Can AI help critical infrastructure, the state of the cyber market, and weekly news – Kara Sprague, Mike Privette – ESW #451
Interview with Kara Sprague - The AI Fix for Infrastructure’s Oldest Security Risks.
Critical infrastructure, often built on decades-old systems and legacy code, remains vulnerable to cyberattacks. From pipelines and energy grids to transportation networks, we break down where critical infrastructure is vulnerable and how AI could potentially help strengthen defenses.
Interview with Mike Privette - The State of the Cybersecurity Market
Here at ESW, we use Mike Privette's Security, Funded newsletter to prepare for every news segment. His newsletter covers the latest fundings, acquisitions, public market performance, layoffs, and other pertinent market details every week. We particularly enjoy the weekly Vibe Check.
In this interview, he joins us for the third year in a row, to discuss the most interesting insights from his annual State of Market Report.
Post recording Adrian here: Whooooo, so this conversation was SO good, I decided to punt the news segment in favor of a part 2 with Mike, so enjoy!
Also, though I punted the news segment, I did collect these stories and annotated them, so I think there's still some value in leaving them in the show notes. Scroll down for the links and my comments on each of these!
Weekly Enterprise News
Finally, in the enterprise security news,
- funding announcements seem to be ramping up before RSA
- Should security architects be shifting right?
- How McKinsey’s AI platform got hacked… by AI
- Amazon is having a bad time with AI lately
- Europe announces a Google Workspace/Microsoft 365 replacement
- Robot dogs are apparently guarding datacenters now
- Some much needed security humor in our squirrel stories before we all fly to San Francisco and lose our minds for a week
All that and more, on this episode of Enterprise Security Weekly.
Kara Sprague is the CEO of HackerOne, a global leader in Continuous Threat Exposure Management. She holds over 20 years of experience assisting public and private technology companies in growing their businesses at a global scale. Prior to HackerOne, Kara served as the Executive Vice President and Chief Product Officer at F5 where she led several enterprise-wide transformation initiatives to enable the company to adapt to changing market conditions and disruptive market forces. Kara received her bachelor’s and master’s degrees in Electrical Engineering and Computer Science as well as her master’s degree in Technology and Public Policy from the Massachusetts Institute of Technology. In her spare time, Kara remains passionate about equity and sustainability and served as a member of the Executive Committee of the Girls Who Code Board from 2016 through 2022.
Mike Privette is the founder of Return on Security and the industry’s first cybersecurity economist. With over 18 years of experience as a security engineer, leader, and CISO, Mike recognized a critical need for accessible intelligence on the cybersecurity landscape from a practitioner’s perspective.
Frustrated by the lack of concise resources to track emerging cybersecurity companies and industry trends, he created Return on Security to serve cybersecurity leaders, founders, investors, and policymakers. Mike analyzes data on technological advancements, regulatory changes, and economic indicators across major economies, providing insights that connect cybersecurity with global economic dynamics.
Security Weekly listeners save $100 on their RSAC 2026 All Access Pass! RSAC 2026 Conference will take place March 23rd to March 26th in San Francisco. To register using our discount code, please visit securityweekly.com/rsac26 and use the code 56U5SECWEEKLY! We hope to see you there!
Adrian Sanabria
- FUNDING/M&A: courtesy of the Security, Funded newsletter, issue #235 – Left of Boom
VIBE CHECK
What security spend would you cut first if forced?
- 35% - Threat intel subscriptions
- 24% - Consultant/advisory spend
- 24% - Bug bounty program
- 18% - MSSP/managed services
- 0% - Other (tell me)
FUNDING
- Kai, a United States-based autonomous security operations and orchestration platform, raised a $125.0M Series A from Evolution Equity Partners. <- weird, considering they've announced they're getting acquired by Palo Alto?
- Jazz, a United States-based data loss prevention platform, raised a $43.0M Series A from Glilot Capital Partners and Team8.
- Onyx Security, a United States-based AI application monitoring, governance, and security platform, raised a $40.0M Series A from Conviction VC.
