Episode #316 w/ Kurt Hendle and Cameron Walters from Coffee, Chaos, and ProdSec
On the Agentic Development Lifecycle
This week on the 316th episode of Absolute AppSec, Seth (@sethlaw) and Ken (@cktricky) welcome their guests, Kurt Hendle and Cameron Walters from the Coffee, Chaos, and ProdSec podcast. Together, they dive into the radical transformation of security roles in an AI-driven landscape. The succinct takeaway of this discussion: as the industry shifts toward an Agentic Development Lifecycle (ADLC), the sheer volume of AI-generated code renders traditional manual review gates obsolete. To listen to this episode, go to our YouTube channel or find us wherever you get your podcasts.
Both Kurt and Cameron are veterans of the security trenches and currently hold senior roles at Teradata. Walters specifically brings expertise as a co-leader of the OWASP Secure Pipeline Verification Standard, a framework designed to secure the modern software delivery lifecycle. Their backgrounds are rooted in early mischievous curiosity, from bypassing parental internet controls for World of Warcraft to hardware hacking Bluetooth devices, which eventually led to transitions into professional careers in military systems, consumer electronics, and enterprise security architecture.
“We’re heading towards a world where devs don’t write code. We architect and review code.”
A theme of this episode was the critical transition from human-led code reviews to AI-driven fixes, specifically questioning whether a 30-second AI approval is a productivity win or a “rubber stamp” catastrophe waiting to happen. Ken expresses baseline skepticism, noting that, while developers are already using these tools, a lack of careful review of AI-generated responses often results in garbage entering the codebase. Seth highlights that this is an evolution of a historic problem: developers have always faced review fatigue when confronted with a massive number of pull requests. Kurt emphasizes that while AI can provide 60x the throughput, it often inherits human flaws and introduces hallucinations that require rigorous due diligence to catch. The consensus is that while the gate still exists, AI’s speed is building a mountain of technical debt if organizations do not invest in verifying the work.
“Use AI practically: don’t use it just to use it because that’s how you end up in the garbage-in, garbage-out scenario. So use it intelligently. Don’t use it just to check a box.”
The conversation pivots to a radical shift in how software is built, moving away from the traditional SDLC toward what the guests call the Agentic Development Lifecycle. Cameron shares his own industry anecdotes where engineering teams no longer commit code based on completed features, but instead on 15-minute intervals, regardless of project status. This outcome-driven approach means that the PR—the traditional security hook-in point—is becoming a bottleneck that some organizations are simply bypassing. Ken and Seth grapple with the anxiety of this shift, as the secure SDLC they helped build is predicated on gates that are now being blown up. They suggest that security must shift from a deterministic model to an agentic one, in which security-trained AI agents perform continuous, real-time reviews of the final outcome rather than individual lines of code.
A significant hurdle in adopting these new workflows is the tension between modern AI capabilities and rigid compliance frameworks. Walters points out that many compliance professionals are resistant to AI because its outputs are non-deterministic, making it difficult to demonstrate the baseline consistency auditors require. However, Ken Johnson offers a sharp counter-perspective, noting that three decades of determinism haven’t been working for finding complex logic flaws. The panel concludes that the industry is in a reckoning period where organizations must blend both worlds—using deterministic tools for simple configurations and AI agents for nuanced, complex business logic. For the security professional, the advice is clear: do not resist the shift, as AI is a superpower here to stay, but remain vigilant because the sharp edges of new tech can still cause significant financial and security burns.
This episode is sponsored by DryRun Security. As they’ve developed an AI-native security code scanner, they’ve focused on providing results that won’t send AppSec teams and developers down blind alleys. Their latest blog post introduces a PR feedback feature to speed up your workflows for reviewing commit notifications. Read more about it here: https://www.dryrun.security/blog/security-that-listens-introducing-pr-feedback-in-dryrun-security
As the saying goes, March is coming in like a Unicorn all over. Seems like it’s calling for you to get ready for warmer weather in our merch store. Pick a tee-shirt, and get a size and color for yourself or friends:
Whether you’re coming from our listener base or the Coffee, Chaos, and Prodsec world, come hang out in our Slack. There, you can vent your frustrations about the changing nature of security, or maybe just send a meme or two.
Stay Secure,
Seth & Ken
https://www.youtube.com/watch?v=xy9kB3ShSsE – Ep. #101 - Mike McCabe & Ken Toler: Managing Cloud Security at Scale - In the range of podcast host swap episodes, you may want to check out this episode with Mike McCabe and Ken Toler who, among a range of activities, produce the Relating 2 DevSecOps podcast.
https://www.iheart.com/podcast/1333-coffee-chaos-and-prodsec-309471369/episode/ep-29-ai-appsec-and-the-security-industry-reckoning-ft-absolute-appsec-327283528 – Episode #29 Coffee, Chaos and Prodsec - “Is AppSec dead or just getting a new job title nobody's written yet?” - In honor of the podcast swap Seth and Ken recorded with Cameron and Kurt, you can check out the recorded discussion available on the Coffee, Chaos, and Prodsec podcast.
https://www.youtube.com/watch?v=XNL0Z6R_TOw – Ep. #136 - AppSec Nihilism and Breaches – Rewinding back to a time when AppSec Nihilism was based on a feeling that security would never be solved, and the future was going to be marked by breaches and more breaches. It may be worth remembering that paradigm while the predominant diagnosis is AppSec is in dire straits because it has been solved.
Absolute AppSec Happenings
When an AI agent came knocking: Catching malicious contributions in Datadog’s open source repos – Datadog’s "BewAIre" system recently detected "HackerBot Claw," an AI-driven agent attempting to inject malicious code into open-source repositories. The attacker targeted a vulnerable GitHub Actions workflow via crafted filenames. While the agent successfully executed some commands, Datadog’s internal security controls and AI monitoring effectively mitigated the threat and impact.
Winning the AI Cyber Race: Verifiability is All You Need – Sergej Epp argues that winning the AI cyber race requires shifting from "probabilistic" to "verifiable" security. He reminisces about playing Counter-Strike online at 16. While AI scales attacks, defenders can win by using AI to automate formal verification, ensuring code and configurations are mathematically proven secure. This transition makes defense more scalable and resilient than traditional reactive methods.
Upcoming Events
Where in the world are Seth and Ken?
March 21-22, 2026 - BSidesSF - Watch this space for the details regarding a panel with Seth and Ken taking place in San Francisco in March.
April 7-8, 2026 - Harnessing LLMs for Application Security - IN PERSON at Kernel Con. Come join Seth and Ken in Omaha for the Harnessing LLMs course!
April 26-27, 2026 - Harnessing LLMs for Application Security - In-person training at DEF CON Singapore. Be sure to register now if you’re looking to enhance your day-to-day AppSec processes with the power of LLM agents.
August 1-4, 2026 - AI-Enhanced Secure Code Review: Black Hat Edition - Seth and Ken are bringing a four-day exclusive course to Black Hat. This is an update on the exclusive version of the course offered at Black Hat Europe. Early bird pricing is ongoing, so it’s a great opportunity to get a truly in-depth understanding of Secure Code Review and how it can be empowered through LLM tooling. Seth and Ken have innovated industry-leading trainings in both of these topics, so this four-day course promises to provide a lot of valuable insight.
