
Insights from recent episode analysis
Insights are generated by CastFox AI using publicly available data, episode content, and proprietary models.
Total monthly reach
Estimated from 1 chart position in 1 market.
By chart position
- 🇨🇦 CA · Technology #85: 30K to 100K
- Per-Episode Audience (est. listeners per new episode within ~30 days): 9K to 30K. 🎙 Daily cadence · 66 episodes · Last published yesterday
- Monthly Reach (unique listeners across all episodes, 30 days): 30K to 100K. 🇨🇦 100%
- Active Followers (loyal subscribers who consistently listen): 12K to 40K
Recent episodes
The Meta AI Hack: Just Ask Nicely
Jun 23, 2026
12m 33s
Washington Calls AI a Weapon: Ghosts of the Crypto Wars
Jun 16, 2026
11m 48s
Damaged Goods: When your new hire is already compromised
Jun 9, 2026
15m 18s
The CRM Goldmine: Inside the Salesforce Breach Wave
Jun 2, 2026
16m 31s
Shadow Agents: When Your AI Workforce Has No Boss
May 26, 2026
28m 53s
| Date | Episode | Topics | Guests | Brands | Places | Keywords | Sponsor | Length | |
|---|---|---|---|---|---|---|---|---|---|
| 6/23/26 | The Meta AI Hack: Just Ask Nicely | Hackers didn’t breach Meta’s systems, they just asked. In this episode, we break down the Meta AI hack, where attackers used a VPN and a politely worded chat message to convince Meta’s AI support agent to hand over more than 20,000 Instagram accounts, including the dormant Obama White House account and the personal account of a senior Space Force leader. No malware, no phishing, no exploit code. We flash back to the 2023 MGM Resorts attack to show how this fits one of the fastest-growing attack trends of recent years — social-engineering the help desk — now aimed at the AI agents replacing human help desks, minus the suspicion we’ve trained into people. We also connect it to the wider wave of attacks targeting AI agents, from zero-click prompt injection in Microsoft 365 Copilot to the PocketOS rogue-AI-agent disaster, and explain why the first real AI security crisis isn’t superhuman AI attackers — it’s ordinary AI agents with too much permission and no ability to be suspicious. Finally, we share five concrete steps to vet and constrain AI agents before they become your soft target. Key Takeaways: 1. Red-team AI agents before they touch production workflows. Treat deployment like a hire: the background check is adversarial testing. If an agent can change account state — emails, passwords, payments — someone must try to talk it into doing so maliciously before launch, the same way you phish-test your staff. The Meta exploit was the first test anyone would write. 2. Stage permissions like a probation period. New agents start advisory and read-only. Write permissions come later, narrowly, after monitored performance — and account recovery is the last workflow to automate, not the first, because it is the highest-value target in your environment. Meta granted end-to-end authority on day one. 3. Enforce identity verification in deterministic code, not in the model. The agent can request a recovery-info change; it must never approve one. Step-up verification (re-authentication, hardware key, code to the verified channel on file) belongs in the API layer, where no amount of persuasion can waive it. Prompts are advisory — the PocketOS agent quoted its own rules while violating them. 4. Scope every credential and action an agent can reach. Least privilege per task: an agent that answers support questions doesn’t need email-change rights; a coding agent’s token shouldn’t reach production or backups. An agent’s blast radius is what it can ingest, what it can access, and what it can do — audit all three before attackers map them for you. 5. Keep a human escalation path that the agent can’t lock. Meta’s automation removed both the suspicious human who would have questioned the request and the human a victim could appeal to afterward. Mandate an out-of-band recovery route — one the agent has no permissions to modify — before automating any account-security workflow. Resources: 1. 404 Media: Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked. https://www.404media.co/hackers-simply-asked-meta-ai-to-give-them-access-to-high-profile-instagram-accounts-it-worked/ 2. MIT Technology Review: The Meta Hack Shows There’s More to AI Security Than Mythos. https://www.technologyreview.com/2026/06/05/1138437/the-meta-hack-shows-theres-more-to-ai-security-than-mythos/ 3. TechCrunch: Instagram Is Alerting Users Who Were Targeted by Hackers During AI Chatbot Attacks. https://techcrunch.com/2026/06/03/instagram-is-alerting-users-who-were-targeted-by-hackers-during-ai-chatbot-attacks/ 4. Silicon Republic: Hackers Stole More Than 20,000 Instagram Accounts Using Meta AI. https://www.siliconrepublic.com/enterprise/hackers-stole-more-than-20000-instagram-accounts-using-meta-ai 5. EchoLeak (CVE-2025-32711): Zero-Click Prompt Injection in Microsoft 365 Copilot — Case Study. https://arxiv.org/abs/2509.10540 | 12m 33s | ||||||
