Ahead of the Breach

From intercepting key fob signals with HackRF devices to setting up rogue cellular networks with USRP transceivers, Ayyappan Rajesh, Offensive Security Engineer at Block Harbor Cybersecurity, takes Casey deep into the technical underbelly of wireless security testing in this illuminating episode of Ahead of the Breach. 
As an offensive security engineer with Block Harbor's VCL team, Ayyappan specializes in testing "everything that has a radio on it" — from automotive systems operating at 315 MHz to Bluetooth-enabled tire pressure monitoring systems and cellular networks requiring sophisticated Faraday cage environments. He shares how teams can intercept SPI and I2C communications to extract firmware directly from chips, implement GPS spoofing using NASA satellite constellation data, and why many vulnerabilities now require physical access rather than just wireless interception.
Topics discussed:
The evolution of RF exploitation from replay to rollback methodologies that deliberately desynchronize key fob counter synchronization, allowing security testers to exploit implementation weaknesses rather than breaking encryption algorithms directly.
Hardware-based firmware extraction techniques using direct chip interfaces that bypass wireless protections entirely, revealing how security researchers connect via SPI and I2C protocols to obtain proprietary algorithms from automotive security chips.
Lateral movement strategies from infotainment systems to critical vehicle controls through careful analysis of gateway implementations that act as rudimentary firewalls between entertainment and control networks.
Creating isolated cellular test environments using programmable SIM infrastructure and open-source base stations that enable comprehensive security testing without FCC violations through controlled Faraday environments.
Manipulating GPS-dependent systems through satellite constellation spoofing that leverages NASA ephemeris data processed through GPS-SDR-SIM to generate deceptive signals targeting both location and time-dependent security controls.
Building cost-effective wireless security testing labs that leverage increasingly affordable software-defined radio platforms like HackRF and USRPs, enabling more researchers to conduct sophisticated wireless security assessments.
Leveraging automotive security education resources like the Cyber Auto Challenge that provide aspiring security researchers with manufacturer-supported environments for learning without the significant financial barriers traditionally associated with automotive security testing.

Implementing effective DevSecOps requires balancing security controls with developer experience — a challenge Eyal Paz, VP of Research at OX Security, tackles with practical strategies drawn from his network security background. In this episode of Ahead of the Breach, Eyal explains to Casey how organizations can gradually build shift-left security programs without disrupting development workflows, using a strategic phased approach similar to transitioning from IDS to IPS systems. 
Eyal explores multiple implementation methods from pipeline scans to pre-commit hooks, explains why "making developers angry" is the greatest security risk to shift-left adoption, and shares research from his Black Hat presentation on the exploitation likelihood of transitive dependencies. Drawing from the Log4j crisis, Eyal also emphasizes the critical importance of maintaining a comprehensive software bill of materials (SBOM) and strategically prioritizing vulnerabilities based on actual exploitation risk rather than raw CVE counts.  
Topics discussed:
Gradual shift-left security implementation that mirrors IDS-to-IPS transition, starting with detection mode for 1-2 weeks, collecting pipeline data on hundreds of scans, then engaging development managers with concrete findings before enabling blocking mode.
Leveraging recent security incidents as strategic entry points for DevSecOps adoption, targeting tools that address specific vulnerabilities developers recognize as harmful like XSS or exposed S3 buckets to maximize buy-in and patience with implementation challenges.
Optimizing developer experience as a critical success factor in security programs by choosing implementation points with minimal workflow disruption, focusing on pipeline scans over pre-commit hooks and cautioning against IDE-level scanning that creates excessive friction.
Multi-layered scanning strategy framework addressing static analysis (SAS), software composition (SCA), infrastructure-as-code, and container scanning, with guidance on prioritizing integration based on organizational maturity and security history.
Strategic vulnerability triage approach based on Black Hat research showing that while 70% of vulnerabilities come from transitive dependencies, the likelihood of exploitation decreases dramatically deeper in the dependency tree.
Software bill of materials (SBOM) as critical infrastructure for rapid vulnerability response, drawing lessons from Log4j when organizations without dependency visibility wasted remediation time locating affected systems during active exploitation.
Build vs. buy considerations for security tooling that balances the simplicity of open-source implementation against the hidden costs of building comprehensive workflows and integrations at enterprise scale.

