Why Asset Intelligence is Replacing the CMDB & Static Dashboards

View Show Notes and Transcript

Why do CISOs still struggle with asset intelligence in 2026? Despite decades of security tooling, most organizations still have a massive 40% "dark matter" blind spot in their environment and the explosion of ephemeral AI agents is only making it worse.  In this episode, Ashish and Caleb sit down with Joe Diamond, CEO, Axonius to discuss the evolution of the asset space. We explore why traditional CMDBs (which track business processes and IT hardware) fall short for cyber asset attack surface management (CAASM), and why the industry is shifting from static asset inventory to dynamic asset *intelligence*. Joe spoke about how AI agents whether they run for five minutes or five months must be treated as a distinct asset class, complete with their own access logs and token utilization tracking.  The conversation also goes into the future of enterprise software interfaces. Joe predicts that within three to five years, the traditional dashboard UI will completely disappear, replaced entirely by natural language prompts and AI-driven BI. Finally, we tackle the "Build vs. Buy" dilemma: if AI can integrate tools in five minutes, why do we still need vendors?

Questions asked:
00:00 Introduction
01:50 Joe Diamond's Background and Journey into Cybersecurity
02:50 Why Asset Management is Still an Unsolved Problem
04:00 The 40% "Dark Matter" Blind Spot in Enterprise Environments
05:30 How Do We Actually Define an Asset?
08:30 CMDB vs. Asset Intelligence: Understanding the Delta
12:30 Defining AI Models and AI Agents as an Asset Class
15:30 Do Ephemeral AI Agents Need to be Tracked?
18:30 The "Time Machine" Feature: Tracking Asset Configuration Drift
20:30 Use Case: Remediating the CrowdStrike Outage Using Asset Intelligence
23:30
Why You Need Asset Intelligence if You Already Have CSPM/CNAPP
31:30 The End of the UI: Why Dashboards Will Be Replaced by AI Prompts
36:30 A Simple 3-Question Framework for AI Asset Management
38:30 Build vs. Buy: Why AI Cannot Operate and Maintain Software

Joe Diamond: [00:00:00] There's some very high percentage, roughly forty percent, of what they think of as like dark matter and what they don't actually know about.

Ashish Rajan: I always thought we have solved the asset problem. Why are we talking still about asset management as a whole industry even today after all these years? If

Joe Diamond: you ask your average CISO, like, is this a problem that they have solved?

Joe Diamond: The answer is a resounding no, basically every single time.

Caleb Sima: Asset identification and understanding your landscape is the most critical thing you could possibly do.

Joe Diamond: We'd be having a different conversation, not fully appreciating how quickly this is going to come at us.

Caleb Sima: With AI, you can build, but at least today you can't operate and manage.

Joe Diamond: I actually do see in the next three to five years the traditional UI going away and everything basically becoming a prompt. This is not the movement of on-prem to cloud. This is like the creation of the internet.

Ashish Rajan: How do you define assets when it comes to AI? Is it something that is ephemeral? Is it something that is running for hours versus minutes, or is it just a prompt?

Ashish Rajan: We explored the evolving world of asset intelligence exposure management when it comes to AI [00:01:00] with Joe Diamond from Axonius. Caleb and I spoke about the change that asset management has gone and why some parts are still unsolved and what parts remain as asset intelligence continues to evolve more than just a CMDB, and where is the future going with this.

Ashish Rajan: All that and a lot more in this episode of AI Security Podcast. As always, if you are listening or watching an episode of AI Security Podcast for the second or third time and have been finding it valuable, I would really appreciate if you take a quick second to drop a follow, subscribe whichever podcast platform you're listening to on.

Ashish Rajan: We are on Apple, Spotify, YouTube, and LinkedIn. I hope you enjoy this episode, and thank you to Axonius for sponsoring this episode of AI Security Podcast. Talk to you soon. Peace. Hello, and welcome to another episode of AI Security Podcast. I've got Joe Diamond with me. Hey, man. Thanks for coming on the show.

Joe Diamond: Thank you. It's a pleasure to be here.

Ashish Rajan: Maybe to quick start, if you could just give a bit about yourself, your professional background, that'd be great to hear.

Joe Diamond: Yeah, sure. So, uh, I've been in cyber quite literally my, my entire life. Was the nerdy kid, you know, coding as an eight-year-old in my room, built a bunch of server network infrastructure as a, as a child, as a nine-year-old.

Joe Diamond: Uh, had an IT and cyber consultancy as a, as a 15-year-old, [00:02:00] so this has literally been in my blood since the very beginning. Went into product before it was even called product, and then have kind of been in the industry since on, on the software, vendor side, and working for companies like, you know, Proofpoint, uh, Okta, RiskIQ, before, uh, I joined Axonius.

Joe Diamond: So yeah, been a, been a, been a long history of doing a bunch of things. I've run almost every function under the sun at this point, everything from, you know, product to product strategy, to product marketing, to being a, like I said, a practitioner myself, to sales, marketing. So, been around the block a little bit on the cyber side.

Ashish Rajan: Awesome. And maybe this is a good way to transition into something that has been in cybersecurity for a long time, which is the whole asset conversation, right? I think maybe to start off with, I always thought we have solved the asset problem. Why are we talking still about asset management as a whole industry even today after all these years?

Ashish Rajan: You know, y- This is, this is a tricky question, but- Y-

Joe Diamond: i- is, is it though? I mean, I, I'll, I'll actually flip that back at you, Ashish. What, what made you think that problem was solved, out of curiosity? Oh, I,

Ashish Rajan: I was obviously- Kyler, by the way, same question for you as well. I was, uh... Yeah, yeah, yeah. I was, uh- Oh, I didn't say [00:03:00] that

Caleb Sima: comment.

Caleb Sima: I didn't say

Ashish Rajan: that. Yeah, yeah, yeah. Come on, guys. Come on.

Caleb Sima: I just wanna make that clear.