| 6/16/26 | Washington Calls AI a Weapon: Ghosts of the Crypto Wars | Three days after Anthropic put its most powerful AI models in public hands, the U.S. government invoked export-control authority to bar foreign nationals from Fable 5 and Mythos 5. The result: Anthropic was forced to shut both models down for everyone, worldwide. We dig into what actually triggered the order, why the only outside expert known to have read the underlying report calls it an overreaction, and how the fight echoes the 1990s crypto wars, when Washington branded encryption software a weapon and investigated the people who shared it. For security leaders, we close on what to do about single-model dependencies, AI that can be talked into misbehaving, and a capability that's already global no matter what any export rule says. Key takeaways for security leaders 1. Don't let a single AI model become a single point of failure. Fable 5 and Mythos 5 went from public launch to worldwide shutdown in three days — by government order, not an outage — and access dropped even for compliant US customers. If a business-critical workflow (AI code review, SOC triage, agentic automation) runs on a single model or provider, inventory it and build a fallback path now. Put model availability in your BC/DR and third-party risk register alongside any other critical vendor. 2. Assume any AI you deploy can be talked into doing something it shouldn't — and watch it accordingly. Even Anthropic says no provider can fully prevent its safeguards from being bypassed, and that new workarounds will keep being found. For most organizations the practical move isn't building better guardrails — it's logging what your AI tools and agents actually do, baselining normal behavior, and alerting on the abnormal. Treat vendor safeguards as one layer, not the whole control. 3. Leverage AI’s advanced capabilities to check for software bugs, both in code you buy and code you develop. If you build software, fold AI-assisted review into your SDLC and red teaming. If you rely on third-party vendors for software, make their use of AI-assisted security testing a question in your due diligence and a clause in your contracts. Either way, the goal is to find the bugs attackers will find, first. 4. Update threat models to assume adversaries already have equivalent cyber-AI, regardless of export controls. The lesson from the crypto wars and the proliferation/distillation discussion is that a ban transfers a capability rather than eliminating it — the model, like the math before it, is already global. Don't let a US export action or one vendor's guardrails read as reduced adversary capability in your risk calculus. Plan defenses for a world where attackers have frontier bug-finding at machine speed. Resources 1. Anthropic — Statement on the directive to suspend access to Fable 5 and Mythos 5 — the company's own account of the order and its safeguards. https://www.anthropic.com/news/fable-mythos-access 2. WSJ — Anthropic Dispatches Staff to D.C., Racing to Resolve AI Export Restrictions — the timeline, the players, and the weekend negotiations. https://www.wsj.com/tech/ai/anthropic-dispatches-staff-to-d-c-racing-to-resolve-ai-export-restrictions-71303d42 3. Luta Security — The Fable 5 Export Controls Harm US Cyber Defense — Katie Moussouris, the one outside expert known to have read the underlying report. https://www.lutasecurity.com/post/the-fable-5-export-controls-harm-us-cyber-defense 4. FreeFable.org — open letter to Commerce — 54 CISOs and security leaders calling for the controls to be lifted. https://freefable.org/ 5. EFF — Bernstein v. United States — the case that established software source code as protected speech. https://www.eff.org/cases/bernstein-v-us-dept-justice | 11m 48s | ||||||
