Back to Blog

Life Finds a Way: Securing the Enterprise When Everyone Is a Developer

Every few weeks the ground under security shifts again. A new agent, a new capability, a new class of exposure that didn’t exist the last time you looked. Keeping up is no longer about reading the news. It’s about living at the edge.

I sat down with Gadi Evron, founder and CEO of Knostic and CISO-in-Residence for AI at the Cloud Security Alliance, to talk about what that actually means for defenders right now. Gadi has spent the last couple of years thinking about how AI changes both attack and defense, and he doesn’t hedge.

We covered a lot. Why the assumptions behind most security programs are quietly breaking. Why “do the basics” stopped being a strategy the moment agents arrived. Why staying relevant now means throwing away the work you did last month. I hope you find it as useful as I did. Watch it in the video below.


Takeaways:

  • Why the security assumptions we built our programs on are quietly breaking
  • How AI collapsed time to exploitation from weeks to hours, and what that changes
  • Why “do the basics” stopped being enough the moment agents arrived
  • The shift from depth to coverage, and why scale is now the real problem
  • What it takes to stay a power user when the tools reset every few weeks

Transcript

This conversation has been lightly edited for length and clarity.

Rob Gurzeev: Hello, everyone. I’m Rob Gurzeev, CEO and co-founder of CyCognito. For those who don’t know us, we’re one of the leaders in attack surface management, focused on helping Global 2000 enterprises understand where their assets are and what’s exploitable to attackers. With me today is Gadi Evron, founder and CEO of Knostic and CISO-in-Residence for AI at the Cloud Security Alliance. Gadi, great to have you. Where are you today?

Gadi Evron: Thank you, Rob, appreciate it. I’m in Tel Aviv. I travel so much that I’m genuinely excited to be home for this.

Rob Gurzeev: The last time you and I met in person was about a year ago, here in Tel Aviv. So much has happened since. One of the things we talked about back then was the state of AI, and where things really are, which is never straightforward. So let’s start there. On the AI side, what are the big things you’ve been watching over the last twelve months?

Gadi Evron: Can we do the last two weeks instead?

The Big Shifts

Gadi Evron: Look back to 2023. We all thought this was going to be about prompts, defending us or attacking us. A little later, we thought the DLP firewall gateway was going to save us. I never believed that, but plenty of people did, for good reason. Now one of the latest buzzwords is identity and authorization. We all care about identity and authorization. But we haven’t even managed to do it for people, so trying to do it for agents is almost absurd.

The biggest thing, just in the last two weeks, has been crazy. Let me throw the biggest buzzword out there and then move past it: Mythos. The thing about Mythos is that it’s just a name for two or three years of research into finding vulnerabilities with AI. Then Mythos comes along and breaks through the New York Times and CNN barrier. From that point on, every congressperson, board member, parent, and child knows about it. Yes, a lot of it was marketing and hype. But there’s a lot of truth behind it. Honestly, the truth is bigger than the hype. The hard part is separating the two.

Let me give you four things, at different altitudes.

Number one, the hundred-thousand-foot view. It’s becoming clear we’re moving from a world of deterministic configuration to non-deterministic configuration. People talk about non-deterministic code, about English as code. How do you do access control for the English language? When your configuration is monitored, controlled, and enforced by agents, you can’t fully trust what you’re seeing or what’s happening. So how do we operate in that world?

The second thing, down at five thousand feet, more tactical. Attackers had their singularity moment. They now know what it means for LLMs to be part of an attack. On defense, we use AI, but we haven’t had that moment yet. We’re still trying to automate what we already did, to build a few workflows. We’re making progress, but we haven’t had the aha moment where AI genuinely saves us and pushes us forward in a consistent, mature way. I can’t wait for it. I think it will be wonderful.

Third, at thirty thousand feet. The one real power we have right now is agents. Coding agents specifically, and not just for coding. Salesforce just made the shift across the whole organization. Everyone there is now measured on it, and keeps their job, based on whether they use Claude Code. Everyone. So it’s not just developers anymore. The citizen coder is everyone. We have to do this, because we don’t yet have autonomous capabilities the way attackers do. But we can at least empower our people to move at machine speed.

Fourth, and I’m biased here. The moment everyone builds their own infrastructure, the moment everyone is their own developer, it’s not about shadow AI or shadow IT anymore. It’s AI everywhere. And when everyone builds their own IT and workflows, IT itself fragments. It’s no longer centrally managed. That shifts a lot of the assumptions behind how we build a security program, even beyond time to exploitation or the zero-day clock.