Ashish Rajan: I was trying, I was trying to lay- That was Ashish who made that comment. I was trying to lay the foundation for why it's one of the hardest conversations. Instead of asking why is it one of the hardest thing to solve, I was gonna flip that by saying that, hey, 'cause you know, most people, and this is probably people who are new to cybersecurity or have been in cybersecurity in different parts of cybersecurity, they almost always feel, "Why do we still talk about asset management?"

Ashish Rajan: It should be obvious that Ashish owns a particular resource, and I'm not even talking about IoT devices, OT device. I'm answering your question, Joe, by the way. Yeah, no, it's totally fine. You can

Joe Diamond: take it wherever you like. It's your show. Yeah,

Ashish Rajan: yeah, yeah. So I think that's where I was coming from. It's like why is it that we're talking s- about asset management?

Ashish Rajan: Like obviously the transition between data centers, cloud, and now AI, I'm curious to see from your part from your experience, from what you're seeing- Yeah ... how different is asset management in the kind of the trajectory it has had? All these years

Joe Diamond: Yeah, I mean, I think maybe one of the, one of the challenges is that some people think that it's a solved problem, and it, [00:04:00] it never was a solved problem, let alone being an exacerbated problem by AI and cloud and mobile and all the other different sort of like attack surfaces that have been introduced over time.

Joe Diamond: This was never something that was particularly well solved. When you think about like the old asset management space, it was solved by, you know, having agents on devices or network sensors. You're not gonna have an agent on every device, and not every, you know, asset is gonna be working off of networks that you control.

Joe Diamond: So in my experience, you know, in most of my conversations recently, which is like numbers in the hundreds frankly, you ask your average CISO, like, is this a problem that they have solved? The answer is a resounding no basically every single time. And what I typically run into is that there's some degree of confidence about like 50 to 60% of like their coverage and the understanding of what their environment looks like, but they kind of recognize that there's, you know, some very high percentage, roughly 40%, of what they think of as, like, dark matter and what they, what they, what they don't actually know about.

Joe Diamond: So it's kinda like anything else in cyber. I think a lot of the value comes from the blocking and the tackling of the basics that people take for granted and probably don't [00:05:00] do all that well, and frankly have shiny object syndrome and move to, you know, what's interesting without having a lot of the fundamentals solved for it.

Caleb Sima: You know, one of the things that I've always struggled with in talking about this topic is asking people what their definition of an asset is.

Joe Diamond: Yeah.

Caleb Sima: Um, that seem- that is widely varied based on who you decide to talk to.

Joe Diamond: It, it is, and I think, uh, you know, for us, we start with an opinionated view, obviously, because you have to have a target to, to point at in terms of, like, what is an asset, but then you give the customer the ability to refine that based on their own definitions.

Joe Diamond: You know, is a container an asset? Is it not an asset? Is an ephemeral you know, asset an asset? Is it not an asset? Is a device an asset? Like that, there are things that are, I think, less up for debate than others, but there are, are, are some that are gonna vary from organization to organization, and for us it's all about kinda, like I said, having that opinionated view and then giving the organization the ability to refine it however it is that their definitions land.

Caleb Sima: Yeah. I would love to just make sure we tell the readers that in my opinion, asset identification and [00:06:00] understanding your landscape is the most critical thing you could possibly do. And so most people don't understand that. They think that this is, a sort of nice to have, but in reality this is one of the first things.

Caleb Sima: And maybe if we can lay out a little bit of a definition of an asset, because I'd like most people to understand assets a bit differently than they generally do. I like to think of assets as objects versus necessarily assets, and I like to think of it in a stack. There is network layer, right? There is sort of a system layer.

Caleb Sima: There is an operating sort of layer, and then there's an app layer, and then there's a data layer. And I think in all of these layers, there are assets or objects that should be identified, tracked, and managed. And so the obvious ones are the network layers. These are the things with IP addresses, IoT, OT, whatever you wanna call it that have IPs This is pretty obvious.

Caleb Sima: When you start moving up into a system level, this is like infrastructure, cloud, system [00:07:00] services, these kinds of things. At an OS level, these are things sitting on an operating system. These can be applications, these can be libraries, these can be all of these types of things. And then when you go up, up the stack into, let's say, the web application, these are SaaS and SaaS applications and what they run and what sort of APIs that are available.

Caleb Sima: And then data layer, data layer is clearly important as an asset or an object. This is PII, sensitive data, these kinds of things that gets tracked. And so when you think about this in a stack, as a CISO, your job is to first and foremost identify these things in the best way possible so that you know what you have, so you know what to protect and how to track that.

Joe Diamond: Caleb, that's a, I think that's a really great point.

Joe Diamond: I think the, to make sure that you're solving this in the ideal way, it's not enough to have this solved in a point in time form. So like although, like we may align on those definitions, a lot of the time people will basically go off and they'll take a snapshot. They'll take that snapshot, they'll dump it in a spreadsheet, and then they're basically doing manual curation from there.

Joe Diamond: So they may not have had complete coverage in that spreadsheet to begin with, [00:08:00] right? So they still have that delta based off of the definition that we just described. And I think it's important to look at all of these different types of assets, asset classes. So you have your packaged software that is installed on all of your devices.

Joe Diamond: You have your SaaS applicat- applications. You have your identities. You have your IoT and your OT devices. And also you have this new emerging asset class of AI and AI agents. Well, how do you catalog and inventory them? And then how do you move from quote unquote asset inventory into what I think of and what the market has, thinks of right now as asset intelligence.

Joe Diamond: Which is like, okay, now that I have this inventory, what is it that I actually do with it as well? 'Cause, you know, it's not enough to just have the issues or know what you have out there. It's like you have to know what you need to do with it from there too.

Ashish Rajan: Would you guys be aligned in saying that we're not talking about CMDB, right?

Ashish Rajan: A lot of people sometimes confuse too. I love the example of the Excel sheet, Joe, because, uh, having worked in organization with an asset management was literally an Excel sheet. Is this the same as CMDB? 'Cause a lot of people may look at, "Oh, hey, I've got a CMDB. Isn't that the same as an asset [00:09:00] intelligence?"

Ashish Rajan: Are they... Or is that different when people think about assets? It, it...

