable quote
“AI is your intern. Give it the shopping list and the steps.” ~ Paul Klein

Listen to this episode of Chasing Entropy wherever you get your podcasts: no hype, no FUD, just the humans behind the next wave of cybersecurity and AI automation.
Also on YouTube: https://www.youtube.com/watch?v=o4tgJz_4WcM
Oct 7, 2025 • 40min

Chasing Entropy Podcast 024: Dhillon of Hack in the Box on Conferences, Chaos, and the Future of Security

In this episode of Chasing Entropy, I sit down with Dhillon Kannabhiran, the founder of the long-running Hack in the Box (HITB) Security Conference, to explore the origins, evolution, and impact of one of the world’s most influential hacker gatherings.

From Kuala Lumpur to Global Stages
Dhillon shares the unlikely beginnings of HITB in Malaysia, which started as a scrappy, accessible alternative to high-cost events like Black Hat. Against all odds, and skepticism that “nobody would come to Malaysia”, HITB attracted global speakers and quickly became a fixture in Asia, the Middle East, and Europe. Along the way came wild stories of last-minute chaos, cultural exchanges, and the conference’s deliberate focus on building community through face-to-face connections.

Curating Talks and Building Community
The conversation dives into how talks are chosen, balancing technical depth with accessibility, and ensuring new voices get a platform. Dhillon emphasizes that HITB isn’t just about the talks you can rewatch later; it’s about hallway conversations, TCP/IP networking sessions, and serendipitous encounters that spark startups, collaborations, and lifelong friendships.

Security Lessons (and Non-Lessons)
Looking back at two decades of research presented at HITB, Dhillon is candid: many of the same problems persist, only shifted into new technologies. From classic exploits to today’s “vibe coding” and AI-assisted development, human error and misunderstanding remain the root causes of vulnerabilities. Still, this constant reinvention ensures hackers, and defenders, will never run out of work.

AI, Translation, and the Future of Conferences
The discussion expands to how AI is reshaping both hacking and events. From bug-hunting orchestration with AI agents to real-time language translation devices, the tools are changing fast. Dhillon warns of risks like AI-generated deepfakes but also highlights opportunities for accessibility, inclusivity, and global collaboration.

Words to Hack By
Dhillon closes with advice for hackers and builders alike: “Try stuff out. Don’t hold back. Don’t think there’s going to be a tomorrow. Do whatever you can today. Keep hacking, bro.”
Sep 30, 2025 • 36min

Chasing Entropy Podcast 23: Cybersecurity Meets M&A with Cole Grolmus

Cole Grolmus, founder of Strategy of Security, discusses the intricate relationship between cybersecurity and mergers & acquisitions. He shares insights from his journey from sysadmin to industry analyst, stressing that security concerns rarely derail deals but can greatly influence budgets and integration strategies. The conversation also touches on the challenges of integrating AI in M&A, highlighting the need for forward-looking plans. Grolmus offers practical advice for CISOs to effectively navigate these complexities and manage risks.
Sep 23, 2025 • 37min

Chasing Entropy Podcast 022: Michael Farnum on building security communities & navigating agentic AI

From a tank driver in the Gulf War to the founder of one of the U.S.’s largest regional cybersecurity conferences, Michael Farnum’s journey is a study in discipline, community, and curiosity. He shares how early exposure to cryptography, BASIC programming pranks, and first encounters with firewalls led him into security.

We dive into how Farnum built the Houston Security Conference (HOU.SEC.CON) from 120 attendees in 2010 into a 3,000-person international event. He also discusses the rapid rise of agentic AI, what excites him, and the risks of unauthenticated MCP servers, shaky credential governance, and invisible AI triggers. Despite looming challenges, Farnum is optimistic that security conversations are starting earlier this time around.

He closes with timeless advice: don’t be overly cautious, advocate for your value, and take the smart risks you might otherwise pass up.

Key Takeaways
Military lessons: Encryption mishaps in the Gulf War taught discipline, planning, and after-action reviews that later informed his cybersecurity mindset.
The hook into security: First exposure to a Unix firewall showing live traffic convinced him this was the path to follow.
Community builder: Founded HOU.SEC.CON to unite a fragmented Houston infosec scene; it has since grown into a national/international draw with thousands of attendees.
AI & agentic AI: Rising volume of submissions at security conferences; risks include unauthenticated MCP endpoints, hidden triggers, and weak credential governance.
CISO struggles:
Data security remains the #1 challenge—knowing what you have, where it is, and who can access it.
Application security continues to lag despite new tools.
Modern infrastructure & APIs can help if applied well.
AI-driven SOCs are already shifting MDR/MSSP models, often without customers realizing.
Career advice: Be less cautious and ask for what you’re worth, take smart risks, and don’t undersell yourself.
Sep 16, 2025 • 40min

Chasing Entropy Podcast 021: Cybersecurity in M&A with Brian Levine

This week I got to sit down with Brian Levine, a cybersecurity consultant and former U.S. DOJ cybercrime prosecutor, to unpack how security risks shape mergers, acquisitions, divestitures, and investments. We cover what really moves deal price and structure, why early cyber due diligence matters, and how to protect “Day 1” operations without blowing up the integration plan.

