#581 From Alerts to Business Risk: Mike Armistead on AI Agents and the Future of Cybersecurity

Mehmet: [00:00:00] Hello, and welcome back to an episode of the CTO Show with Mehmet today. I'm very pleased. Joining me, Mike, Mike Armistead. Uh, Mike is a serial tech entrepreneur and he's currently the CEO of Pulse security ai. Uh. Mike, I don't like to steal from the light of my guests. Usually I keep it to them to introduce themself.

So basically tell us a little more about you, your background, your journey, and what you're currently up to. And then we are gonna start the discussion from there. Of course, as the guest might, you know, uh, as the, the, the audience might guess is we're gonna talk a lot today about cybersecurity and ai. So the floor is yours, and then we will start discussion from there.

Mike: I appreciate it my Mehmet and, uh, thank you for having our show. It's, uh, kind of perusing the different, uh, episodes that you've had. It's, uh, a wide variety. It's really, uh, very interesting in a lot of cases for me. Uh, I'm currently the CEO and co-founder of a company called [00:01:00] Pulse Security ai. And, you know, I'm entering my fourth decade of professional life.

Uh, so I, I'll I won't give, uh, the gory details that'll bore you and, uh, and your audience. Um, but safe to say, I've been through a number of technology transitions 'cause I've been in technology, my whole professional career. Uh, you know, from the piece rise of the PCs to client server to cloud. Uh, and now in this wave of ai, um, and recently, really the last 10 years I've been in, uh, the AI space, uh, you know, and that was before it became really popular.

So, um, you know, that, uh, two companies ago, uh, I co-founded and CEO of a, of the company called Response Software. And it, it was using AI to. Uh, basically create a virtual security operations center analyst, uh, you know, to process all those alerts and everything that kind of come their way. Uh, actually very [00:02:00] popular space right now too.

Um, and most recently we're, we've taken a lot of our learning of what we've done and now that LLMs and other kinds of models and techniques are going. In, into the space, uh, we're doing using more agentic kind of systems and, uh, context graphs and, and these things to create, uh, something that is actually aimed at security leaders.

So, and, and AI agent for them that allows 'em to help translate what's going on from a technology standpoint into really business, uh, risk and business terms. 

Mehmet: Great, and thank you again, Mike, for being here with me today. I'm gonna kind start from a little bit your journey and because you said like you've seen it all, uh, you know, and what a time to be in.

Currently things are changing so fast and you know, people sometimes get lost between all the [00:03:00] headlines. You've built companies across multiple tech waves. I would say from the early internet till today with the AI age. I'm a big fan of spotting patterns. So what have you seen, like from patterns perspective, like things that.

Of course not the tech itself, but there are like some patterns that keep repeating in every cycle. What are like these patterns that you have spotted, Mike? 

Mike: Yeah, great question. I, I, you know, because there clearly are, are patterns that happen in this. I, I think, you know, we're all in technology. We get really excited about all this stuff.

I, I, one of the very core patterns is everybody thinks it's gonna happen very fast. And what I'm talking about the it is that. You know, the, our whole environment will transition to making use, in this case of, of AI and agent systems and that kind of thing. And we, you know, I do think we're, you know, we, we just assume it's gonna happen in the first few [00:04:00] years and realizing we're in the early adopter stage and, and it, and we have a long way to go.

I remember, 'cause I was in the consumer internet space when kind of the rise of Web 1.0. And, you know, it was, it was a lot of the same headlines you're hearing today about ai. It's, uh, gonna have massive disruptions there. You know, there won't be any other retailers. They'll all be online. The bricks and mor brick and mortar retailers are all gonna go away.

And it took us, I don't know, about 10, 15 years for Amazon really to get all the way there because they were just a little bookstore at the time. Um, so I, I think one of the clear patterns is. The, you know, there, it takes a long time to build a foundation to make these things reach, uh, the general population.

And I think that's, that's a clear pattern, uh, that that is one of those things that happen, uh, kind of with all the technology transitions. I, I think the other one is, uh, you do see, uh, [00:05:00] even within that transition, you see generations come and go. Uh, I was part of the first wave of search engines, um, and a company that, uh, you know, I was in a startup that got up by search engine called Lycos.

I don't know if you'll even remember Lycos, but you know, that was in the age of Infoseek and Yahoo. And, uh, excite these search engines. Does anyone really even remember that that first wave came and went and Google, you know, kind of came up through, uh, during that time? Uh, because it just focused on really the business aspect a lot of, a little bit more than the technology aspect.

And that's another pattern that I see is that, uh, in technology quite often we run to the technology and it's very important because you have to build foundation. But ultimately what wins is the business side of it. And the people that can figure out how to provide real value to customers are the ones that [00:06:00] really have the staying power, uh, through that.

