62. The 4-Hour AI Scam: Hackers steal millions—and no one sees it happening

Hello, everyone, and welcome to another episode of the Security Podcast in Silicon Valley. I'm one of the hosts. I'm joined today by the other host, Sasha Sienkiewicz, and we've got an amazing guest for everyone, Rod Schultz, the CEO of Bolster AI. Welcome to the show, Rod.
Hey, guys. Thanks for having me. Super great to be here. Welcome, Rod.
This is not your first time here. Welcome. Welcome back to the show. Welcome back.
Just for all of our listeners who may not have heard your previous show, our paths crossed a little bit at Apple. Well, maybe crossing our paths at Apple is overstating it just a pinch, but we were both part of their iTunes security team. So yeah, you've got a little bit of engineering in you. A little bit of engineering, yeah.
John and I both worked on the FairPlay team where back in the early 2000s, Steve Jobs was putting together a team to prevent people from stealing music and movies, kind of help recover the recording industry from the impact of Napster. And I feel like what we worked on, John, like when it came to encryption and key management and basically enforcing business models is kind of starting to come back around a little bit with artificial intelligence, large language models. And the question is like, how do you monetize data, right? At that time, it was how do you monetize videos, video and audio from a production of, from a music studio or a movie industry studio.
Now it's like, how do you monetize data in general that's getting sucked up into these large language models? And it's a fairly common ground at this point that we will be running short on data, on valid data pretty soon, or if we haven't already. Yeah. I mean, right now it's like this insatiable appetite for these large language models because they're reaching this wall in some ways.
I'll go into some of the things that I think are interesting and unique with our competitive advantages at Bolster because we do use AI and large language models for what we're doing. But yeah, in general, I think there's a very new, a new question out there, which is again, how do you make money in this world? It's turning into a data land grab. And if that's the case, then how do you reward the people that actually created that data?
So back in the days you mentioned at Apple, you guys were on the same team, essentially protecting the data, the digital rights of the creative content that musicians came up. It was the whole purpose of the encryption that was slapped on top of the iTunes. What do you see today in the market? What's the biggest concern of the organizations or individuals or enterprises?
Where are they looking for a super accurate data? I think it really comes into like, one is the data trustable. So I think someone's got to sit there and make a decision on how trusted is it. That trust is, you know, context dependent.
And then the source of the data starts to become interesting. When they get data, Adobe has some very interesting things that they're doing, which was the Content Authenticity Initiative where they can stamp an image as being created by a camera, with this GPS coordinate, by this photographer. And then you can track and trace the credentials that go along with it along the way.
And I think you're going to start to see some interesting overlapping intersection with different tools and techniques that are used to try and get back to a trustable state. And I don't think there's going to be any one single killer app that's going to do it. But a lot of, it's kind of top of mind for people. I think the challenge right now is that it doesn't cost anyone anything for doing something untrustable or false or fraudulent on the internet.
And this is really where Bolster, the company that I joined as CEO back in October, really comes into play because there's no cost for misinformation, disinformation, and fraud. Large companies that are effectively B2C. So any large enterprise that has a large consumer buyer needs to try and defend their brand from the illegal usage, the fake usage that's effectively stealing the attention away that the brands spend so much money to develop and create.
And then as an attacker, I come in and I can steal that attention for pennies on the dollar and utilize it for a quick buck, ruin the reputation of the brands, and then turn around and just do it on the next weak-legged gazelle of the herd when it comes to an insufficiently protected brand. So that's what we're looking at. We kind of call this area of attack the shadow attack surface of the brand or of the company. And that attack surface is directly proportional to the size of the brand, the size of the assets under management, and in some ways about the quality of the reputation that that company has with its consumer buyer.
And hey, listen, every single marketer, CEO, enterprise leader aspires to have a large brand, especially if they're selling into the consumer space. And if that's the case, then there's going to be a corresponding cost to that. And that's that shadow attack surface. So in other words, there is a reputational cost of not doing something about the misinformation that might be out there.
And with the modern technology, including the large language models and the hot word of AI, the process of generating invalid content is so much cheaper and so much easier to do. Hence, there is a need for the corporations to build a control that will protect from that misinformation. Yeah, exactly. There's the ease of creation.
There's the ease of optimizing and making it incredibly pinpoint accurate for your target. Like one of the conversations I had a couple weeks ago with my team was I was comparing the brand protection space and the brand security space that we're in to the art market. And what you have now is you have very low cost, perfect, like replicas of artworks that are being thrown at customers. And they can't tell the difference.
