Rob T. Lee

6K posts

Rob T. Lee banner
Rob T. Lee

Rob T. Lee

@robtlee

Chief AI Officer, Chief of Research, @SANSInstitute | Cybersecurity Expert & Threat Hunter | Godfather of DFIR | Technical Advisor to US Govt

Denver, CO Katılım Şubat 2008
1.4K Takip Edilen26.6K Takipçiler
Rob T. Lee
Rob T. Lee@robtlee·
The [un]prompted II CFP just opened. October 27-29, San Francisco. It's the AI security practitioner conference from the volunteers behind Prompt||GTFO, fwd:cloudsec, ACoD, and ISOI. March had engineers from Google, Meta, OpenAI, Anthropic, and Stripe showing what they built and what failed. I gave a talk on giving Claude Code root on SIFT. (It worked, mostly.) The review board is asking for failures, data instead of vibes, and demos instead of slides. Banned: vendor pitches, talks that could have been an email, and Sun Tzu quotes "unless they're brand new 0day ones." Submit: sessionize.com/unprompted-cfp… Register: luma.com/pywdcwal (in person) or luma.com/knostic-pi28 (online) Write up the thing that broke. This crowd wants the failure modes left in. Honored to serve as part of CFP committee for the Operate track alongside @mroesch, @argvee, David Weston, @RonGula, @JohnHultquist, @anton_chuvakin, Stefano Zanero, @DanielMiessle, @clintgibler, Saad Ullah, Heng Yin, John Yeoh, Pablo Breuer, Ph.D., John "Four" Flynn, Jamie Levy, Emmanuelle Tassa, chaired by Michael Colao and @SilasCutler. @gadievron @sounilyu
Rob T. Lee tweet media
English
2
8
12
1.8K
Rob T. Lee
Rob T. Lee@robtlee·
Jason Clinton, Anthropic’s dCISO will share live on the @SANSCloudSec Summit on August 18. I will be watching for the detection story after the provider is no longer in the path, where frontier capabilities actually help defenders, and what continued scaling does to engineering and the SDLC. Day 1 keynotes stream free. (hands-on workshops with AWS, Google Cloud, and Microsoft are live in person only, and worth the trip to SF.) Agenda and registration: go.sans.org/1HvrGU
English
0
0
1
324
Rob T. Lee
Rob T. Lee@robtlee·
If an AI provider saw attacker activity only because they used Claude Code, why are we acting as if defenders inherit that same visibility once the attacker is using the latest open-weight models where we have no visibility? If Anthropic is not in the middle anymore, security is on the hook for seeing the attack first. (Always defenders are on the hook.) We need to budget, instrument, and prioritize as if that visibility is gone. Somebody in your org is going to assume "security tooling" covers this. And the questions get expensive: Does the next generation of AI capabilities materially increase attacker throughput in a way that changes operations? Does it materially improve defender workflows? Which part of your security program breaks first when attackers put those capabilities to work against it? Some of this also traces back to @rmogull's work on turning AI security into a measurable enterprise program with implementation choices, control objectives, and operating tradeoffs. Train the team you have. Skilled defenders who know how to use AI and understand your systems, your priorities, your infra. Vet the ones you want to hire from the very thin market out there. This problem is not going to get easier.