| 6/9/26 | Damaged Goods: When your new hire is already compromised | cybersecurity, malware +3 | Tom Pohl | LMG Security, Bitbucket | — | malware, cybersecurity +5 | — | 15m 18s | |
| 6/2/26 | The CRM Goldmine: Inside the Salesforce Breach Wave | Salesforce breach, CRM security +4 | — | Charter, Salesforce +4 | — | Salesforce, breach +5 | — | 16m 31s | |
| 5/26/26 | Shadow Agents: When Your AI Workforce Has No Boss | shadow AI agents, cybersecurity +3 | Sherri Davidoff, Matt Durrin | Anthropic's Claude Dispatch, Vercel +1 | — | shadow agents, AI workforce +3 | — | 28m 53s | |
| 5/19/26 | Better Than Google, Still Risky: The OpenEvidence Story | shadow AI, healthcare technology +4 | — | OpenEvidence, Healthcare +4 | US | AI tools, OpenEvidence +5 | — | 15m 17s | |
| 5/12/26 | Finals Week Fallout: The Canvas Hack That Shook Education | data breach, education sector +4 | — | Canvas, Instructure +2 | — | Canvas hack, data breach +6 | — | 11m 24s | |
| 5/5/26 | 9 Seconds to Zero: Misbehaving AI | AI security, database management +3 | Matt Durrin | PocketOS, Replit +1 | — | AI, cybersecurity +5 | — | 16m 37s | |
| 4/28/26 | Security Debt: The Risk Nobody is Reporting | security debt, cybersecurity incidents +3 | — | Stryker, Change Healthcare +2 | — | security debt, cybersecurity +5 | — | 29m 09s | |
| 4/21/26 | Claude Code Leak: What Security Leaders Need to Know About AI Coding Agents | AI coding agents, security risks +4 | Matt Durrin | Claude Code CLI, Claw Code +1 | — | Claude Code leak, AI coding tools +3 | — | 16m 17s | |
| 4/14/26 | The “Hacking Ray” Is Here: AI, Project Glasswing, and the End of Hidden Vulnerabilities | AI in cybersecurity, software vulnerabilities +3 | Tom Pohl | Project Glasswing, Mythos model +1 | — | cybersecurity, AI +5 | — | 24m 15s | |
| 4/7/26 | We don’t break in, we badge in | social engineering, physical security +3 | Tom, Derek | — | — | penetration testing, social engineering +3 | — | 28m 40s | |
| 3/31/26 | Stryker Attack Analysis: Cybersecurity and insurance perspectives | cybersecurity, cyber insurance +3 | Bridget Quinn Choi | Microsoft Entra, Intune +1 | — | Stryker cyberattack, cyber insurance +3 | — | 35m 15s | |
| 3/24/26 | Mass Exploitation 2.0: Web Platforms Under Attack | mass exploitation, cybersecurity +4 | — | React2Shell, LexisNexis | — | mass exploitation, cybersecurity +7 | — | 23m 28s | |
| 3/17/26 | Is Anthropic a Pentagon “Supply Chain Risk”? | AI ethics, national security +3 | Matt Durrin | Anthropic, Pentagon +1 | — | Anthropic, Pentagon +5 | — | 13m 08s | |
| 3/3/26 | Google Gemini Changed the Rules: Are Your API Keys Exposed? | API security, cloud governance +3 | — | Gemini, Google +1 | — | API keys, Google Gemini +3 | — | 12m 06s | |
| 2/24/26 | Opus 4.6: Changing the Pace of Software Exploitation Description | software exploitation, zero-day vulnerabilities +3 | — | Microsoft | — | zero-day, vulnerabilities +3 | — | 25m 26s | |
| 2/17/26 | Nancy Guthrie’s Recovered Footage: The Reality of Residual Data | residual data, data retention +4 | — | FBI, Google Nest | — | deleted data, data access +3 | — | 15m 19s | |
| 2/10/26 | Ransomware Gangs Are Teaming Up | ransomware, cybersecurity +4 | — | ShinyHunters | — | ransomware gangs, data leak +3 | — | 15m 44s | |
| 2/3/26 | Top Threat of 2026: The AI Visibility and Control Gap | AI is no longer a standalone tool—it is embedded directly into productivity platforms, collaboration systems, analytics workflows, and customer-facing applications. In this special CyberSide Chats episode, Sherri Davidoff and Matt Durrin break down why lack of visibility and control over AI has emerged as the first and most pressing top threat of 2026. Using real-world examples like the EchoLeak zero-click vulnerability in Microsoft 365 Copilot, the discussion highlights how AI can inherit broad, legitimate access to enterprise data while operating outside traditional security controls. These risks often generate no alerts, no indicators of compromise, and no obvious “incident” until sensitive data has already been exposed or misused. Listeners will walk away with a practical framework for understanding where AI risk hides inside modern environments—and concrete steps security and IT teams can take to centralize AI usage, regain visibility, govern access, and apply long-standing security principles to this rapidly evolving attack surface. Key Takeaways 1. Centralize AI usage across the organization. Require a clear, centralized process for approving AI tools and enabling new AI features, including those embedded in existing SaaS platforms. 