The Hacker News Webinar: Winning the AI Arms Race
TL;DR
Full Transcript
Hello, security pros, and welcome back to the Hacker News webinar series. If you missed us from the last time, I don't know why we do these so often. You think and and they're available on demand. No reason to miss what we do here at the Hacker News. But in case you do, well, we've got a lot to talk about today. The keyword of winning the AI arms race is now in full play. Our friends from Beyond Identity are here to walk you through it.
We have a lot to talk about on today's webinar. So before we get started, though, just some housekeeping stuff. Questions are always welcome. You can submit your questions.
They'll be answered after the webinar by our amazing speakers today. They've both committed to spending hours answering all of your emails, including what's the secret to AI? How does life revolve around AI? All of the AI questions you have, Sarah and Jane will walk you through them because they're just that good.
But, so so make sure to submit those there. This webinar is available on demand at the hacker news dot com forward slash webinars. So as you enjoy it the way I'm going to, I'm sure, just make sure to share it with your friends and colleagues who can definitely benefit from today's webinar. Let me introduce our amazing speakers.
Our speakers here are not new to this webinar, path here at the Hacker News. They've been around before a few times. Or right? Like, Jing, you've been here before.
Like, we've done this before.
We've done this before.
Yeah. We've done this before. So Jing Rehan is the VP of marketing over at Beyond Identity. And Sarah, Sarah, how how do we say it in Italian? Is it?
Cecchetti. It's beautiful. I'm gonna go make an espresso wall. It makes me wanna have a pizza, gelato, and an espresso all at the same time.
And she's the director of product strategy at Beyond Identity. They're gonna be talking about winning the AI arms race, practical steps as to how we start winning in defense against AI. I'll pass this off to both of y'all amazing ladies. Floor is all yours.
Hello. Welcome to our webinar. We are gonna have fun today because AI is fun. And if you actually wanna talk about the meaning of life and AI, feel free to hit us up.
I'm on Twitter if you prefer.
I actually have a philosophy degree, so I will go on about this. Be warned. Warned. Alright. So we're gonna talk about winning the AI arms race because this is not just a theoretical thing anymore. This is in production, and this is a real and accelerating threat. I have some numbers here because, you know, sometimes it can feel quite vague to say accelerating threat.
But if you haven't started seeing this in your organization, you will. But my guess is most of you have actually started seeing this because just in the last twelve months, you know, Zscaler put out a report that there's been a sixty percent increase in AI powered phishing.
And then the state of phish from Proofpoint has also shown that eighty four percent of organizations have been hit by AI enhanced social engineering attacks.
I spent a lot of time on Reddit too. There was one post recently that was, you know, my CFO requested a a token reset, and the deepfake was so good. It even had his accent. So we were about to reset it until the CFO literally walked into the office.
And if he hadn't done that, the adversary would have had a, a token. Right? So there was this air of desperation with the Reddit post in which the person was basically saying, what do I do about this? More training?
How do you train against this? So it it's quite a quite a, an existentially threatening type of, vector because you're expecting human beings to kind of be your defense. Right? However, the adversaries are fully implementing AI to accelerate their workflows and to just be more convincing.
We're actually gonna dive into a bunch of research, threat intel, around these malicious GPCs. I think they're so interesting interesting because of how much they lower the barrier to entry. And then, of course, I I like the stat about the four thousand percent increase in phishing attacks since the launch of ChatGPT. Thanks, ChatGPT.
And then if you, you know, read the Anthropic report recently, we have gone beyond live coding. We are now live hacking. It is almost almost autonomous. So the thread is quite right. Right?
It's ninety percent Autonomous.
That's right. That's right.
That's no joke.
That's your that's full self driving on on on your Tesla for those that are Full self that's that's ninety percent autonomous.
That's How do know that?
Yeah. Full self driving by Tesla, kinda like their autopilot. Is it like, that's the example I used when I was trying to explain it to our executive team was they go, well, what's this autonomous thing going? I go, think of your Tesla, like, full self driving, and they go, yeah, I go, that's ninety percent autonomous.
Oh, that's pretty good. I might steal that from you. So in this analogy, Anthropic is the Tesla of AI bypacking.
I won't go down the different LLM models, but yeah.
It's it's crazy. And and by the way, you can't train for this.
Right? You can't train when they like, what what did we use to train for, security awareness for social engineering attacks? Misspelling. Right?
They don't misspell anymore. Yeah. Or dear madam. I'm like, dear madam. Come on. That's not real.
Like, no one says madam anymore unless you're in France. And even then, it's pretentious. So Yeah. Don't do it.
Yeah. Don't do it. Don't do it. Yeah.
We actually have some comparisons of, like, the before and after.
I think it would really drive the point home of, like, you can't train for this. You can't pit humans against robots.
So like I said, we have some threat re research. It's it's meta research, on some malicious AI in the new arsenal, so to speak. They are just fun. They're fun.
They're not fun if you're a defender and you have to defend against them. But the way in which the, sort of dark web and underground of, malicious tooling has evolved, is really interesting to me. And the way that these are implemented, I think you guys will really enjoy it. So, Sarah, why don't we jump in with WarmGPT?
Yeah. So WarmGPT is an interesting tool that's now available to hackers, and it, as James said, creates flawless emails, pixel perfect, perfect grammar. It can even take a corpus of emails from someone you are trying to fish and mimic their exact style and tone so that the email sounds like it's coming from someone you know using their exact tone. There is no way to tell the difference between a valid email and an invalid email anymore because of this WarmGBT software. Attackers are now able to create picture perfect writing and emails that are that are completely indistinguishable and that are asking to exfiltrate information or to buy gift cards or to do other things that that will compromise your company. And so this makes it very easy for attackers, especially attackers who don't necessarily speak English, to attack your company via email.
Yeah. I am. The, the researchers who discovered this, particular kit called it, unsettling and remarkably persuasive. So I thought that was just interesting that it can be unsettling in a in an uncanny valley kind of way, but obviously, executed via email.
Yep. The next one we're seeing in the field is called fraud GPT, and this is really a fully featured tool. It's only two hundred dollars a month, which is amazing. You can get it right from Telegram, and it will generate entire pixel perfect phishing pages.
So it looks exactly like Gmail or it looks exactly like your corporate SSO where you're supposed to enter your username and your password, and it will capture those and give them to the attacker. It will also search if it has access to your code base for vulnerabilities and exploits. So once it installs malware, it goes and searches everything that it has access to to find other ways to break in, and then it automates those hacking workflows. So like we said, there's it's doing ninety percent of the work here.
It really is. Like, it is doing ninety percent of the work, and it works twenty four hours a day, seven days a week for only two hundred dollars a month. So it is really nearly impossible to defend against something that is this robust, in a probabilistic way. Or to say, hey, you know, I can tell that's a phishing page because it doesn't look exactly like our SSO.
It will look exactly like your SSO. It will look exactly the same. No misspellings. No different pixels.
This is the this is the sort of thing that, that really terrifies, the CSOs we're talking to.
Yeah. For sure.
I Including this guy. I'm a just go ahead and admit to it that it is it's it's very the the the sheer speed of attack is I think one of the scariest parts to it. Meaning, you've really got no time to blink.
Yeah. Right? The idea that but, like, your mean time to detect or remediate, like, now it's gotta be minutes. It cannot be hours.
Yeah. Yeah. And, also, if you think about the total addressable market, if you will, before, if you wanted to hack an organization or break into an organization, you had to have some technical skill, just a little bit, right, you know, with the GPTs and stuff. Nowadays, all of a sudden, you can have people with no technical background. Like, I'm convinced I can buy back my way into an organization using FraudGPT. I I just think I can.
Yeah. It is all push button. It's all nice slick GUI. It is very simple to operate.
Yeah. That's right. I forgot to to mention that that's actually, like, the UI for Fraud GPT. Right? Like, that's just how it looks like. It's it looks like a product, like a real product.
Alright. This next one, I think, if you're scared by this one, James, the next one will send a shiver down your spine.
Yeah. So this is one of the scariest ones we've seen. It's called SpamGPT, and, it is essentially a clone of some of the best valid marketing software, like SaaS software that is on the market today only for evil. And so it can take everyone in your company and write completely personalized messages to each of them. It can generate thousands of unique emails instantly. It can AB test subject lines to see which one is getting opened more often.
It is really like, when we say there was a four thousand percent increase, this is how the attackers are accomplishing that. That there are these massive tools that let attackers not just work at scale, but literally become more effective at scale by a b testing and optimizing timing. So this is just like the email marketing tools that we have for for good. They have these same email marketing tools to help get those those phishing emails opened and make sure that they are as attractive as possible.
