Where can I listen to this podcast?

This podcast is available on 4 platforms including Apple Podcasts, Spotify, and more. You can also use the RSS feed directly.

Does this podcast accept guests?

Yes, this podcast regularly features guests.

Full Metal Packet

Claim This Podcast

by Control D

11 episodes

Updated Daily

Accepts GuestsHas Sponsors

Podcast Overview

Full Metal Packet is the go-to podcast for security leaders who want the truth about what it takes to defend at scale. Hosted by Yegor and Alex, the founders of Windscribe (trusted by 90M+ people) and Control D, this show pulls back the curtain on how operators actually handle breach incidents, reduce noise, and prepare for the post-AI security world. Season 1 features CISOs, DFIR commanders, and security architects from SaaS, healthcare, government, and hospitality. Each episode dives into: - Breach Incidents → the first 72 hours that define an outcome (de-identified and NDA-safe). - SecOps Therapy → the frictions nobody talks about: burnout, broken workflows, and the fixes that matter. - Security Futures → fresh perspectives on what’s underrated, overhyped, and coming next in a world reshaped by AI. No vendor fluff - just operator-grade conversations that security professionals can apply immediately.

Language

🇺🇲

Publishing Since

10/2/2025

Visit Website View on Apple Podcasts RSS Feed

2 verified contact emails on file for Full Metal Packet

Pitch yourself as a guest, propose sponsorships, or reach out directly to the host.

See contact details

Recent Episodes

June 16, 2026

Navy Officer Reveals the Threat Modeling Mindset Most Cybersecurity Teams Are Missing

Ben Lipczynski is the Director of Security and Regulatory Services at Origina and a former British Royal Navy officer with 12 years operating nuclear submarines and global networks. He brings an operator-level perspective on what separates a contained incident from a months-long operational nightmare.In this episode, Ben breaks down why patching is not a silver bullet, why legacy systems are more defensible than most teams assume, and what the submarine service taught him about knowing your critical systems before an attacker finds them for you.He explains:◼ Why siloed teams and poor system knowledge cause more breaches than sophisticated attacks ever do◼ Why upgrading to the latest version often introduces more vulnerabilities than it removes◼ How 700 scan findings came down to 20 real actions after proper contextual analysis◼ Why the CVE volume problem is about to get significantly worse and what to do about it◼ Why defense in depth, not patching, is the only strategy that holds up when an attacker gets insideTime Stamps:(0:00) Introduction(0:53) What corporate security teams get wrong vs. the military(2:22) The submarine mindset: 90% training, 10% operations(4:48) Operational clarity in the military: everyone knows the mission and their role(6:59) Military structure vs. corporate agility — opposites or the same need?(10:38) Why Ben left the Navy for cybersecurity(14:32) "Take a marching pace" — thinking before acting in incident response(18:09) The iPad water treatment plant story — OT connectivity creep in the real world(25:30) The myth of N-minus-one: legacy doesn't mean insecure(28:10) Open source dependency risk — 60% of vulnerabilities aren't in the core code(31:01) Slop squatting: attackers pre-registering AI-hallucinated package names(33:00) What to do when you can't patch — contextual risk-based defense in depth(36:26) The patch validation problem — exploits now arrive within hours of a CVE(44:00) Fully patched, still taken down — architecture beats updates(51:26) Log4J case study: why deleting the library beat the patch cycle(55:23) Practical advice for security teams managing legacy systems(1:02:22) The CVE volume crisis — is the current patching model even tenable?(1:07:21) Bold prediction: CVE text itself will become an attack vector for AI agentsConnect with the speakers ⬇️:Ben Lipchinski: <a href="https://www.linkedin.com/in/benlipczynskisecurity/" rel="noopener noreferrer" target="_blank">https://www.linkedin.com/in/benlipczynskisecurity/</a>Yegor Sak: <a href="https://www.linkedin.com/in/yegor-sak-725330b2/" rel="noopener noreferrer" target="_blank">https://www.linkedin.com/in/yegor-sak-725330b2/</a>Alex Paguis: <a href="https://www.linkedin.com/in/alex-paguis-53a21815/" rel="noopener noreferrer" target="_blank">https://www.linkedin.com/in/alex-paguis-53a21815/</a>Powered by <a href="https://controld.com/" rel="noopener noreferrer" target="_blank">Control D</a>