Joe Diamond: Yeah, it is, it, it is different. And one of, one of the things that I will say is

Joe Diamond: that a lot of customers that I see use Asset intelligence paired with CMDB. So CMDB is also working in most contexts off of network sensors. Network sensors are only gonna have partial visibility or through network scanning, right? So if wherever there's a delta, like BlueLinx as an example is, is one of our, uh, you know, larger customers that use us basically for everything under the sun in our entire platform.

Joe Diamond: They will take the delineation or the delta that they have between CMDB and what it is they, they see with Axonius and flush it from Axonius back into their CMDB. So they, that way they make up that 40% surface area that CMDB was missing.

Caleb Sima: You know what, the one way I've thought about CMDB, or at least I've seen in organizations is you, you could expand your scope of assets.

Caleb Sima: CMDB generally will also include business processes, applications, furniture, hardware, physical itemization, a lot of these things. So like, oh, if I [00:10:00] wanna start a new project, I may have to c- go into my CMDB, insert my description of my project, what I'm doing and what I'm working on, who the stakeholders are, and then submit it.

Caleb Sima: Th- this then to the business or the enterprise can be considered part of the CMDB versus maybe in other organizations or digital assets may not be considered part of that. Your physical desk or chair may not be considered a part of that. So I've seen these two things separated. But Joe, I'd love to know, like, to me that just seems like from a theory perspective, it's just a matter of, again, how you define an asset.

Caleb Sima: And so- It is ... you know, when you think of software, and by the way, I'm gonna allow, we're gonna allow you to talk about your product here in this aspect, but like, you know, like h- hey, can't you just, like does somebody like Axonius or other products include tracking furniture, physical items, just random business processes too so it becomes the CMDB?

Caleb Sima: Or do you really think that, oh, you know, Axonius as a product is truly separated and should be paired with a CMDB?

Joe Diamond: Where CMDB typically leans on [00:11:00] being a much more, you know, IT, classic IT asset management oriented problem, whereas, you know, Axonius leans much more into the cyber and the attack surface management sort of use cases.

Joe Diamond: So We're much less interested in, like you said, the asset tagging for a chair than we are in the IoT device, which obviously represents a, a potential threat vector for any organization. Of which, like we said, most organizations aren't gonna have particularly good capability in terms of making sure they've cataloged, inventoried, and can respond to all the issues- Yeah

Joe Diamond: that exist across all that, and potentially most importantly, how all these different ad- assets intersect with each other, right? So it's like, well, how, what is this IoT, uh, asset interacting with across the network? What identities or service accounts is it using? Is it corresponding with and so forth, which is the other really hard problem.

Joe Diamond: So I think it's also related to, it's like you have to have sort of like a data pipeline that's bringing all these IT systems and security controls together that can sort of do that correlation, enrichment, deduplication, et cetera, as that's another important aspect of it as well. It's like you [00:12:00] don't just want the inventory, you wanna be able to take action, and you wanna know how they're actually interfacing with each other across the board as well.

Caleb Sima: So a great way that I, you know, you can think about it is there's digital asset identification, which is sort of like a living, breathing sort of area where products like Axonius sit versus your CMDB, which is your just IT physical hardware Business process type of system. Is that- Yep ... that's a good way to put it?

Joe Diamond: I, I think, I think that's, I think that's a really good way of framing it and largely it's again used for IT a- asset management sort of use cases, whereas like you're gonna use, you know, an ex- Axonius from a, an attack surface management point of view for more of the cyber-oriented scenarios.

Caleb Sima: Yeah, yeah.

Ashish Rajan: What about the AI model ecosystem then? 'Cause at the, at the moment a lot of people may hear asset management, and you mentioned AI earlier as something that- Yeah ... is an asset. Is it c- obviously there's just so many variations of AI model, AI agent, and can go into any category. How do you guys define assets in terms of AI then?

Ashish Rajan: 'Cause there is AI that is inside my application, there's AI that... Sorry, when I say [00:13:00] inside, integrated into my application. There's an LLM model with an API, and there is the AI agents, then there are, uh, like the OpenClaws of the world that float around in m- multiple people's endpoint. I'm curious to hear your asset definition for in the AI ecosystem.

Joe Diamond: Yeah, so I think there's, there's AI for security, and there's security for AI. AI for security being, like those are the use cases that you are baking into your overall platform, to that is bringing those AI scenarios. So like as, as an example, it's like, "Hey, I have a list of assets. I'm gonna use natural language expression to ask questions of the platform, surface use cases, surface problems, make recommendations for how it is that you actually go off and solve things."

Joe Diamond: But then there's the how are you actually going to secure AI in your specific organization itself. I look at as agents as an asset class in the same way that you look at, SaaS applications as an asset class, identities as a, as, as an asset class, and so forth. I think you're going to want to be able to or need to be able to catalog all of your agents and understand also how they're interfacing across all the different asset classes that we just discussed.

Joe Diamond: What is that AI agent doing [00:14:00] in that downstream SaaS application? What identities is it leveraging? What services accounts is it leveraging and so forth? What did it access? What does it have from an authorization scope perspective? All of this ultimately ties together, which is why I kinda see it as no different than any other asset class.

Joe Diamond: In fact, I think, you know, AI is going to have an entire layer of security controls and solutions no different than any other threat vector has had in the past, right? You know, as mobile operating systems were introduced, like new, you know, new, new apps, new controls were added to the fold. The same is gonna be true for AI

Caleb Sima: I've always actually struggled a bit with being able to answer this question, which is an AI agent, how do we define an AI agent?

Caleb Sima: You know, let me give you sort of where I get conflicted. Do we define an AI agent as an actual running instance of a LLM loop, like Claude Code, right? Like, or is it the actual Claude Code app itself? Or is it a role as a prompt? Is that considered an agent, right? Like, you can build a skill. A lot of people build [00:15:00] skills as agents, right?

Caleb Sima: That obviously then run. Or do we think of it as just the actual execution or loop, the actual Claude Code, the actual Codex, the, you know, Claude Code for Work. Like, how do we, how do you define that this is an independent agent that should be an asset that's tracked?