My own number five. We have to defend these agents, and we have to do it now. How is a whole other question. I’m CEO of Knostic, where we defend agents, so I’m biased. But I also believe it’s the genuinely important thing to do right now. Deploy agents. Don’t stand in the way, because people will bypass you and won’t care. Security used to slow the business down. That doesn’t fly anymore. I want people to feel safe doing it. Those are my big five, though I could add fifty more.

Rob Gurzeev: I completely agree, and there’s so much to choose from. The biggest thing I’m seeing is exactly your Salesforce example: citizen developers, everyone can now build. I like to say that now even the HR and finance people, the last people you’d expect to, are shipping software.

Citizen Developers, and “Life Finds a Way”

Gadi Evron: A friend of mine called me two weeks ago and said, “Gadi, I’m so scared.” He’s a CTO. I said, what’s going on? He said, “One of my salespeople just called me and said Claude is telling him to use GitHub. What’s GitHub?”

Rob Gurzeev: Right. A salesperson asking you to help debug something. Two years ago I couldn’t have imagined everyone starting to build, and actually making an impact. And I agree the risk landscape and attack surface change completely. Shadow AI or shadow assets may not even be useful terms anymore when anyone can create anything. You can put a Claude markdown file in front of the whole team and tell it “don’t do X, Y, and Z.” And in plenty of situations Claude Code will do it anyway.

Gadi Evron: You’re old enough to remember Jurassic Park, right? You remember the line, which is a meme now, not just the movie: life finds a way. My version is: agents find a way. You can work on your basics. They find a way. And you might not even know what the agent did.

Whenever one of these agent incidents happens, I see most of my friends go work on their basics, or harden GitHub, or whatever it is. It makes sense. We always want to work on the basics. But I have a beef with that, and let me go on a side quest for a second. The basics are not just about hygiene, best practices, or tech debt. They’re about our appetite for the silver bullet. There are economic papers about how much we love to buy the latest, coolest, most innovative technology, whether it helps us or not. The way we treat “do the basics” is the counterweight to that. And it annoys me, because we’ve turned the basics into their own silver bullet.

If you look at nearly every single data breach report out there, there’s always an admin-admin, or an unpatched machine, or something uncovered. And we point left and say, they should have done their basics. They tried. Maybe not everyone, maybe not the same way. But they tried. And now, with agents, twenty, thirty, forty years of debt is coming due. Even if it weren’t, agents find a way. So secure your agents. You might say, I won’t deploy agents until I can secure them. Well, who’s asking you? You’re just security.

Rob Gurzeev: Good point, and I’m glad you brought it up. We’re seeing a lot of MCPs and AI applications with minimal, if any, security, and they often have access to the most sensitive and interesting data a company has, its intellectual property. And with the AI pentesting capability we’re releasing, which takes exposure signals and actually tries to exploit them, we’re seeing even more default credentials, missing authentication, and careless misconfigurations.

Gadi Evron: And that’s critical, because the only thing that will let us stay on top of the basics is the agents we’re afraid of. You can’t move at human speed. So the thing that scares us is exactly what finally lets organizations catch up. That’s where my company comes in and secures them, so I’m happy.

The Assumptions That No Longer Hold

Gadi Evron: Here’s what people can’t quite accept yet. The industry keeps shifting under us. This year, if you read the Verizon DBIR, is the first year the top pattern wasn’t two-factor issues or phishing. It’s vulnerabilities that let people get in. But being the industry we are, it takes us about ten years to change our narrative. Back in 2004, I was at a CISO conference where every CISO on stage said, “We all know most attacks come from the inside.” That hadn’t been true since the internet became widely used. But it stayed an industry truth for years.

So we have to treat vulnerabilities as a top priority again, because the ground shifted. And it’s not just about time to exploitation. Our very assumptions about how we build security programs are shifting. Take the classic one: vulnerabilities are hard to find. Not anymore. Not all of them, and I’m hedging, but point Claude Code at code and see what you find. Verifying them is a different issue, exploitability is a different issue, but finding them is close to trivial now.

