EPISODE 066 – Digital Trust in the Age of AI

Together, they share NetSPI’s remarkable growth trajectory to become the largest pure-play penetration testing provider in the world. They also discuss how fostering customer trust through technology innovation has become the foundation of NetSPI’s success. 

Tune in as they tackle pressing challenges in security, share insights on adopting AI, and forecast the future of cybersecurity trends.

Show Notes: 

• 00:40 – NetSPI’s Journey
• 02:28 – Evolution of Pentesting
• 08:05 – Cyber Trends in 2025
• 10:22 – Tool Consolidation vs Best in Breed
• 12:10 – Finding the Right People
• 16:21– Keeping Culture while Scaling
• 20:30 – The Future of AI
• 27:08 – AI Preparedness

Transcript between Nabil and Aaron

Topics covered: Evolution of pentesting, customer trust, securing AI systems, NetSPI’s journey, qualities of effective teams

This transcript has been edited for clarity and readability. 

Nabil: Some people lead others, some inspire others, and some have an amazing knack for hitting the golf ball into water hazards. Today’s guest does all three. He’s the CEO of NetSPI. Welcome to the podcast, Aaron. 

Aaron: Thanks, Nabil. I clearly do some better than others. Golfing into water hazards is a specialty. 

Nabil: I’ve told people that some golf courses have extra water management just when you’re coming to play. 

Aaron: Exactly. I’ve given up a lot of balls.

00:40: Tell us about your journey at NetSPI and its transition over the years.

Nabil: Today we want to talk to you about various topics. Let’s start by learning more about you and NetSPI. Can you tell us about your journey here and the transition you’ve seen at NetSPI over the years? 

Aaron: It’s been an amazing journey. My background, even before NetSPI, was coming up through the technical ranks. That’s my experience and where I started earlier in my career in cybersecurity. I had some opportunities early in my career and ended up being one of the early team members at a place called FishNet Security, that ultimately became Optiv. I spent 14 years there—it was the foundation of my career. Before that, I did some independent consulting and other things. 

NetSPI had taken its first outside funding at the time, with an organization called Sunstone Partners. I had an opportunity to come in and work with the founders, and it’s gone fast, almost at 8 years.  

We’ve brought an amazing team together globally. When I came in, we were probably at 40 people. We’re now pushing 700, and just fortunate to work with some great customers.  

I mean we were with a great customer in Europe last weekend, a long-time customer, and just talking about business, but also enjoying time together.

So yeah, fun journey. I love having people like you on the team that are passionate about what they do. It just makes this all a lot of fun.

02:28: What would have been your prediction for NetSPI when you started?

Nabil: If I can take you back to when you started at NetSPI, can you share the ‘why’ behind why NetSPI was the right fit for you? And also, since we’re going to talk about predictions, what would have been your prediction for NetSPI back then? From there, we’ll transition to predictions for NetSPI going forward in 2025. 

Aaron: Early on, we had a thesis around what we felt was a market ripe for disruption. If you’re a customer who has been doing pentesting or assessments for a long time, you probably have a couple of concerns. One is that it’s very manual and arduous. You’re sifting through endless PDF documents, making it hard to take action on the results. The results can also be inconsistent, depending on the tester and the quality of the work. 

It starts with building the right team and ensuring you’re training them the right way. We quickly leaned into technology that already had a footprint, and they were already building technology when I came to NetSPI. There was a thesis that it just needed funding, time, and attention. We’ve come a long way from a small boutique, locally focused in Minneapolis-St. Paul, with some great anchor customers in financial services and a couple other areas, where small customers have expanded and we’ve served them in a much bigger way. 

Nabil: Five to eight years ago, maybe 10 years ago, I think of how pentesting was viewed in the industry, as well. We’ve also started to see a shift in the paradigm of how people are leveraging and utilizing pentesting.

I think as people get more mature, they’re evolving to a space where they treat pentesting almost as a gate or a litmus test to see how effective other things they have done in the past are, versus using it as the first way to detect problems.  