English
3
1
5
1.2K
Rob T. Lee
Rob T. Lee@robtlee·
Excited to share that @SANSInstitute and @OWASP AI Exchange have aligned two control sets into one shared structure, mapped to the same taxonomy behind ISO/IEC, CEN/CENELEC. The industry's answer to "too many AI security frameworks" has mostly been to write more of them. (I have contributed to that pile, so I am not throwing stones.) Defenders do not need another AI security framework. They need reduced ambiguity, common language, and to know that the technical creators and operational defenders writing controls are on the same page on recommended guidelines. SANS added controls for limiting model behavior and managing AI supply chain risk. The AI Exchange wove governance through its technical control set. Together, the shared control set now covers model behavior, supply chain risk, and governance side by side. This effort is part MOSAIC standards, Multi-Organization Secure AI Coordination coalition. Founding forum with @robvanderveer held at at the SANS AI Cybersecurity Summit with charter members NIST, CIS, BIML, CSA, CoSAI, the OWASP GenAI Security Project, the OWASP AI Exchange, and SANS. The reason MOSAIC exists: too many AI security standards, too little shared language between them. I have sat in enough standards rooms to tell you that two organizations actually conceding ground to each other almost never happens. Really proud of this work! mosaicstandards.org
Rob T. Lee tweet media
English
0
1
2
1.2K
Rob T. Lee
Rob T. Lee@robtlee·
World Cup 2026. Scotland versus Morocco in Boston. I definitely felt out of place not wearing a kilt. The vibe was amazing. Brought my son Connor and a few friends. They were over the moon. All rooted for Morocco. I joined the tartan army rooting for the underdog Scotland. Morocco is a very strong team, and scored in the first two minutes and 30 seconds, and then played a defensive game for the rest of the 90 mins. Scotland had a bunch of close calls, but in the end, couldn't hit the back of the net. Just being able to go to the World Cup while in the United States, while watching all the Europeans around the U.S. fall in love with places like Buc-ee's has been thrilling. Who are you rooting for?
English
3
3
36
7.7K
Rob T. Lee
Rob T. Lee@robtlee·
Monday’s @Google Threat Intelligence report got a fraction of the attention it earned. Call it Salt Typhoon Jr.: a PRC-linked group sat inside North American military research and medical networks for more than a year, undetected, and walked out with the research that decides who wins the next decade. It was easy to miss under the flood of Mythos, Fable, and zero-days-for-days coverage. (Which tells you we still rank threats by how frightening they sound to a general audience, not by what they cost national security.) GTIG tracks the group as UNC6508. Their collection list reads like a tasking order: nearly 150 keywords spanning: Defense intelligence Indo-Pacific operations Artificial intelligence (AI) Uncrewed systems Cyber offensive programs Medical research This was public-health surveillance running inside a military espionage campaign, out of the same institutions, on the same wire. The attackers used a Google Workspace content-compliance rule to silently BCC matching emails to a Gmail account they controlled. Any operator can copy that playbook tomorrow against every university, hospital, and defense contractor running Workspace. This is a clean test case for the question I get in CISO rooms: where would AI have helped the defenders? 1. Admin control-plane monitoring. A brand-new rule that BCC-forwards sensitive mail to a consumer Gmail account should trip an alert the day it is created. That is pattern-spotting across thousands of admin events, which is what a model is good for. 2. Cross-victim correlation. The same campaign hit multiple organizations at once, and each intrusion looked isolated because nobody had visibility across all of them. Correlation across organizations, identity providers, and SaaS logs could have surfaced the pattern months earlier. 3. Behavioral EDR over the dwell window. INFINITERED sat on the REDCap server for more than a year, harvesting credentials, before the attackers used them to pivot into the internal network. That is a long baseline, long enough for behavior-based detection to flag a novel dropper and its callbacks even on malware nobody had seen before. (In theory. In practice, most shops never tuned the baseline.) Where AI would not have helped? What should you do this week? Read here: robtlee73.substack.com/p/salt-typhoon…
Rob T. Lee tweet media
English
3
21
55
11.7K
Rob T. Lee retweetledi
Alex Stamos
Alex Stamos@alexstamos·
Really interesting campaign and good ideas for defensive AI use by @robtlee. I’ll add another potential way to detect: hunt by having an AI agent look through Workspace admin plane and compare security sensitive configs to IT tickets. Might have caught keywords.