Joe Diamond: It's a good question. It's kind of also the nature of, like, e- ephemeral versus not in some w- cases, because, like, the question there a little bit is, is it being run one time, or is it being run like, in perpetuity, running specific use cases and scenarios to some extent?

Joe Diamond: Um-

Caleb Sima: Yeah, like roles, skills- Yeah ... or roles w- are, are, quote-unquote, could be s- very different agents. Exactly. Like I have a property manager product management role, a CEO role, a whatever, are these considered separate agents or one instance that just-

Ashish Rajan: Or even the agents that Salesforce third parties have as well, like your Salesforces of the world, Notions of the world

Caleb Sima: Notions, yes.

Caleb Sima: Yeah, yeah.

Joe Diamond: Well think about it this way. Like, for a container that gets spun up to deal with load for seasonality because, you know, uh, you're, uh, you know, you're a [00:16:00] consumer app and you're running a sale or whatever, and you have to bl- run up some additional nodes to deal with the demand. Would you wanna track those containers as assets just because they're up for a short period of time?

Joe Diamond: Like, those are still a part of your attack surface even if they're up for only, say, 24 to 36 hours. I think the same is true for an agent that is wanting just one specific task short part of time, 'cause you still wanna catalog it, you still wanna know what it did, you still wanna have some sort of root cause analysis if something does go wrong with that agent.

Joe Diamond: So I think it's probably an and in this case, not an or. Now you may say that one is a higher priority than the other, but I think we'll end up in a world in which most organizations are looking at being able to have and needing to have visibility in both of those things. Now, I think the definitions are up in the air, and I think frankly, all of us are learning this together, right?

Joe Diamond: This is new, and I think if we were having this conversation nine months ago, we'd be having a different conversation, not fully appreciating how quickly this is going to come at us in the way in which it did. I mean, are you guys not surprised by this as well? It's come at us fast and hard. I

Caleb Sima: can't, [00:17:00] I can't keep up.

Caleb Sima: Yeah. I mean, it's every- Exactly ...

Ashish Rajan: it's part of my job is to

Caleb Sima: keep up and I can't keep up. I mean, we, we were

Ashish Rajan: supposed to do the podcast and- Exactly ... yeah, I was gonna say that one of the reasons we started this podcast was to keep up with it, and now we are like, it's been, what? Three years now? We're still trying to keep up with it.

Ashish Rajan: We haven't achieved the goal yet. Three.

Joe Diamond: You can spend two, three hours a day. Has

Ashish Rajan: it really

Joe Diamond: been three years? Yeah, yeah, three years. This has been running for three years? Good God, time does run. Three

Caleb Sima: years.

Ashish Rajan: Yeah, yeah.

Joe Diamond: Three years ago this was in its infancy, and like a lot, it feels like a lot of the growth has come, like I said, like in the last nine to 12 months, and now- Yeah

Joe Diamond: you can spend three hours a day on this and you're still gonna be behind.

Ashish Rajan: Oh my God, yes. Yes, that I agree with. But I think you had the right, had said the right thing, Joe. I think we are, in a way it is an unexplained Depending on what the appetite of the organization is, maybe the AI agent definition may evolve.

Ashish Rajan: But do you see it as the same to what you said, that the time that it runs and whether you as an organization care about it doesn't really matter if it's ephe-ephemeral or not, as long as it has executed and it has a role attached, it should be classified as an asset. Is that, is that how you would define it?

Joe Diamond: Yes. Now, it might be, it might be [00:18:00] cataloged differently, as in like, "This is an asset that we saw," but it, it's not an asset that is live anymore. Just so you can see it, right? So you can at least have that sort of like inventoried and mentioned and have, a record of it. Yeah. But I do think that is an asset that organizations are going to want and need to account for, from a security perspective.

Joe Diamond: And then also, like from an IT standpoint and a governance standpoint and a risk standpoint, you probably still wanna understand like token utilization and things of that nature for that as well. I think that's all in scope.

Caleb Sima: You know, Joe, I haven't I haven't been in an operating role in quite some time, so I'm a little bit behind on the current state of asset identification.

Caleb Sima: But one of the things I know that I always wanted, and I'm, you know, hopefully that this is, this now exists, but is the ability to sort of, time clock or get a history of an asset and its state and its configuration in the past. So for example, I could look at a container that's running, and let's say it's been running for six months, that there are snapshots.

Caleb Sima: I could see that, oh, new ports opened up, month and a half [00:19:00] ago that w- didn't exist two months ago on a service or, or an asset, and be able to sort of like... What was that, what was Apple's sort of like, uh, backup thing called? What was that? Had a good, uh, way back in the day, it was called like a- Oh

Caleb Sima: Time Machine. Like an- Time Machine ... like an i-

Joe Diamond: oh, yeah, yeah. Time Machine. Yeah, yeah, yeah. Yeah, Time Machine. That's right.

Caleb Sima: Yeah, Time Machine, where you could go back and look at where the asset and its state was at that time. Is that something that's, existing today?

Joe Diamond: Yeah. So it does exist today. Uh, so the way that we work is we do fetches and it's all bidirectional API integrations with all the downstream services, and those, those fetches are effectively time-bound and time-based.

Joe Diamond: So we can see the deviation in configuration across any single one of the asset classes in between each of those fetches. Yes. So you have the ability to sort of like check for the delineation of like, oh, what, what has changed from a port perspective? Like, this port was opened here, but it wasn't before, and as a result, there's now an attack path that has been opened as a result of that port being open.

Joe Diamond: Yeah. And again, the beauty of it is, is you see that all correlated to all the different [00:20:00] asset classes. Because again, any one asset class by itself is interesting. Where it gets really interesting is where it's paired with the other asset classes.

Caleb Sima: Yeah. And you can, you can query your graph so you can see the connections and what ha- what has occurred over that period of time, right?

Joe Diamond: Exactly.

Caleb Sima: So one of the other things is that a lot of people think initially to your, original point, is you do this as this sort of snapshot, and you get this data and this information. What do you now use it for? What have you found to be sort of the top use cases that has been the most impactful in being able to have this sort of asset knowledge base at your fingertips?

