Episodes

  • Episode 21: AI Notetakers Are Illegal, GRC Tools Are Lying, and ISO 42001 Changes Everything
    Feb 18 2026

    In this episode of the Distilled Security Podcast, we break down three converging forces reshaping how organizations manage AI risk — and what you need to do about it now.

    🔹 BIPA + AI Notetakers — A class action lawsuit exposes unauthorized biometric data collection, why a single Illinois meeting participant creates liability, the Shopify wiretapping dismissal, and the steps you should take today to audit your AI tools
    🔹 GRC Engineering Meets AI — Real AI compliance tools vs. vaporware, using LLMs for policy drafting and control mapping, the hallucination accountability problem, building AI guardrails as code, and the NIST RFI on AI Agent Security (comments due March 9, 2026)
    🔹 ISO 42001 Deep Dive — The first AI Management System standard, how it differs from ISO 27001, AI Impact Assessments vs. traditional risk assessments, stakeholder engagement requirements, and why certification is becoming essential for EU AI Act compliance

    🥃 Spirit Review: Redbreast 12 Cask Strength
    https://www.redbreastwhiskey.com/en-us/whiskey-collections/redbreast-cask-strength-whiskey/

    ⏱️ Timestamps

    0:00 Intro & Episode Overview
    2:04 BIPA & AI Notetakers
    25:08 GRC Engineering Meets AI
    1:07:15 🥃 Spirit Review: Redbreast 12 Cask Strength (Irish Whiskey)
    1:11:17 ISO 42001
    1:49:30 Outro & wrap-up

    🎙️ Hosts
    Justin Leapline – @justinleapline
    Joe Wynn – @wynnjoe
    Rick Yocum – @rickyocum

    🌐 Connect with Us
    Website: distilledsecuritypodcast.com
    X: @DisSecPod
    Email: hello@distilledsecuritypodcast.com

    👍 Like, comment, and subscribe for weekly security and compliance insights.

    1 hr and 51 mins
  • Episode 24: 2 Years, 24 Episodes & The State of Security in the Age of AI
    May 14 2026

    In this episode, we celebrate our 2nd anniversary and Episode 24 of Distilled Security! We cover the Vercel breach, in which a Roblox script led to compromised Google Workspace credentials via an unauthorized OAuth connection. Then we dive into HackerOne pausing its own bug bounty program, overwhelmed by low-quality, AI-generated submissions. And we close out with the State of Vibe-Coded Security—4,783 AI-assisted apps scanned, 727 critical issues found, and the real question: are you vibe coding or vibe deploying? Plus, a quick look at Claude for Security dropping into public beta and what that means for the industry.

    All of that, and we crack open a Peerless Double Oak to toast two years of Distilled Security. 🥃

    ⏱️ TIMESTAMPS:

    00:00 – Intro & 2-Year Anniversary 🎉
    01:26 – Behind the Scenes & Favorite Moments
    08:26 – Podcast Metrics & Global Reach
    24:20 – BSides Pittsburgh 2025 Update 🛡️
    34:31 – The Vercel Breach & OAuth Risk
    58:57 – HackerOne Pauses Bug Bounty
    1:16:05 – Spirit: Peerless Double Oak 🥃
    1:20:27 – Vibe Coding vs. Vibe Deploying
    1:26:46 – Claude for Security & AI News
    1:41:27 – Cheers to Two Years! 🥃

    🎙️ Hosts
    Justin Leapline – @justinleapline
    Joe Wynn – @wynnjoe
    Rick Yocum – @rickyocum

    📬 Send Us Your Questions!
    ask@distilledsecuritypodcast.com

    🌐 Connect with Us
    Website: distilledsecuritypodcast.com
    X: @DisSecPod
    Email: hello@distilledsecuritypodcast.com

    👍 Like, comment, and subscribe for monthly security and compliance insights.

    1 hr and 43 mins
  • Episode 17: TPRM Is Worthless?! NY DFS Part 500, Security Negotiation Tips & Mezcal
    Oct 13 2025

    🎙️ Welcome back to the Distilled Security Podcast - Episode 17!


