Ahead of the Breach

Welcome to Ahead of the Breach, the podcast dedicated to equipping security experts and practitioners with the knowledge and insights needed to excel in the future of cybersecurity. Join us as we explore innovative strategies, emerging trends, and actionable takeaways to help security leaders stay ahead.

Listen on:

  • Apple Podcasts
  • Podbean App
  • Spotify

Episodes

9 hours ago

Welcome to a special edition of Ahead of the Breach, where our host Casey Cammilleri answers the top questions our listeners have asked us. In today's episode, Casey addresses how to prepare for the future of pentesting. 
Would you like to have Casey answer one of your questions in a future episode? Email podcast@sprocketsecurity.com with your question and a short summary of why you're looking for an answer!

Tuesday Jun 03, 2025

The shift from annual compliance-driven security testing to continuous validation represents one of the most critical evolutions in modern cybersecurity practice. Vivek Menon, CISO & Head of Data at Digital Turbine, discovered this firsthand when his team's focus on modern cloud applications nearly missed a critical legacy system that could have triggered cascading failures across their entire infrastructure. On this episode of Ahead of the Breach, Vivek tells Casey how quarterly penetration testing aligned with engineering roadmaps delivers superior security outcomes while building rather than eroding trust with development teams.
Vivek has developed frameworks that balance thorough security validation with business agility. His approach to shadow AI governance, stakeholder communication strategies, and leveraging AI simulation for previously impossible attack scenarios offers practical guidance for security leaders navigating today's rapid development cycles while maintaining robust defensive postures.
Topics discussed:
Quarterly penetration testing frameworks that align with product roadmaps and engineering milestones rather than annual compliance cycles to catch vulnerabilities as they're introduced.
The critical importance of comprehensive asset discovery, particularly legacy systems that may be interconnected with modern cloud infrastructure in ways that create cascading vulnerability risks.
Building trust equations with engineering teams through consistent, non-disruptive testing practices that demonstrate security as an enabler rather than a blocker to development velocity.
Shadow AI governance challenges as employees enthusiastically adopt tools like Zapier agents without proper controls, creating new data exposure vectors that require immediate attention.
Risk register development using business risk alignment rather than treating all systems equally, focusing testing resources on revenue-generating and business-critical components.
AI-driven attack simulation capabilities that make previously cost-prohibitive or technically impossible testing scenarios accessible for better adversary understanding.
Stakeholder communication strategies that tailor security messaging across three distinct audiences: technical implementers, middle management, and executive leadership with board reporting requirements.
Leveraging AI agents for frictionless continuous testing that reduces visible pain points for engineering organizations while maintaining security thoroughness.
Integration strategies for penetration testing platforms with existing productivity tools like Jira, Confluence, and Slack to streamline vulnerability management workflows.
Non-traditional hiring approaches for security teams, particularly recruiting from MLOps and data science backgrounds to address machine learning security gaps that traditional cybersecurity professionals often miss.

Thursday May 29, 2025

Welcome to a special edition of Ahead of the Breach, where our host Casey Cammilleri answers the top questions our listeners have asked us. In today's episode, Casey addresses what is broken about legacy pentesting. 
Would you like to have Casey answer one of your questions in a future episode? Email podcast@sprocketsecurity.com with your question and a short summary of why you're looking for an answer!

