So for around ten years now, I've been trying to figure out where all this AI stuff is going, and I want to talk about what I figured out so far and what brought me to this conclusion. And I'm going to do that by sort of taking you through how I drunk stumbled my way along to this idea. So background wise, I'm a security person going back to 1999, spent my whole career doing that offensive security Pentesting web Appsec threat modeling Vuln management. But I would say my overall container is essentially security assessment. And going back like 15 years, when I do a security assessment for a customer, I do it in an unconventional way. And this is how I still do it today. I start with like the CEO and the CEO and like the head of legal and basically all the top people who like, run the company, uh, from the very top level. And I asked them essentially, what is the business? How do they think about the business? What fundamentally do they do? If they had to strip everything away? Like what would that be like? What is the core of it? Right. And I started getting into like what data comes in, what comes out, what are their primary outputs. And then I moved on to the next level of like senior management. Then I moved through management. Then I talked to the people on the actual ground who are like actually doing things. And I start to hear discrepancies. I start to see overlaps, I start to find all the patterns and I adjust my questions accordingly. So I basically moved through the whole structure in that way and try to figure out exactly what that company is doing and how they're doing it. So as I keep gathering more and more of this information, I start filling in like this elaborate diagram for the company. All their information flows, all their vendors where they're storing data. And I start to notice things right. And ultimately I'm figuring out like, what is this company actually look like? And what's really fun is to have people come in and so they modify the screen. They say, oh, that actually doesn't exist anymore. Oh, you forgot this piece. And invariably after, like the first day, people come in and they start taking pictures. I'm like, what are you taking a picture for? And they're like, this is the best view of the company. I've never seen a clearer understanding of what we actually do than this diagram here. Like all the other ones are incomplete, so that's always fun to see. So after a week or two of this, I then do the technical assessment, and then I start asking more and more questions to figure out, hey, so isn't this a problem? They're like, oh yeah, that actually is a problem. But the key idea is taking all this content from all these interviews, including from the highest level and the lowest level, and getting all that into a single context so I can start asking questions. So speaking of security, if you have a company or any digital assets that you're responsible for protecting, I recommend you check out one of my favorite companies ever going back, like, I don't know, 10 or 15 years, which is Project Discovery. So I've been using their open source security tools like Sub finder, DNS, HTTP nuclei, and a bunch of other tools from them for like ten years now. And they just recently released a cloud solution that takes what I was doing, like chaining all these commands together on the command line. And it does it automatically for you. So you come over here, you put in a domain that you want to start with. We'll go with like Tesla because they have an open security program. And you start that and you start collecting tons of stuff on whatever target you put in there. So in the background, it's doing a whole bunch of discovery stuff on the target. It's finding domains, sub domains, making sure those domains are valid. It's finding the web applications. It's taking screenshots of those like login pages. It's finding open ports. It's even getting the tech stack for every service that you find. So here are the type of results that you get from the discovery. And from here you can actually launch a full scan using nuclei and other tools. Okay. From here we can actually go into remediation and start actually fixing these things. So basically they started all these years ago as Pentester and bug bounty and command line focused, and now they brought all that functionality together into a full vulnerability management platform. So definitely go check them out. It's cloud CIO and thanks to Project Discovery for sponsoring today's video. So separate from that in a completely different thread on the consumer side, in 2013, I started to get a picture of where I thought all this AI tech was going. At the time I called it IoT, so I wrote this book in 2016. It's kind of a crappy book. I don't recommend you read it. Honestly. There's a blog version of it online on my site, which you should go check out. It's much better. Typography is much better as well, so definitely go check it out there. But the ideas are pretty decent. So the basic concept first idea is you have digital assistants that know everything about you and they advocate for you. Then the second piece is everything gets an API, including people and objects and businesses, and our digital assistants will also have that. And your Da basically uses those services to interact with the world on your behalf and then your Da. The third piece is augmented reality. It will use all those different services, all the data from those different APIs, to present to you inside of your glasses or your lenses or whatever. It is, the proper context for whatever you're doing, right? And finally, the last piece is once you have a company or a business or an individual or family or whatever with sort of information about them presented at as APIs, you could then take your AI, whatever the smartest AI you have with the largest context, and sort of look down at that entity that you're trying to manage, and you could give it goals. You could say, I am trying to achieve this in my family, in my business, for my county, for my city, for my country. And then your. I can sort of help you manage that. So those are the concepts from the book. Then in 2018, I got a job at Apple doing information security stuff. But the team I came in with was actually a machine learning team. So I had to refresh my horrible math, and I went and did the full Andrew Ng machine Learning course, which was on YouTube at the time, and I ended up spending multiple years there at Apple building out a security product, which they still use today. Pretty happy about that. But, um, lots of practical experience of using the ML stuff in the context of security. Um, so really happy to have come in for