But they might. So, you know, here we are in ai, uh, is it gonna be the same? Is it gonna be open ai? Is it gonna be anthropic? Is it gonna be, I don't know, you know, it's, uh, history would tell you that one of those companies might make it, um, but the rest of ultimately won't. 

Mehmet: It's a destiny. I believe Mike, like, and I'm with you, like history kind of.

They say repeat itself really. History repeats itself. But what surprises me, you know, I thought like before the internet, like I. I thought like maybe not all people have access to, let's say, history books or let's say not everyone can go and access the archives like of certain things and learn from it.

And the internet kind of changed that because information became available to all of us. But looks like we still. Don't go and learn from the things, which actually they are under our fingertips. Right? So, so it's thing, [00:07:00] it, I think it's something which, uh, it's a human nature to, to get these excitements.

And maybe I'll discuss it later with you in on the show today. And also, like, you know, the, the, the, the. People call it hype. Some people they call it the bubble, whatever that is, which also let people become skeptics. Some people become so excited and we, we don't have this, you know, I would call it the balance.

Now I want to come to the area which currently you, you know, building with and you have an expertise in, which is cybersecurity, right? Uh, two years ago, one of my guests, like, you know, he was kind of quote unquote having a rant, and he said the cybersecurity failed us. I mean, as a market, as, as all the vendors.

Why? Because, you know, people couldn't understand what are the gaps, and you talk about the security value gap, so. People spend [00:08:00] billions maybe of dollars if, if we count globally on security, but still we get breached. We still hear about ransomware attacks, we still hear about now with the AI impersonating other people and all these things.

Why this happens. 

Mike: Boy, if I had the exact answer to that, I'd be, uh, in a, in a good spot. No, I think there's a number of things as to why, uh, that has happened. Some of it is the history of how the cybersecurity market kind of grew up. Um. It's, it all started with network engineers looking at packets to see if there was something malicious in the, the network packets.

And it, it really, how it evolved was every time we expanded our attack surface from internal networks to, you know, external cloud to, you know, all sorts of other things the cybersecurity market kinda [00:09:00] ran to, to figure out a solution to that. What it, what it resulted in was, uh, many, many technologies all kind of focused on really a pretty narrow, you know, problem space.

And so when organizations have had to build their security program, they end up with a whole bunch of vendors with a whole bunch of, you know, solutions to different things. And. Nobody really took much of a step back and say, well, how do we manage this whole thing? Um, you know, it's kind of like, uh, you know, fighting a, a battle and just focusing on every little skirmish that's going on.

Uh, and, and then somehow. Usually with people though, we, we, we translate that to what does it mean to me as an organization, you know, if I'm, if I'm a corporation doing, um, cybersecurity defense. Uh, so, you know, part of that [00:10:00] evolution just made it very difficult to take a strategic view and to help that.

And so now you see in cybersecurity it, it's very obvious. We've, we've swung that pendulum all the way over to detection. So that's almost all, only, the only thing we do is try to detect and respond to things, whereas the, the more prevention side, uh, has, has really been, uh, something that's, that's lacking.

And again, not for trying, it's more that how do you keep up? And now we're in this age of we're even, you know, have. Have the adversaries using AI to, you know, create attacks that are so fast and so broad in scope. Um, how are you gonna keep up with that without having really thought about the prevention kind of side to it?

So, you know, there's, there's many other reasons, but I, I think that's, that's a real core part. And, you know, I've really, I like to liken it to look at the other functions in an organization. So walk [00:11:00] into the office of the CFO, who's in charge of risk, but. Financial risk for the company, much like a CISO is in charge of risk, but cyber risk.

They, they, where do they go? They go to their ERP system to gain really the foundation of, uh, what, what the answers are, first of all, like, where, where are we with our cash? Uh, what are inflows and outflows? How well we doing? How much cash do we have left? Um, if you're a startup, you think about that. Um, but it might be, you know, what opportunities can we take because of our situation?

And you know, for many public companies, it's how do we report exactly where we're at? You walk into the office of a VP of sales or a, a Chief Revenue Officer and they're gonna go to their CRM system to tell 'em, you know, any particular deal. Where's it, where's it at in the stage of the pipeline, um, to be able to do forecasting of what they think will happen over the quarter, all that kind of thing.[00:12:00] 

Go to a, a Chief Information Security officer and ask them to go to their system. What do they do? They go to their people because that's, we use human middleware to try to connect the dots between all these stove pipes of technologies. And it's really, like I said, very difficult, uh, to do that. And, um, you know, as you, as you can tell, I'm, I, I think we can use.

These age of AI and especially ag agentic systems to help make that transition and give something to the security leaders so they can manage, better manage and really think about the prevention side of their security program. 

Mehmet: Right. I, I gonna, you know, follow up on this and start from kind of, uh, you know, the.

47 foot or 30 south foot, whatever that is, and you know, try to narrow down later. So on this point, there is no doubt, Mike, and I hope [00:13:00] you would agree with me, is that from translating. The business to the business, the, the, the value of, of the cybersecurity technologies in general have failed. And the reason I'm saying I gotta take a more holistic approach.

