Are autonomous AI agents operating unchecked in your enterprise? With the release of open source frameworks like OpenClaw, deploying an AI agent is now as simple as texting, but it comes with massive, unprecedented security risks.
In this episode, Ashish and Caleb sit down with Sounil Yu, CTO and Co-Founder of Knostic (and creator of the Cyber Defense Matrix), to discuss the other side of agentic AI. Sounil explains how OpenClaw dangerously violates Meta's "Agent Rule of Two" by blindly processing untrustworthy inputs while maintaining full access to change system states. We discuss why prompt injection is actually a "red herring" compared to the real threat: emergent behavior, where an agent might decide to delete your hard drive just to accomplish a poorly defined task.
We also explore the shift from human coders to autonomous coding agents (like Claude Code and Cursor) that are actively building better versions of themselves. Learn why traditional Markdown documentation is now dangerous "executable code," why AI agents will persistently try to escape sandboxes, and how to build consistent security "scaffolding" across your developer environments.
Questions asked:
00:00 Introduction
02:50 Sounil Yu’s Background: Bank of America, Cyber Defense Matrix, and Knostic
04:00 What is OpenClaw? The Reality of Autonomous AI Agents
08:30 Default Config Risks: Why OpenClaw is Insecure by Default
09:20 Violating Meta's "Agent Rule of Two"
11:00 Why Prompt Injection is a Red Herring Compared to Emergent Behavior
13:30 Google's Code Mender: Autonomous Patching and Unit Testing
19:30 Detecting OpenClaw in the Enterprise (OpenClaw Discover)
20:30 The 3 Tiers of AI Adoption: Pedestrian, Augmented, and Native
29:20 The Shift from Verification to Validation
36:20 Coding Agents Building Better Versions of Themselves
41:50 Building Security "Scaffolding" for AI Developers
48:30 OpenClaw Alternatives: Null Claw and Zero Claw
49:50 Why Markdown Documentation is Now Executable Code
56:20 The Persistent Agent: Why AI Intentionally Escapes Sandboxes
01:00:00 Why Google is Blocking OpenClaw on Paid Accounts
Sounil Yu: [00:00:00] If it believes that one of the ways to accomplish that task is to delete your hard drive, well, it'll go and do exactly that.
Caleb Sima: It was like a forum with no humans allowed and you would go read what all of these hundreds of thousands of AI bots would say to each other about humans.
Ashish Rajan: I mean, I guess we've always scared everyone.
Sounil Yu: Now it pulled down a text-to-speech software, used that to then call the restaurant and book the reservation. It finds a way. When you put it into a sandbox, it will find a way to turn off that sandbox and escape the sandbox.
Ashish Rajan: Shouldn't this work both ways? Isn't that good for defenders as well?
Sounil Yu: We now have a coding agent building a better version of itself.
99.9% of the code that's being generated is by Claude Code itself.
Ashish Rajan: The game with agentic AI completely changed with the announcement and release of something called OpenClaw, a free open source software, which made autonomous agentic AI as simple as texting an agent to do actions. Now, there were a lot of controversies around the security aspect of it.
What do CISOs and cybersecurity people do for more of these agentic AI security surfaces coming in? And for this [00:01:00] conversation I had Sounil Yu, who is the CTO of a company called Knostic, who was kind enough to spend some time talking about how they see this. They have an open source project on identifying OpenClaw presence in your environment.
Where are we going with this particular field as more security capabilities can be done with AI agents? Are we moving towards a world where, as I like to call it, fast fashion of AI agents? All done a lot more in this episode of AI Security Podcast. And if you know someone who is specifically looking at agentic AI, OpenClaw and some of these capabilities, how do you detect them?
How do you identify a scaffolding around this that you should build in your organization? Definitely share this episode with them. And as always, if you are tuning into the episode of AI Security Podcast for a second or third time and have been finding it valuable, I really appreciate it if you take a quick second to drop this follow or subscribe button, no matter which platform you're listening or watching this one on, whether it's Apple, Spotify, LinkedIn, YouTube; we are on all podcast platforms.
I hope you enjoy this episode. I'll talk to you soon. Peace. Hello and welcome to another episode of AI Security Podcast. Today we have Sounil Yu. Hey Matt, thanks for coming on the show.
Sounil Yu: Yeah, thanks for having me.
Ashish Rajan: First of all, I wanna say congrats [00:02:00] on, uh, your company, Knostic, winning the Munich Cyber Night event where I was a judge and you were one of the pitches. Great job on doing that.
But I think as part of that, I wanted to at least have this conversation because last episode Caleb and I were talking about how Claude Code security announcement kinda shook the cybersecurity internet, I wanna say the internet, but I guess our internet of cyber security,
Sounil Yu: or at least all the SaaS providers of cybersecurity.
Yes.
Ashish Rajan: Yeah. That's all the SaaS providers. Cybersecurity. I wanted to get into some of the things that we were talking about, which led down the path of OpenClaw. Mm-hmm. Uh, I would love for you to first give an introduction about yourself before I just get excited and dive into this. Can people get to know who Sounil Yu is first?
Sounil Yu: Yeah, sure. So I'm a 35, almost a year veteran in cybersecurity. I've been in, uh,
Ashish Rajan: you were saying you were 35. I'm like, dude.
Sounil Yu: Oh, I wish. Oh my goodness. Yeah. Or, you know, actually, I'm sure we'll look back in the days like 2026, like five years from now, we'll look back at 2026 and say, wow, those were simpler times.
Um,
Caleb Sima: so yeah, that's kind of depressing.
Sounil Yu: It is. [00:03:00]
Caleb Sima: Thanks, Sounil. Bring, bring it, bring us down.
Sounil Yu: Well, I mean, you know, I look at my 35-year-old-day self, I'm like, well, those are simplifi. Focus, focus, focus. Sorry.
Caleb Sima: Fun days.
Ashish Rajan: Okay.
Sounil Yu: Yes. You can get
Ashish Rajan: excited. So tell us about who.
Sounil Yu: Yeah, so anyway, I, I, I've, uh, had a long history in cybersecurity.
I've been, uh, chief scientist over at Bank of America. Uh, I'm, I'm the creator of a couple of things like the Cyber Defense Matrix, which some people may know. Um, and, uh, more recently, I, I, uh, am a co-founder of Knostic, alongside my, my co-founder, uh, Gadi Evron, and there we focus on securing coding agents.
Ashish Rajan: Awesome. And I guess to set the scene, um, because you, the, a lot of the conversations you and I had around, um, at least Munich was around AI code security.
Sounil Yu: Mm-hmm.
Ashish Rajan: What does it look like from an AI perspective? But OpenClaw has been top of news for a lot of people. So maybe just to set some context, I'll be surprised if people who have been listening to the AI Security Podcast do not know about it.
But in case there are a few, uh, how would you describe [00:04:00] OpenClaw and why was it so earth shattering for the cybersecurity world or maybe in tech world in general?
Sounil Yu: Yeah, let's start with the tech world in general. Yeah. I think, um, uh, the, the basic, uh, assertion that Peter, the creator makes for OpenClaw, it's something that it's, it's an agent that does things right, and I think a lot of us have wanted something like this, whether it's Alexa or Siri, or, um.
Hold on, let me turn off Siri, my phone,
Ashish Rajan: or Google, as in,
Sounil Yu: Hey, Google. Yeah, yeah. It's, Hey Google. It doesn't matter.
Caleb Sima: You know, Siri doesn't work anyway, so you can see
Sounil Yu: it. Exactly. That's right.
Caleb Sima: Making
Ashish Rajan: jabs already, man.
Sounil Yu: And, and here's the problem, right? It doesn't actually do anything, whereas OpenClaw actually does things for you.
And I think that's the fundamental difference. 'cause we, we, I think we all want such an assistant that does stuff for you. Um, but of course it opens up a whole can of worms around the dangers it has. 'cause now you're giving a fully autonom, you're, you're giving, uh, this system, uh, fully autonomous access to your life.[00:05:00]
And that's both exciting and scary, uh, scary for the security people. Exciting for pretty much everyone, everyone else in the world. The 1.5 billion, not million, I think 1.5 million people who've installed OpenClaw and uh, and have started putting it to use.
Ashish Rajan: Wait, but then why specifically about cybersecurity?
'cause there's a, I guess it was an interesting wave to see. First OpenClaw gets announced, then there's a wave of security people going, actually this is a bad idea. People, we should not use this. And a lot of enterprises stopped it, unfortunately, because of that, there's a whole, uh, repercussion for Claude Cowork as well.
Yeah. But what was the security things?
