
Detection at Scale

Panther Labs

Latest episode

76 episodes

  • Detection at Scale

    Block's CISO James Nettesheim on How 40% of Their Detections Are Now Written with AI

10.2.2026 | 33 min
    What if the real risk isn't adopting AI agents, but refusing to? James Nettesheim, CISO & Head of Enterprise Technology at Block, argues that principled risk-taking beats playing it safe. James shares Block's journey co-designing the Model Context Protocol with Anthropic and building Goose, their open-source general-purpose agent that enables anyone in the company to write security detections using natural language.
    James also explores Block's Binary Intelligent Triage system achieving 99.9% accuracy, their data safety levels framework, and practical strategies for balancing autonomous AI capabilities with human oversight. James offers candid insights about implementing AI security principles, the evolution from tool experts to domain experts, and why open source remains fundamental to Block's mission of economic empowerment and technological innovation. 
    Topics discussed:
Co-designing MCP with Anthropic and developing Goose as an open-source general-purpose AI agent

    Implementing prompt injection defenses and adversarial AI concepts to harden Goose against malicious instructions and attacks

    Rolling out AI responsibly through data safety levels modeled after CDC bio-contamination protocols for sensitive data handling

    Democratizing detection engineering by enabling anyone at Block to write detections using natural language

    Achieving 40% of new detections created with AI assistance through recipes, playbooks, and automated tuning capabilities

Building a Binary Intelligent Triage system that analyzes historical alerts and investigations to achieve 99.9% automated triage accuracy

    Balancing autonomous AI capabilities with human oversight, requiring PR reviews and maintaining accountability for agent-generated code

    Transitioning from tool expertise to domain expertise as the future skill set needed for detection and response professionals

    Block's commitment to open source development driven by economic empowerment mission and desire to build accessible financial tools 

  • Detection at Scale

    Compass' Ryan Glynn on Why LLMs Shouldn't Make Security Decisions — But Should Power Them

27.1.2026 | 41 min
    Ryan Glynn, Staff Security Engineer at Compass, has a practical AI implementation strategy for security operations. His team built machine learning models that removed 95% of on-call burden from phishing triage by combining traditional ML techniques with LLM-powered semantic understanding. 
    He also explores where AI agents excel versus where deterministic approaches still win, why tuning detection rules beats prompt-engineering agents, and how to build company-specific models that solve your actual security problems rather than chasing vendor promises about autonomous SOCs.
    Topics discussed:
    Language models excel at documentation and semantic understanding of log data for security analysis purposes
    Using LLMs to create binary feature flags for machine learning models enables more flexible detection engineering
    Agentic SOC platforms sometimes claim to analyze data they aren't actually querying accurately in practice
    Tuning detection rules directly proves more reliable than trying to prompt-engineer agent analysis behavior
    Intent classification in email workflows helps automate triage of forwarded and reported phishing attempts effectively
    Custom ML models addressing company-specific burdens can achieve 95% reduction in analyst workload for targeted problems
    Alert tagging systems with simple binary classifications enable better feedback loops for AI-assisted detection tuning
    Context gathering costs in security make efficiency critical when deploying AI agents across diverse data sources
    Query language complexity across SIEM platforms creates challenges for general-purpose LLM code generation capabilities
    Explainable machine learning models remain essential for security decisions requiring human oversight and accountability
  • Detection at Scale

    Veeva Systems' Mike Vetri on Building Threat Operations Teams and AI-Powered Investigations

13.1.2026 | 37 min
    Mike Vetri, Sr. Director of Security Operations at Veeva Systems, reflects on transforming SOC investigations through AI-powered data aggregation and building threat operations teams with the analytical mindset required for proactive defense. Mike introduces the C3 Matrix framework for prioritizing security efforts across centers of gravity, crown jewels, and capability enablers, and explains the seven Ds of cyber defense from discovery through deception operations. 

    Drawing from 10+ years of Air Force cyber intelligence experience, Mike details why threat operations requires fundamentally different system-two thinking than detection engineering, and how this discipline shift moves organizations from reactive firefighting to proactive threat anticipation. He covers practical examples of AI cutting investigation time by aggregating data from multiple tools, the importance of defense in personnel for operational resilience, and strategies for preventing analyst burnout while maintaining effective security operations. 