Rob T. Lee@robtlee

Monday’s @Google Threat Intelligence report got a fraction of the attention it earned. Call it Salt Typhoon Jr.: a PRC-linked group sat inside North American military research and medical networks for more than a year, undetected, and walked out with the research that decides who wins the next decade. It was easy to miss under the flood of Mythos, Fable, and zero-days-for-days coverage. (Which tells you we still rank threats by how frightening they sound to a general audience, not by what they cost national security.) GTIG tracks the group as UNC6508. Their collection list reads like a tasking order: nearly 150 keywords spanning: Defense intelligence Indo-Pacific operations Artificial intelligence (AI) Uncrewed systems Cyber offensive programs Medical research This was public-health surveillance running inside a military espionage campaign, out of the same institutions, on the same wire. The attackers used a Google Workspace content-compliance rule to silently BCC matching emails to a Gmail account they controlled. Any operator can copy that playbook tomorrow against every university, hospital, and defense contractor running Workspace. This is a clean test case for the question I get in CISO rooms: where would AI have helped the defenders? 1. Admin control-plane monitoring. A brand-new rule that BCC-forwards sensitive mail to a consumer Gmail account should trip an alert the day it is created. That is pattern-spotting across thousands of admin events, which is what a model is good for. 2. Cross-victim correlation. The same campaign hit multiple organizations at once, and each intrusion looked isolated because nobody had visibility across all of them. Correlation across organizations, identity providers, and SaaS logs could have surfaced the pattern months earlier. 3. Behavioral EDR over the dwell window. INFINITERED sat on the REDCap server for more than a year, harvesting credentials, before the attackers used them to pivot into the internal network. That is a long baseline, long enough for behavior-based detection to flag a novel dropper and its callbacks even on malware nobody had seen before. (In theory. In practice, most shops never tuned the baseline.) Where AI would not have helped? What should you do this week? Read here: robtlee73.substack.com/p/salt-typhoon…

English
0
6
23
5.5K
Rob T. Lee
Rob T. Lee@robtlee·
(4 DAYS BEFORE SUBMISSIONS CLOSE) I get this question a lot about the Find Evil! hackathon: What does “find evil” actually mean? In this case, the name comes from a real command. I built an autonomous incident response agent I built on the SIFT Workstation. Then I typed “find evil” as a prompt into Claude Code. And it did (watch the demo). I was blown away to watch the autonomous agent run a complete C drive forensic analysis, across 200+ tools via MCP. The agent identified threat actor and context, the attack chain, malware deployment method, persistence mechanisms, code injection analysis, network connections, command-and-control (C2) infrastructure, a complete malicious process tree, and a chronological activity timeline. Two days after I shared initial findings, Anthropic released their report on how threat actors were deploying Claude Code with operational tools and letting it go do evil. (Same thing I was doing.) Find Evil! is the first hackathon dedicated to building autonomous AI agents for incident response. 4,178 defenders are working on final Find Evil! hackathon submits. (This number makes me very happy to see so many diving in. And wishing that the thousands more in our community were experimenting with us.) Your job: teach an AI agent to think like a senior analyst, how to sequence its approach, recognize when something doesn’t add up, and self-correct when it gets it wrong. There are FOUR DAYS left to build with us! (Very few of us are actual AI experts. The rest of us including me are learning.) Register: findevil.devpost.com Apply to judge: We need DFIR, AI, cybersecurity, and open-source reviewers who can separate useful autonomous response tools from polished demos. Apply: findjudges-9kvkxt6m.manus.space I am SO EXCITED to see what comes out of this hackathon and goes back to the community. Sponsored by @SANSInstitute
English
0
3
7
14.5K
Rob T. Lee
Rob T. Lee@robtlee·
When Mythos was released, the entire community was asking the same question: what do we actually DO about this? /@gadievron, @rmogull and I worked on a paper, The “AI Vulnerability Storm”: Building a “Mythos-ready” Security Program, with coauthors Jen Easterly, Bruce Schneier, Chris Inglis, @RGB_Lights, @argvee, Joshua Saxe, @sounilyu, John Stewart, @k8em0, Dave Lewis, Maxim Kovalsky and 250+ CISOs. Read it, share it: labs.cloudsecurityalliance.org/mythos-ciso/ If you're a CISO or senior security leader, we're getting the community together this week (8 June in NY, 9 June in DC) to talk about the impacts are and how we change our playbooks now. Links here: labs.cloudsecurityalliance.org/mythos-ciso/ And if your defenders have never used Claude Code, never automated a workflow with natural language, never seen how fast a capable attacker can enumerate a surface, they are cognitively behind. You cannot defend against a capability you have never touched. Every analyst, red teamer, and IR person needs personal reps with these tools. Yes, this is a hurricane warning. We have a buffer and some time to prepare. Workforce readiness is how you put boards on windows. Tools are meaningless without the people who know how to use them. Thanks to @politico @magmill95 and Dana Nickel for including me in this writeup: politico.com/news/2026/06/0… @SANSInstitute @cloudsa {un]prompted @OWASPGenAISec