    In this episode, Justin, Joe, and Rick break down several major cybersecurity and compliance updates shaping the landscape this fall. From regulatory deadlines to the futility of checkbox TPRM exercises, the crew dives deep into what actually matters for security leaders and business owners navigating today’s risk environment.


    Join us at TRISS in Pittsburgh, PA, at the David on October 29, 2025! We have our own booth and will be doing something fun there. We are also sponsoring the After Party! Please come say hi!


    🔹 Topics Covered


    NY DFS Part 500: Final Requirements Take Effect November 1

    The hosts unpack the final phase of New York’s cybersecurity regulation, what’s changing, and what companies must have in place before the enforcement deadline.


    Negotiating Security

    How smaller companies can push back on or reframe due diligence requirements—offering custom questionnaires, summaries, or shared evidence that reflect real security maturity in place of a SOC 2 report or ISO 27001 certification, instead of working through checklists.


    “TPRM Is Worthless”

    A candid discussion on the state of third-party risk management: why it’s often broken, what needs to change, and how to make it meaningful rather than bureaucratic.


    Department of War Announces New Cybersecurity Risk Management Construct

    The team explores the DoD’s latest cybersecurity framework announcement—what it means for contractors, how it overlaps with CMMC and NIST 800-171, and whether it will actually simplify or complicate compliance.


    🥃 Spirit Review


    One of Us Mezcal — This small-batch mezcal impresses with its earthy smoke, hints of citrus, and smooth finish. The guys compare it to other craft agave spirits they’ve tried and debate whether it pairs better with a quiet evening or post-recording celebration.


    Find it here:

    https://oneofusmezcal.com/products/cuishe-mezcal-the-wild-one


    ⏱️ Timestamps


    0:00 – Introduction & Travel Mishap

    6:25 – New Laptop Twins & Backup Strategies

    11:35 – NY DFS Part 500 Updates

    27:30 – DFS Reporting & Organizational Accountability

    33:30 – Negotiating Security Requirements

    47:46 – Cultural Nuances in Negotiation

    50:20 – Spirit Review: One of Us Mezcal

    52:55 – TPRM Is Worthless?

    57:50 – Fixing Broken Vendor Risk Workflows

    1:08:21 – Vendor Resilience vs. Security

    1:18:20 – New DoW/DoD Cybersecurity Risk Management Construct

    1:35:06 – BSides Pittsburgh Planning & Sponsorship

    1:38:35 – DSP at TRISS

    1:39:51 – Closing Remarks & Outro


    🎧 Hosts


    Justin Leapline – @justinleapline

    Joe Wynn – @wynnjoe

    Rick Yocum – @rickyocum


    🌐 Connect with Us


    Website: distilledsecuritypodcast.com

    🐦 Twitter: @DisSecPod

    📧 Email: hello@distilledsecuritypodcast.com

    1 hr and 41 mins
  • Episode 23: Nobody read the report
    Apr 14 2026

    In this episode of the Distilled Security Podcast, we break down the Delve scandal—flawed SOC 2 reports, copy-pasted content, and oversight failures that expose deeper issues in compliance-as-a-service. Joined by Matthew J. Schiavone, we examine auditor accountability, quality review gaps, and key differences between SOC 2 and ISO 27001.

    We also cover what companies should demand from auditors, the role of automation, and whether this scandal will drive real change in the industry.

    Topics Covered

    • The Delve scandal—leaked reports, copy-pasted audits & pervasive deficiencies
    • The AICPA peer review process & AC Corp's adverse findings
    • SOC 2 vs ISO 27001—oversight models, witness audits & accreditation
    • The incentive structure driving compliance to the bottom
    • Compliance automation — what works, what doesn't & AI's real role
    • What to ask your auditor before signing anything
    • Trust centers — done right vs. compliance theater
    • Is SOC 2 dead? What needs to change & who has to change it


    Hosts

    • Justin Leapline – @justinleapline
    • Joe Wynn – @wynnjoe
    • Rick Yocum – @rickyocum

    Guest

    • Matthew J. Schiavone - (Sikich)


    Connect with Us

    • Website: distilledsecuritypodcast.com
    • X: @DisSecPod
    • Email: hello@distilledsecuritypodcast.com
    2 hrs and 10 mins
  • Episode 14: AI Risks, Threat Modeling, and The Future of Vibe Coding
    Jul 8 2025
    Episode 14 of the Distilled Security Podcast is here!