And as you can see at the bottom there, like, ten thousand plus emails per hour per attacker. Not saying, dear madam, but saying, hey, Jing or hey, James.
I just need this spreadsheet. Send it over.
I mean, to me, what what this means is beyond just the traditional threat is your your emails gotta go away at some point. Right? Like, we we've gotta reach the conclusion of is how sorry, Jang, for about saying this because I know you're the VP of marketing.
But how effective are emails anymore beyond just spamming someone's inbox to retarget them with more ads on a platform they spend time on? Sorry, Jing. Again, I I apologize.
But You're right.
I'm not trying to diss I'm not trying to dismiss your work.
I'm just saying, like, there's gotta be better marketing ways of going on.
There has to be. Right?
Until we get to telepathy, Some people would argue we're already there.
Right? They'll they'll talk about something and then all of a sudden Amazon's like, hey.
That's true.
You know, was looking at a rower yesterday and all day today, all I've seen is rowers on every feed in my life.
Well, you better not say it out loud.
I did. I just did. I just did to the whole world.
Oh my gosh. You're done for it. What what did the kids say cooked? Absolutely cooked.
Yeah. Email is interesting.
I mean, the Hacker News too. Right? Like, you send out emails because you want people to know about something, presumably about the great content you're putting out, the great threat research, the the the newest, you know, demo or whatever it might be. So you wanna reach them. But I personally anytime I receive an email I'm not expecting, mark it as spam instantly. Like, it's gone.
So MGBT, it can look like it came directly from the CFO just to you.
Right? It doesn't look like spam at all.
Mean, yeah.
Different. It's very personalized. It's just for you.
You're talking about this you're talking about the type of the the type of ability that stresses your email filters and your blocking technology on your inbox. Like, without talking about specific vendors, just that defense in-depth on the mailbox, which, you know, kinda had this conversation around identity a few weeks ago at a panel we were having. Remember when we said complex passwords were the way? Yeah. Then it became MFAs the way, then it became, well, a different type of MFA the way. Single sign on was the way, and now we're at a point where we're like, you know, single sign on plus MFA plus complex passwords plus all and it still doesn't stop.
Yeah. That's right.
Like, not trying to be a Debbie Downer.
Don't worry. We we will leave you feeling optimistic.
That's why we started the part that.
Because we're both smiling because I feel like I feel like I'm going through, like, a like a fear factor episode where Joe Rogan's smiling at the contestant as they're all just, like, flipping out over what's in front of them. And Joe Rogan's like, you're both Joe Rogan right now on fear Yeah.
No. That's one of the reasons why we started Beyond Identity was because it's not enough anymore. And No. There has to be a better solution because the AI is too good.
It's not just tricking the people. You're right. It's tricking the literal email clients into saying, you know what? I'm not gonna put this in spam folder.
This is a valid email.
Right. And and and and it knows how to do it really well.
Yeah.
No. It knows how to do it better than, like, marketing team probably for, let's say, not a world class marketing team, but a general purpose marketing team.
That jinks marketing.
That's right. That's right. That's right. This one is slightly more expensive than a fraud GFT. This one is five thousand dollars, but it's a cheap infrastructure for threat distribution. So, you know, you get what you pay for. Right?
Yeah. So, this is all to say what we talked about kind of at the top of the webinar that, the things that we train for when we do phishing training are no longer indicators that this is a valid email. So, it might have spelling and grammar errors. It might not. It might intentionally have a tone that is not perfect so that it sounds like it's coming from a real human and not written by a GPT.
It will not have generic greetings. It will have whatever greetings it finds elsewhere in your inbox. If most of your emails that are valid start with, hey, Jing, it'll start with, hey, Jing.
We teach people that, like, if there are obvious pressure tactics that you should immediately be suspicious of that of, hey, send me gift cards right now. I need them in the next hour. Right?
SpamGPT is gonna figure out that those those sorts of emails don't perform, and it's gonna stop using that and start saying, hey. Can you send me this Excel file with our financial data because we need it for the board meeting? Right? It'll it will sound much less threatening and much less urgent, but still be able to compromise your organization.
And, the suspicious links were easier to spot. You could see the mismatched URLs, and now those are completely invisible to the user. And they have URLs that look completely legitimate. And so there is no probabilistic way. There is no way to do phishing training against these new tools.
Yeah. Yeah. It's it's really not a fair fight. I know we put it on the slide, but we we genuinely mean it.
Right? Like, you're pitting human beings against machines and robots. And I think just to emphasize the point here. Right?
Like, when we say AI arms race, what we mean is there's, like, this fatal flaw. AI powered attacks are explicitly designed to learn from and effectively mimic the good patterns, the non suspicious patterns. So then when you actually think about how a lot of cybersecurity, especially in detection response, relies on a model of probabilistic defense. Right?
It's a security of, like, this is maybe bad. It's likely, malicious. It's, you know, really, really smart pattern recognition, like IP reputation, anomaly, behavior analytics, etcetera. In the world of AI, when you're in this situation where you're you have this arms race where the adversary is learning in real time from good behavior, a probabilistic system just doesn't work.
Right? And this is where we can, relieve you of this, fear factor response. There is hope. There is hope.
We're not politicians. We don't deal in, like, pessimism and, and all that fud. So if you remember high school, I I it's probably high school math. Right?
The opposite of probabilistic is deterministic. This is where you can actually say, okay. I know for a fact. I I have this proof that something is true.
So instead of the security of, guesses or security of maybes, you can move on to kind of the security of proofs. In a deterministic system, it doesn't guess. It operates on binaristic, cryptographic, and preferably hardware backed certainty. Right?
So, for Beyond Identity, you know, we really emphasize the fact that you need to verify your users and the devices they're logging in from continuously. So we implement, you know, all sorts of defense in-depth techniques. Like, first of all, that identity needs to be device bound and protected by hardware so that it's tamper proof, unsinkable, and unstealable. Because when something can't be like, there's no shared secret.
Right? When something doesn't exist, it can't be stolen. So we we deliver that via a hardware backed passkey to assert an identity with no ifs and buts. And then we layer on actual device posture.
What is the operating security posture of this device? Is the let's say, is the biometric enforcement on? Is it patched? Is it up to date?
Is it running a known version of an application with a zero day? Right? So once and only when the device passes those checks can it gain access to your systems. And not only do we pull from the native OS itself, we can also pull from your security stack.
You have a bunch of tools. Let's put them to use in access policy. So the malicious attempt is shut down before they can ever gain access. And then we are crazy people who just love security so much, and we said, okay.
Checking once at login is not enough. We're actually gonna check every ten, fifteen minutes just in case.
Because a lot of you know, you know, configuration drifts just happen. Misconfigurations also happen. End users are also unpredictable creatures. I turned off some stuff on my settings today and got a message from IT and was like, why did you do that?
I was like, oh, I thought it was the thing that was making my computer give me that pop up every once in a while. And they were like, no. No. Turn that back on.
I was like, okay. Sorry about that. So with, you know, security settings and configurations can drift for one reason or another. Sometimes it's malicious, sometimes it's not.
But either way, we check it, and we make sure that if something were to shift out of compliance, you have a a way to remediate that within the session itself.
And because we really wanted to, keep this educational, I'm going to spare you the demo. But James has this magical QR code that you can scan that takes you directly to the demo. It says fifteen minutes. It's actually, like, twelve and a half. And if you skip to minute two, you can spare yourself some preamble.
So fun fact, go for it. It's ungated.
Yeah. Yeah. It's a fun demo. I did it. So go check it out.
Yeah. The great part about having shared secrets is that there is nothing to disclose. Your employees don't know anything that could help attackers, So they can click on links all day long. Right?
They they will get these emails. They will click on these emails. We know that that's gonna happen, but we have architected your identity system in such a way that it doesn't matter. They can click on the link, and they can't do anything bad after that happens.
Yeah. So but check out the QR code, scan it right now using your phone, or take a picture of it with your screenshot, whatever way you like to to do it, and and go check out the demo. It's pretty cool. I'll say that.
Thank you. Thank you. And, yeah, that's a great point, Sarah. You can't stop people from clicking.
Well but you can work with human nature. Right? Like, you're gonna click. You're gonna click.
Okay? The way I've always said that the way we look at security technology is is a bit flawed because we assume that we can train humans at a bad behavior, but what in our five thousand year human history tells you that you could do that?
