Transforming Frontline Workflows with Passwordless Access, AI costs, and the News – Joel Burleson-Davis – ESW #431
Segment 1: Interview with Joel Burleson-Davis
Frontline workers can’t afford to be slowed down by manual, repetitive logins, especially in mission-critical industries where both security and productivity are crucial. This segment will explore how inefficient login methods erode productivity, while workarounds like shared credentials increase risk, highlighting why passwordless authentication is emerging as a game-changer for frontline access to shared devices. Joel Burleson-Davis, Chief Technology Officer of Imprivata, will share how organizations can adopt frictionless and secure access management to improve both security and frontline efficiency at scale.
Segment Resources:
This segment is sponsored by Imprivata. Visit https://securityweekly.com/imprivata to learn more about them!
Topic Segment: The Economics of AI Agents
Vendors are finding, after integrating agents into their processes, that agentic AI can get expensive very quickly. Of course, this isn't surprising when your goal is "review all my third-party contracts and fill out questionnaires for me" and the pricing is X DOLLARS for 1M TOKENS blah blah context window, max model thinking model blah blah. No one knows what the conversion is from "review my contracts" to millions of tokens, so everyone is left to just test it out and see what the bill is at the end of the month.
As we saw with Cloud when adoption started increasing in the early 2010s, we are naturally entering the era of AI cost optimization. In this segment, we'll discuss what that means, how it affects the market, and how it affects the use of AI in cybersecurity.
Jackie mentions this story from Wired in the segment: https://www.wired.com/story/ai-bubble-will-burst/
News Segment
Finally, in the enterprise security news,
- we’ve got funding and acquisitions
- 7 red flags you’re doing cloud wrong
- security standards for open source projects
- post mortems of attacks on open source supply chain
- some analysis on current and historic AWS outages
- a deep dive
- some dumpster fires
- and how much would you pay for a robot that puts away the dishes?
All that and more, on this episode of Enterprise Security Weekly.
Joel Burleson-Davis is the Chief Technology Officer at Imprivata where he’s responsible for building, delivering, and evolving the suite of Imprivata’s cybersecurity products that include Privileged Access Management and Privacy Monitoring solutions. Prior to joining Imprivata, Joel was Chief Technical Officer at SecureLink, the leader in critical access management for organizations in need of advanced solutions to secure access to their most valuable assets, including networks, systems, and data. While at SecureLink, Joel was responsible for the overall technology and operational strategy and execution including direction and oversight for Product Development, Quality Assurance, IT and Cybersecurity Operations, Compliance, and Customer Success.
Adrian Sanabria
- FUNDING/M&A: Courtesy of the Security, Funded newsletter, issue 217 – Running [Smart Beds] On-Prem
VIBE CHECK
What's the real reason most orgs don't have AI governance yet?
The answer, overwhelmingly: "Too esoteric - don't actually understand the risks"
FUNDING
- Chainguard, a United States-based software supply chain company, raised a $280.0M Debt Financing round from General Catalyst.
- Sublime Security raises $150m in Series C funding
- nexos.ai, a Lithuania-based shadow AI discovery and governance platform, raised a $34.8M Series A from Evantic Capital and Index Ventures.
- Defakto Security, a United States-based non-human identity security platform, raised a $30.8M Series B from XYZ Venture Capital.
- Keycard, a Canada-based identity and access management platform for AI agents, raised a $30.0M Series A from Acrew Capital
- Gravwell, a United States-based security data and analytics platform, raised a $15.4M Series A from Two Bear Capital.
- Darwin AI, a United States-based AI application governance and compliance platform for the federal sector, raised a $15.0M Series A from Insight Partners.
- Keycard, a Canada-based identity and access management platform for AI agents, raised an $8.0M Seed from Andreessen Horowitz and boldstart Ventures.
- Bricklayer.ai, a United States-based AI-agent-enabled security operations platform, raised a $5.0M Seed from Tech Square Ventures.
ACQUISITIONS
- ThreatConnect, a United States-based cyber threat intelligence platform, was acquired by Dataminr for $290.0M. ThreatConnect had previously raised $22.0M in funding.
- Breez, a United States-based identity threat detection and response platform, was acquired by JumpCloud for an undisclosed amount. Breez has not previously disclosed any funding events.
- BLOG: Do cloud wrong: 7 red flags your strategy needs a reset
This one jumped out at me after hearing so many folks scoffing at organizations that don't have multi-region HA set up for their apps. Should everyone do that? Does all that expense and added complexity make sense, vs 6-8 hours of downtime every 2 years when US-EAST-1 has a hiccup?
- STANDARDS: The Geomys Standard of Care
A standard for open source projects that sets a high bar.
- POST MORTEMS: A Retrospective Survey of 2024/2025 Open Source Supply Chain Compromises
Super useful compilation of supply chain incident root causes!
- ANALYSIS: Summary of the Amazon DynamoDB Service Disruption in the Northern Virginia (US-EAST-1) Region
Was it DNS? Is it really always DNS?
What was Adrian supposed to be working on when his ADHD convinced him it was a good idea to analyze all major AWS breaches and compile them into a spreadsheet?