2. Gain visibility into AI access and data flows. Inventory which AI tools, agents, and features are in use, which users interact with them, and what data sources they can access or influence. 3. Restrict and govern AI usage based on data sensitivity. Align AI permissions with data classification, restrict use for regulated or highly sensitive data sets, and integrate AI considerations into vendor risk management. 4. Apply the principle of least privilege to AI systems. Treat AI like any other privileged entity by limiting access to only what is necessary and reducing blast radius if credentials or models are misused. 5. Evaluate technical controls designed for AI security. Consider emerging solutions such as AI gateways that provide enforcement, logging, and observability for prompts, responses, and model access. Resources 1. Microsoft Digital Defense Report 2025 https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2025 2. NIST AI Risk Management Framework https://www.nist.gov/itl/ai-risk-management-framework 3. Microsoft 365 Copilot Zero-Click AI Vulnerability (EchoLeak) https://www.infosecurity-magazine.com/news/microsoft-365-copilot-zeroclick-ai/ 4. Adapting to AI Risks: Essential Cybersecurity Program Updates. https://www.LMGsecurity.com/resources/adapting-to-ai-risks-essential-cybersecurity-program-updates/ 5. Microsoft on Agentic AI and Embedded Automation (2026) https://news.microsoft.com/source/2026/01/08/microsoft-propels-retail-forward-with-agentic-ai-capabilities-that-power-intelligent-automation-for-every-retail-function/ | 18m 58s | ||||||
| 1/27/26 | The Verizon Outage and the Cost of Concentration | The recent Verizon outage underscores a growing risk in today’s technology landscape: when critical services are concentrated among a small number of providers, failures don’t stay isolated. In this live discussion, we’ll connect the Verizon outage to past telecom and cloud disruptions to examine how infrastructure dependency creates cascading business impact. We’ll also explore how large-scale outages intersect with security threats targeting telecommunications, where availability, confidentiality, and integrity failures increasingly overlap. The session will close with actionable takeaways for strengthening resilience and risk planning across cybersecurity and IT programs. Key Takeaways 1. Diversify your technology infrastructure. Relying on a single carrier, cloud provider, or bundled service creates a single point of failure. Purposeful diversification across providers can reduce the impact of large-scale outages and improve overall resilience. 2. Treat outages as security incidents, not just reliability problems. Large-scale telecom and cloud outages directly disrupt authentication, monitoring, and incident response, and should trigger security workflows—not just IT troubleshooting. 3. Identify and document your dependencies on carriers and cloud providers. Many security controls rely on SMS, voice, cloud identity, or single regions; understanding these dependencies ahead of time prevents dangerous blind spots during outages. 4. Plan and test incident response without phones, SMS, or primary cloud access. Assume your normal communication and authentication methods will fail and ensure your teams know how to coordinate securely when core services are unavailable. 5. Expect outages to increase fraud and social engineering activity. Attackers exploit confusion and urgency during service disruptions, so security teams should prepare staff for impersonation and “service restoration” scams during major outages. 6. Use widespread outages as learning opportunities. Review what happened, assess how your organization was—or could have been—impacted, identify potential areas for improvement, and update incident response, communications, and resilience plans accordingly. Resources 1. Verizon official network outage update https://www.verizon.com/about/news/update-network-outage 2. Forrester: Verizon outage reignites reliability concerns https://www.forrester.com/blogs/verizon-outage-reignites-reliability-concerns/ 3. CNN: Verizon outage disrupted phone and internet service nationwide https://www.cnn.com/2026/01/15/tech/verizon-outage-phone-internet-service 4. AP News: Verizon outage disrupted calling and data services nationwide https://apnews.com/article/85d658a4fb6a6175cae8981d91a809c9 5. CNN: AT&T outage shows how dependent daily life has become on mobile networks (2024) https://www.cnn.com/2024/02/23/tech/att-outage-customer-service | 30m 45s | ||||||