Brian Levine: cybersecurity consultant; former DOJ national coordinator for cybercrime prosecutors; founder of FormerGov, a directory connecting former government and military professionals with employers and recruiters.

Key takeaways
Incidents move deals. Known or newly discovered breaches often pause negotiations, change terms, and drive down price—even if they don’t kill the deal.
Do diligence in three passes:
Inside-out (docs, policies, IR records, pen tests, insurance);
Outside-in (OSINT, dark-web intel);
Technical testing (when permitted pre-sign/close).
Start early. The earlier you assess cyber risk, the more leverage you have to shape price, integration plans, and pre-close remediation.
MFA, IAM, backups = table stakes. Missing basics can invalidate cyber-insurance claims and should be fixed before announcement to avoid “signal flare” attacks.
Cloud reality check. Many targets lack visibility into their cloud posture; prioritize third-party assessments and guardrails that protect PII, IP, and operations.
Vendor blast radius matters. Mature third-party risk management includes annual reassessments, contractual obligations, insurance checks, and vendor-involved tabletops, plus contingency (“backup vendor”) planning.
Culture can be a blocker. If “everyone is an admin,” expect friction; design an identity plan that tightens controls without triggering mass attrition.
Day-1 playbook, security-first. Run a compromise assessment pre-connect, harden the first systems to integrate (often O365), and sequence identity, segmentation, and logging before broad access.
Boards should ask: What did we actually do for cyber diligence, what didn’t we do, and why? Reasonableness, and the paper trail, matters.

Notable moments
Unearthing issues outside-in: spotting malware beacons and leaked data for sale before the target even knows.
Regulatory context: Europe’s heavier regime (GDPR, DORA, AI rules) vs. U.S. patchwork; either way, negligence standards still bite.
Real-world stakes: from payroll outages to healthcare delays, cyber incidents can rapidly become safety and livelihood issues.

Resources & mentions
FormerGov, a directory for former government and military professionals seeking roles in the private sector.
Topics referenced: GDPR, DORA, MFA, IAM, immutable backups, zero-trust enclaves, dark-web monitoring, third-party risk management & vendor tabletop exercises.

About the show
Chasing Entropy goes beyond the headlines (no hype, no FUD), exploring the human decisions and systemic cracks that put security to the test. Subscribe, share, and send me your questions for future episodes.
Sep 9, 2025 • 31min

Chasing Entropy Podcast 020: Trey Ford on Research, Risk, and the Rise of Agentic AI

In the 20th episode of the Chasing Entropy Podcast, Dave Lewis sits down with Trey Ford, Chief Strategy & Trust Officer at Bugcrowd and former General Manager of Black Hat, to explore the realities of modern cybersecurity leadership.

From the pitfalls of annual penetration tests to the messy realities of vulnerability disclosure, Trey shares lessons from decades in the field. He explains why risk should be owned at the board level (not by the CISO alone), why disclosure remains the internet’s immune system, and what the rise of agentic AI means for governance and resilience.

The conversation also dives into leadership growth: shifting from arguing to win, to arguing to understand, and how CISOs can transform into true business partners rather than gatekeepers.

Key Takeaways
Continuous resilience matters. Annual pen tests don’t reflect reality—continuous measurement does.
Risk ownership belongs with the business. CISOs shouldn’t carry it alone.
Disclosure is essential. Research-first venues like Black Hat make it safer.
Agentic AI raises new risks. Guardrails, explainability, and governance must be designed in.
CISO success = trust. Build partnerships across the executive team, not walls.

Memorable Quotes
“If it’s accessible, it’s worth securing, scope is a convenience, not a defense.”
“It’s not CISO vs. world; it’s the business deciding risk together.”
“In the cloud you can ‘accidentally it all the way’, agentic AI just gives that accident agency.”

Listen to Episode 20 now wherever you get your podcasts!
Sep 2, 2025 • 32min

Chasing Entropy Podcast 019: Balancing Security, IT, and Human Outcomes with Jacob DePriest

In this episode of Chasing Entropy, host Dave Lewis, Global Advisory CISO at 1Password, sits down with Jacob DePriest, the newly appointed CISO and CIO at 1Password. Together, they explore the intersection of security, IT, and the human factors that shape how we defend and sometimes undermine our digital world.

