The GIST of Govt IT

Minutes, Not Months: Inside the New Cyber Velocity Facing Federal Agencies

Swish


48 hours. That's the time it took for a federal employee's credentials to go from being stolen in a phishing attack to being listed on a dark web marketplace. In Episode 8 of The GIST of Govt IT, Brian and Sean sit down at Check Point's Engage Summit in DC with Yochai Corem, General Manager of Check Point's Exposure Management division, to unpack what happens when both sides of cyber warfare have agentic AI, and why the next three years will not be kind to defenders. Yochai shares why pen testing once a quarter is no longer relevant, how a single Chinese developer built an entire attack program in a week using an army of agents, and what Iranian threat actors targeting Israeli hospitals look like in real time during active kinetic conflict. The conversation digs into agentic red teaming vs. automated red teaming (and why the difference matters), why "safe remediation" still keeps a human in the loop, how to use the firewalls, WAFs, and IPS you already own as compensating controls when patching takes weeks, and the under-discussed reality that government leaders must put their hands on the keyboard with AI. Plus: Yochai's family cookbook and other vibe-coding stories.


RESOURCES MENTIONED IN THIS EPISODE


Featured Guest

- Yochai Corem, GM, Exposure Management, Check Point
- Corem Travel — Yochai's travel planning app

Check Point
- Check Point

- Check Point Exposure Management
- Check Point Engage Summit - Washington, DC 


Check Point's Exposure Management Acquisitions
- Cyberint (now part of Check Point's external risk management)
- Veriti (automated security control management)
- Cyclops (now Check Point's CAASM offering)


Exposure Management & CTEM Framework
- Gartner Continuous Threat Exposure Management (CTEM) overview
- CISA Known Exploited Vulnerabilities (KEV) Catalog 


Agentic AI & Red Teaming
- OWASP Top 10 for LLM Applications
- OWASP AIVSS — AI Vulnerability Scoring System for Agentic AI
- MITRE ATLAS (Adversarial Threat Landscape for AI Systems)


Threat Actor Tracking

- Check Point Research (threat intelligence blog)

- Check Point ThreatCloud AI


Concepts & References

- Air-gapped network security guidance (NIST SP 800-82)

- IRGC (Iranian threat actor background — CISA advisory on CyberAv3ngers)


Related Episodes

- Episode 7: Iran Came for the Dams and We Got Lucky: Frontline Insights into the OT Fight
- Episode 6: Cupcakes & OODA Loops: Inside(r) Insights Into the New Federal AI Cyber Playbook
- Episode 5: Vibe Hacking and Nation State Cyber Threats

Upcoming Events

- GIST 360 Breakfast Briefing at the National Press Club, July 14, 2026 - When the Perimeter Disappears 


The Hosts & Show
- Swish
- GIST 360 

CONNECT WITH US

Got an idea for a future episode? Want to be a guest? Let us know.

Brian Lake - blake@swishdata.com

Sean Applegate - sapplegate@swishdata.com

Subscribe wherever you get your podcasts: Apple Podcasts, Spotify, or gist360.com.


The 48 Hours to a Dark Web Sale

Brian Lake

Here's a number that should keep every federal CISO awake at night. 48 hours. That's how long it takes, from the moment an employee is a victim of a phishing scam to the moment their federal credentials are listed for sale on a dark web marketplace. 48 hours. While it may take weeks for that federal agency to even realize the theft. The attacker's playbook in 2026 is now all about reconnaissance. From the outside, continuously, and at machine speed. We're live today from the Check Point Engage Conference in Washington, D.C., where our guest is one of the four front leaders who wrote the playbook around continuous threat exposure management. The question is really about whether the federal government can read it fast enough. So to dig into these threats and unpack strategies that CISOs need to be prioritizing, you know what we have to do. Let's get down to the gist of it.

Meet Yochai Corem

Brian Lake

Welcome to the show, Sean.

Sean Applegate

Outstanding coming uh from Check Point Engage today. So lots of new lessons. That's right.

Brian Lake

Excited to be here. And I'm really excited today, Sean, because we have a guest with us today, Mr. Yochai Corem, who is the general manager of the uh exposure management division at Check Point. I got that right. 100%. All right, excellent. So, Yochai, uh let why don't you tell the folks a little bit why who you are, how you got to be here at Check Point, what we're going to talk about today, and then I've got a really special question for you based off something I heard earlier today.