"It's kind of like homeowners’ insurance," says Joshua Brown, Founder of Digital Defense Consulting & CISO at Spektrum Labs, about security programs — they’re helping to mitigate risks, not remove them entirely. “If you have homeowners insurance and your house never burns down, it doesn't mean you wasted money. You were there to mitigate the impact of that potentially catastrophic event.”
On this episode of Ahead of the Breach, Josh helps Casey dive deep into why security leaders must abandon technical jargon for financial impact metrics when speaking to executives. He also shares how his strategic approach to the FAIR risk model helps convert everything into business impact dollars. 
Josh tells Casey his multi-source technique for identifying security gaps by correlating CMDB, cloud services, and EDR data, as well as his three-point leadership framework that emphasizes purpose, ownership, and mentorship to retain talent in an era where AI-powered attackers are developing exploits and sophisticated phishing campaigns faster than defenders can patch.
Topics discussed:
Translating risk using the FAIR model to convert complex security risks into financial terms, because boards care less about technical risk metrics and more about potential business impact in dollars.
How his team at H&R Block built an internal threat team that monitored dark web markets to provide contextualized, industry-specific intelligence.
Managing dynamic attack surfaces across hybrid environments with a multi-source approach to asset management, including correlated data from CMDB, cloud services, EDR solutions, and Active Directory to identify security gaps and configuration drift in highly dynamic environments.
How attackers are currently leveraging AI more effectively than defenders, and how this is dramatically reducing the timeline for exploiting vulnerabilities and making phishing campaigns more sophisticated and harder to detect.
Rather than fearing investment in team growth will lead to turnover, Joshua advocates for three principles: connecting team members to their "why," instilling ownership through budget control and OKRs, and embracing a mentorship mindset even if it means team members eventually outgrow their positions.
The "Illusion of Control" fallacy in modern security, which argues that security teams should abandon the outdated notion that they can fully control their environments, especially with personal devices accessing corporate resources, and instead focus on building influence across the organization.

In this episode of Ahead of the Breach, Donika Mirdita, Security Researcher at Fraunhofer Institute for Secure Information Technology, details the technical discovery and exploitation of RPKI manifest file vulnerabilities in BGP routing infrastructure. Through precise manipulation of relay party processing patterns and repository query timing, her "Stellaris downgrade attack" exploits manifest files with 2-48 hour lifecycles to achieve undetected RPKI security downgrades. 
Using a sophisticated test environment with Krill publication points and FRR routing software, Donika validated that 47% of publication points are vulnerable to targeted rate limiting attacks that can stall processing for 6-8 hours, effectively enabling BGP prefix hijacking without triggering monitoring alerts.
Topics discussed:
Technical analysis of how predictable relay party query patterns (default 10-minute intervals) enable precisely timed attacks against RPKI infrastructure.
Methodology for constructing publication point subtrees with 50-100 nodes to achieve extended processing delays without triggering timeout mechanisms.
Implementation details of targeted rate limiting using spoofed packets to prevent repository updates during critical processing windows.
Development of isolated BGP/RPKI test environments using self-signed certificates and custom trust anchors to validate attacks without Internet connectivity.
Impact analysis across different relay party implementations and their varying susceptibility to processing stalls.
Architectural improvements for RPKI systems, including manifest lifecycle management and decoupled router data generation.
Analysis of why seemingly aggressive manifest expiration times (2-48 hours) create an exploitable security tradeoff between data freshness and processing resilience.
Listen to more episodes: 
Apple 
Spotify 
YouTube
Website