So in the art world, we have the buyer and the seller. And in the phishing and the fraudulent email world, we have the sender and the receiver. And the job is to trick the receiver or the buyer into thinking they're getting something authentic when it's really not. And then right in the art world, it's take the cash.
In the fraud world, it's, hey, can I get them to give me their credentials? Can I get them to give me their personal information? Can I get them to divulge access to maybe their bank account or their credit card? But there's a lot of similarities.
So the ability to create that fraud is wildly. It's getting simpler and simpler. And the distribution techniques are optimized, right? The internet is such an amazing distribution engine.
And the attackers that we see today can spin up infrastructure very quickly. They're very good at evading detection capabilities and mechanisms that we have in place. And we're seeing a very interesting cat and mouse game. I mean, to take it back to like the beginning of this conversation, John, at Apple on FairPlay, it was always this like question of like, how long was it going to take for someone to reverse engineer our correction techniques that we pushed out for protecting music and movies?
In this case, it's how long is it going to take an attacker to try and go around our defense mechanisms or our detection mechanisms to get to the victim? Yeah, that's really interesting. You're mentioning fraud. You're mentioning these attackers taking advantage of all of the great brands that we've built out there, using them for nefarious purposes, for fraudulent activity.
What's the most common type of fraud that you help identify and take down? I would say it kind of goes into a few buckets. Number one, the easiest thing to do is to create a fake website. And so let's, for instance, if the website, if we're trying to protect like a brand, like let's say like Nike or something as an attacker, you're going to try and like get like any kind of misspelled version of Nike.
These are called typosquats or misspells. And then you just, you learn. And so they will grab those DNSs and they'll sit on them until, Hey, there's the Olympics are coming up. A lot of people might want to be going to that website and let's spin these websites out really quickly.
We see this also in the entertainment space where you'll get, let's say a performer who goes all of a sudden announces their tour. And all of a sudden the tour then pushes all the new marketing material. The URL goes up for pick your favorite brand or band or performer tour2025.com.
And then people make mistakes as they, as they type that in. And then the fraudulent empire is like all over the place, just waiting for unsuspecting people to look at these websites. They're exact duplicates of those websites. And people make a mistake because they're trying to buy merchandise really fast before it sells out.
And it doesn't sell out because it's all fake. The other technique that we see a lot is with phishing. Of course, it costs nothing to create a sophisticated phishing campaign. It's effectively like running a marketing campaign at this point.
You just have to pick, pick the type of victim you want to go after. Make a decision on how gullible they are or how, how easy it is to dupe them based upon current events or something else that's happened. And then the race is on to see who can monetize that fraud the fastest. And right now these phishing campaigns, as kind of funny as they are, when you look at them, they're getting more and more sophisticated.
They're getting really more and more difficult to differentiate between something that's real and something that's fake. Yep. Consumers are really paying the price. How do businesses deal with this type of attack today?
The phishing campaign, the clones of the website, it's not really a new attack. But as we discussed, it's just becoming so much easier. You can use V0 and a bunch of other tools that will clone the website for you. And you can just spin it up so fast and almost instant.
What do companies do today to battle that fraud? Unfortunately, what we see is ineffective public service campaigns, which it's like, hey, if you see this fraud, report your email to the Consumer Protection Bureau. I mean, it's almost like when you walk around the airport and they're like, if you see something, say something, which is like, okay, it sounds good. It's almost like a checkbox for the PR team to say, well, we put up a website, a page on our website that says, hey, be aware of phishing campaigns.
But it doesn't do anything to actively get out and protect their customer. Because you depend on people identifying that this is a fraud. And then you depend on people to report it. But as we know, the percentage of that final report is very low.
Yeah, the reporting is very low. We do have a new product we just released, guys. It's called AI Security for Email, where what you're talking about, Sasha, is the abuse mailbox. So we work with larger companies who their customers do get a lot of email fraud.
And they published an abuse mailbox. They basically say, look, if you see someone trying to create a phishing campaign with our logo or our stuff, please send those emails to phishing@whatever.com. They'll then hand those emails over to us.
And we will then go through and process them. We'll kind of dissect them into pieces. And we do a lot of interesting kind of dissection and deeper inspection of the URLs and the boxes that are attached to them. And then we'll go out and we'll take down and destroy the infrastructure that hosts these phishing campaigns for those companies.
