Modern Cyber with Jeremy Snyder - Episode
63

Toni de la Fuente of Prowler

Recorded live at fwd:cloudsec 2025, this episode of Modern Cyber features Toni de la Fuente, founder of Prowler, one of the most widely adopted open source cloud security tools.

Toni de la Fuente of Prowler

Podcast Transcript

Welcome back to another episode of Modern Cyber coming to you again from the sidelines of fwd:cloudsec where, again, we are lucky enough to get to sit down with some of the people making fwd:cloudsec happen. In this case, it is Toni de la Funete. Tony, thank you so much for taking the time to join us. Thanks for having me. So for people who don't know you or know your company Prowler, maybe just a quick introduction.

Tell us a little bit about your career, when you started Prowler, why you started Prowler, what is Prowler, all of that. Sure. I'm Toni de la Funete. I I started in cybersecurity now almost twenty six years. Yeah.

I'm doing many different things from testing to hardening, blue team, purple team, red team. Mostly blue team. Okay. And I started doing stuff in the cloud back in 2012 or so. Okay.

Then I realized that we needed more tools. Okay. And I started writing Prowler. But, okay, in in the in 2016 Okay. Actually, today is our ninth anniversary.

Yeah. I saw your post. Yeah. I saw your post about that. Nine years.

Wow. And, you know, those nine years, I I wanna get into that journey in just a second. But what was the original inspiration? You said you you realized that you needed more tools. What how did you realize that?

Well, I basically, I had a bunch of AWS accounts and I didn't know how to assess them. Okay. And I say, okay. I I found the the CIS benchmark that was Yep. Released that year.

Yep. The first the first version of the CIS benchmark. I remember. And I I said, okay. Let's let me see if we can do some automation on that because those benchmarks came with the CLI, AWS CLI.

By that time, I started only for AWS. And, I said, okay. I'm going to do the assessment once. Okay. The second time has to be automated.

And also has to be easy enough for everybody to run it and get green if you have good configuration and red if you have something to do. Okay. Easy for not for for me not to be on top of anybody else Yeah. But everybody else, doing that. So and I started doing the automation.

It was a vast script Yep. In the day. Yeah. And, since I'm, Hellbanger, I love Iron Maiden. I found that the first song of the first album of Iron Maiden is, the name is Prowler.

Oh, I didn't know that. And, and I said, okay. Prowler is a cool name for a security tool. It is. Yeah.

A customer assessment or Yeah. Or a scanning tool. And that was the name. Yeah. And that was nine years ago.

You are. Wow. And it's it grew a lot and Yeah. Now I will have a company. And and I'm curious.

Right? So at that same time, around 2016, I was actually working for a CSPM company at the same time. Why did you go open source? Because I think there would have been, like, a lot of arguments that, oh, no. You should just make this a commercial offering.

There's lots of companies that needed a tool like this at that time for exactly by the way, exactly what you said, every customer that we worked with at the time, the first use case was CIS benchmark checking. Exactly. Well, the point is I didn't do that as a as a product. Okay. I did that as a as a an open source product.

I've done other other open source project and worked for open source companies. And, and, it was an exercise for me to learn, basically. Okay. I wanted to learn more about hardening s three. Yeah.

Hardening EC two instances. Hardening the the networking in the cloud, all that stuff. And I learned a lot because Yeah. The first 250 checks Yeah. Of product was written by myself.

Yeah. And and I learned a lot about AWS security. Also, by that time, I was doing a lot of, forensics Yeah. Forensics. That wasn't a very popular topic.

No. And, and it was, yeah, mostly a learning exercise and just to to to publish something for everybody. Not not like, okay. I'm going to create a new product. Yeah.

That came after after that. Yeah. Well, I wanna come back to cloud forensics in a minute because that's that's actually something that I think a lot of people don't really understand how to do cloud forensics. There's so many different types of logs that have different data in them and getting all that together and then understanding what actually happened can be quite challenging. So let's come to that in a minute.