I, I'm sure, and I'm transparency usually with my audience. We are recording on the 25th of, uh, so probably again, I will go in the second week of March, um, two weeks ago. And last week we saw, like, you know, how investors reacted to news about, you know. Entropic, they released some tools that they can go and check the security of the code, right?

So, uh, and the, and the whole market, like especially the stock market related to cybersecurity, fell down. The first thing that came to my mind, Mike, is looks like me included, because I was also, and sometimes still I do it from time to time, you know, as [00:14:00] consultants, as people in tech. It looks like we failed to translate to the business.

You know, these technologies. That we use the different technologies and we start to talk more about tools rather than talking about business outcomes. Right. So now this is why I'm trying to relate to what you were mentioning. If I were to relate this to agents, do you think agents would do better job than us explaining to everyone, the boardroom, including like, this is actually the business outcomes.

This is what we are saving, this is where we are like. Mitigating risks when we have these tools in-house, how agents can be better than us. And we have to admit that we didn't do a good job because you know, even I put a post couple of days ago and I said on LinkedIn and I said, all what we have done for years, decades, just put [00:15:00] buzzwords there.

Zero trust. I don't know what, and again, don't get me wrong, I'm not against the technology. I know like what zero trust is, and I know exactly technically how it works. But I mean, we did these fancy words, we put them in front of the business and then the business said, Hey, what's the outcome of this? So I wrote a loaded question, but I would love to hear your opinion on this.

Mike: No, I think it's a, it's a great question 'cause it, I, I think it very specifically, uh, articulates the problem that we have in cybersecurity a little bit, is that, uh, it is truly that translation from the technology that we love to the, like you said, the business outcome. And I think the reason we have a hard time doing that is generally, uh.

Every business is in a different situation. Uh, I like to call it kind of situational security. So you, you know, you, you know, and when you have tools that are trying [00:16:00] to help you do the defense, uh, and the mitigation of, of your risks, uh. Not a, you know, they have to take it generically. 'cause that's what the vendors do.

They have to try to broad keep their market really broad. And so, um, you know that, that's one of the reasons why I think some things has failed because you have, uh, something that's producing alerts. And certain alerts may be important. Certain alerts are not important depending on your situation, what technology you have in your stack, uh, the skills of your people, how many people you have, how much budget you have to actually, you know, even use all these factors, uh, are incredibly important.

And I, I would say, you know, there's, there's something that I think is gonna become more and more important in this space is the discussion about context. There's a technology behind this a little bit that a AI and agent systems kind of enable and it's, uh, uh, you may have heard this term, but it's uh, you know, a [00:17:00] context graph, but it's really just a construction of what's the context for a particular organization because the security equation is.

Uh, part did you detect something and part doesn't mean anything in my context, and that's why you hear so much about false positives and why it's, it's always hard to kind of weed through all that to get it in. So much energy in the cybersecurity space has gone into just trying to prioritize and optimize all this information.

That happens. But that equation is, is the key. And, and the part that's been missing has been the context. And so what have, what have we done well to, to fill that void of the context. We've stuck people in the middle of it. Because people are really good at that, is like connecting the dots between, oh, I'm seeing this over here, but I know that doesn't matter to me because we bought, you know, where our whole thing is based off of this technology.

[00:18:00] And so I'm not gonna worry about that alert. And so your original question, or where you started that from was, do we, do I think ag agentic systems can, uh, help in this? Absolutely. I do. I think, and it's because of the, the scope and. Speed and the things that a agent system can help us do. Now, what I don't think they're gonna help us with, certainly in the short term is, is the final judgment.

I think we still need people in there with their experience and knowing the business side to do that, but the heavy lift of getting at least the initial context, uh, to any kind of technology or any kind of signal that we're seeing, I think there's a lot that technology can be applied to that. And I do think.

You know, that's the exciting part about, uh, these ENT systems is I think that, you know, I've been in this business a long time and, and I tried to, we tried to do a lot of that, you know, even eight years ago, 10 years ago, and we had to use very different kinds of things. But the [00:19:00] LLMs bring, you know, a, a kind of a, this secret sauce to, to this problem.

And, uh, but boy, uh, there's a long, still a long way to go. I mean, we, at our company, you know, we're. We are putting the scaffolding around that because it isn't just a write a single prompt and you're gonna get the right answer, you know, kind of thing. It's gonna be very complex, prompt books. Uh, you have to, you know, really do all you can to weed out the hallucinations.

And there's all sorts of techniques to do that. Uh, you know, there's, so, there's all sorts of things about using those models. Um, but at the same time, the big part of that. Is the context. And I think that's where the, and we as humans haven't been able to keep up with the the context. I think that's where the great promise of this technology really lies.

