Let's Talk Security Testing

PODCAST · technology

Your hosts, cyber tech founders Ben Armstrong and Thomas Ballin, have been increasingly frustrated with security testing's archaic approach. So they set about solving the problems they encountered themselves and created the Cytix platform. In the same spirit, they're bottling these thoughts, experiences and anecdotes into honest and transparent 30-minute sessions to open up the discussions with you. Let's Talk Security Testing is a podcast to challenge norms in cyber security testing for industry thought leaders ready to take on a new approach.

  1. 34

    What the hell happened to PTaaS?

    In this episode of Let's Talk Security Testing, we revisit PTaaS (Pen Testing as a Service), a buzzword that never quite settled on a definition. Was it just pen testing with a portal? Continuous testing? Cheaper delivery? We break down what PTaaS was meant to be, how it evolved, and why it seems to have faded, without ever being clearly defined.

  2. 33

    Did Anthropic Just Solve AppSec?

    Anthropic recently announced a new code analysis capability that's sparked a lot of discussion across the AppSec community. In this episode of Let's Talk Security Testing, we break down what the announcement actually means for application security teams, and whether it represents real progress or just another wave of industry hype. We also dive into one of the hardest problems in security testing, business logic flaws, and discuss whether tools can realistically detect them. Finally, we play a game: build an AppSec programme with only $10, exploring the trade-offs security teams face when budgets are limited.

  3. 32

    The AppSec Reality Check with NCC Group

    AI is reshaping how software is built. But is it reshaping how it's secured? In this episode, we're joined by NCC Group to explore what's really happening across the AppSec landscape. From AI adoption in development workflows to the rise of AI-driven pentesting tools, we unpack what's progressing, and what's still marketing.

    We cover:
    - The reality of AI in modern development pipelines
    - The current maturity of AI-powered pentesting
    - How buyer expectations are shifting
    - Whether pentesting is evolving or simply being rebranded

    For CISOs, Heads of AppSec, and security leaders trying to make sense of the noise, this is the grounded perspective you need.

  4. 31

    The Reality of Agentic Application Security

    Agentic AI is the latest shift in application security, but how much of it is delivering real results? In this episode, we break down:
    - What "agentic" really means in AppSec
    - Where agentic workflows are genuinely adding value
    - The limits of automation, and where human expertise still leads
    - How enterprises are adopting it without overcommitting

    If you're trying to separate practical capability from future promise in AI-driven security, this one's for you!

  5. 30

    Is AI Pentesting Just DAST in Disguise?

    Everyone's talking about AI-powered pentesting, but is it actually useful, or just dressed-up DAST? In this episode, we dig into:
    - What AI tools really test (and what they miss)
    - Why they sometimes look better than they are
    - Hallucinations, pricing, and trust
    - How they compare to micro pen tests and manual reviews

    If you're trying to make sense of AI in security testing, this one's for you.

  6. 29

    Does CAB Still Belong in Modern DevSecOps?

    In Season 2, Episode 9, we ask a big question: does the Change Advisory Board (CAB) still have a place in today’s fast-moving DevSecOps world? Traditionally seen as a gatekeeper for risk, CABs are often accused of slowing things down, blocking innovation, and creating more process than value. But can AI shift the role of CAB from bottleneck to enabler? We explore what a modern, AI-assisted CAB could look like, and whether change governance can finally move at the speed of development.

  7. 28

    Is Vibe Coding a Developer Superpower or a Security Risk?

    In Season 2, Episode 8, we throw planning out the window and build a web app purely on vibes. No specs, no structure, just straight-up code. Then, we do what any responsible team would do... we try to hack it. In this live pen testing session, we explore what happens when code is written without rules, and whether security still holds up under pressure.

  8. 27

    Who Wins at Threat Modelling: AI or a Real Hacker?

    In Season 2, Episode 7, we put human intuition to the test against machine precision. As AI tools become more embedded in secure design workflows, we ask the big question: can AI threat model as well as a real human? We pit a seasoned pentester against our own AI tool in a live challenge, and the results might surprise you. 👉 Try the tool for yourself: https://www.cytix.io/change-analysis-tool

  9. 26

    Can AI Replace Pentesters?