From NSA to GitHub to 1Password
Jacob traces his path from early engineering work at the NSA to leading security operations at GitHub, and now into his dual role at 1Password. With roots in engineering and open source advocacy, he shares how those experiences shaped his approach to building secure yet productive environments.

Security and Development: A Necessary Partnership
A recurring theme is the relationship between security teams and developers. Jacob emphasizes that security cannot scale without deep integration into the engineering lifecycle. Rather than bolting on controls, he advocates for shared scoreboards, embedded guardrails, and empowering developers to focus on outcomes without unnecessary friction.

Secrets, AI, and the Future of Risk
The conversation dives into secrets management and the rise of AI in security. Jacob highlights how smarter alerting and AI-assisted scanning can help reduce noise around exposed credentials. They also discuss the promises and pitfalls of agentic AI, where transparency, governance, and credential security will become defining challenges for enterprises.

Balancing Productivity and Protection
As both CISO and CIO, Jacob is uniquely positioned to tackle the long-standing tension between IT enablement and security. He argues that these shouldn’t be opposing forces; the shared goal is enabling the business safely and responsibly. Hybrid teams and flexible models, such as customizable unlock experiences in 1Password, illustrate how to strike that balance.

Diversity, Culture, and Psychological Safety
The episode also touches on team culture: hiring for diversity of thought, encouraging dissenting voices, and building psychological safety. Jacob and Dave reflect on how recognition systems, open communication, and intentional leadership can foster stronger, more resilient security teams.

Parting Advice for Security Leaders
Jacob closes with two guiding principles:
Focus on outcomes and the big picture; don’t lose sight of the real problems in pursuit of perfect solutions.
Appreciate the community of security professionals who face daily challenges in an increasingly complex landscape.

Listen now to hear Jacob’s insights on navigating the evolving role of security leaders, the integration of IT and cybersecurity, and how to prepare for the next wave of challenges. As always, be sure to like and subscribe!
Aug 26, 2025 • 34min

Chasing Entropy Podcast 018: From Game Genie to Global Security. A Conversation with Rob Fuller

In this episode of the Chasing Entropy Podcast, host Dave Lewis, Global Advisory CISO at 1Password, sits down with Rob Fuller (a.k.a. Mubix), cybersecurity leader, Marine Corps veteran, red teamer, and technical advisor, to explore the twists, turns, and lessons from a career built at the intersection of curiosity, community, and defense.

Early Sparks of Curiosity
Rob shares how tinkering with Game Genie and GameShark consoles in his youth planted the seeds of hacking and cybersecurity. From experimenting with memory manipulation in video games to dabbling in early online communities, his fascination with technology was clear—even if he didn’t yet have a name for it.

The Marine Corps and Grounding in Reality
His journey took a pivotal turn in the U.S. Marine Corps, where Rob shifted into IT and found his calling at the Marine Corps CERT. There, he confronted threats at a national scale, battling nation-state adversaries and learning the importance of context, failure, and resilience. The high-stakes environment taught him perspective—what truly counts as critical versus what’s just noise.

Red Teams, Purple Teams, and the Role of AI
Rob dives into his philosophy on red vs. purple teaming, how organizations misstep in their security approaches, and where AI fits into the equation. While AI can accelerate tasks like data analysis and content generation, he stresses that human judgment remains essential, particularly when weighing real-world risk.

Maturity in Vulnerability Disclosure Programs
Rob outlines the evolution of Vulnerability Disclosure Programs (VDPs)—from a simple security@company.com email, to structured bug bounties, to advanced maturity where vulnerabilities are ballooned out, templated, and continuously scanned across entire infrastructures. Tools like Nuclei earn his praise as underrated game-changers in scaling this process.

What’s Overrated, What’s Underrated
When asked about overrated tools, Rob jokingly points to Splunk, acknowledging it as a powerful log platform but often overhyped without the right people and processes behind it. In contrast, he champions Nuclei for its ability to empower teams with scalable, reusable vulnerability detection.

Leadership, Curiosity, and Mentorship
For those entering cybersecurity, Rob emphasizes starting the leadership journey early—seeking credentials, mentorship, and experience beyond being just a technical contributor. For senior leaders, he advises fostering curiosity and root cause analysis across teams, and creating spaces for “show and tells” where junior staff can share passion projects that might blossom into innovative enterprise-wide solutions.

Silicon Valley and Beyond
Rob also reflects on his experience as a technical advisor for HBO’s Silicon Valley, ensuring cybersecurity accuracy behind the scenes. From late-night calls to writers’ room debates, the role gave him a chance to influence how hacking and security were portrayed to millions of viewers—an opportunity to shift the narrative away from the usual Hollywood myths.