And that has turned into an incredibly powerful tool for us to provide to the customers because it's accurate. The customers are forwarding us these emails. And like, so for we have a couple of companies, one, they send us 30,000 emails a month of which 56%, I believe, around that number are actually like true fraud. Some are like, hey, campaign donations or whatever, things that really aren't fraud.
They're being forwarded to us. But 56% are legitimate fraud on that brand or for that logo. And then we go and take that down. And that has been an interesting way, Sasha, for us to take action on top of the signals that we're getting through those email campaigns.
Because if I'm running a company and I'm responsible for marketing and I'm responsible, if my organization is large enough, I'm responsible for the fraud and prevention. What steps do I take today without Bolster? Is it a lot of manual steps that I have to follow? What would I do?
Honestly, I wouldn't necessarily know what steps I need to take. Yeah, then that's the biggest problem is outside of trying to send out press releases or banners across the website saying, please look out for this new phishing campaign, or please look out for these new websites that are popping up with our brand and look on it. There's almost nothing you can do. I mean, kind of the example is like, you can protect what's inside of your house, but you can't prevent bad things from happening in your neighborhood.
And what Bolster really does is we go out and we scour the web on the outside of the enterprise. And we look for that data, gives us an indicator that fraud is happening and abuse is happening. And we take that down so they could spin up their infrastructure, Sasha, in order to do it, to go out and do the searches, or they could leverage Bolster because this is what we're designed to do. That sounds really helpful.
You'll actually go out and take down these fraudulent sites, these malicious sites, these sites that are stealing the brands, the reputations for some nefarious purpose, Bolster's customers. Yeah. And that, that turns into a really interesting back and forth between the hosting provider and Bolster, because we'll come to that with a dossier of information and say, we can prove this as fraud. And some of them are really fast when they're like, awesome.
Like we're going to take that down and they can take that down in just a matter of like minutes. Yep. Others are slower. And this is where like some of the subject matter expertise that we have at Bolster comes into play where we can do that negotiation with that hosting provider or that DNS provider pretty fast based upon playbooks that we have, but also a lot of information and data that we've acquired and accrued over the last five years.
And we can make a very, very fast claim to say, no, we're going to prove it's fraud. We're going to show you the history behind it and explain to you why it needs to be taken down and it's nefarious. But that ability to resolve it quickly for the customer is foundational to what we do. Very nice.
That's no, it sounds like a great service. Like it saves a lot of people, a lot of time, a lot of headache and including the, in the legal department too, because I bet a lot of that just goes back to understanding how to navigate different legal like frameworks or the laws in the different states, depending on like where something might be hosted or even if it's outside the country. Yeah, 100%. You kind of get this scalable kind of apparatus for legal, this scalable apparatus for trust and safety, this scalable apparatus for brand security, where we scale based upon the size of the attack.
These attacks are bursty. They don't come at predictable times. And so it's really hard to say, look, as an enterprise, I want to pay for a team of three people or four people to always be looking for this stuff. So we automate these things a lot for them.
We make it very simple for them to, our service can be turned on within 24 hours, sometimes faster than that. And then we can scale up and meet these bursty like phishing storms or these fraud storms that come out of nowhere, push them back. And then we're there and ready and waiting for when the next one comes along. So for the new email product, this one is a little bit more correlated to activity happening over email.
Yeah. What were the indicators? What was the signal that you saw from the market that nudged Bolster to move in that direction? People were, I mean, you kind of, your customers are kind of the first ones that will tell you what to build.
And so we started to get a lot of signal that this was an unsolved problem. They felt helpless in many ways, kind of brought up like, what are they supposed to do? And the challenge is that the enterprise doesn't own the inbox of the consumer. So, and a lot of them were trying to say, Hey, please send us these fraudulent emails.
The problem was like those fraudulent email inboxes were just starting to stack up and they couldn't process the queue fast enough. So we worked directly with them on a couple of key customers that get a lot of fraud to say, okay, well, what is it? What would you like us to do? What would be good for reporting back the useful insights and analytics that give you an idea of the pulse with the assumption of like, you can't control the supply of fraud, right?
But what you can do is you can control how it's consumed and you can destroy it the minute it comes up with the assumption that it's going to pop up somewhere else. And what they're really looking to do is divert the attention away from their brand and push it onto the brands that aren't doing this. So as we start to battle back these phishing storms for our customers, we're starting to see through other mechanisms that we have to measure data in the system that they're moving to weaker targets that aren't using us to protect them. I see.
I like the analogy of a storm that you're pushing back on that, the phishing storm. I've always thought of some of these campaigns and like external vulnerability scans that just sort of happen across the internet. It's just part of what happens on the internet. It's just there.