Then there’s time to exploitation. The zero-day clock was shown at the [un]prompted conference in March. It used to be years. Now it’s hours. And other assumptions are breaking too. We can no longer rely on CVEs. We can’t rely on threat intelligence like KEV being timely. For a while now we haven’t been able to rely on phishing being written in bad English. Can we even rely on the person we’re talking to being a real person? Bring it back to AppSec and we’re relying on patches even existing, let alone being deployed on time. On one hand we tell people to wait ninety days before patching because of supply chain risk. On the other hand we tell them to patch immediately. And underneath both is an assumption: will the vendor even have a patch ready in time, and can we deploy it if they do?

Rob Gurzeev: What would you say are the core assumptions many risk leaders still make that are simply wrong?

Gadi Evron: I just went through several. Let me give you two more people can’t accept yet. Go back to March and people did not accept that time to exploitation had collapsed. A few years ago a new zero-day would come out and you’d ask, is there a proof of concept on the dark web? No? Then you probably had three to six weeks before anything happened. You could choose not to keep your people in over the weekend. You could assume one to four huge zero-day incidents a year. Now you should expect them every day. Three or four months ago that would not have been acceptable. People’s narratives aren’t ready for it.

Here’s where it really bites. Can you build, with today’s technology and an endless budget, a security program for a medium-sized organization that could handle five continuous live breaches every day and keep operating safely? We’re not in a place where we can accept that assumption yet. So the most important thing for us isn’t even technological. It’s this: how do I adopt a new technology in less than three months, six months, a year? Everything has to compress, because the timeline isn’t waiting for us.

Why Scale and Coverage Beat Depth

Rob Gurzeev: That’s true, and the scary part with AI is that everyone is pushing everyone to adopt it. Inside companies, between companies, Wall Street, all of it. So maybe it’s not a hundred more vendors, it’s a thousand more applications, ten thousand more agents doing things and changing things for you. Most people would agree with the compressed timeline intellectually. Operationally, almost no one is there yet, regardless of budget.

The other shift that people agree with intellectually but haven’t operationalized is scale and coverage. When we talk about capabilities, we tend to think about depth. Can this thing do X, Y, and Z? Not enough about, can it cover all of my stuff, or all the meaningful use cases? That’s one of the biggest problems, especially if you assume attackers are mostly external and will take the path of least resistance. It’s now easy, with Claude Code or whatever you like, not just to find vulnerabilities but to exploit them. Domain takeover takes two minutes. Building a whole campaign around a cross-site scripting vulnerability takes fifteen or twenty. The infrastructure that used to take weeks now takes minutes, even for a non-technical person.

As risk leaders see more incidents tied to low-priority assets, like an MCP you never knew existed that accidentally exposes your Salesforce or SAP data in an unauthenticated way, they start telling themselves: the AI work is great, the board loves it, but I also need something for the scale problem. What are you seeing there?

Gadi Evron: I love hearing my own voice, but I just agree with you. Everything now has to be considered under the assumption of scale.

Rob Gurzeev: So you agree. But do you think risk leaders are actually prioritizing it?

Gadi Evron: I talk to hundreds of CISOs, and it’s not that they disagree. There’s a lot of confusion, even among the experts, and there are many experts. What am I supposed to invest in now? What matters now? Is it what my board is asking about, or what I believe technologically is important? I might decide to smartly prioritize defending agents and not touch my supply chain, and then a GitHub-style breach happens and that’s what I discover I didn’t prioritize. Now I need to deal with MCP servers, skills, hooks, VS Code extensions, this entire agentic supply chain. So the biggest challenge is: where do I start, where do I see volume, and where do I make progress.

If scale matters, and it does, the only way to get there is to work with your vendors and your people. Demand that your vendors give you what you need. It’s quite possible they won’t be able to. But demand more than support. Demand that they tell you how they keep up. Ask to be embedded in their roadmap. Ask them to inform you when things happen that you don’t know about yet. And on the other end, change the way you work so you can work with more startups. Maybe this startup dies in a quarter, but right now I’ll learn from it, and I’ll find more, and I’ll stay relevant, because things keep changing.

The whole business model is changing. There is no moat. Anyone can open Claude Code and build. It’s not quite that simple, and bringing things to production is harder, but I don’t buy software the way I used to. For something that would take me weeks or months to stabilize, I don’t build, I buy. But it changes all the time. So I frame it around ninety days to product-market fit. I want to be ready to pivot every month, whether or not I actually do.

A couple of examples. My research team is no longer under engineering, no longer R&D, no longer serving marketing. It’s its own unit, and its literal job is to find the next pivot every month. It’s painful to pull great engineers and researchers out of engineering when you need them most. But how else do I stay on top of shifting markets and build things outside the normal product-to-engineering pipeline? Worst case, I learned a lot. Good case, I open-source it. Very good case, it becomes a feature engineering maintains. Best case, it becomes the whole company.

