Interviews | March 19, 2026

Attackers Can Afford Inefficiency, Defenders Cannot


Bitdefender | Broadcom | SOCRadar | ThreatLocker

Paul Hadjy
VP of APAC and Cybersecurity Services

Bitdefender

Q1. AI has dramatically lowered the barrier to entry for sophisticated attacks. Is defensive AI keeping pace? Or are we entering a period where asymmetry again favors the attacker?

Artificial Intelligence (AI) has unquestionably lowered the barrier to entry for building and modifying malware. A recent example is what we call "vibeware", an attack strategy derived from the concept of "vibe coding," where AI-assisted development tools are used to rapidly rewrite the same malware across multiple obscure programming languages, flooding targets with variants designed to overwhelm defenses. AI has enabled threat actors to quickly generate large volumes of disposable implants, port code into niche languages such as Nim, Zig, or Crystal, and easily integrate with cloud services.

The result is less about technical brilliance and more about volume. In some cases, it resembles a "Distributed Denial of Detection," where defenders are pressured not by breakthrough capabilities but by the sheer cadence and diversity of new variants. In certain ways, attackers are favored, particularly in terms of experimentation speed and cost of AI. Attackers only need to succeed once. They can discard broken tooling and try again tomorrow. AI accelerates that development cycle dramatically.

On the attacker side, most of what we're seeing today is a hybrid model. AI is accelerating malware production, but the actual operations (lateral movement, staging, exfiltration, hands-on-keyboard activity) remain manual. We are not yet in an era of fully autonomous AI attackers operating at scale. Human operators are still required, and that places natural limits on how far the asymmetry can tilt.

Where the imbalance becomes more complex is operational economics. For defenders, especially lean teams, AI is not plug-and-play magic. It requires tuning, validation, integration into workflows, and skilled interpretation. Poorly implemented AI can increase noise rather than reduce it. Meanwhile, attackers can afford inefficiency; defenders cannot. That economic asymmetry is real.

So, are defenders losing ground? Not necessarily, but we are entering a phase defined by acceleration. Defensive AI, when combined with skilled human teams and strong operational discipline, is keeping pace technologically. The decisive factor isn't who has more AI tools, but who operationalizes them more effectively.

Q2. How should boards in the APAC region be thinking about cyber resilience as a governance priority rather than just an IT responsibility?

Cyber resilience needs to be driven from the top down to be truly effective. Boards and C-suite leaders should own it as a core governance issue, not delegate it solely to IT or security teams. When security culture starts at the executive level, it cascades through the organization: policies get enforced consistently, budgets align with real risks, and everyone, from finance to HR to operations, starts treating it as part of their day-to-day accountability.

In the APAC region especially, where regulatory pressures (like DORA-inspired rules, Singapore's cybersecurity act updates, or Australia's critical infrastructure obligations) are ramping up fast, leadership that treats cyber as a strategic risk is seeing immediate returns. The entire workforce becomes more vigilant, with employees questioning suspicious emails, unusual access requests, or odd behavior from customers and partners, which dramatically reduces human-enabled breaches.

Beyond defense, there's a strong business upside: for companies selling into enterprise accounts (especially in finance, manufacturing, or tech), robust cyber resilience and third-party risk management become real sales enablers and competitive differentiators. Large customers increasingly demand proof of strong supplier security postures during procurement. Investing here isn't just risk mitigation, it's a way to build trust, win deals, and protect revenue. Boards that get this right position their organizations as reliable partners in a region where supply-chain attacks and regional geopolitics are making resilience a boardroom imperative.

Q3. What are Bitdefender's priorities at Black Hat Asia 2026? How do you plan on engaging with customers, researchers, and other stakeholders at the event?

We have two major priorities for Black Hat Asia 2026. First, it's about our engineers, threat researchers, and cyber operations professionals diving deep into the latest attacker TTPs, emerging defenses, and groundbreaking research, especially around AI-powered threats and supply chain vulnerabilities, which are key topics this year. Black Hat is one of the best places to stay ahead of the curve on real-world threats and innovative countermeasures.

Second, it's a prime opportunity for our go-to-market (GTM) teams to connect directly with security leaders, practitioners, and our existing customer base across the APAC region. With cyber investments surging here, these interactions help us understand evolving regional challenges and show how Bitdefender's innovative solutions like GravityZone Proactive Hardening and Attack Surface Reduction (PHASR) deliver integrated, high-efficacy security, especially for organizations with lean IT security teams. We will be running an active presence at Booth 302, where attendees can see live demos of our GravityZone platform, discuss real-world use cases, and explore how we're addressing current threats like AI-assisted attacks and supply-chain risks. We'll also participate in networking sessions, briefings, and side events to foster deeper discussions.

For Bitdefender, Black Hat Asia is about connecting, learning and demonstrating that we remain committed to delivering advanced prevention, protection, detection, and response, streamlining security operations and improving efficiency for organizations across the region. We're looking forward to seeing everyone there.


Jason Rolleston
General Manager, Enterprise Security Group at Broadcom

Broadcom

Q1. Mid-market companies are attractive cyberattack targets but rarely have the security resources or expertise to match those of large enterprises. How do you see AI-driven automation genuinely helping to bridge that resourcing gap? Is there a risk of AI creating a false sense of security for organizations that may not have the expertise to know when it's failing them?

For mid-market companies, the challenge has always been "the asymmetric battlefield." They face nation-state-level threats but generally lack the people, funding and tools to counter them. More and more organizations need to tip the balance with security platforms that natively correlate signals across endpoint, network, and data to eliminate blind spots and make detection and response fast and intuitive. Combining that platform with AI-driven automation is the ultimate equalizer. By shifting from reactive "detect and respond" to predictive security, AI can handle the heavy lifting—correlating telemetry across the network and endpoint to stop an attack before it fully manifests.

Regarding the risk of a false sense of security: it is real. If AI is a "black box," practitioners won’t know when a model has drifted or is being bypassed. The fix is transparency and trust. We believe in "AI-assisted," not just "AI-automated." Automation should handle the volume, but the system must provide clear, "plain language" insights that guide analysts to make the right decisions fast. This builds the team’s expertise rather than replacing it. At Broadcom, our goal for 2026 is to make this type of Incident Prediction and enhanced description capability a standard, ensuring mid-market firms aren't just faster, but smarter.

Q2. Considering that supply chain compromises often happen upstream of the endpoint, how do EDR tools need to evolve to address this attack vector? Where do you think organizations are most underestimating their exposure to supply chain risk right now?

The industry is waking up to the fact that an attacker doesn't need to "break in" if they can simply "check in" via a trusted update. EDR tools must evolve from being isolated "flight recorders" of a single device to becoming integrated sensors in a larger, correlated defense spanning the infrastructure. Historically, EDR focused on process executions on the laptop. To address supply chain risks, EDR needs to have visibility into network, cloud and data layers. If a trusted, signed application suddenly starts communicating with a new C2 server or attempting a Living-off-the-Land (LotL) technique, the EDR must correlate that with network-layer insights immediately and flag the analyst with human-readable context and the best next steps.

Where is the risk most underestimated? Non-human identities. Organizations are securing their employees' logins, but they are often blind to the service accounts, API keys, and automated scripts that keep the supply chain moving. These are the "digital backdoors." In 2026, we are integrating Carbon Black’s endpoint telemetry with Symantec’s network and cloud visibility to ensure that when a supply chain compromise happens, the endpoint isn't an island—it's part of a unified, data-centric defense.
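The correlation described in the answer above (a signed, trusted binary contacting a destination outside its baseline, weighted higher when the same process spawns a living-off-the-land binary, reported with plain-language context and next steps) can be sketched as detection logic. The block below is an added example written for this page, not Broadcom, Symantec or Carbon Black code; the telemetry, the field names and the baseline format are all constructed for illustration.

```python
"""Correlate endpoint process telemetry with network flows.

Rule: a code-signed application that connects to a destination never seen in
its baseline is flagged; severity rises if that process also spawned a
living-off-the-land (LotL) binary.  All events and field names below are
constructed sample data, not any product's schema."""
from collections import defaultdict
from dataclasses import dataclass, field

# Dual-use system binaries worth weighting when a third-party updater spawns
# them.  Illustrative, not exhaustive.
LOTL_BINARIES = {"powershell.exe", "rundll32.exe", "certutil.exe",
                 "mshta.exe", "regsvr32.exe"}


@dataclass
class ProcessEvent:
    host: str
    pid: int
    image: str       # executable file name
    signer: str      # code-signing publisher; "" when unsigned
    parent_pid: int


@dataclass
class NetFlow:
    host: str
    pid: int
    dest: str        # "host:port" the process connected to


@dataclass
class Alert:
    host: str
    image: str
    signer: str
    severity: str = "medium"
    reasons: list = field(default_factory=list)
    next_steps: list = field(default_factory=list)


def build_baseline(history):
    """(image, signer) -> destinations observed during the learning period."""
    baseline = defaultdict(set)
    for proc, flow in history:
        baseline[(proc.image, proc.signer)].add(flow.dest)
    return baseline


def correlate(processes, flows, baseline):
    """Join each flow to its originating process and apply the rule."""
    by_pid = {(p.host, p.pid): p for p in processes}
    children = defaultdict(list)
    for p in processes:
        children[(p.host, p.parent_pid)].append(p)

    new_dests = defaultdict(list)           # (host, pid) -> unseen destinations
    for f in flows:
        proc = by_pid.get((f.host, f.pid))
        if proc is None or not proc.signer:
            continue                        # unsigned code is covered by other rules
        if f.dest not in baseline.get((proc.image, proc.signer), set()):
            new_dests[(f.host, f.pid)].append(f.dest)

    alerts = []
    for key, dests in new_dests.items():
        proc = by_pid[key]
        alert = Alert(proc.host, proc.image, proc.signer)
        alert.reasons.append(f"{proc.image} (signed by {proc.signer}) contacted "
                             f"destinations absent from its baseline: {', '.join(dests)}")
        lotl = [c.image for c in children[key] if c.image.lower() in LOTL_BINARIES]
        if lotl:
            alert.severity = "high"
            alert.reasons.append(f"the same process spawned {', '.join(lotl)}")
        # Plain-language guidance for the analyst, as the answer above calls for.
        alert.next_steps = [
            f"Confirm with {proc.signer} whether a legitimate update uses {dests[0]}",
            f"Isolate {proc.host} if the destination cannot be attributed to the vendor",
            "Review the child processes' command lines against the baseline",
        ]
        alerts.append(alert)
    return alerts


def run_demo():
    """Constructed telemetry: a signed updater reaches a new endpoint and spawns PowerShell."""
    history = [
        (ProcessEvent("ws-01", 100, "updater.exe", "Acme Software Ltd", 1),
         NetFlow("ws-01", 100, "updates.example.com:443")),
        (ProcessEvent("ws-01", 101, "browser.exe", "Example Browser Inc", 1),
         NetFlow("ws-01", 101, "www.example.org:443")),
    ]
    processes = [
        ProcessEvent("ws-01", 4242, "updater.exe", "Acme Software Ltd", 1),
        ProcessEvent("ws-01", 4300, "powershell.exe", "Microsoft Windows", 4242),
        ProcessEvent("ws-01", 4400, "browser.exe", "Example Browser Inc", 1),
        ProcessEvent("ws-01", 4500, "tool.exe", "", 1),           # unsigned
    ]
    flows = [
        NetFlow("ws-01", 4242, "updates.example.com:443"),   # in baseline
        NetFlow("ws-01", 4242, "203.0.113.10:8443"),         # new destination
        NetFlow("ws-01", 4400, "www.example.org:443"),       # in baseline
        NetFlow("ws-01", 4500, "198.51.100.7:80"),           # unsigned, skipped here
    ]
    return correlate(processes, flows, build_baseline(history))


if __name__ == "__main__":
    for a in run_demo():
        print(a.severity.upper(), a.host, a.image, a.reasons, a.next_steps)
```

Only the updater is flagged: its destination baseline is the vendor's update host, the second flow goes elsewhere, and the PowerShell child raises severity. The browser stays within its baseline and the unsigned tool is left to whichever rule covers unsigned code, which keeps this rule focused on the "trusted update" scenario the answer describes.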

Q3. What's the conversation that Broadcom most wants to be having with security practitioners at Black Hat Asia 2026? What are your plans at the event?

The conversation we most want to have at Black Hat Asia is about platform consolidation and resilience. The Asia-Pacific region is seeing a massive surge in cyber investment, but too much of that is going into "shiny object" point solutions that create console fatigue. We want to talk to practitioners about how to strip away the noise.

Our plan for the event is to showcase how we are operationalizing the "legendary" portfolios of Symantec and Carbon Black into a single, high-fidelity engine. We’ll be demonstrating:

  • Predictive Defense: How we use Broadcom’s massive R&D engine to move beyond traditional XDR.
  • Private Cloud Security: Helping organizations in the region balance the need for AI innovation with the strict data sovereignty and "sovereign cloud" requirements prevalent in Asia.

We aren't just here to show off tools; we're here to listen to the specific challenges of the regional landscape—from securing critical OT infrastructure to defending against the latest AI-driven phishing. My message is simple: You deserve every advantage, and we’re here to provide the scale and trust to give it to you.


Santokh Bains
Chief Revenue Officer

SOCRadar

Q1. From a go-to-market perspective, what differentiates SOCRadar from other threat intelligence vendors today? Where do you see the next competitive battleground emerging?

At SOCRadar, our go-to-market philosophy centers on three principles: accessibility, depth, and speed. For years, threat intelligence platforms have operated behind long proof-of-concept cycles and opaque data models. We intentionally disrupted that approach by making high-quality threat intelligence easier to validate, adopt, and operationalize. One of our key differentiators is proprietary dark web visibility. Our intelligence team maintains deep access into the cybercriminal ecosystem, monitoring stealer logs and more than 10,000 Telegram channels where real threat activity unfolds. This gives our customers high-fidelity intelligence that goes beyond surface-level scraping and automated feeds.

Another important element is our freemium go-to-market model. Instead of forcing organizations into lengthy procurement processes, we allow them to test the platform and validate the intelligence themselves. This “free-to-try” approach removes friction from the adoption cycle and lets the quality of the data speak for itself.

We also benefit from a strong community network effect. With more than 35,000 users worldwide, our platform continuously benefits from crowd-validated signals. When our community identifies or confirms threat indicators, it improves the accuracy and reliability of the intelligence delivered to enterprise customers.

Looking ahead, the next competitive battleground will not be who collects the most data—it will be who can operationalize intelligence fastest. The future of threat intelligence is shifting from passive feeds to automated decision-making systems. At SOCRadar, we are leading that transition with agent-driven workflows and Model Context Protocol (MCP) infrastructure, enabling AI agents to analyze phishing content, perform OCR and logo detection, and orchestrate investigative workflows autonomously. In other words, the future of threat intelligence isn’t just information. It’s automated action at scale.

Q2. How should revenue leaders translate external threat intelligence into language that boards can use for capital allocation and risk governance decisions?

Board members rarely want to hear about indicators of compromise or threat feeds. What they care about is financial exposure and business continuity. To make cybersecurity meaningful at the executive level, revenue leaders need to translate technical risk into a framework the board understands—Cyber-Value-at-Risk (CyVaR).

Cybersecurity conversations often focus on incidents after they happen. But reactive security is one of the most expensive strategies an organization can adopt. When a breach occurs, the financial impact goes far beyond remediation. Organizations must deal with forensic investigations, regulatory scrutiny, legal liabilities, operational downtime, and long-term brand damage. The true cost of a breach is often measured in lost customer trust and disrupted revenue streams, not just technical recovery.

This is where external threat intelligence becomes strategically valuable. By monitoring the dark web, threat actor communities, and exposed infrastructure outside the organization’s perimeter, companies can detect risk signals long before an attacker exploits them. For example, identifying leaked credentials or compromised accounts in underground forums allows security teams to take preventive action before those credentials are weaponized. From a board perspective, that isn’t just a security event—it’s the prevention of a predictable financial loss.

When security leaders frame intelligence this way, the conversation changes. Instead of explaining threats, they demonstrate how proactive intelligence protects revenue, brand equity, and customer confidence. Ultimately, external threat intelligence transforms cybersecurity from a reactive operational expense into a forward-looking investment in risk management and resilience. That is the narrative boards understand and support when making capital allocation decisions.

Q3. What are SOCRadar's plans at Black Hat Asia 2026? What themes and topics do you plan on highlighting at the event?

At Black Hat Asia 2026, our core message is straightforward: modern attackers rarely break in—they log in. Identity-based attacks are rapidly replacing traditional malware-driven intrusions, and stolen credentials have become one of the most powerful weapons in the threat actor toolkit.

Recent research shows that over 80% of successful breaches involve legitimate credentials, often obtained through phishing, stealer malware, or dark web marketplaces. This shift means organizations can no longer focus solely on endpoint security or network defenses. They must also monitor identity exposure outside their own environment.

That is why, at Black Hat Asia, SOCRadar is introducing expanded capabilities in Identity and Access Threat Intelligence. Our goal is to close the growing gap between internal identity security controls and the external ecosystems where compromised credentials circulate.

One key theme we will highlight is closing the identity blind spot. Our platform tracks leaked credentials across dark web markets, stealer logs, and third-party SaaS environments, allowing organizations to identify compromised accounts before attackers use them for lateral movement.

We will also showcase Attack Flow Visualization, a new feature designed to provide analysts with a clear narrative of how attacks unfold—from the initial compromise to the final stage of data exfiltration. By visualizing the entire attack chain, security teams can better understand and prioritize real risk.

Finally, we are introducing our AI Agent Marketplace, including a specialized Identity & Access Threat Intelligence AI Agent capable of analyzing compromised endpoint files, session cookies, and logs to generate rapid risk reports.

With the average data breach now exceeding $4.4 million globally, our mission at Black Hat Asia is to demonstrate how organizations can move from reactive defense to proactive, intelligence-driven protection against identity-based threats.


Danny Jenkins
CEO and co-founder

ThreatLocker

Q1. ThreatLocker takes a fairly specific approach to zero trust centered on application control and ringfencing. How does that approach address the implementation barriers you see most often? Where do you think the broader security industry is still making zero trust harder than it needs to be?

Zero Trust is a defense posture built on deny-by-default and least-privilege access. Our platform enables application allowlisting, which ensures no software or code runs by default and must instead be explicitly approved. We also provide application containment, or “Ringfencing”. This limits the resources approved applications can access, significantly reducing the impact of a breach if one occurs.

In the past, these approaches were seen as cumbersome to implement. Now, with more than 13,000 pre-built apps recognized, you’ll gain immediate visibility, streamline your application list and get more policy suggestions quickly. Gone is manual list-building and creating policies from scratch, resulting in a significant reduction in your operational burden. Our clients choose us because our solution gives employees access to what they need to do their jobs without interference. Today, the platform extends beyond the endpoints as well, including recently launched solutions that apply Zero Trust to networks and cloud SaaS environments.

ThreatLocker encourages organizations to start with major questions: How do you ensure unapproved software cannot run on endpoints? How do we limit the damage when credentials are stolen in a phishing attack?
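The two controls described in this answer, allowlisting (nothing runs unless explicitly approved) and ringfencing (an approved application reaches only the resources its policy grants), can be modelled as a small deny-by-default policy engine. The block below is an added example written for this page, not ThreatLocker's product or policy format; the hashes, paths, resource classes and glob patterns are all constructed for illustration.

```python
"""Toy deny-by-default application control with ringfencing.

Two decisions are modelled.  may_execute(): a binary runs only if its SHA-256
digest is on the allowlist, so an unknown download or a tampered copy of an
approved program is refused.  may_access(): once running, an application
reaches only the resource classes and targets its ringfence grants.  Both
default to deny.  Paths and patterns are constructed sample data."""
import fnmatch
import hashlib
from dataclasses import dataclass, field


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class Policy:
    # sha256 hex digest -> application name.  Anything not listed cannot run.
    allowlist: dict
    # application name -> {resource class: [glob patterns]}.  Anything not
    # granted here is denied to the running application.
    ringfence: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)     # every decision, for review

    def _record(self, event, decision):
        self.audit.append((event, decision.allowed, decision.reason))
        return decision

    def may_execute(self, path, content):
        """Allowlist check keyed on file content, not on the file's path or name."""
        digest = hashlib.sha256(content).hexdigest()
        app = self.allowlist.get(digest)
        if app is None:
            return self._record(("exec", path),
                                Decision(False, f"{path}: hash {digest[:12]}... not on allowlist"))
        return self._record(("exec", path), Decision(True, f"{path}: approved as {app}"))

    def may_access(self, app, resource_class, target):
        """Ringfence check: the first matching grant allows, otherwise deny."""
        for pattern in self.ringfence.get(app, {}).get(resource_class, []):
            if fnmatch.fnmatchcase(target, pattern):
                return self._record((app, resource_class, target),
                                    Decision(True, f"{app} may reach {resource_class} "
                                                   f"{target} (grant {pattern})"))
        return self._record((app, resource_class, target),
                            Decision(False, f"{app}: ringfence denies {resource_class} {target}"))


def run_demo():
    """Constructed scenario: an approved office suite opened a booby-trapped document."""
    approved_office = b"constructed bytes standing in for an approved office binary"
    policy = Policy(
        allowlist={hashlib.sha256(approved_office).hexdigest(): "OfficeSuite"},
        ringfence={
            "OfficeSuite": {
                "file": ["C:/Users/*/Documents/*"],
                "process": ["C:/Program Files/OfficeSuite/*"],   # only its own helpers
                # no "network" grant: the suite may not open outbound connections
            }
        },
    )
    results = {
        "run_approved": policy.may_execute(
            "C:/Program Files/OfficeSuite/office.exe", approved_office).allowed,
        "run_tampered": policy.may_execute(            # one appended byte changes the hash
            "C:/Program Files/OfficeSuite/office.exe", approved_office + b"\x00").allowed,
        "run_unknown": policy.may_execute(
            "C:/Users/alice/Downloads/invoice.exe", b"never-approved payload").allowed,
        "open_document": policy.may_access(
            "OfficeSuite", "file", "C:/Users/alice/Documents/q3.docx").allowed,
        "spawn_shell": policy.may_access(
            "OfficeSuite", "process", "C:/Windows/System32/cmd.exe").allowed,
        "outbound": policy.may_access(
            "OfficeSuite", "network", "203.0.113.10:443").allowed,
    }
    return results, policy.audit


if __name__ == "__main__":
    results, audit = run_demo()
    for event, allowed, reason in audit:
        print("ALLOW" if allowed else "DENY ", reason)
```

The scenario shows why the two controls are complementary: allowlisting stops the unknown download and the tampered binary from running at all, while ringfencing limits what the approved office suite can do after it has been tricked into opening a malicious document (it can read the user's documents but cannot spawn a shell or reach the network). Hashing the content rather than trusting the path means renaming a file or dropping it into an approved directory does not bypass the check.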

Q2. If you were advising a board that had just suffered a significant breach, what's the first assumption about their security posture you'd tell them to throw out?

Every business is different, and the assumptions they bring can vary widely. One common theme we see with companies that have been breached is the belief that their network was safe. That assumption needs to go. The first principle of Zero Trust is to assume the network has been, or eventually will be, breached despite an organization’s best efforts. From there, the focus shifts to limiting what an attacker can do. That means implementing controls based on deny-by-default, least-privilege access, just-in-time privileges, and continuous verification. As a final layer, organizations should have automated detection and response in place to identify and respond to harmful activity as quickly as possible.

Ultimately, a board must accept that breaches may be part of the reality they face. The goal is not to assume perfect prevention, but to design a security posture that assumes compromise and limits the damage when it happens.

A good example is our Zero Trust SaaS Access (ZTSA), which adds hardware verification through a fast and secure ThreatLocker broker before a user can access SaaS resources. This product assumes humans are imperfect and may occasionally be fooled by a phishing attack. To account for that reality, the system requires the correct credentials, from a specific device, through a specific network path. That means even if an employee is phished, attackers still cannot access services like Salesforce, Microsoft 365, or GitHub without the user’s device. The credential may be stolen, but it causes no damage because the attacker cannot use it.

Q3. What are ThreatLocker's main focus areas at Black Hat Asia 2026? How do you plan on engaging with stakeholders at the event?

The main focus for ThreatLocker at Black Hat Asia 2026 is connecting with security leaders across the region and advocating for practical Zero Trust cybersecurity. We want to make ourselves available to answer questions from cybersecurity practitioners and have direct conversations about the security challenges they face. Events like Black Hat are valuable because they allow for candid, technical discussions. Our team will be meeting with partners, customers, and security leaders throughout APAC to talk through how organizations can move from traditional perimeter-based security to controls built around deny-by-default and least-privilege access.

As cyberattacks continue to increase in both speed and frequency, we are also eager to explore how organizations in the region are adapting. The pace of attacks is accelerating, in part because artificial intelligence is making it easier for cybercriminals to automate and scale their operations. We are looking forward to working with organizations across APAC to see where ThreatLocker solutions can help them better manage that reality and reduce their exposure to rapidly evolving threats.