I mean, nothing. Right? I mean, literally nothing. I mean, humans have been have always had bad behavior from the inception of human.
And if you believe in creation, then it's Adam and Eve and then downstream of that. Or if, you know, then just look at the history of of evolution and tell me there was something good at any point that humans like, there was always good with evil. Like, there's always good with bad. It's never just one way or the other.
It's never you you can't train in out of people.
Yeah. You can't.
Pretty isn't their job. Right? They they are great at accounting. They're great at engineering. They shouldn't have to know anything about cybersecurity. And our product makes it so that they don't have to know anything. We don't have to train them.
Yeah. They don't touch it.
They just do their own jobs. Yeah.
Yeah. That's wonderful. That's a beautiful world.
And because you are still here and on this webinar, you get a special treat, which is an early early preview at something we've been cooking up. Sarah, can you talk a little bit about what this is?
And that's the new new QR code for this AI security product.
Oh, that was fast. Nice.
Yeah. So this is a different QR code leading to a different page where we would like to invite the Hacker News, community to give us feedback on a new product that we are demoing. So we are, only releasing this to a limited audience.
And the idea is that your, developers and your employees are using AI tools, and those tools are those, those AI agents are calling out to tools. So you might use Cloud Code and say, hey, I wanna go have Cloud Code summarize my linear tickets or update my linear tickets. Or I might wanna have it read my, granola notes. Right?
I wanna I wanna go call tools all over my SaaS infrastructure. And the fact is that that's actually quite dangerous. That can cause, data ex filtration. It can cause data leakage across tools, and there's almost no visibility into that.
Additionally, your developers and your employees can download MCP servers off of the off of the Internet, off of GitHub and install them on their machines, and you have no visibility into what those are doing and to how those are updated. And so they open up supply chain attacks, remote code execution attacks, data exfiltration attacks.
There's a huge attack surface that MCP opens up that did not exist before. And so what our customers are telling us is, hey, we love the Beyond Identity technology. We love this authorization engine you have that sits in the middle of everything. We want you to do that for MCP.
And so what we've built is an MCP proxy, an MCP gateway that sits in the middle between the MCP servers that your employees are using and right now, just Anthropic. So if you are a Cloud Code shop, we're really interested in talking to you, but we're gonna be adding more tools over time.
And enforces real time policy on those tools. What tools are allowed, what tools are disallowed, and how, your employees can use them, and then gives you visibility into everything that's going on in your organization. What tools are being called? Hey. Are they are they looking for SSH keys in your organization? What exactly are they doing in there?
So that you have a complete control and complete visibility over what's going on with MCP. So, we have some customers who are really excited about this, but we wanna test it with people who aren't Beyond Identity customers to see if that message resonates. And we especially technical people to help us out, which is why we're reaching out to the Hacker News community specifically. And we wanna get you into this early access program. We do have limited slots, so please get a hold of us as soon as you can. Use that QR code in the upper right and let us know what you think.
That's exciting.
Like, I love when when when organizations do that. I think getting market feedback over kinda how stuff works and and what you're thinking and is it right and then how does it differ from organization to organization to different AI use cases. There's so much nothing is the same anymore Yeah. In every environment. Like, everything just has a little bit of a twist that that just changes things over over over some of that.
For sure. For sure. It's a brave new world when AI in agency.
Yeah. I'm a put this is the by the way, the new QR code on the screen, there is the demo one. If you missed it, you can scan that one for the demo. I'll leave it on for ten more seconds.
Yeah.
Well, you know, we gave you a little sneak preview. This is kind of how it looks like.
I so I've been playing with Cloud Code a lot, and I just press when it asks, hey. Can I do this? I'm like, yes. Yes.
Yes. Yes. Yes. Yes. Yes. So I'm just constantly spamming yes. And then I finally realized, what are you doing?
What is bash? What is web?
So, yeah, you it's not just protecting your developers, but also your eager vibe coders who want to do the right thing by the company, but, perhaps doesn't have the tools to do it. So I think that is all we have for you today.
Thank you for your time. This was a blast. Thank you for hosting us, James.
Well, this was so much fun. I kinda don't want it to end. I'm almost like, why is this ending?
We'll do more. We'll do lots more.
Yeah. We we have to do many plenty, plenty more. For everyone watching, thank you so much for for taking time to watch this webinar. And you know that everything we do at the Hacker News is driven by you, our community.
So more topics that you wanna hear about in twenty twenty six, please let us know. Go to the hacker news dot com forward slash webinars. Don't check out our friends at Beyond Identity. When our community engages with our friends at Beyond Identity and and the likes, it only makes us get you better and more relevant content.
And that's really the goal of everything we do here at the Hacker News. So thank you, Jing. Thank you, Sarah, so very much. Thank you to all of you as we end this year.
Again, in retrospect, we'll look back at this year and we say, wow. It's already December, and who in the world could have thunk it? But here we are. We're looking forward to a really, really successful twenty twenty six together.
Thank you all for watching. Thank you for tuning in. And most importantly, y'all, stay cyber safe.
TL;DR
Full Transcript
Hello, security pros, and welcome back to the Hacker News webinar series. If you missed us from the last time, I don't know why we do these so often. You think and and they're available on demand. No reason to miss what we do here at the Hacker News. But in case you do, well, we've got a lot to talk about today. The keyword of winning the AI arms race is now in full play. Our friends from Beyond Identity are here to walk you through it.
We have a lot to talk about on today's webinar. So before we get started, though, just some housekeeping stuff. Questions are always welcome. You can submit your questions.
They'll be answered after the webinar by our amazing speakers today. They've both committed to spending hours answering all of your emails, including what's the secret to AI? How does life revolve around AI? All of the AI questions you have, Sarah and Jane will walk you through them because they're just that good.
But, so so make sure to submit those there. This webinar is available on demand at the hacker news dot com forward slash webinars. So as you enjoy it the way I'm going to, I'm sure, just make sure to share it with your friends and colleagues who can definitely benefit from today's webinar. Let me introduce our amazing speakers.
Our speakers here are not new to this webinar, path here at the Hacker News. They've been around before a few times. Or right? Like, Jing, you've been here before.
Like, we've done this before.
We've done this before.
Yeah. We've done this before. So Jing Rehan is the VP of marketing over at Beyond Identity. And Sarah, Sarah, how how do we say it in Italian? Is it?
Cecchetti. It's beautiful. I'm gonna go make an espresso wall. It makes me wanna have a pizza, gelato, and an espresso all at the same time.
And she's the director of product strategy at Beyond Identity. They're gonna be talking about winning the AI arms race, practical steps as to how we start winning in defense against AI. I'll pass this off to both of y'all amazing ladies. Floor is all yours.
Hello. Welcome to our webinar. We are gonna have fun today because AI is fun. And if you actually wanna talk about the meaning of life and AI, feel free to hit us up.
I'm on Twitter if you prefer.
I actually have a philosophy degree, so I will go on about this. Be warned. Warned. Alright. So we're gonna talk about winning the AI arms race because this is not just a theoretical thing anymore. This is in production, and this is a real and accelerating threat. I have some numbers here because, you know, sometimes it can feel quite vague to say accelerating threat.
But if you haven't started seeing this in your organization, you will. But my guess is most of you have actually started seeing this because just in the last twelve months, you know, Zscaler put out a report that there's been a sixty percent increase in AI powered phishing.
And then the state of phish from Proofpoint has also shown that eighty four percent of organizations have been hit by AI enhanced social engineering attacks.
I spent a lot of time on Reddit too. There was one post recently that was, you know, my CFO requested a a token reset, and the deepfake was so good. It even had his accent. So we were about to reset it until the CFO literally walked into the office.
And if he hadn't done that, the adversary would have had a, a token. Right? So there was this air of desperation with the Reddit post in which the person was basically saying, what do I do about this? More training?
How do you train against this? So it it's quite a quite a, an existentially threatening type of, vector because you're expecting human beings to kind of be your defense. Right? However, the adversaries are fully implementing AI to accelerate their workflows and to just be more convincing.
We're actually gonna dive into a bunch of research, threat intel, around these malicious GPCs. I think they're so interesting interesting because of how much they lower the barrier to entry. And then, of course, I I like the stat about the four thousand percent increase in phishing attacks since the launch of ChatGPT. Thanks, ChatGPT.
And then if you, you know, read the Anthropic report recently, we have gone beyond live coding. We are now live hacking. It is almost almost autonomous. So the thread is quite right. Right?
It's ninety percent Autonomous.
That's right. That's right.
