Full Metal Packet

The Capital One Breach and the 1% Security Gap Nobody Fixed



Ross Young was inside Capital One when the 2019 breach happened, and he's breaking down what the headlines got wrong.

From WAF misconfigurations to AI-powered attacks moving at machine speed, this episode is a tactical masterclass for security leaders who want to stop wasting budget and start building real defences.

Ross Young is a former intelligence officer turned enterprise CISO. He was at Capital One during the 2019 breach, authored Cybersecurity's Dirty Secret: Why Most Budgets Go to Waste, and is now co-founder & CEO of Clear Capabilities, building AI agents to automate the parts of security that drain teams dry.

In this episode, Ross explains:

◼ The exact WAF misconfiguration that enabled the Capital One breach and why it's probably still hiding in your environment

◼ Why your security tools are likely only 40–72% effective, and how to calculate your true effective protection score

◼ Which security categories are largely security theater (DLP, third-party risk management) and where budget should actually go

◼ How AI is shifting the speed of attacks vs. defenses and what defenders must do right now to keep up

◼ Why AI agents need kill switches, audit trails, and rollback processes before they ever go live

Time Stamps

(00:00) Introduction: Ross Young's Path From Offense to CISO

(00:29) Inside the 2019 Capital One AWS Breach

(07:14) Evidence Every CISO Should Collect After a Breach

(08:26) The Swiss Cheese Firewall Problem

(11:17) Misaligned Incentives Between Developers and Security

(13:10) Risk Acceptance: The MRI Machine and the CFO's Math

(17:55) Murder Boards: Killing Underperforming Security Tools

(24:18) Why Vendor Choice Matters Less Than Configuration

(28:32) Where Security Budgets Should Actually Go

(32:39) AI Is Closing the Attacker-Defender Speed Gap

(36:25) Stopping Deepfakes and Phishing With Process, Not Tools

(43:51) AI Agents Are the New Phishing Target

(47:37) Building a Kill Switch for Rogue AI Agents

(51:51) Introducing the OWASP Threat and Safeguard Matrix

(58:50) One Thing Every CISO Should Fix This Week

(59:48) Ross's New Venture: Clear Capabilities

Connect with Ross Young on LinkedIn: https://www.linkedin.com/in/mrrossyoung/

Hosts ⬇️

Yegor Sak: https://www.linkedin.com/in/yegor-sak-725330b2/

Alex Paguis: https://www.linkedin.com/in/alex-paguis-53a21815/

Powered by Control D


Full Metal Packet, by Control D