Cyber Compliance & Beyond

By: Kratos

Welcome to "Cyber Compliance and Beyond," a Kratos podcast that will bring clarity to compliance, helping put you in control of cybersecurity compliance in your organization. Kratos is a leading cybersecurity compliance advisory and assessment organization, providing services to both government and commercial clients across varying sectors including defense, space, satellite, financial services, and health care. Through "Cyber Compliance and Beyond," our cyber team of experts will share their insights on the latest compliance issues. We want to hear from you! What unanswered question would you like us to tackle? Is there a topic you'd like us to discuss? Or do you just have some feedback for us? Let us know on LinkedIn and Twitter at Kratos Defense or by email at ccbeyond@kratosdefense.com.

Episodes
  • 20 - Red Teamers and Pen Testers: Technical, Cloud and Soft Skills
    Dec 2 2025

    There's no shortage of cybersecurity tools, but most compromises don't happen because of technology failures; they happen because of a failure in organizational processes. In today's episode, we explore how penetration testing and red teaming expose the people, processes and operational weaknesses that technology alone cannot.

    We discuss why security is ultimately a people problem, why organizations struggle to identify their own blind spots and how offensive testing reveals hidden vulnerabilities that technologies alone miss.

    In today's broad-ranging episode, we cover the following:

    • Penetration testing vs. red team engagements
    • What a real red team assessment looks like
    • Attack vectors that still work surprisingly well
    • Interesting "ins" from the real world
    • The ongoing role of social engineering
    • Custom tooling vs. off-the-shelf frameworks
    • Staying current with attacker techniques
    • Finding business-logic flaws automated tools miss
    • The hardest parts of offensive security work
    • Common organizational mistakes that create risk
    • Making findings actionable for engineering teams
    • Skills the next generation of operators should build
    • Soft skills that matter in offensive security
    • How AI and cloud are changing modern red teaming
    • Underestimated attack surfaces
    • Whether offense will always outpace defense
    51 m
  • 19 - Zero Trust
    Nov 4 2025

    In this episode, we dive into Zero Trust and how organizations can put it into practice. With the rise of cloud computing, traditional on-prem networking architectures began to fade. Yet the need for strong security never went away – it evolved. That's where Zero Trust comes in. At its core, Zero Trust isn't just about technology. It's about people, access, and trust – starting with the principle that no one is trusted by default.

    Tune in to learn:

    • Why Zero Trust is more of a mindset and not a technology or set of technologies
    • The challenges organizations face when adopting it
    • How Zero Trust technologies differ from traditional networking technologies

    Reference material:

    • NIST SP 800-207
    • CISA Zero Trust Maturity Model
    32 m
  • 18 - The False Claims Act
    Sep 25 2025

    Waste, fraud, and abuse. These three words usually make headlines when government resources are misused on a massive scale. But the truth is, efforts to eliminate waste, fraud, and abuse extend far beyond the headline-grabbing cases.

    In this episode, our experts explore how the government combats waste, fraud, and abuse, and why cybersecurity is now front and center in the conversation. Over the past 40 years, federal agencies have increasingly relied on contractors, which has in turn increased the need for enforcement mechanisms to combat waste, fraud, and abuse.

    This episode goes over:

    • The history and role of the False Claims Act
    • How the Department of Justice's Civil Cyber-Fraud Initiative is using it to tackle cybersecurity-related fraud
    • The unique role of whistleblowers, who gain both protections and incentives to report fraud
    • A real-world use case that illustrates how enforcement plays out
    • Practical strategies organizations can adopt to reduce their False Claims Act risk

    If your organization works with the federal government, this conversation is a must-listen.

    Resources:

    • DOJ's False Claims Act website
    • The False Claims Act (law)
    29 m