Caleb Sima: If I could add one thing on the OpenClaw, you know, just to let you know, it's effectively giving AI full access to your system. Right? So it's like Claude Code.
Ashish Rajan: Yeah.
Caleb Sima: But wrapped in a, uh, in sort of a, you know, assistant personality, uh, aspect that you can
Ashish Rajan: text to,
Caleb Sima: that you can, then you connect it to WhatsApp, telegram, whatever your messaging is.
It can respond [00:06:00] to other people. It can run every system, run every window, open up browsers, browse webpages. So people really use it like an AI assistant. And it says, book me, you know, dinner reservations. It will go and do probably a bad job at it, but it will still go and try.
Sounil Yu: Oh, actually not, not that it does a bad job.
In fact, I, um, there's this one particular story where someone directed it to try to do, uh, make reservations using OpenTable. And so it tried to work the API, it, uh, failed at working with the API, and so it pulled down a text-to-speech software and used that to then call the restaurant and book the reservation.
Okay.
Caleb Sima: See yeah. This is what it can do. It's very powerful.
Sounil Yu: Yes. So it finds a way, right? Um, it, it finds a way to get stuff done. And sometimes the way that you want it to get done, uh, may not necessarily be what you expect.
Caleb Sima: And, and the other big factor of this is the author of that also created a message community forum.
Sounil Yu: [00:07:00] Hmm.
Caleb Sima: For OpenClaw bots. That they could go read and then post whatever quote unquote thoughts that AI agent had at the time, which went on fire. 'cause you could basically, it was like a forum with no humans allowed, quote unquote. And you would go read what all of these hundreds of thousands of AI bots would say to each other about humans and their tasks, which got, that's the sum up of what this thing is.
So now you can, when you say security, you, you're already like in the back of your head, like, okay,
Ashish Rajan: I mean, I only scared everyone now, but with all the description of what it can do, just. Call open table, uh, restaurants and stuff.
Sounil Yu: I was gonna say, I mean, I think one of the, um, sad state of affairs though is that if it actually had a lot of, uh, security boundaries, it probably wouldn't be as successful as it as it did get, right?
Yeah. In fact, one would argue that if, with some of the security boundaries that we're trying to put on, it would essentially undermine ability to do a lot of the, um, to have the kind of creativity that we're starting to see with OpenClaw. Uh, and so I think in some respects, the fact that [00:08:00] it had very few security, uh, controls around it initially, uh, is, is a contributor to its success.
Now as we discovered that, um, that's causing some problems. You know, we're starting to put some of these security, security controls in. But let, let's just be clear. When, uh, Peter first rolled out OpenClaw, it was actually, uh, insecure by default. And one, and one of the most insecure aspects of it is simply the default installation leaves the, the controller interface available for anyone in the pub, you know, for anyone on the internet to hit it.
So you have to take deliberate steps to avoid, uh, exposing that to the open internet.
Caleb Sima: So, which, which brings up a good question, Sounil. Like when we think about security of something like OpenClaw, you brought up what, what I would call as a default, you know, config security risk. Mm-hmm. This, their admin port, quote unquote, was open to the public.
This is your default standard problem you see everywhere. Same as leaving your default password, admin, admin, admin, uh, this app. What else do you think? Is really the top risks of OpenClaw [00:09:00] at the end of the day.
Sounil Yu: Um, well, at some level it is you again, it's violating what's called the Agent Rule of Two. Uh, or the, it's from Meta.
Meta, uh, released something called the Agent Rule of Two. And there are three conditions: giving it, um, access to sensitive data, allowing it to, uh, process untrustworthy input, and the ability to communicate externally or change state. Okay. So those are the three conditions. And essentially, OpenClaw by default has all three, which puts it squarely in the, what's called the danger zone, where it's able to, if it's processing untrustworthy input, like for example, example input from, uh, notebook or these, this, uh, skills hub that anybody can contribute to, then you're, you have, you're giving, uh, an outsider the ability to control your claw bot.
Okay. And then if your claw bot also has access to your personal email, your, your whole computer, okay. And then it can, uh, act on that changing state or communicate externally. Uh, you, you violated the [00:10:00] agent rule of two, you've entered into the lethal trifecta that Simon Willison talks about, and the, your personal life, uh, is now exposed to an attacker.
Um, and so I think I just, the personal risk is, is of great concern. But again, you know, I think people are finding ways to get around that or to, or rather to, uh, to properly sandbox that so that you, uh, don't expose all that. But the more you sandbox it, again, the more you cripple the capability of this amazing agent.
Caleb Sima: If I could, maybe challenge a bit on this. Do you think that the only real problem with OpenClaw is actually just straight up prompt injection? And that's the problem. The fact that you could download a skill that prompt injects it, or it, you know, reads a website or a message that prompt injects it, and that's the real problem.
And if you removed or somehow mediated that issue, actually OpenClaw as a product would absolutely be fine.
Sounil Yu: Uh, no, not at all. In fact, I think in many ways I, I see prompt injection [00:11:00] really as a, um, uh, one of many, a red herring of sorts. It's one of many, and certainly one that gets a lot of attention. But, uh, using the example I said earlier around, um, the OpenTable reservation, you're giving an agent, uh, a task.
And a lot of times we don't really define that task well. That task that we give it, uh, we're giving it open-ended sort of a path to accomplish that task. But if that task includes, well, if it believes that one of the ways to accomplish that task is to delete your hard drive, well it'll go and do exactly that.
And we're seeing those sort of, sort of like, yeah, head scratcher type of behaviors from these coding agents as well as tools like, uh, OpenClaw. And, uh, that's, I think the bigger, that's the concern that I would point to. You give it a task and because it's undefined, it will find a way to get that task done.
And sometimes, again, the outcome of that task or the how of that task may not be something that you,
Caleb Sima: or the effects of its [00:12:00] execution in that tasks have farther ripple effects that you, that were not intended.
Sounil Yu: Yeah. And we're seeing that actually in the context of that ecosystem that's being created around, uh, all these OpenClaw bots that are running around.
It's, it's really an emergent behavior, which is entirely unforeseeable. We'll see, well, we'll fi we'll discover over time what's gonna happen with, uh, all these, uh, agents running amok without clear direction or clear, uh, guardrails. And so the emergent behavior is something that we're, we're, we're. It is still to be seen.
Ashish Rajan: Hmm. Would you, would you guys say that, shouldn't this work both ways? Like the, as much as you want it to be, like, obviously we're thinking about the hacking scenarios where it may go or it may go and delete a hard drive. On the flip of it, isn't that good for defenders as well? Like if, how many times do I get a, I don't know, a cloud alert or a, uh, SQL injection that I've found in code?
I have no idea how to resolve, but if there is, quote unquote, this OpenClaw agent that is gonna figure [00:13:00] out somehow, uh, if I have designed a workflow for it, like, with guardrails. Isn't there a flip to it as well? The yin to my yang, for lack of a better word, um, that we can use it for defense as well?
Sounil Yu: Well, I think the upside is, I think the downside is much greater than the upside in that regard.
So from a, especially from an enterprise standpoint, uh, there's a lot of downsides that we just see in patching. For example, automated patching, you know, modest upside, huge downside, uh, or, or not just it's observed downside. We've had downtime because of bad patches or things that don't work after the patch.
Um, and that's actually something that, uh, I, I was particularly, uh, excited about hearing from. Um, so I had a chance to go to, oh, we, or, uh, Knostic. Yeah, we had, we had a conference called Unprompted this week. And, uh, to kick it off, we had Google, uh, we had Heather Adkins and, uh, four Flynn from, uh, Google talk about something called Code Mender.
And, um, there's an aspect about, uh, discovering vulnerabilities. There's an aspect about, uh, [00:14:00] finding fixes to those vulnerabilities, uh, and that AI is helping us do both of those really fast. But what I really, really liked about Code Mender was they're trying to also have AI determine whether or not, um, the fix that they, uh, find retains all the functional, um, characteristics of the original system, uh, such that if a patch goes in, it's not breaking something right.
And that's, I think, the reason why we hold back on patching. That's why we, the decision. There, there's a, it's a risk decision to patch because we, there's a downside risk associated with that. And so if we can change the, uh, the calculus of the downside risk there, then um, then I would actually be happy. I think that the edge goes back to the defender where an agent like OpenClaw maybe not OpenClaw but something a bit more robust, we'll go and actually go patch for us as well.
Caleb Sima: What was the outcome of that, that toil? Like, um, how did they do that? You know, give me some of the, uh, and is it
Ashish Rajan: from
Caleb Sima: Google or is it from both memorable punch, punch liners? Yeah. Outta that.