That's no joke.
That's your that's full self driving on on on your Tesla for those that are Full self that's that's ninety percent autonomous.
That's How do know that?
Yeah. Full self driving by Tesla, kinda like their autopilot. Is it like, that's the example I used when I was trying to explain it to our executive team was they go, well, what's this autonomous thing going? I go, think of your Tesla, like, full self driving, and they go, yeah, I go, that's ninety percent autonomous.
Oh, that's pretty good. I might steal that from you. So in this analogy, Anthropic is the Tesla of AI bypacking.
I won't go down the different LLM models, but yeah.
It's it's crazy. And and by the way, you can't train for this.
Right? You can't train when they like, what what did we use to train for, security awareness for social engineering attacks? Misspelling. Right?
They don't misspell anymore. Yeah. Or dear madam. I'm like, dear madam. Come on. That's not real.
Like, no one says madam anymore unless you're in France. And even then, it's pretentious. So Yeah. Don't do it.
Yeah. Don't do it. Don't do it. Yeah.
We actually have some comparisons of, like, the before and after.
I think it would really drive the point home of, like, you can't train for this. You can't pit humans against robots.
So like I said, we have some threat re research. It's it's meta research, on some malicious AI in the new arsenal, so to speak. They are just fun. They're fun.
They're not fun if you're a defender and you have to defend against them. But the way in which the, sort of dark web and underground of, malicious tooling has evolved, is really interesting to me. And the way that these are implemented, I think you guys will really enjoy it. So, Sarah, why don't we jump in with WarmGPT?
Yeah. So WarmGPT is an interesting tool that's now available to hackers, and it, as James said, creates flawless emails, pixel perfect, perfect grammar. It can even take a corpus of emails from someone you are trying to fish and mimic their exact style and tone so that the email sounds like it's coming from someone you know using their exact tone. There is no way to tell the difference between a valid email and an invalid email anymore because of this WarmGBT software. Attackers are now able to create picture perfect writing and emails that are that are completely indistinguishable and that are asking to exfiltrate information or to buy gift cards or to do other things that that will compromise your company. And so this makes it very easy for attackers, especially attackers who don't necessarily speak English, to attack your company via email.
Yeah. I am. The, the researchers who discovered this, particular kit called it, unsettling and remarkably persuasive. So I thought that was just interesting that it can be unsettling in a in an uncanny valley kind of way, but obviously, executed via email.
Yep. The next one we're seeing in the field is called fraud GPT, and this is really a fully featured tool. It's only two hundred dollars a month, which is amazing. You can get it right from Telegram, and it will generate entire pixel perfect phishing pages.
So it looks exactly like Gmail or it looks exactly like your corporate SSO where you're supposed to enter your username and your password, and it will capture those and give them to the attacker. It will also search if it has access to your code base for vulnerabilities and exploits. So once it installs malware, it goes and searches everything that it has access to to find other ways to break in, and then it automates those hacking workflows. So like we said, there's it's doing ninety percent of the work here.
It really is. Like, it is doing ninety percent of the work, and it works twenty four hours a day, seven days a week for only two hundred dollars a month. So it is really nearly impossible to defend against something that is this robust, in a probabilistic way. Or to say, hey, you know, I can tell that's a phishing page because it doesn't look exactly like our SSO.
It will look exactly like your SSO. It will look exactly the same. No misspellings. No different pixels.
This is the this is the sort of thing that, that really terrifies, the CSOs we're talking to.
Yeah. For sure.
I Including this guy. I'm a just go ahead and admit to it that it is it's it's very the the the sheer speed of attack is I think one of the scariest parts to it. Meaning, you've really got no time to blink.
Yeah. Right? The idea that but, like, your mean time to detect or remediate, like, now it's gotta be minutes. It cannot be hours.
Yeah. Yeah. And, also, if you think about the total addressable market, if you will, before, if you wanted to hack an organization or break into an organization, you had to have some technical skill, just a little bit, right, you know, with the GPTs and stuff. Nowadays, all of a sudden, you can have people with no technical background. Like, I'm convinced I can buy back my way into an organization using FraudGPT. I I just think I can.
Yeah. It is all push button. It's all nice slick GUI. It is very simple to operate.
Yeah. That's right. I forgot to to mention that that's actually, like, the UI for Fraud GPT. Right? Like, that's just how it looks like. It's it looks like a product, like a real product.
Alright. This next one, I think, if you're scared by this one, James, the next one will send a shiver down your spine.
Yeah. So this is one of the scariest ones we've seen. It's called SpamGPT, and, it is essentially a clone of some of the best valid marketing software, like SaaS software that is on the market today only for evil. And so it can take everyone in your company and write completely personalized messages to each of them. It can generate thousands of unique emails instantly. It can AB test subject lines to see which one is getting opened more often.
It is really like, when we say there was a four thousand percent increase, this is how the attackers are accomplishing that. That there are these massive tools that let attackers not just work at scale, but literally become more effective at scale by a b testing and optimizing timing. So this is just like the email marketing tools that we have for for good. They have these same email marketing tools to help get those those phishing emails opened and make sure that they are as attractive as possible.
And as you can see at the bottom there, like, ten thousand plus emails per hour per attacker. Not saying, dear madam, but saying, hey, Jing or hey, James.
I just need this spreadsheet. Send it over.
I mean, to me, what what this means is beyond just the traditional threat is your your emails gotta go away at some point. Right? Like, we we've gotta reach the conclusion of is how sorry, Jang, for about saying this because I know you're the VP of marketing.
But how effective are emails anymore beyond just spamming someone's inbox to retarget them with more ads on a platform they spend time on? Sorry, Jing. Again, I I apologize.
But You're right.
I'm not trying to diss I'm not trying to dismiss your work.
I'm just saying, like, there's gotta be better marketing ways of going on.
There has to be. Right?
Until we get to telepathy, Some people would argue we're already there.
Right? They'll they'll talk about something and then all of a sudden Amazon's like, hey.
That's true.
You know, was looking at a rower yesterday and all day today, all I've seen is rowers on every feed in my life.
Well, you better not say it out loud.
I did. I just did. I just did to the whole world.
Oh my gosh. You're done for it. What what did the kids say cooked? Absolutely cooked.
Yeah. Email is interesting.
I mean, the Hacker News too. Right? Like, you send out emails because you want people to know about something, presumably about the great content you're putting out, the great threat research, the the the newest, you know, demo or whatever it might be. So you wanna reach them. But I personally anytime I receive an email I'm not expecting, mark it as spam instantly. Like, it's gone.
So MGBT, it can look like it came directly from the CFO just to you.
Right? It doesn't look like spam at all.
Mean, yeah.
Different. It's very personalized. It's just for you.
You're talking about this you're talking about the type of the the type of ability that stresses your email filters and your blocking technology on your inbox. Like, without talking about specific vendors, just that defense in-depth on the mailbox, which, you know, kinda had this conversation around identity a few weeks ago at a panel we were having. Remember when we said complex passwords were the way? Yeah. Then it became MFAs the way, then it became, well, a different type of MFA the way. Single sign on was the way, and now we're at a point where we're like, you know, single sign on plus MFA plus complex passwords plus all and it still doesn't stop.
Yeah. That's right.
Like, not trying to be a Debbie Downer.
Don't worry. We we will leave you feeling optimistic.
That's why we started the part that.
Because we're both smiling because I feel like I feel like I'm going through, like, a like a fear factor episode where Joe Rogan's smiling at the contestant as they're all just, like, flipping out over what's in front of them. And Joe Rogan's like, you're both Joe Rogan right now on fear Yeah.
No. That's one of the reasons why we started Beyond Identity was because it's not enough anymore. And No. There has to be a better solution because the AI is too good.
It's not just tricking the people. You're right. It's tricking the literal email clients into saying, you know what? I'm not gonna put this in spam folder.
This is a valid email.
Right. And and and and it knows how to do it really well.
Yeah.
No. It knows how to do it better than, like, marketing team probably for, let's say, not a world class marketing team, but a general purpose marketing team.
That jinks marketing.
That's right. That's right. That's right. This one is slightly more expensive than a fraud GFT. This one is five thousand dollars, but it's a cheap infrastructure for threat distribution. So, you know, you get what you pay for. Right?
Yeah. So, this is all to say what we talked about kind of at the top of the webinar that, the things that we train for when we do phishing training are no longer indicators that this is a valid email. So, it might have spelling and grammar errors. It might not. It might intentionally have a tone that is not perfect so that it sounds like it's coming from a real human and not written by a GPT.