It's always kind of like the weather. Yeah, it's the weather. Yeah, it's the weather. We essentially have internet security weather.
Yeah. And the crazy thing is the weather is being manipulated with very low cost. People that want to organize because they just need a small percentage of the victims to click all the way through. And they're controlling the weather based upon infrastructure that's very cheap to set up.
In fact, we did some research. It takes less than four hours to set up an effective phishing campaign where you have to create the website, you grab the URLs, you set up the servers, and then you create the crafted phishing emails with the hook of like what you're going to do and to redirect the victim to the phishing site. So within four hours, you can effectively change the weather. Now the question is like, okay, if you're going to be a responsible protector of your enterprise, you need to be protecting against these things because they come out of nowhere.
So from the business point of view, the incentives are huge. You piggyback right in on the existing brand's marketing machine and your returns on investments are huge because it only costs you four hours of labor to deploy a clone and then you can craft an ideal attack and off you go into the races. Yeah. The future of fraud, the advantage is in the fraud creator right now.
And it will probably, it'll probably like the pendulum will swing even more into the favor of the fraud creator. And then the precision starts to like, because what they do is they make them more and more precise based upon stolen data. And that data as healthcare records are divulged and as cell phone records are divulged, you get some really fascinating things. I mean, even me over right before like New Year's, I got a text and it was like, and of course they know I live in the Bay Area because I have a Bay Area zip code area code on my phone.
And they're like, look, if you're in the FasTrak lane, you need to prepay the tolls for this weekend. And you need to click here and for literally for a second, I was like, oh man, I thought I paid my FasTrak. And then I was like, I'm just like another, I'm just another victim. I'm just another guy with a sophisticated attack.
It's happening through just a little bit of information. One, they knew that I was probably living in the Bay Area based upon my phone number. They knew I was probably traveling because that's the travel season. And they knew that if you travel up 101 in the Bay Area, that beautifully FasTrak lane we have is a huge advantage when, when the traffic starts backing up and you want to use it.
And it wouldn't surprise me if a lot of people fell for this one. Yeah. That's really interesting. I bet like as AI becomes more sophisticated, as all of our publicly available data is scraped and thrown into these models.
You can have some very convincing fraud at scale, which is probably something we haven't seen ever. But thanks to some of this new technology, I'm grateful that companies like Bolster are fighting back against that massive problem. Right. Yeah.
We're trying to, I mean, we're trying to fight the good fight guys on, on this one, because I think the magical combination John and you're talking about is, Hey, I'm, I'm an attacker. I'm just going to buy a bunch of data. That's going to give me the context I need. I'm then going to match that with software that I can effectively get at very low cost.
So the ability to automate it, to scale it, and then to distribute it is just there. And it really sucks for a lot of these, these people because they're falling prey to attacks on the brand that are making them unhappy with that brand and causing them to turn away from the brand or causing them to reevaluate whether they want to have a relationship with that brand. So, so we know that you've only been with Bolster since October, October, 2024. And it already feels like you have like your, your teeth like sunk so deep into this problem.
Would you like to share with our listeners, maybe the proudest moment that you've had so far in your early? So doing it like, like reviews with customers on the ASP here for email has been pretty incredible to listen to them, kind of tell your story for you. And, and just the excitement that they have on, this is really cool because for every X number of emails that we got, there's probably a thousand X out there that, that we didn't receive. And the fact that they're actively taking a proactive and concerted approach and attack to remediating these has been really neat.
That kind of has grown into other conversations of like, well, what more can you do for us? What more can you build from us? Sitting down with the security operations teams. So I've done some, some deep dives with some of the customers and having them explain how they use our web product, our social media product, our dark web product, but how they connect the dots and build out the stories and how we're foundational for that is really inspirational.
And I love how Bolster is becoming almost the central hub in some ways for the collection of data. And then the ability to take that data, package it, and then move it into another tool that they're using for their SIEM or for their attack surface management tooling that they're doing. That's been really fun. I think in general, also just meeting the rest of the company, the team, watching them grow and seeing the excitement on people's faces as we start to win some of these accounts and really, really needs.
I love that those, those best moments always come back to people. Yeah. And, and just, and most of the time I've been here, it's only been about a little over three months. There's been some holidays mixed in between, but I've hit the ground running pretty fast.
It's very obvious. The problem is not getting better. The problem is only getting worse and that there's a lot of interesting opportunities in fraud protection to, to really go after the heart of that. As you, as you talk to your customers, to your existing customers and future prospects, where do you see fraud evolving in the near future?
