Episodes

  • Episode #083: AI Mythos, Security Fundamentals, and the Zero-Day Panic Cycle
    Apr 29 2026

    Ken and Mike are back in the AI trenches, this time unpacking the hype, fear, and practical security implications surrounding Anthropic’s Mythos preview. As the industry reacts to claims around AI-driven vulnerability discovery and exploit generation, the hosts ask a more important question: are we actually ready to fix what we already know is broken?

    The conversation cuts through the zero-day panic and focuses on the fundamentals that still matter: patching, hardening, reducing attack surface, validating AI-generated code, and keeping deterministic security checks in place. From supply chain attacks and GitHub Actions misconfigurations to agentic development workflows and the future of CI/CD, Ken and Mike explore where AI may genuinely change the threat landscape and where security teams are still fighting the same old battles.

    If your organization is rushing to build faster with AI, this episode is a reminder to also use it to build better.

    44 minutes
  • Episode #082: AI Hype, Human Cost
    Mar 17 2026

    Ken and Mike are back from the grave to kick off 2026 with a timely debate on the AI panic cycle hitting software and security. They dig into the biggest questions flying around the industry right now: Is AI taking developer and security jobs? Is SaaS dying? Is software engineering being replaced by vibe coding and agents? From maker-checker workflows and token costs to AI-generated bugs, false positives, and attackers using autonomous tooling to move faster, this episode cuts through the hype from both the doomer and evangelist camps. The conclusion: software isn’t dead, security definitely isn’t solved, and the teams that adapt their craft instead of abandoning it will be the ones that keep up.

    44 minutes
  • Episode #081: Burnout by Budget Season: Surviving Q4 in Security
    Oct 29 2025

    In this candid and cathartic episode, Ken and Mike unpack the chaos that is Q4 for security professionals. From budget burnouts to end-of-year pentesting sprints, they explore why the final months of the year feel like a perfect storm for stress. Tune in as they share hard-earned lessons, practical advice for maintaining your sanity, and some gentle reminders that not everything needs to ship before Christmas. Whether you’re a tired vendor, an overwhelmed engineer, or just trying to make it to PTO, this episode is for you.

    22 minutes
  • Episode #080: Patch Me If You Can: Compliance, SLAs, and Other Fairytales
    Aug 25 2025

    In this no-punches-pulled return from hiatus, Ken and Mike dig deep into the messy middle of vulnerability management, SLA fatigue, and the illusion of compliance. Are we building secure systems or just passing audits? From legacy cruft to exploitable CVEs, this episode unpacks the real-world pressures of SOC 2, the auditor dance, and whether fixing every “critical” is even feasible.

    Perfect for practitioners trying to balance the checkbox culture with actual risk reduction, this one’s got stories, strategies, and spicy takes. Bonus: tips on managing auditors without losing your mind—or your security posture.

    34 minutes
  • Episode #079: CISOver It: When Dashboards Replace Direction
    Jun 10 2025

    In this episode of Relating to DevSecOps, Ken and Mike discuss the challenges faced by CISOs in today's security landscape, particularly the struggle to balance immediate security needs with long-term preventative strategies. They explore the disconnect between security leadership and practitioners, the urgency of addressing security issues, and the importance of understanding the root causes of vulnerabilities. The conversation emphasizes the need for CISOs to engage more deeply with their teams and to focus on effective, context-driven security solutions rather than simply reacting to the latest threats.

    37 minutes
  • Episode #078: 🔥 Burn Your 30-page Policies: Tanya’s Got Better Ideas
    Apr 22 2025

    In this must-listen episode of Relating to DevSecOps, Ken welcomes the ever-inspiring Tanya Janca, aka SheHacksPurple—author, AppSec expert, and champion of making security usable. Together, they dig into why so many application security policies fail, why developers ignore them, and how to make them actually work. Tanya shares real-world experiences from both dev and security perspectives, plus her journey from being ignored to lobbying governments for change.

    From communication failures and TL;DR policy pages to leveraging wikis and code reuse, this episode is a practical masterclass in creating impactful, developer-friendly security standards.

    47 minutes
  • Episode #077: Is Google Eating the Cloud? 🔥 Wiz.io Acquisition Hot Takes
    Mar 24 2025

    In this episode of Relating to DevSecOps, Ken Toler and Mike McCabe dive deep into Google's blockbuster acquisition of Wiz.io for a reported $32 billion. They explore the implications for cloud security, the consolidation of the DevSecOps tooling landscape, and how this move compares to Google’s previous acquisitions like Mandiant and Chronicle. The duo debates the future of multi-cloud strategies, platform fatigue, and whether Wiz will remain the darling of the security community—or get lost in the labyrinth of Google Cloud products. With sharp insights and a dash of hot takes, they paint a picture of a cloud security ecosystem at a pivotal turning point.

    32 minutes
  • Episode #076: ShmooBalls & Open Source Brawls: DevSecOps, Risk, and the Final ShmooCon
    Feb 4 2025

    Welcome to 2025! Ken and Mike kick off the new year with their security resolutions (or lack thereof) before diving into the bittersweet farewell to ShmooCon, one of the most beloved hacker conferences. Ken shares his experiences from the final event, including insights on hardware hacking, radio security, and the unique hacker culture that made ShmooCon special.

    They also unpack one of the most practical talks from the conference: a deep dive into open source security tools versus enterprise solutions, highlighting ways security teams can cut costs without sacrificing effectiveness. Speaking of open source, the hosts discuss the controversy surrounding Semgrep’s licensing changes and the rise of OpenGrep, the latest community-driven fork in response to closed-source shifts—drawing parallels to the Terraform/OpenTofu saga.

    Finally, the duo explores cyber risk from an insurance perspective, breaking down how breaches translate into real-world financial costs (hint: mailing breach notifications alone could bankrupt you). Whether you're a security pro, an open source advocate, or just here for the ShmooBall nostalgia, this episode has something for you!

    34 minutes