The other example is the engagement model. We sell products, but we have to think of engagement as a services or consultancy model. Why would a customer need me in six months or a year? When everything is on fire on a Friday night, I want them to know I’ll be there. When the market shifts, I want them to know I’ll be on top of it. They want to know I’m part of their roadmap. And what genuinely gives me pause is that the way people engage with software is changing. Not just running things inside Claude Code instead of buying outside software. I mean no more UI. You just talk to the agent. That’s your customer now, which is mind-blowing. If I want to use something today, I tell Claude Code to go to that URL or that repo. I want people to use my software the same way, and it isn’t built for that. How do I even license around it? So all I can do is put research first and constantly think about what’s next, because there’s nothing else I can do.

Staying a Power User

Rob Gurzeev: It’s so hard, especially around AI, where the concerns move every couple of weeks. The best way to deal with it, like you said, is to spend as much time as possible with risk leaders and with the people on the ground doing the work, to understand the real daily challenges. In some areas people know exactly what they’re looking for. In others they can’t even tell where the pain is coming from, and you have to dig, both with technical research and with customers, to figure it out. Do you have favorite questions you like to ask when you’re investigating?

Gadi Evron: I have to be careful. My fiancée has banned me from talking about AI usage and coolness, because I go into techbro mode and start delivering manifestos. All SaaS is dead, and so on. So before I wax philosophical, let me just say: I spend every free minute inside agents like Claude Code. My purpose is to understand what’s possible, and especially what’s not possible yet. Where are the jagged edges, where the agent can play chess but can’t do one plus one? It can do that now, but a month ago it couldn’t.

By constantly failing forward at what I’m trying to build, I discover those edges, and I keep myself a power user. A month from now everything changes and I have to throw things away, which is the hardest part. You worked so hard on your harnesses, your scaffolding, your slash commands, your rules, and now they hold you back because the model improved. That mindset forces you to be a researcher, not an engineer or an analyst or an end user. It’s uncomfortable to live in that constant uncertainty, but you have to, to stay relevant. I’m a product person. I don’t code. I call it vibing into the abyss, because I refuse to look at the code, just to get to the edges.

My fiancée is a vulnerability researcher, at the very top of the field. We joke: should we both just pivot and become washing machine repair people? Will we still have jobs in two years? I don’t know. But I do know that if eighty percent of my job a year from now is the same as it is today, I should be fired.

Remember the nineties, when search engines came out? WebCrawler, AltaVista, Yahoo. Search really sucked, but you kept finding the edges. Maybe I search this way, maybe I ask on a forum, maybe I learn Google Hacking with AND and quotes. You learned how to do it. Now look at people who grew up with these tools rather than being trained on the old ones. It wires your brain differently. Most people barely talk to ChatGPT or Claude. Some use agents. Fewer know how. Fewer still build the whole scaffolding. And there’s no secret to it. Just download the agent and start using it, in plain English. The barrier is psychological. Once you do it, you don’t need to be a PhD, you don’t need to be in a big lab. You just have to stay a power user and look for where it fails.

Rob Gurzeev: I completely agree, and I’m doing the same. I got back to coding and I spend a lot of time building and researching. It’s fun, it takes a lot of your time, but you learn so much, and when you talk to customers about their biggest challenges you understand their world far better. People also take what you say differently when you’ve actually been at the edge. I met a public company CEO, a very smart, technical guy, on a Saturday night. He had a rack of Blackwell GPUs set up in one room and showed me how he was working on optimizations for some open-weight LLMs. I didn’t expect that from someone with thousands of employees. But maybe today it makes sense. Two years ago it would have sounded crazy.

Gadi Evron: I don’t know what it will look like in two months. So tell me, what do you vibe code? What are you working on?

Rob Gurzeev: For the last six months we’ve been building a new AI pentesting product. It started with a question: how do you leverage the deep context in attack surface management? Where are the APIs, where is the PII, how do you discover and classify AI assets, which tend to be more interesting and more vulnerable than other things? That’s plenty of context to make autonomous decisions about what should happen next. Then, how do you make AI pentesting far more effective and efficient by feeding the model all that context, to the point where you can exploit production systems for ten dollars, fully autonomously, which is honestly pretty scary.