Joe Diamond: Yeah. So I mean, there's, there's a bunch of different scenarios and use cases that come to mind. One of the ones that is, like, absolutely clearest is, is agent coverage or continuous control monitoring as an example. So, you know, just as a simple example, you have, uh, using CrowdStrike from, you know, endpoint security perspective.

Joe Diamond: You wanna make sure that you have 100% coverage of, [00:21:00] of CrowdStrike deployed on every single one of your devices. As it turns out, when you started with us you only had 50 or 60% coverage. You're gonna use Axonius as sort of your orchestration engine, not just for identification, but also orchestration of here's the 40% delta of the devices that didn't have CrowdStrike installed on it.

Joe Diamond: You're gonna use us to basically automate the deployment of CrowdStrike paired with your deployment tool of choice to get that 40% delineation in place. Now, there's a bother- a bunch of other areas where that actually services a massive benefit, like in the case of, uh, when CrowdStrike had their, you know, their challenge, you know, with, uh, with the update that kinda took down the world for a little while there.

Joe Diamond: Customers that were using Axonius in that period of time were able to use Axonius to identify all of the different devices that were running that specific version of CrowdStrike for the devices that were bricked, and then go and quickly remediate and fix that effectively instantaneously. So organizations that had Axonius in place were able to rectify that issue in days rather than in some cases you had organizations that were taken down for multiple days or even in some cases longer, you know, as a part of that.

Joe Diamond: So that's one of the, yeah, that's one of the absolutely core use cases as a part of Axonius for [00:22:00] sure. Another one that comes to mind is, you know, it's, it's one thing to have the always up-to-date inventory. The what you do with it also rests in prioritizing sort of the vulnerabilities and the risks that exist across that inventory, right?

Joe Diamond: What we give organizations the ability to do is basically, okay, here's like your top 10. Like you may have hundreds of thousands, if not millions of vulns that exist across your entire estate, but here's your top 10, not just based on the CVEs or the CVE scores that are associated with it, but also based on this is on a public network, this is exposed as a result.

Joe Diamond: You need to actually weigh that in the prioritization for your response. Also weighing it based on, there's misconfiguration in a downstream cloud application, for example, or MFA is not enabled. There's any number of use cases there. At the end of the day, we are a really robust data platform that surfaces Quite literally thousands of use cases, and there's very top universal scenarios by which people use us.

Caleb Sima: Those are just a, an, an example of a couple. Uh, raising and identifying the vulnerabilities, misconfigurations, the reachability, [00:23:00] obviously point of this aspect. Ashish, you were gonna say something before I go

Ashish Rajan: jump in. Uh, uh, y- yeah, no, that's okay. I was gonna, I was gonna ask in terms of, I almost hear- heard two, three...

Ashish Rajan: I heard about the link between asset and vulnerability misconfiguration, 'cause obviously you have access to the cloud information, you have access to the assets, and the gap between what the coverage is. I think for me over there, it was an interesting one because obviously a lot of people who are enterprise today, they already have, let's just say CSPM, CNAPP, whatever category you wanna put in there as well.

Ashish Rajan: Why go down that path of, uh, linking the assets and for lack of a better word, uh, me as a person who's making a decision today, I already have, you recently mentioned Crowdstrike earlier- Yeah,

Caleb Sima: why... I already have Wiz, why wouldn't I just use Wiz for this, you know, as a-

Ashish Rajan: I, yeah, and I, I'm trying to come from a perspective more for...

Ashish Rajan: 'Cause a lot of people already are customers of a lot of these solutions already. Like, what made you lean in on the direction for, hey, this is where the industry is going? 'Cause I'm curious to hear your thoughts on this. Is it because there's a gap you noticed, or you found the customers are [00:24:00] still misunderstood?

Ashish Rajan: What made you, uh, lean in on then that direction, ar- artistically? Yeah.

Joe Diamond: Yeah, no, it, it's a great question. It's a fair question. So I think the reality is, is like when you, like you said, you, you have a Wiz for that, and that's it, and that's great. When you're using and leaning heavily on, on, you know, AWS or, or, or GCP, like that makes a lot of sense, but, Office 365 is a downstream cloud application you have to worry about as critical infrastructure as well, and there's, Salesforce and like, you know, hundreds of other cloud applications that you have to lean into too.

Joe Diamond: Those are all just downstream cloud apps for us, and we just look at those, again, as another asset class. And also, again, correlating that down to the identity, down to the assets that have access to those. It, I- it's really important to be able to pull all of these different data sources together in one view and manage that correlation enrichment as a part of, like, one singular data pipeline.

Joe Diamond: So, like, we actually look at this from a completely neutral way. Like, we have an in- we have integrations with Wiz As an example, like we don't, we don't compete with Wiz. So we maintain sort of like that Swiss mindset of, uh- Oh ... all of our customers, most of our customers are actually going to use Wiz, and we're [00:25:00] actually gonna manage that as an integration as well.

Caleb Sima: And Wiz is just one layer, the infra layer, um- Exactly ... in that sense of the stack, right?

Joe Diamond: Exactly. So if, if, if customers wanna use Wiz for those use cases, we're more than supportive of that, and see that as actually an enablement layer for our story of, of adopting best in breed.

Ashish Rajan: I was just, I was just gonna say, I think it, where I'm ta- what I'm taking away so far is that when people think about asset intelligence, they just not need to think about the definition ,of assets as you were talking about, the AI agents and everything, but also the integration to the existing ecosystem that they have to pull in all that data that they already draw in, but perhaps are not able to create a mind map or to make something useful out of it apart from the fact that, "Hey, I know I have 20,000 assets."

Ashish Rajan: That makes sense.

Caleb Sima: Which makes me excited if I have this for one particular reason. Ashish, do you know why?

Ashish Rajan: We have spoken about this before, but I think I'll let you speak about this.

Caleb Sima: Now, like this is a phenomenal context for AI, right? Yeah, that's... Yeah. Like, the first thing I wanna do is I wanna hook Claude Code up to this system, right?

Caleb Sima: [00:26:00] Like any system or software that has the level of asset intelligence that we're talking about here would be phenomenal in its ability to be able to make smart decisions and monitor and understand what's going on. So Joe, tell me how do, does these products or your product in specific We're also gonna allow you to talk about Axonius here.