Mehmet: Right now, because you mentioned AI and you know, the agents, we've, we've, we've, you know, seeing more [00:20:00] and more talk about keeping humans in the loop, right. While using AI and think ai. Now, historically, also, and I don't like some, some people not like what I'm saying, but as humans, we did terrible mistakes in cybersecurity as well.

So we do, we really want to keep humans in the loop when it comes to, to, to cybersecurity. 

Mike: Oh, I, I, I think, uh, short answer would be we do, at least right now, that technology, you know, we judgment isn't part of really a lot of that technology yet. I mean, there's, there's things it can do and it can bring forward.

You know, the interesting things that connect the dots, and it obviously, as we all know, 'cause we all use those LLMs, they speak very well and they're very confident in their answers, but sometimes they make up the different parts of it. So you actually do need, uh, I, I believe, uh, people in there, in the, in that final judgment, now there's gonna be certain [00:21:00] tasks that, yeah.

Can you. Can you make it more autonomous and you uhhuh, you'll be able to Absolutely. But there'll be typically low level tasks and not making big strategic decisions. Like, I'm gonna shut off this server. You know, which happens to be your main, you know, transaction processing, uh, uh, engine. You know, you don't want the technology to do that, uh, quite yet.

Now that's a simplified version. I mean, you're obviously can give the LM the cut 

Mehmet: right 

Mike: context in the smarts to not do that. But I still believe that. Um, that at least, you know, here in these next few years, it's, it's gonna be very important that you have a, a human in the middle of, of many of these workflows.

Uh, uh, and especially the ones that deal with, with strategy in that too, because the LMS are, you know, they're, they're getting better. But, um, heck, even six months ago, it couldn't do a lot of the things that, that they're doing now. So we'll be able to ride that wave through and [00:22:00] more and more can be autonomous.

Uh. But, you know, yeah, I, I don't, I still think you want, uh, people watching, you know, the, the real important aspects, uh, in cybersecurity, especially 

Mehmet: right now, I'm gonna kind link the beginning of, of this episode with, with, with this, and, you know, talking about the AI hype in cybersecurity specifically right now.

Of course, I just mentioned the example of Atropic and you know, the tool that they have released and everyone will think, oh, like now, yeah, like we don't need all these cybersecurity vendors because I can go and vibe code them, which is of course not true. But I mean, if we want to think about it realistically, what do you think the areas that AI would really make it.

And where do you think, like, we still need probably, I don't know, like at least five years [00:23:00] before we reach, you know, what people think they can do with the AI when it comes to cybersecurity specifically? 

Mike: Yeah. I, I would, what's gonna make it is, um, and I'll, I'll talk about a little thing a little outside of cybersecurity just for a second because we're seeing Sure.

Where it's making it is in, uh, coding. Uh, you know, even, even our developers, I think very differently about building a company, uh, on the tooling that we have. And if you're in software, you, you see it, it's, uh, you know, no longer are the, the, the tasks that take long, the actual. Code, you know, typing out the code.

Um, those aren't really even part of what you do today. You know, you're, you're, you're very much a general manager of your code base and you're trying to determine which agents do which tasks and. And getting that. But you know, what's interesting that you're, that you're [00:24:00] bringing up is even within that, uh, our developers at times struggle with keeping, uh, keeping all the balls in the air or the plate spinning or however you, you kind of talk about that because they'll have, they'll have, uh, dozens of agents doing hundreds of tasks all at the same time, and.

It's tough for them as the conductor of all these agents to keep track of that. So, um, when you, when you start to talk about now rolling this kind of tech technology out to the rest of, let's say cybersecurity and that we don't really have the scaffolding to do a lot of that yet. Um, you know, and it's.

Really even how the models have evolved. You know, even with developers, it, it started out with, oh, they'll give me advice. Then it's, oh, they'll generate the code. Oh, now I gotta think about, is that code secure? Is it high performance? Is it, you know, what, what's all the attributes of it? That whole scaffolding about how they're doing it, they're still [00:25:00] experimenting with many different ways to go about that.

And so we're, we're gonna see that happen into the different functions. Now, what. Now to kinda the heart of your question, uh, uh, I do think there are certain things that the agents will actually do better than humans. We get, we, you know, processing hundreds of thousands, sometimes millions in large organizations of the alerts.

Come from all the tools that we bought over all the years and being able to, um, make some sense of them. Especially if you have, again, the, the context graph that kind of goes with all this. Uh, they'll be able to do it faster and quicker, much like our developers can. Uh, I mean, one, one just recently came to me and said.

Overnight. I, I completed 147 tasks that were part of our, uh, our tasks, but it was overnight because I, I let this whole crew of agents go about it and [00:26:00] he spent a lot of time building scaffolding around it. But that, that's, that's what he, that's the end business result. Same thing in cybersecurity. The end result is mitigating risk.