Which raises a point. We mentioned attackers earlier. It’s wild to me that we aren’t seeing a thousand times more breaches, when you can compromise many production systems for ten dollars. I said the same thing five and ten years ago. How come attackers aren’t doing more? Maybe that’s a whole other conversation. Then the last piece is economics. I have a million assets. What needs to be tested, and when? An AI pentest can cost ten dollars, a thousand, sometimes tens of thousands. So how do I manage all of that within a budget? No customer I’ve met has said, here’s my formula, I’ve figured it out, someone just needs to build it. And no vendor does what I just described, so there’s nothing to copy and improve. Leading from the front there is fun, and tiring, because it means working until two in the morning or over the weekend on something you might throw away a few weeks later. Your spouse isn’t thrilled. But that’s the world we live in if you want to be at the edge and be useful to security teams.

Just Start

Gadi Evron: I see a lot of leaders doing the same. If I go to San Francisco, ninety-seven out of a hundred. New York, fifty. DC, four. But everybody is vibe coding. And I’m really positive about this, because it’s so empowering. My bottom line is about us as people. We have to be on top of this, and it isn’t hard. Get an agent. Download Claude Code, Cursor, Copilot, Kiro, Antigravity, it doesn’t matter. And start talking to it. If you don’t know how to download it, that’s okay. Go to YouTube, go to Google. Just talk to the agent.

There are a couple of failure patterns. If you think you need to learn how first, you already failed. You don’t. Work with the agent. If you think the problem is too big for the agent, you already failed. Talk to the agent and figure it out. And one more thing: take somebody with you for the journey. Once you’ve done it, find someone who hasn’t and show them how easy it is. Let’s not leave people behind, because it’s going to be hard enough on all of us.

Rob Gurzeev: Completely agree. It’s beautiful to see people who’ve been in sales for thirty-plus years building applications and creating real value.

Gadi Evron: And creating job security for us, because none of those applications are secure. They’re not updated when new vulnerabilities hit their dependencies. They do weird things, like open up a tailnet, connect to the world, or send your secrets out. So there’s plenty for security to do. There will always be security needs and always be an adversary. But I don’t think most of what we do today will still be what we do.

Is Software Actually Getting More Secure?

Gadi Evron: Take the whole hump of vulnerabilities we need to find for ourselves. That’s entirely possible now. We’ll never get to zero, but at [un]prompted, Google came on stage and said they want zero vulnerabilities at Google within two years, and asked how we get there. I’d go even further, to something people can’t accept yet. Zero vulnerabilities is really about code generation. Applications are being built more securely now. A friend put it better than I could: if all AI does is bring most of the world up to what we consider average security today, that’s enormous, because the vast majority of the world is nowhere near it. So bring the attacker’s technology and agents to defense. Those are the two things we can do right this second, because both already exist.

Rob Gurzeev: But do you really believe that on average software is becoming more secure? Here’s why I’m not sure. Maybe your top twenty applications are more secure. But I’m seeing crazy software sprawl. There are now a hundred or a thousand times more projects being created and changed, and the average understanding of the people touching them may have dropped seventy or eighty percent, because there are a hundred times more of them. So is the average piece of software really getting more secure?

Gadi Evron: Right now everything’s a mess. But I look at trends. Look at architecture, not just code. Training data is full of junk, but post-training keeps improving. Code architecture is better when you generate code now: fewer bugs, fewer serious ones. The same will happen with security. Even if all we do is discover vulnerabilities after the fact, we’ll get past the hump of finding more and more of them, and I think code generation itself will get more secure. So yes, there will be more issues, and yes, there’s endless dangerous code out there right now. But I believe we’ll get over the hump and things will get better. I absolutely believe that.

Rob Gurzeev: Over time, no question in my mind either. I just have no idea about the timeline. It’s not five or ten years. Maybe six, twelve, eighteen months. Hard to tell these days.

Gadi Evron: Everything I used to say ten years, I now say two. Everything I used to say two years, I now say six months. Everything I used to say six months, I now say a week. You just can’t tell. I thought I knew this industry well, and I’ve made critical mistakes. In 2014 a friend wanted to start an endpoint security company, an EDR, and I said nobody wants another endpoint agent. Someone bought his company for a hundred million. So I’ve misread the industry before. I’m good at predicting the next six months. But I did not see OpenClaw coming, and I should have. Low-probability, high-impact events are happening far more often now. Any prediction I make could be irrelevant within a month. The world a year from now will not look the same. It’s uncomfortable to constantly deal with change, so I have to make the change fun.