Caleb Sima: How in AI does it... Are you allowing this this sort of integration and compatibility?

Joe Diamond: Yeah, so there's a bunch of different ways, and, and thank you for allowing me to talk about Axonius in this case as well. ... No one wants to, to buy anything here, so I promise I'm gonna sell anything We wanna

Caleb Sima: keep it, you know, we, we wanna make sure it doesn't sound like a sales pitch to, to everybody.

Joe Diamond: It should never sound like a sales pitch. Uh, I, I, I'm honestly a really big believer in, in, you know, delivering value in these conversations, and then that tends to lead to very naturally good conversations, right? So I think that the context that you can get from Axonius, where you, you can't really get that data and that context in any other way without a lot of manual curation, is the, is, like, really the ground truth for AI.

Joe Diamond: So the way that we're solving this is we're gonna have integrations, [00:27:00] of course, with all of the downstream

Joe Diamond: so agree with you 100%, Caleb. This is the net of it. We think the... We know the context that we bring is going to be, you know, very helpful in terms of helping all of the compensating controls that exist across the organization make informed, more informed decisions as a result of having the context in Axonius.

Caleb Sima: Yeah, I mean, it's extremely powerful, right? Like, I find that, y- you know, we know the, Ashish and I, we have, we've talked many times about the fact that, you know, today, AI or AI agents per se are very, very good at, I would say, two things, obviously building, coding, and being able to do that, and then number two, I think being able to do automation of just standard workflows in some sense with some reasoning.

Caleb Sima: But the thing that AI has really lacked is its ability to operate and manage, right? It doesn't have the ability to understand the context of very large infrastructure systems capability to operate and manage, and if you can bring, you know, the ground truth [00:28:00] of- Here is how everything's laid out, here's how it works, here's the history of how it all works, here's the configuration of how it all works, and then how it's changing, then I think that really helps AI to reach that next level of, oh, I can now write an agent in Claude Code that can potentially manage or operate systems by being able to have that context, which is super exciting.

Joe Diamond: Couldn't have said it better myself, Caleb. It's the it's the context that gives you the faith in taking action on things as well, even from a manual curation perspective, let alone, you know, automation or orchestration with agents, right? So I mean, we've been talking about automation in cyber for how long, and there's a lot that's still done through manual curation, right?

Joe Diamond: Like, you guys know that as well as anyone.

Ashish Rajan: I have an interesting question, Bay, just to piggyback on the same tech conversation about AI usage. I'm curious about your vision for where this would go, 'cause obviously you are seeing a lot of customers use your asset intelligence and the product you guys have.

Ashish Rajan: We're also seeing a lot of AI forward companies thinking about, hey, moving forward, I just wanna use [00:29:00] these intelligent data points or platforms, if you wanna use that word as a source for me to make an informed decision about my organization. Where's your vision with how the platforms would evolve on how AI would be consuming information that you guys provide and the ecosystem provides in general?

Ashish Rajan: Do, do, do you have some insights there in terms of what you're probably seeing with some of the customers already?

Joe Diamond: Yeah. I think, you know, at, at the end of the day, I think best of breed is still gonna have very much so a place in our industry. I, I mean, as you guys know, there's a lot of pressure on on organizations right now from a budget perspective, so there is some consolidation that continues to happen from a platform standpoint.

Joe Diamond: I think we're gonna continue to see that to so- to some extent, like that's not gonna change. But I don't think organizations are gonna be completely willing to sacrifice like what amounts to best in breed and the use cases that they get from like really exploring with, adjacent solutions that exist in market to help them solve their problems.

Joe Diamond: I mean, we've essentially bet on that at Axonius, right? I mean, we are, we are a company at the end of the day that enables choice, that enables best of breed, that enables you to adopt whatever control it is that you [00:30:00] want, you know, regardless of, of who the vendor is. So whether it's a relatively small and emerging company that, you know, it, you know, is showing signs of light and addressing key concerns or it's, uh, a large platform player, we're gonna have deep integrations with both of them.

Joe Diamond: So we have- You know, deep integrations with the Ciscos, you know, and the, a- a- and the Wizs and the Googles, and we have deep integrations with the Cyeras as like the late stage startups as an example, and we look at those as, as equal weight. And they're more focused on what the customer and the market needs from us.

Ashish Rajan: So I guess to what you were saying earlier, the asset intelligence kind of platform could become that, the source which is integrates with, say obviously across the, across the organization, across multiple tiers. But- Yep ... with giving you information about the quote unquote exposure that you may have or, uh, reachability that may be lacking at the moment.

Ashish Rajan: But it also allows for me as an AI forward person to be hooking into my, hooking my AI capability into your platform and draw out that information for whatever my AI agent needs to do.

Caleb Sima: Yeah, like, you know, one of the things that I think as a practical example we've [00:31:00] talked about on this podcast before is we have this thesis that states that, the a big security problem or really a- any problem has been the war of dashboards, right?

Caleb Sima: Where Axonius has a dashboard, Cyera has a dashboard, every vendor has a dashboard, and it's hugely problematic, and it doesn't quite show the right data. You can't merge the data, you can't cross-reference the data, and this has become problematic. However, in the world of AI now, AI, what AI is phenomenal at being able to do is sort of create your own BI in that sense.

Caleb Sima: So now when we think two, three years from now, when you think about your product, does your UI, your interface, your dashboard become less important And it become more about the APIs and the things that are available to it so that the enterprise customers are now using AI to just pull the data and customize and merge the data with whatever other products they have to build the dashboard that [00:32:00] suits their style.

Caleb Sima: Like, how do you sort of see that arc or not? Or maybe you could just say, "I don't believe it," maybe a little bit, but I- Yeah, yeah,

Ashish Rajan: totally fine as well if you don't believe

Caleb Sima: it. Yeah, yeah, for sure.

Joe Diamond: It's a great question, and it's one that we've been talking about a lot recently internally, and it's one that I've been exploring with customers as well, and these are some of the largest customers in the world.

