Razorwire Cyber Security & InfoSec Insights

What happens when an AI model can find more vulnerabilities in a day than a red team could find in a year?
Welcome to Razorwire, the podcast where we share our take on the world of cybersecurity with direct, practical advice for professionals and business owners alike. I'm Jim and in this episode, I'm joined by Martin Voelk, penetration tester and AI red teamer, and Jonathan Care, lead analyst at KuppingerCole covering AI and cybersecurity.
Anthropic recently announced Mythos, a security-focused AI model reportedly capable of discovering vulnerabilities that have gone undetected for decades, including a 27-year-old bug in OpenBSD. But how much of this is genuine breakthrough and how much is marketing? This episode cuts through the hype and asks what Mythos actually means for the cybersecurity industry, from the arms race it signals between AI model providers to the competitive implications of restricting access to a small group of US-based companies.
The conversation goes well beyond Mythos itself, into the reality that AI-powered hacking at scale is already happening, that existing models have already been used to compromise government infrastructure, and that open source and non-Western alternatives are freely available to anyone who wants them. With 80% of code now being vibe coded with minimal security checks, jailbreaking tools available on the open web and CISOs unable to keep pace with the speed of adoption, the question isn't whether AI will change cybersecurity. It's whether the industry can adapt fast enough to survive what's already here.
Three key talking points:
The Mythos hype vs the reality of AI-powered hacking: Anthropic's announcement made headlines, but the capability to find and exploit vulnerabilities at scale already exists in models available to anyone. This episode asks whether Mythos is really the breakthrough it's been presented as, or whether the industry should be more concerned about what's already out there, including a recent attack on the Mexican government carried out entirely using standard AI models.
The competitive and geopolitical implications of restricted AI models: Mythos has been restricted to a small group of US-based companies, giving at least one major EDR vendor a significant edge over every competitor. But by announcing the capability publicly, Anthropic has effectively told the rest of the world it's possible to build. With Chinese, Russian and open source models already filling the gap, the question is whether restricting access to Western models actually contains anything at all.
Why security practitioners can't keep up and what comes next: The pace of AI development has outstripped the ability of security teams to keep up. Even full-time practitioners can't stay on top of the daily volume of new models, new vulnerabilities and new attack techniques. If the people doing this for a living are struggling, what chance does an SMB with a part-time security person have? And where does it end? Possibly with offensive and defensive AI agents fighting it out at scale, with humans increasingly on the sidelines.

Whether Mythos lives up to the hype or not, the arms race it signals is already underway. If you want to understand what that means for cybersecurity, this is the conversation to listen to.

On the implications of restricting AI security models:
“Anthropic may be doing this, but for those of us who are not lucky enough to be Anthropic's friend, other countries, other organisations are not so circumspect.”
Jonathan Care
Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen
In this episode, we covered the following topics:
Anthropic's Mythos Announcement Find out what Anthropic is claiming about Mythos, why it reportedly found a 27-year-old vulnerability in OpenBSD and why not everyone is convinced it's the breakthrough the headlines suggest.
AI-Powered Vulnerability Discovery at Scale Understand why the ability to find and exploit vulnerabilities at machine speed already exists and why Mythos may be less of a leap forward than it first appears.
The Mexican Government Hack Hear how standard, publicly available AI models were used to compromise multiple government entities and exfiltrate massive amounts of sensitive data over a matter of weeks, without any zero days involved.
Restricted Access and Competitive Advantage Explore why limiting Mythos to a handful of US-based companies raises questions about competitive fairness and what it means when one EDR vendor gets capabilities that nobody else has access to.
The Open Source and Non-Western Model Landscape Discover why restricting Western models may not contain much at all, with Chinese, Russian and uncensored open source alternatives already being used by security researchers and attackers worldwide.
Vibe Coding and Unchecked AI-Generated Code Find out why an estimated 80% of code is now vibe coded, why most of it isn't being properly tested and what that means for the attack surface organisations are unknowingly building.
Jailbreaking and Uncensored Models Learn why tools that can jailbreak frontier models on the fly are freely available on the open web and what that tells us about the limits of trying to restrict AI capability.
The CISO's Impossible Position Understand why CISOs are caught between an industry that's moving faster than they can govern and organisations that want to adopt AI regardless of whether the security is ready.
Keeping Up With the Pace of Change Explore why even full-time security practitioners are struggling to stay on top of the daily volume of new developments and what that means for organisations with fewer resources.
The Future: Agent vs Agent Hear why the near future of cybersecurity may look less like humans defending networks and more like offensive and defensive AI agents battling it out at scale, with practitioners increasingly in a supervisory role.