    In Episode 6, Season 2, we unpack the explosive growth of AI and ask the critical question: could AI ever replace human pentesters? Subscribe to keep up to date with all new episodes, released every 2 weeks!

  10. 25

    Hack it or Track it: The Hunt for Cyber Vulnerabilities

    In Episode 5, Season 2, we dive into vulnerabilities and their detection methods, from automated scanners to human-led pen testing. Plus, we put our skills to the test in Hack it or Track it, where we break down real vulnerabilities, discussing how we'd exploit them and how we'd detect them before attackers do. Subscribe to keep up to date with all new episodes, released every 2 weeks!

  11. 24

    Micro Pen-Testing: When Less is More in Cybersecurity

    In episode 4, season 2, we explore the innovative world of Micro Pen-Tests, a targeted, bite-sized approach to security testing that stems from threat modelling and development changes. Subscribe to keep up to date with all new episodes, released every 2 weeks!

  12. 23

    Breaking Down Threat Modelling in Security Testing: A New Cybersecurity Essential

    In episode 3, season 2, we explore the power of Threat Modelling in security testing and how it helps organisations predict, identify, and mitigate cyber risks before they become real threats. Subscribe to keep up to date with all new episodes, released every 2 weeks!

  13. 22

    What Security Can Learn From Quality Control

    In episode 2, season 2 of Let's Talk Security Testing, we continue the conversation on the widely debated topic of 'what can security learn from quality control'. Subscribe to keep up to date with all new episodes, released every 2 weeks!

  14. 21

    Enhancing Pentesting Effectiveness with Jira Tickets

    In episode 1 of season 2, we explore techniques for using Jira tickets to enhance the effectiveness of your pentesting efforts, meaning you can threat model your change tickets and prioritise your testing strategy. Subscribe to keep up to date with all new episodes, released every 2 weeks!

  15. 20

    Vulnerability Deep Dive: Access Control Issues

    In the second of the Let's Talk Security Testing vulnerability deep dive episodes, Ben and Tom explore access control issues. They explore:
    - What access control issues are, with practical examples
    - How to identify access control issues
    - How to prevent, find and fix them

  16. 19

    Depth vs Coverage in Security Testing

    Has the cyber security industry been ... lying to us? Do scanners provide the coverage whilst penetration tests provide the depth? Ben and Tom peel back the lid on this narrative to see if this is really the case...

  17. 18

    Vulnerability Deep Dive: Business Logic Flaws

    In this first-of-its-type episode of Let's Talk Security Testing, Ben and Tom dive exclusively into one vulnerability class: business logic flaws. They discuss:
    - How business logic flaws are created
    - Where they're typically found
    - Why they're unique
    - Ways to optimise testing processes to find them more easily

  18. 17

    How to Build an Internal Security Testing Team

    Tom and Ben discuss:
    - Determining the need for an internal pentesting team
    - Setting up the team
    - Key processes that lead to success

  19. 16

    Where Do Vulnerabilities Come From?

    Ben and Tom discuss:
    - The 3 primary sources of vulnerability creation
    - A comparison of defensive cyber security approaches
    - Challenges of root cause analysis

  20. 15

    Why Context Matters In Security Testing

    Join Ben and Tom in discussing:
    - What do we mean by context in security testing?
    - The reality of context in security testing
    - Barriers to achieving context in security testing and how to overcome them

  21. 14

    How to Run an Enterprise Security Testing Programme

    Ben and Tom share strategy options, how this translates to operations and resourcing, and what output to expect from an enterprise testing programme.

  22. 13

    A Cyber Security Engineer and a Vendor Meet in A Podcast Studio...

    In episode 6 of Let's Talk Security Testing, we welcome our first guest to the studio, Senior Security Engineer, Christine Smoley. Tom and Christine have an honest conversation on the cyber security vendor landscape, how vendors can make things easier in the buying process, and shared experiences in dealing with challenges of coordinating a security testing team.

  23. 12

    The Role of LLMs in Security Testing

    In this episode of Let's Talk Security Testing we cover:
    - Why LLMs are popular across working teams in general
    - How this can be applied for security testing
    - Myth busting LLM capabilities and security concerns

  24. 11

    How To Scale A Security Testing Programme

    Tom and Ben break down what scalable really means, the practicalities this equates to, common challenges and tips & experiences on how to apply this yourself.