SPEAKER_00

Okay. Um I I lead the exposure management division, uh, pillar in Check Point. Check Point has a new strategy in the last year. Um you know, many people know Check Point is the firewall company uh for the last 31 years. The father, right, of firewalls is Gil Shwed. Um and the cybersecurity world is much more than just firewalls today. So Check Point has four pillars, uh, the firewall hybrid mesh pillar, as we call it, workspace AI, and I led the fourth one, which is called exposure management. I joined Check Point about one and a half years ago through an acquisition. I was the CEO of a company named Cyberint, which uh I led for a few years. Um, and then Check Point, and we can probably talk about it later, decided to acquire us. Since then, I've acquired two more companies, and together we build a unique portfolio, very differentiated often for from what I see with discussions with many CCOs and CIOs to help uh solve the vulnerabilities and exposure problem uh in the AI world today. Um so that's what I'm doing. Excellent. So and home is where?

Brian Lake

Israel. Israel, excellent. And and how and I'm assuming that you've been around the cybersecurity world for a little bit? 30 years. Since 1997. Great, excellent. Well, listen, uh very glad to have you on the show today. We're excited

Vibe Coding Personal Apps Fast

Brian Lake

to dig in. But I do want to say I was listening to your presentation earlier, and you mentioned previously, as I was doing some research about your background, about this concept if you're not in front of AI, you're behind. And uh you share a pretty great story and that we we we Sean and I talked a little bit about how we we get in cloud and we start to vibe code and we see what we can create and we push each other a little further. But why don't you share with the folks what you vibe coded yourself, what application you built. Uh and then we'll dig into the cyber, the cybersecurity stuff a little bit more.

SPEAKER_00

Actually, I have several applications. The the one I shared with the audience today is about the story that my wife uh she likes cooking and she has all of those recipes shared in her private WhatsApp channel that she has with herself, or handtaken notes that you know already with stains from the oil from the last uh last time. And she said, Why don't we have a family cookbook? And then she went for uh uh uh Schlafstunde as the same German, right? For a for a nap in the afternoon. And and when she woke up, she had her own private uh uh family cookbook where I just you know went to Lovable and say, Hey, I want to have a family cookbook. This is something, what can you recommend? So it came up with says, okay, I take them all, say yes. And you know, an hour and a half later we had uh family cookbook where everyone can share and love and upload photos. Yeah.

Brian Lake

So is that is that is that something we could share with our listeners if they want to find uh the Corem family recipe?

SPEAKER_00

That's not I created security, so that's private. So with the but with the second application I've done, it's it's uh I like hiking and traveling the world. So I I used to have I still have a blog for you know hiking the world. It's called the quorem travel.com. Uh so uh and then I thought, you know, I like hiking. If I want to go to be in Washington for two days, um what what should I do? So people go to Chat GPT and say, hey, tell me what I can do in two days in Washington, get a list, but it's not really easy to use because it's not on the map and you know what's open and what's not. So I built a travel planning app, uh which I worked for the last half a year on my nights. So go and um join and enjoy uh free travel planning. Or encoring travel. Yeah, corem travel. Yeah, corem dash travel.

Brian Lake

Yeah, I I texted my fiance who's Italian from New Jersey, and she's a big chef. Uh we always talk about the app and the healthy food, and I mean and I think I got myself in trouble. Get unclawed later. Well, listen, we're not here to talk about this. Let's get into it, Sean. Uh so Yochai, I really want to start with this kind of level setting

Outside Threats Facing Federal Agencies

Brian Lake

question. Um, 90% of successful cyber attacks start really outside of the perimeter, right? Stolen credentials, phishing, impersonation, exposed mobile assets. And while this is not something new, I think what's we're we've been seeing a lot lately is it's the way in the tools that the attackers have at their disposal, especially with AI, which is changing the veracity, the speed, the persistence of these hackers. And here in the federal government, we're talking about nation-state hackers. And then what even is more concerning to me is now we're getting these vibe hackers, amateurs that have access to tools that can then go be turned loose on some of these federal networks. So truly help us understand the scope of this problem for federal agencies and federal CISOs. Lay the groundwork for us.