Resources Mentioned
Anthropic – Mythos/Project Glasswing
Mexican Government Cyberattack
GodMode AI / Pliny the Prompter (jailbreaking harness)
Hugging Face (uncensored models)
OpenClaw
DeepSeek (Chinese AI model)
KuppingerCole
SpartanX Technologies / SpartanX AI
Connect with your host James Rees
Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cyber security professionals who dedicate their careers to making a hacker’s life that much more difficult.
Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.
With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and professionals providing insights, news and fresh ideas on protecting your organisation from hackers.
For more information about us or if you have any questions you would like us to discuss email [email protected].
If you need consultation, visit www.razorthorn.com, We give our clients a personalised, integrated approach to information security, driven by our belief in quality and discretion.
LinkedIn: Razorthorn Security
YouTube: Razorthorn Security
TikTok: Razorwire Podcast
Instagram: Razorwire Podcast
Twitter: @RazorThornLTD
Website: www.razorthorn.com
All rights reserved. © Razorthorn Security

What happens when your organisation adopts AI faster than your security strategy can keep up?
Welcome to Razorwire, the podcast where we share our take on the world of cybersecurity with direct, practical advice for professionals and business owners alike. I'm Jim, and in this episode, I'm joined by Martin Voelk, penetration tester and AI red teamer, and Jonathan Care, lead analyst covering the intersection of AI, cybersecurity and identity.
We started out planning to talk about the rise of CTEM (Continuous Threat Exposure Management) and why traditional pentesting and vulnerability scanning can't keep up anymore. But the conversation quickly went further than that, into the real security risks of AI agents, prompt injection, vibe coding and the speed at which organisations are adopting AI without thinking about what happens when it goes wrong.
Martin shares examples from his red teaming work of how AI agents can be tricked into exfiltrating data and executing malicious code, Jonathan makes the case for why identity needs to become a first class attack surface in any CTEM programme; and all three of us end up genuinely concerned about what happens when CISOs are expected to govern technology that's moving faster than anyone can keep up with. This one ended up not going quite as planned, and it's all the better for it.
Three key talking points:
Why traditional security testing can't keep up with AI and agent-driven attacks: Annual pentests and periodic vulnerability scans were built for a world where things changed slowly. Martin and Jonathan explain why that model is no longer suitable when new AI vulnerabilities are emerging daily, most of them without a CVE number attached, and why CTEM as a continuous programme rather than a one-off exercise is becoming essential.
How prompt injection and invisible exploits are rewriting the rules of risk: Martin shares examples from his red teaming work where AI agents were tricked into exfiltrating data through a fake spellchecker and downloading malicious code disguised as a support tool. He and Jonathan discuss why prompt injections are so difficult to defend against, how they can be hidden in emails, PDFs, code and even voice, and why traditional security tools don't detect them.
What CISOs and tech leaders must face as responsibility and risk escalate: Organisations are adopting AI faster than security teams can govern it, and CISOs are caught between being seen as obstructionist if they slow things down or negligent if they let things through. Jonathan and Martin get into the legal grey areas around who's responsible when an AI agent causes harm and why the lack of clear legislation makes this even harder to navigate.

If your organisation is adopting AI and your security model hasn't changed to match, this is a conversation worth listening to.

