Episodes

  • Chasing Entropy Podcast 025: Heidi Potter on Building Community and Leading with Kindness
    2025/10/14

    In this episode of Chasing Entropy, I sit down with Heidi Potter, longtime organizer of ShmooCon and now CEO of Turngate, for a heartfelt conversation about community, chaos, and legacy in cybersecurity.

    From ShmooCon to What’s Next

    For 20 years, Heidi helped shape ShmooCon into one of the most influential community-driven conferences in the industry. She reflects on the decision to sunset the event, sharing stories of the unexpected impact it had: first talks that launched careers, lifelong friendships, even marriages that began at the con. What started as a grassroots gathering became a cornerstone of hacker culture, thanks to her team’s dedication and her philosophy of “happy staff, happy event.”

    Lessons in Transparency and Leadership

    Heidi shares how ShmooCon embraced radical transparency through its Own the Con sessions—revealing the financial realities, challenges, and choices behind running a conference. She explains why building the right team and treating the venue itself as part of that team are essential to success. Her guiding principle of “lead with kindness” underscores both her event leadership style and her approach to life.

    Stories, Chaos, and Community Magic

    From snowstorms that stranded attendees for days, to the legendary “Shmoo Bus,” to the serendipity of LobbyCon, Heidi and Dave trade stories that highlight the humor, chaos, and magic that defined the event. For Heidi, coordinating chaos isn’t just a skill, it’s a way of finding order, meaning, and connection in unpredictable moments.

    Looking Forward

    While ShmooCon has closed its doors, Heidi isn’t done building community. She’s already laying the groundwork for new events under her Moose Meat initiative, with plans to create smaller, more flexible gatherings in the future. Above all, her focus remains on giving back to the community and leading with kindness.

    Listen now to hear Heidi’s reflections on two decades of ShmooCon, her insights on building inclusive communities, and why the stories we create together matter just as much as the code we write.

    36 min
  • Chasing Entropy Podcast 025: “Agents, the Legacy Web, and Logins that Don’t Leak” with Paul Klein IV
    2025/10/08

    In this episode of Chasing Entropy Podcast, I spoke with Paul Klein about the emerging “agentic web”, where AI agents perform real-world digital tasks on our behalf. Paul shares how Browserbase builds secure infrastructure for these agents to interact with websites safely, and how new integrations with 1Password’s Agentic Autofill enable secure, human-approved credential use without exposing secrets to AI models.

    Together, we explore how this evolution of automation can make the web more useful while keeping it secure, observable, and aligned with human intent.

    Key takeaways

    1. The rise of the “agentic web”

    • The internet still runs on legacy systems with no APIs—think DMV forms and government portals.
    • Browserbase enables AI agents to safely automate tasks on these sites using headless browsers (full browsers without a GUI).
    • These agents can perform structured, repetitive workflows—like procurement, compliance checks, or data lookups—without human micromanagement.

    2. Automation that works like an intern

    • AI isn’t magic; it needs structure.
    • Klein compares AI agents to interns: they’re capable but need clear instructions, context, and defined steps.
    • Repetitive “SOP-style” tasks are ideal; vague one-line prompts aren’t.

    3. Stagehand & Director: Building automation for everyone

    • Stagehand (open-source) allows natural-language automation using “fuzzy selectors” like “click the login button”, instead of brittle scripts.
    • Director lets anyone prompt AI to build web workflows, see the generated code in real time, and reuse it in production environments.

    4. Guardrails: Observability before autonomy

    • Browserbase includes live session replay—you can literally watch what your AI agent is doing in a headless browser.
    • Observability ensures safety and accountability; cached workflows reduce dependency on LLMs over time.
    • Governance best practice: treat AI tool use as remote code execution—sandbox it, restrict tool access, and monitor every action.

    5. Secure authentication for agents

    • 1Password Agentic Autofill now works in Director, allowing agents to securely log in with stored credentials.
    • The human stays in the loop: every login request is approved (or denied) in real time.
    • Passwords are never shared with the model; 1Password fills them directly into the browser.

    The pragmatic future of AI automation

    Paul sees agentic browsing not as a replacement for humans, but as a relief valve for digital drudgery. AI can handle the tedious work (checking orders, renewing passports, filling government forms) so humans can focus on creative and strategic thinking.

    “We’ve automated the equivalent of a couple thousand human lifetimes of browsing,” Klein notes. “That’s time people get back.”