  25. 10

    Getting the Full Value Out of Human Security Testers

    Penetration tests are expensive and hugely important to a company's cyber security. We discuss ways to make sure tests are set up for success in the most effective and efficient way.

  26. 9

    Automated Security Testing - Benefits & Limitations

    Deep dive into the evolution of automated security testing, the scope of modern automated tests and their place in security testing programmes.

  27. 8

    The Need for Continuous Testing

    Tom and Ben unpick the pros and cons of the current security testing approaches, what is truly meant by continuous testing, and why this is perhaps the biggest missed trick in many companies' strategies.

  28. 7

    Real Cyber Talk With Saskia Coplans & Daniel Smart

    In this edition of REAL CYBER TALK, Thomas and Ben sit down with Saskia Coplans, Founder and Director of Digital Interruption, and Daniel Smart, Engineering Manager at Booking.com. What's one of the main things these two cyber security professionals have in common? OWASP Manchester! OWASP (Open Worldwide Application Security Project) is a worldwide community focused on improving the security of software. Saskia and Daniel join us from the Manchester chapter to share more on what OWASP is bringing to the Manchester cyber security community, and how you can get involved with an OWASP chapter near you. Tune in now! 🎙️

    #cytix #cyber #cybersecurity #securitytesting #OWASP

  29. 6

    Real Cyber Talk with Mike Koss

    In this edition of REAL CYBER TALK with Cytix, Thomas and Ben sit down with Mike Koss, CISO at RTGS.global. Mike draws on his wealth of experience in cyber security to discuss the geopolitics affecting the industry right now, the importance of anti-credential-stuffing solutions, and why phishing is still one of the top threats facing us today, among other thought-provoking topics. Tune in now! 🎙️

    #cytix #cyber #cybersecurity #securitytesting #continuousintegration

  30. 5

    Real Cyber Talk with James Bore

    In this episode of REAL CYBER TALK, Thomas and Ben sat down with James Bore: Cyber Security expert and managing director of Bores Group Ltd, a second-generation family company that has been operating in tech and security for 35 years. In this insightful episode, the group discuss threat modelling, the flawed logic behind CVEs and the importance of vulnerability management. James also sheds light on how to decipher what kinds of security testing businesses really need by developing a greater understanding of their business, how it works and the processes currently in place. Tune in now! 🎙️

  31. 4

    Real Cyber Talk with Matt Summers

    In this episode, Thomas and Ben sat down with Matt Summers, head of security at a Global 100 business with 27 years in the industry. The group share an insightful discussion around enterprise security, the evolution of the role of CISO and emerging technologies.

    #cytix #cyber #cybersecurity #securitytesting #continuousintegration #ai

  32. 3

    Real Cyber Talk with Andy Ash

    In this week's episode of REAL CYBER TALK, Tom and Ben sit down with Andy Ash. Andy is CISO at Netacea and brings with him to the conversation 25 years of IT experience and 10 years in cyber security. A fountain of knowledge and a part of Netacea since its inception, Andy sheds light on the phobias of AI, where AI is useful and where it is not, the role of market analysts in cyber security and Manchester's potential as a cyber security powerhouse. Tune in now! 🎙️

  33. 2

    Real Cyber Talk with Stuart Coulson

    Meet Stuart Coulson, a seasoned Cyber Ecosystem Project Manager at The University of Manchester with 20+ years of experience in the field. In the latest episode of REAL CYBER TALK, Stuart exposes the lies we tell ourselves in cybersecurity and spills the truth about industry buzzwords and how they could be harming your business. Tune in now! 🎙️

  34. 1

    Real Cyber Talk with Chris Hodson

    The Co-founders of Cytix, Ben and Thomas, discuss security for security companies with Chris Hodson, CSO of Cyberhaven. They touch on the challenges of balancing internal security with product development, the importance of having a CISO who can articulate the why behind security measures, and the need to align security practices with the expectations of large enterprise customers. They also discuss the difficulty of communicating security across different areas of the business and the importance of peer recommendations in separating valuable technology from marketing hype.


HOSTED BY

Ben Armstrong, Thomas Ballin