that team at Apple. Then in early 21, I left to go build Appsec and Vulnerability Management at Robinhood with Caleb Sima. And there I did a talk at Blackhat about building vulnerability management based on company context and specifically asset management, which turned out to be another sort of brick in this path towards context. So after doing that, I decided it was time to build things on my own and do consulting stuff independently. So I went independent with unsupervised learning in like August of 22. And that was just a few months before ChatGPT came out. So obviously I go absolutely insane when I see ChatGPT and I start calling everyone I know. All my friends got that call, my mom got that call, everyone got this call multiple times. I was freaking out, basically saying drop everything, go do AI. And the first place that my head went with all this was thinking about the context that I would gather in these security assessments and thinking about how I could use this for security, obviously, because that's my background. But I pretty quickly realized that this was bigger than just security. It's actually more about the context first. So in March of 23, I wrote this post called Sspca, which says everything is about state policy questions and actions. Basically, you have the current context for the company or the program or the department, whatever it is you're trying to manage, you have that current context. Then you have the policy, which is what you're trying to accomplish. Then you have the questions that you continuously want the answers to, and then you have actions or what you know, what we as people or I could take what we could do to make that policy happen, make the desired state come true. So with this, I start feeling like, okay, now I'm starting to lock this thing in and make it more solid. So that got decent traction, but I wanted to actually demonstrate this. So I started working immediately on something more practical as like a demo. So I did a talk at Black Hat. I think the following year maybe, and I put together this fake company called alma. And I gave it tons of context for, like, everything about the company. So its mission, how they differentiate from competitors, all their different products, their goals, where they do business, the risk register security team and its members and all their skill sets. Right. The projects that they're working on, the list of applications are it stack the dev teams, how they push code like everything about this company. I put it into this file. So now I can ask questions just like I do in security assessments. And I was doing this using an agent back in 23 to basically call this thing. And the agent would look up all this different tools or whatever, look at the context. And I could do planning for this. I could do threat modeling, actually output reports. I could write emails to auditors, I could respond to one off security questionnaire questions because, you know, you have a problem of like you have this database of security answers, but the question always comes in different. This solves that. So here's an example of a CISO making a statement about no more connections to a particular resource. And we're asking the question should this connection be allowed. And the AI responds back that, no, this connection should not be allowed, because the CISO said a minute ago that no more connections to that particular resource. So you could do really cool stuff when you have context. And throughout 23, 24 and now into 25, I've been building more and more stuff that circulates around this central theme of context plus AI. So later in 23, I built this thing called threshold. It's an app that takes over 3000 sources on the internet, tells me how good the context is independent of the source. And it basically uses context about me It so it knows what I like. And it's using that as the level of quality of the ideas, right? The novelty of the ideas, the number of ideas and having them being shaped in a particular direction. Right. And I could slide this lever and it only shows me content that exceeds a certain threshold of quality. Currently about to launch another product called Same Page, which is an enterprise product that helps companies manage pretty much anything based on their company context. Um, doing a lot of stuff with security programs here. Another thing I've had for like nine years now, or maybe longer, is my attack service monitoring system called Helios. And it started off as basically pure automations, right? This is like directory stuff, Linux stuff, using a bunch of tools, mostly from project Discovery and a bunch of custom tooling and Python and Bash and stuff. So it was very kind of like a dumb system, very effective. Very fast. Very good. But what I've done now is I'm turning this into a complete AI model, and I'm rewriting it to be context central. So everything goes into a particular location and I start operating on it from there. So once again, it's actions running against context. And the last one I'll mention is like a daily brief for myself. So basically looks at all these different sources that I have for like open source intelligence, national security, like really smart people who could, like, tell what's in the back of a truck looking at a satellite photo based on the fact of like the tire treads that are in the grass. So I follow, you know, hundreds of people like that, and I know they have good signal. So what I do is I bring that all together, I do analysis on it using a bunch of AI, and then it gives me like the President's Daily Brief. So now I could say, oh, it looks like this might be happening, um, which I can start thinking about. I could talk about whatever. So all these separate areas are kind of loosely revolving around this concept of context. And I so I feel like or have felt like for a long time that this is congealing. It's coalescing into this single theme. Right. But a couple of weeks ago I'm like, this is not quite it. This is not quite it. I'm close, but not not quite there. And I think I have a much simpler way of describing this now. And that's what I'm calling this unified entity context. And of course, that won't be the real name that gets used because Gartner will name it something and that'll be the new name. No big deal. If we look at security specifically and we look at some use cases, we find some really interesting patterns. So for like a SOC analyst you got tons of different logs, you got threat Intel reports, you got identity stuff, endpoint data, all these different sources for incident response. You've got the same stuff you have to look at, but it's more focused around, like the