In this episode of Threat Vector, host David Moulton, Senior Director of Thought Leadership for Unit 42, speaks with Elad Koren, Vice President of Product Management for Cortex Cloud at Palo Alto Networks. With the 2025 Unit 42 Incident Response Report showing that adversaries can move from initial compromise to data theft in less than five hours, Elad explains why reactive security models can no longer keep up. He outlines how complexity in cloud environments, rising attacker speed, and the use of AI-driven automation have reshaped the threat landscape, leaving defenders little time to respond. The conversation dives into why posture and configuration alone are not enough, how uniting vulnerability management and threat detection eliminates blind spots, and why "peacetime" and "wartime" security must finally converge. Listeners will learn how to build trust between security and development teams, what it takes to truly shift left, and how unifying data and context enables faster and smarter decision-making. For security leaders ready to evolve from firefighting to forewarning, this episode offers a clear roadmap to proactive and resilient defense.
Full Transcript
David Moulton: Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42.
Elad Koren: There is huge importance in looking at things across the board, having the most visibility you can, shifting left with everything you can to reduce the risk for that, for that environment but also being able to protect on the right and -- and prevent bad things from happening. That holistic view is crucial for proper security strategy for any company.
David Moulton: You know, the word proactive gets thrown around a lot in security. But what does it actually mean when you're dealing with cloud environments that change by the hour, AI that accelerates both innovation and attack speed, and teams stretched thinner than ever? In this episode, I had a chance to sit with Elad Koren, a security leader who spends every day bridging the gap between engineering realities and customer challenges. We talk about why reactive models can't keep up with modern complexity, how to unify peacetime and wartime security, and what it takes to shift left in a way that truly empowers developers. Elad brings a pragmatic view rooted in what's really happening inside organizations today. And we explore how proactive security isn't just about prevention; it's about acceleration. So, if you've ever wondered how to get ahead of the next threat instead of chasing the last one, this conversation is for you. Welcome to Threat Vector. I've been looking forward to this conversation. We've struggled to get this one recorded as our schedules keep passing each other, but you made time today. Thanks for coming on the podcast.
Elad Koren: Oh, thank you, David. I was really looking forward to this one. And I was really making the time today because I think this is an important piece that all of our listeners should hear.
David Moulton: Elad, let's start with this question of urgency. Why is the current threat landscape making reactive security models increasingly less effective?
Elad Koren: So there's a -- there's an interesting paradigm that's been going around for a while is, if you have your environment properly configured, posture A, hygiene A plus, you'll be good. But this is not true, and we are seeing that becoming more and more complex, right? The cloud is becoming more and more complex with more services added almost on a daily basis by cloud service providers. It's their way of making money. It's just the way the world works, right? Capitalism. The problem is that it adds complexity. And, as it adds complexity, I haven't found a single organization that was able to maintain this amazing posture. Even if they could achieve it, maintaining it for a while, it's like it's impossible. And add to that the fact that there is someone on the other side constantly working to identify those gaps, zero days, really any potential exploit to be able to then leverage that to steal data, to create potential damage. And, when you add those together, you identify that the threat that we have now, it's real. It's real, and it's becoming more and more real. And, as more sensitive data is going to the cloud because the cloud makes it much more, you know, available and easy and approachable, accessible. At the end, what you get is risk is higher. Availability of attack surface to attackers higher and your level of protection getting lower. You need better protection. This is why we've been -- we've been looking at everything that led us to this point in the cloud, and we essentially got to the conclusion that you cannot just rely on that posture piece. You cannot just rely on making sure that you have everything well-configured in your environment because you can be amazing in this, but the result would still be that your data is stolen because someone got in and you missed it. You didn't have the right protection tools. That is the key to why we've been -- we've been thinking about it differently, right? And I think this is -- it's highly required.
David Moulton: I totally agree. And I want to ask, you know, you're in with customers. You're talking to our engineering teams who are studying the problems that our customers face. What are some of the warning signs that a security team is really stuck in reactive mode?
