In this episode of CISO Tradecraft, host G Mark Hardy speaks with Gadi Evron about the paper “The AI Vulnerability Storm Building: A Mythos Ready Security Program,” a community-driven draft produced in days with extensive input from security leaders. Evron explains how advances in LLMs and agents are accelerating vulnerability discovery and exploitation, shrinking time-to-exploit assumptions and likely increasing the volume of real vulnerability reports and patches. They discuss separating hype from real risk, the impact of Anthropic’s Mythos and limited access via Project Glasswing, and what CISOs should do now: adopt agents to operate at machine speed, use them defensively to find issues, build “vuln ops” capabilities, secure coding agents in the enterprise, and communicate shifting risk metrics to boards. They also preview the next Unprompted conference planned for September.

VulnAxis - https://vulnaxis.com/

Gadi Evron - https://www.linkedin.com/in/gadievron/

Knostic - https://www.knostic.ai/

The AI Vulnerability Storm Paper - https://labs.cloudsecurityalliance.org/mythos-ciso/

Unprompted - https://unpromptedcon.org/

On CISO Tradecraft, host G Mark Hardy welcomes back JP Bourgeet to discuss what “AI readiness” means for organizations, framing it as both a data governance challenge and a change-management problem. JP defines readiness for CISOs as strong threat protection, data security/governance, and device management, with the biggest gaps typically in labeling, DLP/DSPM, and poor information architecture (e.g., commingled data in SharePoint/Drive). They cover re-architecting past and future data into role-based structures so Copilot can honor permissions and sensitivity labels, plus the value of visibility, auditability, and insider-risk alerting for file access and LLM prompts. JP also discusses agentic systems and upcoming identity challenges for AI agents, compares AI readiness to platform engineering, emphasizes use-case-driven adoption (lunch-and-learns and ROI tracking), and highlights Daniel Miessler’s personal AI infrastructure work and a future shift toward AI-driven security products.

JP Bourget's Website https://www.bluecycle.net/

JP Bourget's Linkedin https://www.linkedin.com/in/jpbourget/

SaltCon- https://naclcon.com/

In this CISO Tradecraft episode, G Mark Hardy, Ross Young, and Andy Ellis share RSAC insights from the vendor floor, including Andy’s effort to visit about 607 booths. They highlight dominant themes like AI SOC offerings and agentic/agent security messaging, noting that many booths used unclear marketing or even failed to describe what they do. The discussion critiques activity-based metrics like badge scans, arguing for outcome-focused goals such as awareness, qualified follow-ups, and customer-driven product feedback. They explore how marketing should create informed buyers, how startups should communicate problem, urgency, and differentiation, and how AI and “vibe coding” may pressure vendor pricing or encourage internal tool-building. The episode also covers open-source sustainability and recommends networking via both major conferences and smaller private CISO events.

Take a look at these three helpful RSAC Reviews:

DUHA - https://www.duha.co/reports/state-of-security-vendors-rsac-2026/

VibeCoded - https://vibecoded.vc/cooked/

Jake Epstein's RSA 2026 Startup Landscape - https://jakee.vc/rsa-2026-landscape.html