    For CISOs and security leaders

    Paul’s advice:

    • Treat AI agents like RCE: Lock down execution environments, sandbox them, and validate every dependency.
    • Constrain tool access: Only approved connectors or MCPs should be callable.
    • Start with observability: Log every action and enable real-time oversight before allowing automation to run at scale.

    Memorable quote

    “AI is your intern. Give it the shopping list and the steps.” ~ Paul Klein


    Listen to this episode of Chasing Entropy wherever you get your podcasts: no hype, no FUD, just the humans behind the next wave of cybersecurity and AI automation.

    Also on YouTube: https://www.youtube.com/watch?v=o4tgJz_4WcM

    35 min
  • Chasing Entropy Podcast 024: Dhillon of Hack in the Box on Conferences, Chaos, and the Future of Security
    2025/10/07

    In this episode of Chasing Entropy, I sit down with Dhillon Kannabhiran, the founder of the long-running Hack in the Box (HITB) Security Conference, to explore the origins, evolution, and impact of one of the world’s most influential hacker gatherings.

    From Kuala Lumpur to Global Stages

    Dhillon shares the unlikely beginnings of HITB in Malaysia, which started as a scrappy, accessible alternative to high-cost events like Black Hat. Against all odds, and despite skepticism that “nobody would come to Malaysia”, HITB attracted global speakers and quickly became a fixture in Asia, the Middle East, and Europe. Along the way came wild stories of last-minute chaos, cultural exchanges, and the conference’s deliberate focus on building community through face-to-face connections.

    Curating Talks and Building Community

    The conversation dives into how talks are chosen, balancing technical depth with accessibility, and ensuring new voices get a platform. Dhillon emphasizes that HITB isn’t just about the talks you can rewatch later, it’s about hallway conversations, TCP/IP networking sessions, and serendipitous encounters that spark startups, collaborations, and lifelong friendships.

    Security Lessons (and Non-Lessons)

    Looking back at two decades of research presented at HITB, Dhillon is candid: many of the same problems persist, only shifted into new technologies. From classic exploits to today’s “vibe coding” and AI-assisted development, human error and misunderstanding remain the root causes of vulnerabilities. Still, this constant reinvention ensures hackers, and defenders, will never run out of work.

    AI, Translation, and the Future of Conferences

    The discussion expands to how AI is reshaping both hacking and events. From bug-hunting orchestration with AI agents to real-time language translation devices, the tools are changing fast. Dhillon warns of risks like AI-generated deepfakes but also highlights opportunities for accessibility, inclusivity, and global collaboration.

    Words to Hack By

    Dhillon closes with advice for hackers and builders alike: “Try stuff out. Don’t hold back. Don’t think there’s going to be a tomorrow. Do whatever you can today. Keep hacking, bro.”

    40 min
  • Chasing Entropy Podcast 23: Cybersecurity Meets M&A with Cole Grolmus
    2025/09/30

    In this episode of Chasing Entropy, I sit down with Cole Grolmus, founder of Strategy of Security, to explore the often-overlooked world where cybersecurity and mergers & acquisitions (M&A) collide.

    The Journey to Strategy of Security

    Cole shares his path from early sysadmin roles in Iowa to a decade at PwC, where he worked on large-scale cybersecurity transformations. Along the way, he blended business acumen with technical expertise, ultimately founding Strategy of Security to bridge the gap between practitioners and the commercial side of the industry.

    M&A and Cybersecurity: Where Risk Meets Value

    The conversation dives deep into the realities of cybersecurity in M&A:

    • The real “gotchas” - Rarely do deals fall apart solely due to security issues, but identifying problems early can shape budgets and integration strategies.
    • Integration challenges - From identity platforms to logging, customer management systems, and vendor contracts, successful acquisitions depend on planning for forward-looking integration, not just current posture.
    • Reasonable assurance - Much like audits, due diligence can only go so far. Complete certainty is impossible, and security leaders must manage risk with contingencies like holdbacks and clawbacks.

    The AI Wild West

    Cole and Dave touch on the rising role of agentic AI in enterprises. Whether it’s ephemeral developer tools or standing customer-facing agents, the lack of maturity and consistency makes integration during M&A even more complex.

    Advice for Security Leaders

    For CISOs facing M&A, Cole emphasizes:

    • Have a playbook - Not all M&A is bad, but leaders must prepare to handle inherited risks.
    • Factor M&A into your vendor strategy - The cybersecurity industry itself is consolidating rapidly, with billion-dollar deals becoming common. Vendor stability (or lack thereof) is now a core risk to manage.
    • Pay attention to the business side - As careers progress, understanding the industry landscape matters as much as technical defenses.