Sounil Yu: Yeah. Yeah. So it is from [00:15:00] Google and, uh, they're looking at, uh, well, what the, the main punchline of all that was. They anticipate having that ready in six to nine months where many things will be discovered.
The fix will be found. Patch autonomously in somewhere between six to nine months. The, the decision around patching, though again, I think is the biggest, uh, bottleneck that we will face. And I think we face this in current enterprises too. It's not like we don't have a patch, it's just that we ha we we're, we're concerned about the patch.
Right? Yeah. Yeah. Will it break something
Caleb Sima: and was it because the, the ac they showed that their sort of success versus failure rate of implementing the patch, like, and how they looked at the functional operation of the program was high. So like what, what num did they give any numbers? Like, Hey, we looked at this and we, you know, through our AI, we were able to determine, oh, we can patch this 99% be successful in it not breaking.
And that was correct. Or like, what were the edge cases where it failed, where they're like, oh, we were not able to expressly identify the breakage that [00:16:00] occurred. Like it seems almost. Every engineer in their head can, can argue against this that says, you know, a lot of these breakages can occur over, over periods of time.
Right. Where
Sounil Yu: mm-hmm.
Caleb Sima: In a complex web app's about the interaction of, you know, things that happen at runtime between a partner and not a partner. That this feature then broken the other partners, you know, business process that caused the breakage, which you'll never see in a code assessment. Like, how do they answer those, those types of questions.
Sounil Yu: Yeah. I don't know if they could, right. I, I, I, I don't think we got to that level of detail in, in that. 20 minute talk, but the, I think that the, the realm of what we can potentially do is just at least determine what's the functionality of this particular component and will you at least have some degree of, um, backwards compatibility effectively.
So
Caleb Sima: almost from like a unit testing perspective.
Sounil Yu: Yeah. And, and the, the nice thing of course, is a lot of the code that's being generated as a, uh, expected practice for, um, these coding agents, it's go develop all the unit [00:17:00] tests for whatever code's being generated as well. And so I think the, the, this, the full loop is becoming available of, of course, you know, gimme all the design docs and, and specifications, but also come up with a set of unit tests that, uh, provides a verifiability of, uh, did I get the job done correctly?
And then later on, if something is broken, does all the tasks or all the tests that we had before, do they continue to run as run as expected?
Ashish Rajan: Yeah, yeah. I was, I was gonna go back to OpenClaw. Well, because I, I think it's definitely like the, the, uh, the Code Mender thing is interesting because that it also highlights the fact that, I guess we're still evolving on how AI is being used in security. So that was definitely an interesting insight in terms of specifically for OpenClaw and everyone else in cybersecurity is using Claude Code or anything else to build autonomous, uh, I, I hate the word autonomous agentic AI 'cause it feels like we're talking about super intelligence, but we technically are not.
But I'm just gonna use that word. So it makes people, let's just say autonomous workflows that can [00:18:00] happen in the organization, which to your point, could be a patching exercise or could be something to do with my first level of investigation for. An incident that happened, it does a initial triage. Is there, in all the work you've done or in the conversations you've had, have you kind of looked into this from a, how should organizations approach this?
Like whether it's OpenClaw, 'cause I, the first thing people have trouble understanding is, can I even detect this thing in my environment? Because it could be CLI, it could be browser, it could be endpoint. I mean, there's so many layers to that thing, and I don't even know if the traditional. No matter how much a, and when I say traditional, I mean like the pre gen AI one, which sounds a bit silly, just call them traditional, but I'm gonna say pre gen AI products may not be the most successful.
Not everyone may have the latest and greatest as well. If you start with the detection piece, like how are you seeing people approach this and how are you guys approaching it? 'cause I'm sure you guys have the same problem at your end. 'cause the developers are producing code views and they want to be more efficient as possible [00:19:00] as well.
Sounil Yu: Yeah. Well first of all, let's, um, okay, so we released at Knostic. We released, uh, something to help us discover the presence of OpenClaw out there. Uh, and so if you wanted to look at the, I think we call it OpenClaw Detect, which, which should actually really be OpenClaw Discover. But anyway, if you look in GitHub, you'll find a, um, a version that we released and people have been successfully able to find, uh, instances of, of OpenClaw out there.
But this is really, uh, I think a shot across the bow for, for enterprises, this will not be the only, um, uh, AI assistant out there. Yeah. That will do things. We absolutely should expect to see more of these. And, uh, we need to find ways to essentially, uh, coexist or have such a, in, um, entity coexist inside of our environment.
And so there are a couple of things to consider along those lines. And, uh, going back to, um, unprompted one, one of my, uh, one of the talks that I really enjoyed was from Dan Guido over at the Trail of Bits. And, uh, he talked about three types of, [00:20:00] uh, organizations, um, that use ai. Okay? So every organization out there is told to go use ai, right?
Ashish Rajan: Yeah.
Sounil Yu: Uh, but what does that really mean? And he articulated three different levels of AI usage or, or becoming what is, uh, what he wants to be, which is to become AI native. The first level is what I think most people will see as like a pedestrian use of AI. Uh, people are using ChatGPT, they're drafting emails, but the organization's not really changing.
The workflows don't change, and everyone's just basically doing something, uh, a little faster. Uh, the next stage is where you're AI augmented, okay? You redesigned some of the workflows. Um, you have agents that are, uh, now part of the, the workflow and, and they're changing some of the workflows. Uh, and, and we have coding agents that create, for example, coding agents that create code and also review code.
But humans, uh, are doing part of the final review. Uh, I think some of the more leading edge companies, uh, using AI are kind of quote a [00:21:00] quote, using AI are in this space, uh, but then he articulates a third sort of, uh, tier that, uh, that is actually what, uh, is more of what OpenClaw is about. Okay. And it's a structural shift.
It, it's where organizations are really designed from the ground up, assuming that you have like AI, uh, assistants, like OpenClaw, uh, as another team member within your organization. And so you're starting, you start redesigning the organization, you, you, how you gain access to knowledge or how you deliver your outputs or how you, um, make domain expertise available.
Those are all redesigned to be consumed and amplified by these AI agents. And what we're seeing with OpenClaw is really a taste of that because you now see things like ClawHub or Moltbook or a Rent a Human or Church of Molt or I, I can't, there's, there's all these different, uh, resources that are out there that are designed for agents to be, to consume the kind of stuff that helps them be more [00:22:00] productive.
And so. That is what we're starting to see as, uh, what Dan would call it, AI native. And uh, I think OpenClaw is just a taste of what's to come on that front.
Ashish Rajan: Do you find that, I guess it's the future then, like there's, well, there has been a theme on this podcast for some time where you be coming up with, uh, startup ideas.
Is there an OpenClaw version for security teams? Like a, like an, if I were to see an org chart, right? Technically the CSO or CISO, so there's like an agent logo who, which is the quote unquote security OpenClaw agent, which is just autonomously giving updates. Uh, have we gone that far yet? Or has anyone made that yet?
Sounil Yu: Uh, I have not seen it, uh, personally, but, uh, I wouldn't be surprised if people are, are tinkering with that, what I would admit. Oh yeah. Okay. Uh, well, I think one of the first things I would expect to see as one of these, uh, systems that are designed to be consumed by these agents would be something like threat intelligence, right?
So imagine all the. I mean, we already have too, way too much threat intelligence for consumption by humans. But of course, these agents, uh, will have, uh, far less trouble, [00:23:00] uh, with the volume that we see today.
Caleb Sima: Yeah.
Ashish Rajan: You've seen this.
Caleb Sima: Yeah. These, well, right now they're specialized. Right? So anytime you see sort of all these agents that are doing AI SOC, AI SOC is a version of, you know, OpenClaw.
Yeah, right. But focused obviously on the SOC and determining tickets and investigations. You're seeing this in AI red teaming, right? Like we are using AI to red team and pen test. You are seeing this in detection engineering. We are using AI to focus on threat intel, generate detections, manage detections, uh, for enterprises.
So right now you're seeing sort of the specializations of, Hey, how do we replace or quote unquote, replace or, Sounil or Dan's talk, AI augment these specific teams with this software. But a lot of these are moving or already, you know, obviously the goal is AI native where although they are messaging AI augmentation, [00:24:00] clearly I have seen, for example, in some of our portfolio companies, the detection stuff is clearly AI native.
Like you are taking things that are threat intel, looking at environments, generating detections, managing those detections, and doing it all without a single human in the loop. And it's working at scale.