Elad Koren: Oh, it's a -- it's a good one. The security teams have been going after the security outcomes for a while now. Many of their practices, they fit the old legacy technologies. And, as you start seeing more and more organizations go to a more modern architecture DevOps, cloud-based, hybrid, you see the security teams are lagging. Now, it could have been okay if they had all the right tools for cloud and other areas, but you see how they keep -- those security teams keep on trying to chase the technology of the organization. And -- and you have two trends. Again, you have two trends that are kind of going against each other. The business of any organization wants to move as fast as possible. Cloud is making it possible, and they're trying to adopt more technologies to move faster. But the security teams, it's not serving the business directly. You're seeing situations where security teams need to fight for budget, for people; and they need to prove that they need more people or more technology to address all the risks that the business is not necessarily aware of. I think that is where what needs to be kicking in is the understanding that there needs to be a change. And, when you -- when you look at turnover of security teams, when you look at the size of the security team compared to the business ARR, size of development teams, this is where you can really identify those gaps. And this calls for a few things: either bigger teams, which I don't think any organization wants; or more efficient tools, more efficient tools, consolidation of tools, making sure that you're looking at things in one single pane of glass or being able to pull information from several sources and make better decisions, more informed and more efficient decisions and, ultimately, efficacy of the team. And being able to take the real threats and tie them back to the original point, right, fix them at the source. 
Having all of that would make a security team go from being super reactive, chasing things, having a flood of alerts to actually turning the tables around and then having to go proactively and say, Hey. This threat that I'm seeing, I've already seen how previously when I didn't fix it, it created an incident that I had to run and block potentially. Now I can actually see that. I can prioritize it. That is the way things are -- they should change. And -- and we are seeing more and more organizations that understand that, that understand that this is actually driving the business forward, less risk, more abilities, more possibilities, and ultimately better outcomes.
David Moulton: Yeah. I'm going to keep saying this because it was said by Meerah a couple months ago when she was on the pod. And I fell in love with her framing that security, at least here at PAN, allows her and the CIO organization to go faster. She feels confident that security is a strong brake when something needs to stop, but it allows her to take an aggressive approach to innovation, to development, to rolling out and trying something, knowing that we're never going to go, you know, off the road, off the trail because security is there. And I think what you're saying is, if security can move from reacting to those moments when a strong brake is needed because of innovation to one that is proactively figuring out where the curves are, where the twists are, where that risk is going to show up, that that then allows the team to have a much better outcome. And maybe adding more people, that's more communication overhead. That's more training. You know, that's a division of responsibilities. At a certain point, the added capacity doesn't add necessarily better outcomes. So it's an interesting shift in your -- your strategy and your way of thinking about how to keep an organization moving fast while -- so keeping it safe. Elad, in the -- in the Unit 42 Global Incident Response Report, we saw that attackers are using AI. They're using AI and automation together to launch more and faster attacks, more adaptive attacks. What's the risk if defenders don't match that kind of speed?
Elad Koren: I think everything leads us to where we are today and heading, right. Just go back four years, right. COVID started, and we all -- really, we were at the point where technology pushed us so far, digitization and everything. I think what we're seeing now is that on steroids. And any organization that hasn't built the right processes in place is risking one of two things: either being stopped by the regulator that will tell them, Listen. You messed up. You grow -- you -- you outgrew your capability to protect your end users; and you need to go back to the starting point and just build it all together; or face the consequences of a breach. And I think neither is a desired outcome for any organization. So the reason why here in Palo Alto Networks, and this is why you heard Meerah say that. And I love it. I think it's so true because we did what many organizations are expected to do. We built security into our entire processes, and we did that because we have the right tools in place. So I'll take you back just a few years. One of the things that security has always, always pushed for is to be included as soon as possible in every process of building a product, right? Every business process that leads to revenue, leads to -- leads to growth and success, if you add the security as soon as possible, then you can rest assured that it will not come back at the end and tell you, Hey, listen. You know, all of this, it's great that you got this. But, you know, you have users' information out there explicitly open to -- to attackers to grab or monetary potential, monetary issue because -- because of potential mishaps on configurations on certain areas. I think what we've built now and what we have at our disposal these days is a well-constructed set of tools that are fully adaptable to the operational flow of the customer. That means that they can take it, and they can blend it into everything. I'll give you an example. 
