In this episode of the CISO Tradecraft podcast, host G Mark Hardy interviews early tech adopter Chris Brogan to explore the intersection of high-performance leadership and effective communication. Drawing from his interviews with Navy SEALs and his tenure as a Chief of Staff, Brogan emphasizes that leadership is essentially the management of options and the cultivation of repetitive training to build a reliable team base. The discussion highlights the necessity of aligning staff roles with business needs, which sometimes requires the difficult but professional decision to let individuals go when they no longer fit the objective. Both experts stress that fully qualifying personnel for their next level of responsibility is a vital duty for any leader aiming for organizational excellence. Ultimately, the conversation advocates for authenticity, a willingness to fail forward, and the use of technology to foster genuine human interaction.

Chris Brogan's LinkedIn - https://www.linkedin.com/in/cbrogan/

In this CISO Tradecraft episode, host G Mark Hardy interviews recovering CISO Rock Lambros (Zenity) about securing Agentic AI and the emerging risks beyond LLM hallucinations. Lambros recounts his path from Oracle developer to CISO and AI standards work, then explains how agentic AI increases risk by connecting models to tools and actions. They discuss agentic AI supply chain attacks, including backdoored LiteLLM packages on PyPI and a compromised Amazon Q update, and the resulting shift from “patch fast” to more cautious dependency controls. The conversation highlights the OWASP Top 10 for Agentic Applications 2026, covering threats like goal hijack, tool misuse, identity/privilege abuse, memory/context injection, insecure inter-agent communication, cascading failures, human trust exploitation, and rogue agents, concluding with practical steps: inventory, kill switches, least agency, intent gates, and observability.

OWASP Top 10 for Agentic Applications -

https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/

In this CISO Tradecraft episode, host G Mark Hardy talks with Anton Chuvakin and Alex Hurtado about how SIEM programs fail and how organizations overspend when implementations prioritize dashboards or compliance over actionable detection engineering and collecting the right data. They share costly war stories ranging from multi-million and eight-figure deployments that became expensive “log toilets” or missed incidents due to data rationing and gaps, to mid-market teams burned by next-gen startup SIEMs going end-of-life and forcing replatforming. The discussion covers why Gartner Magic Quadrants can be useful depending on organizational context, the tradeoffs of decoupled/hybrid SIEM and security data lake architectures (cost, coverage, vendor management, and real-time detection limits), migration and egress/lock-in concerns, emerging AI/agentic SOC models and pricing, and the need to define requirements and measure effectiveness with realistic detection testing metrics.

In this episode of CISO Tradecraft, host G Mark Hardy speaks with Gadi Evron about the paper “The AI Vulnerability Storm Building: A Mythos Ready Security Program,” a community-driven draft produced in days with extensive input from security leaders. Evron explains how advances in LLMs and agents are accelerating vulnerability discovery and exploitation, shrinking time-to-exploit assumptions and likely increasing the volume of real vulnerability reports and patches. They discuss separating hype from real risk, the impact of Anthropic’s Mythos and limited access via Project Glasswing, and what CISOs should do now: adopt agents to operate at machine speed, use them defensively to find issues, build “vuln ops” capabilities, secure coding agents in the enterprise, and communicate shifting risk metrics to boards. They also preview the next Unprompted conference planned for September.

VulnAxis - https://vulnaxis.com/

Gadi Evron - https://www.linkedin.com/in/gadievron/

Knostic - https://www.knostic.ai/

The AI Vulnerability Storm Paper - https://labs.cloudsecurityalliance.org/mythos-ciso/

Unprompted - https://unpromptedcon.org/

On CISO Tradecraft, host G Mark Hardy welcomes back JP Bourgeet to discuss what “AI readiness” means for organizations, framing it as both a data governance challenge and a change-management problem. JP defines readiness for CISOs as strong threat protection, data security/governance, and device management, with the biggest gaps typically in labeling, DLP/DSPM, and poor information architecture (e.g., commingled data in SharePoint/Drive). They cover re-architecting past and future data into role-based structures so Copilot can honor permissions and sensitivity labels, plus the value of visibility, auditability, and insider-risk alerting for file access and LLM prompts. JP also discusses agentic systems and upcoming identity challenges for AI agents, compares AI readiness to platform engineering, emphasizes use-case-driven adoption (lunch-and-learns and ROI tracking), and highlights Daniel Miessler’s personal AI infrastructure work and a future shift toward AI-driven security products.

