Free Trial
Contact Us
Podcast

Root Causes 472: AI Offensive Modeling

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
February 26, 2025

AI tools are now available to perform red-teaming activity for DevSecOps. Such tools are soon to be table stakes in the constantly escalating IT security arms race. Join us to learn more.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanSo Jason, we're here in Toronto. We're doing Toronto sessions season two, it's been a great session so far. What are we going to talk about today?
Jason SorokoJason SorokoTim, I think that one of our look forwards was about a lot of AI, exciting AI stuff. My goodness. Something we said during these sessions already, a couple times now, is that something has to change on the defender side. The world needs to defend better.
Tim CallanTim CallanBad guys are winning.
Jason SorokoJason SorokoTheir edge is growing. You and I had a great conversation last night when we both came into Toronto, and one of the things we talked about was how AI can act as a multiplier in the PKI world, where researchers who are trying to do bad things against RSA - -
Tim CallanTim CallanThey are trying to find the vulnerabilities in the cryptography, could use this to really vastly extend the surface of what they can explore.
Jason SorokoJason SorokoIf you only have a small handful of people in the world who truly understand how to do that kind of research in the math, I would argue that really, really well-trained AI right now can probably 10x to 100x a team, and that would make complete changes to the way that this research is done, because a lot of those researchers, you said it best, they've got kids, they've got dogs, they've got parks to have to go to and dinners to eat. Well, if eight people have 800 researchers working for them, which is what AI might give them the equivalent of, it'll change everything. I think the defenders, this whole notion of, and it's an old, old war idea that there's an asymmetric problem between the bad guys can choose how they attack.
Tim CallanTim CallanThe defenders have to defend everything.
Jason SorokoJason SorokoThe Blue Team has a hard job.
Tim CallanTim CallanAnd the hackers only need to get through one place.
Jason SorokoJason SorokoThe Blue Teamers. Who would ever want to be on a Blue Team, because you're going to lose right now. Well, the Blue Teamers need something to help fight against this asymmetric situation. I'm going to tell you, I think it's going to be this. Nothing makes a Blue Team learn faster than working with a really good Red Team. The thing is, I think that that's iterating too slowly. Good Blue Team. Red Team interactions are too slow.

Blue Team needs to learn faster. Blue Team needs to be prepared better on the first iteration than just getting slaughtered until 100 iterations in, until they reach a baseline. What happens if you could change that and make first iteration of Blue Teaming as good as the 100th? That’s the game.
Tim CallanTim CallanThat sounds good. How do we do it?
Jason SorokoJason SorokoThere are now uncensored – this is a key word - uncensored models, AI models, that are optimized for building offensive code, building offensive structures and automating offensive tactics against Blue Teams. If a Blue Team has this tool - -
Tim CallanTim CallanSo I can take this, and I can throw it at my defenses, and it will very quickly explore a lot of attack surfaces and attack methods just because it's going to be faster than a Red Team and because, like you said, it's not going to have to take breaks for food and sleep and kids’ birthday parties and all the rest.
Jason SorokoJason SorokoNow I'm gonna throw it a name. It's called White Rabbit Neo. But there's gonna be others. Guaranteed. Let's explore this for a moment. They're uncensored models. So I don't know if you've ever played with offline, large and small language models, but sometimes you can get these uncensored models, and you might wonder, well, what kind of nefarious stuff are you doing with an un - - that word uncensored makes me uncomfortable. Well, if you're asking a large language model, build me malware code, well, you can't use the censored tools because they're going to go, oh, my - -
Tim CallanTim CallanThey refuse to.
Jason SorokoJason SorokoMy policies say I can't do this. So we need carefully constructed, uncensored models that are built to do just this. So Blue Teamers now have tools that it's like maybe even my AI is smarter than the Red Team I'm going to be up against, and I could throw everything at it before my first iteration. So in other words, one of the things Tim, that I'm personally excited about AI right now is the fact that it's helping me to learn faster, faster and faster and faster. I think that that's what a Blue Team could use this for, is to learn faster. I give Blue Teams full credit for building good defense. The problem is that their imagination simply isn't big enough.
Tim CallanTim CallanI mean, fundamentally, it's the problem. How do you deal with the unforeseen? It's unforeseen. So the more of that you can expose more readily, more quickly, the better you are, because now you can have a sense for how to defend.
Jason SorokoJason SorokoAbsolutely. So you might ask me, well, what's the category of Blue Teamers that might benefit from this White Rabbit Neo and other tools that are coming out at the moment? Right now, it's DevSecOp teams. So people who are building Dev Op systems, who are the security analysts for that, if you are Blue Teaming that, my goodness, check into these tools, because your ability to learn from an absolutely rock solid Red Team teammate in order to test the armor that you've built - My goodness, that era is now with you. You can learn faster Blue Team and start to fight against this asymmetric situation that you're always just going to lose.
Tim CallanTim CallanSo I don't see any reason why this would need to be limited at all to DevSec.
Jason SorokoJason SorokoNo but these tools, these models right now are optimized.
Tim CallanTim CallanThat's what this is. That’s what that is. I get it. I get it. But I guess I'm trying to say this. We should expect this principle to show up in all aspects of security. So I like all of this. I think learning faster is always better. I think the problem with the security situation is you never know if tomorrow is the day you're going to be owned. So getting that hole plugged ASAP is extremely important. Do you feel that that need for speed increases as the opponents surely are doing their version of the exact same thing?
Jason SorokoJason SorokoThe Red Team can use Red Team tools, too. Absolutely.
Tim CallanTim CallanAnd not even the Red Team. The real bad guys.
Jason SorokoJason SorokoAbsolutely. Therefore, if Blue Team isn't using this, it just gets worse. Blue Teams, my goodness, some of you are incredible. Some of you can do orthogonal thinking. The problem is you can only put your fingers in so many places. And this helps. This helps to automate the testing of your defensive strategies. And fantastic. What a great way to use AI.
Tim CallanTim CallanWhat a great way to use AI. I love it. This feels like a story we want to follow, and we'll probably return to because this is early in this industry. And we're going to want to see how it develops and what it does.
Jason SorokoJason SorokoAdd agentic AI to these adversarial models, and it's quite something.
Tim CallanTim CallanYou start combining agentic AI with the rest of this, and you see where both the stakes and the speed of everything is magnified.
Jason SorokoJason SorokoI'm going to say this one more time, just because it's fun. Tim, you and I are working the world of Certificate Lifecycle Management, and we have people screaming on Reddit about, I don't want to automate my certificate renewal. I think it's hilarious that we live in a world where you'll have a legitimate Sys Op complaining about automating a cert renewal in a world where hyper, hyper, hyper automation is now all around them. It's hilarious to me that we live in literally extreme Luddite with, we're now going supernova with how we do automation.
Tim CallanTim CallanIt is funny. It's odd when you think about that break. Like this is something that's straightforward and basic and obvious and yes, you'd have to have really a Luddite attitude not to want to do it and then, and then right adjacent to it, we've got this kind of drive for hyper acceleration of technology adoption, and that's going to create problems when those two things are existing simultaneously.
Jason SorokoJason SorokoYou brought up a term earlier in the Toronto sessions, and I love what you said. You talked about being agility native, or even perhaps automation native. And those younger folks right now are going to come into a world where just systems automating other systems is just going to be natural. And there's a whole generation of us who didn't come in that way, who are, I have to be at a command line and do this manually. No. This is just another example, Tim. That's all.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud