Episode 118: AI Agents Transforming Cybersecurity with Ian Amit (Gomboc.ai)
Co-Host
Aytekin Tank
Founder & CEO, Jotform
Co-Host
Demetri Panici
Founder, Rise Productive
About the Episode
In this episode of the AI Agents Podcast, we speak with Ian Amit, co-founder and CEO of Gomboc.ai, about how AI agents are revolutionizing cybersecurity and infrastructure management. Drawing on his extensive background as both an attacker and defender in the cybersecurity space, Ian discusses how deterministic AI can identify and fix vulnerabilities in cloud environments, optimize performance, and reduce engineering toil at the source—right within the development environment. Ian explains how Gomboc.ai shifts the focus from merely identifying problems to actually fixing them in real-time, embedded within the coding process. We also explore why generative AI often falls short in secure engineering applications and how Gomboc’s deterministic approach brings speed, accuracy, and trust to software development. Whether you're a DevOps professional, security engineer, or tech leader, this episode offers key insights into the future of AI-powered development and cybersecurity.
So that was the first understanding. We expanded beyond security and we can fix things that are not just security related. We can fix things that are related to software reliability engineering, cost, and performance optimization.
The second one is we're no longer just looking at existing code and saying there you go, I fixed it for you. We decided to shift all the way left, which is a security paradigm meaning getting as close to the development process as possible. Today we're at the development environment itself, there as a good angel on the shoulder of the engineer who's writing the code.
Hi, my name is Demetri Panici and I'm a content creator, agency owner, and AI enthusiast. You're listening to the AI Agents Podcast brought to you by Jotform and featuring our CEO and founder, Aytekin Tank. This is the show where artificial intelligence meets innovation, productivity, and the tools shaping the future of work. Enjoy the show.
Hello and welcome back to another episode of the AI Agents Podcast. In this episode, we have the co-founder and CEO of Gomboc.ai, Ian Amit. How are you doing today, Ian?
Pretty good, Demetri. How about yourself?
I'm living the dream. I have to be. It's the only way to live. I appreciate you for making the time today. I think it's a really great time to be in the world of AI talking with cool people like yourself.
Just to kick things off, you have a pretty big background in the security space from my understanding. Now you're kind of in this realm of AI. Could you tell us how you made it into this world of AI and AI agents?
Yeah, absolutely. I love the way you're calling me old. It's a pretty big background. That's fair. It is a logical entailment. I apologize. No, I'm just kidding. To make a long story short, AI has been around forever. It's not really new. It's just that in the past three to five years, we've been focusing on new companies operating within this new hype cycle of generative AI that brought it to attention.
I've been in the security industry for almost 30 years, both as a practitioner growing through hacking, pentesting, consulting, running consulting teams, and working in corporate defending organizations. I eventually ended up in leadership positions such as chief security officer for a few public companies. My exposure to AI has been out there for quite a bit.
Specifically for cybersecurity, it's a field that benefits from automation and advantages AI can bring since we're dealing with so much information, disparate data sources, unstructured data. Practitioners are expected to go through all of that and make very quick, sometimes critical decisions.
In this last iteration, I created Gomboc.ai as an attempt to apply AI algorithms and models to a specific area in that space.
I haven't had a lot of experience in the security space. I don't know too much about it honestly. It's one of those areas I'd love to learn more about. What do you think are some of the things you learned in that area that prepared you best to get into the field you're in now with Gomboc?
That's a great question. My personal experience has been on both sides of cybersecurity, both as an attacker tasked with finding flaws and understanding targets' IT layouts and capabilities, and as a defender designed to counter those attacks, build defenses, deploy controls and tools to alert and allow action to circumvent attacks.
Having been on both sides prepares you to understand how to utilize AI from an attacker perspective. You have to be knowledgeable across multiple domains, technological and business or process, and be able to ingest and process unstructured data from multiple sources.
This could be open-source reconnaissance and intelligence on someone, understanding their background, languages spoken, and using that to your advantage in communication, as well as the technical sides like technology used, programming languages, operating systems, and applications. You need familiarity with vulnerabilities and be able to string those together to execute an attack targeting the organization's crown jewel.
We're talking about multiple domains, different data, and technologies. Historically, security has used automated tools for collecting and classifying information, but the bulk of thinking and processing to find the right narrative is left to the practitioner. AI provides huge potential to automate many human tasks and leave the practitioner with the understanding and correlation of data to use.
This works on both sides. On the attacker side, figuring out how to break in, and on the defensive side, analyzing bulk data to find anomalies and patterns that a human would have trouble addressing. Cybersecurity professionals are tasked with sifting through terabytes of log data from firewalls, servers, applications, and users daily.
AI is very useful in defensive cybersecurity to find patterns that might not be problematic individually but pose problems over time. That's my personal history practicing cybersecurity as attacker, defender, leader, and executive, honing my skills and understanding of how and where to apply AI models effectively.
I've noticed a trend where many people work in output-based AI, focusing on what is outputted, sometimes for nefarious purposes, and others focus on protection. Understanding outputs helps understand the analysis and inputs or reflection. For example, an HR company noted problems with mass resume submissions and lack of AI to synthesize the other half of the process, the ingestion and analysis.
On the development side, Gomboc.ai was a top four finalist at the Black Hat Startup Spotlight shortly after launching. Can you take us back to the early days of development? Was there a specific frustration related to unresolved tickets or what was top of mind then?
It goes back to why I started Gomboc. After my last role as chief security officer, I realized I had built a solid security practice and had visibility into cloud environments to identify problematic activities. But addressing issues, especially in ephemeral, continuously changing cloud environments, was a problem.