And as that maturity has happened, I think organizations also want more visibility and want to get closer to the pentesting process overall, which is why we’ve seen the evolution in technology where people don’t just want a traditional PDF report, but they want to be able to ingest pentesting as part of their normal life cycle and ecosystem through integrations, being able to onboard additional team members to get visibility and so on.  

So that journey has been really interesting to watch, and I’m actually a little surprised at how immature we were maybe five to eight years ago, even though pentesting has been around for such a long time. So that investment in technology, I think, is paying off dividends, and we’re seeing that with our customers who are eagerly adopting the technology as well. I’m curious, from your perspective, beyond the actual technology used to consume pentests, are there changes you’re seeing in terms of automation and trends for how pentesting is approached by different organizations? 

Aaron: If you think about it, the old school way of sitting down with us as a provider, sitting down with an enterprise, and they tell us what their attack surface or the scope is, and then, we go very specifically attack those things and tell them where their vulnerabilities are. It’s just not enough. We need to help them.  

One of the biggest issues we know is visibility and understanding what they have. It’s a massive problem. There’s all kinds of different CMDBs and asset configurations and data systems that help them understand what they have, and they are rarely tied together and connected. They just don’t have a cohesive view of what they have. So that’s the beginning of it. You look at the work we’ve done in acquiring Hubble to give our customers a CAASM functionality, or essentially internal ASM, just correlating, de-duplicating, and taking a ton of data feeds to help an enterprise understand what they have behind the firewall. External ASM, it’s been around a little longer, giving them a view of what they have from the outside. You want to start there with visibility.  

One of the themes I’ve heard so often talking with customers is, ‘enough already on the vulnerabilities. We don’t struggle to understand what they are.’ Of course in some cases, they do. We struggle with remediation, and not only the technical process of how you remediate and fix these things, but just the process of it overall. How you work with development teams to fix things, and how you educate them, and move things back further in the development life cycle.  

For us, it’s about getting proactive in the first place, helping our customers understand what they have, then understanding where there are flaws, which is essentially what a vulnerability is. There are flaws in software and hardware, and then helping them fix it faster. We’re just building technology and teams to do that. You kind of think about it in those simple terms, and that’s what seems to be resonating in our customer base. 

08:05: What are some trends you expect to continue into 2025?

Nabil: As a long-term veteran in the cyber space and coming from the technical to the leadership side, what are some trends you’re seeing that you expect to continue in 2025?  

Aaron: It’s interesting, and you’ve been in the industry a long time as well, so you see a lot of these themes replay themselves, doing it for over 20 years. It’s like, that’s exactly what we were talking about 15 years ago. 

Nabil: It’s just called something else now.  

Aaron: Yeah, some different terminology, but it’s the same general struggles, usually around visibility – that’s a really big one. Just understanding what’s there.

They’re overwhelmed from a staffing perspective, of finding qualified staff and talent in the shortage of cybersecurity experts that we have in the market. Those are some of the things we continue to see.  

Now in 2024, it was an interesting environment economically between inflation and rate pressure and all these different things. What we saw in our customer base was a real focus on efficiency. Looking at every line item from an accounts payable perspective, it’s like, what’s our security stack? Who are all the vendors that we are acquiring cybersecurity solutions from? And where are they adding value? And we need to measure that value. And of course, what they found was, in many cases, shelfware, things that weren’t even deployed, things that are spitting out a ton of alerts, but not having any action taken on them.  

So back to your question around thematically, where do we see things going? And again, this has been a theme for a long time, but consolidation certainly. Less of these point solutions that, by the way, are very difficult to administer and manage. If it takes you and an FTE or two or three to manage each of these solutions, they get a lot more expensive than the license cost of the solution, so the more they can bring more together and have the different point solutions learn from each other and give them kind of like outsized returns or returns that they wouldn’t have in point solutions, there’s a massive focus on that in the industry.

10:22: Can you share any guidance for security leaders deciding between a consolidated platform versus best-in-breed technology?

Nabil: What would you say to some of the security leaders out there who, when they see consolidation happening in the industry, they feel like they may not be getting the best-of-breed in everything. So if you decide to go with one vendor, and they try to provide a plethora of offerings, chances are, not all of them can be best-of-breed. Chances are, some of them are better than others. As expected, what type of messaging are you hearing over there, and what type of guidance do you have for security leaders? 

