Notable verbatim quotes

⚠ All quotes are from Joseph unless marked. The transcript has no per-speaker labels, but the speaker is consistently Joseph throughout the main body. Speech-to-text artifacts are preserved verbatim.

The gap

• The 1-to-100 problem: "there is just one application security specialist for every 100 software developers. This gap is the opportunity that we can help minimize with AI." (Section 3)
• The risk of getting it wrong: "if we are not equipped with the right knowledge, the gap maybe is going to widen or is not going to close because we didn't maximize our potential there." (Section 3)

Start left

• Start left, not shift left: "The problem when you shift left is that you keep having a gap on the left. The whole point and the opportunity here is to start left." (Section 4)

Hallucinations & non-determinism

• Hallucinations are permanent: "we suffered from hallucinations and we will never get away with zero hallucinations." (Section 4)
• Non-determinism in action: "I reduce the context. And it didn't come up. So this is not determinism at its best." (Section 4)
• It's not about the model: "it's not about models about the rest of things… you can't cheat more when you have better scaffolding" (Section 4)

Fixing, not detection

• The core reframe: "in cyber security, we have a fixing problem. We have so much ways to find what's wrong. And we don't have the ways to minimize that gap by get up to the fixing speed." (Section 5)
• AI's role: "I can use AI to be the reasoning layer to help me fix this." (Section 5)
• Boundaries: "AI… is not here to replace the human in the loop or skip security testing entirely. However, AI is definitely changing the scene of security testing." (Section 5)

MCP × Skills

• MCP without skills: "if you have MCPs without skills that are going to give structure, your AI agents are just going to have capability but without. Your process." (Section 7)
• Skills without MCP: "If you have just skills… and you don't have MCPs. Maybe here you don't have enough power to execute what you want to execute." (Section 7)
• What good skills look like: "they are auditable audible maintainable extensible" (Section 7)

In the PR

• One place for developers: "developers have to be working on one place. And this should be that for request." (Section 8)
• 3x faster fixes: "by being in the PR we manage… to become three times faster when it comes to fixed… they have fixed 600 vulnerabilities in two weeks" (Section 8)

Agentic workflows

• Why agents beat SAST: "the big advantage of this one is tailored" (Section 9)
• Context bloat warning: "if I put every structure I have and all the rules and all the things are applied to my team in one script. I'm definitely bloating the AI context… some things should be going into agents.md some other things should be part of these files" (Section 9)

Education & SLOs

• The CSO move: "if I was a chief security officer I will push down to my developer team service level objectives. About expectations I have that are tightly. Aligned with their performance objective." (Section 15)
• Insecure = low quality: "it's not about shipping code, it's about shipping code that secure because if the code is not secure is own quality code" (Section 15)

Dual-LLM / least privilege

• One success is enough: "I attack your house to succeed once. No matter how much you defend and how much bucket you spend in everything in your company." (Section 16)
• Least privilege first: "the number one thing list privilege access right AI shouldn't be touching anything sensitive because assume it's gonna take it… agents should have been negotiating any boundaries." (Section 16)
• Layer order: "don't give access to anything that AI shouldn't have access use containers and then use LLM to validation" (Section 16)