Finding something wrong and calling it out is easy, but fixing those issues systematically from the root cause is the biggest problem. I decided to tackle that space, not by building another product that just tells you what's wrong, but by creating a DevOps agent that takes you from detection through remediation, providing the work product.
My vision was to create an agent that takes the burden off engineers bombarded with multiple alerts and regulatory changes, especially with new AWS services. All of that funnels down to a DevOps engineer who must fix or update environments to be compliant.
That motive drove me to start Gomboc, realizing the friction is not in finding problems but fixing them. Even advanced generative AI models lack the accuracy and contextual ability to provide a fix fully reasoned and explained for the engineer to implement.
It's really interesting to learn about these new areas. How many people currently work at Gomboc?
We currently have 16 employees, keeping things lean and efficient, mostly based out of our New York City office.
What's your tagline now and how has it changed since the beginning?
The tagline remains 'it's all about the fix.' What changed is a better understanding that we should go as far back into the source of the problem as possible. Initially, we provided ad hoc fixes for existing environments.
Over the past two and a half to three years, we understood this is not just a security problem but an engineering problem. Security is one of the elements at the receiving end of the DevOps engineer's task list.
We expanded beyond security to fix things related to software reliability engineering, cost, and performance optimization. We're no longer just fixing things ad hoc or looking at existing code. We shifted left, meaning getting as close to the development process as possible, now at the IDE itself.
We're there as the good angel on the shoulder of the engineer writing code. The second someone starts building a cloud environment or architecture, before deploying the first version, we're there to apply fixes and bring policies to life in real time at the editor itself.
When writing or prompting AI like Copilot to add elements, Gomboc applies fixes to that code before it's even saved for the first time. This transformation of the tagline to 'it's all about the fix' has moved as early as possible to prevent rework.
Once code is deployed, the last thing you want is to go back and fix or change it. If it works, move on. Providing fixes as early as code generation is our focus in the past six months.
In the near future, we'll focus on getting Gomboc into the hands of more engineers. We recently released a fully free community edition so engineers can use it even if their company hasn't bought the platform.
The enterprise features include policy customization, report generation, and advanced integrations. We're focused on clean coding and producing clean environments to optimize productivity promised by AI tools.
On the enterprise side, customers face different policies and requirements they need to adapt to. Gomboc ingests these requirements, changes, policies, frameworks, and compliance reports to provide fixes, not just alerts, fully reasoned and contextual for implementation.
What is the hardest thing about implementing your solution and explaining it to customers?
It's combined. There's a huge hype cycle around AI, and explaining to customers that we're not just another iteration or fancy interface to common generative AI models is the biggest challenge.
The industry has overpromised, saying AI will 10x code generation, but no one talks about the 10x bugs and time to resolve them, plus hallucinations and inaccuracies. Users wrestle with creative prompts to work around limitations.
We explain that we're a deterministic AI model, producing the same output for the same inputs and environment, unlike generative models designed to produce new results each time. This builds trust with engineers.
We offer a community edition for users to experience working with a deterministic model. Often, generative AI produces fantastic but non-working code that doesn't meet organizational requirements. Gomboc provides fixes to ground code in reality and compliance without elaborate prompts.
I hadn't considered lack of creativity being problematic. I've used AI coding tools and experienced bugs that took hours to fix due to unexpected code variations. It can be frustrating and time-consuming.
That example is perfect. Spending hours debugging something caused by unexpected code creation is common. Engineers can save hours coding but spend more time debugging. The hardest issues are those unnoticed broken parts that cause problems later.
I hacked together a simple internal tool that was effective but had universality issues. Fixing those took time and multiple prompts. Without proper QA, such issues multiply, causing delays and frustration.
Can you give examples of issues people should be concerned about and how you've helped prevent them?
We're dealing with infrastructure foundations for cloud or on-prem deployment. Common issues include unencrypted data, which is critical for consumer trust. It's common to find data transitions or databases without adequate protection.
Customers often believe their architecture is secure, but there are hidden vulnerabilities. Reconfiguring environments to have adequate protections takes time and effort, similar to adding multiple fixes repeatedly.
Another example is open S3 buckets, a long-standing security issue due to forgotten access restrictions. These buckets might be publicly accessible or writable, which is a major risk.
Finding these issues can be automated, but applying the right controls contextually is challenging. Our customers appreciate that we provide bespoke, curated, deterministic fixes that preserve architecture functionality while securing resources.
We're told we save dozens of engineering hours that would otherwise be spent untangling environments, requirements, and documentation. These are the two most common use cases, beyond hygiene, cost optimization, and automated environment maintenance.
What is your ultimate goal for the next three to five years, and what would you like people to understand about that vision?
My goal is to save people and organizations time, especially engineers, by removing non-effective, repeatable toil that requires extensive reading and contextualizing. This comes from understanding the tools available.
One problem in our industry is that generative AI is seen as the best hammer, and everyone tries to use it for everything. I would remind people that AI has been around for decades and generative AI is not the only tool available.
There are many AI models designed for different problems. Generative AI is great for creating images and text but not the right tool for precise engineering tasks platform engineers and developers need.
I would leave the audience with the understanding that they have a toolbox with many tools and the education to use each tool for its task.
I appreciate your time today. Where can people find out more about what you're doing?
Our website is gomboc.ai. The community edition is available at gomboc.ai/community. You don't need to talk to sales to download and experience it yourself and see the difference between generative AI models and our deterministic, fast, and accurate model.
Feel free to download and experiment, and send feedback.
Thank you for listening to this episode. Please leave a like and comment, and we'll see you in the next one. Peace.