But so nine years of running an open source project. You yourself did the first 250 checks. When did you see that the project started to grow and have other people contributing to it and then starting to, let's say, build some of their own checks or or, you know, add core functionality that you could then merge into the the the core open source project? That was very in the early days as well because, I didn't even know this is this is a good example for people to see that I was very new on that. I didn't even know about stars.

Okay. And did I don't remember, I had a friend that came to say, Tony, have you seen a product that has 300 stars? I said, 300 what? And it and it was a very it it started becoming very popular. Yep.

And a little bit after that, I remember doing a talk at, the Sands Cloud CloudSecNext in San Diego. Okay. I was doing a talk about cloud forensics. And in cloud forensics, I I did a category prowler that is forensics readiness. Okay.

For people that is, learning about cost security when you do a when you have an incident in the cloud or anywhere, but you need to content the incident, of course. Yeah. Then to do your your analysis to see what has happened and to prevent it to happen again. Right? In the cloud, the you need to make sure everything is enabled.

Right? Because all your logs are log. Yeah. Or the the the any traceability of in your from your application to whatever else you are using, like a Banda function to an s three bucket, you name it. Yeah.

And the security services, by that time, not not many services. Not not that in GuardDuty was Yeah. Manual, but Yeah. You had other options. Right?

And, talking about that, I I realized that, I mean, doing hardening in the cloud and being ready for, security incident was really hard, even in the in the cloud because none none of those services are enabled by default because you have to pay for them. Yeah. That's right. So in during that eve event, people will say, yeah, man. What you are doing is very is very cool.

So you should keep pushing on that. Yeah. And I have my day job that was like a pet project. And I presented, prior to Black Hat Arsenal. Also, that was a very important that was a good good progress in terms of popularity.

Yeah. What year was that? That was 02/2018. Okay. By that time, I got 2,000 stars on GitHub.

Okay. And and I kept adding more more checks. I got, contributions like new output formats. Yep. New checks, new compliance framework supported.

And by that time, everything was bash screen. Still. Still a bash screen. Okay. Yeah.

And and very slow compared to any other tools that came, a bit later like Scott Suite. All that is they were Cloud Exploit. Was very fast because it was note, I think. There you go. Scott Suite was Python.

All those tools were very fast in terms of scanning. Yeah. But Prodder was easier. Yeah. Easier easier to use in my opinion, of course, but Yeah.

All the tools and I mean, if it's bash script, you don't have to install a bunch of It was working at the at the beginning from the very first. So you're like, with bash script, you're relying on the AWS CLI? Yes. Yes. In the So it's not a CLI with the with everything that everybody was familiar with.

Yeah. Like the credentials, authentications, services, very straightforward. So you put your secret key and your access and all that and then environment variables and that's all. Yeah. But And what was the output format at that time?

Like, if you ran The various various output format was, TXT in the in the on the screen. I mean, was the output in the screen. So you you run by that time, you run crawler and you got check number one, you are okay. Check number two, you are not okay. Share number seven like that.

Seriously. That easy. Like, not even an output. The output was the screen. Yeah.

The standard output in the screen on the on the command line. Right after that, I created a c it was a TXT file then a CSV file that was a contribution from from from, a contributor. What is the name? The name. The name.

The oh, Ben. Ben Allen. Okay. Also, and, I created an HTML that the HTML file was created on the fly. Okay.

It was I mean, if you think about any type of trick, bash, or shell script trick that you can imagine, that was in power. But at some point, it was very hard to manage. So, like, when you say this HTML script is created on the fly, like, you're literally creating, like, the tags from, like, this, like, output of the bash script. Exactly. Okay.

Exactly. Yeah. It was I created the template by myself. I mean, now in Python, I didn't know that Python was going to be make everything easier. Even I had my own functions for date of some services.

Yeah. Like, I don't know. For for BSD one, for, Linux a different one. Yeah. If you run that from Linux or from Yeah.