Aaron: It’s a fine line. One of the things for me that’s most rewarding leading the NetSPI organization is that we really do one thing. We’re very focused. We do one thing very, very well, and we’ve had opportunities to acquire in other spaces and to shift into other spaces, and it really becomes easy to be drawn to thinking we’ve got a certain revenue growth goal this year, let’s go create some new things, versus let’s continue to double down on what’s made this an amazing organization, delivering an incredible client experience, and just be the best in that.  

I think customers need to look very closely, because again, once a platform or organization gets too broad, by definition, it is no longer the best-of-breed and best-in-class.  

We feel like the solutions that we’ve brought together in our PTaaS, ASM, CAASM, BAS solutions all really make perfect sense, and they operate together under one common platform that delivers different outcomes for our customers that they wouldn’t have if they were acquiring those things separately as a standalone.  

But again, then it’s incumbent on us to look at each of those standalone vendors that may be best-in-class in their area and ensure we can match them on customer outcomes. Not features, necessarily, but the outcomes that they drive, that customers care about. 

Nabil: I think it’s a common trend we’ve seen in the industry, where there are often companies that grow just like you said, because they find a new revenue opportunity, so they make a bunch of acquisitions. But ultimately, the key that you mentioned, which is important for us to highlight, is all these solutions need to, at some point, work together, so they actually are more than their sum. So they’re giving you outcomes that are adding more value, maybe adding more business context, or helping you solve actual problems.  

But you can’t just buy new solutions and make that a new offering, unless you’re truly integrating and complementing each other. That’s been nice to see, and I know that we’re working towards that, which has been exciting for me to work towards. 

Aaron: Like I mentioned, coming up through the technical ranks, as technologists, we’re all really bad about finding cool technology or building cool technology, then going to look for a problem to solve. It’s a horrible idea. It never works, and we keep doing it. And I’m sure we’ll stub our toe on some of those things in the coming years. But some of the things, when we had our all-hands meeting with the entire company this morning, just reminding them how important focus is, and how important using customer stories and outcomes and requirements and pain points to drive everything we build is critical. It’s funny, you can really over complicate the process of innovation, or you can just double down and spend more time listening to customers.

12:10: How do you determine when you’ve found the right people for a job?

Nabil: You being a leader, you’re someone I look up to, you’ve been a great mentor to me. One piece of advice I’ve always meant to ask, and I never have, but this seems like the best opportunity to. 

Aaron: Is it about the golf game or something else? Because I don’t think you’ll take advice from me. I’ll take advice from you.  

Nabil: Well, golf game generally depends on the day. I think we’ve both seen our golf swings. Recently I heard a Tiktok that says true friends are ones that are still friends with you after they’ve played golf with you. So I’m glad we’re still connected in some way. But no, the thing that I really want to know from you is – you’ve been very successful in building a really large team of high performers, how do you determine when you found the right people for a job? 

Aaron: It’s tough, and there is nothing more important when you’re evaluating talent than understanding their ability to collaborate as a team and the culture fit that they have. I mean, you hear it over and over, we certainly do a lot of work, assessing technical talent and experience and where people have been. But ultimately it comes down to their fit in the culture, which ultimately leads to their ability to collaborate with their team members. And as we know, if you don’t have strong collaboration among teams and peers on an executive leadership team, forget it, game over. So that’s a huge piece of it is the culture fit. 

One of the things as we were building up the organization in 2017 and scaling it up to be much bigger than it was, and I’m hiring leaders. So being a leader of a leaders is a very different thing. I would tell them consistently, your number one job, the one thing that you cannot get wrong, there’s a lot of forgivable things and things you will get wrong, but bringing the right team together is the only thing that you need to focus on. Building the right team as a leader. We stub our toe. We have misses, and we work through those, and we adapt. But it’s building an incredible team, and one that when you try to define culture, and you talk to different people, and it’s kind of one of these ethereal things, like, what does it really mean?  