On why traditional security testing no longer works:
“You have new releases and new technology popping up almost on a daily basis. And you have vulnerabilities popping up on a daily basis as well. The traditional model we have in place with regular penetration testing, once every three months, once every year, that doesn't cut it anymore.”
Martin Voelk
Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen
In this episode, we covered the following topics:
The Acceleration of AI Adoption Find out why organisations are pushing AI adoption at a pace that's leaving security teams behind and why the pressure from upper management to automate is creating serious blind spots.
Continuous Threat Exposure Management (CTEM) Evolution Learn why CTEM is a programme not a product, how it differs from traditional vulnerability management and why it focuses on what an attacker can actually exploit right now rather than theoretical CVE scores.
Limitations of Traditional Security Testing Understand why annual pentests and periodic vulnerability scans were built for a different era and why they can't keep up with a landscape where new AI vulnerabilities emerge daily.
The Changing Nature of Exploits Discover why many of the attacks hitting AI systems don't have a CVE associated with them at all, and why the traditional model of scoring and prioritising vulnerabilities is falling short.
Prompt Injection Risks Learn how prompt injections work, why they can be embedded in almost anything from emails and PDFs to code comments and voice, and why they're so difficult to defend against compared to traditional injection attacks.
Agentic AI and Chained Attacks Find out why compromising a single AI agent in an orchestrated system can have a knock-on effect across the entire ecosystem, and why the blast radius is far greater than with traditional vulnerabilities.
Visibility and Explainability Understand why maintaining oversight of AI systems matters, why security teams risk rubber-stamping AI-driven decisions they don't fully understand and why explainability is becoming a critical requirement.
Supply Chain and Third-Party AI Concerns Explore how the use of open source models, third-party AI agents and tools like OpenClaw is exposing organisations to indirect vulnerabilities they may not even know about.
Identity as the New Attack Surface Learn why misconfigured identities, over-privileged service accounts and weak authentication between AI agents are becoming primary targets, and why CTEM programmes need to treat identity as a first class concern.
Regulatory and Legal Accountability Find out why jurisdictions are still divided on who's responsible when an AI agent causes harm, from the Air Canada chatbot ruling to the question of what accountability looks like when AI is making autonomous decisions.

Resources Mentioned
Gartner
OpenClaw
PCI DSS
Tenable
Nessus
Anthropic
Claude
Claude Secure Code
Groq
Air Canada - AI Lawsuit
Engineering Council of Great Britain
11 Labs
Voicebox
SpartanX Technologies
SpartanX AI
Mexican Government Cyberattack
Connect with your host James Rees
Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cyber security professionals who dedicate their careers to making a hacker’s life that much more difficult.
Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.
With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and professionals providing insights, news and fresh ideas on protecting your organisation from hackers.
For more information about us or if you have any questions you would like us to discuss email [email protected].
If you need consultation, visit www.razorthorn.com, We give our clients a personalised, integrated approach to information security, driven by our belief in quality and discretion.
LinkedIn: Razorthorn Security
YouTube:

Are you ready for the cybersecurity incident that could bring your business to a standstill?
On this episode of Razorwire, I sit down with Marius Poskus, a CISO and vCISO, to tackle one of the most crucial yet overlooked aspects of information security: incident response. Whether you’re leading a cyber team, supporting your board, or simply keen to sharpen your readiness, we dig into what happens when your best defences fail and chaos strikes.

We talk about what actually happens when an incident hits and why polished policies on their own aren't enough. From the practical realities CISOs face at the sharp end of an incident, through the pitfalls of security theatre, to the importance of clear communications and building resilience, we get into the lessons the playbooks often miss. Marius and I talk through wargaming, learning from unexpected scenarios and how to empower teams to make tough decisions on the fly.

