From Annual Checkbox To Continuous SDLC Testing: Operationalizing AI Pentests - Andy Dennis of XBow

In this episode of the Security Repo Podcast, Dwayne catches up with returning guest Andy Dennis (Head of Field Engineering at XBOW) to unpack what it really means to run “AI-backed” penetration testing at scale, without turning red teaming into a gimmick. They dig into how XBOW approaches discovery, guardrails, and reporting beyond “scan results,” and why operationalizing LLM-driven testing in real enterprises still demands SaaS-grade controls and infrastructure. The conversation closes on where this all goes next: continuous testing in the SDLC, deeper discovery of business-logic bugs, and a near future where findings increasingly translate into remediation-ready pull requests.https://xbow.com/  https://www.linkedin.com/in/andy-d-b43a17b/Head of Field Engineering at XBOW. Published author. Public speaker. Former undergraduate tutor and examiner. Cyber Security and AI Strategy. M&A technical due diligence. 22+ years in industry. International team management experience across 5 continents and 400+ individuals. Interest in Cybernetics. Andy has 22+ years experience in the technology industry and has worked in the UK, Canada and US. He’s had 5 books published on a variety of topics including IoT and the Raspberry Pi and spoken at multiple events around the country. Previously Andy tutored undergraduates at Goldsmith’s College, University of London’s online degree program and is currently studying with HEC in Paris.

Why Compliance Isn’t Governance & How GovOps Rebuilds Trust Boundaries – Mike SchwartzIn this episode of the Security Repo Podcast, Dwayne sits down with Mike Schwartz (CEO & founder of Gluu) to unpack GovOps as “next-gen governance” built to be declarative, provable, and continuous. They dig into why compliance ≠ governance, how formal reasoning can help prove policy outcomes, and why modern governance needs to shift from periodic audits to real-time visibility. The conversation closes with the collision of agentic AI + identity, the need for better software identity and token trust, and how this moment might finally unlock board-level investment in security.Links from the show:https://www.linkedin.com/in/nynymike/GovOps Working Group on LinkedInhttps://www.linkedin.com/groups/17478011/https://gluufederation.medium.com/govops-manifesto-33eb7cb01ed3Identerati Office Hourshttps://gluu.org/identerati-office-hours-episodes/The Janssen Projecthttps://docs.jans.io/stable/https://www.cncf.io/projects/oscal-compass/https://gemara.openssf.org/Mike Schwartz is the Founder/CEO of Gluu, and leads the Linux Foundation Janssen Project. He is the co-author of the book "Securing the Perimeter" (Apress 2018) about how to use open source IAM tools. In addition to his day job at Gluu, he currently hosts the “Identerati Office Hours” Livestream twice a week, which features discussions on all topics digital identity and security. Mike resides in Austin TX with family and pigeons.

In this episode of the Security Repo Podcast, we talk with Henry Odibi, a data engineer who pivoted from chemical engineering into data and AI. Henry shares how he hacked his way into tech, built his own automation tools, and now integrates AI responsibly—always with a “security first” mindset. He also emphasizes the importance of treating data as if it were your own and offers practical steps for anyone starting in AI or data engineering to stay secure.https://www.linkedin.com/in/henryodibi/Henry Odibi transforms messy, real-time process data into high-performance data systems used across global manufacturing operations.With 4+ years of experience spanning chemical engineering, utilities, telemetry integration, and cloud architecture, he's built solutions that improve OEE, energy intensity, yield, inventory accuracy, and cycle time across 30+ Ingredion sites worldwide.He began his career on the plant floor, supervising wet mill operations and responding to breakdowns firsthand. Over time, Henry transitioned into a global data role where he now designs scalable data pipelines using Azure Data Factory, Databricks, PySpark, and Power BI — empowering teams with near-real-time visibility and decision intelligence.Henry has led internal training programs, built metadata-driven automation frameworks, and collaborated with cross-functional teams to deliver insight that drives action.His passion lies in building the future of digital manufacturing — a connected, automated, and self-optimizing production environment.