Sounil Yu: And let me add one additional piece to what Caleb just said that should unnerve people. It's deciding what the playbook is once something is determined, uh, once the system determines it to be bad or needs action of some sort.
Yeah. And the playbook would be, may not necessarily be what we expect. Desire. Okay. Um, but the playbook, its ability to create, to dynamically create its own playbook and have decision autonomy is what, uh, is moving towards that AI native world. For us, with AI augmented, we are still kind of in the loop and we still can, um, the [00:25:00] playbooks that we want these AI systems to follow, or playbooks that we've determined.
But AI native is again, yeah, I just wanna use the, uh, the, uh, restaurant example. Doing text to speech and calling the restaurant is, was not in my playbook.
Ashish Rajan: Yeah.
Sounil Yu: Right.
Ashish Rajan: Yeah.
Sounil Yu: Um, but got the job
Caleb Sima: done,
Sounil Yu: but got the job done. Job done.
Caleb Sima: Yeah. Yeah. And so, like, you know what, what, what I think you're seeing, and I think this might be a trust.
Thing too. This is probably an interesting debate, debatable topic, but like obviously the most adjacent common logical thing is to build these AI augmented in specific areas, AI SOC, detection engineering, offense, blah, blah, blah, blah, blah. But in reality, at the end of the day, if you had a major general athlete, like if you could take the 16, 18 year experienced veteran cybersecurity engineer who knew the details and the weeds of everything in cyber, wouldn't you not hire 50 of those versus one [00:26:00] specialist in each area?
Absolutely. And so I think that there's both a incident logic, uh, of this is the first wave of us building specialists. But at the end of the convergence here, I would imagine it becomes more like ClawdBot, where you actually do have a quote unquote software engineer, super athlete who can go in any of these specialist areas and will solve the problem.
The question is, how do we set up the frameworks? To trust that agent in the way that we wouldn't want so that someone can go from infra security engineering to offense to detection and make these hops and make these autonomous decisions on playbooks we didn't provide. And there be that trust and I think that's the barrier to overcome, to be able to get to that convergence.
Ashish Rajan: I would probably add one more thing in there. I think the trust barrier also would extend to, like, I guess I a hundred percent am with you on the team [00:27:00] of athletes: one for incident response, knows everything about cybersecurity, detection, forensics, any environment; one for GRC; and so on and so on. In my mind, I definitely go back to the start, the thing that I was talking about, where the agent sits right next to the CSO or CISO, and the subagent for incident response, subagents for GRC, whatever. That's the,
Caleb Sima: the easy answer.
It's the most obvious, right?
Ashish Rajan: Yeah. But this is the, the trust would only work, or this AI native scenario would only work, with the right context. I think, in all the AI work that people have been doing, the big missing piece for us to reach that state has been that there is not enough context that I can give to the super intelligent, all knowing cybersecurity agent of mine to make the right decision on something that is in Ashish's head versus in a document somewhere in Confluence.
So I would add that to the trust part as well. Like, even if we got to the point where I gave it all the context, as a human I would still not trust that it can make the decision, because of that one thing that happened 10 [00:28:00] years ago that I know about, but it just didn't happen to be there when that thing came in.
I don't know if you guys agree with this, but I definitely find that there is some way to go, or some distance to cover, before we get to that point. But there are organizational challenges to what, Sounil, you were saying, where we are in that level two of that AI augmentation layer where we are building the context.
We're building search, like we have this AI search across the organization thing that people have. But even that doesn't capture what I never put down on a piece of paper, though it does capture some of it.
Sounil Yu: Well, so this also gets into, I think, the question of, where do humans come in?
Where's our value in the overall system? And let me cite one additional talk that was interesting. It was a Sergei Epp talk about, essentially, verifiability. His assertion is verifiability is all we need. And the perspective is that there's a lot of things in cybersecurity that are not verifiable, but of the things that are verifiable,
we can very quickly train a model to look for those things. And look, patching is an example: we know that the patch worked. [00:29:00] Does it actually fix the exploit, or is something exploitable? Those are things that are verifiable. But there is something I wanna highlight that we oftentimes confuse.
We use the words verify and validate synonymously. I wanna be clear about what the terms mean, because it directly points to, I think, our opportunity as humans to insert ourselves into this. So verifiability, or when you verify something, you're determining if the thing was built right. When you're validating something, you're determining whether you've built the right thing.
Okay? So verification is about, did I build it right? Validation is about, did I build the right thing? Okay? And what these agents are gonna be able to do is to verify things and know that, yes, I built it right, or that the right thing was done. But what we humans will do is be able to have more time to say, was that actually the right thing to build at all?
Okay. Today we don't really get much of an opportunity to weigh in on that, because most of our time is spent making sure that something is [00:30:00] built right. But if now we have a whole bunch of systems that will speed that up for us, we're gonna spend more time figuring out whether or not this was the right thing to build at all, and be able to say, whoa, well, hold on, wait.
That's not what I wanted to do. That's not what I meant. I wanted you to do this instead, and you can restart and try it again. And hopefully the way that it was done isn't catastrophic. You know, we're crossing our fingers that it was not catastrophic, but the opportunity to validate, no, no, this is really what I meant,
try again, is the opportunity that I think we as humans will have more of: the opportunity to validate correctness, not just verify that it was done correctly.
Caleb Sima: So, you know, in the cyber world, do you find it's hard to know how to verify, right? Like, I feel like it's easy in the sense of, if I'm building a product, I might be able to distinctly have outcomes that I [00:31:00] know that I could verify work the way that they need to work.
But the world in cyber is like, you know, an insurance problem. We are trying to prepare for the unknown. And so how do we apply, how does the world change in cyber, where we start looking at this in a verifier, validator type of way?
Sounil Yu: Yeah. Okay. So verifiability has its limits, to your point.
And what we cannot verify is the emergent effects of what happens when you combine two or three, or even just two, systems together. It's a fundamental problem in security, which is, if I can formally guarantee that this component A is secure and component B is also secure, and let's just for argument's sake say that there's zero ways to attack A or B, but once I combine A and B, you now have something emergent that may introduce, it cannot
Caleb Sima: be verified. Yeah.
To be zero attack. Right?
Sounil Yu: Exactly. Right. Yeah. And those [00:32:00] interfaces are oftentimes where we see most of the security issues. So you kind of have to look at the system as a whole. And sometimes that's, to the point earlier about Code Mender, to your question about Code Mender earlier, which is, you know, how do you test for that?
And the reality may be we simply cannot. The only way to test for it is to do like a chaos monkey type of scenario and just see what happens when you put it out in the wild.
Caleb Sima: So, to your point though, to be on the positive side, what Code Mender is showing is that, unit by unit, we are having the ability to automate and verify components to some degree.
Mm-hmm. Which is a huge step up
Ashish Rajan: mm-hmm.
Caleb Sima: from where we are today. So if we can say, hey, all the Lego blocks are at least secure, then the combination of those becomes the next task and challenge ahead. And who knows where AI evolves in that next step, but at least it helps us fundamentally solve a big problem on a fundamental level, right?
Sounil Yu: That's right. That's right. We can [00:33:00] have verifiability that the bricks that I create are exactly in conformance with specifications.
Caleb Sima: Yep.
Sounil Yu: Could you build a crappy wall with really, really good bricks? Sure.
Caleb Sima: Right, but the likelihood is less, right? Your risk goes down if you're able to do that. And then the challenge is going and finding how well that wall is built.
That becomes maybe, to your point, validating that the wall was built to our expectations, versus verifying.
Sounil Yu: Yes. And by the way, this is something that I'm super excited about. Let me, so, now I have to give a little bit of a preface here to explain what I'm talking about. So just imagine back in the day when all you had was wood as a building material. We figured out how to
build better buildings just with wood. Okay? Eventually stone comes around, and our building codes for wood, some of them you keep, but you have to now update your building codes accordingly to account for stone. Then metal comes around, and so on. And then eventually now we have titanium reinforced [00:34:00] carbon nanotubes.
Okay? And your building codes adjust to the new materials. Now, let's go back to Opus 3.5. Claude Code comes out, and between that point, right up until day minus one for Opus 4.0, Claude Code improves not just because Boris is improving Claude Code, but the real step improvements happen because we have new building codes for Claude Code itself.
Like the scaffolding that we create around Claude Code, it gets better and better during the life of Opus 3.5. Again, the model hasn't changed, but the building codes have gotten better. Opus 4.0 comes out and now we're building with stone, okay? And there are things in the building codes we need to update.
4.5 comes out. 4.6 comes out. Now we have, again, titanium reinforced carbon nanotubes, and what we're discovering is some of the structural things that we needed to have for 3.5 we don't need anymore, 'cause the model's intelligent enough to figure things out on its own.