Rob T. Lee tweet media
English
0
6
14
1.1K
Rob T. Lee
Rob T. Lee@robtlee·
Ten things you need to know about the judges of the Find Evil! Hackathon: 1. They put cybercriminals in prison, testifying in military, federal, and state courtrooms. 2. Built some of the first government cyber-forensics labs. 3. Investigate computer intrusions, fraud, counterintelligence, narcotics, and homicide. 4. Stood up entire countries' national cyber-defense teams from scratch. 5. Hunt nation-state attackers inside Fortune 500 networks. 6. Wrote the books and shaped the standards the AI security field now follows, from OWASP to NIST. 7. Shipped the AI honeypots, cyber ranges, and autonomous agents deployed by defenders. 8. Wrote the rulebooks the AI industry follows today. 9. Engineer the identity and safety systems behind OpenAI, Google, Meta, and Palo Alto. 10. Carry more than five hundred years combined, with day jobs today at OpenAI, Google Mandiant, Palo Alto Unit 42, Adobe, and Stanford. _____ FINAL CALL for Judges and Builders in the Find Evil! hackathon for autonomous Al incident response, sponsored by SANS Institute. Judges: Find Evil! needs DFIR, AI, cybersecurity, and open-source reviewers who can separate useful autonomous response tools from polished demos. Apply here: findjudges-9kvkxt6m.manus.space (orientation call Friday, June 12!) Builders! Enter and compete for $22,000+ in prizes. Join here: findevil.devpost.com Submissions due 15 June 11:45 PM ET. Please share with your community!!
Rob T. Lee tweet media
English
0
1
3
633
Rob T. Lee
Rob T. Lee@robtlee·
In 1996, I was part of a small team that stood up the Air Force's first information warfare unit. There was no name for the work, no career path, no doctrine. We were writing it down as we went. Thirty years later, I was proud to be included in the CSIS Commission on U.S. Cyber Force Generation and contribute perspectives from my military background, experience as a Title 10/50 operator, and work educating the military's workforce. The commission spent the last ten months on a bigger version of the question I was living at the start of my career: if the country built a dedicated military service for cyber, how would you staff it, train it, and keep good people in it? Whatever the country decides to do, the questions in this report are worth sitting with and help inform the status quo. @SANSInstitute @CSIS Report: csis.org/analysis/csis-…
Rob T. Lee tweet media
English
3
3
22
1.4K
Rob T. Lee retweetledi
Gadi Evron
Gadi Evron@gadievron·
Have you tried Knostic yet? Another day, another coding agent supply chain attack. GitHub's breach with a VS Code extension unleashed the flood.
English
1
1
4
1K
Rob T. Lee
Rob T. Lee@robtlee·
The executive order signed Tuesday asks AI developers to give the federal government up to 30 days with a frontier model before anyone else gets it. The draft floated 90. Security people wanted as much warning as they could get. The labs wanted less. At 30 days, nobody got what they asked for, which is usually how you know a compromise is real. (Both sides are now sufficiently disappointed. On schedule.) 30 days isn't a fix, though. It's a hurricane warning. You board the windows, you move the boat, and the storm still makes landfall. The buffer buys preparation, not prevention, and it only counts if you do something with it. The part nobody's arguing about: access to these capabilities is not equal, and it won't be. JPMorgan and Amazon will be fine. The order names rural hospitals, community banks, and local utilities as a concern, then leaves them a discretionary "where appropriate" while early access goes to trusted partners selected with the government. The hospital in Springfield sits at the back of that line. And closing your source code doesn't save you. Source code analysis is where Mythos is focused right now, which is why open source gets scanned first, but it does black box exploitation just as well. Nation-state teams have broken Microsoft, Apple, and Google for years without ever seeing their source. The vulnerabilities get found either way. (Adversaries don't wait for their tier assignment.) Under all of it is the oldest question in cyber defense: what is the government actually responsible for? The critical infrastructure everyone is worried about sits in private hands. The military can't defend a bank's network. The FBI takes the report after the breach. CISA runs real threat intelligence and coordination, but it doesn't have the authority to operate inside a private company and defend it. When Volt Typhoon and Salt Typhoon hit American infrastructure, they hit private companies, because that's where the front line is. (I came up through the military side. That gap still bothers me.) The order doesn't solve any of this. It documents the threat and starts the argument, and the risk now is that people read "signed" as "handled." The work is what the community builds during the buffer, which is why @gadievron, @rmogull, and I, with @cloudsa, @SANSInstitute, and [un]prompted, are running closed-door CISO sessions in DC (luma.com/jzr25473), New York (luma.com/kn2djk5v), and San Francisco. The people in the fight, writing the playbook before the vendors write it for us. If you're a senior security leader, you should apply to attend. Read the Mythos-ready security program paper: labs.cloudsecurityalliance.org/mythos-ciso CISOs: do you actually know where your organization sits in that access structure? If not, that's worth finding out this week.