Mac, for example. It it was crazy. Speaking of date, I mean, just a random question because I remember from this time period, we, you know, we the product that I would the company that I was with at the time and the product that I was selling DiviCloud, like, we were a kind of a customer server install. It was Python based, web based interface, and so on. But we we often had this problem where the, the clock sync would get out of sync with AWS.

And so if your e c two instance, which is where most customers ran our product, if that had any kind of NTP drift from AWS, even if you provision valid credentials into the instance, like the checks would fail. Like because they already talking that doesn't work. Exactly. It's like out of it's it's not valid or out of scope or whatever. Yeah.

So when I when I said that it was a learning exercise, it because I learned a lot about those things. Yeah. Because if something fails so at some point, probably have a a very large community and a lot of people using it all the time. And when I say all the time, it's like, I remember making a change and people testing that changes straight away. Yeah.

And now it happens even even more. But, when somebody started saying, hey. I'm running this check and doesn't work because I'm running in cold build from this type of build where whatever thing and spend I remember spending the whole night debugging every every time that somebody was saying that it probably doesn't work in this case. Yeah. And it was a lot of work.

Yeah. And very hard to debug. Yeah. Very, but at the end of the other side, I was very proud because my code was being used Yeah. By Yeah.

Our people. I remember very large companies using product and asking me, hey, Tony, why do you have this or that feature? I remember to not to sleep that night Yeah. Adding the feature. Yeah.

And that was back in 2018 or '19. Yeah. And at that point, I had the opportunity to join AWS. Because I tried to join AWS many times because it's like for me, it was like, wow. My dream job.

Right? Like, Lego lamp for a for a kid. Yeah. And I joined AWS. I spent two years in AWS doing different positions, and learning a lot about a company like Amazon, and also growing, making making Prowler even more important in Italy, but also externally.

Yeah. Adding more popularity into Prowler, I had I mean, many VCs and people are looking also at successful open source projects to see if they can make money out of them. Yeah. And I had many different conversations with a lot of people. Yep.

And at some point that I was working so many hours Yeah. For AWS, of course, at my day job. Yeah. And for for Prowler, I decide to put all my eggs in the same basket for for Prowler. So I quit.

Yep. And I started full time with. Yeah. Yeah. And so what year was that?

That was 02/2021. Okay. And after a year and a half, I started the company. Okay. The and in February, '23.

Actually, now in July, it's going to be two years of the of the company, the incorporated company, but with money. We and then I raised money, like, three, four months after that. Yeah. It wasn't very, very difficult. Yeah.

But it wasn't easy either. Yeah. But it is good when you have an open source product that is very popular, makes everything easier. Yeah. You have proof.

You have, you know, users. You have validation. And I think one of the things that it's it's easy to take for granted is actually, like, just the importance of getting your software into the hands of as many people as possible to prove that it's working. Right? So, like, even if, let's say, the commercial model isn't necessarily working the way that you think it should or something like that, you at least know that, a, the software works, and b, there's value being provided because, like, otherwise, people wouldn't use it.

Exactly. Right. And so that those are two strong, validation points. I'm curious. You're one of the few people that I've had on the show that goes back in cloud security as long as I do and maybe even longer.

I left AWS in 2011, but I didn't have a ton of focus on security at the time because at that time, well, first of all, like, during my time at AWS, VPC and IAM were both introduced. Prior to that, like, the way that organizations used AWS accounts was completely different. Right? Like and I think those two things really changed the security model completely. Prior to that, you know, like, a company would have one AWS account and, you know, threw everything in there.

And at best, you had tags on different workloads, but effectively every instance was kind of Internet facing. And so you had to adjust the way that you used AWS because of those constraints. And then VPC and IAM came along and then, like, you as a customer, you can, you know, set this up however you want. Oh, I want these users with these roles, and I want role based access control, and I want, like, a subnet that looks like this and a DMZ and then all the different things that you could put in place. But I'm curious from your perspective.

