Armis’ Andrew Grealy on Left-of-Boom Threat Actor Intelligence episode artwork

EPISODE · Aug 26, 2025 · 28 MIN

Armis’ Andrew Grealy on Left-of-Boom Threat Actor Intelligence

from Ahead of the Breach · host Sprocket

What if you could predict which vulnerabilities threat actors will weaponize months before CISA adds them to their Known Exploited Vulnerabilities list? Andrew Grealy, Head of Armis Labs, has built exactly that capability, providing organizations with threat intelligence that arrives 3-12 months ahead of traditional indicators. His "left of boom" approach changes how security teams prioritize patches and allocate resources. But early warning is just the beginning, Andrew tells Casey. From mom and pop honeypots that catch nation-state actors to AI-powered supply chain attacks that slip malicious packages into enterprise applications, Andrew details how attackers are weaponizing the same AI tools that security teams use for defense. He also offers insights on the "triple threat" evolution of ransomware and practical frameworks for securing AI-generated code. Topics discussed: Building CVE early warning systems that identify threat actor targets 56% faster than CISA's Known Exploited Vulnerabilities list. Implementing "left of boom" intelligence collection through honeypots in mom and pop infrastructure. Moving beyond CVSS scores as risk indicators to prioritize patches based on actual threat actor behavior and CWE patterns. Deploying strategic security controls like WAFs to eliminate 28% of ESX server console attacks, reducing patch urgency and operational disruption. Understanding the "triple threat" ransomware evolution that combines traditional encryption with data exfiltration and AI-powered internal investigation for multiple revenue streams. Combating AI-accelerated supply chain attacks where 54% of coding assistants automatically introduce vulnerabilities into generated code. Preventing typosquatting attacks where threat actors create packages with similar name that AI tools recommend to infiltrate internal applications. Establishing approved package repositories with exact version matching and implementing coding checks throughout the development pipeline as countermeasures. Evaluating LLMs for security applications by testing with known answers first, then gradually increasing complexity to validate capabilities before deployment. Listen to more episodes:  Apple  Spotify  YouTube Website

What if you could predict which vulnerabilities threat actors will weaponize months before CISA adds them to their Known Exploited Vulnerabilities list? Andrew Grealy, Head of Armis Labs, has built exactly that capability, providing organizations with threat intelligence that arrives 3-12 months ahead of traditional indicators. His "left of boom" approach changes how security teams prioritize patches and allocate resources. But early warning is just the beginning, Andrew tells Casey. From mom and pop honeypots that catch nation-state actors to AI-powered supply chain attacks that slip malicious packages into enterprise applications, Andrew details how attackers are weaponizing the same AI tools that security teams use for defense. He also offers insights on the "triple threat" evolution of ransomware and practical frameworks for securing AI-generated code. Topics discussed: Building CVE early warning systems that identify threat actor targets 56% faster than CISA's Known Exploited Vulnerabilities list. Implementing "left of boom" intelligence collection through honeypots in mom and pop infrastructure. Moving beyond CVSS scores as risk indicators to prioritize patches based on actual threat actor behavior and CWE patterns. Deploying strategic security controls like WAFs to eliminate 28% of ESX server console attacks, reducing patch urgency and operational disruption. Understanding the "triple threat" ransomware evolution that combines traditional encryption with data exfiltration and AI-powered internal investigation for multiple revenue streams. Combating AI-accelerated supply chain attacks where 54% of coding assistants automatically introduce vulnerabilities into generated code. Preventing typosquatting attacks where threat actors create packages with similar name that AI tools recommend to infiltrate internal applications. Establishing approved package repositories with exact version matching and implementing coding checks throughout the development pipeline as countermeasures. Evaluating LLMs for security applications by testing with known answers first, then gradually increasing complexity to validate capabilities before deployment. Listen to more episodes:  Apple  Spotify  YouTube Website

NOW PLAYING

Armis’ Andrew Grealy on Left-of-Boom Threat Actor Intelligence

0:00 28:09

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

Frequently Asked Questions

How long is this episode of Ahead of the Breach?

This episode is 28 minutes long.

When was this Ahead of the Breach episode published?

This episode was published on August 26, 2025.

What is this episode about?

What if you could predict which vulnerabilities threat actors will weaponize months before CISA adds them to their Known Exploited Vulnerabilities list? Andrew Grealy, Head of Armis Labs, has built exactly that capability, providing organizations...

Can I download this Ahead of the Breach episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!