In this episode of the Security Repo Podcast, Nathan Koester shares his path from reverse engineering for the Air Force to building practical security tools for real-world teams. He discusses *Pwnbook.io*, a platform for integrating and visualizing security tools and data, and *Charlemagne Labs*, a local-first browser extension using small language models to detect risky links. The conversation also explores the philosophy behind lightweight AI models, cognitive defense, and staying curious in a fast-evolving field.https://[pwnbook.io](https://pwnbook.io/) https://[Charlemagnelabs.ai](https://charlemagnelabs.ai/)Nathan Koester is an engineer with a diverse background, ranging from forward software development to reverse engineering embedded systems and performing vulnerability assessment.Nathan’s preferred work focus is leveraging his forward and reverse engineering skills with a red team mindset to provide pen-testing and vulnerability assessment capabilities.

In this episode of the Security Repo Podcast, we dive into the world of incident response with Robert Saul, General Manager of AWS Security Incident Response Services. Robert shares insights from decades of experience, emphasizing that over 70% of security incidents stem from credential loss and that these challenges are rooted more in people and process than technology. From governance and playbooks to building a culture of incremental improvement, this conversation is packed with hard-won advice for security professionals at every level.https://aws-samples.github.io/threat-technique-catalog-for-aws/https://aws.amazon.com/iam/access-analyzer/https://www.linkedin.com/in/robert-saul/With nearly 30 years of experience in security and network engineering, Robert Saul currently serves as the General Manager of the [AWS Security Incident Response service](https://aws.amazon.com/security-incident-response).In this role, Robert establishes the strategy and measures the operations of a global network of security incident responders dedicated to supporting the investigation of security events that occur on the customer side of the shared responsibility model. The service's focus is on the coordination, detection, analysis, mitigation, and recovery from cyber incidents, ensuring AWS customers receive top-tier support to accomplish their business objectives.He is incredibly proud to be a part of this team of talented professionals. Their collective experience, dedication, and expertise allow them to provide invaluable guidance, often in high-pressure situations where time is critical. Robert is continually inspired by their commitment to excellence in incident response and their unwavering customer obsession in line.Prior to AWS, Robert engineered and secured tactical communications platforms for defense and intelligence sectors. This background provides him with a unique perspective on the evolving landscape of cyber threats and the importance of robust incident response strategies.Robert's blend of technical capabilities, leadership skills, and experience in both public and private sectors enables him to effectively lead the AWS Security Incident Response service. Together with his exceptional team, they guide customers through the complex world of cybersecurity and incident response.He is also deeply grateful for the opportunity to work alongside such a talented and dedicated group of professionals. Their expertise, passion, and commitment to our customers’ security make it an honor for him to lead this service every day.

In this episode of the Security Repo Podcast, Ryan Bonner dives into his exploration of legacy enterprise integration platform WebMethods, revealing alarming vulnerabilities that allow unauthenticated access and even system shutdowns. He discusses how collaboration with Iceland’s top bug bounty hunter led him into this niche area of research, and shares practical advice for responsible disclosure and improving enterprise security hygiene. The conversation also touches on broader security culture, from overlooked credentials to the value of testing unconventional attack vectors.https://github.com/Roll4Combat/IntegrationSurferhttps://www.linkedin.com/in/roll4combat/Ryan 'Roll4Combat' Bonner is a penetration tester and educator who enjoys breaking things and sharing knowledge. By day, he's a Senior Cybersecurity Consultant, testing the defenses of web apps and corporate networks. By night, he dives into AI and bug bounty huntingA firm believer that we all get better by sharing, Ryan is a community speaker at events like BSides and DEF CON. He is committed to paying forward the mentorship that launched his career by helping others get their start in the community.

In this episode of the Security Repo Podcast, we dive into the world of zero-day exploits, marketplace dynamics for vulnerability research, and the evolving role of cybersecurity in boardroom decision-making. Guest Evan Dornbush, founder of Desired Effect, shares his journey from government cyber-ops to founding multiple security startups, and explains why attackers don’t care about compliance paperwork. We also explore the real-world consequences of hardware vulnerabilities, how a plug won’t save your hotel lock, and why we might be fooling ourselves by trying to “out-tech” cybercriminals.https://www.linkedin.com/in/evandornbush/https://www.desiredeffect.io/Evan Dornbush is the founder and CEO of Desired Effect, which helps vulnerability researchers get fairly compensated and helps defenders act before attacks begin. He hosts the researcher-focused Hackers On The Rocks podcast. Previously, Evan co-founded Point3 Security, a cybersecurity workforce development firm acquired in 2021, and served as CEO. He co-founded P3F, a cybersecurity research firm acquired in 2021. He led Customer Experience at Vulnerability Research Labs, a security research firm acquired in 2010. He worked as a Computer Network Operator for the National Security Agency. Evan holds an M.S. in computer science from The George Washington University and has four ridiculously good-looking children.