Past like the level of sophistication, Sasha, like we've spoken about, we see it moving more and more into financial because of the ability to, to move the money. We also see it moving a lot towards Web3 because Web3 is designed to put money on rails and to just suck it from one location and move it to another. And then we're also seeing interesting tailwinds for fraud. We want to say that as content moderation and fact checking is, are being pulled back.
The ability to convince people through social media accounts to jump from social to a phishing website is getting easier and easier because no one's going to see it. There's a lot, there's fear of your people who are, who are catching it and say, pull that down. That's wrong. And so.
Didn't matter. Pull the plug on content validation. I saw they recently made a statement that they will no longer be doing fact checking or something along the lines. Yep.
So all of those are contributing to what I call the information asymmetry of, of like receiving information or, or reading information. Like if I, if I get an email from you, right, there's like in general, because you sent it to me, the sender knows more about me than the receiver. Right. Probably me as the receiver.
I have this like, like misnomer here where there is no information asymmetry. Right. That like, oh, because Sasha sent me an email, he knows me. But the problem is like inbox is open.
The web is open. So it's like, Hey, if the assumption is like, Hey, I'm on a website. It's, it's trustable, right? It's being hosted on meta.
It's being hosted on X. Like those platforms are trustable. And that trust basically trickles down to the content or the trust trickles into the email inbox because I received it. And that person knew how to find me.
And all of this fraud capitalizes on that information asymmetry. And the ability to say, well, I know more about like the receiver than the receiver knows about me. And so my job as an attacker is to fool them into trusting them some information or to performing an action that seems innocuous. It turns into this domino effect of usually like something being moved from, from the receiver back over to the sender.
So it's a, it's a form of fake social validation. Should I make enough noise about the fake resource that was recently created that builds the trust with the potential consumer of that fake content and the rest is the history. Yeah. These influence campaigns have been done by psyops people in the military for decades, right?
Whether it's to like radio stations being broadcast in, in war zones from one side to the other, fake information, propaganda campaigns. We've now taken a lot of that sophistication and we've, it's been handed over in a way more powerful way to organized crime. And, and they're like the amount of money lost on fraud each year is like in the trillions. Like it is insanely, like the number is only getting bigger.
And, and as the numbers go up more and more players move into the markets. As the CEO of Bolster, what's the hardest thing that you've had to do yet? The thing, the hardest thing right now for us, John, is deciding what not to do because there's so many interesting projects because we use large language models and small language models, the training costs are high. So I'd have to make this, this assessment a lot, which is how much money do we move into advancing our models, training new models.
Every single customer we bring in, we train a model to, to go out and look for illegal usage of their brand and their likeness and, and their, the concepts that they push out on their websites. And then that's the current space we're in today. Now it's okay. Well, where is the fraud market moving?
The questions that you guys were asking and how do we parlay our expertise and our, our competitive advantage in fraud to solve adjacent problems. That aren't necessarily just on the outside of the enterprise, but can we solve, can we take some of the insights that we were getting from this data and use that to, to solve interesting problems that are happening to the enterprise themselves? Because these attackers and disorganized crime, they don't just go after consumer. They also go after enterprise.
And so there is crossover between those two worlds. The question is like, well, when does it happen? How does it happen? How do they perform the attacks?
Who are the players and, and can we create some sort of heads up to, to warn enterprises? The storms that are being created on the outside will eventually migrate their way towards sophisticated attacks on the inside. Almost like a, a map of the internet with storms moving through and you could see them affect different customers that you're servicing or Bolster. 100%.
That's exactly right. And so that, I would say that's probably the hardest thing because we want to, we want to build better products and make them more amazing for our current customers. And for the ones that we're, we're talking to right now, we also, we need to evolve. And this is, I've never seen technology move faster than I have with it over the last, basically since ChatGPT was released.
It changed the world. Bolster was using large language models a couple of years before anybody else. People thought we were crazy. The security community did not embrace them.
They thought it was completely hocus pocus and witchcraft. As you can see, things have changed and the world has been flipped upside down. So while Bolster may have helped flip the world upside down with our early use of large language models, we still have to like adjust and understand how we ride the waves on through these new, these new world. So the space of fraud market is, is quite interesting.
You have a community of fraudsters that are connected, that are interconnected, but then on the receiving end, we have enterprises and companies that are left to fight this wave of well-crafted attacks by themselves. And we're not really talking to each other, not as much as the attackers do. So there is a little bit of asymmetry of the information and collaboration. What's, what's your stance on this?