We've identified -- we had a research, and we identified that it takes minutes, minutes between having a secret available in a repo in GitHub open before it's harvested. It wasn't publicly available. It was out there in one of the -- one of the repos, and there was somebody skimming this and -- and taking that and trying to use that. Minutes. It took minutes to get to that point. And I think having that as part of your CI/CD process, being able to block it, being able to say, Hey. I'm sorry. You cannot push it into production because you're -- you're missing a key security practice. It's something even the most outcome-driven developers can relate to. They can really understand why it would be a risk. That would be a risk on them. It would be a risk on the organization. So you start there. And, when you start there, you can really get to a point where you get the trust because that's -- that's what it's all about, gaining that trust with developers that what you're doing is not slowing them down. You're actually enabling them to move faster because they have the right guardrails. And I think I'll tie it back to the beginning. Having the right processes and guardrails is what's keeping organizations today able to move faster because they know something will stop them. You can drive on the road really fast because you know you have all the right security controls in your car. You have the right guardrails.
David Moulton: Yeah.
Elad Koren: You have the airbags. You have everything. You could -- it's proven. It's the same with software. And I think this is where we are at this very moment.
David Moulton: Yeah. I remember talking to Nathaniel Quist on our episode back in September of '24 about this. And he talked about the honey cloud and how they put that credential out on a GitHub repo and just waited to see how long it would take. And, you know, I think off mic we're debating, you know, how long do you think it'll take? And we were giving some guesses. And I'll be honest. I was shocked to find out that it was mere minutes later that it was not only attacked, but people were using it and -- and going after, you know, this -- this honey cloud environment that was set up for research. It's -- it's wild to think that that is the case because it wasn't public. But, you know, people are -- people are able to move so much faster. And, if you make that mistake, you don't have a lot of time to go through and fix that before you've been ultimately compromised in this case. Elad, a lot of people hear the term proactive security, but it means different things to different people. I'd love to start by, you know, getting your definition of what do you mean when you say proactive security.
Elad Koren: To me, proactive security is all the set of security acts, actions you can take to make sure that you're properly secured in face of everything that you may encounter. It can be proactively hardening your entire environment. It can be proactively looking at things, whether or not they're properly configured and working to what you'd expect from either cloud or enterprise environment. I think, traditionally, many people looked at proactive security as the less appealing or, you know, interesting type of security because it's -- it's more of the hygiene and DevOps type of -- type of actions. But I think it's becoming more and more clear that it's -- it's a critical piece in having the right security -- set of security practices in your organization. So I think proactive security is everything you do in peacetime before an attack has happened. Everything. Everything. It, by the way, includes also having the right infrastructure to support the reactive security, right? This is part of their proactive security, in my opinion.
David Moulton: Yeah. When you talk about that hygiene, it reminds me of years ago not -- not necessarily following my dentist recommendations on brushing your teeth, flossing, all those sorts of things. And -- and, boy. Do I wish I had done that, you know, a couple of -- of cavities later. So, you know, I think the same thing for an enterprise but scaled up. When the cavity is -- is found, it's painful.
Elad Koren: I think, when you look at the entire threat landscape, right, when an organization needs to assess their threat landscape, vulnerability management is -- is a subset of this, right? Vulnerability management and exposure management as an expansion of this one is taking the known things that could go bad, right? So they have CVE numbers. They have some assigned MOs and -- and the attack frameworks. The threat detection piece, what threat is broader than just vulnerability. Vulnerability management is a very specific set of things, right? I think, traditionally, many organizations created that separation because it was easy, the different categories, the different ways to look at things. The categories evolved over time. That is where attackers, adversaries became more aware of the fact that, hey. You know, somebody is tracking vulnerabilities here. Somebody's tracking different threat -- threat areas there. And -- and that threat detection was disconnected from vulnerability management piece. And I think what we're -- what we're seeing more and more is how these areas are becoming closer entangled with each other, right? So you cannot really look at the threat detection piece without understanding the context of vulnerability management, exposure management that goes even beyond vulnerability management. For example, a workload; and you see the vulnerabilities that exist on this workload. These are not the only things that you analyze when you need to understand the threat detection piece. You analyze the behaviors of any observed users there or processes that are running. You analyze which environments they can access. You -- you analyze the different connections and the different relationships you have there. 
