Alexander Vanyurikhin
@vanyuale
976 posts

Director Information Security with focus on Cloud Security. ex-Microsoft MVP in Enterprise Mobility.

Malaga, Spain · Joined September 2011
225 Following · 184 Followers

Alexander Vanyurikhin @vanyuale
@anton_chuvakin It was a bit of irony. Everyone claims AI would replace people, so maybe it could fix vulnerability management if humans can’t ;)

Dr. Anton Chuvakin @anton_chuvakin
@vanyuale How would AI solve the vulnerability management problem? The only route I see is making prioritization even better.. but that's hardly fixing it.

Alexander Vanyurikhin @vanyuale
@anton_chuvakin I guess people thought that "preventative" is too boring or "old school" and came up with something new. However, English is not my native language and maybe there is deep meaningful difference in these two words.

Dr. Anton Chuvakin @anton_chuvakin
Can someone explain the difference between "preemptive" security vs traditional preventative security? #random

Dr. Anton Chuvakin @anton_chuvakin
It is absolutely fascinating how some people will report that "something is better" based on headlines or "ratings" rather than based on them trying it. Example: I just asked ChatGPT (5?) to rank top 10 security vendors by revenue and it ... missed Microsoft completely.

Alexander Vanyurikhin @vanyuale
@0xdabbad00 Somehow I feel that Wiz is using CTF to tune Wiz Sensor to detect all the crazy things hundreds of people are doing ;)

Alexander Vanyurikhin @vanyuale
@anton_chuvakin @TankDerek Just imagine a future where systems can agree on approach purely on pros/cons for a company, without considering corporate politics, ego, etc. But I would be happy if AI can do expense reports and accruals for me.

Dr. Anton Chuvakin @anton_chuvakin
@TankDerek Yes, but identical to humans in every relevant work related way. Not just in CL per our productivity and code quality. But stakeholder negotiations, debating approaches, pros/cons, etc

Dr. Anton Chuvakin @anton_chuvakin
I am legit curious to hear the arguments of someone who honestly believes that AI will replace all SWEs or all "tech people" real soon. Have they seen the inside of a large enterprise? What am I missing?

Alexander Vanyurikhin @vanyuale
@matthewdfuller I agree with the “idiot proof” way in theory. In practice I can see it is almost impossible within one company, hence I don’t know how it would even be achievable by a CSP. I always blame the shared responsibility model, as most people have a vague understanding of it.

Matt Fuller @matthewdfuller
@vanyuale I gently disagree. If you give people options to move fast by providing insecure configs, people will use them. My opinion is that it shouldn’t even be an option, but if it absolutely has to be, at least hide it somewhere other than the main “create database” screen.

Matt Fuller @matthewdfuller
My spicy take is that Google deserves at least 51% of the blame here. The fact that it's even possible to configure a public-facing Firebase database in 2025 is an unmitigated cloud provider failure. But they'll shirk responsibility by citing the shared responsibility model.
Quoted post, Trung Phan @TrungTPhan:
a major takeaway from the Tea App hack (that leaked IDs and photos for 1m+ users) is that the rise of vibe coding is going to be very lucrative for legal, compliance and cybersecurity experts

Alexander Vanyurikhin @vanyuale
@0xdabbad00 Ahaha, you also added some smoke screens, but I don’t want to spoil things for others. Will it be closed at some point soon or stay open until all challenges would be released?

Scott Piper @0xdabbad00
@vanyuale Yep, I figured people would say "Oh, that wasn't so bad. There's the flag." and then the real challenge begins. :)

Scott Piper @0xdabbad00
Folks coming to fwd:cloudsec, my face looks different. I have a beard. Come find me and let's chat about the new CTF I put together. lnkd.in/geRrC3aN

Alexander Vanyurikhin @vanyuale
@anton_chuvakin Yes. Because these problems have no definitive solution for a reason. All require persistence and certain level of resolve to push people to do “boring” and unpleasant things. Easier to jump on a hype wagon in current cycle.

Dr. Anton Chuvakin @anton_chuvakin
Quick weird #question: is it valuable to continue giving the same security advice that people have been giving for 30+ years, IF you believe that it is philosophically correct? (1/2)

Dr. Anton Chuvakin @anton_chuvakin
@vanyuale @rekdt Right, and AI will update that unpatched Windows 2003 box in the closet. Oh wait ... there are no more updates for that one...

rekdt @rekdt
Vulnerability Management: The beatings will continue regardless of whether morale improves

Dr. Anton Chuvakin @anton_chuvakin
@rekdt The beatings also have been going on since the mid 1990s, largely non stop :-)

Alexander Vanyurikhin @vanyuale
@rekdt Real conversation: “Hey, we did a great job! We found a way to prioritize vulnerabilities. Out of 300k, we can only focus on 17k which are critical, with high EPSS score and in KEV database”. At this stage I wanted to cry in some dark place.
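The prioritization the post above describes (CVSS critical, high EPSS score, listed in KEV) as an added Python example; this is not code from anyone in the thread. The CVE identifiers, EPSS values, KEV subset, asset names and tier weights are constructed placeholders, and the EPSS threshold and risk weights are assumptions. The example shows the strict AND-cut, the known-exploited entries that cut silently drops, and a ranked worklist as the alternative to a binary in/out filter.

```python
"""Vulnerability triage: the "critical + high EPSS + in KEV" cut, then a ranked worklist.

Added example, not code from the thread. CVE ids, EPSS values, the KEV subset,
asset names and tier weights are constructed placeholders (the real KEV catalogue
is published by CISA; real EPSS scores come from FIRST).
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float           # CVSS base score
    epss: float           # EPSS: probability of exploitation in the next 30 days, 0..1
    asset: str
    internet_facing: bool
    asset_tier: int       # 1 = crown jewel, 2 = business, 3 = low value (assumed convention)


# Constructed KEV subset with placeholder identifiers.
KEV: Set[str] = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0005", "CVE-0000-0007"}

CVSS_CRITICAL = 9.0   # CVSS v3 "Critical" band starts at 9.0
EPSS_HIGH = 0.5       # assumed cut-off; set it from your own risk appetite

# Constructed inventory: realistic shape, made-up data.
INVENTORY: List[Finding] = [
    Finding("CVE-0000-0001", 9.8, 0.92, "vpn-gw-01",       True,  1),
    Finding("CVE-0000-0002", 9.1, 0.71, "build-runner-03", False, 2),
    Finding("CVE-0000-0003", 9.8, 0.04, "intranet-wiki",   False, 3),
    Finding("CVE-0000-0004", 7.5, 0.88, "api-edge-02",     True,  1),
    Finding("CVE-0000-0005", 7.8, 0.63, "mail-relay-01",   True,  1),
    Finding("CVE-0000-0006", 5.3, 0.01, "printer-fleet",   False, 3),
    Finding("CVE-0000-0007", 9.3, 0.40, "hr-portal",       True,  2),
    Finding("CVE-0000-0008", 9.0, 0.55, "lab-vm-17",       False, 3),
]


def strict_cut(findings: List[Finding], kev: Set[str] = KEV,
               epss_high: float = EPSS_HIGH) -> List[str]:
    """The AND-filter from the post: critical AND high EPSS AND in KEV.
    Returns CVE ids in inventory order."""
    return [f.cve for f in findings
            if f.cvss >= CVSS_CRITICAL and f.epss >= epss_high and f.cve in kev]


def kev_outside_cut(findings: List[Finding], kev: Set[str] = KEV,
                    epss_high: float = EPSS_HIGH) -> List[str]:
    """Known-exploited vulns the strict AND silently drops (sub-critical CVSS or
    EPSS under the threshold). A KEV entry is exploited in the wild by definition,
    so these deserve attention regardless of the other two gates."""
    kept = set(strict_cut(findings, kev, epss_high))
    return sorted(f.cve for f in findings if f.cve in kev and f.cve not in kept)


def risk_score(f: Finding, kev: Set[str] = KEV) -> float:
    """Likelihood x exposure x asset value. The weights are assumptions, not a standard."""
    exposure = 2.0 if f.internet_facing else 1.0
    value = {1: 3.0, 2: 2.0, 3: 1.0}[f.asset_tier]
    kev_boost = 1.5 if f.cve in kev else 1.0
    return f.epss * exposure * value * kev_boost


def worklist(findings: List[Finding], kev: Set[str] = KEV) -> List[str]:
    """Every finding ranked, highest risk first: an ordered queue instead of a
    binary in/out filter, so the team always knows what to patch next."""
    ranked = sorted(findings, key=lambda f: risk_score(f, kev), reverse=True)
    return [f.cve for f in ranked]


if __name__ == "__main__":
    print("strict cut      :", strict_cut(INVENTORY))
    print("KEV dropped     :", kev_outside_cut(INVENTORY))
    print("ranked worklist :", worklist(INVENTORY)[:5])
```

In this constructed inventory the strict cut keeps two findings but discards two KEV-listed ones (a CVSS 7.8 mail relay on the internet edge, and a critical HR portal whose EPSS sits just under the threshold); the ranked worklist surfaces both near the top. In production the inputs would be pulled from the CISA KEV JSON feed and the FIRST EPSS API rather than hard-coded.
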
Alexander Vanyurikhin @vanyuale
On a flip note, it would be interesting to observe how LLM adoption would impact critical thinking. Before, you had to find information and analyze it. Now you are getting everything on a silver platter. There is no catch, right?

Alexander Vanyurikhin @vanyuale
Used NotebookLM to generate a podcast based on M-Trends, Verizon DBIR and IBM X-Force reports. @anton_chuvakin you need to tell Gemini team to stop making you a competitor.

Dr. Anton Chuvakin @anton_chuvakin
Just cut it out with "it is not ***THAT*** expensive!" jokes, please. They are only funny the first 3 times :-)

Dr. Anton Chuvakin @anton_chuvakin
@bettersafetynet A most excellent thread. I think we are very much in the spaghetti throwing at walls stage of AI use cases for security.

Mick Douglas 🇺🇦🌻 @bettersafetynet
Stop trying to put AI into all security tools! First, AI is neat. I won an award for an AI framework we've built. I am actively working on 2 major AI tools. I. Like. AI. But it does NOT belong everywhere. 1

Alexander Vanyurikhin @vanyuale
@anton_chuvakin I already saw a vendor who added LLM for their query engine, so normal humans can just ask what they want. So, I hope no more new query languages (had to learn several in the past).

Dr. Anton Chuvakin @anton_chuvakin
#WeirdQuestion Is there a single BEST language to write detections in? SPL, KQL, YARA-L, Sigma, SQL (yuck 🤮) ... the choices seem to be about HABIT and not about MERIT?