Episodes

  • From Hacker to Hero
    Dec 3 2025

    What if your next great cyber defender is a teenager gaming in their bedroom right now?

    In this Threat Talks episode, Lieuwe Jan Koning and former FBI Supervisory Special Agent William McKean (founder of The Redirect Project) explore how young digital natives go From Hacker to Hero.

    They chart the journey from gaming and online communities to real-world intrusions.
    Then they show how to redirect that curiosity into ethical hacking, cyber defense, and a Zero Trust mindset at home and at work.

    You’ll get practical questions to ask kids, simple “safe word” tactics, and concrete steps security leaders can use to grow defenders instead of future attackers.

    Key Topics Covered
    From gamer to attacker: How curiosity, gaming communities and digital “mentors” funnel kids into cybercrime, and how to redirect that path toward ethical hacking.

    Psychology of recruitment: Why belonging, status and rewards override an undeveloped moral compass, and how grooming patterns mirror terrorism and gang recruitment.

    Parent & educator playbook: Practical ways to talk about online life, spot early warning signs, use “safe words,” and apply a Zero Trust mindset at home.

    Diversion, not destruction: How programs like The re_direct Project, HackShield, re_B00TCMP, Hack_Right, and The Hacking Games turn justice-involved kids into defenders instead of life-long offenders.

    • (00:00) - Introduction
    • (01:25) - What does the FBI’s cyber division do?
    • (05:40) - Children as hackers
    • (08:14) - From hacker to helper
    • (10:31) - It all starts with curiosity
    • (17:56) - What about AI development?
    • (21:27) - Other mechanisms to worry about
    • (22:32) - What can we do to help?
    • (27:17) - The re_direct Project
    • (33:45) - What should the consequences be for child hackers?
    • (37:09) - Recommendations for parents
    • (42:02) - What can organizations do?

    Additional Resources
    ON2IT & Threat Talks
    • ON2IT – Zero Trust Innovators: https://on2it.net/
    • Zero Trust as a Service: https://on2it.net/zero-trust/
    • Threat Talks podcast hub: https://threat-talks.com/

    Episode Guest & Projects Mentioned
    • The re_direct Project (youth cyber diversion & mentorship): https://www.redirectproject.org/
    • HackShield (elementary school cyber game): https://www.hackshieldgame.com/
    • Dutch Police re_B00TCMP “Reboot Camp”: https://www.politie.nl/informatie/re_b00tcmp.html
    • Hack_Right juvenile cyber program: https://www.om.nl/onderwerpen/cybercrime/hack_right
    • The Hacking Games (ethical hacker esports): https://www.thehackinggames.com/

    If this episode helped you rethink your From Hacker to Hero strategy for your family or your workforce, hit Like and subscribe to Threat Talks.


    🔔 Follow and Support our channel! 🔔
    ===
    ► YOUTUBE: https://youtube.com/@ThreatTalks
    ► SPOTIFY: https://open.spotify.com/show/1SXUyUEndOeKYREvlAeD7E
    ► APPLE: https://podcasts.apple.com/us/podcast/threat-talks-your-gateway-to-cybersecurity-insights/id1725776520

    👕 Receive your Threat Talks T-shirt
    https://threat-talks.com/

    🗺️ Explore the Hack's Route in Detail 🗺️
    https://threat-talks.com

    🕵️ Threat Talks is a collaboration between @ON2IT and @AMS-IX

    45 m
  • The Npm Worm Outbreak
    Nov 25 2025

    The world’s biggest open-source ecosystem - npm - faced its first self-spreading worm.

    They called it Shai Hulud.

    It didn’t just infect one package. It infected developers themselves.

    When a maintainer got phished, the worm harvested credentials, hijacked tokens, and created new CI/CD workflows to keep spreading - automatically.

    No command-and-control. No manual uploads. Just a chain reaction across the npm registry.

    And while the world was busy shouting about “2.6 billion downloads affected,” this real threat was quietly exfiltrating GitHub, cloud, and npm secrets - right under everyone’s nose.

    This isn’t just another npm story.

    It’s the first-ever self-replicating supply chain worm - and a wake-up call for every developer and security team building in the open.

    Watch host Rob Maas (Field CTO, ON2IT) and Yuri Wit (SOC Analyst, ON2IT) break down how it started, how it spread, and how to make sure your pipeline isn’t the next one to go viral.


    • (00:00) - Intro, welcome & what npm is
    • (00:01) - Crypto drainer: how it worked, maintainer phish & real impact
    • (00:05) - “Shai Hulud” worm: credential harvesting & package spread
    • (00:07) - Hype vs reality: the “2.6 billion downloads” myth & media reaction
    • (00:10) - Defenses: dependency strategy & CI/CD workflow alerts
    • (00:14) - Secrets hygiene, OS targeting (Windows exit), end-user/EDR tips & takeaways

    Key Topics Covered
    • How a maintainer phish and TOTP capture led to a crypto drainer in npm.
    • Why Shai Hulud’s credential harvesting + CI/CD persistence makes it high-impact.
    • Practical defenses: pin/review dependencies, CI/CD change alerts, secret rotation, egress monitoring.
    • What developers vs. end users can (and can’t) do in supply-chain attacks.
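
    A concrete first check for the “pin/review dependencies” advice above, written as an added example for this listing (it is not code from the episode or from npm). Worm-style npm malware runs from install-time lifecycle hooks, so the script lists every package that executes code during `npm install` and every dependency whose version spec is a range rather than an exact version. The two manifests at the bottom are constructed for the example; `scan_node_modules` walks a real installed tree.

```python
"""Audit npm manifests for install-time lifecycle scripts and unpinned ranges.

Added example, not code from the episode. A fresh "npm install" runs the
preinstall/install/postinstall scripts of every installed package, which is
how a worm-style package gets to execute on a developer machine or CI runner.
"""
import json
import os
import re

# Scripts npm runs automatically when a package is installed as a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Exact semver (1.2.3, 1.2.3-beta.1, 1.2.3+build); anything else is a range.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")


def install_hooks(manifest):
    """Return {hook: command} for the install-time scripts a manifest declares."""
    scripts = manifest.get("scripts") or {}
    return {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}


def unpinned_dependencies(manifest):
    """Return {name: spec} for dependencies that are not exact versions.

    A caret or tilde range lets the next "npm install" silently pull a newly
    published (possibly trojaned) release of the same package.
    """
    found = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in (manifest.get(section) or {}).items():
            if not EXACT_VERSION.match(str(spec)):
                found[name] = spec
    return found


def audit_manifest(manifest):
    """Combine both checks into a list of human-readable findings."""
    name = manifest.get("name", "<unnamed>")
    findings = []
    for hook, cmd in install_hooks(manifest).items():
        findings.append(f"{name}: runs '{hook}' at install time: {cmd}")
    for dep, spec in unpinned_dependencies(manifest).items():
        findings.append(f"{name}: dependency {dep} is not pinned ({spec})")
    return findings


def scan_node_modules(root):
    """Walk an installed node_modules tree and audit every package.json in it."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue  # not a manifest we can parse; skip rather than crash
        findings.extend(f"{dirpath}: {f}" for f in audit_manifest(manifest))
    return findings


# Constructed sample manifests (fictional package names) so the script runs offline.
CLEAN_MANIFEST = {
    "name": "clean-lib",
    "version": "1.0.0",
    "scripts": {"test": "node test.js"},
    "dependencies": {"tiny-pad": "1.3.0"},
}

SUSPECT_MANIFEST = {
    "name": "suspect-lib",
    "version": "2.1.0",
    "scripts": {"postinstall": "node bundle.js", "test": "node test.js"},
    "dependencies": {"some-helper": "^4.0.0"},
    "devDependencies": {"other-tool": "~1.2.0"},
}

if __name__ == "__main__":
    for manifest in (CLEAN_MANIFEST, SUSPECT_MANIFEST):
        for line in audit_manifest(manifest) or [f"{manifest['name']}: no findings"]:
            print(line)
```

    Run it against a project with `scan_node_modules("node_modules")` after an install; a package that legitimately needs a native build will show up too, so the output is a review list, not a verdict. Setting `ignore-scripts=true` in `.npmrc` stops all of these hooks from running at install time, which removes the execution path entirely at the cost of building any native dependencies yourself.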

    Got your attention?

    Subscribe to Threat Talks and turn on notifications for more content on the world’s leading cyber threats and trends.


    Guest and Host Links:

    Rob Maas (Field CTO, ON2IT): https://www.linkedin.com/in/robmaas83/

    Yuri Wit (SOC Analyst, ON2IT): https://www.linkedin.com/in/yuriwit/

    Additional Resources
    Threat Talks: https://threat-talks.com/
    ON2IT (Zero Trust as a Service): https://on2it.net/
    AMS-IX: https://www.ams-ix.net/ams
    npm: https://www.npmjs.com/
    Node.js: https://nodejs.org/
    GitHub Docs: Actions & Workflows: https://docs.github.com/actions
    MetaMask: https://metamask.io/
    OWASP Dependency Management: https://owasp.org/www-project-dependency-check/
    SLSA Supply-chain Levels for Software Artifacts: https://slsa.dev/


    18 m
  • Public Key Infrastructure: The Foundation of Digital Trust
    Oct 21 2025

    How solid is your digital trust? Or are you just hoping your PKI is secure?
    Let’s be honest: too many companies run on borrowed trust and forgotten certificates. In this episode of Threat Talks, ON2IT’s Lieuwe Jan Koning and Rob Maas pull back the curtain on what really holds your digital world together, and what can tear it down overnight.
    They break down PKI in plain language: the root of trust that must stay locked away offline, the intermediates that do the day-to-day issuing and keep your systems running, and the automation (ACME) that stops your team from clicking “ignore” on yet another certificate warning.
    You’ll see why running your own CA for your own devices beats borrowing trust from someone else, how to keep every device on the same chain of trust, and why short-lived certificates might just save you from the next big breach.
    This isn’t theory. It’s how Zero Trust really starts: by proving that your organization can trust itself.

    Additional Resources
    • Threat Talks Episode on SSL Decryption – https://youtu.be/Xv_jVHVsD9w
    • ON2IT Zero Trust: https://on2it.net/zero-trust/
    • ACME protocol (RFC 8555): https://datatracker.ietf.org/doc/rfc8555/
    • Let’s Encrypt / ACME protocol – https://letsencrypt.org
    • DigiNotar case study background – https://en.wikipedia.org/wiki/DigiNotar
    • Mozilla CA Program (trusted root store): https://wiki.mozilla.org/CA
    • infographic about encryption  https://on2it.s3.us-east-1.amazonaws.com/20250304_Infographic_Encryption.pdf

    Guest & Host Links:
    Rob Maas (Field CTO, ON2IT): https://www.linkedin.com/in/robmaas83/
    Lieuwe Jan Koning (Founding Partner, ON2IT): https://www.linkedin.com/in/lieuwejan/


    Key Topics Covered
    • Why root keys must never be online, and how intermediates carry the day-to-day issuing so that a compromise can be contained by revoking an intermediate rather than the root.
    • Real-world PKI failure: the DigiNotar compromise and lessons for CISOs.
    • How ON2IT built a secure, low-cost PKI with offline key bearers and ACME automation.
    • The hidden risk of training employees to ignore certificate warnings, and how Zero Trust demands the opposite.


    35 m
  • Inside the SalesLoft Breach
    Nov 18 2025

    You were promised safe SaaS - but got silent data loss.
    In Inside the Salesloft Breach, Rob Maas and Luca Cipriano expose how trusted integrations became the attack vector.

    They trace how vishing calls, trojanized Salesforce tools, and GitHub-to-AWS pivots gave attackers OAuth access and drained CRMs without a single alert. You’ll hear how Drift integrations and bulk SOQL queries quietly moved data out of sight, while audit trails and API job metadata were deleted behind them.
    If you need provable control over data exfiltration and a narrative your board will understand, this is your playbook.

    Turn Zero Trust from slogan into enforcement - with IP allowlists, connected-app inventories, token telemetry, and a shared-responsibility model that actually blocks abuse at the source.

    • (00:00) - Cloud first did not mean data safe.
    • (00:45) - What Salesforce is and why attackers target it.
    • (02:00) - Campaign one. Vishing and a trojanized data loader to OAuth access.
    • (04:15) - Campaign two. Salesloft and Drift path from GitHub to AWS to Salesforce tokens.
    • (07:00) - Impact and cover up. 700 plus orgs hit and API job metadata removed.
    • (09:10) - Who was involved. ShinyHunters, Scattered Spider, Lapsus$, and legal fallout.
    • (11:00) - Zero Trust actions. IP allowlisting, app inventory, token monitoring, staff education, shared responsibility.

    Key Topics Covered:
    • How one sign-in token became a master key for your CRM.
    • The attacker’s route: from code repo → cloud → Salesforce → data exfiltration.
    • What shared responsibility means in SaaS — and what’s actually on you.
    • What truly stops it: trusted apps only, IP allowlists, short-lived tokens, and continuous monitoring.
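
    The “token telemetry” and “IP allowlists” points above, turned into detection logic as an added example (not the episode’s own code and not tied to any vendor API). It runs four checks over CRM API-access events: is the connected app on the approved inventory, did the token come from an allowlisted network, is a query job pulling an unusual row volume (summed per app and source address, so many mid-sized pulls are caught too), and was a job record deleted, the audit-trail cover-up pattern the episode describes. The allowlist, app inventory, threshold, field names and sample events are all constructed for the example; map the fields onto your own CRM’s event log.

```python
"""Token telemetry for a SaaS CRM integration.

Added example, not the episode's code. Events are dicts with the
constructed keys ts, app, ip, event_type, rows.
"""
import ipaddress
from collections import defaultdict

# Constructed allowlist using documentation ranges (RFC 5737).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed inventory of connected apps that are allowed to hold OAuth tokens.
TRUSTED_APPS = {"chat-widget", "hr-sync"}

BULK_ROW_THRESHOLD = 100_000  # assumed baseline; tune per object and per app


def ip_allowed(ip, networks=ALLOWED_NETWORKS):
    """True if the source address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def flag_events(events, trusted_apps=TRUSTED_APPS, threshold=BULK_ROW_THRESHOLD):
    """Return a list of (rule, app, ip) alerts for the given events.

    Row counts are accumulated per (app, ip) so that a series of queries
    that together exceed the threshold raises one bulk-export alert.
    """
    alerts = []
    rows_seen = defaultdict(int)
    bulk_reported = set()
    for ev in events:
        app, ip = ev["app"], ev["ip"]
        if app not in trusted_apps:
            alerts.append(("unknown-app", app, ip))
        if not ip_allowed(ip):
            alerts.append(("ip-not-allowlisted", app, ip))
        if ev["event_type"] == "BulkApiQuery":
            rows_seen[(app, ip)] += ev.get("rows", 0)
            if rows_seen[(app, ip)] >= threshold and (app, ip) not in bulk_reported:
                alerts.append(("bulk-export", app, ip))
                bulk_reported.add((app, ip))
        if ev["event_type"] == "BulkJobDeleted":
            # Deleting the job record removes the evidence of what was pulled.
            alerts.append(("job-metadata-deleted", app, ip))
    return alerts


# Constructed sample events: one normal integration call, then an abused token.
SAMPLE_EVENTS = [
    {"ts": "2025-01-01T09:00:00Z", "app": "chat-widget", "ip": "203.0.113.10",
     "event_type": "BulkApiQuery", "rows": 500},
    {"ts": "2025-01-01T09:05:00Z", "app": "chat-widget", "ip": "192.0.2.77",
     "event_type": "BulkApiQuery", "rows": 60_000},
    {"ts": "2025-01-01T09:06:00Z", "app": "chat-widget", "ip": "192.0.2.77",
     "event_type": "BulkApiQuery", "rows": 70_000},
    {"ts": "2025-01-01T09:07:00Z", "app": "chat-widget", "ip": "192.0.2.77",
     "event_type": "BulkJobDeleted", "rows": 0},
    {"ts": "2025-01-01T09:10:00Z", "app": "data-loader-x", "ip": "203.0.113.10",
     "event_type": "Login", "rows": 0},
]

if __name__ == "__main__":
    for rule, app, ip in flag_events(SAMPLE_EVENTS):
        print(f"{rule:22} app={app} ip={ip}")
```

    The second and third events come from a trusted app but from outside the allowlist, which on its own is the signal that a legitimate integration’s token is being replayed from somewhere else; the deletion event is what turns a data-volume anomaly into a cover-up.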

    Found value and want outcome-focused guidance every week?
    Subscribe to Threat Talks, turn on notifications, and add your questions for the next deep dive.

    Guest and Host Links:
    Rob Maas (Field CTO, ON2IT): https://www.linkedin.com/in/robmaas83/
    Luca Cipriano (Cyber Threat Intelligence Program Lead, ON2IT): https://www.linkedin.com/in/luca-c-914973124/


    Additional resources:
    Threat Talks https://threat-talks.com/
    ON2IT https://on2it.net/
    AMS IX https://www.ams-ix.net/ams
    Salesforce https://www.salesforce.com/
    Salesloft https://www.salesloft.com/
    Drift https://www.drift.com/
    Okta https://www.okta.com/
    Have I Been Pwned https://haveibeenpwned.com/

    22 m
  • The App Store Nightmare: Why AI MCP Stores Are a Trap
    Nov 11 2025

    The new AI app store is here - and it’s already making choices for your company.
    This episode shows you how to spot it, stop it, and stay safe.

    Host Lieuwe Jan Koning with Rob Maas (Field CTO, ON2IT) explain the app store nightmare in plain language. A new protocol, MCP (Model Context Protocol), lets AI tools like ChatGPT, Claude, and Gemini do tasks for you - sometimes too much. When a bad tool or a sneaky document gets in, it can read, send, or delete things without you noticing.


    Real cases, real damage:

    • Postmark MCP backdoor - secretly BCC’d copies of emails to an outside address
    • Shadow Escape - “zero-click” data theft triggered by a hidden prompt in a document
    • kubectl chaos - a single mistaken command that can wipe workloads


    Your quick fix: keep a list of every AI tool and give each only the access it needs. Example: let your document bot read just the “Policies” folder—not your whole drive. For more fixes, watch the full episode.
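
    The quick fix above (an inventory of tools, each with only the access it needs) as an added example, written for this listing and not taken from the episode or from any MCP implementation. Every tool call passes through one deny-by-default gate: unknown tools, unlisted actions, and paths that resolve outside the tool’s root (including `../` escapes) are refused. The tool names, actions, roots and sample requests are constructed for the example.

```python
"""Least-privilege gate for AI tool (MCP-style) calls.

Added example, not code from the episode or from any MCP server. The
document bot may only read under /srv/share/Policies; nothing else is granted.
"""
import posixpath

# Constructed inventory of approved tools and the access each one gets.
TOOL_POLICY = {
    "document-bot": {"actions": {"read"}, "root": "/srv/share/Policies"},
    "mail-helper": {"actions": {"read", "send"}, "root": "/srv/mail/outbox"},
}


def path_within(root, path):
    """True only if the normalised absolute path stays under root.

    Normalisation collapses "..", so "/root/../Finance/x" is rejected. On a
    real host resolve symlinks too (os.path.realpath) before calling this.
    """
    if not posixpath.isabs(path):
        return False
    norm = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return norm == root or norm.startswith(root.rstrip("/") + "/")


def authorize(tool, action, path, policy=TOOL_POLICY):
    """Return (allowed, reason). Default is deny; every grant is explicit."""
    entry = policy.get(tool)
    if entry is None:
        return False, f"tool '{tool}' is not in the approved inventory"
    if action not in entry["actions"]:
        return False, f"tool '{tool}' may not '{action}'"
    if not path_within(entry["root"], path):
        return False, f"path '{path}' is outside '{entry['root']}'"
    return True, "ok"


def filter_requests(requests, policy=TOOL_POLICY):
    """Apply authorize() to a batch of (tool, action, path) and return the denials."""
    denials = []
    for tool, action, path in requests:
        allowed, reason = authorize(tool, action, path, policy)
        if not allowed:
            denials.append((tool, action, path, reason))
    return denials


# Constructed requests, the kind a prompt-injected document could make a tool issue.
SAMPLE_REQUESTS = [
    ("document-bot", "read", "/srv/share/Policies/leave-policy.pdf"),
    ("document-bot", "read", "/srv/share/Finance/payroll.xlsx"),
    ("document-bot", "read", "/srv/share/Policies/../Finance/payroll.xlsx"),
    ("document-bot", "delete", "/srv/share/Policies/leave-policy.pdf"),
    ("shadow-tool", "read", "/srv/share/Policies/leave-policy.pdf"),
    ("mail-helper", "send", "/srv/mail/outbox/reply-42.eml"),
]

if __name__ == "__main__":
    for tool, action, path, reason in filter_requests(SAMPLE_REQUESTS):
        print(f"DENY {tool} {action} {path}: {reason}")
```

    Only the first and last requests pass. The point of the prefix check with a trailing slash is that `/srv/share/PoliciesX/` is not inside `/srv/share/Policies`; a naive `startswith` on the bare root string would let it through.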

    • (00:00) - “There’s a new app store” (why this matters now)
    • (01:05) - MCP explained simply: agents vs. chatbots
    • (03:45) - Connectors & consent: the hidden back channel
    • (06:20) - Breach stories: Postmark backdoor, Shadow Escape theft
    • (10:45) - Kubernetes chaos: how one command can erase systems
    • (14:30) - App store & “vetting”: who’s actually checking?
    • (18:10) - Zero Trust plan: inventory, approvals, least privilege

    Key topics covered:

    · The app store nightmare: a new AI app store you don’t control

    · How a tricked document can make your AI act against you

    · A simple Zero Trust plan anyone can start today

    · How to cut tool sprawl, cost, and risk—without slowing the team


    If you use ChatGPT, Claude, or Gemini at work, this is your survival brief.
    Subscribe for more Threat Talks and ON2IT’s Zero Trust guidance.

    Guest and Host Links:

    Rob Maas (Field CTO, ON2IT): https://www.linkedin.com/in/robmaas83/

    Lieuwe Jan Koning (Founding Partner, ON2IT): https://www.linkedin.com/in/lieuwejan/



    Additional Resources:
    Threat Talks: https://threat-talks.com/
    ON2IT (Zero Trust as a Service): https://on2it.net/
    AMS-IX: https://www.ams-ix.net/ams
    Anthropic MCP announcement: https://www.anthropic.com/news/model-context-protocol
    OpenAI Tools/Connectors/MCP: https://platform.openai.com/docs/guides/tools-connectors-mcp
    Kubernetes (kubectl): https://kubernetes.io/docs/reference/kubectl/
    Reported Postmark MCP backdoor: https://thehackernews.com/2025/09/first-malicious-mcp-server-found.html
    Shadow Escape zero-click research: https://www.globenewswire.com/news-release/2025/10/22/3171164/0/en/Operant-AI-Discovers-Shadow-Escape-The-First-Zero-Click-Agentic-Attack-via-MCP.html

    If this saved you a breach, subscribe to Threat Talks and follow ON2IT for weekly Zero Trust moves. New episode next week.

    35 m
  • The Secret Diplomats Fighting Cyber Wars
    Nov 4 2025

    Cyber defense doesn’t just happen in code. It’s shaped in conversation. Behind every cyber norm or sanction, there’s a diplomat working to stop digital wars before they start.

    In this episode of Threat Talks, Lieuwe Jan Koning (CTO & co-founder of ON2IT) sits down with Ernst Noorman, Ambassador at Large for Cyber Affairs for the Kingdom of the Netherlands. They reveal how backchannel talks, sanctions, and shared rules define what countries can and can’t do in cyberspace, and what CISOs can learn from a diplomat’s playbook. This isn’t patch management. It’s peacekeeping in real time.


    What You’ll Learn (From Real-Life Example Discussions)

    • What a cyber ambassador actually does – and why every nation needs one.
    • How diplomacy helps prevent cyber conflicts between world powers.
    • Why UN-backed cyber norms matter even when nations ignore them.
    • How global collaboration builds cyber resilience, from Ukraine to Asia.
    • What businesses can learn from diplomats about cooperation and intelligence sharing.

    • (00:00 - 02:29) - Intro
    • (02:29 - 03:46) - What is the role of a cyber ambassador?
    • (03:46 - 09:13) - What diplomacy achieves
    • (09:13 - 10:07) - The US and cyber diplomacy
    • (10:07 - 11:51) - Asian countries and their approach to cyber crime
    • (11:51 - 15:47) - The five ‘don’ts’ and eight ‘dos’ at UN level
    • (15:47 - 19:52) - What happens if someone violates a rule?
    • (19:52 - 21:09) - Helping Ukraine with cyber resilience + the Tallinn mechanism
    • (21:09 - 23:01) - Efforts against disinformation
    • (23:01 - 26:22) - How to ensure information integrity
    • (26:22 - 29:12) - What is the Brussels Effect?
    • (29:12 - 30:13) - Common ground on worldwide subjects
    • (30:13 - 30:35) - Treasure hunt
    • (30:35 - 34:51) - Diplomacy and skepticism
    • (34:51 - 37:59) - A European Splinternet: how realistic is this?
    • (37:59 - 39:07) - The Cyber Resilience Act and China
    • (39:07 - 47:23) - Initiatives to look forward to
    • (47:23 - 48:53) - Outro

    Related ON2IT Content & Referenced Resources
    • ON2IT: https://on2it.net/
    • Threat Talks: https://threat-talks.com/
    • AMS-IX: https://www.ams-ix.net/ams
    • Lieuwe Jan Koning: https://www.linkedin.com/in/lieuwejan/
    • Ernst Noorman: https://www.linkedin.com/in/ernst-noorman-b630ab6/


    If this episode gave you a new view on global cybersecurity, subscribe to Threat Talks. Share it with your team – because in a connected world, every company plays a role in cyber peace.


    49 m
  • Patch Smarter, Not Harder
    Oct 28 2025

    Lieuwe Jan Koning and ON2IT Field CTO Rob Maas break down why “patch everything now” isn’t a strategy but a risk multiplier. In this session they lay out a practical patching strategy: know your assets, patch the edge first, stage updates, and use Zero Trust segmentation to choke off exposure, so you can concentrate on what truly matters and patch it fast, safely, and without outages.

    • (00:00 - 01:11) - Intro
    • (01:11 - 02:28) - Reality check #1: Not everything can be patched
    • (02:28 - 05:02) - Reality check #2: Patches are scary
    • (05:02 - 08:45) - The solution: Patch in phases
    • (08:45 - 10:36) - How Zero Trust enables patch management
    • (10:36 - 11:23) - Prioritization matters
    • (11:23 - 14:50) - Patching tips and tricks
    • (14:50 - 16:21) - Guidelines for patching triage
    • (16:21 - 17:37) - Practical advice
    • (17:37 - END) - Outro

    Key Topics Covered

    · Why “patch everything immediately” fails; availability vs. security

    · Staged deployments and rollback safety for crown-jewel services

    · Zero Trust segmentation to reduce urgency and shrink attack surface

    · Priority signals that matter: asset criticality, exposure, KEV, CVSS
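
    The four priority signals above combined into one triage function, as an added example for this listing (it is not the episode’s own method). The weights, tiers and patch windows are assumed values chosen to make the point the episode argues: being internet-facing or on the KEV list outranks a high CVSS score, and Zero Trust segmentation buys time for an internal host without removing the need to patch it. The findings are constructed; the identifiers are placeholders, not real CVEs.

```python
"""Patch triage ranked by asset criticality, exposure, KEV status and CVSS.

Added example, not the episode's own code. Weights and SLA windows are
assumed for illustration; adjust them to your own policy.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    finding_id: str        # placeholder identifier, not a real CVE
    cvss: float            # CVSS base score, 0.0 to 10.0
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalogue
    internet_facing: bool  # reachable from outside the organisation
    critical_asset: bool   # crown-jewel service
    segmented: bool        # a Zero Trust segment limits who can reach it


def score(f):
    """Higher means patch sooner. Exposure and known exploitation dominate CVSS."""
    s = f.cvss
    if f.in_kev:
        s += 10  # already being exploited in the wild (assumed weight)
    if f.internet_facing:
        s += 6   # the edge is what attackers touch first (assumed weight)
    if f.critical_asset:
        s += 3
    if f.segmented and not f.internet_facing:
        s -= 2   # segmentation reduces urgency; it does not remove the finding
    return s


def tier(f):
    """Map a score to an SLA tier and a patch window (assumed values)."""
    s = score(f)
    if s >= 18:
        return ("P1", "patch now, within 24 hours, edge first")
    if s >= 10:
        return ("P2", "stage this week, then roll out")
    if s >= 7:
        return ("P3", "next maintenance window")
    return ("P4", "batch with routine updates")


def rank(findings):
    """Order findings so the first one is the one to patch first."""
    return sorted(findings, key=score, reverse=True)


# Constructed findings showing how exposure and KEV outrank raw CVSS.
SAMPLE_FINDINGS = [
    Finding("vpn-gateway", "finding-1", 9.4, True, True, True, False),
    Finding("hr-db", "finding-2", 9.8, False, False, True, True),
    Finding("print-server", "finding-3", 7.5, False, False, False, True),
    Finding("web-shop", "finding-4", 6.5, True, True, False, False),
]

if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        level, window = tier(f)
        print(f"{level} {f.asset:13} score={score(f):5.1f}  {window}")
```

    The internal database with the highest CVSS score lands in P2 because it is segmented and not reachable from the edge, while the web shop with a CVSS of 6.5 is P1 because the flaw is both exposed and on the KEV list. That inversion is the whole argument for patching by exposure rather than by score.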

    Related ON2IT content & explicitly referenced resources
    ON2IT Zero Trust: https://on2it.net/zero-trust/
    Threat Talks (site): https://threat-talks.com/
    CVSS (FIRST): https://www.first.org/cvss/
    CISA guidance – Citrix/NetScaler (Citrix Bleed example): https://www.cisa.gov/guidance-addressing-citrix-netscaler-adc-and-gateway-vulnerability-cve-2023-4966-citrix-bleed
    Crowdstrike episode: https://youtu.be/IRvWVg1lSuo?si=f8Sj6WYG0KNxlkJD


    18 m
  • Why Your Cyber Hygiene Matters?
    Oct 14 2025

    One unlocked phone can unravel the defenses of a billion-dollar enterprise, because in cybersecurity small mistakes don’t stay small for long. Attackers can read notes, steal ID photos, or impersonate you on WhatsApp. A reused password can let them launch a remote access tool that looks completely legitimate.

    Rob Maas (Field CTO, ON2IT) and Luca Cipriano (Cyber Threat Intelligence Program Lead, ON2IT) reveal how poor cyber hygiene erodes trust, endangers partners, and weakens enterprise defenses.
    CISOs, CIOs and IT managers, remember: in a Zero Trust world, your weakest link might not even be inside your organization.

    • (00:00) - Why your cyber hygiene affects others
    • (00:28) - Meet the speakers (Rob Maas, Luca Cipriano)
    • (00:47) - Cyber hygiene defined for CISOs
    • (03:00) - Unlocked phone → passwords in notes, WhatsApp fraud, ID photos
    • (05:53) - SOC case: contractor email compromise → remote tool drop (ConnectWise)
    • (09:40) - OSINT: 19 breaches + iterative password reuse
    • (17:01) - What to fix now: MFA, vaults, device lock, breach monitoring
    • (20:24) - Final takeaways & resources

    What You’ll Learn (From Real-Life Example Discussions)
    • How a stolen phone quickly turns into identity theft, impersonation, and scams targeting your contacts.
    • A real SOC case: a contractor’s reused password allowed attackers to hide a remote access tool inside normal IT activity.
    • How OSINT and dark web data reveal how password reuse spreads risk across accounts.
    • Why shared tools like Google Docs can quietly multiply breaches when one user slips up.
    • Simple upgrades—MFA, password vaults, breach alerts, and secure devices—that cut your organization’s exposure fast.


    Related ON2IT Content & Referenced Resources
    • ON2IT: https://on2it.net/
    • Threat Talks: https://threat-talks.com/
    • AMS-IX: https://www.ams-ix.net/ams
    • WatchYourHack: https://watchyourhack.com
    • Have I Been Pwned: https://haveibeenpwned.com

    Guest and Host Links:
    Rob Maas, Field CTO, ON2IT: https://www.linkedin.com/in/robmaas83/
    Luca Cipriano, Cyber Threat Intelligence Program Lead, ON2IT: https://www.linkedin.com/in/luca-c-914973124/

    If this helped, subscribe to Threat Talks. Share this episode with your partners and contractors—stronger cyber hygiene across your ecosystem protects everyone.

    22 m