Monday May 19, 2025

From a casual gaming project at NASA's JPL to powering 700+ cybersecurity vendors, WhoisXML API has become the foundation of modern threat intelligence. In this episode of Ahead of the Breach, recorded at RSA Conference 2025, Casey sits down with Vice President Alex Ronquillo to explore how domain registration data has become critical infrastructure for security tools and how penetration testers can leverage this intelligence in their work.
Alex takes us behind the scenes of the massive data collection operation that tracks billions of domain events monthly, explaining how even the most heavily reviewed security tools rely on WhoisXML API to identify potentially malicious domains based on registration patterns. He also reveals surprising research showing that 90% of subdomains in security databases don't actually exist — they're artifacts of security scanning against wildcard DNS configurations that respond to any query. 
Topics discussed:
Research showing that domains created within the last 30 days are significantly more likely to be malicious, forcing penetration testers to deliberately "age" domains to avoid detection by security tools that automatically flag new registrations.
How security professionals can use reverse WHOIS lookups based on email addresses, organization names, and nameservers to discover hidden attack surfaces and verify domain ownership during testing.
Rather than performing millions of individual WHOIS queries, major security platforms license structured data dumps to perform local lookups for domain intelligence at massive scale.
Since GDPR implementation in 2018, approximately 80-90% of domains have non-public registrant information, forcing security teams to rely on alternative signals like SSL certificates and hosting infrastructure.
WhoisXML API's partnership network with cybersecurity vendors creates a collaborative intelligence platform that tracks malicious domains and infrastructure across the internet ecosystem.
How security tools inadvertently pollute passive DNS databases by triggering wildcard DNS records, creating the illusion that millions of non-existent subdomains are real assets.
How the Registration Data Access Protocol is modernizing domain registration data access while preserving the critical information that security tools need for threat intelligence.
How companies like Doppel use WhoisXML API's data to identify phishing domains targeting their customers within minutes of registration, enabling rapid takedown before damage occurs.
How investment analysts and technology companies use WHOIS and hosting data to track market share and adoption patterns across cloud providers and services.

Thursday May 15, 2025

Welcome to a special edition of Ahead of the Breach, where our host Casey Cammilleri answers the top questions our listeners have asked us. In today’s episode, Casey addresses “Why does continuous penetration testing outperform bug bounties?”
Would you like to have Casey answer one of your questions in a future episode? Email podcast@sprocketsecurity.com with your question and a short summary of why you’re looking for an answer!

Tuesday May 06, 2025

How do you effectively measure security operations in a world where vulnerabilities never stop coming? Cody Florek, Director of Information Security Operations at Sentry, brings a refreshing approach that combines agile methodology with practical security execution. In this episode of Ahead of the Breach, he tells Casey how his journey from computer repair technician to security leader shaped his perspective on measuring capacity, building AppSec programs that don't antagonize developers, and communicating security risk effectively to leadership.
Cody explains why many AppSec programs fail by overwhelming development teams with vulnerability findings without context, and offers a better approach using DREAD modeling to prioritize what truly matters. He also reveals his strategies for conducting effective tabletop exercises that uncover critical security blind spots most organizations miss. Whether you're running security operations or building an application security program, Cody's practical insights on balancing project work with operational demands will transform how you measure security effectiveness.  
Topics discussed:
Measuring security operations capacity with agile methodology, using story points to quantify both project work and operational demands, with each day representing two points to realistically plan team bandwidth.
The evolution of application security implementation from vulnerability scanning to strategic DREAD modeling that helps prioritize findings based on context, exploitability, and real-world impact rather than overwhelming developers.
Strategic approaches to communicating security risk to leadership by translating technical issues into business impact while leveraging technical background to accurately assess vulnerability context.
Implementing structured vulnerability prioritization frameworks that combine CVSS scores with business context, exploitability analysis, and threat intelligence to focus remediation on what truly matters.
Building effective partnerships with development teams by avoiding the "throw it over the fence" mentality and instead providing context-driven vulnerability assessments with prioritized remediation plans.
Practical shift-left security implementation strategies that recognize organizational maturity levels and gradually empower developers after cleaning up existing vulnerabilities.
Designing and conducting effective tabletop exercises that uncover critical security blind spots, including encouraging reluctant participants to actively engage in scenario planning.
Holistic security metrics frameworks that balance operational effectiveness, program impact measurement, and threat intelligence to provide comprehensive security oversight.
Creating comprehensive security coverage using a "Plinko game" metaphor to ensure multiple defensive layers prevent attacks from finding direct paths through defenses.
The importance of curiosity-driven incident analysis that goes beyond immediate fixes to understand root causes and systemic improvements needed for long-term security posture enhancement.