SPEAKER_00

Um at the end of the day, I'm we're trying to look from the perspective of the adversary. Right? Because when you analyze the attacks, you s you analyze how that adversary has executed them. You rightfully said that uh they all start from the outside in reality, right? No one starts from the inside. You need to put someone inside to be so the either identity theft through credentials and info stealers, uh, through uh phishing attacks, uh, through vulnerable internet-facing assets, through suppliers. This will be the top four most common attack vectors. Uh, if people invest time to think how they can secure in multi-layers those vectors, they are going to have less risks. In addition, we are, you know, based on the Check Point telemetry that we we have, we are researching uh all the um adversaries from China, from Iran, from Russia, which are the ones that are targeting the public sector in the US and federal specifically. Uh we monitor, for example, just in Iran, more than seven groups with uh some from the Intelligence Interior and some uh ministry and some from other ministries. Uh each one is targeting different organizations. You know, I was surprised to see in our literature uh one of the recent research we've we've published is how many universities and health and and uh education uh institutes are being attacked by the Iranian government because they have a lot of data, both research data as well as PII data about people who studies in those universities. You know, intelligence sometimes will be later being used for human operations. So if you have very sensitive data about some people, uh, for example, they lied in the resume and they're in parliament, just an example, would be what can you do with that? Uh just think of all kinds of ideas. So the the Iranians and the Russians and are definitely uh working very hard. 
Some of them have advanced tools, some of them have just okay tools, and then they'll just use social engineering and all the other techniques we know. This is the reality today. The the difference is that if before you need to have very skilled attacker to use those techniques, today, you know, anyone can use them. Uh and you don't need to be a smart developer and smart DevOps and smart application and smart hacker to just use AI tools, suddenly the amount of attacks is going much higher. And also the complexity is higher because more people can use simple tools today.

Sean Applegate

Yeah, and I think you know some of the stuff we're seeing as far as speed and velocity, it is it is off the charts when you think of how fast and at what scale they can do it in, the quality, uh, you know, the ability for them to exploit us and move from kind of touch point one to you're completely owned is is breakneck,

Minutes To Exploit vs. Slow Government Cyber Procurement Cycles

Sean Applegate

right? And I think we talked about this earlier upstairs, but you know, we're moving from from maybe months or weeks to hours or minutes now. And it's way more risky.

SPEAKER_00

I can tell you minutes, and you know, we've developed our own agentic attacker because we believe that in order to be protected against agentic attack tools, you need to run them on yourself. And pen testing once a year or once a quarter, or even once is not relevant. It's not just the periodically, it's also the tools that are being used and why agentic reasoning is needed. Um and I can tell you, just in the last week, we've exploited 21 vulnerabilities that had no known exploit before. All of them took less than 10 minutes to exploit. Okay, by our own, not the most sophisticated models, right? By engineers that are not nation state, you know, uh just smart engineering and knowing what to do. So it is minutes today, um, and definitely not days. Okay. The velocity, the speed, the c the amount is something else. And I think when I look at governments, not only in the US, I work all around the world, uh, the process for procuring in government is very, very slow. The decision making is very, very slow. It has to be lawful and according to the contract rules and all of that. So you need to create an RFI and get answers and then write an RFP and then you know you disengage. And it takes you two years to build a cybersecurity solution where the hackers they don't need to go through this process. And you know, in in we just analyzed a Chinese attacker. Um we we were he did a mistake. Uh we know Chinese because some of the code is the comments are in Chinese. Um we thought, wow, it's amazing attack tools against Linux infrastructure. Uh we thought it took this uh group of hackers about half a year to develop. But because they made a mistake, we're able to see that that's actually was one developer that created armies of agents that coded the entire attack tools or attack program in one week. Okay. One week. And this is the reality today. So they are not waiting, they're running it. 
And the problem for governments is that the procurement speed is very slow and uh you know it's not easy to solve, to be honest with you, when you work in a democratic country.

Brian Lake

Yeah, I think we we've talked extensively, Sean, about the tsunami of agents that are not on our side that are coming for us and coming for our networks, coming for our agencies. There is no perimeter any longer. It can come from any direction. Um can I ask you real quickly, when you mentioned uh you identify in minutes, what does the remediation look like for organizations?

Cutting Noise With Exploit Validation

Brian Lake

Because we've talked a lot about Mythos is out there and to finding hundreds and thousands of vulnerabilities, but then you have to, if you don't have an an AI solution to help you remediate, is you're relying on humans to get in the middle to do that remediation. So how do you manage this if you're finding all these vulnerabilities and then trying to actually fix the problem?