Yeah, I think you're spot on Sasha with that, which is the attackers organized better than the people that are being attacked. That is really shocking that we're in this situation and it happens time and time and time again. So that is an area that we're starting to investigate to provide better threat intel based upon our data and data we can get from partnerships that we're working with. So we're starting to see some early opportunities with collaboration because you're kind of fighting similar enemies here.
I mean, we saw this pattern with Bugcrowd. We've seen this pattern with a lot of these companies that are out there that help create some of this wisdom of the crowd that can, because the attacks are universal. And we're looking at some of those opportunities as well. I'm, I'm super curious.
Maybe you could help us see someone in your life that has really been there with you or for you. Maybe it's been a little bit of a mentor, someone who has had the greatest impact on your life or maybe your career. Interesting question. I don't know if I can say there's any like one person I can point to a few things, maybe not people or maybe some people along the way that kind of popped out.
Number one, one of the reasons why I left Apple was when I was learning an insane amount there, but Apple was really happy with me becoming like a sharp edge for Apple. And I really wanted to understand what I could do and how I could evolve and grow. And what that led to was me leaving Apple and going to Adobe. And when I went to Adobe, they had something called an innovation bootcamp where they would take anybody who was interested and they would show them what innovation was and like, how do you productize innovation?
And they, Berkeley, I took a ton of classes over at the Haas Business School where I learned strategy. I learned how to pitch. I learned how to negotiate. And having that opportunity.
And I really feel like Adobe allowed me to kind of spread my wings in some ways and learn and not just get better at content protection and cryptography, right? And key management, all the things that we know about that Apple was really focused on, like security and things. But to step back and kind of transform from like how to solve something to why are you trying to solve it? And that transition from like going from the how to the why was so eye-opening for me in many, many ways.
I would say that's been really helpful. The first startup I went to was called Rubicon Labs. I got recruited out of Adobe to go there. And Richard Yegan, the CEO, was really fantastic when giving me an opportunity to hear my, have my voice heard and to have an opinion and to encourage me by saying, hey, listen, like the questions you're asking and what you're presenting and how you're framing the story here is actually like very impactful.
Keep doing it. Keep driving. Keep pushing because your strategy is going to have an impact on this company. And for me, that gives you the confidence to be in a room with a few people or on your own and be open to like testing out an idea, be willing to have it swatted down, but not having that impact your confidence level.
And so those things, and there's other events in my life that have contributed, were really foundational for me to go. We spoke about a little bit. I came out of the engineering world. And in the engineering world, it's really down.
I mean, I was designing protocols for Cisco, right? When I, in the operating system for Cisco routers and switches, when I first came out of school, very different than trying to raise money with a VC or have a pitch to a board or close a customer or present on stage. And so that, the evolution of those skills and those stepping stones along the way, and there, there've been many others were foundational for me. Yeah.
And it's incredible. The shift from the how to the why, like both incredibly important, different, very different stories. No, thank you for sharing. The, I'm really curious, speaking of our backgrounds, if you could go back in time and meet your younger self, would you, and would you have any advice for your younger self?
I mean, of course I would, because I'd give them stock tips. Buy Bitcoin. Yeah, biologically, I think, yeah, I would, my, yeah, I think my advice would be, there's going to be ups and downs. Keep learning from the pain, but don't take it so personally, maybe in some ways, but be some of the advice I would have.
And try and separate out the emotion from the learning, because especially when I was younger, I mean, the story I tell people was when I went, so I, my first job at a school was Cisco, from Cisco to Apple, Apple to Adobe. And I'm in meetings at, at Adobe and I'm like, I'm screaming at people and they pulled me aside and they're like, well, what are you, what are you doing? And I was like, what do you mean, what am I doing? Like, these things aren't getting done.
Like, I think this guy doesn't agree with my opinion, whatever. And they're like, yeah, you can't do that. It's like, that's not how you can convince somebody, right? Through raw emotion.
And when you're raised by the wolves and Cisco Systems in the late nineties was like, we would do tweet reviews where we would go line by line. People would just print out all the code and they would go line by line and they'd be like line 97, like you're a moron. Like that's not an exit condition, right? Like, and, and like, literally it was like, it was just like death by a million horrible comments in these code reviews.
And Apple was a brutal place as well. During, we released iPhone, we released Apple TV at the time, the iTunes store, the app store, all these things. Like it was hard. So you take that emotional baggage and you start, you know, you start to create the knives to like, to attack people with.