It’s the attitudes that we have with our coworkers, the culture that we have with our coworkers, our excitement and ability to collaborate, and energy. One of the things that I love that I consistently hear from our customers, especially in our customer advisory board, we meet with some of the top executives in the space, customers that we’ve worked with for a long time, and they’re like, yeah, we can feel your culture. We feel that. It doesn’t end in the perimeter of this organization, it extends out to our customers, and that’s why it leads to growth and where it gets exciting.

16:21: Can you share any advice for maintaining culture in a company? 

Nabil: Do you have any advice for other leaders in this space who are trying to, or maybe who are struggling to, maintain culture, given that they may be in hyper-growth mode, or growing too fast, or growing to a size where managing culture and making sure you’re embodying the culture makes it much more challenging? Maybe it’s for distribution reasons, maybe it’s for international locations that are new, different cultures to worry about. What advice would you give them? 

Aaron: Culture is a really hard thing to actually make tangible and define. But all it really ultimately is, is just a summation of all the people and their attitudes and energy, right? So I think the first is as a leader, especially if you’ve been doing it a little while, it’s like trusting your instinct.  

If you’ve made it to a leadership position, generally, you have some level of instinct on what’s right and wrong in behavior that you see among team members. And then moving really fast. And one of the things I think, as leaders, we’re terrible about is giving quick, concise, detailed feedback to people.  

People want feedback. If they’re off the rails on something, or they’re treating someone a way that they shouldn’t, whatever it is, we’re often way too slow to give actionable feedback to them. What I see talking to team members is they’re just hungry for it. They want people to tell them where they’re off, and they will correct course. One of the other things I see for up-and-coming leaders, and I tell people all the time, if you want the job, do the job. You’re not always going to get this crown handed to you and this big, massive promotion, until someone sees you actually actively doing it. So really what it comes down to in leadership is, if you see problems, go fix them. And that, turns out to be all we do every day is identify little tweaks and problems and find solutions for them.  

If you see something, bring a solution to the table. As a leader in the organization as well, how refreshing is it when people actually bring solutions. I see the problem, totally understand this proposed solution. Now, let’s just go do it. And I’ve just seen people’s careers accelerate really quickly when they just assumed the role and jumped in and did it, regardless of title or anything else. Title comes eventually. 

Nabil: One thing I really admire about you, and one of the reasons I love working at NetSPI, is that I see all the leaders that are here, and they all lead by example. And I think that has a true impact on the culture, because that’s how you get the culture top down, disseminated throughout the organization. Has there been a time in your career where you felt culture was really off and that caused you to course correct? And what was that? 

Aaron: Yeah, many, and that’s really what’s informed my thoughts around leading by example. For me, it started earlier in my National Guard career. You can see people in the military that are leading by fear versus leading through inspiration, and you quickly feel the difference if you’re someone that is on a team being led with those two methodologies.  

For me, I didn’t know any other better way to do it. I can’t imagine how, again, when we talk about solving challenges in organization, the first step is figuring out what the problems are, where the bodies are buried, and where the things are that you need to fix and optimize in an organization.  

I don’t know how a leader would identify those things, unless you’re on the factory floor, unless you’re chatting with the teams and grabbing dinners and lunches. We were in India. We were in Europe a couple weeks ago, just spending time with people. There’s no substitute for that. And then again, this whole, and I think it is a little bit of an old school executive leadership, ivory tower approach, that is pretty much dead these days. I can’t think of a single leader that I respect that is like this ivory tower. I mean, they’re leading by example. They’re leading with grit and determination and working incredibly hard every day, solving challenges, just like the technical teams do, just a different type of challenge they solve.

20:30: Where is AI headed today?

Nabil: Let’s shift gears a little bit, because no conversation today would be complete without talking about our favorite topic, artificial intelligence. So let’s start there. What are your thoughts on AI and where it’s headed today? 

Aaron: It’s fascinating. We’ve brought together a team working on a lot of different technology solutions, service offerings, a lot of different pieces, and I love my time with them. It is a very diverse skill set, a different type of skill set. When you look at this traditional cybersecurity engineer, pentester, I get that skill set. We’ve been hiring for that forever.  