SPEAKER_00

Let's start with one previous problem is I have so many vulnerabilities, which one are actually true? Sure. Right? So the classic uh vulnerability scanners will scan all your environment and will find uh the X amount of asset times number amount of vulnerabilities, then you have hundreds of thousands of vulnerability cases you have to solve, and it's not it was never possible and not today. And then the vulnerability team, they open tickets for someone else, they need to find who's the right team, who is the right owner of this application or uh security control, and then open a ticket, and then they pray. They they pray that the person is not in vacation, is not, you know, uh is he cares, he understands the context, that they're writing well enough, and it's it's a it's a battle against ticket SLA, right? So uh the first question are all vulnerabilities the same? And what we found out, and and then you went through the classical, hi, this is critical, this is high, CISA KEV, and all of that. In reality, today even a low vulnerability or vulnerability without existing exploit is not something that you can rule out anymore, right? So what we what we're trying to do is actually validate whether the specif whether this is actually exploitable in your specific context. Okay, so we run our agentic capabilities to try to exploit this vulnerability in safe conditions, of course, to validate whether all of those passive findings, scanner findings, are really related. So first we want to eliminate 90% of the problems that are not actually exploitable in our case. For example, we analyze all the vulnerabilities and we come up with the precondition for this vulnerability to exist. The fact that there is a file with a hash that is potentially vulnerable doesn't mean it's actually running or the process is running, or another precondition exists, and we can rule out some of the vulnerabilities. 
Secondly, we want to validate there is actually internet-facing access because many of those vulnerabilities require uh attacker actually being able to reach the asset that is vulnerable and exploit it. So, in many cases, the prioritization question is different than before, and we need to tackle that in a different um philosophy than it was uh even a year ago. And that's what we are doing. The second to to the question you asked is how do you uh remediate? The best thing, of course, is to patch. That's the best thing because we you eliminate the the problem from the source. Unfortunately, patching sometimes takes time because you need to write the code, you need to upgrade the software, software could be in production, you need to test it because there's impact if you do create a bug, or uh you know, you cannot upgrade the C4I system for the military just because there's a vulnerability, and they know you have troops in the field that you know that they fight, they need to be running. And there's a slower process to do so. Uh in some cases, there's no patch. The vendor did not even have a patch. So you have a vulnerability without a patch. Okay, so what do you do there? Um, so our approach is actually to use the investment you've done in the last 10 years for with security tools like firewalls, like WAFs, like endpoints, like cloud security solutions, et cetera, and use them as compensating controls and actually cut the uh reachability or the ability for the hacker from the outside or from different subnet to reach the vulnerable host, and by that again give you time to go and patch in in a more ordinary fashion. And it seems that in most companies, micro-segmentation and firewalls and WAF, et cetera, already exist because that's the best practice that we have for many years. 
But when you go, especially in in government network and air-gapped network, okay, which is uh some of my experience, people don't apply IPS rules and don't apply good uh you know segmentation internally because we th they think hey, it's air gapped, so we are secure. So we don't even need the endpoints on all of the devices in some cases, or it's okay, it's Windows XP, because you're air gapped, who can get there? In reality, it's never air gapped 100%. Um, and what we are trying to identify is based on the existing security controls, what can you change? How can we create a WAF rule signature or an IPS or change something in the registry to eliminate the problem or at least block it? Uh again, use existing compensated control to make the vulnerability not be relevant anymore.

Sean Applegate

Yeah.

Safe Remediation With Humans In Loop

Sean Applegate

I mean, we're back to the OODA loop first off. So, hey, where are issues, you know, orientate to the priorities, decide what you're gonna fix and go do it, right? And then let's do it, do it faster, right? At the end of the day. Maybe, maybe so a lot of our federal clients, especially have, I'll say, complex, heterogeneous environments. And so maybe for for some of our clients where they have lots of tools, you know, a good example somebody has like, you know, four or five different firewall vendors, you might have six different WAFs, right? How does how does the Check Point automated remediation deal with those complex large enterprise scenarios? That's hard.

SPEAKER_00

I I want to fix something, it's not automated remediation. We call it safe remediation. Although we can automate everything, we still believe there needs to be a human in the loop, at least for you know the first half of 2026. Maybe in in another quarter we'll change it. Because the we want to verify people trust the remediation. So we want to do all the steps that a human would do for validating what is the compensating control. Is it safe? Is it false positive? Would we cause any uh disruption to the CPU because we overload it? And all of those tests that a human would do or maybe not not do and then just avoid from uh using the compensating control, we do it for them. We'll tell them exactly what they need to do. Still, we want them to push the button and say, do it. Okay. But now they can do hundreds of remediations in one hour instead of one remediation takes them hundreds of hours to do all those tests, right?

Sean Applegate

Yeah, let me unpack that for a minute. So what I so what I heard was your security team can find what needs to get patched efficiently. They can go work with the other team members that might own those systems through ticketing systems and whatever, and they make sure as a as a team they can patch those things at scale very efficiently and back into things like their change control process and some of the human validation or QA in a pretty clean fashion. Is that accurate?

SPEAKER_00

We actually do most of you said what you said automatically. Okay. So you don't need to go to work with anyone. We automatically analyze that the vulnerable host is in specific subnet. This subnet is behind the firewall. This firewall also is behind another firewall. We'd say out of the hundred firewalls you have, which are the two that are related to stop the vulnerability. The IPS is turned off. Why it's turned off? Who knows? Right? If we turn this specific signature in the IPS, that's and we go and check the logs of the IPS and the firewall and see there's no false positive traffic. And uh we do all of that automatically in seconds, and then we say, hey, it is safe to turn on this specific IPS. By the way, we don't need to turn the role the this IPS signature throughout the company or the organization, just those profiles that actually block where you have vulnerable hosts. Okay, so it's much pinpointed things like an ammunition, right? Instead of sending a bomb to kill something small, you send a very small, specific missile targeted to fix the problem. Or if you're a marine like me, we send a sniper. So a sniper instead instead of collateral, and then the collateral damage is much smaller.