And that is how you take two seemingly different areas, and you combine them together to make sure that you can leverage one when looking at the other, that unified data plane that looks at everything, looking at threat detection in real time, in production, in the right context of vulnerability, misconfiguration and all the things that lead to it from the posture perspective. If you're not tying those two together, then you're missing a critical piece in that investigation.
David Moulton: So you've spoken about unifying peacetime and wartime security. I got to know why is this concept so important right now?
Elad Koren: The things that we've -- we've observed over and over again with the AI being so common, I think what we're seeing is that attackers are -- and you mentioned it yourself, right? Attackers are leveraging, leveraging more and more and more. It means that, if you're not fixing the peacetime fast enough, it will come back to bite you really, really quick on the wartime. And being able to ties those -- to tie those two together and have that full visibility is a crucial piece in being able to then have better outcomes in both, not just one of them. If you take a look at not just the security that we have today. Take a look at the security in the past. I'll just take one example, right. About two decades ago, I was working for a different company in a different situation. Security was in a very different, very, very different world back then. But, when we were examining transactions over the wire, right, digital banking just started. Protecting digital banking was a key thing in making users trust digital banking more, and it was just the beginning. What we observed is that we can assess the risk of a transaction or anything that is done online. But, if we combine it with the ability to understand if there's an actual threat on the machine of the user doing that, like malware or a Trojan horse, we can have much better outcomes because you can connect those two together. So we've been seeing that in every category of security happening over and over and over again. And this is the time where we need to look at it holistically for the organization. Look at the peacetime and how that connects to the wartime and having that context because things are moving much faster. Things are happening so much faster that, if you're not using all the information that you have at your disposal for automated or conscious decisions, then you're doing partial -- you know, partial job there. And I think we're getting to a point where we cannot afford that anymore.
David Moulton: So let's shift gears again and talk about data. I know that fragmentation is this huge barrier to proactive defense. What kind of data needs to be unified to enable this true proactive threat management that you're talking about?
Elad Koren: Honestly, everything. I think, if I look back at how data science has been done now, you know AI, machine-learning-driven set of capabilities, it was widely known. Garbage in, garbage out, right? So, when you -- when you really want to get to a better set of decisions, better set of, you know, identification, detection, everything, right, even posture things, even that peacetime identification of areas that you need to focus on, it really requires all data on all assets that you have to be truly unified because, if you don't, you're missing a big chunk of information. I'll give you an example, right? So you can look at all of your data. You can classify the data really, really well. You can make sure that you -- you can spot that data asset that has sensitive data, but you're missing all different information on the identities that can actually access it. Or you're missing a piece on the workloads that you're using that can go over. Or you're even missing that endpoint that the DevSecOps or the DevOps engineer has and then can go into your cloud accounts and set up those roles or those workloads. If you're not having all this data in one place and you're trying to create that integration in a very artificial way, I would say, what you're risking is the ability to make informed decisions based on these -- on these datasets. So, when we say that you really truly need unified data layer, you really truly need the unified data layer that -- that you can control and you can update and you can expand because technology moves forward really fast; and that is the point where, having that all in one place in an extensible manner, that's the key differentiator to also future proofing things. So I think, at the end, it all boils down to that.