Right. And so what you're trying to do is get the picture of risk for yourself and that can come from the alerts from all sorts of places, you know, outside, externally, you know, new threats that are around, um, and are they targeting your peers? And, you know, all these things that be, that become factors.

And I think they can help piece that, that together. Um, but you know, you still need controls, security controls. You, you still need a lot of the infrastructure that's gonna run your business, um, and protect your business from, uh, malicious, uh, intent. Uh, and so the AI and agents will do a good job of that.

I think they'll also help support people in making judgements about, okay, knowing what I know about my business. And knowing what my [00:27:00] budget is and knowing, you know, what kind of attacks, 10 and attackers tend to target me, um, here's my strategy to go about mitigating that risk. That's still a very human, uh, function and, uh, at least, hey, at least for, uh, five to 10 years, you know, I, I don't know.

Yeah, a lot of, lot of progression. Maybe you can embed a lot of that in into something as well. But, um, today you gotta kind of, uh, you know, build that up. 

Mehmet: Right Now you kept mentioning the word, uh, scaffolding Mike couple of times, right? So if I want to put this into something tangible, I would say, how does this, you know, scaffolding looks like, is it like a system of record?

Like what is it exactly? 

Mike: Again, different things in different, different kind of settings, but yeah, for the, for the security leaders, uh, imagine I do think [00:28:00] it's a modern security of record. You know, I, you know, it's funny, I, I, I hesitate a little bit using that term because. E what pops into everybody's mind is, oh, that's a user interface in front of a database.

It's like, no. I mean, that is what security of records and a lot of things were, uh, but Ingenix systems, they're way, they're way more active. They, they, you know, they're, they're able to to do more. And in fact, I think they're able to build that context graph that allows 'em to be very custom to every organization.

So, so yeah, I think part, part of the scaffolding is just having. And then figuring out what are those indicators that the leaders need to know if they're under attack, to know if they're, uh, uh, secure in a certain way, to know if they're mature enough to be able to handle, you know, if something goes wrong.

All those kinds of things, uh, are really bits and pieces all around cybersecurity programming. [00:29:00] When we say cybersecurity program, I think people, you know, probably have different views that come to mind. Right. But it's every, it's everything from the program that helps employees recognize phishing attacks to very, you know, the endpoint detection that's going on there to, you know, uh, what you had mentioned, like, you know, access control, you know, do you do that in a zero trust way or do you just, you know, there's all sorts of things that go into it.

It's taking all that and making sense of did I mitigate the risk to my business? You know, did So to your board of directors, you as a security leader have to say or give a, give a good presentation of, and this is where the business relevancy comes in. I've protected maybe our customers in this way.

Because I've mitigated these risks and, and you know, there's a lot that rolls up into that. And I think that's the scaffolding that needs to get there. And, and the, for security leaders, I'll make one this last final point. I do [00:30:00] believe it's this, the context, you know, the, this context graph is the scaffolding that allows them to say, for me and my business.

Um, and since my job is to mitigate the cyber risk, uh, this, this is, this is how I'd answer this. This is for programs I put in place to do that. 

Mehmet: Right Now, we talked a lot about, let's say, one side of the, of, of the story, you know, which is defense, right? Mm-hmm. Um, I have a very dear friend, you know, when we used to work together and he's trying to explain, you know, uh, how, uh, bad actors work.

He used to say like, there are people like us, they have, uh, kids that they go to school, uh, wives. That they have to go do shopping, so they have to be creative. And of course, you know, uh, the, the idea is like also these guys, they are also also following the trends. So now when it comes to ai, and we've seen it, we've, we've, we've seen it many times and, [00:31:00] you know, offensive, uh.

Cybersecurity attacks are becoming more and more sophisticated, and we know for a fact that they are utilizing also, you know, the technology that is out, it's in the wild and everyone can, can, can do it. And I think, you know, the open source kind of, you know, these LLMs without going into the, any geopolitical things I've seen like also ways you can extract LLM.

Train another LM on that. So bunch of ways where you can bypass the security. Uh, and, and, you know, the, the, I would say the guardrails that usually, at least this is what they say, the, the LLM producers, whether it's open AI and drop Google, everyone else. So the technology is in the hands of the bad actors also as well, Mike.

So me as first as a. Cybersecurity leader, should I be more worried? Me as someone sitting on the board [00:32:00] and I'm maybe listening to this or maybe someone pointed me out to, to, to listen to this episode, how much should I be worried? And the question that comes to mind, okay. What we do now, like if, if, if whatever technology we're gonna implement.

Whatever measurements we're gonna take. These, uh, bad actors gonna try to counter attack us with the same technology, what we do. 

Mike: Yeah. I, as you said, this is, uh, clearly already, uh, going on. I mean, cybersecurity in many ways has always been an arms race. You know, you have the adversaries. They get advantages, the defenders, you know, counter counteract that, you know, and then it kind of goes back and forth, back and forth.