Mapping Multi Vendor Controls For Fixes

Brian Lake

How do you build this level of observability in your environment? I mean, you make it sound so easy, but I'm thinking about a very complex, especially in the federal government, Frankenstein legacy architecture, things that have been built by detail systems, different solutions, different OEMs.

SPEAKER_00

Like how do you even achieve that level? So we understand the security tools. That's what we do for the last 30 years. So today, by the way, uh exposure management doesn't require any Check Point products in the customer environment. So we can we support uh Check Point, of course, but Palo, Forti, Cisco, uh F5, uh Fortinet, uh, you know, and you know, Cloudflare and all just and on the end, you have endpoint integration too. Endpoint integration, CrowdStrike, SentinelOne, Microsoft Defender, et cetera. So we have more than 150 integrations. Some of them are read-only, some of them are bidirectional. We can also push uh uh commands. By the way, when we say Check, uh when we say Palo, there are many, many versions and variations. So it's not just one. We have deep knowledge of those. Um so this is why customers with multi-vendor environment, they need something like us because we can give them one perspective of the entire uh ecosystem they they manage, right? Uh and it gives them freedom not to be dependent on one vendor or other and actually just have this one uh orchestration layer. Um what we are doing, I made it sound simple. Um imagine it's simple as a packet coming from a host which is vulnerable to the internet. We track the packets, the routing rule, the NAT rules, and all the rest of the communication patterns, right? We automatically learn that, and that we can create a map, a memory map, who is what is connected to what, and what is in the middle that could be used in order to block that, right? And what capabilities now each WAF or firewall has in order to can we activate them? Is it currently active, et cetera, et cetera. So we can tell you what you can

Cyber Warfare Tied To Kinetic Conflict

SPEAKER_00

use. In in reality, for example, we work with the entire health sector in Israel. The Ministry of Health have um mandated all the uh hospitals to and uh healthcare organization to uh implement a solution. And we can tell what is the level of effectiveness of hardening they have using all the security. And some of them have you know MRI systems and IT/OT, very complex environment, you know, mission critical. Uh so we we have again hundreds of different uh systems there that we connect to and we can tell them how well they're integrated. And I can tell you uh in the last year, where we are in constant wars, you probably hear here in the news. I'm not sure here, but in Israel there is some conflict ongoing. Uh the health sector is under constant uh attack by the Iranians. They don't see it's a problem to go after civilian organizations. And I can tell you that we are actually we know how many attacks we blocked on a daily basis from Iranian uh threat groups because we see what we blocked and we can do the affiliation. Can you quantify that for us? That's millions of attacks. So it depends what you call an attack. So an attack is someone connects to your network. That's an attack, or is it actually trying to go one step further? We are attacked all the time. I I can tell you, even in the last uh in February, where we had uh uh just that you understand how cyber warfare is connected to the kinetic war, um in February, what we saw that the Iranians they hacked cameras uh in Kuwait, in Bahrain, also in Israel, because they try to validate what is the impact of the kinetic missiles and are they shooting in the right place, right? So they use cyber attacks in parallel and we see really uh we looked at the signals, it's just you know, in the same time as the uh kinetic missiles being fired.

Sean Applegate

Yeah, and I think it's important when you think of military operations. The planners think in all domain operations, they don't think just cyber, right? They're not single, single-threaded, like in a lot of our people that are in IT positions. We think tech, tech, tech, or you know, IT, IOT, OT, ICS/SCADA a little bit now. And it's certainly been a topic of of interest across the U.S. federal government when we think of critical infrastructure or the organic industrial base and Department of War, modernizing, connecting things, be able to operate quicker. Um, defending that cyber landscape as it grows and expands is super important. Um, you know, I think from from the commercial entities, we often find the soft underbelly, you know, much like you're seeing in Israel, are going to be things like local municipalities, underfunded uh small businesses, um, you know, small utilities, potentially in the US, for example, are really risky, right? They just don't have the staff to go do these things. So lots of us we're talking about being able to do, you know, do safe remediation at scale and reduce from kind of mean time to exploitation to you know addressing mean time to remediation is really important.

