Resilient Cyber

In this episode of Resilient Cyber I sit down with Anshuman Bhartiya to discuss AI-native AppSec. Anshuman is a Staff Security Engineer at Lyft, Host of the The Boring AppSec Community podcast, and author of the AI Security Engineer newsletter on LinkedIn. Anshuman has quickly become an AppSec leader I highly respect and find myself learning from his content and perspectives on AppSec and Security Engineering in the era of AI, LLMs and Agents.

In this episode of Resilient Cyber I'm joined by one of my favorite Vulnerability Researchers, Jerry Gamblin.Jerry recently published a comprehensive 2025 CVE retrospective, which we will dive into, as well as his thoughts around trends and patterns we may see emerge in the vulnerability management landscape moving into 2026 and beyond.

In this episode of Resilient Cyber, I sit down with my friend and the Founder of Return on Security (RoS), 💰 Mike Privette.Mike is the among the best our community has to offer when it comes to analyzing the macroeconomic trends of the cybersecurity ecosystem, from M&A, fundraising, startups, innovation, and venture capital.We will dig into the macroeconomics of cyber this past year, key trends, takeaways, the outsized role AI has or hasn’t had and what 2026 may hold as we look ahead.

In this discussion, Patrick Garrity, a vulnerability researcher from VulnCheck, dives into the 2025 trends in vulnerability management. He reveals how attackers are evolving tactics, making security vendors prime targets due to outdated code. Patrick also discusses the fragmentation in vulnerability databases and the importance of quality data in maintaining effective defenses. His insights into coordinated disclosure processes and predictions for exploitation trends in 2026 paint a compelling picture of the future landscape in cybersecurity.

In this episode of Resilient Cyber, I'm joined by Jesus Alejandro Cardenes Cabre, SVP of Product Architecture and John Xiaremba, Software Engineer, both from the VIA Knowledge Hub team to dig into all things post-quantum cryptography (PQC). This includes PQC standards, as well as practical steps developers must take today to mitigate future risks.

In this episode of Resilient Cyber, I sit down with Kamal Shah, Cofounder and CEO at Prophet Security, to discuss the State of AI in SecOps. There continues to be a tremendous amount of excitement and investment in the industry around AI and cybersecurity, with Security Operations (SecOps) arguably seeing the most investment among the various cybersecurity categories.Kamal and I will walk through the actual state of AI in SecOps, how AI is impacting the future of the SOC, what hype vs. reality is, and much more.

In this episode of Resilient Cyber, I sit down with longtime industry AppSec leader and Founder/CTO of Contrast Security, Jeff Williams, along with Contrast Security's Sr. Director of Product Security Naomi Buckwalter, to discuss all things Application Detection & Response (ADR), as well as the implications of AI-driven development.

Ross Young, a former CIA officer and seasoned cybersecurity leader, dives deep into mastering the cybersecurity budget. He discusses the common pitfalls in budget allocation and critiques the inefficiencies of incremental budgeting. Ross highlights the importance of understanding total cost of ownership and advocates for a threat-informed approach to spending. He also introduces his unique audit method to optimize tool usage and shares insights from his upcoming book on the often-overlooked challenges in cybersecurity finance.

In this episode, I sit down with Mitchel Herckis, Global Head of Government Affairs at cloud security leader Wiz. We will be discussing all things public sector and cybersecurity, including the evolution of the FedRAMP program, modernizing vulnerability management, and the future of Continuous ATO (cATO).We covered a lot of ground, including:Mitch’s background, both at Wiz and inside Government at roles such as OMBHow Wiz is working with Federal agencies and Defense Industrial Base (DIB) partners on Cloud Security, including the long-needed overhaul of FedRAMP with FedRAMP 20x’s efforts.The move towards real Continuous Monitoring (ConMon) with real-time visibility of cloud environments, as well as the need for machine-readable artifacts, automations, and streamlined security control assessments.The modernization of vulnerability management, including factors such as attack paths, reachability, exploitability, known exploitation, and the importance of focusing on real risks versus noise.Moving away from paper-based compliance exercises and bridging the gap between security and compliance.Wiz’s role as a CVE Numbering Authority (CNA) and the broader CVE program, including its importance for both the Government and industry when it comes to vulnerability management.To evolving usage of SBOMs and broader supply chain security.Disjointed efforts around the Government at both the Federal at State levels when it comes to Continuous ATO (cATO) and how we can move towards a more cohesive approach to modern system assessment and authorization.The importance of Government Affairs and bridging the divide between industry and Government, including bringing in tech leaders into Government, influencing policy, and improving outcomes for citizens and warfighters alike.The dual-edged sword that is AI adoption in the public sector.

In this episode of Resilient Cyber, I sit down with Founder & CEO of Paramify, Kenny Scott, to unpack the evolution of the FedRAMP program, FedRAMP 20x, and discuss what the public sector cloud compliance looks like moving into the future.Kenny and I dove into a lot of topics, including:What FedRAMP is and why it mattersWhat FedRAMP 20x is and what longstanding challenges associated with FedRAMP and public sector cloud and compliance it is addressingThe various aspects of FedRAMP 20x, including its phased rolloutChanges via FedRAMP 20x when it comes to Key Security Indicators (KSI), and how they differ from “controls”FedRAMP’s modern vulnerability management approach and how it changes from the way vulnerability was historically handled under FedRAMPThe importance of automated assessments, machine-readable artifacts, real Continuous Monitoring (ConMon), and more for practical GRC EngineeringThe role of GRC platforms when it comes to modernizing GRCWhat are the implications of FedRAMP 20x for other public sector compliance programs, such as DoD’s SWFT, SRG, and RMFSubscribe now