And I think that's clearly something that's happening right now. I, I do think that the adversaries have the advantage as of, you know, the state in late February of 2026. Um, uh, you know, even I, I noticed, you [00:33:00] know, you had a recent guest on that talked about, uh, the, um, different governance and the ISO standards and things like that.

Mehmet: Yeah. 

Mike: A crazy thing is, um, that's even way behind to help, you know, they're there to assist the corporations to say, you know, here, here's some guidelines to help you. Not one of 'em mentions ag agentic systems. They talk about AI and AI models, but they don't talk about there's gonna be. Thousands, millions of agents running around pretty soon.

How do you know what they're doing? How do you know what same thing, you know? And, and to relate it back? I mean, that is how the adversaries do it. They're, they're writing very agentic systems that can be very patient at the times they need to be patient and very fast and targeted at. Areas they need to be fast and targeted, very difficult to defend on.

Um, and so, um, absolutely, uh, we need another crop of tools, [00:34:00] uh, to do that. But that's why I guess I, I made the distinction of you're not gonna be able to detect everything in the, in the speed. Now you're gonna have to act at that speed and you're gonna have to do some detection there. But this is why prevention becomes so much more important.

You know, if you think about, let me take a, a case in cybersecurity that everyone will be familiar with, you know? Sure. Uh, ransomware is had been a big problem in, in many, uh, industries in that too. Um. The, the prevention of ransomware, you know, and that typically starts with like a, a phishing attack or something like that where someone accidentally gives up some information.

So same old vulnerabilities, same old techniques get, get used. They just happen at, at different speeds in that. But the to counter, um, like say the ransomware and the malware attacks, it, it's, it's a multi, uh, pronged. Mitigation strategy that organizations should take? Yes, they should have something on their end points that [00:35:00] detect, uh, when something odd is going on, but they also should segment their network so that the blast radius of when something comes in and tries to take over can only, can only affect a little bit.

Um, uh, they, they need to train their folks to do that and to, so there's multiple, multiple things, but that's. That's thinking prevention with ai. We gotta think that way too, right? I mean these, we know the adversaries are equipped with these tools and so we need to be thinking, okay, if it is an actually an agent that can come in, that's probably generically just looking at all the vulnerabilities I've got and putting a little piece of software somewhere and then sitting there for 10 months.

And then, then reactivating and, and that, I mean, we're gonna see a lot of that stuff. And I think you gotta think about your overall strategy and just think through, um, you know, put yourself in the adversary's shoes. And that's why there's many organizations that also do that in cybersecurity because it's very helpful.

And I also [00:36:00] think you have to. You have to practice. So, um, it's surprising how few people really do tabletop exercises, um, into, if I were to get breached, what happens? How do we tell our customers, you know, what does the board do? How do we tell the press, what do we, I mean, and that, that's like maybe a high level one.

And also just. Just at the operator's level, like what do we do when there's a breach in, in that too? So you gotta practice, you know, if you're gonna play the game, you know, you can't, if it's game time, you're, you don't wanna wing it. You know, you have to at least know what you're doing, so, 

Mehmet: right. 

Mike: There's a lot of prevention things that you can do, um, that should be part of your overall security program.

And you know, you're gonna see, because already every vendor, if every, if you encounter a vendor that doesn't say they have an AI component, ah, you know, we're, we're about to come up to, you know, our, our big trade show at, uh, RSA, you know, and it's, yeah. It's gonna be like that. Everyone's gonna be talking about that.[00:37:00] 

Mehmet: I'm gonna be railing ai. 

Mike: Yeah. Yeah. And we need that. We need that at in the different Absolutely. Silos. Absolutely. But we need something that cuts across the silos too. And hopefully it pulses security, ai, this is partly what we're doing. 

Mehmet: Hopefully now, Mike, just, you know, two takes for me, and I think, you know, and thank you for sharing your, your, your point of view also as well.

So this is for the audience, like whether you are in the tech yourself or maybe if you are. You know, a business leader or maybe even if you are like out in the market and you are wondering what gonna happen, actually there's no better time to be innovating in this space. Like now, like this is my own point of view.

It's not a financial advice guy, but you know, like if you think like we are done because AI can now do everything just 'cause one model. They can do some. Quality check on the security of the code. That's not all. Like, you know these guys now they have better tools and it's now time to, and again, to your point, Mike, I think it's, I call [00:38:00] it always back to basics.

When you talked about going back to prevention and I think this is what. Unfortunately, and maybe I'm guilty as well because 15 years ago, you know what we used to do when I was working, you know, in the disaster recovery team, we used to take like templates because we are lazy. We just like put them and we say, Hey, yeah, we tick the box because we have done this.

It's not really prevention, like, you know, it's like just you say, I have an insurance on my car, but at the end of the day, your car insurance provider actually, they went bankrupt and they can't do anything. So, right. So you, yeah, you 

gotta 

Mike: be a good driver. You gotta gotta be a defensive driver. You gotta do all those.