narrative, determining the scope, the timeline, stuff like that. With Pentesting, you're also gathering tons of data and then trying to put the pieces together and figure out like what to go after. Same with Red team, but you're even more focused on a larger scope, more interested in like the context of everything and the impact that you can generate. And with vulnerability management, we need to understand the organization really well. Otherwise, it's really hard to do remediation, which is kind of the whole point, program management. You got to have project management, budgeting strategy, time management, all those things combined. GRC you have to know what we need to be compliant with and why. And we have to know what our gaps are in terms of like the risk register vulnerabilities, stuff like that. So the common issue with most of these, really all of these is that you have to be able to see multiple parts of the organization all at once in context at the same time, and then connect those pieces together. This is why security analysts and incident responders and red teamers are so valuable. It's not the single task in the problem that's hard. It's integrating all the different sources to be able to actually do that task. And I'm going to go a little deeper into vulnerability management to illustrate this point. Since I've lived in that hellscape for so long. What is it that's actually hard about vulnerability management? Is it that we don't have enough vulnerabilities? Is it that our dashboards aren't pretty enough? That is not the problem. The problem is when you have a given vulnerability, what application is it part of? What engineering team is responsible for that application? What repo do they work from? What DevOps workflows do they use? Like how do they actually push code? How do they fix things day to day? What is the best way to get a really good fix to the right person that doesn't annoy them, which causes their manager to call over security and say stop bothering me. You might think this is easy to find that person, but keep in mind things are changing constantly. Reorgs team changes. Tools are changing like the whole company is constantly in motion. So here's the question how much of our inability to do a great job at vulnerability management for the last 15 years is a security problem, and how much of it is actually an organizational knowledge problem? And now ask that for other areas of security. Even crazier, it's not just security. The software and services industries in general are all based on asking specific questions to a specific set of data and giving you an output in like a kind of a specific type of UI, right? You have HR data, right? You ask HR questions to the HR data and they put that in an HR interface. Right. Same with project management. Right. You have project management data. You ask those questions. You put it into some sort of PM UI. Do we really think that these things are going to need their own separate databases and their own separate APIs, their own separate tools, their own separate UIs? I don't think so. I think that all goes away. And what we end up with is this thing which I'm calling unified entity context. So if you're an individual, your history, your belief system, your aspirations, your favorite books and music, past traumas, salary, high blood pressure, your friends, your job, your career, family goals, upbringing, medical history. Your agenda, your calendar, right, your financial goals for that particular day, like what you're trying to do for this particular year, getting ready for, you know, a half marathon, whatever it is. But then, just like with the security program, you can ask all sorts of questions. Why is my relationship with my mother in law not working? What can I do to improve my health? Right. Different questions you can ask. If you're a company. It's back to the same thing that we collected with the Alma context goals. The state of all IT systems. What are my Kubernetes pods doing? What are all my EC2 instances doing? What's going on GCP? I want all slack messages, current projects, team members, the state of HR. How many people are we hiring? How many people just left? Why did they leave? Desired IRR for the company. All products that we have, our current marketing campaigns, all of our competitors, marketing campaigns for their products. This becomes the baseline for everything. Once you have that, then you have the smartest AI you have with the largest context. Look down at the entire thing and soak it in all at once. Let's think about this from the attacker defender perspective, because this is another way that I came at this and I came up with this thing called Acad, which is AI capabilities for attackers and defenders. And the basic idea was figure out what the attackers want to do to us, and let's just make a list of those so we can defend against them. So the number one question I get asked is essentially where do I spend money for cybersecurity. And this Acad thing is basically a way to answer that is you give the answer of, well, you think about what they're about to do to you and you make sure you can respond to it. So that turned into this project where I'm gathering tons of these attacker capabilities, and I'm building a corresponding set of defender capabilities. And we're trying to figure out like, how do these play off of each other? So basically the attacker capabilities will be gathering a whole bunch of data, right? The idea is that when you run these attacker capabilities or when they run them against you, they're going to put them into their own version of your context. They're going to have a target unified entity context for you, for you as the target, which is you as a company. Right. And I thought it would look like this. I thought the most important thing was actually these capabilities are like the most important. And I'm like, well, we obviously want to maintain that inside of a state bucket, right. The unified entity context. So I thought that was that. But after thinking about it a lot more, I think it's actually this the accuracy and the freshness of the target context is actually the most important thing because the ability to attack and pivot and hinge off of all this different stuff and, you know, go a different route, be dynamic, do attacker things and defender things. It all hinges off the quality of this context. So where this all takes us is that the top priority of attackers will be having better USC models of your organization than you do. So it'll be a competition between your attacker and you, between who has the most accurate and up to date context for your company. And this is absolutely insane, because