Ashish Rajan: Yep.
Sounil Yu: [00:35:00] But we also need other, now it's more capable of doing things, and so we need new building codes around that as well.
Caleb Sima: Yeah. And if, okay, if I go in this, like, to your point, we are focused on building buildings, but when it gets smart enough, then we're focused on building towns, villages, cities. Right? So you kind of escalate your capability; when it becomes so good at it, the needs rise for different kinds of problem spaces.
Sounil Yu: Yeah, there's a much greater complexity that emerges. And the orchestration that's gonna be required, I think, is again where we as humans have an opportunity to think about the validation aspect of things. Is this truly what we wanna build? Not just, is it built right, but is this what we actually truly wanna build going forward?
Caleb Sima: How do you think, and I'll bring it back a little bit to agents today, coding agents, 'cause you kind of talked a little bit about that evolution. Where are you seeing coding agents? What's your prediction on where they sort of fall in that? Like, if you were to say, hey, listen, I've [00:36:00] seen obviously the history, this is where I think in the next couple of years it's going to be, and the kinds of problems that will arise.
Ashish Rajan: And maybe to add, sorry, could you also tie back to your wood analogy as well, 'cause that's where it started? 'Cause a lot of people still believe that code being produced is just producing vulnerable code, and open source libraries are just being added willy-nilly. Curious to know about the evolution.
Caleb Sima: All true.
I would probably agree with that. A
Ashish Rajan: spoiler alert. Come on.
Sounil Yu: So, to use the construction analogy first, think about 3D printers that can print themselves. Yeah. Right? But not just print the exact replica of itself, but print a better version of itself.
Ashish Rajan: Yeah.
Sounil Yu: Okay. One of the things that we've talked about in AI research is the best place to put a unit of AI research, or research into AI, is for the AI system to build a better version of itself.
And what exactly is happening in the coding agent environment is this. This is exactly what's happening with coding agents. We now have a coding agent building a better version of itself. [00:37:00] Where, I don't know if you guys have noticed, but I feel like I have to update Claude Code, like,
a couple of times a day. There's a new version so frequently, and I don't really know what the updates are, but it is effectively building a better version of itself. And Boris attests to this by saying, look, you know, 99.9% of the code that's being generated is by Claude Code itself.
Well, originally when I thought about what AI research would look like, the thought was, well, an AI model will go create a better version of another AI model. But what we're seeing manifest instead is these coding agents building a better version of their own coding agent, using the same AI model, but in ways that are vastly superior to the prior version.
Caleb Sima: I mean, so when you think about coding agents today, and, again, I'll take it from a practical, today, today I have clearly all my engineers using coding agents, with, [00:38:00] I would say, the cutting edge people. But my corporate workforce is also starting to use coding agents in the guise of Claude Cowork, right?
Mm-hmm. Or other sort of models that are coming forward. And I see this expansion of sort of, you know, like, actually I think someone from AI made a quote that says software is gonna be like ordering a pizza. You customize it at order time and it gets delivered, right? And do we see that model take place, where now workers, HR, finance, marketing, your junior intern are writing software applications customized for needs and demands, and then these coding agents are expanding out into this common workforce?
How do these risks change? How do you manage this, do you think, from a CISO security perspective? Because we're already seeing it. What do we do? Do we think Anthropic's just gonna handle it, we'll be good? Do we think we have to deal with it? Is OpenAI gonna handle it? Like, you know, do the frontier [00:39:00] models manage this?
Like, how does it play out for you?
Sounil Yu: It's, that's the prognosticating part that I don't know if I could see the future that far ahead, but I can see patterns, and let me see if I could articulate some of the patterns. So first is the notion of Cowork. Behind Cowork is, of course, a coding agent, but the interface is very user friendly.
But I think the reason why I would avoid calling them coding agents, or just focusing on the coding part of these agents, let me give you a quick analogy. In high school, or all the way up until high school, most of us take English. Okay. And it's not because we're trying to learn English, right? It's not like we don't already know English.
We're speaking English, right? And it's because we wanna understand other forms of communication, you know, style, persuasion, what else might be. And when we think about coding, we take computer science and we learn it because we're trying to learn, you know, [00:40:00] C or Python or Rust or whatever else it is.
But once you know the language, the higher forms, like, what would 12th grade computer science look like if you started learning Python from kindergarten? Okay. So imagine that for a moment. And it's no longer about just writing code, it's really about thinking about the higher level forms of expression. Yeah.
Higher forms of expression. Finesse,
Caleb Sima: is
Sounil Yu: that? Yeah. Finesse, style, architecture, all these other sorts of things that you'd want to unleash once you have the basic coding skills established. And I think in the context of Cowork, that's essentially what we're trying to unleash. We're saying, look, you don't need to learn
Python anymore. We got that. Now we can just express in English what you want, and behind the scenes there's a translation function. And so that's one framing I would put in there, to say, once everyone can speak a [00:41:00] language and communicate across computers and other people in a seamless way, what are you able to unleash in terms of creativity and productivity?
Moreover, if there is a lot of toil involved in some activity that is repetitive and you wish you could just automate it out of the way, again, what are some things that you can do there that these tools help you with?
Caleb Sima: Could I bring it maybe a little bit into the practical, even today, problem?
Sounil Yu: Mm-hmm.
Caleb Sima: Like, what do I do?
You know, I know that my engineers are running Claude Code, so clearly there are solutions on the market like Knostic that help, you know, manage this. But I do, like, there are employees running, effectively, no, not effectively, really, they are running Claude Code on their laptops. Mm-hmm. Through Claude Cowork.
Ashish Rajan: Mm-hmm.
Caleb Sima: Right? And they are building and running, which has full access to corporate data, full access to the file system and execution capabilities. [00:42:00] How do I, today, either know what's happening there or help secure those things?
Sounil Yu: Yeah. So I mentioned earlier, in terms of the building codes, or what we call scaffolding in the context of some of these tools, what we would want as an enterprise is to have consistent scaffolding across my developer base, across my employees, and, I mean, not even developers, right?
Just anybody who's in Cowork or any of these AI tools, you know, Lovable, Base44. I would wanna ensure that there's consistent scaffolding. The scaffolding would adhere to certain enterprise guidelines, would ensure that good practices are adhered to. And some of these practices are gonna be consistent across any organization.
Others are gonna have their own sort of special flavor. But, similar to how we've seen SSPM, or SaaS Security Posture Management, where you have a ton of different SaaS applications and you wanna just ensure that they all have, you know, single sign on. I think we're gonna have something [00:43:00] similar.
We're gonna need something similar for all these agents that we have inside of our environment. At Knostic, we've chosen to focus on coding agents first because most organizations have usually two or three or five forms of coding agents. You know, they have Claude Code, they have Cursor, they have GitHub Copilot, they have Windsurf, they have, you know, Kiro.
They'll have multiples. And so you just want conformity across some subset to start with.
Caleb Sima: Consistent policy is what you're sort of referring to.
Sounil Yu: Yes. Right. And so that's our starting point. We say, okay, let's give you consistent policy across these coding agents. And then the behavior of these things is what we're also looking at.
We can normalize that for coding agents 'cause we know what coding agents are supposed to do and not supposed to do. Pick any flavor of other type of agent, and I don't know. Okay. You know, Clawdbot, and I, again, that's what makes Clawdbot so powerful. It has tons of flexibility. But how are you to know, if you have an approved version of Clawdbot [00:44:00] or something like that in the future in your organization, what's normal for these things?
And that's really hard to baseline. But for coding agents, we can baseline that today 'cause we kind of generally know what they're supposed to do and not supposed to do.
Ashish Rajan: I think you mean OpenClaw? Clawdbot, renamed OpenClaw?
Sounil Yu: Yeah. OpenClaw. Yes.
Ashish Rajan: I would add one more thing for the Claude Cowork piece.
So I think many organizations that I've been talking to have actually outright blocked the use of, or denied the use of, Cowork for two reasons. One, the official documentation actually calls out for Cowork that there are no audit logs. So there is no way for it to know what Ashish did with his Cowork account.
So there is no audit log available. This is there in their own documentation. And the other one they called out in their documentation was that if you are in a regulated environment, do not use it. Not that it's stopping anyone, they're still using it, but hey, that's at least what the official documentation is saying: that, hey, there is no audit log, there is no data export.
There is no way for it to even find out, to what, Caleb, you were saying, even if I was using it, there's no way for someone to [00:45:00] know that I have actually gone ahead and done a lot of these. But I would love to bring it back to what you were saying about the standardized scaffolding across, doesn't really matter what kind of coding agent I am using.