Tuesday Apr 22, 2025

From intercepting key fob signals with HackRF devices to setting up rogue cellular networks with USRP transceivers, Ayyappan Rajesh, Offensive Security Engineer at Block Harbor Cybersecurity, takes Casey deep into the technical underbelly of wireless security testing in this illuminating episode of Ahead of the Breach. 
As an offensive security engineer with Block Harbor's VCL team, Ayyappan specializes in testing "everything that has a radio on it" — from automotive systems operating at 315 MHz to Bluetooth-enabled tire pressure monitoring systems and cellular networks requiring sophisticated Faraday cage environments. He shares how teams can intercept SPI and I2C communications to extract firmware directly from chips, implement GPS spoofing using NASA satellite constellation data, and why many vulnerabilities now require physical access rather than just wireless interception.
Topics discussed:
The evolution of RF exploitation from replay to rollback methodologies that deliberately desynchronize key fob counters, allowing security testers to exploit implementation weaknesses rather than breaking encryption algorithms directly.
Hardware-based firmware extraction techniques using direct chip interfaces that bypass wireless protections entirely, revealing how security researchers connect via SPI and I2C protocols to obtain proprietary algorithms from automotive security chips.
Lateral movement strategies from infotainment systems to critical vehicle controls through careful analysis of gateway implementations that act as rudimentary firewalls between entertainment and control networks.
Creating isolated cellular test environments using programmable SIM infrastructure and open-source base stations that enable comprehensive security testing without FCC violations through controlled Faraday environments.
Manipulating GPS-dependent systems through satellite constellation spoofing that leverages NASA ephemeris data processed through GPS-SDR-SIM to generate deceptive signals targeting both location and time-dependent security controls.
Building cost-effective wireless security testing labs that leverage increasingly affordable software-defined radio platforms like HackRF and USRPs, enabling more researchers to conduct sophisticated wireless security assessments.
Leveraging automotive security education resources like the Cyber Auto Challenge that provide aspiring security researchers with manufacturer-supported environments for learning without the significant financial barriers traditionally associated with automotive security testing.

Tuesday Apr 08, 2025

Implementing effective DevSecOps requires balancing security controls with developer experience — a challenge Eyal Paz, VP of Research at OX Security, tackles with practical strategies drawn from his network security background. In this episode of Ahead of the Breach, Eyal explains to Casey how organizations can gradually build shift-left security programs without disrupting development workflows, using a strategic phased approach similar to transitioning from IDS to IPS systems. 
Eyal explores multiple implementation methods from pipeline scans to pre-commit hooks, explains why "making developers angry" is the greatest security risk to shift-left adoption, and shares research from his Black Hat presentation on the exploitation likelihood of transitive dependencies. Drawing from the Log4j crisis, Eyal also emphasizes the critical importance of maintaining a comprehensive software bill of materials (SBOM) and strategically prioritizing vulnerabilities based on actual exploitation risk rather than raw CVE counts.  
Topics discussed:
Gradual shift-left security implementation that mirrors IDS-to-IPS transition, starting with detection mode for 1-2 weeks, collecting pipeline data on hundreds of scans, then engaging development managers with concrete findings before enabling blocking mode.
Leveraging recent security incidents as strategic entry points for DevSecOps adoption, targeting tools that address specific vulnerabilities developers recognize as harmful like XSS or exposed S3 buckets to maximize buy-in and patience with implementation challenges.
Optimizing developer experience as a critical success factor in security programs by choosing implementation points with minimal workflow disruption, focusing on pipeline scans over pre-commit hooks and cautioning against IDE-level scanning that creates excessive friction.
Multi-layered scanning strategy framework addressing static analysis (SAST), software composition analysis (SCA), infrastructure-as-code, and container scanning, with guidance on prioritizing integration based on organizational maturity and security history.
Strategic vulnerability triage approach based on Black Hat research showing that while 70% of vulnerabilities come from transitive dependencies, the likelihood of exploitation decreases dramatically deeper in the dependency tree.
Software bill of materials (SBOM) as critical infrastructure for rapid vulnerability response, drawing lessons from Log4j when organizations without dependency visibility wasted remediation time locating affected systems during active exploitation.
Build vs. buy considerations for security tooling that balances the simplicity of open-source implementation against the hidden costs of building comprehensive workflows and integrations at enterprise scale.