SPEAKER_00

And another story I can tell you from the intelligence that I read, uh, some of the threat groups, you know, are and ransomware change their tactics. So where they go and how they use AI for this. So if you're a threat actor and you are able to get into the network of uh someone with a soft belly that didn't like a law firm, for example, okay, which serves, which is a supplier of many others, then you have a few terabytes of data of documents. Even if you're a lawyer, you don't like reading those documents. But now with AI capability, they target the prompt the hacker uses, find uh IRS-related issues that shows that there is unlawful activity based on the documents. And they go to the victim and tell, hey, if you are not paying us, we're going to do an anonymous complaint to IRS or to the law enforcement based on the evidence we have.

unknown

Yeah.

Sean Applegate

Yeah. Yeah. Blackmail is a very effective uh tactic if you're uh you know trying to manipulate people and get access.

Brian Lake

I think it's it's it's it's intriguing to me that this this is global in nature. So you're Israel's at the front line right now with the conflict that's going in Iran. And America is also at simultaneously having municipal water systems being hacked by Iranian threat actors. Because again, if if if you're if you're the Iranians, you're sitting there going, what's the best way to keep America out of the fight? Distract their population where they don't want to be involved. And so the geopolitical implications of this is just absolutely astounding to me. Um certainly, I think the connection between kinetic and and cyber is the line's even more blurred than ever before. Um So uh gentlemen, we're here at Check Point's Engage Summit. Wanted to ask you both some of the biggest things that you've seen or heard today from speakers on the stage that you're taking away that encourages you or concerns you, and that we need to continue this conversation.

Why Leaders Need Hands On AI

SPEAKER_00

Yeah, I I I I would uh cover one thing uh and then I want to uh share what we are able to provide our organization in the in the government space today. But uh when I asked how many people actually did vibe coding or understand AI more than summarization of uh nice email, I would say very low amount. I think most government officials and especially people in high ranking positions uh do not have the time or think it's daily needed, et cetera. And um if you're you're not using AI to the extent AI can actually do things, you do not understand the complexity and the value it brings to the other side. And you can also not, it's hard for you to imagine how you can use it yourself in order to improve your own processes. Uh that's my perspective of today that many people talk about AI, but they don't understand what it is and they haven't tried it in their own ten fingers.

Sean Applegate

Yeah, I would double down on that for sure. Especially in our more bureaucratic organizations in the federal government where they've locked things down really tight, you're gonna find that the curious people are experimenting on their own personal computers and personal environments to learn outside of maybe some of the application development teams that are doing AI use case stuff. And in many cases, that's being done by scientists that are really technical, but the government leaders themselves maybe haven't put hands on keyboard yet.

SPEAKER_00

How many of them still get paper briefing?

Sean Applegate

That's a great question. I don't know what that answer is. Might be a fun survey.

SPEAKER_00

I was in the Hill yesterday, okay, and we you know provided to some senators and you know some of the and some of them. A lot of binders still.

Sean Applegate

The questions we need to ask. Yeah. At the House of Representatives and Senate, uh what's interesting in the U.S. government is a lot of them have their staff that's tied to the state. So is a republic in America. You know, they keep a lot of their, I'd say their senator and congressman activities isolated as state level infrastructure and not always done at the federal level. I mean, there's a blend there, there's federal stuff coming down, but a lot of that is still isolated from a state perspective uniquely. That's probably maybe a little more unique maybe to the U.S. government structure, but it's uh unique when you think of how to put security controls in place at scale, to be honest, or monitor, observe things at scale. There's a bit of lines that you're not allowed to cross as a federal government oversight on things like state level congressmen and senators. A little unique, maybe sidetracked there. But again, you know, how many senators and congressmen have played with a generative AI or maybe done a little bit of vibe coding? There's a few that are technology entrepreneurs that are really knowledgeable in those areas and have done a lot of work starting their own businesses like yourself and going through acquisitions. Um but I think that's far and few between, typically.

Brian Lake

Yeah, we don't want to go down the rat hole that is uh you know uh incumbency in the U.S. uh government here. So uh I do think though, I mean when I think about exposure, when I think about exposure management, it is truly aligned, Sean, with you know, a lot of the priorities of this administration of the federal government right now. The question really is, is can they move fast enough to really adopt it?

Supply Chain Risk And Dark Web Intel

Sean Applegate

Exactly. Yeah. And I think a lot of it's um you think of the process, right? This say the CTEM process we're looking at, scoping, discovery, prioritization of we need to fix, validating you can go execute the fixes where you fixed them, and then getting the teams mobilized to go do that, and then kind of OODA loop through that. That's a lot of the discussion we had back at the Federal CISO Council discussion back in March. And I don't think there's one silver bullet for that, but I think one of the areas we often don't do a good enough job is looking at that from an external standpoint in, especially from things like dark web intelligence, understanding our suppliers and partners, and maybe where they're at risk instead of just us. I think we lock down stuff in the government reasonably well. But when you look at some of the client agencies that are out there, they might work with a couple hundred external partners or maybe a couple thousand when you think of somebody like uh DLA is a good example where you're buying beans, band-aids, bullets globally for a workforce that's you know millions of people globally, or maybe six to eight million total when you think of contractors under contract. So that stuff is not simple to say the least. But if you've got a supply chain risk management team that is just looking at it from a more traditional logistical perspective and not looking at dark web intel or bringing in real-time threat intel feeds that are global in nature, that are well-rounded and informed. I mean, you're really kind of fighting with one arm tied behind your back.