| 1/20/26 | Data Is Hazardous Material: How Data Brokers Telematics and Over-Collection Are Reshaping Cyber Risk | The FTC has issued an order against General Motors for collecting and selling drivers’ precise location and behavior data, gathered every few seconds and marketed as a safety feature. That data was sold into insurance ecosystems and used to influence pricing and coverage decisions — a clear reminder that how organizations collect, retain, and share data now carries direct security, regulatory, and financial risk. In this episode of Cyberside Chats, we explain why the GM case matters to CISOs, cybersecurity leaders, and IT teams everywhere. Data proliferation doesn’t just create privacy exposure; it creates systemic risk that fuels identity abuse, authentication bypass, fake job applications, and deepfake campaigns across organizations. The message is simple: data is hazardous material, and minimizing it is now a core part of cybersecurity strategy. Key Takeaways: 1. Prioritize data inventory and mapping in 2026. You cannot assess risk, select controls, or meet regulatory obligations without knowing what data you have, where it lives, how it flows, and why it is retained. 2. Reduce data to reduce risk. Data minimization is a security control that lowers breach impact, compliance burden, and long-term cost. 3. Expect that regulators care about data use, not just breaches. Enforcement increasingly targets over-collection, secondary use, sharing, and retention even when no breach occurs. 4. Create and actively use a data classification policy. Classification drives retention, access controls, monitoring, and protection aligned to data value and regulatory exposure. 5. Design identity and recovery assuming personal data is already compromised. Build authentication and recovery flows that do not rely on the secrecy of SSNs, dates of birth, addresses, or other static personal data. 6. Train teams on data handling, not just security tools. Ensure engineers, IT staff, and business teams understand what data can be collected, how long it can be retained, where it may be stored, and how it can be shared. Resources: 1. California Privacy Protection Agency — Delete Request and Opt-Out Platform (DROP) https://privacy.ca.gov/drop/ 2. FTC Press Release — FTC Takes Action Against General Motors for Sharing Drivers’ Precise Location and Driving Behavior Data https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-takes-action-against-general-motors-sharing-drivers-precise-location-driving-behavior-data 3. California Delete Act (SB 362) — Overview https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB362 4. Texas Attorney General — Data Privacy Enforcement Actions https://www.texasattorneygeneral.gov/news/releases 5. Data Breaches by Sherri Davidoff https://www.amazon.com/Data-Breaches-Opportunity-Sherri-Davidoff/dp/0134506782 | 19m 25s | ||||||
| 1/13/26 | Venezuela’s Blackout: Cybercrime Domino Effect | When Venezuela experienced widespread power and internet outages, the impact went far beyond inconvenience—it created a perfect environment for cyber exploitation. In this episode of Cyberside Chats, we use Venezuela’s disruption as a case study to show how cyber risk escalates when power, connectivity, and trusted services break down. We examine why phishing, fraud, and impersonation reliably surge after crises, how narratives around cyber-enabled disruption can trigger copycat or opportunistic attacks, and why even well-run organizations resort to risky security shortcuts when normal systems fail. We also explore how attackers weaponize emergency messaging, impersonate critical infrastructure and connectivity providers, and exploit verification failures when standard workflows are disrupted. The takeaway is simple: when infrastructure collapses, trust erodes—and cybercrime scales quickly to fill the gap. | 13m 42s | ||||||