JP Bourget's Website https://www.bluecycle.net/

JP Bourget's Linkedin https://www.linkedin.com/in/jpbourget/

SaltCon- https://naclcon.com/

In this CISO Tradecraft episode, G Mark Hardy, Ross Young, and Andy Ellis share RSAC insights from the vendor floor, including Andy’s effort to visit about 607 booths. They highlight dominant themes like AI SOC offerings and agentic/agent security messaging, noting that many booths used unclear marketing or even failed to describe what they do. The discussion critiques activity-based metrics like badge scans, arguing for outcome-focused goals such as awareness, qualified follow-ups, and customer-driven product feedback. They explore how marketing should create informed buyers, how startups should communicate problem, urgency, and differentiation, and how AI and “vibe coding” may pressure vendor pricing or encourage internal tool-building. The episode also covers open-source sustainability and recommends networking via both major conferences and smaller private CISO events.

Take a look at these three helpful RSAC Reviews:

DUHA - https://www.duha.co/reports/state-of-security-vendors-rsac-2026/

VibeCoded - https://vibecoded.vc/cooked/

Jake Epstein's RSA 2026 Startup Landscape - https://jakee.vc/rsa-2026-landscape.html

In this CISO Tradecraft episode, co-hosts G Mark Hardy and Ross Young discuss how large language models are transforming software development and shifting cybersecurity from buying Software as a Service to “Service as Software,” and ultimately to "Systems of AI agents". They explain how writing code in English enables rapid prototyping, changing cost models by reducing labor hours and increasing speed and scale, with metrics like shrinking a 40-hour threat model effort to a 10-minute agent output. Ross outlines three generations, SIEM (SaaS), SOAR (services as software), and systems of agents (AI SOC), highlighting broader, evolving detection coverage. They cover risks including underestimated maintenance, scope creep, automating bad processes, and insecure AI-generated code, and demo a prompt-built software composition analysis/SBOM tool using CycloneDX and OSV. Ross also introduces his company, Clear Capabilities, focused on agentic workforce automation for governance, privacy, architecture, and compliance.

Cybersecurity's Dirty Secret: Why Most Budgets Go To Waste - https://www.amazon.com/Cybersecuritys-Dirty-Secret-Budgets-Tradecraft%C2%AE/dp/B0G26WHVTG/

Ross Young -

https://www.linkedin.com/in/mrrossyoung/

Developer AI Threats -

https://threats.backslash.security/

In this episode of CISO Tradecraft, host G Mark Hardy speaks with Brian Long, CEO and co-founder of Adaptive Security, about how AI is accelerating and scaling social engineering through deepfakes, OSINT-driven personalization, and real-time conversational attacks. Brian says people remain the biggest opportunity in cyber defense, citing rapid growth in deepfake-enabled incidents and examples including a widely reported $25M wire fraud involving a fake Zoom meeting of “peers,” plus a CFO/controller case where a deepfaked CEO pushed secrecy and urgency. They argue detection alone is unreliable due to an arms race and attackers shifting to unverified channels (phone, Teams/Slack, Signal). Key mitigations include workforce awareness, stronger organizational controls (especially for hiring and payments), verification habits, and personalized training paired with AI-powered simulations and reporting/automated email handling.

Big thanks to our sponsor Adaptive Security. Note, you can learn more about them by visiting their website:

https://www.adaptivesecurity.com/demo/security-awareness-training