Learn more about how enterprises confront agentic attacks → https://ibm.biz/~whT3B0eVk

Sophos let OpenClaw run wild on its network (sort of). It wasn’t as bad an idea as it sounds! 

With a few guardrails and restrictions in place, the security software firm turned OpenClaw into a serious little pen tester, surfacing “23 actionable, high-quality findings.” 

But is this a sustainable model for introducing AI agents to the security process? And how do we deal with the inevitable friction between a model meant to find exploits and the guardrails telling it to do no harm? 

This week, host Matt Kosinski and panelists Claire Nuñez, Dave McGinnis and Kimmie Farrington discuss the wisdom and folly of letting an AI agent pen test your system. 

Plus: We dig into Bruce Schneier’s thoughts on “security in the age of instant software” and a report from CipherCue that ransomware is growing three times faster than security spending.  

All that and more on Security Intelligence. 

Segments: 
00:00 – Intro 
1:07 -- OpenClaw as a pen tester  
14:23 -- Cybersecurity for instant software 
25:36 -- Ransomware outpaces security spending 

The opinions expressed in this podcast are solely those of the participants and do not necessarily reflect the views of IBM or any other organization or entity. 

Follow the Security Intelligence podcast on your preferred platform  →https://ibm.biz/~Ypv3rQ7si

#OpenClaw #AIAgentSecurity #PenTesting

IBM Technology

IBM's Security Intelligence podcast panel discusses Sophos's experiment using the open-source AI agent OpenClaw as a red team operator on a legacy on-prem network, where it found 23 actionable findings. Panelists debate guardrails for AI agents in security workflows, the security risks of AI-generated ephemeral software that may never be properly decommissioned, and a CipherQ report showing ransomware incidents grew 30% while security spending only grew 10%. Key takeaways: security teams should lean into AI tooling now before attackers do, human oversight remains essential, and spending more doesn't automatically improve security posture.

Should you let OpenClaw pen test your system? Plus: Cybersecurity for ephemeral software