Penetration Tests: useful, pointless, harmful, required, ineffective? – Phillip Wylie – ESW #398
Penetration tests are probably the most common and recognized cybersecurity consulting services. Nearly every business above a certain size has had at least one pentest by an external firm.
Here's the thing, though - the average ransomware attack looks an awful lot like the bog standard pentest we've all been purchasing or delivering for years. Yet thousands of orgs every year fall victim to these attacks. What's going on here? Why are we so bad at stopping the very thing we've been training against for so long?
This Interview with Phillip Wylie will provide some insight into this! Spoiler: a lot of the issues we had 10, even 15 years ago remain today.
Segment resources:
- Phillip's talk, Optimal Offensive Security Programs from Dia de los Hackers last fall
Phillip Wylie is an offensive security professional with over 21 years of cybersecurity experience. He is also a former Dallas College Adjunct Instructor where he taught pentesting and web application pentesting. Phillip has diverse experience in multiple cybersecurity disciplines, including network security, application security, and pentesting. As an offensive security professional with over a decade of experience, he has conducted pentests of networks, Wi-Fi networks, and applications.
Phillip’s contributions to the cybersecurity industry extend beyond his work as a pentester. He is the concept creator and co-author of The Pentester Blueprint: Starting a Career as an Ethical Hacker, a highly regarded book inspired by a lecture he presented to his class at Dallas College, which later became a conference talk. Phillip previously hosted The Phillip Wylie Show and The Hacker Factory Podcast. Lastly, he is a frequent speaker, keynote speaker, international speaker, and workshop instructor.
Identiverse 2025 is returning to Las Vegas, June 3-6. Hear from 250+ expert speakers and connect with 3,000+ identity security professionals across four days of keynotes, breakout sessions, and deep dives into the latest identity security trends. Plus, take part in hands-on workshops and explore the brand-new Non-Human Identity Pavilion. Register now and save 25% with code IDV25-SecurityWeekly at https://www.securityweekly.com/IDV2025
Your Cloud is a Mess, and We Explore 5 Reasons Why – Marina Segal – ESW #398
It takes months to get approvals and remediate cloud issues. It can take months to fix even critical vulnerabilities! How could this be? I thought the cloud was the birthplace of agile/DevOps, and everything speedy and scalable in IT? How could cloud security be struggling so much?
In this interview we chat with Marina Segal, the founder and CEO of Tamnoon - a company she founded specifically to address these problems.
Segment Resources:
- Gartner prediction: By 2025, 75% of new CSPM purchases will be part of an integrated CNAPP offering. This highlights the growing importance of CNAPP solutions. https://www.wiz.io/academy/cnapp-vs-cspm
- Cloud security skills gap: Even well-intentioned teams may inadvertently leave their systems vulnerable due to the cybersecurity skills shortage. https://eviden.com/publications/digital-security-magazine/cybersecurity-predictions-2025/top-cloud-security-trends/
- CNAPP market growth: The CNAPP market is expected to grow from $10.74 billion in 2025 to $59.88 billion by 2034, indicating a significant increase in demand for these solutions. https://eviden.com/publications/digital-security-magazine/cybersecurity-predictions-2025/top-cloud-security-trends/
- Challenges in Kubernetes security: CSPMs and CNAPPs may have gaps in addressing Kubernetes-specific security issues, which could be relevant to the skills gap discussion. https://www.armosec.io/blog/kubernetes-security-gap-cspm-cnapp/
- Addressing the skills gap: Investing in training to bridge the cybersecurity skills gap and leveraging CNAPP platforms that combine advanced tools are recommended strategies. https://www.fortinet.com/blog/business-and-technology/navigating-todays-cloud-security-challenges
- Tamnoon's State of Remediation 2025 report
Marina Segal is an entrepreneur and product leader in the Cloud Protection Space with over 17 years of global experience in Cyber Security, MSSP, Risk Management, Compliance, and Governance. She is currently the CEO and Co-Founder of Tamnoon, and has a track record of enabling Dome9 (acquired by Check Point) and Sysdig to become leaders in the Cloud Security Market. Marina has expertise in leveraging AI and ML technologies to develop cloud security products and has been instrumental in driving innovation and delivering high accuracy results. Marina is also a board member of the Cloud Security Alliance Seattle Chapter and is the Founder of WoSec Chapter Meetup – Bay Area.
Security doesn’t trust AI, but startups are using it to write 95% of their code – ESW #398
In this week's enterprise security news,
- Knostic raises funding
- The real barriers to AI adoption for security folks
- What AI is really getting used for in the wild
- Early stage startup code bases are almost entirely AI generated
- Hacking your employer never seems to go well
- Should the CISO be the chief resiliency officer?
- Proof we still need more women in tech
All that and more, on this episode of Enterprise Security Weekly.
Security Weekly listeners save $100 on their RSAC Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac25 and use the code 5U5SECWEEKLY! We hope to see you there!
Adrian Sanabria
- FUNDING: Crogl, armed with $30M, takes the wraps off a new AI ‘Iron Man suit’ for security analysts
- FUNDING: Knostic Nabs $11 Million to Eliminate Enterprise AI Data Leaks
- MARKET: Security, Funded #184 – Zero Trust for AI
Actually, this week, I want to focus on something not related to funding in Mike Privette's Security, Funded newsletter. Every issue, he runs some polls. This past week, he asked readers, "what's holding back AI in cybersecurity?"
The answer was overwhelmingly that vendors struggle to make AI fit into real workflows. Tied for second were "buyers aren't convinced AI actually helps" and "security leaders & practitioners don't fully trust AI decisions."
- AI TRENDS: The Anthropic Economic Index
- AI TRENDS: A quarter of startups in YC’s current cohort have codebases that are almost entirely AI-generated
I actually think this might be a good thing. Bear with me as I explain.
From talking to folks who have been using AI to write code, it's great for prototyping, or maybe even building an MVP, but don't expect it to scale very far.
Which is kind of perfect, given that many startups find that the code that got them from pre-Seed to Series A won't get them much further without a major redesign/rearchitect/refactor.
This is often because it won't scale to serve that new customer that is truly massive, or the market fit they discovered was different, requiring a bit of a pivot that the MVP wasn't designed for.
Since the MVP is inevitably going to be thrown away ANYWAY, why not use AI to generate most of it?
- CYBER INCIDENTS: Developer Convicted for Hacking Former Employer’s Systems
- HACKS: One pixel attack
I don't expect to see this as an attack from any financially-motivated attacker, but maybe an anti-AI hacktivist?
The larger concern, however, is just corrupted images being incorrectly categorized by AI. I wonder if this extends to face verification? I'm guessing not, since that requires an enrollment image that it is comparing against.
But for surveillance cameras using this technology (e.g. Ring cameras), if I have a big enough pimple, will AI cameras think I'm a moose, or a Xerox machine?
The paper is here.
- SQUIRREL: “After carefully watching this video of cats making burgers I’ve come to the conclusion that the billions we’ve spent on AI is money well spent”
- ESSAYS: The CISO as Business Resilience Architect
A lot of interesting questions to ponder in this essay.
- SQUIRREL: “hmm maybe we do need more women in tech”
haha this is just a joke right
haha nope: https://patents.google.com/patent/US3216423A/en