Brian Lake

Who's got the advantage right now? Do the good guys have the advantage or do the adversaries have the advantage when it comes to this?

SPEAKER_00

I think we are in uh the next three years, uh the defenders will not win. Uh I saw ours, if I remember correctly, 2025 we had just on ransomware, uh 50 something percent more ransomware attacks in 25 compared to 24. And I expect the 26 will be even higher because there it takes much shorter time for attackers to use that versus uh defenders. And also it's not always clear what you need to do, right? So I think where I am today, I think we have a clear vision and uh operation capability and technology to actually

Agentic Red Teaming Versus Automated Red Teaming

SPEAKER_00

help solve the two problems that when I distill what does it mean that hackers have AI tools? I distill it to two things. One, um, what can I find that hackers can find today? And can I find it before them? So we created our agentic attacker, which take our intel takes our intelligence and our attack surface management capabilities and actually try to exploit and then validate what is actually relevant. As we said before, not everything is relevant. So by providing proof that we were able to exploit, and it's a safe exploitation. We don't take any data out, we don't create denial of service and other things that could be of risk, we run an automated, agentic red team. And one thing we talked before this discussion, right, is what is the difference between automated and agentic. So, what is an automated red team? Automated red team means I have a predefined set of attacks that I run in machine speed. So, for example, we have an automatic exposure validation tool for a year. We have about 5,000 different attacks. We might have a team that crafts those attacks, some for vulnerability, some for misconfiguration, and we run them against every asset that you own, and either one of them is successful, great. It's only 5,000. And even if I work harder and we get 10,000, 20,000, it's just 20,000. Okay.

Sean Applegate

It's also very deterministic, right?

SPEAKER_00

Very deterministic. A linear path. Correct. Agentic is something different. We don't give the agentic attacker any instruction about what attacks to go through. So we give them the context. Hey, this is the certificate we see. These are the applications, these are the vulnerabilities we identify, these are the credentials we saw in the dark web. This is the third party this organization was working with, right? This is what we see in source code, in tokens that were leaked, et cetera, et cetera. Now go do your magic. And then the attacker crafts all kinds of attacks. We go through another uh agent that validates they're not risky and they'll try it. They go back with the outcome, says, you know what? I need to pivot. It was not successful, but I have a new idea. And then it go through a new idea, right? It's like the recipe for my wife, right? It's there's every time she changes a little bit the ingredients to create something new. Same thing. So it's like a motive, endless motivated attacker with the knowledge of the number one developer, number one DevOps, number one hacker, all the knowledge in their hands, right? So they see a new application, they just go and learn the application and craft connection to this application, right? So the it does in a machine speed with agentic reasoning, what no one else can done for it. That's why we can take a hundred thousand employee organization and within one hour, right, run and full coverage with different hypotheses that and it's amazing what we see. So organizations who do not use agentic or automatic red teaming today are leaving uh the attack surface for the hackers, right? So that's what if I again go back to the two derivatives. One, you need to run before the others with the same tools they will be running, right? Right. And for that, by the way, we don't need anything from the organization. We just need approval because we are trying to exploit it.
I want to be able to go into the US without anyone arresting me, so I'm you know going after the parliament or something like that, right? Um the second derivative is I'm going to have 10, 15, 20 times more vulnerabilities, but I don't want to have 20 times more stuff, or there are not existing stuff, it will not be 20 times faster, right? And also the time to exploit is much shorter, as we said before. So I need to reimagine the mechanism of how I remediate. And that's the virtual patching or using existing uh controls that I shared before. These are two things that every organization should adopt now. Could be Check Point Exposure Management, could be someone else. I don't think there are so many else that

Guardrails And Safety For Agent Attacks

SPEAKER_00

has what we have.

Brian Lake

I'm gonna ask this question, and I know we it wasn't on the notes, but do you still have to put guardrails around these agentic red teaming approaches? Because everything you just described sounds it makes a ton of sense. But then I go and what's to stop the agent from deciding to flip sides or you know, what if we decides what's next, right? I mean, so talk to me a little bit.