I guess what's a good starting point for this? Am I building a policy engine? Like, obviously you mentioned, and Caleb mentioned as well, there's a lot of tools. Knostic is one of them as well. But if I'm looking at this as a CISO today, and I can see it's coming towards me. I see AI agents coming towards me.
I see people using coding agents as well. Just if you focus on coding agents for one second, how do I even start approaching this?
Sounil Yu: Yeah, so actually there are a lot of native tools. So I'm not suggesting, like, if you go back to AWS, you have Security Hub, you have all these different native security tools for AWS, but then you also have a Wiz out there, right?
Yeah. In case you wanna make it a little easier, or if you're multi-cloud. And I think we are making the same value proposition as well. You can absolutely try to lock some of these things down on just their own ecosystem. And there are [00:46:00] plenty of tools out there to help you do that.
And so if you are just wanting to get started in this space, just look at the native controls and try to lock things down on your own. And again, they're largely effective. It's just, you just have to have configuration conformance across all these other types of coding environments.
And that's essentially what we're trying to offer as the additional value add, and some additional guardrails that they may have missed as well.
Ashish Rajan: So would I be oversimplifying it by saying that we're still referring to, still, a SaaS configuration for, er, for Codex, or,
Sounil Yu: it's the closest analogy?
Yeah, it's the closest analogy, to say, just as much as you would wanna have consistent configuration across Google Workspace and Salesforce and whatnot, you'd wanna have something similar for at least this class of agent.
Ashish Rajan: And what's the way that I know that? Like, you know, we were saying earlier that the code being produced is, oh, secure, including libraries and all that as well.
So this is like the next layer after that.
Sounil Yu: Yeah. Yeah. [00:47:00] So we actually look at the overall ecosystem as well, what we call the agent supply chain. You know, how do you know the extensions and the MCP servers and, you know, fill in the blank, parts of the ecosystem, if they are legitimate, they're not polluting or compromising your environment?
Those are all things that we've put together. We actually have a service that we, I forget if it's rolled out. It may be rolled out by the time this goes public, but it's a reputation service for skills and extensions and MCP servers that we've also integrated into the product, but it's a service that we've just made open to anyone to use.
Ashish Rajan: But, you know, since we've been talking about AI so much and how a CISO can have their own version of OpenClaw, can someone just create at least a version of this to validate themselves that, hey, this is actually possible within their organization? Obviously there is a whole other argument of build versus buy.
But I'm curious, with the AI capability that we have today, where it's a much smaller organization, one, oh
Sounil Yu: yeah.
Ashish Rajan: Say, [00:48:00] Cursor, not multi coding agent, whatever. Is it possible to go far with it with
Sounil Yu: AI? Yeah, sure. So just as a proof point to that, of course we know OpenClaw, but then since then there are tools like Zero Claw, which is I think made by a Chinese entity.
And there's also Null Claw, NULL Claw. At the end of the day, there are much smaller footprint equivalents of OpenClaw. What OpenClaw was, you know, partly, was duct tape and glue type of code. But moreover, the most important aspect of it was an architecture. And what Peter created was an architecture that is
now really easily re-creatable, and we're starting to see a number of variants along those lines. Now, can these variants be slightly more secure by default, out of the box? I think that's what we should expect to see from OpenAI. We should expect to also see that from Google and Apple [00:49:00] as well.
Caleb Sima: This is where, I guess, maybe I get confused as to why it's a new architecture when, to me, and again, maybe help me understand, it's just Claude Code as an engine, and you are giving it its integrations, you are giving it its messages. So you have, you know, an inbound Telegram that basically connects directly to a Claude Code instance that just does the work for you.
It's exactly the same model, or am I off somewhere? Because to me it feels like that's exactly all it is, which is exactly what Claude Code is. Is it any different than Claude Code?
Sounil Yu: I think fundamentally the scaffolding around Claude Code is very similar to the scaffolding that you provide OpenClaw.
But I think it's going back to the notion of we're discovering these new building codes. Well, one, we're discovering new building codes, but also, two, we're also having the building codes themselves, the scaffolding, the markdown files, become executable files. So [00:50:00] that's something I think that's a mind shift in terms of how we think about documentation, where documentation used to be meant to be informative, but now documentation is executable code that directs these agents to do a lot of different things.
And once you.
Caleb Sima: Right.
Sounil Yu: Essentially, it is prompts that should be seen as executable code from now on. Right. It used to be, again, markdown, up until Claude Code, I don't think we saw markdown files as anything but documentation. Mm.
Ashish Rajan: Mm-hmm. Mm-hmm. I think the architecture that a lot of people have been talking about is the fact that, you know, in Claude Code, memory is like a thing that came much later, whereas, if you ever, there's an image, I don't know if you can put that anywhere in the video, but essentially, the image, to what you said, it comes into a control, a gateway, and then the gateway has access to memory, which is the markdown file.
That's what Sounil is talking about. There's also skills in there, and you can [00:51:00] keep adding on top of that. I think it's a collection, it's the way that it has been put together, versus, yes. Yeah. And I guess to be fair, all of this has built up to this moment as well. If you think about how OpenAI first started,
sorry, OpenAI started, there was no memory, then there was memory. So, oh wait, my AI can have memory now. If you think about the stages of it, it's a natural evolution, where he just became the first person who created the architecture of putting all that together. But we have been coming to this stage slowly since the day OpenAI became, like, the ChatGPT explosion happened, because that's how
Sounil Yu: Yeah, yeah. All the pieces were there. I think the final connection between the gateway and the communications channel and the agent loop, to go and, go, yeah, go and go, is the final step that many of us were unwilling to take. That's right. But I think, in some respects, if you think about what Microsoft was trying to do with Copilot, that's what they wanted.
I mean, that's what I think Copilot was meant to be, except that no one would be [00:52:00] willing to take the risks of letting it go off the rails. Right. Is
Ashish Rajan: Copilot on the downhill now? I keep hearing rumors that Copilot is almost fading away.
Sounil Yu: Well, Microsoft fired the entire Copilot sales team, which tells you something.
But I had just recently talked to a major bank and they said, you know what, Copilot has significantly improved over the last couple of months, where it now actually produces high quality outputs when it's anchored on your enterprise data. But I can attest to how bad it was six months, a year ago.
I honestly haven't looked at it since then. But this friend of mine at a major bank said, I just used it over the past two weeks, and there's a step change that they've seen in its improvement, which kind of makes sense in the context of the underlying model.
The underlying models have improved in some way, and they're getting better results.
Caleb Sima: You know what else is good is Cursor. Have you guys used the latest Cursor stuff?
Sounil Yu: The
Caleb Sima: automation? Like, it's good. Yeah, [00:53:00] it's really good. Like, I'm starting to, I wouldn't, like, Claude Code is still sort of my default, but when I'm building more comprehensive things, I'm starting to use Cursor.
It's so fast and so good at what it does. It's actually beating Claude Code in my head-to-head as I'm building things. So
Ashish Rajan: it's funny, the other day I had this epiphany, which I
Caleb Sima: never expected.
Ashish Rajan: No, I, I a hundred percent, I have not, I've seen the update for it, I have not tried using it, but the other day I had this epiphany.
We're definitely moving to a world where we are in this fast fashion of AI agents. You know how the App Store kind of came in and the iPhone was just that device that made apps possible? Sure. Then we had like 10,000 apps that we were downloading, but we only used five at any given point in time. I feel we are speeding towards that era with AI agents, where, like, you know, your current favorite today may be Claude Code.
Mine will be Claude Code, but tomorrow something else comes out, I download it, but then Claude Code comes back with a new feature, now you hop back on [00:54:00] that. But obviously an organization cannot work like that. An organization has to. That's where the whole MDM kind of came in for mobile devices and everything.
So I imagine we are definitely speeding in that direction. 'Cause I think there was an organization that I was talking to that's using Notion agents. Notion as a company, the entire organization runs primarily on documentation; everything is on Notion. Notion has custom agents, and if you are in the ecosystem of Notion that works really well.
But if you're not in the ecosystem.
Caleb Sima: Have you seen Perplexity Computer yet?
Ashish Rajan: Yes, I've, yeah. The,
Caleb Sima: it's pretty good,
Ashish Rajan: the terminal.
Caleb Sima: It's pretty good. Like, yeah, it's really good. I'm about to, by the time this thing probably airs, it'll be published, but I basically said, hey, I want to know what the best AI agent sandbox project is.
Oh,
Ashish Rajan: yes.