From testing critical infrastructure and IoT devices to leading application security at NerdWallet, DK Koran, BISO, draws from his experience finding vulnerabilities in police cruisers and SCADA systems to discuss his transition to building and managing proactive security teams. On this episode of Ahead of the Breach, he and Casey explore the challenges of implementing security guardrails, running an internal red team, and testing AI systems for prompt injection vulnerabilities. 
Through candid insights about his evolution from individual contributor to security leader, DK emphasizes the importance of understanding the 'why' behind security requirements and building strong relationships with development teams.
Topics discussed:
Exploring vulnerabilities in automotive systems and IOT devices, including experiences testing police cruisers and critical infrastructure for security weaknesses.
Transitioning from offensive security testing to application security leadership, focusing on preventing recurring vulnerabilities through proactive measures.
Implementing automated security guardrails and requirements across infrastructure and applications to prevent security issues before production deployment.
Managing the evolution from individual contributor to security leader while maintaining technical relevance and fostering team growth.
Building and scaling an internal red team program, including strategies for target selection and maintaining continuous value delivery.
Testing AI systems and chatbots for prompt injection vulnerabilities, highlighting the resurgence of classic security issues in new technologies.
Developing effective relationships with development teams by focusing on the “why” behind security requirements and showing empathy for business needs.
Creating automated enforcement mechanisms through pre-commit hooks and pipeline controls to ensure security requirement compliance.
Balancing team autonomy with security controls in a single-threaded team model while managing infrastructure security at scale.
Supporting professional growth and certification pursuits while transitioning from technical roles to security leadership positions.

What can a controversial cyber weapon teach us about everyday security? From chemistry labs to cyber weapons development, Rapyd’s CISO/CIO, Nir Rothenberg’s, journey is anything but conventional. In his conversation with Casey on Ahead of the Breach, he cuts through the headlines about Pegasus to get down to the complex realities of intelligence operations and why most companies are focusing on the wrong security threats. 
Drawing from his vast experience, Nir challenges common security assumptions while offering practical wisdom about continuous testing, modern security architecture, and why worrying about nation-state actors might be distracting you from real risks.
Topics discussed:
Understanding the development, deployment, and oversight of sophisticated cyber capabilities in intelligence operations.
Examining the importance of context and complete information when evaluating security tools and their real-world applications.
Exploring the evolution of cybersecurity from IT assurance to a crucial component of modern business operations.
Building effective security programs that focus on probable threats rather than theoretical risks and nation-state actors.
Managing security in high-stakes environments while maintaining proper context and perspective about threats.
Implementing continuous security testing through bug bounties and regular assessments to validate security controls.
Transitioning from technical roles to security leadership while maintaining practical understanding of threats.
Balancing security requirements with business objectives in rapidly growing organizations.
Creating security programs that provide consistent friction and validation rather than annual compliance exercises.
Understanding the role of offensive security testing in building effective defense capabilities.

What if vulnerability management was less about filling backlogs with findings and more about strategic risk reduction? Sean Finley, Director of Application & Product Security at Eptura, brings a refreshing perspective to application security to his conversation with Casey on this episode of Ahead of the Breach. 
Shaped by years of experience as both a software analyst and security leader, his approach challenges the traditional "dump truck of data" mentality, instead advocating for thoughtful prioritization and strong stakeholder partnerships. From building bridges with development teams to making the case for security investments to business leaders, Sean shares practical wisdom for creating AppSec programs that truly serve organizational goals while keeping risks in check.
Topics discussed:
Understanding the limitations of traditional vulnerability management and why flooding backlogs with findings doesn't equate to effective security.
Building strategic partnerships with business stakeholders to ensure security efforts align with organizational priorities and risk tolerance.
Integrating security tools seamlessly into developer workflows to reduce friction and increase adoption across engineering teams.
Advocating for security considerations during the design phase to prevent costly fixes and potential data breaches later.
Managing the delicate balance between development speed and security requirements in modern Agile environments.
Creating effective risk-based approaches to vulnerability prioritization based on business context and threat intelligence.
Developing strategies for earning developer trust and respect while educating teams about security concepts and threats.
Implementing repeatable security processes that work across different release cadences, from quarterly to daily deployments.
Building quality assurance into the software development lifecycle through consistent security testing and validation.
Fostering a collaborative security culture that emphasizes enablement rather than obstruction or purely compliance-driven approaches.