You start thinking about data scientists and mathematicians and PhDs in math, people like this that we’re hiring, and I’m interfacing with, and I’ve learned a ton. I only know this much compared to some of those guys’ knowledge.  

I think the industry, and this has always been my approach as we build things. Being pragmatic is a big thing for me. Growing up in the Midwest, it’s just the way we think about business and the way we think about growth.  

I think there’s an opportunity for NetSPI to be very pragmatic in its approach. There is certainly a mix of – it’s marketing, some of it is really good technology, but there’s obviously a lot of focus on AI. Some of the solutions being built, I would say, are more efficacious than others. Some are very effective, and some are just pure marketing.  

So I think we need to very cautiously watch the industry and understand which of these AI technologies will be more long-lasting and more impactful in the long-term. And be cautious about not jumping in too early to certain technologies that may not be as meaningful in 18 or 24 months. But the reality is, as we work to deliver more continuously for our customers and at greater scale, again, you think about legacy, old-school pentesting.  

The only way that you can do that is through more technology, better leverage of technology, and this intersection of technology and talent of human capital, which we obviously have that combination.  

There will be times when AI solutions are appropriate and helpful, and there are times that it’s just plain software and technology. So we’re trying to be thoughtful in the approach, but we’re also building some really cool things that help our testers to work faster and smarter and make their lives a little better when they’re performing testing work. There’s other AI testing methodologies and offerings that are brand new in the industry. Nobody’s thought about at scale, how you can perform jailbreaking against LLMs. We will have that in our Platform and in a user self-service way. So there’s a lot of ways we’re thinking about it, but I think we also want to be cautious and pragmatic. 

Nabil: From my perspective, I acknowledge that the acceleration we’ve seen in adoption of AI is no different than, let’s say, when the internet first started, or the first industrial revolution, and how it not only changed the work humans do, but it changes how they do what they do. I think we’re at that cusp of that type of a shift that’s about to happen now. And we’re seeing it accelerate pretty quickly.  

The thing that I find often funny is that I think the naming artificial intelligence is actually a misnomer, because what we’re dealing with, if you call it intelligent, to me, it implies there’s some level of sentience there. And what we’re dealing with is still software. 

Aaron: For now.  

Nabil: Yeah, exactly for now. There’s software that is doing things that it’s been programmed to do. The difference is, it’s now learning and creating output based on significantly large volumes of data that it’s being trained on. And the other thing that fascinates me is people think this is new, just like we talked about how there are older things that just keep changing. People have been using machine learning for a really long time. Some common use cases are malware detection or spam protection, etc. They’ve been using LLMs for a really long time now.  

The limiting factor historically has been hardware, and now that hardware is getting faster, more powerful and affordable, we’re seeing this acceleration where AI is being more available to the general population, which is changing how we do things today.  

I’m just worried that people are rushing to adopt it, because there’s FOMO around, not being the tech company or not being the business that doesn’t leverage AI, because everybody else is doing it, and I’m starting to see cracks and gaps when it comes to doing the basics. A lot of organizations, I think, are missing the basics, such as data classification, data inventory, etc., but they’re adopting models and training models with that data, which clearly leaves a lot of gaps that need to be addressed. So from my perspective, that’s some areas that I’m seeing. I’m hoping we’ll be able to help all these organizations think more strategically and pragmatically about AI. 

Aaron: I agree. And the reality is, the adversary is absolutely leveraging it and will continue to accelerate, probably the quantity of attacks, the nature of the attacks. So at some level, it’s an important part of the strategy.  

Nabil: What a lot of people also don’t realize – you bring up a really good point – is adversaries have been leveraging it for a really long time. The models they were leveraging did not need the guardrails that the new models have; did not need as much computation power because they weren’t making it available to everybody else. They were only using it themselves, and they have now just gotten better at using this. So one of my predictions for 2025… 

Aaron: Yeah, what are yours?  

Nabil: One of my predictions is that I think we’re also going to start to see defensive AI solutions come up, and then you’re going to have both the adversarial AIs and the defensive AIs duel it out, and it’s going to basically be a race to see who can be ahead of who. And we’re probably going to see some transitions. Sometimes the adversarial one will be much better. Eventually, the defensive one will catch up. Sometimes the defensive one will be better, until the adversarial one comes up. And I think that will be an interesting trend to follow and watch to see what happens there.

