Episode 27: AI Hype, Cyber Stocks, and the End of Trust
Jerry Perullo, Mario Duarte, and Sounil Yu dive into the tension between AI buzz and cybersecurity substance in this wide-ranging episode covering everything from investing trends to browser hygiene. Topics include:
- The AI fundraising filter
If you’re pitching a cybersecurity startup today, you’d better have an AI story—even if your product doesn’t need it. The hosts talk about the divide between “AI for security” and “security for AI,” and how real value often lies beneath the surface-level hype. - Are cyber stocks undervalued?
Despite some market chatter, the group isn’t convinced. Valuations remain high, and multiples are still rich compared to other tech. That said, companies with strong data moats or positions in the AI supply chain—like Cloudflare—could be poised to benefit. - Prompt engineering is already old news
The conversation shifts from simple prompting to the rise of agentic AI. With enterprises demanding “bring your own model” (BYOM) flexibility, product teams are having to rethink architectures—while also facing challenges around IP leakage and prompt logging. - Microsoft locks down the kernel
In a post-CrowdStrike world, Microsoft is removing third-party EDRs from direct kernel access. The crew discusses how this could hobble vendors, reinforce Microsoft’s advantage, and reignite old debates about platform control and fair access. - Attackers using AI: Not new, just cheaper
The tools for malware evasion have existed for years, but AI is making them faster and more accessible. AV bypass is table stakes now—this just lowers the bar further. - The extension problem is worse than you think
VS Code forks and browser extensions are being hijacked post-install, and even formerly trusted plugins can turn malicious. The group shares how they isolate profiles, avoid extensions, and protect personal devices at home (especially from their kids). - North Korean developers and the moonlighting dilemma
DOJ headlines about DPRK IT workers may be real, but they’re often overblown. The bigger story might be just how many companies can’t detect when an employee is phoning it in—or working six jobs. - Security awareness training: Mostly broken
Jerry, Mario, and Sounil critique common phishing tests and the “training theater” they create. They call for training that emphasizes realistic risk, social engineering awareness, and company-specific guardrails—not typos in emails or fake Amazon logos.