    Key Takeaway

    M&A in cybersecurity isn’t just about dollars and deals, it’s about managing complexity, risk, and people. Whether you’re a CISO preparing for an acquisition or a practitioner navigating vendor shakeups, the ability to translate between business imperatives and technical realities is critical.

    36 min
  • Chasing Entropy Podcast 022: Michael Farnum on building security communities & navigating agentic AI
    2025/09/23

    From a tank driver in the Gulf War to the founder of one of the U.S.’s largest regional cybersecurity conferences, Michael Farnum’s journey is a study in discipline, community, and curiosity. He shares how early exposure to cryptography, BASIC programming pranks, and first encounters with firewalls led him into security.

    We dive into how Farnum built the Houston Security Conference (HOU.SEC.CON) from 120 attendees in 2010 into a 3,000-person international event.

    He also discusses the rapid rise of agentic AI, what excites him, and the risks of unauthenticated MCP servers, shaky credential governance, and invisible AI triggers. Despite looming challenges, Farnum is optimistic that security conversations are starting earlier this time around.

    He closes with timeless advice: don’t be overly cautious, advocate for your value and take the smart risks you might otherwise pass up.

    Key Takeaways

    • Military lessons: Encryption mishaps in the Gulf War taught discipline, planning, and after-action reviews that later informed his cybersecurity mindset

    • The hook into security: First exposure to a Unix firewall showing live traffic convinced him this was the path to follow

    • Community builder: Founded HOU.SEC.CON to unite a fragmented Houston infosec scene; it has since grown into a national/international draw with thousands of attendees

    • AI & agentic AI: Rising volume of submissions at security conferences; risks include unauthenticated MCP endpoints, hidden triggers, and weak credential governance

    • CISO struggles:
      • Data security remains the #1 challenge—knowing what you have, where it is, and who can access it.
      • Application security continues to lag despite new tools.
      • Modern infrastructure & APIs can help if applied well.
      • AI-driven SOCs are already shifting MDR/MSSP models, often without customers realizing it.
    • Career advice: Be less cautious and ask for what you’re worth, take smart risks, and don’t undersell yourself
    37 min
  • Chasing Entropy Podcast 021: Cybersecurity in M&A with Brian Levine
    2025/09/16

    This week I got to sit down with Brian Levine, a cybersecurity consultant and former U.S. DOJ cybercrime prosecutor, to unpack how security risks shape mergers, acquisitions, divestitures, and investments. We cover what really moves deal price and structure, why early cyber due diligence matters, and how to protect “Day 1” operations without blowing up the integration plan.

    Brian Levine, Cybersecurity consultant; former DOJ national coordinator for cybercrime prosecutors; founder of FormerGov, a directory connecting former government and military professionals with employers and recruiters.

    Key takeaways

    • Incidents move deals. Known or newly discovered breaches often pause negotiations, change terms, and drive down price—even if they don’t kill the deal.
    • Do diligence in three passes:
      1. Inside-out (docs, policies, IR records, pen tests, insurance);
      2. Outside-in (OSINT, dark-web intel);
      3. Technical testing (when permitted pre-sign/close).
    • Start early. The earlier you assess cyber risk, the more leverage you have to shape price, integration plans, and pre-close remediation.
    • MFA, IAM, backups = table stakes. Missing basics can invalidate cyber-insurance claims and should be fixed before announcement to avoid “signal flare” attacks.
    • Cloud reality check. Many targets lack visibility into their cloud posture; prioritize third-party assessments and guardrails that protect PII, IP, and operations.
    • Vendor blast radius matters. Mature third-party risk management includes annual reassessments, contractual obligations, insurance checks, and vendor-involved tabletops, plus contingency (“backup vendor”) planning.
    • Culture can be a blocker. If “everyone is an admin,” expect friction; design an identity plan that tightens controls without triggering mass attrition.
    • Day-1 playbook, security-first. Run a compromise assessment pre-connect, harden the first systems to integrate (often O365), and sequence identity, segmentation, and logging before broad access.
    • Boards should ask: What did we actually do for cyber diligence, what didn’t we do, and why? Reasonableness, and the paper trail, matter.

    Notable moments

    • Unearthing issues outside-in: spotting malware beacons and leaked data for sale before the target even knows.
    • Regulatory context: Europe’s heavier regime (GDPR, DORA, AI rules) vs. the U.S. patchwork; either way, negligence standards still bite.
    • Real-world stakes: from payroll outages to healthcare delays, cyber incidents can rapidly become safety and livelihood issues.