In this episode of the Security Repo Podcast, Eric Woodruff dives deep into the complexities of identity and access management (IAM), from the evolution of Active Directory to the future of non-human identities. He explains the real-world challenges of hybrid environments, governance, and over-engineered identity solutions. Eric also highlights practical ways for newcomers to start learning IAM and emphasizes the importance of soft skills in security roles.https://www.linkedin.com/in/ericonidentity/https://idpro.org/body-of-knowledge/https://ericonidentity.com/Throughout his 25-year career in the IT field, Eric Woodruff has sought out and held a diverse range of roles. Currently the Chief Identity Architect for Semperis; Eric previously was a member of the Security Research and Product teams. Prior to Semperis, Eric worked as a Security and Identity Architect at Microsoft partners, spent time working at Microsoft as a Sr. Premier Field Engineer, and spent almost 15 years in the public sector, with 10 of them as a technical manager.Eric is a Microsoft MVP for security, recognized for his expertise in the Microsoft identity ecosystem. Eric is a strong proponent of knowledge sharing and spends a good deal of time sharing his insights and expertise at conferences as well as through blogging. Eric further supports the professional security and identity community as an IDPro member, working as part of the IDPro Body of Knowledge committee.

Hi everyone, It's Dwayne, host of the security repo podcast. The show is taking a 2-week break over the holidays to give you a chance to catch up on our backlog of security conversations. Our next new episode premieres January 7th, 2026. It's one to look forward to. And I wanted to say a huge thank you to each and every one of our listeners and subscribers. Thanks to you, in 2025, we gained 1300 new subscribers and crossed the 3500 mark on YouTube. Thank you. And I honestly hope you all are learning as much as I am from the amazing guests.I am honored to get to talk to some of the smartest people I have ever met and get to ask them about stuff I care about.I wish you the very best in 2026 and beyond, and may you and your loved ones have the best holiday season ever.Thanks, Dwayne

In this episode of the Security Repo Podcast, Douglas Brush, digital forensics expert and self-proclaimed "CISO Whisperer," shares his journey from early IT consulting to guiding CISOs and boards through complex security decisions. He breaks down his “Dad Bod Security” framework, connecting personal health metrics to meaningful cybersecurity goals, and highlights the need to move beyond vanity KPIs to focus on sustainable security programs. With candid insights on executive communication, legal challenges, and cultural resistance, Douglas offers a blueprint for building trust and progress in modern security leadership.https://www.linkedin.com/in/douglasabrush/https://brushcyber.com/Douglas Brush, the founder of Brush Cyber, excels in data privacy, cybersecurity, litigation, and information governance. His unique combination of technical skills and business insight has earned him the respect and admiration of clients and colleagues.What truly sets Douglas apart is his unwavering dedication to his clients. He understands that protecting data in today’s digital age is a technical challenge and a business imperative. Whether testifying as an expert witness or providing virtual CISO services, Douglas always brings his A-game with an engaging yet intelligent approach. He translates bits and bytes to dollars and cents like no other professional in his field.In fact, he’s so good at what he does that he is a federally court-appointed Court Appointed Neutral (formally known as a “Special Master”) and neutral expert in high-profile litigation matters. Douglas Brush is a beacon of light in a world where data breaches and cyberattacks are becoming increasingly common. He is always ahead of what is coming next, and you’d think he’s got his crystal ball. He’s a leader who inspires confidence and empowers organizations to embrace the digital age without fear. With Douglas at the helm, organizations can rest assured that their data is safe, allowing them to focus on their core business objectives and drive growth in the digital economy. Douglas is a heavyweight in his field, with over three decades of experience in information governance, data privacy, cybersecurity, and dispute consulting is second to none. His unique approach, blending technical expertise with a light-hearted touch, sets him apart, making the complex world of cybersecurity and privacy more accessible and engaging. His unique ability to break down complex technical concepts into easy-to-understand language has made him a sought-after speaker at industry events and conferences.