Episodes

  • Bugcrowd Founder Casey Ellis: AI Slop, and the Future of Hacking
    Apr 2 2026

    Casey Ellis, founder of Bugcrowd, joins the show to talk about the evolution of bug bounty, how hackers went from outsiders to strategic assets, and why AI-generated bug reports are putting pressure on security teams. We also get into VDPs vs public bounties, pentesting, vulnerability economics, and where security research is headed over the next five years.

    35 mins
  • Are Humans the Weakest Link in Security? w/ Sean Juroviesky
    Mar 25 2026

    In this episode of the Secure Disclosure Podcast, we dive into the human side of security with Sean Juroviesky. From why people remain the biggest challenge in cybersecurity to how organizations can build effective security cultures, this conversation explores identity, access management, and the risks introduced by shadow IT and AI. We unpack how to make the secure path the easiest path, how to detect risky behavior without alienating employees, and why over-permissioned AI tools may be the next big threat. It’s a practical, honest discussion on balancing security, usability, and the rapid evolution of AI in modern organizations.

    Sponsor: This episode is brought to you by Aikido — https://aikido.dev. Secure everything from code to cloud.

    26 mins
  • AI Agents Must Have Identity & Access Control w/ Johannes Keienburg
    Mar 17 2026

    AI agents are here, and they’re already transforming how we work. But beneath the hype lies a massive, unsolved security problem. In this episode, Mackenzie Jackson sits down with Johannes Keienburg to unpack the reality of autonomous agents: why they’re so powerful, why they’re so dangerous, and why access control is about to become the biggest challenge in cybersecurity. From broken authorization to “agents without brakes,” they explore how today’s systems are fundamentally unprepared—and what needs to change before things go seriously wrong.

    37 mins
  • The Creator of Curl on Why AI Is Breaking Bug Bounties w/ Daniel Stenberg
    Mar 16 2026

    Daniel Stenberg, creator of curl, explains how a small open source tool became core internet infrastructure. The conversation covers curl’s origin, maintainer pressure, AI-generated bug bounty spam, the future of vulnerability reporting, and how AI is changing software engineering and security.

    34 mins
  • LLMs Will Never Be Fully Secure w/ Brooks McMillin
    Mar 9 2026

    We’re back in the “wild west” — only this time, the apps can be social engineered at machine speed. Live from CactusCon, Brooks McMillin breaks down malicious MCP servers, why we’re repeating the same security mistakes (hello again, broken access control), and why prompt injection probably isn’t going away. We get practical on what to lock down, how to roll out AI tooling safely, and why “AI lipstick” doesn’t change the underlying enterprise risk game.

    26 mins
  • Leaking or Spying? The Truth About Browser Extensions
    Feb 26 2026

    In this week’s news brief, Mackenzie explores a comprehensive new report investigating data leakage and potential surveillance behavior in popular browser extensions. The researchers examined how extensions collect and transmit data, conducted behavioral payload analysis, and deployed honey URLs to detect suspicious activity.

    The episode highlights a critical distinction. Some extensions may unintentionally leak data, while others appear purpose built to collect and transmit it. From creative exfiltration techniques to the broader implications for data loss prevention, this is a fascinating look at how modern browser extensions can quietly put user data at risk and how researchers uncovered it.

    21 mins
  • Is AI Changing Cybersecurity, Or Just Exposing It? w/ Lester Godsey
    Feb 25 2026

    Recorded live at Cactus Con, ASU CISO Lester Godsey joins Secure Disclosure to unpack what’s truly new in AI security, and what’s just old problems getting fresh attention. From prompt injection and agentic AI to data classification and privacy, this episode explores how enterprise leaders should think about AI risk in a world where banning it simply isn’t an option.

    30 mins
  • Will AI Replace Pen Testers? w/ Paul Petefish
    Feb 19 2026

    AI is taking over the boring stuff — recon, noise, and tier-one work — but when it comes to real-world pentesting, business logic flaws, weird edge cases, and creative thinking still belong to humans.


    In this episode, Paul Petefish (Evolve Security) and Mackenzie dig into what AI is actually changing in offensive security, why prompt injection is getting weirder, and how “man + machine” is quickly becoming the new normal.


    32 mins