May 28, 2026

ISO 27001 Expert: Why Compliance Doesn't Equal Security For CISOs

John Verry is the Managing Director at CBIZ Cybersecurity, ISO 27001 certified lead auditor since 2006, and has guided hundreds of organizations through ISO 27001, SOC 2, CMMC, FedRAMP, and HITRUST. He has seen firsthand what separates organizations that get genuinely secure from those that just collect certifications.In this episode, John breaks down the gap between compliance and actual security, why shadow AI is already embedded in tools your team uses daily, and why agentic AI is the risk no CISO is truly prepared for yet.He explains:◼ Why you can be fully compliant and completely insecure at the same time◼ Why operationalizing your security program inside tools your team already uses matters more than buying another GRC platform◼ How 65% of SaaS platforms now have AI built in and why most organizations have no inventory of it◼ Why the EU AI Act's August 2026 deadline is real and what organizations need to do now◼ Why agentic AI shifts the risk from hallucination to autonomous business decisions made at scale without a human in the loopTimestamps(00:00) Introduction (06:27) Meet John Verry: Managing Director at CBiz Cybersecurity (07:47) What compliance theater actually means and why it matters (09:34) Security is a journey, compliance is a destination (12:30) The most common mistakes companies make after getting certified (15:07) What it actually takes to operationalize a security program (17:34) The merchants of complexity problem and why less tooling wins (20:50) Third party risk management and the hidden operational debt of every new vendor(22:19) What shadow AI is and why most organizations still do not know they are using it (28:21) How to balance moving fast on AI with slow-moving compliance frameworks (31:40) Why ISO 27001 updates slowly and why that might actually be a good thing (36:41) How to risk model different types of AI from Grammarly to agentic systems (40:14) Why shadow AI is lower risk than deeply integrated AI but still dangerous (43:29) Sycophantic AI behavior, what causes it, and why it creates real danger (52:29) AI coding AI, the hard takeoff, and the model collapse problem (54:24) EU AI Act deadlines, ISO 42001, and why AI compliance urgency is now (58:44) How ISO 42001 works as an extension of ISO 27001 (01:01:27) When auditors do not understand AI governance and certifications become theater(01:02:28) The main blocker stopping CISOs from escaping compliance theater (01:05:41) The next 12 to 18 months: why the era of agentic AI is already here (01:07:48) Closing thoughts: What should actually scare every CISO right nowConnect with John Verry on LinkedIn<a href="https://www.linkedin.com/in/jverry/" rel="noopener noreferrer" target="_blank">https://www.linkedin.com/in/jverry/</a>Hosts ⬇️Alex: <a href="https://www.linkedin.com/in/alex-paguis-53a21815/" rel="noopener noreferrer" target="_blank">https://www.linkedin.com/in/alex-paguis-53a21815/</a>Yegor: <a href="https://www.linkedin.com/in/yegor-sak-725330b2/" rel="noopener noreferrer" target="_blank">https://www.linkedin.com/in/yegor-sak-725330b2/</a>Powered by <a href="https://controld.com/" rel="noopener noreferrer" target="_blank">Control D</a>