- Qevlar AI, a France-based AI-agent-enabled security operations center support platform, raised a $30.0M Series A from Forgepoint Capital and Partech.
- Bold Security, a United States-based endpoint data exfiltration and insider threat protection platform, raised a $28.0M Series A from Bessemer Venture Partners, Picture Capital, and Red Dot Capital Partners.
- Tracebit announced a $25M Series A led by Firstmark and Accel <- exciting, the first real competitor to Thinkst!
- Scanner.dev, a United States-based security operations and data analytics platform, raised a $22.0M Series A from Sequoia Capital.
- Escape, a United States-based application security testing and monitoring platform, raised a $17.9M Series A from Balderton Capital.
- Quantro Security, a United States-based automated threat and vulnerability remediation platform, raised a $5.5M Seed from Gradient.
- Dropzone AI, a United States-based AI-agent-enabled security operations platform, raised an undisclosed Corporate Round from Leidos Holdings.
- Spin.AI, a United States-based ransomware protection and data recovery platform across SaaS collaboration suites, raised an undisclosed Venture Round from K1 Investment Management.
ACQUISITIONS
- Promptfoo, a United States-based open-source platform for identifying and fixing vulnerabilities in AI models and applications, was acquired by OpenAI for an undisclosed amount. Promptfoo had previously raised $23.4M in funding.
- ESSAYS: Time for Security Architects to Shift Right
Loving this - it addresses the primary reason I do breach analysis and research work. It answers the question posed in this essay, "where did the threats in the threat model come from?"
There's a great quote in the essay, commenting on ATM fraud in 1993:
“System designers have suffered from a lack of information about how their products fail in practice, as opposed to how they might fail in theory. This lack of feedback has led to a false threat model being accepted. Designers focused on what could possibly go wrong, rather than on what was likely to.”
That's exactly what we're doing now, by throwing darts at the MITRE ATT&CK framework and building detections where the darts land.
- VULNERABILITIES: How We Hacked McKinsey’s AI Platform
An amazing story and a huge win for both Codewall and bug bounties.
Also a cautionary tale for those that built and deployed AI-powered apps without security reviews or assessments.
- DUMPSTER FIRES: Amazon is regretting AI
Big oofs
Moving fast and breaking stuff was never so fast or easy, I guess!
TL;DR
- Amazon employees are required to use Kiro, Amazon's internal AI agent
- Kiro deletes production and they're down for 13 hours
- Amazon blames the employee
- Amazon employee uses Q, Amazon's other AI agent
- Q deletes a bunch of orders from Amazon.com
- A few weeks later, all orders are deleted by Q again
- BALKANIZATION: Office EU – Europe’s Open-Source Productivity Suite
Using Nextcloud behind the scenes for the SaaS functionality. I suspect this might be a fork of one of the existing FOSS office suites.
Yes, thanks to a Register article, we know it is using Collabora Online, which is based on LibreOffice.
- REPORTS: RSAC 2026 Innovation Sandbox: Finalist Analysis – Lenny Zeltser
AI-generated, but very useful primer on all the Innovation Sandbox finalists if you want to brush up on them.
Of course, the right response to this is, "forget Innovation Sandbox, I'm going to attend Adrian's talk at 9:40am PDT in Moscone West 2020"
- ROBOT UPRISING: Robot dogs priced at $300,000 a piece are now guarding some of the country’s biggest data centers
I'm definitely not doing this onsite security assessment
Nope.
My contract now reads: "No armed guards, or autonomous robots"
- SQUIRREL: Judge Sentences CISO to 8 Consecutive Hours on RSA Expo Floor as Formal Punishment for Security Breach
Very funny cybersecurity copy of The Onion, from AI vuln remediation security vendor Maze.
Ayman will particularly enjoy this story: https://www.theexploit.co/articles/blue-bottle-coffee-wins-rsa-innovation-sandbox
- SQUIRREL: A Day in the Life of an Ensh*ttificator
Yes, Cory Doctorow is both aware of this and in a way I haven't had time to understand, somehow responsible for this.