    This week, the team welcomes guest John Zeolla, a cybersecurity expert and AI enthusiast, for a deep dive into the risks, realities, and potential of artificial intelligence.

    Topics include:

    • Shadow AI in the Enterprise: Why business leaders are adopting AI faster than CISOs can assess the risks—and how features are outpacing controls.
    • Third-Party AI Risk: Understanding vendor integrations with ChatGPT and others, and how contracts alone can’t guarantee security.
    • Data Sprawl and Provenance: How uncontrolled data flows and poor identity scoping create dangerous exposure in generative AI platforms.
    • Threat Modeling for AI: Why traditional frameworks like STRIDE still apply—and how techniques like “LLM as a judge” are reshaping modern risk analysis.
    • Hallucinations, Misuse, and Insider Access: From AI-summarized HR documents to leaked board data, the team explores how improper permissions are amplified by intelligent agents.
    • AI in Real Business Use: From customer support chatbots to code review tools, where AI adds value—and where it creates new points of failure.
    • Governance and Culture: The role of CISOs, legal, and finance leaders in aligning AI ambition with responsible oversight.
    • Bourbon Review – Elijah Craig Private Barrel Pick: A smooth 94-proof selection sponsored by Liberty Liquors (MD), bringing sweet caramel and balance to this week’s pour.
    • BSides Pittsburgh Preview: With nearly 1,000 tickets sold, the team teases event highlights, panel interviews, and John's upcoming talk on "vibe coding."

    Timestamps

    00:00 – Welcome & Introductions
    02:20 – What’s “Shadow AI”?
    06:45 – Third-Party Risk & AI Integrations
    11:10 – Contracts ≠ Security
    14:00 – Data Sprawl & Identity Challenges
    19:05 – Threat Modeling for AI
    23:40 – “LLM as a Judge” in Risk Analysis
    28:15 – Hallucinations & Misuse Scenarios
    33:00 – Insider Access Amplified by AI
    36:30 – Real-World Use Cases (Chatbots, Code Review, etc.)
    41:55 – Governance, Culture & CISO Alignment
    48:20 – Bourbon Review: Elijah Craig Private Barrel
    52:30 – BSides PGH Preview & John’s “Vibe Coding” Talk
    57:00 – Final Thoughts & Wrap-Up

    Hosts

    • Justin Leapline – LinkedIn
    • Joe Wynn – LinkedIn
    • Rick Yocum – LinkedIn

    Guest

    • John Zeolla – Zenable.io

    Connect with Us

    • Website: distilledsecuritypodcast.com
    • Twitter: @DisSecPod
    • Email: hello@distilledsecuritypodcast.com
    1 hr and 23 mins
  • Episode 6: SEC Penalties, M&A Security, and Due Diligence
    Nov 8 2024

    Welcome back to the Distilled Security Podcast! In this episode, hosts Justin, Rick, and Joe dive into the latest in cybersecurity, from regulatory challenges to pop culture:

    Topics Covered

    1. SEC Penalties for Cybersecurity Disclosures
      Discussing recent SEC penalties due to lapses in cybersecurity disclosure, the implications for companies, and how organizations can stay compliant.
    2. Cybersecurity Materiality and Disclosure Practices
      Tips on navigating the materiality assessment of cybersecurity incidents and ensuring compliance with auditors' disclosure requirements.
    3. Preparedness Through Tabletop Exercises
      Exploring tabletop exercises as a method to enhance readiness for cybersecurity disclosures.
    4. Security in Mergers & Acquisitions
      The importance of aligning security philosophies, protecting supply chain integrity, and fast decision-making in M&A processes.
    5. Pre-Mortem Analyses for Risk Mitigation
      Utilizing pre-mortem analyses to identify risks in acquisitions and ensure security compatibility before a merger.
    6. Best Practices for Selling a Company with Strong Security
      Tips on audit readiness, maintaining a secure posture, and what security leaders should prioritize to avoid penalties or discounts during acquisitions.
    7. Information Control in Modern Warfare
      How controlling information plays a strategic role, with examples from cyberpunk themes to illustrate the power of data control.
    8. Favorite Cybersecurity Movies
      A fun review of iconic cybersecurity movies, highlighting elements like data movement, IP address inaccuracies, and common movie hacking tropes.
    9. Due Diligence Strategies for Small Businesses
      Key steps for conducting effective due diligence, including using a risk-based approach to compliance and managing contracts efficiently.

    Links

    • Cyber Scoop

    Spirits

    • Barrell Seagrass - A unique blend of American and Canadian rye whiskeys, each carefully selected and finished in Martinique Rhum, Madeira, and apricot brandy barrels.

    Hosts

    • Justin Leapline
    • Joe Wynn
    • Rick Yocum

    Connect with Us

    • Website: Distilled Security Podcast
    • Twitter: @DisSecPod
    • Email: hello@distilledsecuritypodcast.com

    Time Stamps

    • [00:01:25] SEC penalties for cybersecurity disclosure lapses
    • [00:05:16] Working with external auditors on cybersecurity disclosures
    • [00:09:30] Assessing cybersecurity materiality in disclosures
    • [00:11:45] Tabletop exercises to improve disclosure preparedness
    • [00:14:36] Cybersecurity considerations in M&A
    • [00:19:12] Making fast, informed security decisions
    • [00:23:06] Pre-mortems for assessing acquisition risks
    • [00:25:12] Compatibility of security philosophies in M&A
    • [00:30:20] Securing supply chains in acquisitions
    • [00:34:23] Steps to sell a company securely
    • [00:37:06] Preparing for audits in the sale process
    • [00:42:07] Hosts discuss favorite cybersecurity movies
    • [00:45:57] The strategic role of information in warfare
    • [00:48:49] Data transport themes in cyberpunk films
    • [00:52:36] The infamous fake IP addresses in movies
    • [00:56:01] Due diligence for small businesses and startups
    • [01:00:47] Centralized vs. decentralized security strategies
    • [01:02:20] Adopting a risk-based approach for security questionnaires
    • [01:06:05] Negotiating buyer risk assessments
    • [01:10:11] Leveraging compliance automation tools
    • [01:12:55] Managing contract risks effectively
    • [01:16:10] Ensuring alignment between contract terms and security questionnaires
    1 hr and 17 mins
  • Episode 3: Crowdstrike, North Korean Spies, and CISO Scapegoats
    Aug 12 2024

    Episode 3 of the Distilled Security Podcast is here!


    Join us this week as we jump into:


    • CrowdStrike Incident Analysis: A deep dive into a recent mishap by CrowdStrike that led to significant financial losses and operational disruptions, including an estimated $5.4 billion in losses.
    • Vendor Accountability: Exploring the legal and financial repercussions of security vendor failures.
    • Business Continuity Planning: The importance of preparing for security vendor failures, including considering alternate vendors and the complexities of implementing such strategies.
    • Kernel-Level Security Risks: A discussion surrounding kernel-level operations in security software, focusing on the controversy between CrowdStrike and SentinelOne.
    • Manual Workarounds and Legacy Systems: The challenges of maintaining business operations during security incidents.
    • Ransomware Recovery vs. Vendor Failures: Comparing ransomware attacks' impact and recovery processes with security vendor-induced failures.
    • Password Management Vulnerabilities: The risks associated with dependency on password management systems like Thycotic/Delinea and LastPass, and the potential fallout if these systems experience downtime.
    • BSides Pittsburgh Recap: the biggest BSidesPGH event yet. Hear the notes and highlights from the conference.
    • North Korean Spy Hired By KnowBe4: Hear how a spy for N. Korea got by the defenses of KnowBe4, how they caught them, and steps they implemented to avoid this in the future.
    • CISOs as Scapegoats: Are CISOs being pegged as scapegoats unfairly?


