Exploited: The Cyber Truth

Can Companies Actually Get Ahead of Zero Days? Skeptics Talk



In this episode of Exploited: The Cyber Truth, host Paul Ducklin dives into one of cybersecurity’s most persistent questions: Can companies actually get ahead of zero-day vulnerabilities—or are we all just chasing shadows?

Joining the conversation are Steve Barriault, VP of Sales & Solutions Engineering North America, Japan and Korea at TrustInSoft, and Joe Saunders, Founder and CEO of RunSafe Security. Together, they bring two distinct but complementary strategies to the table: code-level certainty and runtime protection.

Steve outlines how formal methods and mathematical analysis—long used in safety-critical sectors like avionics—can reduce exploitable bugs to near-zero before code ever ships. Joe shares how runtime defenses like memory layout randomization offer critical safeguards for systems that can’t be patched, such as those in legacy infrastructure.

We explore the growing complexity of the software supply chain, why embedded devices pose a uniquely difficult challenge, and how new regulations are forcing companies to think differently about software assurance and liability.

In this episode:

  • Why zero days remain so hard to prevent and detect
  • How formal verification can help eliminate vulnerabilities
  • What makes embedded systems especially vulnerable to zero-day exploitation
  • When patching isn’t possible, what protection strategies still work
  • How upcoming regulations like the EU Cyber Resilience Act are changing the game
  • What a multi-layered defense actually looks like in practice

Whether you're a CISO, security engineer, or software leader, this episode offers a frank look at what it really takes to stay ahead of invisible threats.


Exploited: The Cyber Truth, by RunSafe Security