Right? So ten years in or nine years into Prowler, what's changed? What do you see that's, like, different today in terms of, let's say, like, the cloud provider defaults or, let's say, the challenges that customers have when they when they turn on cloud accounts for the first time? In AWS or in general? I I guess either.

I mean, however you wanna think about it. It's way more complex. Okay. It's way more complex. There are so many, API endpoints.

It's it's very different to do a product, cloud security product, like product for AWS than others Okay. For AWS or Google Cloud, kind of easy, but compared to Microsoft related services. Yeah. Yeah. Because the also, the pace of AWS is different to everybody else.

Yeah. The best thing of AWS, from product standpoint is portal three. Okay. That makes everything busy. Yeah.

Yeah. Others are a little bit more, difficult in order to understand how to do that, yeah, properly. Microsoft is is a is a is a little bit yeah. And I'm I would Yeah. Yeah.

On that. But, in terms of the the industry, something that is happening too much probably is that companies, even small companies, small organizations, they want to use multiple clouds. Yeah. And that makes everything harder. Not for us.

I mean, we we are multi cloud and because we want to bring service for all the the most important cloud providers and SaaS. Yep. But but for an end customer to understand how just one single cloud works, is hard. So to understand two two service pro cloud service providers is even harder. Yep.

Something that happens in I'm in this has happened in I'm in the the last twelve years is nothing more than complexity. Yep. And we are trying to to create tools to allow people to understand what they have or at least the most important things. Yeah. They don't have over privileged users or rules, policies, all that stuff.

Yeah. But it's very hard. And that is a pending task for all calculators. Yeah. Microsoft to to AWS, of course.

Yeah. Interesting. I I mean, I think, like, of all the things that are the most different across the three major cloud providers, IAM is the one that, in my opinion, is the most different. Of course. Yeah.

Yeah. It's but that starts from the foundation. The and you said that, AWS started with the account as a as the unique entity. Yeah. And they didn't have Haptics.

They they didn't fix that. This that is the same. Regardless, AWS organizations that try to create some sort of umbrella Yeah. But it's still the same. Yeah.

Even if you want, I mean, if you start an AWS account today, you're gonna end up with one account and you have a root user as the your starting point, and then you have to go from there. And if you wanna kinda grow up to be an AWS organization, you need to create an organization and then create the OUs and all the all the, you know, the things around it and create an admin user and disable root and, you know, all those types of things. The STPs, SCPs, the the they don't apply to to the to the organization's management account Yeah. For for obvious reasons. Yeah.

That's a kind of and in in the other side, in Azure, for example, the way you organize subscriptions Yep. Makes a little bit more sense. Yeah. You're starting with the top down construct. You have an org and you have yeah.

Or even with products in Yeah. In Google. Yeah. Is also even probably easier way to see it in terms of also permissions Yep. Getting permissions or assigning the roles or stuff.

But it's partly because we have made, regardless the complexity of AWS I'm Yeah. We have made kind of easy to to use mostly. Yeah. But but still, I I mean, is I say they're easy between quotes because we have been in AWS pretty much forever. Yeah.

But for the new people, it's like, wow. This make a big issue. Yeah. This a big issue. And how have you seen things like the benchmarks evolve over time, like the CIS benchmarks or other standards?

Because, like, I I see kind of two aspects of them that I I really scratch my head around. Number one is, of course, you know, like, the cloud providers are moving so fast and they're adding new services. And, obviously, like, the last two years, they've been adding so many AI service, AI related services with a ton of risk associated to them, especially in different data usage, but almost nothing in the way of, let's say, like, compliance or security checks around the AI specific things. But part of my point is that, like, the cloud providers move super quickly. Organizations like CIS don't move nearly as fast.

And so they're always kinda behind what is actually, like, out there in terms of risks or misconfigurations that a customer could get wrong. And yet still most customers, when you talk to them, it's like, hey. What are you doing? Well, I'm checking CIS benchmark, whatever. Right?