| 1/6/26 | What the Epstein Files Teach Us About Redaction and AI | The December release of the Epstein files wasn’t just controversial—it exposed a set of security problems organizations face every day. Documents that appeared heavily redacted weren’t always properly sanitized. Some files were pulled and reissued, drawing even more attention. And as interest surged, attackers quickly stepped in, distributing malware and phishing sites disguised as “Epstein archives.” In this episode of Cyberside Chats, we use the Epstein files as a real-world case study to explore two sides of the same problem: how organizations can be confident they’re not releasing more data than intended, and how they can trust—or verify—the information they consume under pressure. We dig into redaction failures, how AI tools change the risk model, how attackers weaponize breaking news, and practical ways teams can authenticate data before reacting. | 15m 28s | ||||||
| 12/30/25 | Amazon's Warning: The New Reality of Initial Access | Amazon released two security disclosures in the same week — and together, they reveal how modern attackers are getting inside organizations without breaking in. One case involved a North Korean IT worker who entered Amazon’s environment through a third-party contractor and was detected through subtle behavioral anomalies rather than malware. The other detailed a years-long Russian state-sponsored campaign that shifted away from exploits and instead abused misconfigured edge devices and trusted infrastructure to steal and replay credentials. Together, these incidents show how nation-state attackers are increasingly blending into human and technical systems that organizations already trust — forcing defenders to rethink how initial access really happens going into 2026. Key Takeaways 1. Treat hiring and contractors as part of your attack surface. Nation-state actors are deliberately targeting IT and technical roles. Contractor onboarding, identity verification, and access scoping should be handled with the same rigor as privileged account provisioning. 2. Secure and monitor network edge devices as identity infrastructure. Misconfigured edge devices have become a primary initial access vector. Inventory them, assign ownership, restrict management access, and monitor them like authentication systems — not just networking gear. 3. Enforce strong MFA everywhere credentials matter. If credentials can be used without MFA, assume they will be abused. Require MFA on VPNs, edge device management interfaces, cloud consoles, SaaS admin portals, and internal administrative access. 4. Harden endpoints and validate how access actually occurs. Endpoint security still matters. Harden devices and look for signs of remote control, unusual latency, or access paths that don’t match how work is normally done. 5. Shift detection from “malicious” to “out of place”. The most effective attacks often look legitimate. Focus detection on behavioral mismatches — access that technically succeeds but doesn’t align with role, geography, timing, or expected workflow. Resources: 1. Amazon Threat Intelligence Identifies Russian Cyber Threat Group Targeting Western Critical Infrastructure https://aws.amazon.com/blogs/security/amazon-threat-intelligence-identifies-russian-cyber-threat-group-targeting-western-critical-infrastructure/ 2. Amazon Caught North Korean IT Worker by Tracing Keystroke Data https://www.bloomberg.com/news/newsletters/2025-12-17/amazon-caught-north-korean-it-worker-by-tracing-keystroke-data/ 3. North Korean Infiltrator Caught Working in Amazon IT Department Thanks to Keystroke Lag https://www.tomshardware.com/tech-industry/cyber-security/north-korean-infiltrator-caught-working-in-amazon-it-department-thanks-to-lag-110ms-keystroke-input-raises-red-flags-over-true-location 4. Confessions of a Laptop Farmer: How an American Helped North Korea’s Remote Worker Scheme https://www.bloomberg.com/news/articles/2023-08-23/confessions-of-a-laptop-farmer-how-an-american-helped-north-korea-s-remote-worker-scheme 5. Hiring security checklist https://www.lmgsecurity.com/resources/hiring-security-checklist/ | 15m 55s | ||||||
Showing 25 of 76
Chart Positions
1 placement across 1 market.