the very next step is realizing that we have this entire thing completely backwards. Instead of cybersecurity or finance or whatever, being at the center, like in this diagram with context and I being like, oh, how do you add AI to cybersecurity? Oh, we should gather more context, you know, so we could do cybersecurity better. Nope. It's actually the opposite. The context of the entity is everything. It becomes primary along with the AI that operates. Looking down at that context, software verticals kind of go away. Software and service verticals just become use cases. They become modules on top of unified context. And here's a completely crazy question to think about. And this is currently like blowing my mind. It has not stopped freaking me out since I started thinking about this. What if all of our decisions are only hard because we actually lack context? What if the fog of war Is the thing that makes things difficult. Think about a junior analyst being asked if some connection is malicious or not, and they've got like 27 different sources they can pull from all these different repositories Google Docs, slack or whatever, and you're just like, have at it. Good luck. I need to know if this is dangerous or not. This is going to be really, really hard for a junior analyst, you know, with 1 or 2 years experience, even three years experience. But now imagine a principal analyst comes along to assist the junior analyst, and they build them this elaborate timeline of everything that happened. They take all the logs, they study them for 27 hours, and they build this giant, complex visual map. Then this happened, then this, this log in CrowdStrike that maps to this log in Palo Alto, blah, blah, blah. Connect all the dots. Oh, this is when the attacker did this. This is when the attacker did this. That's when this happened. So it looks like this person is actually the same person as that person. And you could see it clearly. Now can the junior analyst answer this question. Yes they can. They could probably just be like, what are you talking about? Oh that's obvious. I mean, yeah, look, obviously it's malicious because you see the story right here. It's a narrative. It's a story because of the context. Now watch this. Maybe that doesn't even require a junior SOC analyst to answer that. That could be an intern. That could be somebody still in college who's barely learned any security at all. And you're like, hey, so you're vaguely aware that there's a security like concept and like, bad things are bad. They're like, yeah, I guess it's like, well, what if I showed you this diagram here and all these are different logs that happened? Do you think that connection right there is actually malicious? They're like yeah, obviously. So maybe the problem isn't the difficulty of the task, but the difficulty of filling in the context that paints the picture. I think this is absolutely true. And it's why I think unified entity context actually ends up being the most important thing for the management of anything. An ice cream truck business, the local city council group, right? A gardening collective, right. A city government, a state, a country, a federation of planets. Basically, I can use its understanding of the entity of the thing that you care about to lower the difficulty of most decisions because it can take snapshots of the current state that's relevant to the decision that needs to be made, and put it in context, in a timeline, in a narrative that makes it obvious what you should do right. If you think about the fog of war for like a genius general. Oh, where's the enemy attacking? We don't know, sir. Okay. How many troops do we have? We're not sure. We're cut off from, uh, communication lines. How many troops do the enemy have? We're not exactly sure. Somewhere between 10,000 and 100,000. Okay, cool. That requires genius of that, general. That requires genius because they're operating in so much uncertainty. When you bring that uncertainty down, you could pull a private into that room and be like, okay, we know the exact current state of everyone. What should we do? And the private walks in is like, shouldn't we just blow up that truck? Since that's the most important thing and it has all the special plans in it, and it has the special device in it. Should we just blow that up? And everyone's like, yeah, exactly. That's exactly what we should do. It requires genius. If you don't have the information, it does not require genius if you do. So the natural question is what does this mean if this is correct? Well, if you're building a company, I think you need to be thinking very carefully about how to get access to unique data for your customers. You might have the best phone management scanner, but if your competitor partners with someone who provides unique data, or they have unique data themselves for some other reason and they have access to the customer's team structure, their GitHub repos, their HR, you know, workday, they know employees coming, they know all the org changes. They know all the dev pipelines. They know which application corresponds to which dev team and which developer. You are going to lose. It doesn't matter how good your scanner is, if they know more about the customer than you do, you're going to lose. So basically, avoid getting beat by someone who knows more about the customer's organization than you do. If you're in VC or you're really any kind of investor, I'd be looking at companies that are thinking deeper into this context and are thinking about USC early, how to make it themselves if they have to, how to partner with someone who's making it up. I don't think you should look for people who are trying to build the actual USC, because I think that is so big, it's going to be most likely the giant players that are doing it. But I would say avoid betting on companies that ignore this deep context threat and are probably going to lose as a result. And if you're a defender and you're trying to figure out, like what I do, I build. To improve my cybersecurity program, you should start building your own unique context for your company. Your attackers are going to have a version of context for your company. They are going to have a unique world model of you, and your version of that unique world model needs to be better than theirs. And finally, if you're just trying to figure out where things are going, just imagine this whole AI state management, unified entity context thing as a lens that you could use or not use to interpret new AI developments. Basically, one way of interpreting the news about AI that hopefully makes some sense. Thanks for your time and I'll see you in the next one.