And still people want that level one or level two. You know what I mean? CS level one, level two. It's, so to give you an idea, I started Prowler for CIS benchmark, AWS CIS benchmark version one, and now it's CIS benchmark for AWS version five Okay. In nine years.

In nine years. Okay. At I at the beginning, I think it they were, like, 50 checks or 50 controls, and now they are, like, 78. Yeah. Something like that.

Yeah. Are 70 or even a 100 controls enough to guarantee your security? No. No. But I don't see any other compliance framework that guarantees guarantees full security.

Well, no compliance framework is ever a guarantee of anything. Right? Exactly. That is not their their job. No.

I mean, despite it should be kind of, but Yeah. Something that we we try to do and we we do actually with prior studio, we can is we we can, update more often our supported compliance frameworks. We have more than 50 now. Is just to make sure all the new services are in the section of the the existing compliance frameworks. Am I talking not only about CIS, but also ISO 27 for one, SOC two, type two, you need.

And now we have actually in the in in prior five eight that we release, most likely tomorrow. We include something that we have called prior threat score. Okay. And we try to go a little bit bit a little bit farther than the typical yes or no if you are compliant with this requirement or bad requirement. Yeah.

But, because that gives you a false sense of security. Yeah. Because if you have everything right, but an an exposed s three bucket Yeah. You have a 99% of right next. Yeah.

Yeah. Right? Yeah. That is false. Yeah.

Because you are actually doing something really bad like exposing resources. Yeah. With power threat score, we are, adding weights. Okay. And the risk and the weights the the weights of of the the finding is going to tell you your actual score.

And is the are the weights informed by what you know threat actors are exploiting in the world or what what determines the weights? The ex mostly the the exposure of of resources. So if you think about things like net effective access where like, you know, something that might get flagged as this has public Internet access, but, actually, you know, there's a VPC and there's an ACL and there's a whatever. You can actually check whether it really is exposed and then maybe, like, lower the score or whatever. Yeah.

We but we have that in our text now. Okay. So now if you have a port 22 open in an in a security group Yep. We don't not only tell you, hey. You have this open with that severity.

But if it's open, if it's attached to an instant, if it's in a public subnet Yeah. That instance has a public IP Yeah. That is critical severity Yeah. Instead of Yeah. If you have the that security group open and it's not even attached to anything Yeah.

It's a low severity. That's still a problem. But still a problem. Yeah. But not a big big thing.

Right. Right. This is one of the things that I think, like, a lot of customers are probably facing as they get as their cloud footprint gets larger and larger, one of the problems is tools like like Prowler, like, you know, former Divi Cloud, any CSPM tool, really. Like, you find all these misconfigurations and you show them to the customer, but sometimes that list is really long and can be very overwhelming. Right?

And so things like this where you're waiting and then trying to tell them, like, actually, these are the ones that you care about. I know you have a thousand, but, like, these are the 50 that are actually important because they're publicly exposed, and I can show you exactly why and and so on. Right? Makes a ton of sense. So what's next for Proller?

Like, what's what do you think is the path forward? So in that regard, we have something that we call mute list. Okay. And it's becoming part of the UI of the the mute list, the the application UI that is open source and is in network product offering. Yeah.

And that is going to make everything easier because you're going to be able to mute group of finding. And, also, something that we are adding now to Prowler, our AI part is called, Prowler Lighthouse, is going to tell you what is the most important thing you have to do now. Okay. Based on context, if you want to give a Prowler context. But if not, it's going to tell you, hey.

I have just done this security assessment in this or that account or project or subscription, and do this now. Yeah. Because this is important. And if you don't know how to do it, you can ask. Yeah.

And Prowler gives you the confirmation template, the Terraform code, or anything. I mean, AI is great for Yeah. Yeah. I mean, it's not 100% guaranteed that it's going to be perfect Yep. But helps a lot.

Yeah. Yeah. A lot. To for example, to ask, hey. Give me the SCP to prevent this or that to happen.