It will not have generic greetings. It will have whatever greetings it finds elsewhere in your inbox. If most of your emails that are valid start with, hey, Jing, it'll start with, hey, Jing.
We teach people that, like, if there are obvious pressure tactics that you should immediately be suspicious of that of, hey, send me gift cards right now. I need them in the next hour. Right?
SpamGPT is gonna figure out that those those sorts of emails don't perform, and it's gonna stop using that and start saying, hey. Can you send me this Excel file with our financial data because we need it for the board meeting? Right? It'll it will sound much less threatening and much less urgent, but still be able to compromise your organization.
And, the suspicious links were easier to spot. You could see the mismatched URLs, and now those are completely invisible to the user. And they have URLs that look completely legitimate. And so there is no probabilistic way. There is no way to do phishing training against these new tools.
Yeah. Yeah. It's it's really not a fair fight. I know we put it on the slide, but we we genuinely mean it.
Right? Like, you're pitting human beings against machines and robots. And I think just to emphasize the point here. Right?
Like, when we say AI arms race, what we mean is there's, like, this fatal flaw. AI powered attacks are explicitly designed to learn from and effectively mimic the good patterns, the non suspicious patterns. So then when you actually think about how a lot of cybersecurity, especially in detection response, relies on a model of probabilistic defense. Right?
It's a security of, like, this is maybe bad. It's likely, malicious. It's, you know, really, really smart pattern recognition, like IP reputation, anomaly, behavior analytics, etcetera. In the world of AI, when you're in this situation where you're you have this arms race where the adversary is learning in real time from good behavior, a probabilistic system just doesn't work.
Right? And this is where we can, relieve you of this, fear factor response. There is hope. There is hope.
We're not politicians. We don't deal in, like, pessimism and, and all that fud. So if you remember high school, I I it's probably high school math. Right?
The opposite of probabilistic is deterministic. This is where you can actually say, okay. I know for a fact. I I have this proof that something is true.
So instead of the security of, guesses or security of maybes, you can move on to kind of the security of proofs. In a deterministic system, it doesn't guess. It operates on binaristic, cryptographic, and preferably hardware backed certainty. Right?
So, for Beyond Identity, you know, we really emphasize the fact that you need to verify your users and the devices they're logging in from continuously. So we implement, you know, all sorts of defense in-depth techniques. Like, first of all, that identity needs to be device bound and protected by hardware so that it's tamper proof, unsinkable, and unstealable. Because when something can't be like, there's no shared secret.
Right? When something doesn't exist, it can't be stolen. So we we deliver that via a hardware backed passkey to assert an identity with no ifs and buts. And then we layer on actual device posture.
What is the operating security posture of this device? Is the let's say, is the biometric enforcement on? Is it patched? Is it up to date?
Is it running a known version of an application with a zero day? Right? So once and only when the device passes those checks can it gain access to your systems. And not only do we pull from the native OS itself, we can also pull from your security stack.
You have a bunch of tools. Let's put them to use in access policy. So the malicious attempt is shut down before they can ever gain access. And then we are crazy people who just love security so much, and we said, okay.
Checking once at login is not enough. We're actually gonna check every ten, fifteen minutes just in case.
Because a lot of you know, you know, configuration drifts just happen. Misconfigurations also happen. End users are also unpredictable creatures. I turned off some stuff on my settings today and got a message from IT and was like, why did you do that?
I was like, oh, I thought it was the thing that was making my computer give me that pop up every once in a while. And they were like, no. No. Turn that back on.
I was like, okay. Sorry about that. So with, you know, security settings and configurations can drift for one reason or another. Sometimes it's malicious, sometimes it's not.
But either way, we check it, and we make sure that if something were to shift out of compliance, you have a a way to remediate that within the session itself.
And because we really wanted to, keep this educational, I'm going to spare you the demo. But James has this magical QR code that you can scan that takes you directly to the demo. It says fifteen minutes. It's actually, like, twelve and a half. And if you skip to minute two, you can spare yourself some preamble.
So fun fact, go for it. It's ungated.
Yeah. Yeah. It's a fun demo. I did it. So go check it out.
Yeah. The great part about having shared secrets is that there is nothing to disclose. Your employees don't know anything that could help attackers, So they can click on links all day long. Right?
They they will get these emails. They will click on these emails. We know that that's gonna happen, but we have architected your identity system in such a way that it doesn't matter. They can click on the link, and they can't do anything bad after that happens.
Yeah. So but check out the QR code, scan it right now using your phone, or take a picture of it with your screenshot, whatever way you like to to do it, and and go check out the demo. It's pretty cool. I'll say that.
Thank you. Thank you. And, yeah, that's a great point, Sarah. You can't stop people from clicking.
Well but you can work with human nature. Right? Like, you're gonna click. You're gonna click.
Okay? The way I've always said that the way we look at security technology is is a bit flawed because we assume that we can train humans at a bad behavior, but what in our five thousand year human history tells you that you could do that?
I mean, nothing. Right? I mean, literally nothing. I mean, humans have been have always had bad behavior from the inception of human.
And if you believe in creation, then it's Adam and Eve and then downstream of that. Or if, you know, then just look at the history of of evolution and tell me there was something good at any point that humans like, there was always good with evil. Like, there's always good with bad. It's never just one way or the other.
It's never you you can't train in out of people.
Yeah. You can't.
Pretty isn't their job. Right? They they are great at accounting. They're great at engineering. They shouldn't have to know anything about cybersecurity. And our product makes it so that they don't have to know anything. We don't have to train them.
Yeah. They don't touch it.
They just do their own jobs. Yeah.
Yeah. That's wonderful. That's a beautiful world.
And because you are still here and on this webinar, you get a special treat, which is an early early preview at something we've been cooking up. Sarah, can you talk a little bit about what this is?
And that's the new new QR code for this AI security product.
Oh, that was fast. Nice.
Yeah. So this is a different QR code leading to a different page where we would like to invite the Hacker News, community to give us feedback on a new product that we are demoing. So we are, only releasing this to a limited audience.
And the idea is that your, developers and your employees are using AI tools, and those tools are those, those AI agents are calling out to tools. So you might use Cloud Code and say, hey, I wanna go have Cloud Code summarize my linear tickets or update my linear tickets. Or I might wanna have it read my, granola notes. Right?
I wanna I wanna go call tools all over my SaaS infrastructure. And the fact is that that's actually quite dangerous. That can cause, data ex filtration. It can cause data leakage across tools, and there's almost no visibility into that.
Additionally, your developers and your employees can download MCP servers off of the off of the Internet, off of GitHub and install them on their machines, and you have no visibility into what those are doing and to how those are updated. And so they open up supply chain attacks, remote code execution attacks, data exfiltration attacks.
There's a huge attack surface that MCP opens up that did not exist before. And so what our customers are telling us is, hey, we love the Beyond Identity technology. We love this authorization engine you have that sits in the middle of everything. We want you to do that for MCP.
And so what we've built is an MCP proxy, an MCP gateway that sits in the middle between the MCP servers that your employees are using and right now, just Anthropic. So if you are a Cloud Code shop, we're really interested in talking to you, but we're gonna be adding more tools over time.
And enforces real time policy on those tools. What tools are allowed, what tools are disallowed, and how, your employees can use them, and then gives you visibility into everything that's going on in your organization. What tools are being called? Hey. Are they are they looking for SSH keys in your organization? What exactly are they doing in there?
So that you have a complete control and complete visibility over what's going on with MCP. So, we have some customers who are really excited about this, but we wanna test it with people who aren't Beyond Identity customers to see if that message resonates. And we especially technical people to help us out, which is why we're reaching out to the Hacker News community specifically. And we wanna get you into this early access program. We do have limited slots, so please get a hold of us as soon as you can. Use that QR code in the upper right and let us know what you think.
That's exciting.
Like, I love when when when organizations do that. I think getting market feedback over kinda how stuff works and and what you're thinking and is it right and then how does it differ from organization to organization to different AI use cases. There's so much nothing is the same anymore Yeah. In every environment. Like, everything just has a little bit of a twist that that just changes things over over over some of that.
For sure. For sure. It's a brave new world when AI in agency.
Yeah. I'm a put this is the by the way, the new QR code on the screen, there is the demo one. If you missed it, you can scan that one for the demo. I'll leave it on for ten more seconds.
Yeah.
Well, you know, we gave you a little sneak preview. This is kind of how it looks like.
I so I've been playing with Cloud Code a lot, and I just press when it asks, hey. Can I do this? I'm like, yes. Yes.