May 12, 2026

EX-FBI Agent Breaks Down Breach Realities: Identity Is The New Malware

Devon Ackerman is the Global Head of Digital Forensics and Incident Response at Cyber Reason and a former FBI Supervisory Special Agent focused on counterintelligence and cyber investigations. He is also the author of Diving In: An Incident Responder's Journey and one of the most experienced breach investigators working today.In this episode, Devon walks Alex and Yegor through exactly how modern intrusions unfold in the real world, from the first point of entry to full compromise, and what most organizations are still completely missing until the damage is done.He explains:◼ Why attackers ditched malware and are stealing identities to hide inside normal user behavior◼ How one phone call to a help desk bypassed MFA and gave full network access without a single alert◼ Why phishing kits intercept your authentication token, not your password◼ Why hardware keys stop most kill chains cold and where that still breaks down◼ The four threat actor categories and why each one requires a different defensive responseTime Stamps(00:00) Devon Ackerman Introduction(01:48) Why digital forensics and incident response belong together(04:28) How modern investigations have changed in the last 5 years(06:49) Are attackers moving faster than defenders?(08:41) Can digital forensics become proactive?(11:31) Will AI turn cyber defense into a war of bots?(14:50) Why security adoption still lags behind new threats(16:43) Identity becomes the primary attack surface(19:56) War story: help desk social engineering, password resets, and disabled MFA(22:52) A real vulnerability exploited within 12 hours(25:18) What happens when CVE-to-exploit timelines shrink to minutes(28:29) How adversary-in-the-middle MFA phishing works(33:16) Why MFA bypass is really about intercepting authentication(35:54) Hardware keys and where phishing kill chains usually stop(39:14) Hacktivists, nation-states, organized crime, and initial access brokers(42:47) The economics of selling access vs exploiting it yourself(46:56) Devon’s final advice for defenders: reduce blast radiusConnect with the speakers ⬇️Devon: <a href="https://www.linkedin.com/in/devonackerman/" rel="noopener noreferrer" target="_blank">https://www.linkedin.com/in/devonackerman/</a>Yegor: <a href="https://www.linkedin.com/in/yegor-sak-725330b2/" rel="noopener noreferrer" target="_blank">https://www.linkedin.com/in/yegor-sak-725330b2/</a>Alex: <a href="https://www.linkedin.com/in/alex-paguis-53a21815/" rel="noopener noreferrer" target="_blank">https://www.linkedin.com/in/alex-paguis-53a21815/</a>Powered by <a href="https://controld.com/" rel="noopener noreferrer" target="_blank">Control D</a>

11 total episodes available

Deep-dive analytics for Full Metal Packet

Frequently asked questions

Have a different question and can't find the answer you're looking for? Reach out to our support team by sending us an email and we'll get back to you as soon as we can.

What is Full Metal Packet?: Full Metal Packet is the go-to podcast for security leaders who want the truth about what it takes to defend at scale. Hosted by Yegor and Alex, the founders of Windscribe (trusted by 90M+ people) and Control D, this show pulls back the curtain on how operators actually handle breach incidents, reduce noise, and prepare for the post-AI security world.

Season 1 features CISOs, DFIR commanders, and security architects from SaaS, healthcare, government, and hospitality. Each episode dives into:

Breach Incidents → the first 72 hours that define an outcome (de-identified and NDA-safe).

SecOps Therapy → the frictions nobody talks about: burnout, broken workflows, and the fixes that matter.

Security Futures → fresh perspectives on what’s underrated, overhyped, and coming next in a world reshaped by AI.

No vendor fluff - just operator-grade conversations that security professionals can apply immediately.
How often does this podcast release new episodes?: This podcast updates daily.
Where can I listen to this podcast?: This podcast is available on 4 platforms including Apple Podcasts, Spotify, and more. You can also use the RSS feed directly.
Does this podcast accept guests?: Yes, this podcast regularly features guests.

Legal Disclaimer

Pod Engine is not affiliated with, endorsed by, or officially connected with any of the podcasts displayed on this platform. We operate independently as a podcast discovery and analytics service.

All podcast artwork, thumbnails, and content displayed on this page are the property of their respective owners and are protected by applicable copyright laws. This includes, but is not limited to, podcast cover art, episode artwork, show descriptions, episode titles, transcripts, audio snippets, and any other content originating from the podcast creators or their licensors.

We display this content under fair use principles and/or implied license for the purpose of podcast discovery, information, and commentary. We make no claim of ownership over any podcast content, artwork, or related materials shown on this platform. All trademarks, service marks, and trade names are the property of their respective owners.

While we strive to ensure all content usage is properly authorized, if you are a rights holder and believe your content is being used inappropriately or without proper authorization, please contact us immediately at hey@podengine.ai for prompt review and appropriate action, which may include content removal or proper attribution.

By accessing and using this platform, you acknowledge and agree to respect all applicable copyright laws and intellectual property rights of content owners. Any unauthorized reproduction, distribution, or commercial use of the content displayed on this platform is strictly prohibited.