And we give you straight away. Yeah. That is very, is going to help a lot. And also, we are adding new providers, like Microsoft Microsoft three six five. We are adding also, GitHub for your security of your repositories.

Yep. But, also, we are going to allow Prowler to scan your code. It's like it's like shifting left a little bit. Yeah. Yeah.

Prowler is, actually, that is already in the repo. So it's a new provider that we call IAC, infrastructure as code. Yeah. So you are going to be able to scan Terraform, CloudFormation, GitHub secrets, actions, all that stuff. Nice.

Because we want you to use product not only for the runtime part, but also before runtime. Yeah. And to cover the whole the whole pipeline, let's say, of your application in or your workloads in the cloud. And on top of that, now we have released a new service called Prowler app that is our database or our knowledge base of our Prowler artifacts. So, for example, if you want to learn how to secure SageMaker, for example, you can go to product hub and see all the SageMaker controls that we have Yeah.

How to assess them, how to learn from them, why it why it's important this or that control and how the the all of them map to multiple security Nice. Compliance frameworks. Yep. So, basically, keep growing the community also and and giving the industry an open source alternative to to what everybody needs that is improve their security posture. And how many how many stars are we at now in probably We have almost 12,000.

Very nice. Yeah. Awesome. We've only got a couple minutes left, and I've got two questions I wanna kinda come back to. Number one is, for those who have never gone through cloud forensics, you know, we talked to for just a second about making sure that you have all the logs turned on, and I know there's paid services.

But just at, like, a high level, when you think about, okay, we've had an incident in our cloud environment, how do you approach forensics? Like, is there any kind of lesson learned that you could share with the audience? Well, actually, I, in 02/2018, I released a kind of a workflow Okay. Of what you have to do when you have an incident. Depending on the incident, of course.

But if it's, you know, a a credentials leak through the IMDS version one, you should also take a snapshot of the EBS volume, then do the analysis of the EBS volume doing typical forensics, like, using the cloud, going through the whole path of the the attacker from, let's say, common application in the cloud where you have static content in an s three bucket Yep. Then your application in a in a cluster of EC two instances Yeah. That but but below the two load balancers. Yeah. And then your database, you have to make sure all that stuff is logging including the the CloudWatch logs or something for your application.

Yeah. The s three for the content, the even the load balancers, the VPC flow logs. Now the VPC flow logs are not that that important if you have GuardDuty enabled. Well, and also, especially if you're running more, let's say, like, serverless or containerized workloads. Yeah.

But if you have Lambda functions, you have I mean, there are many different services that you don't even know sometimes that they have a logging option. Yeah. So, is to to go through all that stuff. Actually, in parallel thread score, we have four pillars and one is, is in response. Yep.

Are you ready for, an incident? Yeah. And it's about monitoring, logging Yeah. And, yeah, and the services about about those those, artifacts. In this, this blog post, is it still online?

Should be. It should be. Okay. My mlicks.com, my personal blog. But, okay, I don't I don't I don't update very often, but, yeah, it should be in lyx.com, blyx.com.

Blyx. Alright. We'll see if we can find it and put it in the show notes for for anybody who's interested. Last thing, I mean, you you know, you've been working on this. You've been working on this for, like, nine years now.

So you've seen all the changes across the different cloud providers, Microsoft, Amazon, Google, etcetera. If you could talk to the heads of product for each of these platforms, what would be, like, your number one request for something that you wish that they would change? The Unify APIs, man. Yeah. Unify APIs and SDKs.

Yeah. And that is an important thing mostly for for Azure. Yeah. But, yeah, having developer tools, SDKs Yeah. And, for most common languages like Python Yeah.

And and Java. Java. Java. Yeah. Whatever.

At least Yeah. That will make, their clouds more secure. 100%. 100%. And, for AWS, what I will ask is, change the way you create defaults.

Yeah. Yeah. But security faults have gotten better. Security is is is better Yeah. But but also I'm is more is harder.