Yes. Yes. Yes. Yes. Yes. So I'm just constantly spamming yes. And then I finally realized, what are you doing?
What is bash? What is web?
So, yeah, you it's not just protecting your developers, but also your eager vibe coders who want to do the right thing by the company, but, perhaps doesn't have the tools to do it. So I think that is all we have for you today.
Thank you for your time. This was a blast. Thank you for hosting us, James.
Well, this was so much fun. I kinda don't want it to end. I'm almost like, why is this ending?
We'll do more. We'll do lots more.
Yeah. We we have to do many plenty, plenty more. For everyone watching, thank you so much for for taking time to watch this webinar. And you know that everything we do at the Hacker News is driven by you, our community.
So more topics that you wanna hear about in twenty twenty six, please let us know. Go to the hacker news dot com forward slash webinars. Don't check out our friends at Beyond Identity. When our community engages with our friends at Beyond Identity and and the likes, it only makes us get you better and more relevant content.
And that's really the goal of everything we do here at the Hacker News. So thank you, Jing. Thank you, Sarah, so very much. Thank you to all of you as we end this year.
Again, in retrospect, we'll look back at this year and we say, wow. It's already December, and who in the world could have thunk it? But here we are. We're looking forward to a really, really successful twenty twenty six together.
Thank you all for watching. Thank you for tuning in. And most importantly, y'all, stay cyber safe.
TL;DR
Full Transcript
Hello, security pros, and welcome back to the Hacker News webinar series. If you missed us from the last time, I don't know why we do these so often. You think and and they're available on demand. No reason to miss what we do here at the Hacker News. But in case you do, well, we've got a lot to talk about today. The keyword of winning the AI arms race is now in full play. Our friends from Beyond Identity are here to walk you through it.
We have a lot to talk about on today's webinar. So before we get started, though, just some housekeeping stuff. Questions are always welcome. You can submit your questions.
They'll be answered after the webinar by our amazing speakers today. They've both committed to spending hours answering all of your emails, including what's the secret to AI? How does life revolve around AI? All of the AI questions you have, Sarah and Jane will walk you through them because they're just that good.
But, so so make sure to submit those there. This webinar is available on demand at the hacker news dot com forward slash webinars. So as you enjoy it the way I'm going to, I'm sure, just make sure to share it with your friends and colleagues who can definitely benefit from today's webinar. Let me introduce our amazing speakers.
Our speakers here are not new to this webinar, path here at the Hacker News. They've been around before a few times. Or right? Like, Jing, you've been here before.
Like, we've done this before.
We've done this before.
Yeah. We've done this before. So Jing Rehan is the VP of marketing over at Beyond Identity. And Sarah, Sarah, how how do we say it in Italian? Is it?
Cecchetti. It's beautiful. I'm gonna go make an espresso wall. It makes me wanna have a pizza, gelato, and an espresso all at the same time.
And she's the director of product strategy at Beyond Identity. They're gonna be talking about winning the AI arms race, practical steps as to how we start winning in defense against AI. I'll pass this off to both of y'all amazing ladies. Floor is all yours.
Hello. Welcome to our webinar. We are gonna have fun today because AI is fun. And if you actually wanna talk about the meaning of life and AI, feel free to hit us up.
I'm on Twitter if you prefer.
I actually have a philosophy degree, so I will go on about this. Be warned. Warned. Alright. So we're gonna talk about winning the AI arms race because this is not just a theoretical thing anymore. This is in production, and this is a real and accelerating threat. I have some numbers here because, you know, sometimes it can feel quite vague to say accelerating threat.
But if you haven't started seeing this in your organization, you will. But my guess is most of you have actually started seeing this because just in the last twelve months, you know, Zscaler put out a report that there's been a sixty percent increase in AI powered phishing.
And then the state of phish from Proofpoint has also shown that eighty four percent of organizations have been hit by AI enhanced social engineering attacks.
I spent a lot of time on Reddit too. There was one post recently that was, you know, my CFO requested a a token reset, and the deepfake was so good. It even had his accent. So we were about to reset it until the CFO literally walked into the office.
And if he hadn't done that, the adversary would have had a, a token. Right? So there was this air of desperation with the Reddit post in which the person was basically saying, what do I do about this? More training?
How do you train against this? So it it's quite a quite a, an existentially threatening type of, vector because you're expecting human beings to kind of be your defense. Right? However, the adversaries are fully implementing AI to accelerate their workflows and to just be more convincing.
We're actually gonna dive into a bunch of research, threat intel, around these malicious GPCs. I think they're so interesting interesting because of how much they lower the barrier to entry. And then, of course, I I like the stat about the four thousand percent increase in phishing attacks since the launch of ChatGPT. Thanks, ChatGPT.
And then if you, you know, read the Anthropic report recently, we have gone beyond live coding. We are now live hacking. It is almost almost autonomous. So the thread is quite right. Right?
It's ninety percent Autonomous.
That's right. That's right.
That's no joke.
That's your that's full self driving on on on your Tesla for those that are Full self that's that's ninety percent autonomous.
That's How do know that?
Yeah. Full self driving by Tesla, kinda like their autopilot. Is it like, that's the example I used when I was trying to explain it to our executive team was they go, well, what's this autonomous thing going? I go, think of your Tesla, like, full self driving, and they go, yeah, I go, that's ninety percent autonomous.
Oh, that's pretty good. I might steal that from you. So in this analogy, Anthropic is the Tesla of AI bypacking.
I won't go down the different LLM models, but yeah.
It's it's crazy. And and by the way, you can't train for this.
Right? You can't train when they like, what what did we use to train for, security awareness for social engineering attacks? Misspelling. Right?
They don't misspell anymore. Yeah. Or dear madam. I'm like, dear madam. Come on. That's not real.
Like, no one says madam anymore unless you're in France. And even then, it's pretentious. So Yeah. Don't do it.
Yeah. Don't do it. Don't do it. Yeah.
We actually have some comparisons of, like, the before and after.
I think it would really drive the point home of, like, you can't train for this. You can't pit humans against robots.
So like I said, we have some threat re research. It's it's meta research, on some malicious AI in the new arsenal, so to speak. They are just fun. They're fun.
They're not fun if you're a defender and you have to defend against them. But the way in which the, sort of dark web and underground of, malicious tooling has evolved, is really interesting to me. And the way that these are implemented, I think you guys will really enjoy it. So, Sarah, why don't we jump in with WarmGPT?
Yeah. So WarmGPT is an interesting tool that's now available to hackers, and it, as James said, creates flawless emails, pixel perfect, perfect grammar. It can even take a corpus of emails from someone you are trying to fish and mimic their exact style and tone so that the email sounds like it's coming from someone you know using their exact tone. There is no way to tell the difference between a valid email and an invalid email anymore because of this WarmGBT software. Attackers are now able to create picture perfect writing and emails that are that are completely indistinguishable and that are asking to exfiltrate information or to buy gift cards or to do other things that that will compromise your company. And so this makes it very easy for attackers, especially attackers who don't necessarily speak English, to attack your company via email.
Yeah. I am. The, the researchers who discovered this, particular kit called it, unsettling and remarkably persuasive. So I thought that was just interesting that it can be unsettling in a in an uncanny valley kind of way, but obviously, executed via email.
Yep. The next one we're seeing in the field is called fraud GPT, and this is really a fully featured tool. It's only two hundred dollars a month, which is amazing. You can get it right from Telegram, and it will generate entire pixel perfect phishing pages.
So it looks exactly like Gmail or it looks exactly like your corporate SSO where you're supposed to enter your username and your password, and it will capture those and give them to the attacker. It will also search if it has access to your code base for vulnerabilities and exploits. So once it installs malware, it goes and searches everything that it has access to to find other ways to break in, and then it automates those hacking workflows. So like we said, there's it's doing ninety percent of the work here.
It really is. Like, it is doing ninety percent of the work, and it works twenty four hours a day, seven days a week for only two hundred dollars a month. So it is really nearly impossible to defend against something that is this robust, in a probabilistic way. Or to say, hey, you know, I can tell that's a phishing page because it doesn't look exactly like our SSO.
It will look exactly like your SSO. It will look exactly the same. No misspellings. No different pixels.
This is the this is the sort of thing that, that really terrifies, the CSOs we're talking to.
Yeah. For sure.
I Including this guy. I'm a just go ahead and admit to it that it is it's it's very the the the sheer speed of attack is I think one of the scariest parts to it. Meaning, you've really got no time to blink.