    Resources & mentions

    • FormerGov, directory for former government and military professionals seeking roles in the private sector.
    • Topics referenced: GDPR, DORA, MFA, IAM, immutable backups, zero-trust enclaves, dark-web monitoring, third-party risk management & vendor tabletop exercises.

    About the show

    Chasing Entropy goes beyond the headlines (no hype, no FUD) to explore the human decisions and systemic cracks that put security to the test. Subscribe, share, and send me your questions for future episodes.

    40 min
  • Chasing Entropy Podcast 020: Trey Ford on Research, Risk, and the Rise of Agentic AI
    2025/09/09

    In the 20th episode of the Chasing Entropy Podcast, Dave Lewis sits down with Trey Ford, Chief Strategy & Trust Officer at Bugcrowd and former General Manager of Black Hat, to explore the realities of modern cybersecurity leadership.

    From the pitfalls of annual penetration tests to the messy realities of vulnerability disclosure, Trey shares lessons from decades in the field. He explains why risk should be owned at the board level (not by the CISO alone), why disclosure remains the internet’s immune system, and what the rise of agentic AI means for governance and resilience.

    The conversation also dives into leadership growth: shifting from arguing to win, to arguing to understand, and how CISOs can transform into true business partners rather than gatekeepers.

    Key Takeaways

    • Continuous resilience matters. Annual pen tests don’t reflect reality—continuous measurement does.
    • Risk ownership belongs with the business. CISOs shouldn’t carry it alone.
    • Disclosure is essential. Research-first venues like Black Hat make it safer.
    • Agentic AI raises new risks. Guardrails, explainability, and governance must be designed in.
    • CISO success = trust. Build partnerships across the executive team, not walls.

    Memorable Quotes

    • “If it’s accessible, it’s worth securing; scope is a convenience, not a defense.”
    • “It’s not CISO vs. world; it’s the business deciding risk together.”
    • “In the cloud you can ‘accidentally it all the way’, agentic AI just gives that accident agency.”

    Listen to Episode 20 now wherever you get your podcasts!

    31 min
  • Chasing Entropy Podcast 019: Balancing Security, IT, and Human Outcomes with Jacob DePriest
    2025/09/02

    In this episode of Chasing Entropy, host Dave Lewis, Global Advisory CISO at 1Password, sits down with Jacob DePriest, the newly appointed CISO and CIO at 1Password. Together, they explore the intersection of security, IT, and the human factors that shape how we defend, and sometimes undermine, our digital world.

    From NSA to GitHub to 1Password

    Jacob traces his path from early engineering work at the NSA to leading security operations at GitHub, and now into his dual role at 1Password. With roots in engineering and open source advocacy, he shares how those experiences shaped his approach to building secure yet productive environments.

    Security and Development: A Necessary Partnership

    A recurring theme is the relationship between security teams and developers. Jacob emphasizes that security cannot scale without deep integration into the engineering lifecycle. Rather than bolting on controls, he advocates for shared scoreboards, embedded guardrails, and empowering developers to focus on outcomes without unnecessary friction.

    Secrets, AI, and the Future of Risk

    The conversation dives into secrets management and the rise of AI in security. Jacob highlights how smarter alerting and AI-assisted scanning can help reduce noise around exposed credentials. They also discuss the promises and pitfalls of agentic AI, where transparency, governance, and credential security will become defining challenges for enterprises.

    Balancing Productivity and Protection

    As both CISO and CIO, Jacob is uniquely positioned to tackle the long-standing tension between IT enablement and security. He argues that these shouldn’t be opposing forces; the shared goal is enabling the business safely and responsibly. Hybrid teams and flexible models, such as customizable unlock experiences in 1Password, illustrate how to strike that balance.

    Diversity, Culture, and Psychological Safety

    The episode also touches on team culture: hiring for diversity of thought, encouraging dissenting voices, and building psychological safety. Jacob and Dave reflect on how recognition systems, open communication, and intentional leadership can foster stronger, more resilient security teams.

    Parting Advice for Security Leaders

    Jacob closes with two guiding principles:

    1. Focus on outcomes and the big picture; don’t lose sight of the real problems in pursuit of perfect solutions.
    2. Appreciate the community of security professionals who face daily challenges in an increasingly complex landscape.

    Listen now to hear Jacob’s insights on navigating the evolving role of security leaders, the integration of IT and cybersecurity, and how to prepare for the next wave of challenges.

    As always, be sure to like and subscribe!

    32 min