    Links

    • Crowdstrike Incident - https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
    • SentinelOne Response to CrowdStrike Outage - https://www.crn.com/news/security/2024/sentinelone-ceo-on-crowdstrike-outage-not-just-an-honest-mistake
    • BSidesPGH - https://www.bsidespgh.com/
    • TRISS - https://www.threeriversinfosec.com/
    • KnowBe4 // N. Korean Spy - https://blog.knowbe4.com/cyberheistnews-vol-14-31-how-the-whole-world-now-knows-about-fake-north-korean-it-workers
    • CISO as Scapegoats - https://www.thestack.technology/were-becoming-scapegoats-how-have-cisos-responded-to-sec-cyber-risk-disclosure-rules/


    Spirits

    • Rabbit Hole Cavehill // Four Grain Triple Malt - https://www.rabbitholedistillery.com/pages/cavehill/


    Hosts

    • Justin Leapline - https://www.linkedin.com/in/justinleapline/
    • Joe Wynn - https://www.linkedin.com/in/wynnjoe/
    • Rick Yocum - https://www.linkedin.com/in/rickyocum/


    Connect with Us

    • Website: https://distilledsecuritypodcast.com
    • Twitter: @DisSecPod
    • Email: hello@distilledsecuritypodcast.com
    1 hr and 11 mins
  • Episode 22: Is AI Good for Security, CIRCIA Starts the Clock, and the M&A Problem Nobody's Talking About
    Mar 9 2026

    In this episode of the Distilled Security Podcast, we tackle four topics shaping the cybersecurity landscape — from AI's real impact on defense to a wave of regulatory and market changes every security team needs to be tracking.


    🔹 Is AI Good for Security? — Anthropic's model finding hundreds of zero days, stock market panic after Claude Code's launch (CrowdStrike down 11%), the "hard things easy, easy things hard" reality of AI, why human-out-of-the-loop isn't ready yet, the coming spike in vulnerability disclosures, and how defenders should be using AI for better hygiene

    🔹 CIRCIA Final Rule (May 2026) — The federal incident reporting law hitting critical infrastructure, 72-hour incident and 24-hour ransom payment notification clocks, how "substantial cyber incident" triggers differ from materiality, mid-market companies falling in scope, overlapping timelines with HIPAA/SEC/state breach laws, and building your incident response playbook now

    🔹 Protecting Yourself Against a Changing Compliance Landscape — CMMC Phase 2, HIPAA overhaul, CCPA audits all converging, why a unified security program beats framework-by-framework chasing, evidence over policy in audits, engineering continuous compliance through automation, and the reality of doing this without dedicated staff

    🔹 Cybersecurity M&A / Consolidation Problem — Google acquiring Wiz for $32B, 10% of the cybersecurity industry changing hands, operational benefits of fewer vendors vs. pricing pressure and talent drain, the OneTrust "sticker on the side" integration warning, Cisco's Startup Studios model, and why consolidation only works if they don't break what made the acquisition special


    🥃 Spirit Review: WhistlePig 12 Year Old World Rye

    PA Fine Wine & Good Spirits Select — Finished in Madeira, Sauternes & Port barrels, 86 proof

    https://www.whistlepigwhiskey.com/


    📬 Send Us Your Questions!

    ask@distilledsecuritypodcast.com


    🎙️ Hosts

    Justin Leapline – @justinleapline

    Joe Wynn – @wynnjoe

    Rick Yocum – @rickyocum


    🌐 Connect with Us

    Website: distilledsecuritypodcast.com

    X: @DisSecPod

    Email: hello@distilledsecuritypodcast.com


    👍 Like, comment, and subscribe for weekly security and compliance insights.

    1 hr and 56 mins