Interviews | August 14, 2025

Lack of Shared Context Presents the Biggest Incident Response Challenge


Cymulate | Google | Microsoft | Mimecast | Varonis

Avihai Ben Yossef
Co-Founder and CTO

Cymulate

Q1. How are you helping organizations move beyond traditional vulnerability scanning to actually proving which exposures pose real business risk? How does Cymulate’s recently introduced exposure validation platform enable this shift?

Traditional vulnerability management focuses on CVSS, EPSS, and threat intel to estimate risk. Cymulate goes further by validating resilience to real threats known to exploit those vulnerabilities. Our Exposure Validation platform shifts the focus from theoretical risk to practical exposure, enabling organizations to implement alternative mitigations beyond patching and optimize security controls instead.

Q2. How do you see AI impacting the future of continuous security validation from both an attack and defense standpoint? Could human-designed attack simulations become obsolete, or will it remain essential in modeling real-world adversary behavior?

AI accelerates simulation development and enhances threat coverage, enabling faster adaptation to evolving threats. While human expertise remains vital for context and creativity, AI-driven validation—guided by seasoned experts—will increasingly cover most validation activities at scale.

Q3. What were the key messages or innovations that Cymulate wanted to highlight at Black Hat USA 2025? How do they reflect the company’s vision for continuous threat exposure management going forward?

We emphasized our commitment to CTEM with a strong focus on “Threat” as the driver of prioritization. Our innovations help organizations focus on what truly matters—validating and mitigating real threats, not just managing vulnerabilities—while offering actionable alternatives to improve overall resilience.


Heather Adkins
VP of Security Engineering and Cybersecurity Resilience Officer

Google

Q1. As a founding member of Google’s Security Team how do you balance the push for engineering speed and innovation at Google with the need for deeply embedded, systemic security resilience? What specific advancements or approaches have you seen as being most impactful in this regard?

Security and reliability are inherent properties of a system, and if we can build strong foundations into the technology stacks and frameworks that innovators use for speed, then we get safety for free. For example, at Google we tackled stubborn weaknesses like XSS and SQL injection by giving developers safe libraries for writing applications that prevent these errors altogether. These frameworks allow developers to write new applications quickly, but also safely, by default. Similarly, we’ve found that going after systemic ecosystem weaknesses enables velocity in the business. Our internal Zero Trust architecture (which we call BeyondCorp), along with use of security keys and Chrome OS, has helped free up resources that might otherwise be used reacting to threats faced by traditional IT technologies. We also found that they enable engineering by providing low-friction travel, authentication and web experiences.
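The "safe libraries" idea above is worth seeing in code. The following is an added example, not Google's code or any of its published safe-types libraries: it sketches a hypothetical `SafeHtml` marker type and a single rendering sink that refuses plain strings, so untrusted input can only reach the page through an escaping template, and shows the same safe-by-construction principle for SQL with bound parameters. All names (`SafeHtml`, `html_template`, `render_response`, `find_user_ids`) and the in-memory table are assumptions made for the example.

```python
import html
import sqlite3
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class SafeHtml:
    """Marker type for markup that is already safe: either escaped here or composed
    from developer-written template literals. Hypothetical type for this example."""
    markup: str


def escape_html(untrusted: str) -> SafeHtml:
    # quote=True also escapes " and ', so the result is safe inside attribute values
    return SafeHtml(html.escape(untrusted, quote=True))


def html_template(template: str, **params: Union[str, SafeHtml]) -> SafeHtml:
    """Fill {name} placeholders in a developer-written template. Plain str values are
    always escaped; only SafeHtml values are inserted as markup."""
    filled = {}
    for name, value in params.items():
        if isinstance(value, SafeHtml):
            filled[name] = value.markup
        elif isinstance(value, str):
            filled[name] = escape_html(value).markup
        else:
            raise TypeError(f"{name}: expected str or SafeHtml, got {type(value).__name__}")
    return SafeHtml(template.format(**filled))


def render_response(body: SafeHtml) -> str:
    """The only sink that writes markup out. It refuses raw strings, so untrusted input
    cannot reach the page except through the escaping template path."""
    if not isinstance(body, SafeHtml):
        raise TypeError("render_response accepts SafeHtml only; build it with html_template()")
    return body.markup


def sink_rejects(value) -> bool:
    """True if the sink refuses the value (shows that the type check actually holds)."""
    try:
        render_response(value)
    except TypeError:
        return True
    return False


def unsafe_greeting(name: str) -> str:
    # The pattern a safe-by-default library removes: raw concatenation into markup
    return "<p>Hello, " + name + "</p>"


def safe_greeting(name: str) -> str:
    # The same page built through the safe path: escaping happens by construction
    return render_response(html_template("<p>Hello, {name}</p>", name=name))


# Same principle for SQL: the statement text is a developer-written constant and user
# input only ever travels as a bound parameter, never as part of the statement.
def find_user_ids(conn: sqlite3.Connection, name: str) -> list:
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def demo_db() -> sqlite3.Connection:
    # Constructed in-memory table for the example
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"             # constructed untrusted input
    print(unsafe_greeting(sample))                   # markup injected verbatim
    print(safe_greeting(sample))                     # markup neutralised by construction
    print(find_user_ids(demo_db(), "alice' OR '1'='1"))  # [] : the input is only a name
```

The point of the pattern is where the check lives: a reviewer no longer has to find every concatenation, because the type system (or, in Python, the runtime check in the sink) rejects anything that did not pass through the escaping path.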

Q2. How is Google collaborating with public and private sector entities to strengthen global cybersecurity resilience? What key challenges do you foresee in scaling these collaborative efforts to address rapidly evolving threats?

Cybersecurity is a team sport, and we’re only as strong as the weakest link. Thus collaboration is key: if only select platforms or services are protected then attackers win. By coming together to make technology safe for everyone, everywhere, we can build common solutions that work across the many types of environments users encounter. That’s why we partnered with FIDO Alliance and industry peers like Apple and Microsoft to launch passkeys in the last few years, and why we’re teaming up with DARPA at DEF CON for their AI Cyber Challenge (AIxCC).

These collaborations are essential to leveraging our collective resources and expertise to move the needle in a way that better safeguards online users and to shore up our national security defenses.

Q3. What is Google's main messaging and focus at Black Hat USA 2025? How will that tie into the company's broader vision for industry collaboration and security transparency?

Like the rest of the security industry, AI is a focal point for us this year. I'm excited about how AI is being leveraged to help cyber defenders who are tasked with protecting everything from schools and businesses, to critical infrastructure.

At Google, we've been using machine learning and AI for security for over a decade, whether that's to automatically protect Gmail inboxes from spam, or flagging malicious websites through Chrome. This work is crucial to keeping people safe, but sharing our insights is equally important. We don't want to gate-keep. We want to share our findings because AI holds immense potential and this is only the beginning.

That's why we've created our Secure AI Framework (SAIF) and helped launch the cross-industry Coalition for Secure AI (CoSAI), focused on the safe implementation of AI systems. We just announced we'll be donating SAIF data to CoSAI to help further its workstreams on agentic AI, supply chain security and more. And our security researchers are expanding this work through some amazing Black Hat briefings this year.

On Wednesday, our Google security researchers will deliver a briefing on how we're expanding Timesketch, our open-source collaborative digital forensics platform, with agentic capabilities. They'll demonstrate how leveraging Sec-Gemini, our security AI model, Timesketch can accelerate incident response and automatically perform initial forensic investigations. This is a huge leap forward in alleviating the pressure put on cybersecurity analysts, helping them cut down on investigation time and freeing them up to focus on other tasks.

Then on Thursday, our researchers will give a behind-the-scenes look at FACADE (Fast and Accurate Contextual Anomaly Detection) — an AI-based system that we've been using to detect insider threats within Google since 2018.


Aarti Borkar
CVP of Microsoft Security, Customer Success and Incident Response

Microsoft

Q1. How is Microsoft evolving its approach to incident response to protect customers against attacks targeting the identity and collaboration layers?

Our response to threats tightly integrates our identity, collaboration, and threat intel teams. This means when identity-based attacks like BEC or privilege escalation emerge, we’re not reacting in silos, we’re responding with shared signals and context.

We want teams, whether identity admins or SOC analysts, to think and respond in sync. That’s why we’ve embedded threat intel and automation across tools like Microsoft Defender, Sentinel, and Entra.

It’s not just about seeing the threat; it’s about helping everyone speak the same language when it matters most. That shift is helping our customers detect and contain identity attacks faster and with more confidence.

Q2. What recurring blind spots or systemic challenges do you see across enterprise environments when responding to incidents?

The biggest challenge isn’t lack of data; it’s lack of shared context. Too often, identity, email, and endpoint teams are looking at separate systems. That delay gives attackers time to move.

We also see friction between teams. They’re solving the same problem but speaking different languages. We’re addressing this by aligning signals across the stack and building in guidance that bridges those gaps, especially in post-breach investigations.

More customers are also adopting a resilience-first mindset: segmenting environments, limiting blast radius, and proactively planning for incidents.

These sound basic, but many customers don’t have an IR plan, haven’t done a compromise assessment or proactive planning, or haven’t even implemented basic risk-based conditional access policies. These fundamentals help improve resiliency and bring customers’ security teams together.
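The "shared context" point above can be made concrete. What follows is an added example, not Microsoft's code or the behaviour of Defender, Sentinel or Entra: it joins constructed records from three separate tools (identity, email, endpoint) into one per-user timeline and looks for a hypothetical business-email-compromise chain (a risky sign-in, then an inbox rule, then a new device) inside a time window. Each record on its own is something its owning team sees every day and would rarely escalate; the chain is only visible once the sources are merged. The log lines, event names, chain and window are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Signal:
    ts: datetime
    source: str   # which team's tool produced it: identity, email or endpoint
    user: str
    event: str


# Constructed sample records, one list per tool, in "timestamp,user,event" form.
IDENTITY_LOG = [
    "2025-08-14T08:58:03Z,alice,risky_signin",
    "2025-08-14T09:10:41Z,carol,signin",
]
EMAIL_LOG = [
    "2025-08-14T09:04:27Z,alice,inbox_rule_created",
    "2025-08-14T11:30:00Z,bob,inbox_rule_created",   # no risky sign-in: an ordinary rule
]
ENDPOINT_LOG = [
    "2025-08-14T09:06:55Z,alice,new_device_enrolled",
    "2025-08-14T09:12:10Z,carol,new_device_enrolled",
]

# Hypothetical chain; each stage lives in a different team's tool.
CHAIN: Tuple[str, ...] = ("risky_signin", "inbox_rule_created", "new_device_enrolled")
WINDOW = timedelta(hours=2)


def parse(lines: Sequence[str], source: str) -> List[Signal]:
    out = []
    for line in lines:
        ts, user, event = line.strip().split(",")
        out.append(Signal(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, user, event))
    return out


def build_timeline(*streams: List[Signal]) -> Dict[str, List[Signal]]:
    """Merge every team's signals into one per-user timeline, ordered by time."""
    per_user: Dict[str, List[Signal]] = defaultdict(list)
    for stream in streams:
        for sig in stream:
            per_user[sig.user].append(sig)
    for sigs in per_user.values():
        sigs.sort(key=lambda s: s.ts)
    return dict(per_user)


def find_chains(timeline: Dict[str, List[Signal]], chain=CHAIN, window=WINDOW):
    """Return (user, [signals]) for every user whose timeline contains the chain
    stages in order, all within `window` of the first stage."""
    hits = []
    for user, sigs in timeline.items():
        for i, start in enumerate(sigs):
            if start.event != chain[0]:
                continue
            matched, stage = [start], 1
            for later in sigs[i + 1:]:
                if later.ts - start.ts > window:
                    break
                if later.event == chain[stage]:
                    matched.append(later)
                    stage += 1
                    if stage == len(chain):
                        hits.append((user, matched))
                        break
    return hits


def flagged_users(chains) -> List[str]:
    return sorted({user for user, _ in chains})


if __name__ == "__main__":
    timeline = build_timeline(parse(IDENTITY_LOG, "identity"),
                              parse(EMAIL_LOG, "email"),
                              parse(ENDPOINT_LOG, "endpoint"))
    for user, sigs in find_chains(timeline):
        print(user, " -> ".join(f"{s.source}:{s.event}@{s.ts:%H:%M}" for s in sigs))
```

Running the same chain search over the email log alone returns nothing, which is the siloed view the interview describes; the merged timeline flags `alice` while `bob`, whose inbox rule had no risky sign-in behind it, is left alone.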

Q3. What were the key themes Microsoft aimed to highlight at Black Hat USA 2025?

At Black Hat, our focus was on helping teams defend at AI speed. That means sharing how we break down internal silos between intel, red team, and incident response, and how others can adopt similar models.

We will talk about mental models, not just tooling. How teams think and communicate during an attack is often what makes or breaks the response. We will bring those lessons to life through real-world examples of phishing, ransomware, and other relevant threats.

We will also emphasize collaboration. Not just among tools, but between people. When the right context reaches the right teams faster, everyone responds better. That’s what we wanted attendees to walk away with: ideas they can take back and apply, regardless of what tech they use.


Jeff Schumann
Mimecast VP & AI Strategist

Mimecast

Q1. Cyber threats are increasingly targeting the human layer via tactics like phishing and social engineering. How should organizations be evolving their strategy to better secure the human element and not just infrastructure?

Threat actors are sophisticated – they use the latest tools at their disposal and refine their approach day after day. Today that can take the form of a highly convincing deepfake, a personalized note leveraging an employee’s real job responsibilities or phishing threats backed by AI – making them more powerful, prolific, and unfortunately, successful.

Because of this, it’s no longer enough for organizations to focus solely on securing their infrastructure. We’ve reached a critical point in time where protecting people must be the central part of any cybersecurity strategy. The cybersecurity landscape is always unpredictable, but to be a resilient organization, engraining a 24/7 human-centric approach is key.

This starts by creating an ongoing process for adaptive security awareness training that reflects real-world attack techniques. These types of trainings need to be engaging and continuous and not just a “once-a-year” checkbox situation. It’s important to empower and educate employees with the right tools in real time. This means having email and collaboration security platforms that deliver intelligent threat detection and contextual guidance directly within the tools employees use every day. By having this process in place, it allows for better and safer decision making without disrupting employee productivity.

Organizations should continue to have a sharp eye on behavioral insights and leverage threat intelligence to help identify risk patterns. Consider this: just 8% of employees account for 80% of incidents. When a company is equipped with the skills to identify which individuals or departments are most likely to be targeted, they can take a more robust and personalized approach to defense.

Historically, cybersecurity has been categorized strictly as an IT-only responsibility, but today, it needs to become an organizational mindset. Securing the human element means integrating education, technology and intelligence into a single, cohesive strategy that protects every employee as effectively as it protects infrastructure.

Q2. As someone with experience building platforms that analyze digital behavior, how do you see AI being used not just to detect threats, but also to understand user intent and context?

Having built platforms that analyze digital behavior at scale, there’s huge potential in using AI not just for threat detection, but also to interpret user intent and context in real time. This is important to understand because not all anomalous behavior is malicious, and without understanding the ‘why’ behind the ‘what,’ we risk either overreacting or missing real threats.

The real challenge lies in attackers increasingly exploiting trusted services, making it harder than ever for security controls to distinguish between authorized and unauthorized activity. For example, malicious AI-powered tools like WormGPT and FraudGPT, which are rogue versions of legitimate GenAI models, are being used to craft highly convincing phishing emails, generate more efficient malware and automate cyberattacks at scale.

Mimecast’s detection engine has learned to identify specific characteristics that distinguish human-written emails from AI-generated ones. By analyzing tens of thousands of emails, along with synthetic data generated by models like the newly introduced GPT-5, we found that certain phrases, like “delve deeper into this” or overly casual greetings like “hello!” from senders who don’t typically use such language, often signal a phishing attempt.

GPT-5, which was just announced, now has ‘PhD level’ of intelligence. We knew this was coming, but that doesn’t lessen the astonishment of its power. We are in an AI arms race, and models will only get smarter. It’s essential that good AI is up to the task to defend against bad AI. At Mimecast, we are very much up to this challenge and look forward to harnessing the power of AI for good and deploying models in an ethical and fair way that secure our global customer base.
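The detection cues mentioned above (an AI-typical phrase such as "delve deeper into this", or a greeting style a sender never uses) can be turned into a small, explainable heuristic. The code below is an added example and not Mimecast's detection engine: it learns each sender's usual greeting style from previously delivered mail, then scores a new message for known phrases and for a greeting that deviates from that sender's baseline. The phrase list (one phrase from the interview plus one assumed extra), the scoring weights, the threshold and the sample messages are all constructed; a heuristic like this is a cheap complement to a trained classifier, not a replacement, and it will produce false positives on senders with little history, which is why a minimum history is required before a greeting counts as unusual.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# "delve deeper into this" is from the interview; the second phrase is an assumption.
AI_TELL_PHRASES = ("delve deeper into this", "i hope this message finds you well")

GREETING_RE = {
    "casual": re.compile(r"^\s*(hello|hi|hey)\s*[!,.]?", re.IGNORECASE),
    "formal": re.compile(r"^\s*(dear|good (morning|afternoon|evening))\b", re.IGNORECASE),
}


def greeting_style(body: str) -> str:
    """Classify the first line of a message as casual, formal or no greeting."""
    first_line = body.strip().splitlines()[0] if body.strip() else ""
    for style, pattern in GREETING_RE.items():
        if pattern.match(first_line):
            return style
    return "none"


class SenderBaseline:
    """Per-sender history of greeting styles, learned from previously delivered mail."""

    def __init__(self) -> None:
        self.styles: Dict[str, Counter] = defaultdict(Counter)

    def observe(self, sender: str, body: str) -> None:
        self.styles[sender][greeting_style(body)] += 1

    def is_unusual(self, sender: str, body: str, min_history: int = 5) -> bool:
        # Only call a greeting unusual once there is enough history for this sender
        hist = self.styles.get(sender)
        if not hist or sum(hist.values()) < min_history:
            return False
        return hist[greeting_style(body)] == 0


def score_message(sender: str, body: str, baseline: SenderBaseline) -> Tuple[int, List[str]]:
    """Return a constructed risk score and the human-readable reasons behind it."""
    score, reasons = 0, []
    lowered = body.lower()
    for phrase in AI_TELL_PHRASES:
        if phrase in lowered:
            score += 2
            reasons.append(f"AI-typical phrase: {phrase!r}")
    if baseline.is_unusual(sender, body):
        score += 2
        reasons.append(f"greeting style {greeting_style(body)!r} never seen from {sender}")
    return score, reasons


def is_suspicious(sender: str, body: str, baseline: SenderBaseline, threshold: int = 3) -> bool:
    return score_message(sender, body, baseline)[0] >= threshold


def demo_baseline() -> SenderBaseline:
    # Constructed history: the CFO has always opened with a formal greeting.
    baseline = SenderBaseline()
    for _ in range(6):
        baseline.observe("cfo@example.com", "Dear team,\nPlease find the monthly figures attached.")
    return baseline


# Constructed test messages
SUSPECT = "Hello!\nCould you delve deeper into this invoice and release the payment today?"
CONTROL = "Dear team,\nPlease review the attached quarterly report before Friday."

if __name__ == "__main__":
    baseline = demo_baseline()
    for body in (SUSPECT, CONTROL):
        print(score_message("cfo@example.com", body, baseline))
```

Each reason string is kept so an analyst can see why a message was held; a score without an explanation is hard to tune and hard to trust.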

Q3. How did Mimecast engage with customers, partners, and the broader security community at Black Hat USA 2025? What key themes or technologies did the company focus on at the event?

Black Hat was a major success for us this year. We brought Human Risk to life at the Mimecast booth and found that our story resonated well with attendees.

Our Human Risk Command Center was on full display. We announced key enhancements and showed hundreds of security professionals why increased visibility and individual risk scoring is a game changer.

To that, we also allowed visitors to take a rapid human risk survey, a live diagnostic that instantly profiled their organization's exposure across key attack vectors. Based on the results, our team gave them a demo showing how the Mimecast platform mitigates the risk.

Another big focus was our expanding ecosystem of strategic integrations. With a wide array of technology partners and more than 150 prebuilt integrations, we’re enabling threat intelligence sharing and coordinated response across tools like SentinelOne, Zscaler, Netskope, and Arctic Wolf. These four partners also joined our booth for joint sessions that showed viewers how ‘the power of together’ in cybersecurity makes the entire community safer.

Through these integrations, we’re helping customers strengthen protection across email, web, and collaboration environments. At the end of the day, our message was simple: security is strongest when it’s connected, adaptive, and centered around people – and that’s exactly what we’re building.


Terry Ray
VP of Product Strategy

Varonis

Q1. How does the definition of "sensitive data" need to evolve as AI-generated content and synthetic data proliferate in enterprise organizations? What is your company's approach to helping organizations address the challenge?

As AI-generated content and synthetic data proliferate, the definition of "sensitive data" must expand beyond PII, PHI, or financial information. AI tools generate and interact with vast amounts of proprietary information, internal communications, and training datasets that may not be regulated but are still highly sensitive. The risk isn’t just exposure. It’s misuse, poisoning, or unauthorized access that can trigger downstream consequences.

Organizations are vastly unprepared for data security risks from AI. In our State of Data Risk report, we found that a surprising 99% of organizations had sensitive data exposed to AI tools. Nine of 10 organizations we examined had sensitive cloud data accessible to AI tools.

We’ve always believed in taking a data-first approach to security. As enterprises adopt AI tools like copilots and train their own models, we secure the data that powers these initiatives, whether it lives in Microsoft 365, Salesforce, or custom LLM environments. We were the first to secure Microsoft Copilot and Salesforce Agentforce, and we continue to lead in protecting the data behind AI.

Q2. Many organizations are struggling with data governance across multi-cloud environments where different cloud providers have varying compliance and security models. What's your vision for how enterprises should approach unified data protection in this landscape?

The challenge with multi-cloud is that each provider has its own security and compliance, which makes it difficult to maintain consistent visibility, control, and enforcement. This fragmentation creates blind spots—especially when sensitive data is spread across SaaS apps, IaaS platforms, and AI tools.

The solution isn’t more tools. It’s consolidation around a single source of truth for data security. That means adopting a platform that can continuously discover, classify, and protect sensitive data wherever it lives — at rest, in use, or in motion. It also means correlating data sensitivity with identity, permissions, and activity to understand risk in real time and take action automatically.

This unified approach is critical as cloud sprawl accelerates, AI amplifies risk, and the blast radius continues to grow. Data is no longer confined to a single environment. It moves between apps, users, and services constantly — and security needs to be ready for it.
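The correlation described above (data sensitivity joined with identity, permissions and activity) is straightforward to express over an inventory. The following is an added example, not Varonis's product or its data model: it expands group grants to the users they contain, computes a blast radius per file, weights it by sensitivity, notes whether an "open" group or an AI indexing service account can reach the file, and uses the activity log to list access that exists but has not been exercised recently, which is the candidate set for least-privilege clean-up. The groups, files, sensitivity weights, stale-access window and service-account name are all constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set

# Assumed weights and conventions for the example
SENSITIVITY_WEIGHT = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}
OPEN_GROUPS = {"Everyone", "All Employees"}
AI_PRINCIPALS = {"copilot-indexer"}   # hypothetical service account used by an AI assistant
TODAY = date(2025, 8, 14)

# Constructed directory: group membership
GROUPS: Dict[str, Set[str]] = {
    "Finance": {"alice", "bob"},
    "All Employees": {"alice", "bob", "carol", "dave", "copilot-indexer"},
    "Everyone": {"alice", "bob", "carol", "dave", "copilot-indexer", "guest-ext"},
}


@dataclass
class FileRecord:
    path: str
    sensitivity: str
    grants: List[str]             # principals (users or groups) with read access
    accessed_by: Dict[str, date]  # last access per user, taken from the activity log


# Constructed inventory
INVENTORY = [
    FileRecord("/finance/payroll-2025.xlsx", "restricted", ["Finance"],
               {"alice": date(2025, 8, 12), "bob": date(2025, 7, 30)}),
    FileRecord("/shared/board-deck-draft.pptx", "confidential", ["Everyone"],
               {"alice": date(2025, 8, 1)}),
    FileRecord("/hr/salary-bands.csv", "restricted", ["All Employees"],
               {"carol": date(2025, 2, 1)}),
    FileRecord("/public/holiday-calendar.ics", "public", ["Everyone"], {}),
]


@dataclass
class Finding:
    path: str
    risk: int              # sensitivity weight x blast radius
    blast_radius: int      # distinct users who can read the file
    open_access: bool      # granted to an org-wide group
    ai_reachable: bool     # an AI service account is among the readers
    unused_access: Set[str]  # readers with no access inside the stale window


def expand(principals: List[str]) -> Set[str]:
    """Resolve groups to their members; names that are not groups are users."""
    users: Set[str] = set()
    for p in principals:
        users |= GROUPS.get(p, {p})
    return users


def assess(records: List[FileRecord], stale_days: int = 90) -> List[Finding]:
    """Score every file and return findings ordered by risk, highest first."""
    cutoff = TODAY - timedelta(days=stale_days)
    findings = []
    for r in records:
        readers = expand(r.grants)
        active = {u for u, last in r.accessed_by.items() if last >= cutoff}
        findings.append(Finding(
            path=r.path,
            risk=SENSITIVITY_WEIGHT[r.sensitivity] * len(readers),
            blast_radius=len(readers),
            open_access=bool(OPEN_GROUPS & set(r.grants)),
            ai_reachable=bool(AI_PRINCIPALS & readers),
            unused_access=readers - active,
        ))
    findings.sort(key=lambda f: f.risk, reverse=True)
    return findings


def remediation_candidates(findings: List[Finding], min_risk: int = 10) -> List[str]:
    """Files that are both broadly shared and risky enough to act on first."""
    return [f.path for f in findings if f.open_access and f.risk >= min_risk]


if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"{f.risk:3d} {f.path} readers={f.blast_radius} open={f.open_access} "
              f"ai={f.ai_reachable} unused={len(f.unused_access)}")
    print(remediation_candidates(assess(INVENTORY)))
```

The ordering is the useful output: a restricted file shared with every employee but touched by one person six months ago outranks the payroll file that only its two active users can reach, and the `unused_access` set for it is the list of grants that can be removed without anyone noticing.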

Q3. What products, technologies or services does Varonis plan on showcasing at Black Hat USA 2025? What do you want customers and attendees to take away from your company's participation at the event?

We have plenty for Black Hat attendees to see and do during the conference. At our booth, we’re debuting Varonis’ Next-Gen Database Activity Monitoring (DAM) as part of our flagship Data Security Platform.

We’re introducing a groundbreaking new approach to database security that deploys quickly and overcomes the challenges legacy vendors face in preventing data breaches and ensuring regulatory compliance. It’s fast, cloud-based, and delivers security outcomes far beyond what legacy DAM offers.

Legacy DAM solutions use outdated, agent-based technology that takes years to deploy and requires hardware and multiple FTEs to operate. Even when deployed successfully, legacy DAM rarely provides more than a compliance checkbox. Varonis offers customers a modern alternative that is fast, cloud-based, and delivers security outcomes far beyond what legacy DAM offers.

We’re hosting an expert session, “Navigating the Identity Crisis: Why Authentication Keeps Failing.” Varonis security team leader Mark Vaitsman will show how attackers continue to compromise authentication and steal identities. You’ll learn how to recognize the signs of post-authentication compromise, identify detection and response gaps, and harden security beyond MFA.

Attendees can also stop by the Varonis booth to play the first Snowflake GOAT, our new capture-the-flag challenge. Our Varonis Threat Labs team will be onsite to help with the challenge and get players on the leaderboard! We’ll also have some of the coolest swag for attendees.