    Topics discussed:

    How AI transforms insider threat investigations by aggregating workstation logs, browsing history, and DLP alerts into single queries

    The C3 Matrix framework prioritizes security controls across centers of gravity, crown jewels, and capability enablers based on organizational impact and recoverability

    Why threat operations requires system-two analytical thinking fundamentally different from the engineering mindset

    The seven Ds of cyber defense: discover, detect, deny, disrupt, degrade, destroy, and deception operations for comprehensive threat mitigation

    How deception operations provide the most accurate intelligence by studying adversary behavior in controlled environments

    The distinction between threat intelligence and threat operations, and why mature SOCs need teams focused on proactive defense strategies

    Defense in personnel ensures multiple team members can handle each security capability, preventing single points of failure

    Time-sensitive investigation scenarios where AI delivers maximum ROI by eliminating the need to manually query dozens of security tools

    The evolution of cyber threats from technical attacks to psychological warfare using AI to challenge human judgment and decision-making

    Why security culture must extend beyond traditional boundaries as AI-powered threats increasingly target HR processes, financial operations, and business functions

  • Detection at Scale

    Trustpilot's Gary Hunter on Structuring Security Knowledge for AI Success

23.12.2025 | 37 min
    Gary Hunter, Head of Security Operations at Trustpilot, built a security team from scratch at a company synonymous with trust. Gary shares how his ten-person team leverages AI agents across alert triage, multimodal brand protection, and incident response. 

    He explores why he and his team treat AI agents like interns with codified guardrails, why competitive prompt testing reveals the best approaches, and how restricting AI to specific documentation sets prevents confusion. Gary also offers his tips on building weatherproof team members who adapt to any technology shift and reflects on why constraints breed creativity in resource-limited environments.

    Topics discussed:

    Building security operations from scratch by identifying pain points, understanding technology gaps, and systematically increasing detection coverage and visibility

    Leveraging AI agents for alert triage and workflows to enable teams to run as fast as attackers while maintaining appropriate human oversight

    Implementing competitive prompt testing by running multiple AI models to identify the most effective approach before deployment

    Creating cultural buy-in for AI adoption by empowering team members to contribute prompts and democratizing learning across skill levels

    Using AI for multimodal brand protection, analyzing screenshots and HTML content to score potential infringements and automate response workflows appropriately

    Treating AI agents like interns, codifying processes, and limiting tool access based on what you'd delegate to junior team members

    Building detection strategies that focus on behaviors and crown jewels while using AI to triage noisy but potentially valuable alerts

    Documenting institutional knowledge concisely rather than overwhelming AI models with extensive documentation that creates conflicting or irrelevant responses

    Shifting team focus from alert triaging to high-impact prevention work, vendor management, and building relationships across the business 

  • Detection at Scale

    Vjaceslavs Klimovs on Why 40% of Security Work Lacks Threat Models

09.12.2025 | 35 min
    Vjaceslavs Klimovs, Distinguished Engineer at CoreWeave, reflects on building security programs in AI infrastructure companies operating at massive scale. He explores how security observability must be the foundation of any program, how to ensure all security work connects to concrete threat models, and why AI agents will make previously tolerable security gaps completely unacceptable. 

    Vjaceslavs also discusses CoreWeave's approach to host integrity from firmware to user space, the transition from SOC analysts to detection engineers, and building AI-first detection platforms. He shares insights on where LLMs excel in security operations, from customer questionnaires to forensic analysis, while emphasizing the continued need for deterministic controls in compliance-regulated environments.

    Topics discussed:

    The importance of security observability as the foundation for any security program, even before data is perfectly parsed.

    Why 40 to 50 percent of security work across the industry lacks connection to concrete threat models or meaningful risk reduction.

    The prioritization framework for detection over prevention in fast-moving environments due to lower organizational friction.

    How AI agents will expose previously tolerable security gaps like over-provisioned access, bearer tokens, and lack of source control.

    Building an AI-first detection platform with assistance for analysis, detection writing, and forensic investigations.

    The transition from traditional SOC analyst tiers to full-stack detection engineering with end-to-end ownership of verticals.

    Strategic use of LLMs for customer questionnaires, design doc refinement, and forensic analysis.

    Why authentication and authorization systems cannot rely on autonomous AI decision-making in compliance-regulated environments requiring strong accountability.


About Detection at Scale

The Detection at Scale Podcast is dedicated to helping security practitioners and their teams succeed at managing and responding to threats at a modern, cloud scale. Hosted by Jack Naglieri, Founder and CTO at Panther, every episode is focused on actionable takeaways to help you get ahead of the curve and prepare for the trends and technologies shaping the future.

v8.5.0 | © 2007-2026 radio.de GmbH