Things. It's a, 

Mehmet: yeah, exactly. So, so you, you, you also do your due diligence and prevention is all about due diligence. It's about to make sure, like have you set it up in the right way. And, and this is why, you know, again, I'm not here to blame. [00:39:00] Anyone, but I think we made it so simple that it's like tick boxes, right?

Checkbox, okay, this, this, this, this. But it's so unhuman, it's so robotic. And I would be happy to see an agent doing better job here than, than us as a humans, honestly. 

Mike: Yeah. Yeah. 'cause and I, I, I agree that, you know, we, I used to always have a a saying, which in some ways. The checkbox compliance thing is just, it gives a roadmap to the attackers too, because they go, oh, 

Mehmet: right, 

Mike: they probably did all these steps, and so here's our way we're gonna get around those.

So it, it actually, that is the place where I think some more innovation can happen because it's just that these, the agents could be watching all those points and they can be taking actions, um, to do that. But it's, and, and even suggesting what should be set up, uh, in, in that. Because the models pull in so much information from so many different places that they can, they know [00:40:00] generically what to do.

And that's, again, if you have the context now, you know specifically for you, you can use what's the best practice going on in a lot of places, and then your stack, what particularly do you need to do? And I, I think that's, that agents that can do that will provide great value, uh, in this whole space.

Because as you mentioned. A lot of security, even though we have adversaries using ai, they typically still go after the vulnerable parts that have been age old in their, they could still, you need to do good security hygiene, as they'd say. You know, you need to, you need to do the basics really well still, because often they're, they're making use of, of things that we've known about for decades.

Um, but we just haven't, like you said, a little bit lazy. Haven't, you know, no one's found it yet, so why don't have to worry about that patching that, you know, all those kinds of things. Uh, these days it's, it gets more and more important when you have the [00:41:00] adversaries using agents that can do this, that can look for stuff very quickly and, and make use of it.

Mehmet: Right. Now I gotta ask you something more related to, to you as a founder and the serial entrepreneur, Mike. Uh, you know, in, in your previous companies, like you were able to reach the, what we call the category leader, right? So. How do you identify the right problem I'm asking this for because as I was telling you, before we start recording, I like to give back to founders and entrepreneurs.

So especially in this domain or maybe in AI journal, how do you advise people now to identify the right problem before it becomes obvious? So to spot the signal, to spot the patterns and build something that can become a category leader, or even maybe they can create their own categories. 

Mike: Yeah. Great.

Great question. I, I, you know, a few words kind of there, I mean, part of it's got to do with, is what [00:42:00] we've talked about earlier, the, the different trends that you're seeing. But don't think about jumping onto that trend. Think about what are the, what are these, what's this particular trend? Um, going to need five years from now or a few years from now, and what's doing so like when we, when I co-founded a company called Fortify, which was an application security, um, it was really about, uh, you know, software had become just such a central part, you know, as, as they'd say.

You know, some of the largest banks, they're really software companies that happen to do a banking kind of thing. Now they're, they're not so much about the, um, you know, the vaults and the hard, you know, um, where part of that, uh, but look at these trends and say, you know, what are the things to do? So I've, I've tried to do that.

My, the very first company I was at, that was a great success. You know, when IPO and everything, it was. When it was around software quality mostly, but that was because software was becoming big and important. [00:43:00] So we knew that the quality would be at. And then this AppSec company that I started. It, it translated to, oh, now people are breaking into places because they're, they're looking at code vulnerabilities.

Maybe we should, you know, there's something like that. But it's all because of the software was growing and becoming more and more important, I think, you know, in this age of ai, you know, thinking about what, what AI can enable, but then what, what does it need? You know, it's, it's kind of the, I'd say my man, it's the kind of the classic, um, look for.

In the Gold rush, you could, you could join the gold Rush and try to find gold, or you could be, you know, you could sell picks and axes and tents, troubles, things like that. And so I've tended to be in my career part of that group that was selling the picks and axes and, and things that would help people do that.

And, and I think that's, there's a, a lot of, uh, you know, profit to doing that. And, and, and there's a great [00:44:00] need because the need is always there. And, and so yeah, we, um, I, I think it's a, anyone who's has an entrepreneurial bent it's looking at, at those kinds of things. And of course you look for gaps, you know, in that, right.

You know, people are supplying things and can we do it? And I think, you know, I'm in this one today because, uh. Three, four years ago, I don't think you could have even attacked this problem in a meaningful way. You know, providing a system of record for the security leader. You needed this ag agentic infrastructure to be able to do it.

So, so you know, you have to look for the confluence of new tech. Uh, same old problem, and can you solve it a different way? That's better. Um, you know, that those are the things that I, I know I look for. 

Mehmet: Yeah. If you might allow me, Mike, just, I would encourage people to one thing, like, although we know cybersecurity is a very, very, very, very crowded market, but if.