Rob T. Lee tweet media
English
1
8
20
2.9K
hal9ninesrel1k
hal9ninesrel1k@HALNine9sRel1k·
@robtlee @anton_chuvakin Always a *Good Time* at SANS. Never would've passed that CISSP if it wasn't for Dr. Eric Cole; had great classes with Hal Pomeranz, Ed Skoudis, and others. Always good venues, great instruction, useful references and takeaways to use on the job. Serious as an 0-Day! Best, HTM III
hal9ninesrel1k tweet mediahal9ninesrel1k tweet mediahal9ninesrel1k tweet media
English
1
0
2
235
Rob T. Lee
Rob T. Lee@robtlee·
Anthropic and roughly 50 partners used Claude Mythos Preview to find more than 10,000 high or critical severity vulnerabilities in the first month of Project Glasswing. Most partners found hundreds of high or critical issues in their own code. (One month. Let that sit for a second.) Of those 10,000-plus, 97 have been patched upstream as of May 22. That number is not a measure of how hard anyone tried. It is a measure of where the work now jams. The Glasswing update says it plainly: software security used to be limited by how fast you could find vulnerabilities, and now it is limited by how fast you can verify, disclose, and patch them. High and critical bugs are taking about two weeks each to patch. Several maintainers have already asked Anthropic to slow its disclosure rate, because they cannot keep up. Discovery is no longer the bottleneck. The humans in the pipeline are. The patch playbook itself, coordinated disclosure on a 90-day clock, monthly patch cycles, the quarterly review, was built for a world where finding a flaw was slow. That world is gone. The playbook is not strained. It is finished, and most of us have not said that out loud yet. (I would love to be wrong on this. Correct me, and tell me what planet still runs on a 90-day clock.) Rebuilding it is not a tooling purchase. It is a skills problem, and a specific one. Working at this volume means triaging AI-generated findings ten deep, judging which severity ratings hold up, and deciding what gets fixed in what order when the queue is a thousand items long. That is human judgment under machine-scale load, and almost nobody has trained for it, because the tools that create the problem are months old. You cannot hire your way out of this, because the talent pool does not exist yet. All of us are figuring it out at the same time. So the people who can help you most are already on your team. They are the ones who know your business, who have worked real incidents, who understand what a finding actually means in your environment. What they are missing is reps on AI tools under realistic pressure. The @SANSInstitute Find Evil! hackathon is one place to get those reps fast. Practitioners build autonomous incident response agents, run them against real case data, and watch where the AI is sharp and where it falls apart. That last part is the point. The skill that transfers is not the agent, it is the calibrated judgment of when to trust the machine and when to override it, and that is exactly the muscle the patch pipeline now needs. Find Evil! runs through June 15, with $22,000 in prizes, at findevil.devpost.com. If you manage defenders, here is the Monday version. Pick two people who know your environment cold. Give them protected time this month to put AI tools against your own findings backlog and report back on where the tools broke. That is the rewrite starting, in miniature, on your team. The Glasswing numbers should change what you do this week, not how well you sleep.
Rob T. Lee tweet media
English
5
5
20
3.2K