So for around ten years now, I've been trying to figure out where all this AI stuff is going, and I want to talk about what I figured out so far and what brought me to this conclusion. And I'm going to do that by sort of taking you through how I drunk stumbled my way along to this idea. So background wise, I'm a security person going back to 1999, spent my whole career doing that offensive security Pentesting web Appsec threat modeling Vuln management. But I would say my overall container is essentially security assessment. And going back like 15 years, when I do a security assessment for a customer, I do it in an unconventional way. And this is how I still do it today. I start with like the CEO and the CEO and like the head of legal and basically all the top people who like, run the company, uh, from the very top level. And I asked them essentially, what is the business? How do they think about the business? What fundamentally do they do? If they had to strip everything away? Like what would that be like? What is the core of it? Right. And I started getting into like what data comes in, what comes out, what are their primary outputs. And then I moved on to the next level of like senior management. Then I moved through management. Then I talked to the people on the actual ground who are like actually doing things. And I start to hear discrepancies. I start to see overlaps, I start to find all the patterns and I adjust my questions accordingly. So I basically moved through the whole structure in that way and try to figure out exactly what that company is doing and how they're doing it. So as I keep gathering more and more of this information, I start filling in like this elaborate diagram for the company. All their information flows, all their vendors where they're storing data. And I start to notice things right. And ultimately I'm figuring out like, what is this company actually look like? And what's really fun is to have people come in and so they modify the screen. They say, oh, that actually doesn't exist anymore. Oh, you forgot this piece. And invariably after, like the first day, people come in and they start taking pictures. I'm like, what are you taking a picture for? And they're like, this is the best view of the company. I've never seen a clearer understanding of what we actually do than this diagram here. Like all the other ones are incomplete, so that's always fun to see. So after a week or two of this, I then do the technical assessment, and then I start asking more and more questions to figure out, hey, so isn't this a problem? They're like, oh yeah, that actually is a problem. But the key idea is taking all this content from all these interviews, including from the highest level and the lowest level, and getting all that into a single context so I can start asking questions. So speaking of security, if you have a company or any digital assets that you're responsible for protecting, I recommend you check out one of my favorite companies ever going back, like, I don't know, 10 or 15 years, which is Project Discovery. So I've been using their open source security tools like Sub finder, DNS, HTTP nuclei, and a bunch of other tools from them for like ten years now. And they just recently released a cloud solution that takes what I was doing, like chaining all these commands together on the command line. And it does it automatically for you. So you come over here, you put in a domain that you want to start with. We'll go with like Tesla because they have an open security program. And you start that and you start collecting tons of stuff on whatever target you put in there. So in the background, it's doing a whole bunch of discovery stuff on the target. It's finding domains, sub domains, making sure those domains are valid. It's finding the web applications. It's taking screenshots of those like login pages. It's finding open ports. It's even getting the tech stack for every service that you find. So here are the type of results that you get from the discovery. And from here you can actually launch a full scan using nuclei and other tools. Okay. From here we can actually go into remediation and start actually fixing these things. So basically they started all these years ago as Pentester and bug bounty and command line focused, and now they brought all that functionality together into a full vulnerability management platform. So definitely go check them out. It's cloud CIO and thanks to Project Discovery for sponsoring today's video. So separate from that in a completely different thread on the consumer side, in 2013, I started to get a picture of where I thought all this AI tech was going. At the time I called it IoT, so I wrote this book in 2016. It's kind of a crappy book. I don't recommend you read it. Honestly. There's a blog version of it online on my site, which you should go check out. It's much better. Typography is much better as well, so definitely go check it out there. But the ideas are pretty decent. So the basic concept first idea is you have digital assistants that know everything about you and they advocate for you. Then the second piece is everything gets an API, including people and objects and businesses, and our digital assistants will also have that. And your Da basically uses those services to interact with the world on your behalf and then your Da. The third piece is augmented reality. It will use all those different services, all the data from those different APIs, to present to you inside of your glasses or your lenses or whatever. It is, the proper context for whatever you're doing, right? And finally, the last piece is once you have a company or a business or an individual or family or whatever with sort of information about them presented at as APIs, you could then take your AI, whatever the smartest AI you have with the largest context, and sort of look down at that entity that you're trying to manage, and you could give it goals. You could say, I am trying to achieve this in my family, in my business, for my county, for my city, for my country. And then your. I can sort of help you manage that. So those are the concepts from the book. Then in 2018, I got a job at Apple doing information security stuff. But the team I came in with was actually a machine learning team. So I had to refresh my horrible math, and I went and did the full Andrew Ng machine Learning course, which was on YouTube at the time, and I ended up spending multiple years there at Apple building out a security product, which they still use today. Pretty happy about that. But, um, lots of practical experience of using the ML stuff in the context of security. Um, so really happy to have come in for