Caleb Sima: And so I actually compared this with Claude Code, Tasklet and Perplexity, yeah, Computer. And I built it out in three phases. I just said, go find all the top GitHub, you know, [00:55:00] AI agent sandboxing tech, and I want you to rate it both on the visibility it gives and on the protection it actually blocks, like what are the preventative capabilities.
And, like, Perplexity destroyed Claude Code, destroyed Tasklet. It went and gathered over 46 different projects, all the top ones, built a security testing methodology, installed them all in containers, ran the security testing methodology, stored the data, ranked them, built a web dashboard, put them all together where you can go and view what it blocked, what visibility it gives versus not, and then put them all together and you can go dig into the data. It was crazy.
It was crazy.
Ashish Rajan: I'm curious, what were the top two sandboxing techniques?
Caleb Sima: Oh yeah. Here, I'll bring you,
Ashish Rajan: it's scary, but at the same time you almost feel that that's the world we are moving towards, where [00:56:00] I guess most complex answers, which would've taken, I don't know, months of research for a lot of people,
'cause
Caleb Sima: now listen, I didn't verify yet, so.
Ashish Rajan: Oh, right, okay. Fair. You didn't,
Caleb Sima: there has to be, I think, verification, but on, on initial digging through the data that it provides, Daytona rated number one tool, Hive, LLM Guard. Uh, these are all ones that, you know, are all in the top four.
Sounil Yu: Um, so let me offer, uh, something, I, I don't know the exact quote.
I think it's something like this. Never underestimate the persistence of a jilted lover. You know, if, if you ask an agent to do something, it will persist in trying to get something done. Persist and persist. And one of the things that we've seen is when you put it into a sandbox, it will find a way to escape that sandbox.
Um, like there have been a couple, I mean, I have some exact, uh, scenarios where it said I'm in a sandbox, uh, and I'm trying to get what you want to get done. So the best course of action that I can take to, to [00:57:00] get what you want me to get done is find a way to turn off that sandbox and escape the sandbox, so it will find a way.
The way that we've thought about that problem is, look, the first, or maybe, and certainly the second time it tries to escape the sandbox, you want a human to intervene at that point, right? You don't want a human to intervene, um, on the 50th time or the 51st time when it actually does escape the sandbox.
You just kind of wanna know, hey, wait, this system is, uh, acting in a way that I didn't expect it to. Maybe I should redirect its, uh, its task accordingly, you know, to operate within a sandbox or whatever else it might be. But we, we've seen, um, these agents are very persistent and determined and, uh, it may not necessarily, again, how it, I love this one quote, uh, I have a t-shirt on it.
It says, uh, you know, I'm chaotic good. Okay. Um, doing the right things, but doing it in the wrong way. And, uh, in many ways that describes these agents too.
Caleb Sima: Is there, like, and one of the ways of being able to do this is, to your point, detecting the intent early [00:58:00] and then being able to recognize it and change it.
Sounil Yu: Mm-hmm. That's right. Exactly. All right. I had to give the human the opportunity to, to give it slightly more context, to make sure that it doesn't divert from your, your true intentions.
Ashish Rajan: I, I guess maybe isn't there, the whole idea and the balance to be found between, 'cause sandboxing doesn't really mean you have access to real data, so whatever you're producing is kind of based on fake data to begin with, right? What's the balance there that people can find? Because a lot of people that I've spoken to, at least CISOs I've spoken to, the balance they're trying to find is, developers complain about the fact that sandboxing doesn't allow me access to, uh, create this feature the right way, but I need access to production data, or at least production-like data, to be able to produce something.
Uh, we can de-mask the data, we can do all of this. Where are you finding the balance between actually making the sandbox work instead of just, hey, we have a sandbox capability, which, like any other security guardrail, no one wants to use, people just go around it.
Sounil Yu: Uh, this is a hard one because I've made that claim myself.
I can't do this except for referral data. It's, it's just extra work on my part to make it [00:59:00] work, uh, without production data. And that additional energy is something that, uh, many of us developers, we just wanna take a shortcut, and sometimes, um, that shortcut isn't the right thing to do. One of the ways that I've also described, uh, the notion of, uh, the use of these agents is you should think of these as experiments.
And when you experiment, uh, you don't experiment on humans, uh, you experiment on mice first. Demonstrate for me, I want to demonstrate, demonstrate for myself that whatever agentic flow that I'm having this system create for me is actually safe. I'm gonna wanna experiment on mice first. And once I'm, I feel comfortable enough that this workflow and the playbook that's gonna follow is sound, then I'm willing to let it touch my own data.
And, and that's how I've looked at it. Would I want my own data to be, uh, exposed accidentally? And, and mostly the answer of course is no, I wouldn't. So I'm gonna, uh, look at this as an experiment and bound things accordingly.
Ashish Rajan: Well, if we have any, uh, OpenClaw lovers, uh, just a word of caution as well. 'cause Google has started, [01:00:00] uh, blocking paid Google accounts using OpenClaw as well.
I don't know if you guys have heard of that. Basically anyone with an Ultra or Pro Google account trying to use it for OpenClaw, Google is outright blocking them. And you
Caleb Sima: mean if they're trying to use Gemini?
Ashish Rajan: Uh, no, not. OpenClaw with Gemini. I think OpenClaw with Gemini.
Caleb Sima: Yeah. Like if, if OpenClaw uses Gemini as the model, they're blocking it.
Ashish Rajan: That's right. Yeah.
Caleb Sima: Well, why would they do that? I don't understand.
Ashish Rajan: I have no idea that, and how would
Sounil Yu: they even know?
Ashish Rajan: Yeah,
Caleb Sima: yeah.
Ashish Rajan: Reddit is just like full of this, uh, where people are complaining because the thing is, these people are still being charged while their account is blocked. That's, that's what's making them go on Reddit. Didn't go, well, block me, but don't charge me.
Caleb Sima: Well, I mean, I mean, it's Gemini, you, it's charged by usage, so, you know, you think it, well, they, they block
Ashish Rajan: or it's linked to the Ultra, Pro, or even people with Ultra or Pro accounts, they all
Sounil Yu: Oh, I bet you I know what you mean. So it's not metered. That's, I think that's the issue. Maybe the, that what Anthropic and, uh, OpenAI want is if you're accessing the API, it's all metered.
Uh, but if you have a subscription
Caleb Sima: service, [01:01:00] ah, the subscription account, yes. Mm-hmm. That is correct. And by the way, all AI vendors do that.
Sounil Yu: Yes. Oh,
Ashish Rajan: right.
Caleb Sima: Yeah. So OpenClaw has to use the API in order to work properly. If it uses your actual subscription account, they'll block you. Yeah. And actually that's the same with Anthropic, uh, and others too.
So
Ashish Rajan: yeah. But then Anthropic and others gave you a separate portal to get your API keys and do all of that as well. But,
Caleb Sima: but then it's using the API so you're charged on usage
Ashish Rajan: usage
Caleb Sima: versus if you auth with your OAuth account to, like, Claude, you're using your 200 Max account, which is not usage metered.
So I actually built a custom version of OpenClaw. Right. You, we talked about this on our episode, Ashish. Pepper.
Ashish Rajan: Yes.
Caleb Sima: Right.
Ashish Rajan: Puff.
Caleb Sima: Yeah. But I use Claude Code in the background as my, so it uses my Max account, and so my Pepper AI wraps [01:02:00] around Claude Code as the primary engine, and so I can make use of Max, uh, a subscription account versus metered.
Since I'm properly using Claude Code, just I'm running it
Ashish Rajan: proper.
Caleb Sima: Yeah. I'm, yes. It's literally using actual Claude Code,
Ashish Rajan: you're paying money for the usage. That's pretty much it. Yeah. Yeah,
Caleb Sima: yeah.
Ashish Rajan: You, you won't get blocked, but it's good. Good to know. Uh, but I guess maybe, uh, we are on the tail end of the episode as well.
We've covered Unprompted, by the way, are Unprompted talks coming online or are they just
Sounil Yu: Yes. Yeah, we had a, um, so the online experience was, uh, facilitated by, uh, Dragos Ruiu, and it was fantastic. It was, uh, really well done. The online version was really well done. And, uh, Rob Lee, uh, one of the three Rob Lees in the, in the cybersecurity world, uh, this one is the SANS Rob Lee.
He also, uh, fed all the transcripts and the slides into NotebookLM, and we now have this massive compilation of, of all the talks and all the transcripts that you can now search on. And, and anyway, it's a taste [01:03:00] into, and by the way, all this stuff, the online version and the NotebookLM, it was all agentic orchestrated, so Oh,
Ashish Rajan: right.
