
Sign up to save your podcasts
Or


JJ of Gecko Security and former Disney and Costco CISO Ryan Knisley on why AppSec needs an AI security engineer, not another scanner.
Description
AppSec has been stuck for years, drowning teams in noisy findings that never told them what was actually exploitable. JJ, co-founder and CEO of Gecko Security, and Ryan Knisley, former CISO at Disney and Costco, join Resilient Cyber to talk about what changes when an AI security engineer reasons across code, infrastructure, and design docs at once.
We get into why business logic breaks traditional SAST, why attackers think in graphs while defenders think in lists, why MTTR is a broken metric, how Cal.com went closed source in the AI era, and where AI-driven AppSec consolidation lands over the next two years.
Key takeaways
Chapters
00:00 Meet JJ and Ryan
02:46 Why Gecko is an AI security engineer, not another scanner
05:07 The trend of agentic and headless security tools
05:53 Why business logic breaks traditional SAST
06:27 The no-auth endpoint example and context outside the code
09:06 Attackers think in graphs, defenders think in lists
11:02 Commoditized exploit dev and the internet as one bug bounty
13:55 Shift left and why MTTR is a broken metric
15:07 Eliminating entire classes of vulnerabilities
15:51 Recurrence rate and avoiding risky refactors
18:22 The Cal.com case study and open source going closed
20:48 Consolidation and the shiny object problem in security
22:40 Where AI-driven AppSec lands in two years
27:12 What it takes to trust an AI security engineer
28:57 Where to find Gecko and the Black Hat talk
By Chris Hughes4.9
1616 ratings
JJ of Gecko Security and former Disney and Costco CISO Ryan Knisley on why AppSec needs an AI security engineer, not another scanner.
Description
AppSec has been stuck for years, drowning teams in noisy findings that never told them what was actually exploitable. JJ, co-founder and CEO of Gecko Security, and Ryan Knisley, former CISO at Disney and Costco, join Resilient Cyber to talk about what changes when an AI security engineer reasons across code, infrastructure, and design docs at once.
We get into why business logic breaks traditional SAST, why attackers think in graphs while defenders think in lists, why MTTR is a broken metric, how Cal.com went closed source in the AI era, and where AI-driven AppSec consolidation lands over the next two years.
Key takeaways
Chapters
00:00 Meet JJ and Ryan
02:46 Why Gecko is an AI security engineer, not another scanner
05:07 The trend of agentic and headless security tools
05:53 Why business logic breaks traditional SAST
06:27 The no-auth endpoint example and context outside the code
09:06 Attackers think in graphs, defenders think in lists
11:02 Commoditized exploit dev and the internet as one bug bounty
13:55 Shift left and why MTTR is a broken metric
15:07 Eliminating entire classes of vulnerabilities
15:51 Recurrence rate and avoiding risky refactors
18:22 The Cal.com case study and open source going closed
20:48 Consolidation and the shiny object problem in security
22:40 Where AI-driven AppSec lands in two years
27:12 What it takes to trust an AI security engineer
28:57 Where to find Gecko and the Black Hat talk

375 Listeners

83 Listeners

648 Listeners

1,030 Listeners

57 Listeners

136 Listeners

5 Listeners