that team at Apple. Then in early 21, I left to go build Appsec and Vulnerability Management at Robinhood with Caleb Sima. And there I did a talk at Blackhat about building vulnerability management based on company context and specifically asset management, which turned out to be another sort of brick in this path towards context. So after doing that, I decided it was time to build things on my own and do consulting stuff independently. So I went independent with unsupervised learning in like August of 22. And that was just a few months before ChatGPT came out. So obviously I go absolutely insane when I see ChatGPT and I start calling everyone I know. All my friends got that call, my mom got that call, everyone got this call multiple times. I was freaking out, basically saying drop everything, go do AI. And the first place that my head went with all this was thinking about the context that I would gather in these security assessments and thinking about how I could use this for security, obviously, because that's my background. But I pretty quickly realized that this was bigger than just security. It's actually more about the context first. So in March of 23, I wrote this post called Sspca, which says everything is about state policy questions and actions. Basically, you have the current context for the company or the program or the department, whatever it is you're trying to manage, you have that current context. Then you have the policy, which is what you're trying to accomplish. Then you have the questions that you continuously want the answers to, and then you have actions or what you know, what we as people or I could take what we could do to make that policy happen, make the desired state come true. So with this, I start feeling like, okay, now I'm starting to lock this thing in and make it more solid. So that got decent traction, but I wanted to actually demonstrate this. So I started working immediately on something more practical as like a demo. So I did a talk at Black Hat. I think the following year maybe, and I put together this fake company called alma. And I gave it tons of context for, like, everything about the company. So its mission, how they differentiate from competitors, all their different products, their goals, where they do business, the risk register security team and its members and all their skill sets. Right. The projects that they're working on, the list of applications are it stack the dev teams, how they push code like everything about this company. I put it into this file. So now I can ask questions just like I do in security assessments. And I was doing this using an agent back in 23 to basically call this thing. And the agent would look up all this different tools or whatever, look at the context. And I could do planning for this. I could do threat modeling, actually output reports. I could write emails to auditors, I could respond to one off security questionnaire questions because, you know, you have a problem of like you have this database of security answers, but the question always comes in different. This solves that. So here's an example of a CISO making a statement about no more connections to a particular resource. And we're asking the question should this connection be allowed. And the AI responds back that, no, this connection should not be allowed, because the CISO said a minute ago that no more connections to that particular resource. So you could do really cool stuff when you have context. And throughout 23, 24 and now into 25, I've been building more and more stuff that circulates around this central theme of context plus AI. So later in 23, I built this thing called threshold. It's an app that takes over 3000 sources on the internet, tells me how good the context is independent of the source. And it basically uses context about me It so it knows what I like. And it's using that as the level of quality of the ideas, right? The novelty of the ideas, the number of ideas and having them being shaped in a particular direction. Right. And I could slide this lever and it only shows me content that exceeds a certain threshold of quality. Currently about to launch another product called Same Page, which is an enterprise product that helps companies manage pretty much anything based on their company context. Um, doing a lot of stuff with security programs here. Another thing I've had for like nine years now, or maybe longer, is my attack service monitoring system called Helios. And it started off as basically pure automations, right? This is like directory stuff, Linux stuff, using a bunch of tools, mostly from project Discovery and a bunch of custom tooling and Python and Bash and stuff. So it was very kind of like a dumb system, very effective. Very fast. Very good. But what I've done now is I'm turning this into a complete AI model, and I'm rewriting it to be context central. So everything goes into a particular location and I start operating on it from there. So once again, it's actions running against context. And the last one I'll mention is like a daily brief for myself. So basically looks at all these different sources that I have for like open source intelligence, national security, like really smart people who could, like, tell what's in the back of a truck looking at a satellite photo based on the fact of like the tire treads that are in the grass. So I follow, you know, hundreds of people like that, and I know they have good signal. So what I do is I bring that all together, I do analysis on it using a bunch of AI, and then it gives me like the President's Daily Brief. So now I could say, oh, it looks like this might be happening, um, which I can start thinking about. I could talk about whatever. So all these separate areas are kind of loosely revolving around this concept of context. And I so I feel like or have felt like for a long time that this is congealing. It's coalescing into this single theme. Right. But a couple of weeks ago I'm like, this is not quite it. This is not quite it. I'm close, but not not quite there. And I think I have a much simpler way of describing this now. And that's what I'm calling this unified entity context. And of course, that won't be the real name that gets used because Gartner will name it something and that'll be the new name. No big deal. If we look at security specifically and we look at some use cases, we find some really interesting patterns. So for like a SOC analyst you got tons of different logs, you got threat Intel reports, you got identity stuff, endpoint data, all these different sources for incident response. You've got the same stuff you have to look at, but it's more focused around, like the