And I think that I would remind myself early on that like, the job is to learn. It's not to inflict pain back that I think a lot of people take like, well, hey, it was painful for me. Now I, now I must make it painful for you. So that would be some of the advice that I'd probably give myself.
No, I love that. I guess looking into the future and with a growth mindset, what legacy would you like to leave? Or which legacy do you think Bolster can leave? I think from like, so I'll touch on the first, like, so for me, my legacy is if I wasn't, if I wasn't doing this, I really love teaching.
And I love just watching people gain insights on things. For me, the ability to watch someone learn an insight is magical, especially when it's a powerful insight that can shape business, can shape career, can shape education. That is incredible. And I mean, I've, I, you can have insights on, in physics and chemistry and math and whatever.
And so I, I really love, I would love my legacy to be that I had an impact on people, their ability to, to learn, take the insights from that learning and then turn it into, use it for positive growth. Not necessarily just like revenue generation for a company, but potentially good choices for career, good choices for life in general. The legacy for Bolster is, it is early days in the information warfare game of fraud. And there is a lot more of opportunity that's out there.
It's our job as a company to test out these hypotheses on like how to combat fraud in a cheap way and learn and grow and do that over and over and over again. My hope is that when we go back in five years, we are, we, we, we put the stamp on, on fraud. We put the, put the stamp on fraud protection, the ability to combat it, the ability to spin up defenses just in time or persistently and to scale against the fraud. And then eventually to start taking that fraud down based upon threat intelligence insights and the ability to weaponize the data sets that we're starting to build on top of.
Nice. I can just, I see it perfectly in my mind. When I step into an elevator, there's two strangers in them. I don't know who they are.
They're having an intense discussion around like, oh, how do we deal with this fraud? Like, oh, someone took advantage of our logo to get that clicks. Oh no. And then one of them turns to the other and says, oh, it's easy.
Let's just use Bolster. Did we, did we sign them yet? That's our first Super Bowl commercial actually. That's the, seriously?
Yeah. We actually took the entire budget. This is why the company did not might be Steve. They were all of our runway and we're putting it all on the Super Bowl.
Just, just, just, this was not staged or anything like. No, there's going to be an ad for like a financial institution. A Pepsi commercial followed by Bolster. And, and we'll probably go out of business the next day, but we're going to make a really big impact.
1984 won't be like 1984. That's exactly right. Nice. Well, we have a ton of entrepreneurs that listen to the show, especially in the security space.
I would love to have a little bit of a leading question for you. If you don't, you don't mind. Like what's one service or product that you wish just existed? A pain point that you've had maybe for a while, maybe that you have at Bolster that you're absolutely willing to put money to solve that you just wish would go away already.
Any, anything come to mind like that? Like, so if I could give, like put an ask out to the entrepreneurs in the world to go, please build me this product. Yes. Interesting.
I'm not sure if anything, I mean, from a security perspective, we're always trying to connect the dots on data, John. And get better traceability on data. Traceability. Understanding where it was generated, where it's going, flag it, kind of be trusted.
And like, there's all these data governance tools. And like, the problem is like, it's like, well, where do you connect your, your, your tracking information to this? Is it the database level, right? This is what Snowflake is trying to do.
Databricks is trying to do. But I, I, for, for me, we have like, in, in general, we struggle with networking infrastructure, understanding the data that's generated there. Where does it move? Has it been, you know, transformed, repainted in a certain way to, to hide.
And that whole, like, maybe secure data operations. If I would, if I'd use that term, which I don't know if I've ever heard that term before, but secure data operations is, is front and center for us. Maybe the hyperscalers would be the ones to start providing that. But I do feel like there's, there is, it's an unsolved problem along with the identity of, of who created all that information.
I wish I, the, the, the product manager in me is like, that's a car. Like, give me a, give me a finger PRD, right? Well, I mean, I guess that's up to the entrepreneurs, right? Yeah.
Yeah. Sharing a little bit of the, but I, I mean, look, as, as more and more compute gets shifted to the cloud, right, there is like, there is proportional to the size of the security problem. Locked down data is, is unusable, right? There's a reason why the Fed does not want you to put your money underneath the bed, right?
It's, it's not usable, right? Like data needs to be like used, right? It's been motioned and it needs to be in use in transit, right? Rest.