SPEAKER_00

So that's the difference between you know any hacker with Claude Code, okay, uh, or a professional company that does it for a living. Okay. So the engineering, the for example, we have a safety agent. So about third of the attacks that the first agent crafts are ruled out by the safety agent because they are potentially could leak data or you know, denial service, or there's a race condition in the server when you use this uh vulnerability, and this could cause some you know disruption. And we don't want. I tell you, so to be honest, we have two modes. We have the regular mode, which is put safety first, okay? And I don't need to get it to a domain admin in order to prove that you have problems in your attack surface, right? Uh it's enough to show that you have MFA disabled in a critical server, right, or application, that this is a problem. I don't need actually to brute force the password. Um but I met a CISO of a very large bank uh two weeks ago, and he took his new in office and he said, you know, it's really good if you find all the bad things because I can show everyone it was my previous, and I can go to the board and ask for more budget, right? So can you be more aggressive? I don't care that you'll you know shut down my services. And we did it, we turned on and we found some other uh aspects that you know uh a little more brute forcing. But the reality is that the hackers don't ask for permission, they don't care, they don't coordinate, they just go. Um so this notion of we need approval, show us exactly what to do, is it safe, et cetera, is nice, but is almost not relevant, to be honest. Uh, I understand that someone has to sign, and if the service goes down, someone is liable and they need to show the paper trail, okay. Uh but it is safe. When we do it for thousands of organizations today, it is safe.

The Buy vs. Build Mentality Conundrum Facing Federal Agencies Over Next Two Years

Brian Lake

And I'm glad you mentioned that, CISO. And we're gonna I know we're running out of time here, so I'll close with this final question with you. If you think about this new paradigm and you flash forward a year with CISOs having these type of capabilities that Check Point offers and with this concept of exposure management, what does reality look like for that organization compared to today? And what should CISOs be thinking about when they start their day with this new mindset?

SPEAKER_00

I think everyone is experiencing with AI agent themselves now. So everyone tries to take what a human would have done and try to put it with an automation. Uh I can tell you from my own experience, it's very hard to um build your own agent and grow them in scale if it's not a product that you own. Um so I think we're still in the experimentation, experimenting phase where people try and will decide what they do themselves and what they will buy from others, right? And some things is your own knowledge and know-how and specific, and you want to invest there. In others, you just want to find the right tooling from the vendors you trust that you can use that and then focus your low amount of personnel with expertise on specific areas to you. So I think what will happen in the next two, three years, more vendors will come up with great solutions that will fight the problems we discussed, and it will be clear what they do not provide as well, and then this is where you have to build. So, what is an agentic SOC today? Should I build one? Should I buy one? People say now, no, I can build my own agentic SOC, right? Here I put some Claude Code at the time, I have an agent that runs something. Will it hold when the person who did it moved to another position who can maintain it? And all kinds of other questions, right? That are always in the buy versus build. And I think this balance will you know, find the right uh place in the next two, three years. Hopefully, um we'll not have too many attacks at this point, and your PII will not be out there in the dark web.

Sean Applegate

Yeah, to tie off on that, I will say is most and security shops are not great application development groups. So be careful biting off too much creative things that you need to build, because it's a very different operational approach when you have to develop and build in, maintain things. Um, also the speed of innovation when you look at application development teams and AI teams in line of business, when you think of building and their own capabilities, is only going to pick up speed. When they think of moving from waterfall to agile to true DevOps or no ops workloads and approaches. And so I think they're gonna continue to accelerate their speed of innovation. And a CISO needs a way at scale to be able to mitigate or patch or address those concerns. And again, that's only gonna get more complex and move faster. So you need to be able to move at the speed of the mission, and you have to change a little bit to achieve that.

Resources And Closing From DC

Brian Lake

Well, listen, this has been a great conversation. I wish we had more time, but I know you've got to catch a flight back home. And we certainly appreciate you sitting down and talking with us, excited about what you guys are doing, excited about this new paradigm. I feel like we continue to see the same threads in our conversation, Sean. Um, and clearly folks need to be listening to people that really understand the challenges in front of you. So um, thank you, Yochai. Thank you for joining us. Uh, thank you, Check Point, for having us, Gov Exec for hosting the Engage conference down here in DC. For those of you at home, you know what to do. All the resources, the ideas, the programs, solutions we discussed today, they'll be in the show notes. I'm gonna try to convince Yochai to give us maybe one recipe from his wife, but at least go to his travel uh site as well. But for anything else, you can go to gist360.com. And as always, like, follow, and subscribe wherever you listen to your podcast. Gentlemen, thanks a lot. Really great to talk to you today. Thank you.

Sean Applegate

Thank you very much. Thank you, Yochai. Appreciate it. Excellent.