FromNoise2Signal

EP 7. The History Of Vulnerabilities w/ Brian Martin. From 1993 to Current Era.

Mehul Revankar — Wed, 20 May 2026 01:20:56 GMT

In this episode, we sit down with Brian Martin — 33-year vulnerability historian and longtime OSVDB maintainer — to trace the chasm between what CVE actually tracks and what's really out there. Brian explains why VulnCheck's KEV is 3.5x bigger than CISA's, why the real public vulnerability count is missing somewhere between 500K and several million entries, and how he personally mined 105,000 vulns out of changelogs and bug trackers. The conversation digs into the manufactured 2024 funding crisis, NVD's quiet abandonment of a 30,000-vuln backlog, why CVSS V4 is a "train wreck," and the LLM-driven vulnerability spike about to dwarf the fuzzer era. They close on the 1903 Marconi wireless telegraph hack — the first documented exploit-in-the-wild.

EP 6. Meme King. Covering AI, Cybersecurity, Acquisitions & everything in between w/ Pramod Gosavi

Mehul Revankar — Wed, 13 May 2026 21:49:40 GMT

In this episode, we sit down with investor Pramod to break down the deals, valuations, and strategic plays reshaping cybersecurity and AI. Pramod unpacks Nikesh Arora's "sell-to-me-or-I-build-it" M&A playbook, the dirty economics behind AI darlings like Cursor and Claude Code, and the looming SaaSpocalypse pitting AI startups against legacy vendors for the same IT budget. The conversation digs into Nvidia's circular money flow with OpenAI, Anthropic, and CoreWeave, why this AI cycle is the inverse of dot-com, and a sharp take on why Cloudflare commands the highest multiple in security while Okta leaves money on the table.

EP 5. Past, Present & Future of CISA KEV w/ Patrick Garrity

Mehul Revankar — Mon, 11 May 2026 00:19:41 GMT

In this episode, Mehul sits down with vulnerability management influencer Patrick Garrity to unpack the rapidly shifting landscape of vulnerability exploitation. Patrick discusses how his unique data visualizations put CISA KEV on the map, but reveals the hidden limitations of the federal catalog today. He breaks down the recent geopolitical and funding crises paralyzing NIST’s NVD, highlighting how the private sector and projects like CISA's Vulnrichment are stepping up to fill the data void. The conversation also explores how MFA pushed threat actors toward network edge exploitation, the alarming reality of shrinking zero-day timelines, and why "exploitable by AI" might soon become the ultimate threat metric. Finally, they cover the looming impact of frontier AI models on mass bug discovery and how incoming European regulations will force companies to disclose active exploits within 24 hours.

In this episode, Patrick shares:

[00:01:48] How his unique data visualizations ultimately put CISA KEV on the map.
[00:02:37] His journey from sales engineering at Duo to becoming a vulnerability data storyteller.
[00:06:24] The early struggles of trying to contribute real-world exploit evidence to CISA KEV.
[00:08:38] What the pre-CISA KEV era looked like, including scraping Twitter feeds for intel.
[00:10:09] How SOC teams literally used a journalist's tweets as their primary exploitation feed.
[00:11:48] Why the federal CISA KEV catalog only tracks ~1,500 exploits.
[00:15:09] Why ENISA KEV's tiny catalog of 15 matters more than the label.
[00:14:12] When VulnCheck’s CEO decided to give away their valuable commercial KEV data.
[00:16:42] The death of Flash, IE, and Word macro exploits—and the rise of edge attacks.
[00:18:25] An analysis of the Progress MOVEit attacks and the rise of "smash-and-grab" extortion.
[00:23:24] Getting mocked for joining VM in 2022 because the industry thought it was "solved."
[00:27:56] The funding crises that brought global CVE enrichment at NIST NVD to a halt.
[00:34:05] The night the CVE program almost lost its funding entirely.
[00:36:05] How 32K unenriched vulns were reclassified as "not scheduled" to clear their backlog.
[00:41:40] The terrifying metric showing 26% of exploited vulns see action before a patch exists.
[00:43:10] The rapid evolution of AI-generated bug reports from "slop" to legitimate.
[00:48:02] Why "exploitable by AI" might replace CVSS and CISA KEV as the ultimate metric.
[00:50:58] How Anthropic's Glasswing successfully found 300 real vulns in Firefox.
[00:53:12] The possibility of attackers stealing proprietary source code specifically to feed into AI.
[00:53:31] Why AI tools shipping without security in mind will become the next leakage problem.
[00:54:38] War stories from the ProxyLogon exploits and the FBI's unprecedented interventions.
[00:56:30] The time CrushFTP got mad at VulnCheck just for assigning a CVE ID to a vuln.

EP 4. Past, Present & Future of Risk Based Vulnerability Management with Ed Bellis

Mehul Revankar — Thu, 30 Apr 2026 19:46:23 GMT

Ed Bellis is the visionary who essentially created the Risk-Based Vulnerability Management (RBVM) category in 2010. From his days as CISO at Orbitz to founding Kenna Security in a market that didn't yet know it needed prioritization, Ed has consistently pushed the boundaries of cybersecurity. In this episode, Ed unpacks the grueling reality of convincing early investors and customers to put their vulnerability data in the cloud, the game-changing pivot that gave Kenna true product-market fit, and the candid truth behind what went wrong after the massive Cisco acquisition. He also dives into his new venture, Empirical Security, the role of AI in "eating the scanner," and why the industry needs to finally ditch the fear-mongering.

EP 3. The Face of New Media for Cybersecurity with Cole Grolmus, Founder Strategy Of Security

Mehul Revankar — Thu, 30 Apr 2026 19:45:17 GMT

Cole Grolmus is the ultimate "N of one" in cybersecurity media. After a decade at PwC and a failed startup, he hit reset, writing a 65,000-word reflection that birthed Strategy of Security. Today, he cuts through the industry noise with brutally honest, deeply researched strategy analysis. In this episode, Cole breaks down his viral cybersecurity ecosystem map, the dangerous reality of blitzscaling, and why the AI revolution won't wipe out heavyweights like CrowdStrike. We also get an inside look at how he completely reinvented his independent media empire using advanced AI agents.

EP 2. Past, Present and Future of Offensive Security w/ HD Moore

Mehul Revankar — Thu, 30 Apr 2026 19:44:10 GMT

HD Moore started the Metasploit framework project in 2003, forever changing the game on offensive security. Today, he serves as the CEO of runZero, mapping out global networks from behind the firewall. In this episode, we dive into the scrappy early days of internet security and dumpster diving for computer parts, why the AI revolution might make traditional vulnerability research and CVEs obsolete, and the brute-force reality of modern cybersecurity venture capital. We also explore how HD's deep technical roots helped him build runZero to $1M ARR as a solo operation, plus he shares the hilarious history of how the Blaster worm broke the internet using Metasploit's default port.

EP 1. Bromure Secure Browser, Nessus Origins, Overbearer Proxy, Coding with AI, Fundraising in AI

Mehul Revankar — Thu, 30 Apr 2026 00:37:39 GMT

Renaud Deraison started the Nessus project in 1998 and co-founded Tenable, fundamentally changing how the world handles defensive cybersecurity. Today, he is leveraging AI to build and ship open-source security tools in a matter of weeks. In this episode, we dive into the early days of internet security and hardware scarcity , why the AI revolution might make traditional AppSec obsolete , and the exit pressures of the modern VC landscape. We also explore how deeply technical founders are gaining an "unfair advantage" by knowing exactly how to guide AI agents , plus Renaud shares the hilarious honeypot story that led to his new secure virtualized browser, Bromure.