Yeah. Right? The idea that but, like, your mean time to detect or remediate, like, now it's gotta be minutes. It cannot be hours.
Yeah. Yeah. And, also, if you think about the total addressable market, if you will, before, if you wanted to hack an organization or break into an organization, you had to have some technical skill, just a little bit, right, you know, with the GPTs and stuff. Nowadays, all of a sudden, you can have people with no technical background. Like, I'm convinced I can buy back my way into an organization using FraudGPT. I I just think I can.
Yeah. It is all push button. It's all nice slick GUI. It is very simple to operate.
Yeah. That's right. I forgot to to mention that that's actually, like, the UI for Fraud GPT. Right? Like, that's just how it looks like. It's it looks like a product, like a real product.
Alright. This next one, I think, if you're scared by this one, James, the next one will send a shiver down your spine.
Yeah. So this is one of the scariest ones we've seen. It's called SpamGPT, and, it is essentially a clone of some of the best valid marketing software, like SaaS software that is on the market today only for evil. And so it can take everyone in your company and write completely personalized messages to each of them. It can generate thousands of unique emails instantly. It can AB test subject lines to see which one is getting opened more often.
It is really like, when we say there was a four thousand percent increase, this is how the attackers are accomplishing that. That there are these massive tools that let attackers not just work at scale, but literally become more effective at scale by a b testing and optimizing timing. So this is just like the email marketing tools that we have for for good. They have these same email marketing tools to help get those those phishing emails opened and make sure that they are as attractive as possible.
And as you can see at the bottom there, like, ten thousand plus emails per hour per attacker. Not saying, dear madam, but saying, hey, Jing or hey, James.
I just need this spreadsheet. Send it over.
I mean, to me, what what this means is beyond just the traditional threat is your your emails gotta go away at some point. Right? Like, we we've gotta reach the conclusion of is how sorry, Jang, for about saying this because I know you're the VP of marketing.
But how effective are emails anymore beyond just spamming someone's inbox to retarget them with more ads on a platform they spend time on? Sorry, Jing. Again, I I apologize.
But You're right.
I'm not trying to diss I'm not trying to dismiss your work.
I'm just saying, like, there's gotta be better marketing ways of going on.
There has to be. Right?
Until we get to telepathy, Some people would argue we're already there.
Right? They'll they'll talk about something and then all of a sudden Amazon's like, hey.
That's true.
You know, was looking at a rower yesterday and all day today, all I've seen is rowers on every feed in my life.
Well, you better not say it out loud.
I did. I just did. I just did to the whole world.
Oh my gosh. You're done for it. What what did the kids say cooked? Absolutely cooked.
Yeah. Email is interesting.
I mean, the Hacker News too. Right? Like, you send out emails because you want people to know about something, presumably about the great content you're putting out, the great threat research, the the the newest, you know, demo or whatever it might be. So you wanna reach them. But I personally anytime I receive an email I'm not expecting, mark it as spam instantly. Like, it's gone.
So MGBT, it can look like it came directly from the CFO just to you.
Right? It doesn't look like spam at all.
Mean, yeah.
Different. It's very personalized. It's just for you.
You're talking about this you're talking about the type of the the type of ability that stresses your email filters and your blocking technology on your inbox. Like, without talking about specific vendors, just that defense in-depth on the mailbox, which, you know, kinda had this conversation around identity a few weeks ago at a panel we were having. Remember when we said complex passwords were the way? Yeah. Then it became MFAs the way, then it became, well, a different type of MFA the way. Single sign on was the way, and now we're at a point where we're like, you know, single sign on plus MFA plus complex passwords plus all and it still doesn't stop.
Yeah. That's right.
Like, not trying to be a Debbie Downer.
Don't worry. We we will leave you feeling optimistic.
That's why we started the part that.
Because we're both smiling because I feel like I feel like I'm going through, like, a like a fear factor episode where Joe Rogan's smiling at the contestant as they're all just, like, flipping out over what's in front of them. And Joe Rogan's like, you're both Joe Rogan right now on fear Yeah.
No. That's one of the reasons why we started Beyond Identity was because it's not enough anymore. And No. There has to be a better solution because the AI is too good.
It's not just tricking the people. You're right. It's tricking the literal email clients into saying, you know what? I'm not gonna put this in spam folder.
This is a valid email.
Right. And and and and it knows how to do it really well.
Yeah.
No. It knows how to do it better than, like, marketing team probably for, let's say, not a world class marketing team, but a general purpose marketing team.
That jinks marketing.
That's right. That's right. That's right. This one is slightly more expensive than a fraud GFT. This one is five thousand dollars, but it's a cheap infrastructure for threat distribution. So, you know, you get what you pay for. Right?
Yeah. So, this is all to say what we talked about kind of at the top of the webinar that, the things that we train for when we do phishing training are no longer indicators that this is a valid email. So, it might have spelling and grammar errors. It might not. It might intentionally have a tone that is not perfect so that it sounds like it's coming from a real human and not written by a GPT.
It will not have generic greetings. It will have whatever greetings it finds elsewhere in your inbox. If most of your emails that are valid start with, hey, Jing, it'll start with, hey, Jing.
We teach people that, like, if there are obvious pressure tactics that you should immediately be suspicious of that of, hey, send me gift cards right now. I need them in the next hour. Right?
SpamGPT is gonna figure out that those those sorts of emails don't perform, and it's gonna stop using that and start saying, hey. Can you send me this Excel file with our financial data because we need it for the board meeting? Right? It'll it will sound much less threatening and much less urgent, but still be able to compromise your organization.
And, the suspicious links were easier to spot. You could see the mismatched URLs, and now those are completely invisible to the user. And they have URLs that look completely legitimate. And so there is no probabilistic way. There is no way to do phishing training against these new tools.
Yeah. Yeah. It's it's really not a fair fight. I know we put it on the slide, but we we genuinely mean it.
Right? Like, you're pitting human beings against machines and robots. And I think just to emphasize the point here. Right?
Like, when we say AI arms race, what we mean is there's, like, this fatal flaw. AI powered attacks are explicitly designed to learn from and effectively mimic the good patterns, the non suspicious patterns. So then when you actually think about how a lot of cybersecurity, especially in detection response, relies on a model of probabilistic defense. Right?
It's a security of, like, this is maybe bad. It's likely, malicious. It's, you know, really, really smart pattern recognition, like IP reputation, anomaly, behavior analytics, etcetera. In the world of AI, when you're in this situation where you're you have this arms race where the adversary is learning in real time from good behavior, a probabilistic system just doesn't work.
Right? And this is where we can, relieve you of this, fear factor response. There is hope. There is hope.
We're not politicians. We don't deal in, like, pessimism and, and all that fud. So if you remember high school, I I it's probably high school math. Right?
The opposite of probabilistic is deterministic. This is where you can actually say, okay. I know for a fact. I I have this proof that something is true.
So instead of the security of, guesses or security of maybes, you can move on to kind of the security of proofs. In a deterministic system, it doesn't guess. It operates on binaristic, cryptographic, and preferably hardware backed certainty. Right?
So, for Beyond Identity, you know, we really emphasize the fact that you need to verify your users and the devices they're logging in from continuously. So we implement, you know, all sorts of defense in-depth techniques. Like, first of all, that identity needs to be device bound and protected by hardware so that it's tamper proof, unsinkable, and unstealable. Because when something can't be like, there's no shared secret.
Right? When something doesn't exist, it can't be stolen. So we we deliver that via a hardware backed passkey to assert an identity with no ifs and buts. And then we layer on actual device posture.
What is the operating security posture of this device? Is the let's say, is the biometric enforcement on? Is it patched? Is it up to date?
Is it running a known version of an application with a zero day? Right? So once and only when the device passes those checks can it gain access to your systems. And not only do we pull from the native OS itself, we can also pull from your security stack.
You have a bunch of tools. Let's put them to use in access policy. So the malicious attempt is shut down before they can ever gain access. And then we are crazy people who just love security so much, and we said, okay.
Checking once at login is not enough. We're actually gonna check every ten, fifteen minutes just in case.
Because a lot of you know, you know, configuration drifts just happen. Misconfigurations also happen. End users are also unpredictable creatures. I turned off some stuff on my settings today and got a message from IT and was like, why did you do that?
I was like, oh, I thought it was the thing that was making my computer give me that pop up every once in a while. And they were like, no. No. Turn that back on.
I was like, okay. Sorry about that. So with, you know, security settings and configurations can drift for one reason or another. Sometimes it's malicious, sometimes it's not.
