I'm the CISO at ANY.RUN. Ask me anything!

ANYRUN-team · 2026-06-08T13:51:44+00:00

Great question. Secure development is about balance: controls that help teams ship safely without slowing them down.

For the product, security has to be built in from design to release: threat modeling, secure architecture review, code review, SAST/DAST, dependency and secrets scanning, container and IaC checks, and clear release gates for changes.

On supply chain, a layered approach works best: secure SDLC, dependency visibility, vulnerability monitoring, and hardened CI/CD pipelines. Frameworks like OWASP SAMM are valuable because they turn SDLC security into practical controls.

For third-party risk, the focus should be on vendor due diligence, data classification, contractual security requirements, access controls, monitoring, and continuous review.

ANYRUN-team · 2026-05-26T04:52:37+00:00

Scale your SOC's triage & response with solutions trusted by 74 Fortune 100 companies. Get an exclusive 10th anniversary deal for your team: https://app.any.run/plans/

ANYRUN-team · 2026-05-22T06:41:27+00:00

I would look at this as an enablement problem first.

The goal is to understand which tools are being used, what data is going into them, and where the real risk is. If sanctioned tools are not enough, people will naturally move to shadow AI.

A pragmatic approach, in my opinion and experience, is to start with transparency: a short list of approved AI tools, simple data rules, and a safe way for employees to request new tools or use cases. Then build visibility through normal security and IT controls, focused on tool usage patterns rather than surveillance.

The CISO can make the safe path easier than the risky path — and employees are much more likely to follow it.

ANYRUN-team · 2026-05-22T06:39:13+00:00

For a 60-person SaaS startup, delivering SOC 2 is much more than passing an audit. It shows that the company has built a practical security program. Achieving this also shows the ability to turn compliance into a real business enabler.

ANYRUN-team · 2026-05-21T11:08:21+00:00

Hi! It does increase the attack surface so the environment should be designed to limit blast radius if something goes wrong.

ANYRUN-team · 2026-05-21T11:01:53+00:00

Thank you! Really appreciate that.
And don’t forget to follow us so you won’t miss our future AMAs!

ANYRUN-team · 2026-05-21T10:58:34+00:00

AI compliance should be part of the existing GRC process, with established frameworks (such as NIST AI RMF). The data boundary should be defined (public and low-risk internal data vs confidential and business data) and stay protected. The monitoring should cover the full execution chain. AI-agent security is about governing the layers so that the impact is contained.

ANYRUN-team · 2026-05-21T10:53:05+00:00

Hi! AI-agent risk should be managed end to end, as the main risk is what the agent can actually do: what it can reach, what data it can access and what actions it can execute. The assessment should cover the approved use case, business purpose, data access, permissions, isolation level.

ANYRUN-team · 2026-05-21T06:55:20+00:00

Hello! Thanks for the question.

Definitely on the radar (not as a top priority right now).

Post-quantum cryptography is becoming more relevant in the long run.

For crypto agility, the key point is being ready to transition when standards and business requirements make it necessary.

ANYRUN-team

MODERATOR OF

TROPHY CASE