Joe Diamond: And I, and, uh, I'm excited about a world that has no traditional UI/UX. So that kind of answers your question on the front end here- Yeah ... and I'll tell you I'll tell you why. It's like I actually do see in the next three to five years the traditional UI going away and everything basically becoming a prompt, effectively.

Joe Diamond: You're asking a question of a platform versus clicking through UI configurat- configuring settings in the traditional world that we're, we all grew up with and what we're all accustomed with as, you know, practitioners. But, I don't think that's gonna change immediately, especially from, like, an enterprise perspective.

Joe Diamond: Like, it's gonna take time to, for them to evolve to these changes. I think you still are gonna have to have pretty good UI/UX for the next three to five years, but I think at a certain point, like once, you know, legal and compliance teams and [00:33:00] whatnot have caught up with all the sort of like emerging requirements and the risks that are coming as a result of the tech- new technologies that organizations are adopting, after that, it's gonna be, I, I think, the traditional UI effectively goes away.

Joe Diamond: We're just gonna be using natural language to express ourselves to every platform. Everything's gonna become, fairly agentic from an orchestration and automation perspective, and it's gonna, it's gonna be quite transformative. I actually look at this from an AI perspective as frankly the biggest change that we've seen in, in the industry in our lifetimes.

Joe Diamond: Like, this is not the movement of on-prem to cloud. Like, this is not, the proliferation of mobile. This is like the creation of the internet.

Caleb Sima: Yeah, yeah. It's, uh, it's we're changing the way software is built and used. Completely. Yeah. Yeah.

Joe Diamond: Completely.

Caleb Sima: And like when you say the interface goes away, like I have one view, but then let me m- make...

Caleb Sima: If I validate this. My view is that dashboards don't go away per se. Dashboards just become dynamically generated based upon the needs and uses of your customer. Or are you talking about the you just have a straight chatbot box and that then becomes the new interface?

Ashish Rajan: Or an API [00:34:00] that you just connect to.

Ashish Rajan: Yeah. Because my, my theory is that it would just be an API that me as a user just plug into. If I'm a SOC person or an OPSEC person or whoever, you know, every time there's an incident comes up, instead of me trying to find out, "Hey, who owns this asset and what else is linked to the asset?" Could be an API call.

Ashish Rajan: And obviously there are three options. Obviously I don't want to cloud your- I mean- ... cloud your answer, but- No, but- ... which one do you lean on?

Joe Diamond: But are they really that different? I mean, what's behind what's behind the, the chat prompt is a bunch of APIs, right? Behind the scenes. So like whether you're doing that from a technical perspective or from a business perspective, you're getting ultimately to the same outcome at the end.

Joe Diamond: A dashboard dynamically populating, is it more useful to have a dashboard that is structured in a way that you asked it to be, uh, initially? Or should you just be asking new and emerging questions via prompt based on whatever it is that you're trying to solve at any moment?

Caleb Sima: And it would produce the dashboard based on your prompt is sort of what you're

Joe Diamond: saying Yes.

Joe Diamond: Yeah, that's exactly what I'm saying. And it's like- Yeah ... it is a sta- I don't think a static dashboard is as useful as we want it to be. I think it's just the way that we've always worked, right? So [00:35:00] it's like we're used to this sort of like dashboard dynamic of like, "Hey, here's my dashboard for my keep my KPIs."

Joe Diamond: But like that was the world of yesterday. I think the world of today is like everything is so fluid and changing so quickly now with how people work, where even like one employee, like leveraging AI properly can become 10, if not more, right? Like it- Yeah ... it, it's an exponent on people. Yeah. So it's like we have to change how it is that we're working and evolve our working styles, and I think that that, that...

Joe Diamond: I think that means the static dashboard, even if it's dynamically populated, is dead. I think it's gonna be more like asking dynamic and fluid questions of the data that you have, and even maybe asking it to tell you things like, "Hey, what am I not thinking about that I should be thinking about? Tell me what I should be thinking about-" Yeah, yeah

Joe Diamond: "because you, you have everything and are able to think." You're smarter

Caleb Sima: than I am, so tell

Joe Diamond: me

Caleb Sima: what-

Joe Diamond: Exactly. Ex- exactly. Exactly. I mean, that is, that is the spirit of like what it is that we're trying to accomplish here, and if an AI is masterful at anything, it's gonna be, you know, really good at pattern matching on effectively a much larger data set that our brains can process.

Ashish Rajan: My, my question was, uh, more for people who are, watching this. It would [00:36:00] be really interesting to hear how do you want people to think about, like the question they should be asking for asset intelligence moving forward. 'Cause obviously we're talking about now there's an AI future that we walk- we're all walking towards.

Ashish Rajan: Some people may be already there or trying to get there. Some people are trying to think about. I truly believe at least everyone has some level of asset management, even if it's an Excel sheet. How should people approach this in an AI world as they're going towards? Are there like some questions people should be asking themselves as they approach this problem today?

Ashish Rajan: 'Cause to what you said, even defining AI agent as an asset is like a multi-layer question that we were talking about earlier. So I'm, I'm curious if you have some simple framework or thinking that you normally talk to customers about so they can think about this as they move forward with the AI world.

Joe Diamond: Yeah, I think, I mean, this is not exclusively just AI. It's been exacerbated by AI, but it's three simple questions. What do you actually have? So every device, identity, SaaS app, cloud workload, OT asset, AI agents, AI permissioned accounts. How do you know what you have across all those different dimensions continuously, and not just as like some [00:37:00] CNDB snapshot, which is only gonna give you partial coverage anyway?

Joe Diamond: So that's question one. Question two is, what are the exposures that we have across that state that actually matter? So this isn't just like a CVE list. It's the combination of, you know, the asset plus the identity, plus the integration, plus the data sensitivity that together is what actually formulates the risk.

Joe Diamond: So that's question number two. And then question three is like, now that you have that information How do you act on it today in minutes? And how do you do that without leaving whatever platform it is that you have a choice? So it's like that gets you to a place of real governed action with an actual audit trail, not like, uh, puts you in a scenario of opening a ticket and hoping for the best.