Yeah. Fair enough. But if we if we allow people I mean, I remember that I one of the reasons I started Prowler was because I doing a scan of look for EC two instances. Yeah. I found three accounts with with EC two instances in Singapore.

Mhmm. And we were a British company. Yeah. You know? It's like, why Yeah.

Why Singapore is enabled? Yeah. No? So so to create bet better defaults or more or at least to give the opportunity to create something like, okay. You have to to open.

So imagine you had some kind of, like, let's say, account wizard at the very beginning of the process, and you just describe, like, you know, this is what I want. I want an organization and, oh, you know, we we are a British company. We're gonna run production in London, and maybe we'll run disaster recovery in the Ireland region. Those should be our default ones and, you know, our main use cases. And it seems like, by the way, like, it seems like with LLMs, this shouldn't be very hard to kind of reveal.

In context. Yeah. Actually, if you go to the wizard that you can use when you create a VPC Yeah. Since two years ago Yeah. Yeah.

This a very decent one. Yeah. Yeah. That is asking you, what do you want to do? What is the application like?

Yeah. Yeah. Cooking like? And something like that for not forget about account. Okay.

Forget about project or or or is what are you gonna do? Yeah. And I'm going to do my part, me as a closed service provider, and you customer do this. Yep. We should be able to do that.

Yeah. And that is also going to help everybody to understand the shared responsibility model that nowadays is almost impossible to understand. For us, a little bit because we have been in the cloud for long, but for new people Yeah. So we need to fix that or otherwise, the cloud adoption is going to get stuck. Yeah.

I think. Yeah. And by the way, the shared responsibility model is getting even, I would say, muddier with AI service. Of course. Of course.

Of course. Now I remember when when AWS released Bedrock with the Bedrock, you know, the LLM hijacking and Yeah. The offering issues that that that that came by that time. How can you explain somebody Yep. What is your responsibility?

Yeah. Sometimes what I said in in my favor in our favor of Pro is, like, if Proder can fix it or can can tell you, it's your responsibility. That's all. But I also with the over the years, Proder is not only being used by end users, but also by Yeah. The Yeah.

Providers. But in anyway, if you are building an application, I'm prouder can tell you what is wrong Yeah. Because it's your responsibility. Yeah. Whatever that is.

Yeah. It can be in a serverless or it can be in a full responsibility Yeah. EC two instance. So Bedrock breaks us quite a bit. Right?

Because we've been actually testing a lot of the models and, you know, the the behavior that you get from, let's say, like, some of the Amazon models versus some third party models is, like, night and day different. And, you know, common jailbreak prompts that just don't work on some models do on the others. And how are you supposed to think about that as a customer when you're like, hey, Amazon. Why are you giving me a crappy model that's, like, super vulnerable to the most basic of jail LLM jailbreaks. Right?

But that happened in the in the past when when they released new services. That happens, in the Elasticsearch service Yeah. And it's different to the OpenSearch. Yeah. Even if it's under under the hood, it's kind of the same.

Same engine. Yeah. But the the defaults are different. That's why. Yeah.

Yeah. But why? Because you have more or less control. I mean, you they have less or more control on the way they expose the services. Yeah.

And this is going to happen tomorrow with any other concern. Yes. Yeah. Yeah. Yeah.

So that is why I think we have to be, alert. We have a team dedicated to threat detection and remediation Yeah. And new controls. And as as you say with AI, that should make our lives easier Yep. But it's not going to fix everything.

Yeah. Awesome. Awesome. Well, Tony, thank you so much for taking the time to join us on Modern Cyber. We will be back with another episode from the sidelines of Forward CloudSec.

We're hoping to get a chance to sit down with as many people as possible, sharing their perspectives. This is really one of the best opportunities that we have all year to sit down with such a concentrated group of experts. Toni de la Funete, thank you so much for taking the time. Thanks for having me. Thanks for having me.

Protect your AI Innovation

See how FireTail can help you to discover AI & shadow AI use, analyze what data is being sent out and check for data leaks & compliance. Request a demo today.