Sounil Yu: In many ways, this conference is a taste of what, um, a, I don't know if I would say AI augmented, it's not quite AI native, but it, it gives you a taste as to what an AI augmented conference looks like.
Caleb Sima: Yeah.
Sounil Yu: And it is, it is mind blowing. It's amazing. I
Caleb Sima: also created an AI conference reviewer. Uh, Zero. That's right, for Unprompted.
So,
Ashish Rajan: well, what, what
Caleb Sima: was the, which became, by the way, very popular? Uh, it became very popular. In fact, I had one of the guys who was there, this guy over at Google, was like, I used Zero to review my talk before submitting and got accepted because I tuned it so Zero gave it a great review.
Ashish Rajan: Wait, so are these, uh, all these agents that people used to build on the [01:04:00] Unprompted, are they gonna be open source as well?
Sounil Yu: Uh, most of the thing, yeah. In fact, I think, I don't think there was anything that wasn't open sourced or made available for people to, to use. It was really much a practitioner conference with the goal of sharing with others.
Caleb Sima: There needs to be a centralized resource, though. Pointers to all of those. I don't think that exists yet.
Sounil Yu: Um, actually I'd wait for the NotebookLM, uh, resource to get published. Uh, I have it. It's all I have
Caleb Sima: it. I'm
Sounil Yu: Oh, you do? Okay.
Caleb Sima: Yeah.
Sounil Yu: Yeah. Okay. Uh, I think it was all centralized there, but maybe, um, if, if you prompted and say, hey, give me all the links to all the GitHubs, maybe that'll Oh,
Caleb Sima: okay.
Sounil Yu: That'll show it to you.
Yeah.
Ashish Rajan: Got it.
Sounil Yu: Well,
Ashish Rajan: I'll, I'll, uh, maybe we can put the link. Can we put the link in the show notes for when this gets published?
Sounil Yu: Um, I'm sure we can, yes. I, I, it's gonna be released really, uh, imminently, so no problems ensuring, so the link
Ashish Rajan: that Caleb you have is not the public one?
Caleb Sima: No, I, I don't think so.
Maybe it's just shared with the unpro
Sounil Yu: with the committee. Yes. Right. It hasn't, it hasn't been publicly announced, but, uh, it, it won't be too long before it gets announced.
Ashish Rajan: Fair. I'll look out for that.
Caleb Sima: Sounil, if people wanna use Open[01:05:00]Claw, what's your recommendation, do you think? Zero Claw, Null Claw, like, okay, like the functionality is good, but I don't want to use that piece of junk. What, what, what do you recommend? What, what do you think is the right project to go after?
To use?
Sounil Yu: Uh, you mean between, uh, well, so Zero Claw, again, I think it has Chinese origins. Not that that by itself is bad. That just makes me, you know, a little like, hmm, I wonder. Um, so I looked at Null Claw, NULL Claw, and, um, it, I will say they're comparable in terms of the goals that they have established.
Um, both are open source, so you can look at, you'll be
Caleb Sima: like, hey, you use Null Claw. That's, that's sort of like a recommendation and.
Sounil Yu: Moreover, uh, uh, Zero Claw and Null Claw, uh, tried to put in a little bit more security on the front end. Okay. So I, I would say, take a look at those, uh, and I'm sure there's gonna be more variants coming in, and no doubt there's gonna be more variants.
But those are the ones that, uh, I looked at and said, okay, I, I want to use these instead.
Ashish Rajan: But to your point, these are just variants of OpenClaw.
Sounil Yu: These are variants of the [01:06:00] architecture of OpenClaw that are compatible with everything that's happening in the OpenClaw ecosystem.
Caleb Sima: So if, but it's built from the ground up to be better.
Mm-hmm.
Sounil Yu: Yes, that's right. And faster.
Caleb Sima: Yeah.
Ashish Rajan: So if security teams who are listening to or watching this, they can literally just go on Null Claw, Zero Claw, depending on the choice of risk that they wanna go with. Install, build it. Yes.
Sounil Yu: Well, or start hooking it up to certain skills. Uh, but you know, keep in mind the OpenClaw or Null Claw or whatever is just, um, it's like, it's like the open, it's like the operating system.
Okay,
Ashish Rajan: yeah. Yeah.
Sounil Yu: Then the real power comes in and all the skills or the apps that you install and now you wanna be much more careful about what skills you're willing to, um, load it up with.
Caleb Sima: Going back to
Ashish Rajan: OpenClaw costs,
Caleb Sima: going back to documentation is now executable files. So
Ashish Rajan: yes.
Caleb Sima: Don't just download 50 skills and then install them
Ashish Rajan: also.
I mean, the cost is a factor as well. I think there's, there's so many people paying tens of thousands of dollars because the OpenClaw agent is just, uh, adding up cost. [01:07:00] So maybe cost is something that people should consider as well. Maybe try their Max account. Is that, is that what we are going with, Caleb?
Caleb Sima: Well, I can use the Max account because I built my own version of OpenClaw. Right. That uses Claude Code as its primary engine.
Sounil Yu: Yeah. It's a wrapper. I mean, I've seen a number of wrappers around the subscription, uh, OpenAI subscription, uh, Claude, um, that makes it, treats it like an API.
Ashish Rajan: Cool.
Caleb Sima: Okay. Alright, now you go wrap up.
Thanks.
Ashish Rajan: Alright, cool. Lucky, just to summarize then, we spoke about OpenClaw. We spoke about Unprompted Con with the NotebookLM link coming soon. We also spoke about the why or how people can approach this AI agent security, code security, with having that general scaffolding as an organization that enables them to, it doesn't really matter what, if OpenClaw 2.0 comes out, or, I don't know, Caleb Claw comes out tomorrow.
Well, well, or maybe Sounil will find out, uh, at the next Unprompted Con, but, uh, at least the, the general [01:08:00] understanding that I'm walking away with from this is that it's a scaffolding that's gonna keep you sane. And I think, yeah, maybe this is for another topic. I feel like the, what is the scaffolding, started at the engineering side, not at security.
We just basically help build it, that support potential as well. 'cause they, they obviously are seeing the same thing as well.
Sounil Yu: Yeah. I mean, scaffolding is engineering. Um, yeah. And good engineering includes potential, uh, a wide range of different threats. Um, natural threats as well as human, human threats. Right.
Ashish Rajan: Sweet. And maybe, uh, just to plug in, uh, yourself, where can people find you, connect with you and know more about the work you guys are doing at Knostic?
Sounil Yu: Uh, certainly the website. So Knostic.ai. Knostic is spelled with a K: K-N-O-S-T-I-C. If you're Israeli, you might call it Knostic, I suppose.
Um, but the K is silent. Um, yeah. And then, uh, both my co-founder and I, uh, Gadi Evron and I, uh, are easily discoverable on LinkedIn. Uh, my, my joke about startups is, you know, I, I started a startup because I wanted to build some amazing [01:09:00] technology that changes the world. It seems like all I do is spend time on LinkedIn.
Ashish Rajan: Uh, well, until, until there's an OpenClaw for LinkedIn. Then you can just, maybe
Sounil Yu: there is claw in
Ashish Rajan: Oh, there there is.
Sounil Yu: Yes, there is.
Caleb Sima: Does it work because you get, you get banned, your account gets banned.
Sounil Yu: Oh, no, I meant, I meant, uh, LinkedIn for, uh, claw bots or OpenClaw? OpenClaw bots. Oh,
Caleb Sima: okay. Got it. Got it.
Sounil Yu: Got it. I think it's called Link Claw or something like that.
Ashish Rajan: There's a Link Claw. Oh my God. What, what is the world coming to, man? Oh, anyways, well let us know in the comment section if you wanted us to do an expanded episode on this. Uh, maybe actually maybe dive into OpenClaw on the episode. Comment, uh, we've been getting a lot of requests on the previous episodes to do an expansion on Pepper AI and stuff as well, so we're definitely gonna cover that someday.
But for now, uh, thanks. Thank you so much for your time, Sounil, and, uh, I look forward to talking more about this. Thanks so much.
Sounil Yu: All right. Thanks for having me.
Ashish Rajan: Thank you for watching or listening to that episode of AI Security Podcast. This was brought to you by Tech riot.io. If you want to [01:10:00] hear or watch more episodes of AI Security Podcast, check that out on aisecuritypodcast.com.
And in case you're interested in learning more about cloud security, you should check out our sister podcast called Cloud Security Podcast, which is available on cloudsecuritypodcast.tv. Thank you for tuning in, and I'll see you in the next episode. Peace.