From a friendly gaming challenge to uncovering critical vulnerabilities, Vladimir Tokarev's journey showcases the power of curiosity in cybersecurity. As a Senior Security Researcher at Microsoft, Tokarev recently unveiled four significant vulnerabilities in OpenVPN's Windows implementation at Black Hat 2024, which he tells Casey all about in this episode of Ahead of the Breach. 
Vladimir’s discovery process, beginning with ExpressVPN and leading to wider implications across multiple VPN providers, demonstrates how deep technical expertise combined with creative thinking can uncover security flaws in even the most widely reviewed open source projects.
Topics discussed:
How a friendly gaming challenge to find ExpressVPN vulnerabilities led to discovering critical flaws in OpenVPN's core implementation
The technical details of four chained vulnerabilities, including integer overflow issues and privilege escalation in OpenVPN's Windows service
Exploring how vulnerable code propagated across VPN providers through shared components, affecting ExpressVPN, Proton VPN, and multiple other services
Walking through the vulnerability research process using IDA Pro for reverse engineering and WinDbg for kernel debugging in Windows environments
Understanding how natural curiosity and creative thinking drive successful vulnerability research, from initial discovery through full exploitation
Strategies for maintaining research momentum during long periods without findings, including the importance of switching tasks and maintaining work-life balance
Essential advice for newcomers to vulnerability research, focusing on building strong technical foundations and developing systematic approaches to discovery
How studying newly released CVEs without proof-of-concepts helps develop intuition and provides immediate feedback for improving research skills
Insights into balancing security research across different domains, from Microsoft's internal products to IoT devices and popular open source projects

From executing his first SQL injection at age 14 to contributing to the Linux kernel, Keiran Smith’s path to becoming Lead Pentest Engineer at N-able is anything but conventional, as he tells Casey in this episode of Ahead of the Breach. His journey weaves through roles as a senior developer, architect, and DevOps engineer — experiences that transformed him into a security leader who speaks both attacker and defender languages fluently. 
Drawing from his extensive software development background, Keiran explains how understanding code makes him a more effective penetration tester and enables him to build stronger relationships with development teams. Armed with Rust-based custom tools and a developer's mindset, he shows how technical expertise paired with engineering empathy creates a more effective approach to security testing.
Topics discussed:
Bug bounty programs have transformed security testing, creating legitimate paths for aspiring ethical hackers.
Understanding code architecture and development processes makes for more effective and impactful security testing results.
Creating productive partnerships with development teams by offering solutions rather than just pointing out problems.
Essential penetration testing tools, including Burp Suite extensions like Stepper and Hackvertor.
Streamlining security documentation with Obsidian, markdown-based notes, and automated report generation through custom CI/CD pipelines.
Strategies for tracking and testing constantly evolving attack surfaces in modern development environments.
Real-world guidance for newcomers about embracing failure and building strong technical foundations in security.
Lessons learned from multiple OSCP certification attempts and why persistence matters more than initial success.
How contributing to open source projects like Swagger Jacker and developing custom tools enhances the security community.

In this episode of Ahead of the Breach, Casey speaks with Lorenzo Pedroncelli, Senior Manager at RSA, who shares his insights on the evolving landscape of cybersecurity, emphasizing the critical role of identity security. He discusses the importance of fostering a security culture within organizations, where employees feel empowered to report suspicious activities. 
Lorenzo also highlights the challenges of combating identity fraud and the necessity of implementing effective identity proofing measures. Additionally, he explores how organizations can leverage advanced identity management solutions to strengthen their security posture. 
Topics discussed:
Identity security as a foundational element of modern cybersecurity strategies in protecting organizational assets and sensitive information.  
Fostering a security culture where employees feel comfortable verifying identities and reporting suspicious activities to enhance overall organizational security.  
The rise of identity fraud and phishing attacks, highlighting the need for robust identity verification processes.  
Implementing effective identity proofing measures during employee onboarding to ensure that the right individuals are granted access to sensitive systems.  
The importance of continuous risk assessment strategies to adapt to evolving threats and maintain a strong security posture.  
Leveraging advanced identity management solutions to streamline authentication processes and improve user experience while maintaining security.  
The role of open communication and regular training in empowering employees to recognize and respond to potential security threats.  
Strategies for separating machine identity from user identity to enhance security and reduce the risk of unauthorized access.  
The impact of regulatory compliance on identity security practices and the necessity for organizations to stay updated on best practices.  
Building collaborative relationships with other cybersecurity vendors to share intelligence and improve overall security measures across the industry.