27:08: How are practitioners and CISOs responding to AI today?  

Aaron: At a minimum, change is coming rapidly. And you think about how much has changed in the last two years, think about two, three years from now. So I think just watching closely. As you spend time with customers, I mean you’re on the road every week, probably multiple cities, talking with practitioners and CISOs and different people. How do you think they’re responding? How do you think their knowledge level is on what’s coming? 

Nabil: There’s huge misinformation, a huge gap in information and how people interpret what AI is capable of doing and what AI is not. I’ve been seeing a lot of trends where organizations are trying to solve problems with AI that don’t necessarily require an AI-based solution. If you’re trying to determine if a number is odd or even, sure, you could build an AI model that tells you if the number’s odd or even, but you probably don’t need to. You can just use div and mod and determine if it’s odd or even. That’s an obvious exaggeration, but that’s not too far away from where organizations are going. Oh, you have this AI-based solution for this problem that I’m trying to solve? Let’s use it. 

Aaron: We’ve had to guard ourselves against that as we’re building tech as well, I get it. 

Nabil: It’s going to be a challenge, because I think until there’s proper education around what AI’s true capabilities are, where do they excel and what is the appropriate place to leverage it, I think organizations are going to either burn a lot of cycles, burn a lot of cash, burn a lot of resources, trying to manage these solutions when it probably wasn’t necessary in business. 

There are also challenges around organizations that are simply acquiring AI models and training them on their data. So they’re not necessarily building their own models. They’re going to OpenAI, Gemini, Copilot, etc., and they’re adopting them and then trying to customize them to manage how they get behavior out of that software.  

The challenge you have there is many of those organizations are forgetting the basics of going to a SaaS-based software solution. And I don’t know why, but you know, if you were trying to deploy something in, let’s say, a cloud tenant, there are all these questions you would ask, like, how do you ensure my data is protected? How do you ensure that my data doesn’t get intermingled? Right? Vendor risk, third-party risk stuff.  

But when you ask them, hey, you’re buying this model, do you have an agreement in place that if the model breaks your data, that you’re protected? Often, the answer is, I don’t know. 

Aaron: And it’s probably happening from different business units that the team isn’t even aware of. 

Nabil: They’re signing up for these things, and they just don’t know what type of risk they’re accepting. Because there’s that lack of education of truly understanding what they’re buying. And that’s a big gap, I think. 

Aaron: And a board pushing them to innovate and move fast and do the AI thing, and the CISO behind the scenes who’s just like… 

Nabil: The CISO behind the scenes, assuming that they understand what they’re buying. Because often they may not have the right education or background to make those decisions. The trend we are seeing now is there’s all this focus on potentially organizations having a Chief AI Officer whose sole focus is on how they de-risk the usage of AI and how they manage it. Maybe in the future, it’s an AI Officer. We can call it an AI Risk Officer. 

Aaron: You could work yourself out a job as the Chief AI Officer.  

Nabil: Yeah, if you do your job well enough and get a model to train behind you, maybe you can work yourself out of a job. I mean, I have a business idea if you want to invest.  

Aaron: Yeah let’s do it. More time golfing is needed. Back to that theme. 

Nabil: Before we wrap up, that actually gave me a thought: I’m trying to be better at investing my money, so I’m curious what brand golf balls are using lately?  

Aaron: I’ve come back from the from the Pro Vs, man. I’m into the Kirklands. I feel good ripping them into the woods, into the water, wherever. I buy the refinished ones that are like 40 cents each. It’s a beauty. 

Nabil: Yeah, I love it. Well, Aaron, before we wrap up, are there any last thoughts?  

Aaron: No, I appreciate the time, and just love how this podcast is coming together and the viewership. It’s, it’s a lot of fun. And thanks for all the work you do.  

Nabil: Thank you. Thank you for being here.

Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence. If you want to be a guest or want to recommend someone, please reach out to us at podcast@netspi.com.