Joe Diamond: So if you, if you don't know the answer to these questions, like you have to start with number one, like you have to start with sort of like the, this always up-to-date catalog, this always up-to-date inventory, and then you'll get the rest from there But you gotta start with number one.

Ashish Rajan: Caleb, final question before we wrap up, man.

Caleb Sima: Man, I don't know if this is a good final question, but- ... we can, we can rotate it in the audio. Uh- Sure, okay. But I wanted to ask a hard question, Joe. So, as a CEO of a pretty [00:38:00] significant vendor, you know, our talk, AI is very powerful, and it could be very powerful in the hard way, too, which is a couple things we know about AI.

Caleb Sima: AI allows us to do integrations, in five minutes

Joe Diamond: now,

Caleb Sima: right? AI allows us to be, why wouldn't I just write my own agent to do identification, do asset intelligence, do the integrations that I require? Why do I need a vendor anymore? Which goes to the wrap-up of the hard question I think every vendor, has some fear of and deep thought on.

Caleb Sima: I'd love to get your opinion, which is what scares you about AI when it comes to you as a business and as sort of the leader of that business?

Joe Diamond: It's a, it's a good question. I, I don't look at this fearfully. I look at AI as more of a, uh, more of a tailwind and an opportunity than I, than something that I look at as, like, I'm, I'm scared of or the business should be scared of, and I hope most businesses are able to look at it in this context as well.

Joe Diamond: Really, the, the heart of the question that you're asking there, Caleb, is what's the moat? Like- Yeah ... why can't I just, like, go off and [00:39:00] try to replicate, you know, an Axonius? And the answer to that is you can try. You're gonna have to go build 1,400 integrations, and they're gonna have to be very deep integrations, and then you're gonna have to build a data pipeline on top of it that can actually do, you know, the correlation and the normalization, and then the enrichment.

Joe Diamond: And then you're gonna have to figure out, like, how it is that you're actually gonna

Caleb Sima: do this work. Think about it from a customer perspective. Yeah. They don't wanna compete with Axonius as a business, but they may say, "Well, I don't need 1,400. I just need the integrations for my business." And- Yeah

Caleb Sima: you know, that, that may be 50 or 100, and that's good enough to then say I'll go and do it."

Joe Diamond: Sure, and then, like, look, that's the case. It's like a, I'm sure you guys have experimented with, with Claude Code, and you guy- in the same way that I have. It's really great at getting, like, an, that initial concept, out the door.

Joe Diamond: But with enterprise software you guys know that there's a lot to it in terms of, like, updating it, scaling it, keeping it live, handling the enterprise feature functionality. So if that could be everything from, data scopes to, single sign-on or whatever the case may be. There's no shortage of things that you're consistently adding to it and extending it.

Joe Diamond: That's where Claude Code becomes maybe a [00:40:00] little less adept, right?

Caleb Sima: Yeah.

Joe Diamond: So there's, I, I don't think there's any shortage of reasons. Like, there's gonna be a n- a number of use cases that Claude Code is incredibly good at where we can really do phenomenal things with how it is able to extend our speed and our capacity.

Joe Diamond: But I think fully replicating, enterprise platforms is, uh, is not the most obvious one. Now, for certain other types of software, like, collaboration platforms that are solving relatively basic use cases, not very nuanced use cases like Axonius solves It, it becomes a very different conversation very quickly, Caleb.

Joe Diamond: But, uh, at the end of the day, it's, it's really like, you know, how many moats do you have, and do those moats go from being moats into an ocean? Yeah. And if you have an ocean, that's tough ground to cross.

Caleb Sima: Yeah. I think that vibes with what Ashish and I have also kind of- Yeah ... come to this conclusion that the moat actually turns out to be pretty obvious.

Caleb Sima: It's existed forever, which is accountability, the consistency, ability to scale, benefits from other customers. With AI you can build, but at [00:41:00] least today you can't operate and manage, and therefore the... Nobody-- Everyone can build it, but actually they, turns out they don't wanna operate it and manage it.

Caleb Sima: And so this actually turns out to be, "Oh," like, "Oh, I don't wanna do this. I can build it, sure." But like at the end of the day, let's go get someone to go

Joe Diamond: and, and you guys probably know this too the same is the case with software engineers with software that they built with their hands, right?

Joe Diamond: Yeah. It's like they have the, the shiny object syndrome of building the cold thing, the cool thing on the front end- Yeah ... but they don't wanna maintain it either, right? So it, it's funny how that works even when it comes to AI. Yeah. I,

Ashish Rajan: I actually had numbers. Funny enough, I was on a talk recently which Guy, Guy Pope, Caleb and I both know Guypo from Snyk founder, and, uh, funny enough, he's, one of the stats he's had shared was there were 2.1 million Claude Code skills created in the six months that we existed in this 2026.

Ashish Rajan: But n- not a, a lot of them are managed to what we're guy- trying to get to as well. They're actually st- coming up with numbers to prove the point where everyone's creating a prototype, but no one [00:42:00] seems to be willing to maintain, distribute, and as, as I said, to maintain the entire life cycle is a whole 'nother story.

Ashish Rajan: But-

Joe Diamond: That's

Ashish Rajan: right ... I, I think this, that's a great place to wrap up. Uh, where can people find more about Axonius and the work you guys are doing uh, over there, Joe?

Joe Diamond: Yeah, j- uh, check out axonius.com. We're always happy to talk shop about everything, you know, asset intelligence and AI in particular. Love to talk some more.

Joe Diamond: Thanks Ashish and Caleb. It was great chatting with you.

Ashish Rajan: I mean, our pleasure was ours, man. Thanks so much for doing this. Absolutely. Thanks everyone. Thank you for watching or listening to that episode of AI Security Podcast. This was brought to you by Techriot.io. If you wanna hear or watch more episodes of AI Security, check that out on aisecuritypodcast.com.

Ashish Rajan: And in case you're interested in learning more about cloud security, you should check out our sister podcast called Cloud Security Podcast, which is available on cloudsecuritypodcast.tv. Thank you for tuning in, and I'll see you in the next episode. Peace.

No items found.
More Videos