You know, and to [00:45:00] your point, like you can find, you know, how to be able to sell the accent pixel, right? So it's, it's a big, but also, you know, if you have. The, the distribution, like, you know, how, how you would be able to, to, to put it in the marketplace, and this is through a team you would gather maybe from your own experience.

And the second thing, which I'm seeing more and more like very important is, you know, the, the priority data that you might have. Um, this is becoming a mode also as well, and of course, you as, as a founder, you know, and, and how you are able to convince people with your vision. And I tell people now one thing, like of course, usually I'm into the blue ocean kind of mindset, but now with AI I started to say, okay, like anyone can create anything.

And I reminded myself the other day that. Because, you know, we're talking about the Googles and, uh, you know, the other, and Yahoo search, [00:46:00] when they started and actually Google, they were not like the first one. They actually, they were like number 20 maybe in this space. So there were like a lot of search engines, but they were able, first from technology perspective, but I think they, they, they cracked the code on the distribution.

So this is how they were able to, to, to grow the business. 

Mike: Yeah. To, to your point. I mean, I was part of Lycos and they came to us and said, let us be your search. 

Mehmet: Right. 

Mike: You know, for, for, so they, they, they OEMed people don't remember this, uh, Yahoo. They, they did the search. 

Mehmet: Yeah. 

Mike: Right. The technology for that, and what they, the, the thing they cracked was how to make money on it, you know, because they're, they're targeting and that is, that's their cash cow today.

So you're absolutely right. It's. You know, you don't remember that Google didn't start from scratch and Amazon didn't start from scratch either. I mean, these, these companies we hold up there. Uh, Netflix didn't start from scratch. I mean, these, all, all these places, they were a late, late entry into it.

Right? And there's lots of opportunity, even if you're late, it's 

Mehmet: the right moment, [00:47:00] right? Time, vision, like this is, this is of course like more than this, but I mean, these are the main ones. Now as we are close to to, to the end of this episode, Mike. Where people can find out more and, you know, get in touch.

Mike: Yeah. I, uh, you know, I told you earlier, we're still, uh, in stealth mode, uh, for that, but there's places where, uh, I would like to direct people because we're doing a couple other things. One is we have a, a site where, uh, we're just talking about a lot about the problems and, and, um, one of the areas that is very particular is how does security leaders talk to their board and, and do that.

And we have a. Um, a website called, uh, the, uh, security impact circle.org. So all one word, security impact circle.org. And it's just blogs from, uh, experienced people in the space, from directors, from security leaders, you know, all that. And we'll, you know, we, we have that as, uh, content and you'll learn more about pulse [00:48:00] security, AI from that.

Feel free to please go to our, our website, uh, and it's pulse security.ai, um, because you'll, you know, get ready for our journey too. And then you can, I mean, we'll, we'll soon have things where we'll be in preview mode and, and, and things that you can sign up for, uh, if you're interested in, in that. And you can see generally what we're doing.

Mehmet: Great. Of course, again, I make sure that I put all the links in the show notes so people who are listening on their favorite podcasting app, they can find that easily. Both the blog and of course the website of the company. Uh, and if you are watching this on YouTube, you'll find in description, I don't like to make this, but you know, this is the first time I gotta make it because it happened many times.

So Mike, I hope I'm right. Uh, people who appear on the show, especially when they are in the early stages, they go very big. So I'm, I'm, I'm pretty sure with your experience and, you know, the, the team that you have gathered together and the vision [00:49:00] that you have, uh, the company would, would go to the place that you wanted to be, uh, in.

I have no doubt on this, just without mentioning names. 'cause I didn't take permission, but. A couple of of you know, people who are on the show two years and three years ago. I've seen them either, they did big exit big acquisitions. I saw like people raising like very good series A, series B, who came from the show.

And I wasn't mistaken in my view. So just, you know, I, first time I mentioning this. And I feel glad that I was lucky to meet, you know, these founders early on in the career. And I'm be looking forward to watch the journey also of Pulse security, Mike as well. And at the end, this is how I end my episode.

This is for the audience. If you just discovered us by luck, I still have to say this because I'm waiting more people to join. Please subscribe, share it with your friends and colleagues, and if you are one of the people who keep coming. Again and again, thank you for doing so. Really, really, really, I'm so grateful for pushing the [00:50:00] show across, you know, multiple countries, apple top 200 podcasts in the category of entrepreneurship.

I decide to put it there because this is why the sweet spot tech is a little bit crowded. We are not like completely business. So this is where I saw it's, it's the good, but despite this. We are now at the week of the end of, uh, fab trending in three countries every week. I see, you know, the podcast in new countries.

So this cannot happen without, you know, people who are listening to, to, to us. And I really appreciate this, and as I say, always hope you enjoyed and they stay tuned for a new episode very soon. Thank you. Bye-bye.