You can start to see interesting opportunities for homomorphic encryption, for, for data comp combining and data sharing in, in, in interesting ways. I think a lot of the, the DRM challenges that we were trying to solve back in the day, in the early two thousands or mid two thousands are going to rear their ugly heads again in so many ways, secure execution environments, things like that. There's, there's a lot of, there's a lot of data in general, and there is a lot of noise in the data. You guys are on a mission to identify the critical data that is related to the PRD.
And the question is how quickly can you identify the anonymity? In the dataset. And how do you map relatable datasets together, which then supposed to help give you a heads up of something is about to happen or something is starting to happen. And I, I totally understand the need in that quality data.
How do you build the relationships of that data? That's extremely important. Yeah. I think that's so well said that our marketing team is going to take that Sasha and we're going to use it on our website.
And no, seriously, I think it's, it's very well put. There is, you, you touched on something very important, which is the story of you being on the road and you getting the message about needing to replenish your toll account. And this highlights how easy it is for the fraudsters to reach out to us. In general, security products are extremely complex.
Most of the time we're talking about security that is stuck in the early 2000s, where we rely on engineers to understand the dashboards. We rely on engineering teams to implement. What I, what I see happening a lot more often, and I see that with, with Bolster, which is importance of user experience. Like you don't have to be a security specialist with 50 years of experience to understand how do you implement the solution to the obvious problem?
Where you as a company take all of the complexity of the manual processes, you take the complexity of mapping the data, you take the complexity away from trying to map data like a puzzle and you simply give the output. And then there's a question. The only question that customer needs to worry about, or the person that is faced with a problem, which is data in input and output, we would like to understand what data we can take in. We'll process it for you.
And the output will be the result of the function that is implemented under the data. Yeah. I mean, if you talk to any seasoned product professional, they're going to tell you that you should, when in doubt, simplify. I think, and with data, I think it comes down to like when in doubt, abstract.
And you want to abstract the data, solve the problems without the expectation. That the customer should have a PhD in your product. Right. This direction towards agentic interfaces, Sasha, is going to start to allow companies to do what they've been wanting to do.
Or I think what the three of us want to see, which is less complexity, better problem solving. They're just rewrapping the complexity in a way and presenting it to you in a dashboard that none of them look good. None of them interoperates. And someone needs to babysit the dashboard when you start to bring in that security vendor.
Yeah. If we, the three of us walked the halls of RSA last year, and it was like, we could have been at like in Vegas. Like it's almost the exact same experience of like, what game are they playing? What are the odds?
And how much do you win and lose? Like every single vendor was, was selling almost as if they're like a new game. The gaming tables in Vegas without the understanding of like, hey, how do I become a subject matter expert in order to harness the power of this, this new game you've got here? Your, your experience at Apple is, is very interesting for, for one reason that I will map to the discussion that we have now.
Apple is not the first computer manufacturer. They build extremely user-friendly product that was easy to use. Before then we had very complex and complicated system that you had to have some type of education in order to operate it. But what Apple brought to the market is user experience.
And that gains traction. We see the same pattern in the software today, where the user experience is what drives the adoption of the product. It's not the technology itself. And you touched on this.
You started as a technologist, you were building products, but then you went into the business side. I agree with you 100% that the usability and the function that the product delivers is most important. If it's easy to use, you'll have the natural adoption of the product. Yeah.
I mean, one of the things that you could, the foundational, one of the foundational technologies that Apple built on top of was something called Gorilla Glass. Without Gorilla Glass, we never would have had pinch pull and all the interesting touch screens at all today, right? Corning stock went through the roof. You could almost say that it's potential, right?
That like AI and large language models may be the Gorilla Glass here of the next iteration, the technology wave, where it's not pinch pull, but it's a new logical way to interface with technology that we as humans want to interact with. Not pull down menus and file uploads or whatever, but it's just something more natural based upon who we are as a species. And I think it all comes down to the usability. And so you can solve a problem in a reasonably okay way with an amazing experience.
And that product is probably going to survive for a long time. Rod Schultz, everyone, the CEO of Bolster AI. Thank you so much for joining us on another episode of the Security Podcast in Silicon Valley. Guys, thanks for having me.
It's super fun. To all of our listeners for tuning into another episode. I'm one of the hosts, John McLaughlin, and joined with the other host, Sasha Sienkiewicz. This has been a Y Security production.
And thank you so much, everyone. Tune in to the next episode. Oh, and for all of the great tidbits and the case studies, we'll have links in the description, Rod, so we can have clear call to actions for anyone who's interested to learn more about Bolster. Thank you so much.
All right. Thank you, everyone. Thanks, Rod.