
Exploited: The Cyber Truth

Author: RunSafe Security


Description

Exploited: The Cyber Truth is a hard-hitting, no-fluff podcast exposing the realities of today’s cyber threat landscape and risks to critical infrastructure. Through candid conversations with top cybersecurity experts, industry leaders, and frontline defenders, the show breaks down recent high-profile vulnerabilities and exploits and covers innovative strategies used to stop them. To keep critical infrastructure safe, defenders need the upper hand. Tune in and get the cyber truth.

41 Episodes
In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security Founder and CEO Joseph M. Saunders and embedded systems expert Jacob Beningo to explore how AI is changing the software development lifecycle for embedded and firmware teams. Together, they unpack the risks and responsibilities that come with AI-generated code. While AI can accelerate development and automate tedious tasks, it can also introduce defects, expand the attack surface, and create a dangerous illusion of completeness. Unlike human engineers, AI cannot explain intent, reason about long-term system behavior, or take accountability when systems fail. Joe and Jacob discuss how engineering teams can safely integrate AI into development workflows without sacrificing security, reliability, or accountability, especially in systems that must operate safely for years in the field.

In this episode, they explore:
- Why AI-generated code can introduce hidden vulnerabilities and complexity
- The accountability challenge: who owns the risk when AI writes the code?
- How AI output should be treated as untrusted code by default
- Why rigorous testing, validation, and security reviews still matter
- Practical ways engineering teams can use AI responsibly in embedded development

For engineers, security leaders, and product teams navigating AI adoption in embedded systems, this episode offers practical insights into how to move faster with AI without weakening trust in the systems you build.

In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security CEO Joe Saunders and Cordell Robinson, CEO of Brownstone Consulting, to explore how security frameworks like NIST 800-53 are evolving from paperwork exercises into real drivers of security maturity. From continuous monitoring and secure-by-design development to Software Bills of Materials (SBOMs) and vulnerability transparency, the conversation examines what it takes to build trust in embedded and operational technology (OT) systems, especially as regulators sharpen their focus and nation-state threats grow more sophisticated.

Together, they explore:
- Why compliance should cover people, processes, and technology—not just policies
- How NIST frameworks are shifting from checklists to operational rigor
- The growing importance of SBOMs in supply chain transparency
- How AI is reshaping both cyber defense and attacker capability
- What new regulatory pressure (including the EU Cyber Resilience Act) means for manufacturers

Whether you build embedded systems, ship software to government agencies, or manage critical infrastructure, this episode offers practical insight into building compliance programs that strengthen security and earn trust.

In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security CEO Joseph M. Saunders and OT/ICS security expert Mike Holcomb, founder of UTILSEC, for a candid discussion about the weaknesses attackers exploit inside industrial environments. Mike shares what he repeatedly finds during assessments of large OT and ICS networks: no effective firewall between IT and OT, flat networks with little segmentation, stale Windows domains, shared engineering credentials, exposed HMIs, and OT protocols that will accept commands from any reachable host. He explains how attackers move from IT into OT using familiar enterprise techniques before pivoting into PLCs, RTUs, safety systems, and historians. Joe outlines why secure-by-design practices, higher software quality, and “secure by demand” procurement are critical to long-term resilience—especially as cloud connectivity and AI accelerate modernization in industrial environments.

Together, they explore:
- Why a missing or misconfigured IT/OT firewall remains the most common and dangerous gap
- How micro-segmentation and unidirectional architectures reduce blast radius
- The risks of web-enabled HMIs and long-lived legacy systems
- Why monitoring PLC programming traffic and historian queries matters
- How the Cyber Resilience Act is reshaping accountability for OT vendors

If you’re responsible for industrial operations, plant uptime, or product security, this episode shows how attackers actually move through OT environments—and how to eliminate the mistakes they depend on.

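Two of the findings above, that OT protocols accept commands from any reachable host and that PLC write traffic needs to be monitored, can be turned into a small detection. The following is an added example and is not code from the podcast or from RunSafe Security: it scans constructed Modbus/TCP connection records and flags any Modbus session crossing from the IT subnet into the OT subnet (which should not exist if the IT/OT firewall is doing its job) and any write function code sent from a host other than an approved engineering workstation. The subnets, the workstation address and the record format are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Modbus/TCP function codes that change process state (standard codes):
# 0x05 write single coil, 0x06 write single register, 0x0F write multiple
# coils, 0x10 write multiple registers, 0x17 read/write multiple registers.
MODBUS_WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x17}
MODBUS_PORT = 502

# Assumed site layout for this example: one IT subnet, one OT subnet, and a
# single engineering workstation that is allowed to write to controllers.
IT_SUBNET = ipaddress.ip_network("10.10.0.0/16")
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.20.5.10")}


@dataclass(frozen=True)
class Finding:
    rule: str
    src: str
    dst: str
    function_code: int


def parse_record(line):
    """Parse one constructed record: '<src_ip> <dst_ip> <dst_port> fc=<code>'."""
    src, dst, port, fc = line.split()
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
            int(port), int(fc.split("=", 1)[1]))


def analyse(lines):
    """Return findings for Modbus/TCP records that violate the site's policy."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, fc = parse_record(line)
        if port != MODBUS_PORT or dst not in OT_SUBNET:
            continue  # only Modbus/TCP sessions into the OT network matter here
        # Rule 1: an IT host talking Modbus to a controller means the IT/OT
        # boundary is missing or misconfigured, whatever the function code.
        if src in IT_SUBNET:
            findings.append(Finding("it-to-ot-modbus", str(src), str(dst), fc))
        # Rule 2: the protocol itself accepts writes from anyone, so the
        # allow-list of engineering workstations has to be enforced by monitoring.
        if fc in MODBUS_WRITE_CODES and src not in ENGINEERING_WORKSTATIONS:
            findings.append(Finding("write-from-unapproved-host", str(src), str(dst), fc))
    return findings


# Constructed sample records (not real traffic): the engineering workstation
# writing, an HMI reading then writing, and an IT host reaching two PLCs.
SAMPLE_RECORDS = """\
# src          dst         port fc
10.20.5.10   10.20.1.50  502  fc=16
10.20.7.33   10.20.1.50  502  fc=3
10.20.7.33   10.20.1.50  502  fc=6
10.10.3.7    10.20.1.50  502  fc=3
10.10.3.7    10.20.1.51  502  fc=5
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_RECORDS.splitlines()):
        print(f"{f.rule}: {f.src} -> {f.dst} (function code {f.function_code})")
```

Run stand-alone it reports four findings from the five records: the HMI's write of function code 6, and three for the IT host, one for each session it opened plus one for its write of function code 5. Reads from the HMI and writes from the engineering workstation pass. In a real deployment the records would come from a span port or flow collector, and the allow-list would be generated from the engineering change process rather than hard-coded.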
In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security Founder and CEO Joseph M. Saunders and embedded systems expert Elecia White, host of Embedded.fm and author of Making Embedded Systems, to discuss the trade-offs of using open source in embedded development. The conversation goes beyond debates about “open vs. proprietary” to explore how a single library can quietly introduce sprawling dependency chains, unclear maintenance responsibilities, licensing obligations, and long-term security exposure, especially in devices expected to operate for years or decades. Elecia and Joe share guidance for using open source intentionally, including how to set guardrails early, limit dependency blast radius, and design systems that can respond when vulnerabilities emerge, even when patching isn’t easy.

Together, they cover:
- Why embedded teams don’t get burned by open source, they get burned by unexamined dependencies
- How transitive dependencies and “helpful” packages quietly expand attack surface
- Why professionalism, documentation, and disclosure practices signal trustworthy projects
- Why build-time SBOMs matter more than after-the-fact analysis
- How Secure by Design thinking reduces reliance on emergency patching

For embedded engineers, product leaders, and security teams balancing delivery pressure with long-lived risk, this episode offers advice for using open source without inheriting future incidents.

Autonomous and connected vehicles are reshaping transportation, but increased software complexity and connectivity introduce serious security and safety challenges that can’t be solved with traditional perimeter defenses. In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security Founder and CEO Joseph M. Saunders and Hemanth Tadepalli, Senior Cybersecurity & Compliance SME at May Mobility, for a practical discussion on what cyber resilience looks like inside real-world autonomous vehicle programs. Hemanth draws on his experience securing mobility systems at May Mobility, as well as prior work with Mandiant, Google, and AlixPartners, to explain how automotive organizations are adapting to software-defined vehicle architectures, regulatory pressure, and expanding attack surfaces. Joe shares his perspective on why mobility companies increasingly resemble software companies and what that means for engineering, governance, and operational security.

Together, they explore:
- How connected and autonomous vehicle architectures expand the attack surface
- What cyber resilience means in day-to-day engineering and fleet operations
- How governance, threat intelligence, and software validation reduce risk
- Regulatory pressures shaping automotive security decisions
- How teams balance detection, response, and safety in autonomous systems

Whether you’re building autonomous platforms, managing connected fleets, or securing safety-critical software, this episode offers a grounded look at what it takes to keep modern mobility systems trustworthy and safe.

As industrial control systems become more connected, more Linux-based, and more exposed to IT-style threats, 2026 is shaping up to be a turning point for ICS security. In this end-of-year predictions episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security Founder & CEO Joseph M. Saunders and CTO Shane Fry to discuss what will define ICS and critical infrastructure security in 2026. The episode explores a bold prediction: we will see a major ICS breach originating from a web application vulnerability running directly on an embedded control device. As full Linux operating systems, Node.js apps, and web servers increasingly appear inside OT equipment, long-standing IT vulnerabilities are colliding with systems that are difficult—or impossible—to patch. Joe and Shane dig into why detection-only strategies fall short in constrained, long-lived devices, and why secure by design engineering, memory safety, and runtime protections are becoming essential. They also discuss the importance of accurate, build-time Software Bills of Materials, especially as regulations like the EU Cyber Resilience Act push manufacturers toward transparency, accountability, and provable supply-chain visibility.

Together, they cover:
- Why ICS exploitation is shifting from theoretical to operational
- How web app and RCE vulnerabilities are creeping into OT devices
- The limits of detection-only security strategies
- Why memory safety and runtime protections reduce exploitable risk
- How build-time SBOMs improve vulnerability tracking and trust

As vehicles evolve into always-connected, software-defined systems, cybersecurity decisions increasingly shape privacy, safety, and trust on the road. In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security CEO Joseph M. Saunders and special guest Sean McKeever, Global Product Cybersecurity Lead at Marelli, for a candid discussion on what it really means to secure modern vehicles. Sean brings deep industry experience to unpack how OEMs and suppliers are navigating data stewardship, autonomous testing, vehicle theft, and diverging global regulations.

Together, Paul, Joe, and Sean explore:
- What constant connectivity means for driver privacy and data stewardship
- The risks of beta-testing autonomous systems on public roads
- How car theft has shifted from physical break-ins to software exploitation
- Why U.S. and EU cybersecurity regulations take fundamentally different approaches
- The importance of collaboration across OEMs, suppliers, and regulators

From RF relay attacks to software-defined vehicles with decade-long lifecycles, this episode highlights why cybersecurity is no longer an add-on but a core design decision shaping the future of mobility.

Open source accelerates development in embedded systems, but hidden license obligations can quickly create legal and operational risk. In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security Founder and CEO Joseph M. Saunders and Salim Blume, Director of Security Applications, for a look at how copyleft risk emerges and why compliance in embedded products is more challenging than many teams expect. Salim breaks down how restrictive licenses, such as GPL and AGPL, can force the disclosure of proprietary code, interrupt product shipments, or create exposure long after devices are deployed in the field. Joe shares why accurate SBOMs, automated license checks, and enforcing policy at build time are critical to preventing surprises in downstream products. The discussion also touches on the ongoing Vizio case, where the TV manufacturer faces litigation that could compel public release of source code under the GPL, highlighting how open source obligations can surface years after products hit the market.

Together, Paul, Joe, and Salim explore:
- How copyleft obligations can require source-code disclosure
- Why embedded environments complicate license compliance
- Real-world cases where unnoticed GPL dependencies caused major issues, such as Vizio’s GPL lawsuit and Cisco’s WRT54G router family
- The growing implications of AGPL for SaaS and connected services
- How build-time SBOMs and automated controls reduce long-term risk

Whether you're building connected devices, managing software supply chain compliance, or protecting proprietary IP, this episode offers practical guidance to reduce copyleft risk before it becomes a costly problem.

In this episode of Exploited: The Cyber Truth, host Paul Ducklin sits down with RunSafe Founder and CEO Joseph M. Saunders to explore why the future of cyber defense depends on disrupting attacker economics rather than racing to keep up with every new threat. Joe breaks down how organizations can gain an asymmetric advantage by reducing exploitability across entire classes of vulnerabilities, especially persistent memory safety flaws that continue to expose critical systems. He shares why adding lightweight, automated protections at build time is one of the fastest ways to shift the cost curve onto attackers without forcing massive code rewrites or slowing development teams down.

Together, Paul and Joe discuss:
- Why attackers’ resource advantage requires a new defensive mindset
- The power of “patchless” protection in embedded and OT environments
- Why memory safety flaws persist and how to neutralize them at scale
- The risks of AI-generated code and how to prevent silent vulnerabilities
- How Secure by Design practices improve resilience for critical infrastructure

If you're responsible for securing embedded systems, OT assets, or long-lived devices where patch cycles are slow and risk is high, this episode offers a new mindset that gives defenders the upper hand.

As OT environments face rising geopolitical tensions, ransomware threats, and aging infrastructure, vulnerability management has never been more complex. In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security CEO Joe Saunders and Stuxnet expert Ralph Langner, Founder and CEO of Langner, Inc. Ralph shares from his decades of firsthand experience defending industrial control systems and explains why traditional CVE-focused vulnerability management falls short in OT. He breaks down the three major categories of OT vulnerabilities—design flaws, feature abuse, and configuration errors—and reveals why competent attackers often ignore CVEs entirely. Joe highlights how memory-based vulnerabilities continue to threaten critical systems and why eliminating entire vulnerability classes can create an asymmetric advantage for defenders.

Together, Ralph and Joe explore:
- Why most OT equipment remains insecure by design and why replacement will take decades
- How features, not bugs, often become the real attack vector
- The growing role of ransomware and IT-side weaknesses in OT compromises
- Practical steps OT defenders can take today to incrementally improve resilience
- The value of class-level protections, better architectures, and secure development processes

Whether you secure energy infrastructure, manufacturing systems, or mixed IT/OT networks, this episode delivers experience-driven guidance for strengthening cyber-physical resilience.

AI is fueling both innovation and new attack tactics. In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security Founder and CEO Joseph M. Saunders and Kelly Davis, Senior Solutions Architect at Glasswall, to uncover how AI-powered malware is slipping through traditional detection in federal and defense environments—and what can be done about it. Kelly breaks down how “clean file” strategies are redefining cybersecurity by ensuring only safe, verified content enters critical systems. Joe connects these insights to operational technology (OT), where malicious code can disrupt industrial operations, safety systems, and even national infrastructure.

Together, they explore:
- How AI is changing both attack and defense in cybersecurity
- Why detection-based security is too slow—and how AI is widening the gap
- How Content Disarm and Reconstruction (CDR) strengthens federal and defense workflows
- How federal agencies can adopt file-level defenses using pilots, boundary controls, and workflow APIs
- The parallels between clean files in IT and secure binaries in OT

Whether you’re defending national assets or securing industrial systems, this episode reveals why prevention—not detection—is the smartest defense in the AI era.

As healthcare becomes increasingly connected, cybersecurity is now as critical to patient safety as the devices themselves. In this episode of Exploited: The Cyber Truth, host Paul Ducklin sits down with RunSafe Security Founder and CEO Joseph M. Saunders to explore how medical device manufacturers can design protection into every phase of product development—from concept to deployment and beyond. Joe discusses how medical device manufacturers are aligning innovation with evolving FDA and CISA cybersecurity expectations, embedding secure-by-design principles, and redefining engineering culture to treat security as part of product quality and not just compliance.

Listeners will learn:
- Why Secure by Design is critical for building safe, resilient medical devices from the start
- How FDA guidance has pushed manufacturers to treat cybersecurity as part of product design and is reshaping compliance in healthcare
- What a Software Bill of Materials (SBOM) is and why generating it at build time gives the clearest picture of software risk
- Why openness about software components helps reduce risk, even when it feels counterintuitive
- How standardizing development practices makes devices safer, lowers costs, and leaves more room for innovation

For those developing life-critical devices or managing medtech risk, this episode explores how building security into every stage of design and development protects patients and sustains innovation in connected care.

When we think of generative AI in defense, many think of how it will be used on the frontlines. But it actually serves a much wider purpose in helping warfighters plan, prepare, and execute missions. In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security Founder and CEO Joseph M. Saunders and Arthur Reyenger, Generative AI Strategy Executive at Ask Sage, Inc., to explore how generative AI is transforming defense missions—from planning to execution. They discuss how AI-driven decision support, predictive analytics, and digital twins are giving defense teams faster insights and tactical advantages while maintaining trust, security, and control. The conversation looks at examples of how AI is accelerating acquisition processes, strengthening cybersecurity, and even supporting front-line logistics aboard Navy vessels.

Together, Joe and Arthur discuss:
- How generative AI accelerates decision-making and mission readiness
- The role of commercial off-the-shelf (COTS) AI in defense innovation
- Why responsible AI and human oversight remain critical
- How secure, scalable platforms are redefining operational impact

Whether you’re in defense, cybersecurity, or technology leadership, this episode sheds light on how generative AI is helping warfighters stay one step ahead.

CISA and DHS have raised the bar for software transparency with the first major update to the Minimum Elements for an SBOM since 2021—expanding what every software supplier must disclose. But what does this really mean for developers, embedded system teams, and security leaders trying to protect critical infrastructure? In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security’s Kelli Schwalm and CEO Joseph Saunders to unpack the technical and strategic impact of the 2025 SBOM draft. Kelli explains key additions like component hashes, generation context, and transitive dependencies, and how they improve accuracy and traceability. Joe connects the dots to the bigger picture—how richer SBOMs enable resilience, transparency, and safer disclosure practices across the software supply chain.

Together, they explore:
- Why new SBOM data fields (like hashes and license metadata) matter for risk mitigation
- The ongoing challenges of SBOMs for embedded and C/C++ systems
- How stronger visibility supports secure vulnerability disclosure and compliance
- Why SBOMs are evolving from check-box compliance to core resilience tools

Whether you manage embedded software, oversee product security, or shape compliance policy, this episode reveals how the 2025 update to the SBOM Minimum Elements is set to reshape software assurance for years to come.

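The two SBOM episodes above (the copyleft discussion with Salim Blume and the Minimum Elements discussion with Kelli Schwalm) both come down to the same build-time gate: read the SBOM the build produced, and refuse to ship if a component has a copyleft license the product cannot accept, lacks the hash needed to verify its identity, or does not appear in the dependency graph at all. The following is an added example, not code from the podcast or from RunSafe Security. It walks a constructed CycloneDX document with fictitious components; the copyleft prefix list and the "SHA-256 required" rule are assumed policy choices, and the CycloneDX field names used (`bom-ref`, `licenses`, `hashes`, `dependencies`) are the standard ones.

```python
from collections import deque

# Licenses that trigger source-disclosure obligations when linked into a
# proprietary firmware image. The prefix list is an assumed policy for this
# example; LGPL is included because firmware is usually statically linked,
# which brings LGPL's relinking obligations into play.
COPYLEFT_PREFIXES = ("GPL-", "LGPL-", "AGPL-")
REQUIRED_HASH_ALG = "SHA-256"


def licenses_of(component):
    """Return declared SPDX license ids for a CycloneDX component, or ['UNKNOWN']."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ids or ["UNKNOWN"]


def dependency_paths(sbom):
    """Breadth-first walk from the root component; maps each reachable
    bom-ref to the first path found to it, so transitive deps get a chain."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in paths:
                paths[child] = paths[ref] + [child]
                queue.append(child)
    return paths


def check_sbom(sbom):
    """Return policy findings as strings; an empty list means the build can ship."""
    findings = []
    paths = dependency_paths(sbom)
    for comp in sbom.get("components", []):
        ref = comp["bom-ref"]
        label = f"{comp['name']}@{comp.get('version', '?')}"
        algs = {h["alg"] for h in comp.get("hashes", [])}
        if REQUIRED_HASH_ALG not in algs:
            findings.append(f"{label}: no {REQUIRED_HASH_ALG} hash, component identity cannot be verified")
        if ref not in paths:
            findings.append(f"{label}: not reachable in dependency graph, origin unknown")
        for lic in licenses_of(comp):
            if lic == "UNKNOWN":
                findings.append(f"{label}: license undeclared")
            elif lic.startswith(COPYLEFT_PREFIXES):
                chain = " -> ".join(paths.get(ref, [ref]))
                findings.append(f"{label}: copyleft license {lic} via {chain}")
    return findings


def _component(name, version, licence=None, hashed=True):
    """Build a constructed CycloneDX component for the sample SBOM below."""
    comp = {"type": "library", "bom-ref": name, "name": name, "version": version}
    if licence:
        comp["licenses"] = [{"license": {"id": licence}}]
    if hashed:
        comp["hashes"] = [{"alg": "SHA-256", "content": "ab" * 32}]  # placeholder digest
    return comp


# Constructed sample SBOM (CycloneDX 1.5 shape, fictitious components).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "firmware", "bom-ref": "firmware",
                               "name": "firmware", "version": "4.2.0"}},
    "components": [
        _component("libfoo", "1.2.0", "MIT"),
        _component("libbar", "0.9.1", "GPL-3.0-only"),              # pulled in by libfoo
        _component("netlib", "2.0.0", "AGPL-3.0-only", hashed=False),
        _component("libbaz", "3.1.0"),                               # no license declared
        _component("orphan", "1.0.0", "Apache-2.0"),                 # absent from the graph
    ],
    "dependencies": [
        {"ref": "firmware", "dependsOn": ["libfoo", "netlib"]},
        {"ref": "libfoo", "dependsOn": ["libbar", "libbaz"]},
    ],
}

if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print(finding)
```

Against the sample document the gate reports five findings: the GPL component with its transitive chain (`firmware -> libfoo -> libbar`), the AGPL component both for its license and for its missing hash, the component with no license at all, and the component that the dependency graph never reaches. The chain is the part an after-the-fact scan cannot give you; it is only available because the SBOM was generated by the build that linked the libraries, which is the point both episodes make.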
Safeguarding critical infrastructure demands more than just technology—it requires unity. In this episode of Exploited: The Cyber Truth, host Paul Ducklin sits down with RunSafe Security CEO Joseph M. Saunders and Madison Horn, National Security & Critical Infrastructure Advisor at World Wide Technology, to explore how collaboration across government and industry is shaping a stronger, more secure future. Madison shares insights from her work bridging the gap between policymakers and technologists, highlighting what “best-in-class” public-private partnerships look like and why security by design is a shared responsibility. Together, Madison and Joe unpack how AI, geopolitics, and legacy systems intersect in today’s cyber threat landscape and what it will take to build lasting resilience. From aligning economic incentives to enabling secure-by-design innovation, this discussion underscores one essential truth: protecting critical infrastructure isn’t just a technical mission—it’s a collective one.

In this episode, you’ll learn:
- How collaboration between government and industry drives national cyber resilience
- What “best-in-class” public-private partnerships look like in practice
- The challenges of protecting legacy systems that were never built to be online
- How AI and emerging technologies are reshaping cyber defense and regulation
- Why secure-by-design principles must become a shared responsibility
- Where current policies succeed—and where leaders can push for meaningful change

The software supply chain often gets all the attention, but what about its foundation? In this episode of Exploited: The Cyber Truth, RunSafe Security Founder and CEO Joseph M. Saunders explores why securing the firmware supply chain is critical as attackers look to target the lowest layers of devices. Joe explains how firmware vulnerabilities in embedded and connected devices—across healthcare, automotive, energy, and defense—can be exploited at scale, and why legacy assumptions about firmware trust are no longer enough.

Listeners will learn:
- Tactics adversaries use to exploit firmware vulnerabilities
- Risks inherited from third-party firmware and complex supply chains
- How “shifting security down the stack” enhances trust for all systems above it
- Practical steps CISOs, security leaders, and device manufacturers can take to harden firmware

This episode uncovers an often-overlooked attack surface, showing why securing firmware is a strategic priority for reducing risk at scale.

As manufacturing systems and industrial control devices become increasingly connected, attackers are finding new ways to hijack machines, disrupt operations, and steal intellectual property. In this episode of Exploited: The Cyber Truth, host Paul Ducklin and RunSafe Security Founder and CEO Joseph M. Saunders break down how embedded threats unfold and why manufacturers are in the crosshairs. Joe shares real-world examples of water system breaches, programmable logic controller (PLC) exploits, and the dangers of memory-unsafe code that persists across legacy and modern systems. He explains how attackers weaponize software supply chain weaknesses and software determinism—and why preventing exploitation at build time is critical.

Topics discussed include:
- How adversaries infiltrate embedded and industrial devices
- The role of nation-state motivations, economic espionage, and insider threats
- Why memory-unsafe languages remain a root cause of critical vulnerabilities
- How Secure by Design practices and runtime protections can harden devices without disrupting operations
- What manufacturers must watch as AI-driven attack paths begin to emerge

For leaders responsible for protecting industrial systems, this episode offers a clear-eyed look at the risks and practical strategies to defend machines before they get hacked.

As advanced weapons platforms become increasingly software-driven, cybersecurity has emerged as a frontline concern for Aerospace & Defense. In this episode of Exploited: The Cyber Truth, host Paul Ducklin and RunSafe Security CEO Joseph M. Saunders welcome Dave Salwen, VP of Embedded Systems at RunSafe Security, for a deep dive into the cultural and technical shifts required to defend tomorrow’s arsenal. Dave explains why applying enterprise IT security models to mission-critical weapon systems is dangerously inadequate, how long patch cycles and software reuse create systemic vulnerabilities, and why proactive defense against unknown threats is essential.

The conversation explores:
- How adversaries exploit software flaws in unpatched, mission-critical systems
- Why cultural change inside the DoD and its ecosystem is as vital as its technical defenses
- The role of Secure by Design in weapons development lifecycles
- The risks of open-source and supply chain dependencies in defense programs
- Why resilience and runtime defenses are critical to mission survivability

For defense leaders, program managers, and technologists, this episode highlights how adopting a new mindset around weapons cybersecurity is key to safeguarding national security.

Taiwan sits at the heart of the global economy, producing nearly 90% of the world’s advanced semiconductors. But with 2.4 million cyberattacks hitting the island daily, could a digital siege cripple it before a single missile is launched? In this episode of Exploited: The Cyber Truth, host Paul Ducklin and RunSafe Security CEO and Founder Joseph M. Saunders examine Taiwan’s fragile critical infrastructure, exposed undersea cables, and dependence on imported energy—weaknesses that adversaries could exploit through cyber warfare and gray-zone tactics.

Drawing lessons from Ukraine and Israel, Joe and Paul explore:
- How Taiwan’s semiconductor “super sector” makes it a global cyber target
- Why energy and telecom resilience are linchpins of national survival
- The role of software supply chain security and memory safety in defense
- How the same cyber playbook could threaten U.S. and allied infrastructure

This sobering conversation underscores a vital truth: in the age of hybrid warfare, digital resilience is deterrence itself.

Is patching enough to secure critical systems? In this episode of Exploited: The Cyber Truth, host Paul Ducklin sits down with Joe Saunders, Founder and CEO of RunSafe Security, to challenge the idea that vulnerabilities can be solved after software ships. Joe explains why embedded systems and critical infrastructure demand a different approach—one that builds protections in from the start.

He unpacks:
- Why patching after deployment creates dangerous gaps for attackers
- How build-time memory safety and code-hardening disrupt exploitation
- The software supply chain risks of relying on incomplete SBOMs
- Real-world examples of how build-time defenses reduce costly downtime and post-production scrambles

If you’re leading a program of record, developing embedded systems, or managing software security, this conversation reveals why “Secure by Design” is the only way forward.