Casey Ellis
Founder/executive and advisor (security sector); frequent executive advisory perspectives on risk, leadership, and operating in complex environments.
RunZero Masterfully Secures Fragile OT and ICS Environments
...In which hdmoore and I go "full packet-rat" and dig into what runzero have been developing to support the complicated, fragile, often safety-critical OT and ICS world. If you've ever knocked over a dusty Solaris box with an nmap scan before (and want to understand how to find it without doing that), this one is for you. Sponsored: RunZero accidentally got good at OT - Risky Business Media https://m.cje.io/4ubHXby
Vulnerability Economics 2026: Deep Insights and Future Outlook
One of my favorite humans talking about one of my favorite topics: Mark Dowd goes deep into what vulnerability economics looks like in 2026, and where he thinks it goes from here. In true TBP-style it's long (2h) but it's...
CIRCIA Rule Faces Funding Gap, Delays Past May 2026
Policy Pulse #11 just dropped. Top story: CIRCIA's final rule is on a collision course with a DHS funding lapse. Town halls cancelled, slippage past May 2026 looks likely. VDP programs: your intake needs to be 72-hour ready before the clock...
Open-Source Tools Quantify AI Offense-Defense Gap
👀 Mine the Gap: Open-Source Tools for Measuring the AI Offense-Defense Gap | Dreadnode https://m.cje.io/4mxNV3P
AI Democratizes Hacking, Worsening Cybersecurity Asymmetry
The 'Vulnpocalypse' is here. Just spoke with Kevin Collier for NBC News about how AI is changing cybersecurity. "AI puts the kind of tools available to do this in the hands of far more people." Defenders must be right all the time....
Compute Fuels Attacks, Committees Lag Defense Gap
Offense scales with compute. Defense scales with committees. New piece on why the attacker-defender gap is widening faster than anything we've built to close it -- and what actually moves the needle. Link in bio or cje.io
Bug Bounties Aren’t Universal, AI Hype Is Overblown
Had a great conversation with Mackenzie Jackson from Aikido Security on The Secure Disclosure — we got into some contrarian takes: not every org should run a bug bounty (yes, from the Bugcrowd founder), AI slop is really just 2014...
AI Reshapes Bug Bounties: Insights From Industry Veterans
If I had a nickel for every time I was asked "How does AI impact bug bounty programs" last week, I would have several nickels... That's partly (*) why it was a hoot to sit down with my long-time vulnerability research...
CVE Funding Secured, Yet Deal Details Remain Opaque
CVE funding secured, but the deal details remain a black box. Plus: lookup.disclose.io is live in beta, exploited vulns surged 105%, and the EU CRA clock is ticking. Policy Pulse #8: https://blog.disclose.io/policy-pulse-issue-8-week-of-march-29-2026/
Open-Source XIAM: Seven Years of Identity Innovation
Talked to Fletcher Heisler from Authentik about Extended Identity Access Management — XIAM. Open source identity, seven years in the making. Worth a listen: https://risky.biz/RBNEWSSI120/
LLMs Can Unintentionally Expose API SQL Injection Vulnerabilities
Q: When is an SQLi bug just a sparkling API? A: When you ask an LLM to grab a bunch of data from a website, and it realizes that one is there. imho, this is one of those "don't hate the finder,...
Risk Assessments Are Performative; Focus on Impact, Not Count
🔥🔥🔥 This hits on something that has bothered me for most of my career... Much of what orgs do to "assess risk" is largely performative, and has very little to do with actual risk. Impact is what matters. Your AI Pentester Found...