narrative, determining the scope, the timeline, stuff like that. With Pentesting, you're also gathering tons of data and then trying to put the pieces together and figure out like what to go after. Same with Red team, but you're even more focused on a larger scope, more interested in like the context of everything and the impact that you can generate. And with vulnerability management, we need to understand the organization really well. Otherwise, it's really hard to do remediation, which is kind of the whole point, program management. You got to have project management, budgeting strategy, time management, all those things combined. GRC you have to know what we need to be compliant with and why. And we have to know what our gaps are in terms of like the risk register vulnerabilities, stuff like that. So the common issue with most of these, really all of these is that you have to be able to see multiple parts of the organization all at once in context at the same time, and then connect those pieces together. This is why security analysts and incident responders and red teamers are so valuable. It's not the single task in the problem that's hard. It's integrating all the different sources to be able to actually do that task. And I'm going to go a little deeper into vulnerability management to illustrate this point. Since I've lived in that hellscape for so long. What is it that's actually hard about vulnerability management? Is it that we don't have enough vulnerabilities? Is it that our dashboards aren't pretty enough? That is not the problem. The problem is when you have a given vulnerability, what application is it part of? What engineering team is responsible for that application? What repo do they work from? What DevOps workflows do they use? Like how do they actually push code? How do they fix things day to day? What is the best way to get a really good fix to the right person that doesn't annoy them, which causes their manager to call over security and say stop bothering me. You might think this is easy to find that person, but keep in mind things are changing constantly. Reorgs team changes. Tools are changing like the whole company is constantly in motion. So here's the question how much of our inability to do a great job at vulnerability management for the last 15 years is a security problem, and how much of it is actually an organizational knowledge problem? And now ask that for other areas of security. Even crazier, it's not just security. The software and services industries in general are all based on asking specific questions to a specific set of data and giving you an output in like a kind of a specific type of UI, right? You have HR data, right? You ask HR questions to the HR data and they put that in an HR interface. Right. Same with project management. Right. You have project management data. You ask those questions. You put it into some sort of PM UI. Do we really think that these things are going to need their own separate databases and their own separate APIs, their own separate tools, their own separate UIs? I don't think so. I think that all goes away. And what we end up with is this thing which I'm calling unified entity context. So if you're an individual, your history, your belief system, your aspirations, your favorite books and music, past traumas, salary, high blood pressure, your friends, your job, your career, family goals, upbringing, medical history. Your agenda, your calendar, right, your financial goals for that particular day, like what you're trying to do for this particular year, getting ready for, you know, a half marathon, whatever it is. But then, just like with the security program, you can ask all sorts of questions. Why is my relationship with my mother in law not working? What can I do to improve my health? Right. Different questions you can ask. If you're a company. It's back to the same thing that we collected with the Alma context goals. The state of all IT systems. What are my Kubernetes pods doing? What are all my EC2 instances doing? What's going on GCP? I want all slack messages, current projects, team members, the state of HR. How many people are we hiring? How many people just left? Why did they leave? Desired IRR for the company. All products that we have, our current marketing campaigns, all of our competitors, marketing campaigns for their products. This becomes the baseline for everything. Once you have that, then you have the smartest AI you have with the largest context. Look down at the entire thing and soak it in all at once. Let's think about this from the attacker defender perspective, because this is another way that I came at this and I came up with this thing called Acad, which is AI capabilities for attackers and defenders. And the basic idea was figure out what the attackers want to do to us, and let's just make a list of those so we can defend against them. So the number one question I get asked is essentially where do I spend money for cybersecurity. And this Acad thing is basically a way to answer that is you give the answer of, well, you think about what they're about to do to you and you make sure you can respond to it. So that turned into this project where I'm gathering tons of these attacker capabilities, and I'm building a corresponding set of defender capabilities. And we're trying to figure out like, how do these play off of each other? So basically the attacker capabilities will be gathering a whole bunch of data, right? The idea is that when you run these attacker capabilities or when they run them against you, they're going to put them into their own version of your context. They're going to have a target unified entity context for you, for you as the target, which is you as a company. Right. And I thought it would look like this. I thought the most important thing was actually these capabilities are like the most important. And I'm like, well, we obviously want to maintain that inside of a state bucket, right. The unified entity context. So I thought that was that. But after thinking about it a lot more, I think it's actually this the accuracy and the freshness of the target context is actually the most important thing because the ability to attack and pivot and hinge off of all this different stuff and, you know, go a different route, be dynamic, do attacker things and defender things. It all hinges off the quality of this context. So where this all takes us is that the top priority of attackers will be having better USC models of your organization than you do. So it'll be a competition between your attacker and you, between who has the most accurate and up to date context for your company. And this is absolutely insane, because the very next step is realizing that we have this entire thing completely backwards. Instead of cybersecurity or finance or whatever, being at the center, like in this diagram with context and I being like, oh, how do you add AI to cybersecurity? Oh, we should gather more context, you know, so we could do cybersecurity better. Nope. It's actually the opposite. The context of the entity is everything. It becomes primary along with the AI that operates. Looking down at that context, software verticals kind of go away. Software and service verticals just become use cases. They become modules on top of unified context. And here's a completely crazy question to think about. And this is currently like blowing my mind. It has not stopped freaking me out since I started thinking about this. What if all of our decisions are only hard because we actually lack context? What if the fog of war Is the thing that makes things difficult. Think about a junior analyst being asked if some connection is malicious or not, and they've got like 27 different sources they can pull from all these different repositories Google Docs, slack or whatever, and you're just like, have at it. Good luck. I need to know if this is dangerous or not. This is going to be really, really hard for a junior analyst, you know, with 1 or 2 years experience, even three years experience. But now imagine a principal analyst comes along to assist the junior analyst, and they build them this elaborate timeline of everything that happened. They take all the logs, they study them for 27 hours, and they build this giant, complex visual map. Then this happened, then this, this log in CrowdStrike that maps to this log in Palo Alto, blah, blah, blah. Connect all the dots. Oh, this is when the attacker did this. This is when the attacker did this. That's when this happened. So it looks like this person is actually the same person as that person. And you could see it clearly. Now can the junior analyst answer this question. Yes they can. They could probably just be like, what are you talking about? Oh that's obvious. I mean, yeah, look, obviously it's malicious because you see the story right here. It's a narrative. It's a story because of the context. Now watch this. Maybe that doesn't even require a junior SOC analyst to answer that. That could be an intern. That could be somebody still in college who's barely learned any security at all. And you're like, hey, so you're vaguely aware that there's a security like concept and like, bad things are bad. They're like, yeah, I guess it's like, well, what if I showed you this diagram here and all these are different logs that happened? Do you think that connection right there is actually malicious? They're like yeah, obviously. So maybe the problem isn't the difficulty of the task, but the difficulty of filling in the context that paints the picture. I think this is absolutely true. And it's why I think unified entity context actually ends up being the most important thing for the management of anything. An ice cream truck business, the local city council group, right? A gardening collective, right. A city government, a state, a country, a federation of planets. Basically, I can use its understanding of the entity of the thing that you care about to lower the difficulty of most decisions because it can take snapshots of the current state that's relevant to the decision that needs to be made, and put it in context, in a timeline, in a narrative that makes it obvious what you should do right. If you think about the fog of war for like a genius general. Oh, where's the enemy attacking? We don't know, sir. Okay. How many troops do we have? We're not sure. We're cut off from, uh, communication lines. How many troops do the enemy have? We're not exactly sure. Somewhere between 10,000 and 100,000. Okay, cool. That requires genius of that, general. That requires genius because they're operating in so much uncertainty. When you bring that uncertainty down, you could pull a private into that room and be like, okay, we know the exact current state of everyone. What should we do? And the private walks in is like, shouldn't we just blow up that truck? Since that's the most important thing and it has all the special plans in it, and it has the special device in it. Should we just blow that up? And everyone's like, yeah, exactly. That's exactly what we should do. It requires genius. If you don't have the information, it does not require genius if you do. So the natural question is what does this mean if this is correct? Well, if you're building a company, I think you need to be thinking very carefully about how to get access to unique data for your customers. You might have the best phone management scanner, but if your competitor partners with someone who provides unique data, or they have unique data themselves for some other reason and they have access to the customer's team structure, their GitHub repos, their HR, you know, workday, they know employees coming, they know all the org changes. They know all the dev pipelines. They know which application corresponds to which dev team and which developer. You are going to lose. It doesn't matter how good your scanner is, if they know more about the customer than you do, you're going to lose. So basically, avoid getting beat by someone who knows more about the customer's organization than you do. If you're in VC or you're really any kind of investor, I'd be looking at companies that are thinking deeper into this context and are thinking about USC early, how to make it themselves if they have to, how to partner with someone who's making it up. I don't think you should look for people who are trying to build the actual USC, because I think that is so big, it's going to be most likely the giant players that are doing it. But I would say avoid betting on companies that ignore this deep context threat and are probably going to lose as a result. And if you're a defender and you're trying to figure out, like what I do, I build. To improve my cybersecurity program, you should start building your own unique context for your company. Your attackers are going to have a version of context for your company. They are going to have a unique world model of you, and your version of that unique world model needs to be better than theirs. And finally, if you're just trying to figure out where things are going, just imagine this whole AI state management, unified entity context thing as a lens that you could use or not use to interpret new AI developments. Basically, one way of interpreting the news about AI that hopefully makes some sense. Thanks for your time and I'll see you in the next one.