Key talking points:
Wargaming the Unthinkable:
What happens when your CEO dies? When your entire C-suite is on a plane for six hours and unreachable? When someone poisons the fish at a team dinner? Jim and Marius talk about why the most valuable wargaming exercises aren't the predictable ones. Testing unusual, uncomfortable scenarios is what exposes the single points of failure nobody thought about and builds the kind of muscle memory that no written policy can replace.
Decision-making Authority in Crisis:
One of Marius's contacts had a major ransomware incident and needed to hire 200 people within hours. The biggest problem wasn't the attack itself, it was getting budget approved and contracts signed fast enough. Learn why pre-agreed access to emergency funds, signing authority and the ability to bypass normal procurement processes can be the difference between a swift response and days of lost time.
Security Theatre and Why It Falls Apart Under Pressure:
Marius has been making waves on LinkedIn talking about companies that want the appearance of security rather than the real thing. In this episode, he and Jim get into why polished policies that have never been tested crumble the moment a real incident hits, how to tell the difference between genuine preparedness and box-ticking and what it actually takes to build an incident response capability that works when it matters.
Listen and step inside the mindset every cybersecurity professional needs before the worst happens.
On testing your plan:
"You never want to run through an incident response scenario first time when the real thing happens."
Marius Poskus

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:
The Importance of Incident Response Find out why incident response is still one of the most neglected areas of security, how to get organisational buy-in for proper preparation and what happens when the first time you test your plan is during the real thing.
Security Theatre vs. Real Preparedness Learn how focusing on the appearance of security rather than genuine preparedness leaves organisations vulnerable when a real incident hits, and what it takes to build real readiness through testing and practice.
Practical Testing and Muscle Memory Discover why written policies aren't enough on their own and how regular testing and tabletop exercises help teams build the confidence to act effectively under pressure.
Authority and Decision-Making During Events Learn how to set up clear escalation paths and decision-making authority before an incident happens, including access to emergency funds and the ability to hire specialist support at short notice.
C-Suite Engagement and Support Find out how senior executives can best support their security teams during an incident, from trusting CISOs to lead the response to providing practical help like food, hotel rooms and team rotations.
Communication and PR During Incidents Explore how thoughtful, transparent communication can protect reputation and rebuild trust after a breach, and why generic "we take security seriously" messaging does more harm than good.
Resilience and Recovery Strategies Learn how to maintain business operations while an incident is unfolding, from planned team rotations and post-breach customer support to quantifying downtime for the board.
Wargaming and Scenario Thinking Find out why testing unusual scenarios, not just technical failures, helps organisations expose single points of failure and prepare for real-world unpredictability.
Critical Thinking and Cybersecurity Career Skills Discover why curiosity, initiative and adaptability matter more than following prescribed instructions, both for handling incidents and for building a career in cybersecurity.
Learning from Mistakes and History Explore how drawing on real historical events and shared industry experiences equips professionals to handle crisis situations, make tough decisions and build personal resilience.

Resources Mentioned
SolarWinds
Cited as a high-impact security incident affecting third parties and requiring significant communication. https://www.solarwinds.com/
Professor Messer
Cited as a free educational resource for CompTIA courses.
https://www.professormesser.com/
Network Chuck
Mentioned as a well-known YouTuber focused on networking tutorials and resources.
https://www.youtube.com/c/NetworkChuck
CompTIA
Reference to a popular provider of IT and cybersecurity certifications.
https://www.comptia.org/
Y2K (Year 2000 problem)
Discussed as a past example of widespread incident response planning.
https://en.wikipedia.org/wiki/Year_2000_problem
Changi Jail
Historical site referenced during a discussion of resilience and decision-making under pressure.
https://en.wikipedia.org/wiki/Changi_Prison
Rorke’s Drift
Brought up as a historical account to learn about resilience.
https://en.wikipedia.org/wiki/Battle_of_Rorke%27s_Drift
Apollo 13 (“Houston, we have a problem”)
Referenced as an example of problem solving under extreme pressure with limited resources.
https://en.wikipedia.org/wiki/Apollo_13
US Military zombie apocalypse wargaming
Referenced as an example of creative scenario planning for incident response.
https://en.wikipedia.org/wiki/CONOP_8888
The Y-Files
Referenced as a source of conspiracy theories and unusual scenarios Jim enjoys.
https://www.youtube.com/@TheYFiles

Connect with your host James Rees

Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cyber security professionals who dedicate their careers to making a hacker’s life that much more difficult.
Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.
With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and...