But either way, we check it, and we make sure that if something were to shift out of compliance, you have a a way to remediate that within the session itself.
And because we really wanted to, keep this educational, I'm going to spare you the demo. But James has this magical QR code that you can scan that takes you directly to the demo. It says fifteen minutes. It's actually, like, twelve and a half. And if you skip to minute two, you can spare yourself some preamble.
So fun fact, go for it. It's ungated.
Yeah. Yeah. It's a fun demo. I did it. So go check it out.
Yeah. The great part about having shared secrets is that there is nothing to disclose. Your employees don't know anything that could help attackers, So they can click on links all day long. Right?
They they will get these emails. They will click on these emails. We know that that's gonna happen, but we have architected your identity system in such a way that it doesn't matter. They can click on the link, and they can't do anything bad after that happens.
Yeah. So but check out the QR code, scan it right now using your phone, or take a picture of it with your screenshot, whatever way you like to to do it, and and go check out the demo. It's pretty cool. I'll say that.
Thank you. Thank you. And, yeah, that's a great point, Sarah. You can't stop people from clicking.
Well but you can work with human nature. Right? Like, you're gonna click. You're gonna click.
Okay? The way I've always said that the way we look at security technology is is a bit flawed because we assume that we can train humans at a bad behavior, but what in our five thousand year human history tells you that you could do that?
I mean, nothing. Right? I mean, literally nothing. I mean, humans have been have always had bad behavior from the inception of human.
And if you believe in creation, then it's Adam and Eve and then downstream of that. Or if, you know, then just look at the history of of evolution and tell me there was something good at any point that humans like, there was always good with evil. Like, there's always good with bad. It's never just one way or the other.
It's never you you can't train in out of people.
Yeah. You can't.
Pretty isn't their job. Right? They they are great at accounting. They're great at engineering. They shouldn't have to know anything about cybersecurity. And our product makes it so that they don't have to know anything. We don't have to train them.
Yeah. They don't touch it.
They just do their own jobs. Yeah.
Yeah. That's wonderful. That's a beautiful world.
And because you are still here and on this webinar, you get a special treat, which is an early early preview at something we've been cooking up. Sarah, can you talk a little bit about what this is?
And that's the new new QR code for this AI security product.
Oh, that was fast. Nice.
Yeah. So this is a different QR code leading to a different page where we would like to invite the Hacker News, community to give us feedback on a new product that we are demoing. So we are, only releasing this to a limited audience.
And the idea is that your, developers and your employees are using AI tools, and those tools are those, those AI agents are calling out to tools. So you might use Cloud Code and say, hey, I wanna go have Cloud Code summarize my linear tickets or update my linear tickets. Or I might wanna have it read my, granola notes. Right?
I wanna I wanna go call tools all over my SaaS infrastructure. And the fact is that that's actually quite dangerous. That can cause, data ex filtration. It can cause data leakage across tools, and there's almost no visibility into that.
Additionally, your developers and your employees can download MCP servers off of the off of the Internet, off of GitHub and install them on their machines, and you have no visibility into what those are doing and to how those are updated. And so they open up supply chain attacks, remote code execution attacks, data exfiltration attacks.
There's a huge attack surface that MCP opens up that did not exist before. And so what our customers are telling us is, hey, we love the Beyond Identity technology. We love this authorization engine you have that sits in the middle of everything. We want you to do that for MCP.
And so what we've built is an MCP proxy, an MCP gateway that sits in the middle between the MCP servers that your employees are using and right now, just Anthropic. So if you are a Cloud Code shop, we're really interested in talking to you, but we're gonna be adding more tools over time.
And enforces real time policy on those tools. What tools are allowed, what tools are disallowed, and how, your employees can use them, and then gives you visibility into everything that's going on in your organization. What tools are being called? Hey. Are they are they looking for SSH keys in your organization? What exactly are they doing in there?
So that you have a complete control and complete visibility over what's going on with MCP. So, we have some customers who are really excited about this, but we wanna test it with people who aren't Beyond Identity customers to see if that message resonates. And we especially technical people to help us out, which is why we're reaching out to the Hacker News community specifically. And we wanna get you into this early access program. We do have limited slots, so please get a hold of us as soon as you can. Use that QR code in the upper right and let us know what you think.
That's exciting.
Like, I love when when when organizations do that. I think getting market feedback over kinda how stuff works and and what you're thinking and is it right and then how does it differ from organization to organization to different AI use cases. There's so much nothing is the same anymore Yeah. In every environment. Like, everything just has a little bit of a twist that that just changes things over over over some of that.
For sure. For sure. It's a brave new world when AI in agency.
Yeah. I'm a put this is the by the way, the new QR code on the screen, there is the demo one. If you missed it, you can scan that one for the demo. I'll leave it on for ten more seconds.
Yeah.
Well, you know, we gave you a little sneak preview. This is kind of how it looks like.
I so I've been playing with Cloud Code a lot, and I just press when it asks, hey. Can I do this? I'm like, yes. Yes.
Yes. Yes. Yes. Yes. Yes. So I'm just constantly spamming yes. And then I finally realized, what are you doing?
What is bash? What is web?
So, yeah, you it's not just protecting your developers, but also your eager vibe coders who want to do the right thing by the company, but, perhaps doesn't have the tools to do it. So I think that is all we have for you today.
Thank you for your time. This was a blast. Thank you for hosting us, James.
Well, this was so much fun. I kinda don't want it to end. I'm almost like, why is this ending?
We'll do more. We'll do lots more.
Yeah. We we have to do many plenty, plenty more. For everyone watching, thank you so much for for taking time to watch this webinar. And you know that everything we do at the Hacker News is driven by you, our community.
So more topics that you wanna hear about in twenty twenty six, please let us know. Go to the hacker news dot com forward slash webinars. Don't check out our friends at Beyond Identity. When our community engages with our friends at Beyond Identity and and the likes, it only makes us get you better and more relevant content.
And that's really the goal of everything we do here at the Hacker News. So thank you, Jing. Thank you, Sarah, so very much. Thank you to all of you as we end this year.
Again, in retrospect, we'll look back at this year and we say, wow. It's already December, and who in the world could have thunk it? But here we are. We're looking forward to a really, really successful twenty twenty six together.
Thank you all for watching. Thank you for tuning in. And most importantly, y'all, stay cyber safe.
Trending Resources
.jpg)
How Beyond Identity & Nametag Stop Identity Fraud at Onboarding & Recovery
November 19, 2025
.jpg)
New: Self Remediation Features to Reduce Help Desk Tickets and Improve UX
November 13, 2025
.jpg)
NYDFS Part 500 in 2025: Key Deadlines, New Requirements, and Compliance Strategies
October 28, 2025
From Reactive to Proactive: A Practitioner's Guide to Zero Trust After the F5 Breach
October 17, 2025
.jpg)
FIDO Is Not Enough for Enterprise Security
October 9, 2025
.jpg)
CVE-2025-59363: OneLogin Breach Highlights Urgent Need to Secure Non-Human Identities
October 2, 2025
.jpg)
The Unpatchable User: The Case for Continuous Device Security
October 1, 2025
.jpg)
Goodbye Legacy Microsoft MFA: Future-Proofing with Modern Authentication
September 25, 2025
Make Identity-Based Attacks Impossible
August 11, 2025
Meeting CJIS Compliance with WDL
May 27, 2025
PCI DSS Compliance with Beyond Identity
March 6, 2025
.jpeg)
Online Job Board Safety: How and Why To Avoid a Scam
March 7, 2024
ChatGPT's Dark Side: Cyber Experts Warn AI Will Aid Cyberattacks in 2023
February 29, 2024
Improving User Access and Identity Management to Address Modern Enterprise Risk
February 20, 2024
Okta Cyber Trust Report
January 5, 2024
Securing Remote Work: Insights into Cyber Threats and Solutions
October 30, 2023
Networking Dinner with MightyID and Tevora
December 9, 2025
Alphinia CISO Mastermind Dinner
December 1, 2025
Myriad360 Client Appreciation Celebration
November 20, 2025
GuidePoint Security Movie Premeire of Wicked
November 19, 2025
.png)
How AI Is Accelerating Threats: The Inside Scoop on Emerging Phishing GPTs
November 18, 2025
GuidePoint Security 3rd Annual Houston Golf Outing
November 13, 2025
GuidePoint Security's Pinehurst Golf Outing
November 12, 2025
GuidePoint Security Public Sector Vendor Fair
November 5, 2025