Tuesday Mar 25, 2025

"It's kind of like homeowners’ insurance," says Joshua Brown, Founder of Digital Defense Consulting & CISO at Spektrum Labs, about security programs — they’re helping to mitigate risks, not remove them entirely. “If you have homeowners insurance and your house never burns down, it doesn't mean you wasted money. You were there to mitigate the impact of that potentially catastrophic event.”
On this episode of Ahead of the Breach, Josh helps Casey dive deep into why security leaders must abandon technical jargon for financial impact metrics when speaking to executives. He also shares how his strategic approach to the FAIR risk model helps convert everything into business impact dollars. 
Josh tells Casey about his multi-source technique for identifying security gaps by correlating CMDB, cloud services, and EDR data, as well as his three-point leadership framework that emphasizes purpose, ownership, and mentorship to retain talent in an era where AI-powered attackers are developing exploits and sophisticated phishing campaigns faster than defenders can patch.
Topics discussed:
Translating risk using the FAIR model to convert complex security risks into financial terms, because boards care less about technical risk metrics and more about potential business impact in dollars.
How his team at H&R Block built an internal threat team that monitored dark web markets to provide contextualized, industry-specific intelligence.
Managing dynamic attack surfaces across hybrid environments with a multi-source approach to asset management, including correlated data from CMDB, cloud services, EDR solutions, and Active Directory to identify security gaps and configuration drift in highly dynamic environments.
How attackers are currently leveraging AI more effectively than defenders, and how this is dramatically reducing the timeline for exploiting vulnerabilities and making phishing campaigns more sophisticated and harder to detect.
Rather than fearing that investment in team growth will lead to turnover, Joshua advocates for three principles: connecting team members to their "why," instilling ownership through budget control and OKRs, and embracing a mentorship mindset even if it means team members eventually outgrow their positions.
The "Illusion of Control" fallacy in modern security, which argues that security teams should abandon the outdated notion that they can fully control their environments, especially with personal devices accessing corporate resources, and instead focus on building influence across the organization.

Tuesday Mar 11, 2025

In this episode of Ahead of the Breach, Donika Mirdita, Security Researcher at Fraunhofer Institute for Secure Information Technology, details the technical discovery and exploitation of RPKI manifest file vulnerabilities in BGP routing infrastructure. Through precise manipulation of relying party processing patterns and repository query timing, her "Stalloris downgrade attack" exploits manifest files with 2-48 hour lifecycles to achieve undetected RPKI security downgrades.
Using a sophisticated test environment with Krill publication points and FRR routing software, Donika validated that 47% of publication points are vulnerable to targeted rate limiting attacks that can stall processing for 6-8 hours, effectively enabling BGP prefix hijacking without triggering monitoring alerts.
Topics discussed:
Technical analysis of how predictable relying party query patterns (default 10-minute intervals) enable precisely timed attacks against RPKI infrastructure.
Methodology for constructing publication point subtrees with 50-100 nodes to achieve extended processing delays without triggering timeout mechanisms.
Implementation details of targeted rate limiting using spoofed packets to prevent repository updates during critical processing windows.
Development of isolated BGP/RPKI test environments using self-signed certificates and custom trust anchors to validate attacks without Internet connectivity.
Impact analysis across different relying party implementations and their varying susceptibility to processing stalls.
Architectural improvements for RPKI systems, including manifest lifecycle management and decoupled router data generation.
Analysis of why seemingly aggressive manifest expiration times (2-48 hours) create an exploitable security tradeoff between data freshness and processing resilience.