- TRENDS: Self-Hosted Alternatives: Control Your Data
It isn't just the EU and Canada moving away from using US-controlled hyperscalers. Businesses and individuals seem to be moving back to self-hosting as well. Has the subscription-based market become overbearing? Was this reversing of the SaaS/Cloud adoption trend inevitable?
- AI SECURITY: Piloting Claude for Chrome
At this point, Anthropic has established themselves as the 'cautious' AI company (relative to the other AI tech companies, at least). I wanted to draw attention to this post they released back in August. In the post, they explain why they're not releasing an AI browser yet. Of course, it basically calls out almost every problem we're seeing with AI browsers right now.
SC Media has 7 stories on AI browser vulnerabilities in October alone.
- Oct 29, 2025 ChatGPT Atlas, AI chatbots vulnerable to context poisoning
- Oct 28, 2025 ChatGPT Atlas susceptible to Tainted Memories exploit
- Oct 27, 2025 ChatGPT Atlas address bar a new avenue for prompt injection, researchers say
- Oct 24, 2025 AI browser risks demonstrated by PoC sidebar spoofing attack
- Oct 20, 2025 Malvertising campaign exploits Comet browser
- Oct 10, 2025 Cyber risks in AI browsers detailed
- Oct 6, 2025 New attack harnesses Perplexity's agentic AI browser for data exfiltration
- DEEP DIVE: Why Signal’s post-quantum makeover is an amazing engineering achievement
This is a very technical deep dive on why Signal's latest post-quantum crypto implementation (which they're calling PQXDH) is remarkable. The bar is set extremely high for Signal and they're aware of the stakes.
If this read isn't technical enough, you can also check out Signal's blog post.
If THAT isn't technical enough, they've also shared the whitepaper that details the entire spec.
- DUMPSTER FIRES: 23andMe’s Data-Theft Victims Offered ‘Genetic Monitoring’ to Ward Off Hackers
The 23andMe story keeps getting messier and messier. Now they're offering 'genetic monitoring'. ID theft monitoring is already fairly limited in what it can do to help you. Genetic monitoring seems like an insult added to injury.
- DUMPSTER FIRES: After 35 Years, a Solution to the CIA’s Kryptos Puzzle Has Been Found
OMG, this is a classic hacker "you didn't follow the rules" moment. I love it.
- SURVEYS: How Are Companies Using AI? A New Survey Has Answers
We saw a report from Google stating that something like 90% of developers are using AI regularly in their workflows. This survey (full report here) from the University of Pennsylvania's Wharton School found that regular AI use is nearly as common among business leaders.
I was surprised to see that 72% are formally measuring the ROI they're getting out of GenAI, and are focused on "productivity gains" and "incremental profit". Three fourths of leaders see positive returns on GenAI investments.
Daily use is most common for IT and purchasing/procurement.
Ironically, I saw another headline that said senior leaders were the most likely to get laid off due to AI efficiencies...
- SQUIRREL: NEO The Home Robot
Kind of a half squirrel story, half serious tech milestone that security folks need to be aware of. Despite how this amazing product reveal video for 1X's Neo robot was filmed, it currently appears to be relying heavily on a tele-operator to perform many functions. Without one, it seemed to struggle with basic tasks, like opening a refrigerator door.
It's a $20k (or $500/mo lease) robot that has amazing potential, but also requires you to be cool with some stranger occasionally (or often?) piloting the robot remotely. Supposedly people are blurred out. Supposedly, you can label areas of your home as off-limits for Neo.
But what about more nuanced risks of the technology? What data goes back to the company? What control/visibility do you have over that data? How easy is it for Neo's eyes to take photos or screenshots of things? How actively does it OCR any text it sees? Where is that text sent? Are they using 3rd party LLM providers, or in-house? Could it shoulder-surf sensitive stuff on my laptop screen? Can it see my family calendar on the fridge? Did it get a peek at the content of my mail?
There was a period where hackers were having amazing success (mostly through SIM-swaps, I think) in getting sensitive photos off celebrity phones. When mostly celebrities and other wealthy individuals have in-home robots, will we see a similar trend?
Then there's the enterprise - 1X are also pitching fleets of these robots to enterprises. What does managing them at scale look like? Will the next Mirai botnet be a bunch of humanoid robots mining Monero on their NVIDIA Jetson Thor SoCs? If remote access exists, it will be remotely hacked at some point.
- Do they have a bug bounty? No, not that I could find.
- A vulnerability disclosure policy? Again, not that I could find (which is kinda the whole point of it).
- Do I want one to play around with, hack and explore? Yes, I do.
Is this the Segway of robotics? When the Segway came out, it was too expensive, too big, too ambitious. It turned out that everyone was much happier with a scooter or a bike (existing, familiar form factors) with a battery and electric motor added. They were cheaper and had an existing form factor that fit neatly into infrastructure without question.
Ayman Elsawah
Sean Metcalf
- Windows 11 KB5067036 update rolls out Administrator Protection feature
- EY Data Leak – Massive 4TB SQL Server Backup Exposed Publicly on Microsoft Azure
"EY responded swiftly and professionally, triaging and remediating the issue within a week, with no defensiveness, just effective action."
Adrian: <sarcasm> Within a week! Oh wow. How fast. So professional. </sarcasm>