David Moulton: So I'm going to take a swing at this. As you're describing it, I'm getting the sense that having a gap in the data is like not having the full context. And then, when you're trying to figure out what the problem is or where the threat's at or if it's truly a threat or if it's a false positive, you're missing those key things. And I'm picturing getting a blood pressure reading that says it's very, very high blood pressure; but you're missing the context that you were just, you know, coming off of a 5k. You're running for half an hour; and of course your blood pressure's up, right? You were just on a roller coaster. That context is huge. It's not really a problem. But, if you don't have that key piece of information, the context, then the data could tell you the wrong thing; and you're off to the races to go lower the blood pressure or lower the risk for the business, and it wasn't an issue. And, in other cases, it could be an actual issue. But, again, you couldn't test against it and go, what was this moment before? What was this context? And sometimes it's good enough to know blood pressure is high. That's a problem. But not always, and that's where that -- all the information. I think when you said that, I was -- I was a little like, wow. That's a lot. But, if you can bring that in, then you can get to that full context. Anyways, that's my swing for the fence of kind of playing that back. But does that seem right as a way of telling this story?
Elad Koren: Yes. And I think -- I think you're spot on. It's funny when you just started talking, and it was the exact same analogy that came to my mind with, like, maybe pulse and running and basically the same.
David Moulton: Yeah.
Elad Koren: Exactly the same. I think that the key here -- and, when you're looking at these things, when I say everything, it's not, like -- I mean, data can cost money, right? But --
David Moulton: Sure.
Elad Koren: Truly, like, think about the different things that you can -- that you can do that you're not even aware with the data now. And -- and being able to use anomaly detection, AI-based capabilities in systems because you collect the right set of data, and you -- and it's all stitched together, I think this is, just like you said, informed context-based facts that you can derive on your environment. Just one more thing I'll say about this one. If you could take, for example, a potential incident that you're investigating now and you could understand not just what the user is doing or what the potential attacker is doing, actually, what it can also do across your entire estate, right, moving laterally in your environment, being able to then take control, that level of assessment is only available if you truly have the data properly connected and properly collected in your data lake, right? Being able to also not just analyze what happens now but what can potentially happen later, that is a huge thing.
David Moulton: So, ultimately, proactive security is about shifting left. Getting ahead of the threats before they manifest. How do you guide CISOs and security leaders into making that shift in their organizations?
Elad Koren: When we're coming from our own story, right, and we are sharing our own experience, I'm saying, listen. Part of actually going through this is gaining the trust of the developers, right? We, as security people, we need to gain the trust of the developers that what we're guiding them through is not just throwing them off. It's not slowing them down. And that comes with actually providing the right real evidence, real proof. So they need -- those security practitioners, they need to feel empowered to go and chase this one internally and make sure that their processes are actually adapted to that new level of mindset where you can go as left as you can or as left as you should. It does not come with just a statement that says, Trust us. It'll work. No. It needs to come with data. It needs to come with evidence. It needs to come with you need to fix this because this is the risk. Being able to highlight the potential risk if you're not doing that properly or the actual result of not doing that previously, right, even that highlighting the secrets that -- that were found or the vulnerabilities that weren't blocked on the CI/CD pipeline, these, by themselves, are great proof for those security practitioners to go then talk with the developers and tell them, Listen. Just take a look at that. This is the threat that we're adding. And they get it, right? They get it --
David Moulton: Yeah.
Elad Koren: -- because it's their day-to-day job.
David Moulton: Elad, once again, I get the advantage of being in the interview seat where I get to learn from somebody who's so deeply knowledgeable about this, and I come away with it. I hope that this was a fun podcast, a good conversation for you. And thanks for coming in, talking to us about this urgent need for proactive security and the need to really shift your strategy away from just react as fast as possible to giving yourself more time by shifting left.
Elad Koren: No. Thank you. Thanks for the opportunity, and I enjoyed it very much. And -- and thank you for making this happen.
David Moulton: That's it for today. If you like what you've heard, please subscribe wherever you listen. And leave us a review on Apple Podcasts or Spotify. Your reviews and feedback really do help me understand what you want to hear about. I want to thank our executive producer, Michael Heller; our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Mix and original music by Elliott Peltzman. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.