Listen to the full conversation for Rob’s insights on community, resilience, and the underrated value of curiosity in shaping the future of cybersecurity. Don’t forget to like & subscribe to the Chasing Entropy Podcast wherever you get your podcasts.
Aug 19, 2025 • 39min

Chasing Entropy Podcast 017: The Storyteller’s Journey with Bill Brenner

In this episode of Chasing Entropy, Dave Lewis sits down with longtime friend and industry veteran Bill Brenner, Senior VP and Head of Content at Cyber Risk Alliance. Bill has been shaping the cybersecurity narrative for over two decades, from his early reporting days at TechTarget to his leadership roles at Akamai, Sophos, IANS, and now Cyber Risk Alliance.

From Newsrooms to Cybersecurity
Bill shares how his career began in traditional journalism, with a pivotal moment after 9/11 pushing him toward B2B reporting. A role at SearchSecurity marked his entry into cybersecurity, where he quickly established himself as a respected interviewer, writer, and—eventually—a storyteller within the security community.

The OCD Diaries & Mental Health Advocacy
A major part of Bill’s journey has been his candid writing in The OCD Diaries, a personal blog turned community resource. What started as a therapeutic exercise evolved into a touchstone for many in security facing similar struggles. Today, Bill continues that advocacy through his work with CyberMinds, developing tools and resources to support the mental health of cyber defenders, who often face burnout, PTSD-like stress, and relentless alert fatigue.

Storytelling, Security, and Leadership
Reflecting on his time at Akamai, Bill discusses how being embedded in a security team during the Heartbleed and Shellshock era shaped his understanding of communication, trust, and leadership. He and Dave revisit their collaboration on reports, vulnerability advisories, and how content can influence both internal teams and the wider industry.

AI, Content, and the Human Element
Bill and Dave dive into the current disruption caused by artificial intelligence. While many companies mistakenly see AI as a replacement for people, Bill argues it must be used as an enhancer—freeing humans from repetitive tasks while preserving creativity, critical thinking, and authenticity. His own work at Cyber Risk Alliance now includes experimenting with AI to streamline workflows without losing the human voice.

Looking Ahead
Bill emphasizes the importance of resilience, humility, and staying focused on the human side of security. Whether through mental health advocacy, building stronger content strategies, or mentoring the next generation, his mission remains clear: tell stories that matter and help the community thrive in an increasingly chaotic digital world.

👉 Where to find Bill:
The OCD Diaries (archived blog with evergreen posts)
Bill on LinkedIn (active writing and insights)
SC Media / SC World (ongoing journalism and leadership work)
Aug 12, 2025 • 37min

Chasing Entropy Podcast 016: Seeing Beyond the Hype with Fernando Montenegro

In this episode of the Chasing Entropy Podcast, host Dave Lewis welcomes industry analyst and long-time cybersecurity veteran Fernando Montenegro for a far-ranging and refreshingly honest discussion about the evolution of security, the realities of AI, and the human stories that shape our digital defenses.

Fernando shares his origin story from math and fractals in Brazil to cryptography and bulletin boards, and ultimately to a career that has spanned consulting, sales engineering, and now research and analysis. Along the way, he highlights the importance of community spaces like TASK (Toronto Area Security Klatsch) and B-Sides as pivotal launchpads for industry newcomers.

The conversation dives deep into artificial intelligence and its nuanced role in cybersecurity:
Security for AI: Helping organizations safely adopt AI tools.
AI for Security: Using AI to enhance defense mechanisms.
Security against AI: Preparing for AI-augmented attacks and fraud.

Fernando advocates for viewing AI through an economic and socio-technical lens rather than blindly trusting in its promise. As both he and Dave agree, AI isn't magic—it's math. It can augment work, but replacing human judgment, strategy, and contextual understanding is far from reality.

They also touch on the dangers of layoffs fueled by AI hype, calling out examples like Klarna’s public misstep, and drawing parallels to earlier cloud-related downsizing miscalculations. Both stress the importance of understanding what workers actually do before trying to replace them with automation.

As the episode wraps, Fernando delivers sage advice for those entering or pivoting into cybersecurity:
Leverage your prior experience; whether from hospitality or marketing, it has value.
Seek mentorship from peers 2–5 years ahead of you for tactical guidance.
Don’t be discouraged by gatekeeping; curiosity and kindness go a long way in this relationship-driven field.

Whether you're a seasoned professional or just getting started, this episode is a candid reminder that cybersecurity is as much about people as it is about technology, and that chasing entropy means embracing complexity, not avoiding it.