Here’s one example. I have undiagnosed ADHD, which I’m sure surprises you given this conversation.

Rob Gurzeev: You couldn’t tell at all.

Gadi Evron: Right? But Claude Code and other agents made a few of my gaps disappear. I no longer have an initiation problem. I used to stare at the wall for months before starting something. Now I just start. My hyperfocus is fully there, because the dopamine hits, it’s built a bit like social media, except you actually did something. And I used to have imposter syndrome. Now I’m just an imposter. If I spend enough tokens, I can be an expert, to a good degree, in nearly anything.

Rob Gurzeev: On a human level that’s a very strange feeling. You can start on some random chemistry topic because you saw something in a movie and, thirty minutes later, reach a genuinely interesting insight.

Bringing Your People With You

Gadi Evron: Beyond the philosophical questions of what happens to humanity, and how we make sure that when jobs become redundant people don’t, there’s the organization itself. How do you take people with you? Someone told me about research, though I didn’t see it myself, where they ran training courses with small, fixed cohorts and a fixed duration. Any bigger or longer and people couldn’t complete them or didn’t convert as well. So you need infrastructure, and you need it to be reliable and repeatable. And yet you can’t use a new tool every day, even though a startup born today would leapfrog everything I’ve built in the last year.

I sat down with my VP of engineering and asked, are we an AI company? What does that even mean? We build with AI, we sell AI technology. Two analogies came to mind. One is the 2016 Bezos letter to shareholders, where he talks about staying a company that keeps searching for what it does rather than just scaling what it already does, and he uses machine learning as the example: don’t just build AI, make sure every team uses it everywhere. The other was an old co-founder of mine who said we should be a fully digitized technology company: replace even the paper stuck to the refrigerator with an online form. Overkill, maybe, but I got the point.

So we started, gently at first and then less gently, pushing people. You have to use Cursor. I’ll sit with you and watch how you do it. Every Thursday the whole company gets on a call, optional, and shares something they built or failed at, whether it’s a dumb prompt or a whole AI product. Interviews changed too. They used to be about LeetCode-style coding tests. Then they became: can you review code, and can you talk to me about engineering concepts? Now it’s more like, here’s a challenge, you have thirty minutes and any tool you want, can you make it happen? You see how people work. Some copy-paste. Some use ChatGPT. Some understand that in thirty minutes they have to use the agent agentically, spin up a POC, run tests autonomously, and ship something.

But we also have to remember: researchers and engineers didn’t sign up for this. They didn’t sign up to be harness engineers or to talk in English. They signed up for the therapy of writing code. I look at the very large companies that impose token usage, that ask why you aren’t using more tokens, and I used to think counting lines of code never worked, so this is the wrong measure too. But I’ve come around. What other measure is there?

Rob Gurzeev: There are two things you might be trying to achieve. One is pushing people to experiment and change how they think. The other is doing it efficiently. You may have to start with the first, because it’s such a big change in how you see yourself as a productive person, the professional image you’ve built over ten or twenty years. Then, over time, you want to get more efficient. It was interesting to watch very smart people focus on efficiency too early. Until they were pushed hard enough on experimentation, they didn’t experiment enough.

Gadi Evron: It’s a maturity model. Start by using tokens and exploring. Then use them efficiently. Every developer who wants to stay on top has to spend two or three days a week just researching. They aren’t coding in that time, but they can then code much faster. And if coding is just English now, any moment spent writing code by hand is a waste, because that’s ten minutes of the work. Let product write ten versions and let the developer decide what to do.

I’ll also say this about the big companies that force people off their actual jobs to use AI. It’s a horrible management move, but I understand it now, because I can’t imagine what else they’d do. Sometimes at a certain scale you do things that look stupid, and they still produce enough value to be worth it. Microsoft spent tens of billions trying to make Copilot for Office 365 work. They did all the right things and forced people to use it. And then OpenClaw comes out over a weekend. So don’t rule Microsoft out.

Rob Gurzeev: We’ll see. Interesting developments on a weekly basis. This was great, Gadi. We should do it again. Really enjoyed the conversation, and looking forward to seeing you in person.

Gadi Evron: Thank you. And of course, if you want to defend your agents, discover your agents, and use your agents safely, remember Knostic.


Request a free scan

See Exactly What Attackers See

Get a free scan of your attack surface and gain valuable insight into your organization's risk posture by allowing CyCognito to discover, contextualize, and test externally .

Request a Scan
Top Attack Paths