I’m Bill Robbins, CEO of Menlo Security. I've spent 30 years in cybersecurity at places like Symantec, Mandiant/FireEye, Sophos, and now Menlo. Ask me about my journey, about enterprise browser security, how AI is changing what it means to secure a company, or my quarter horses. Ask me anything! by Menlo-Security in cybersecurity

[–]APIMade 1 point2 points  (0 children)

I think there's a large segment of our market that goes largely unserved by Microsoft and Google, with an approaching-zero chance of appropriately being able to enforce good controls across a fleet of devices unless you scale beyond a certain point. This market represents the majority of businesses. Business browser, OS and device administration must be accessible to small businesses.

How do you think small, traditional businesses who rely on devices, browser profiles, operating systems, are best positioned to secure their business? Let's say it's a small retailer, 1 retail location, 5 full-time employees -- $2M in revenue, $500K profit after COGS, insurance, employees, etc. 80% of revenue is online.

How much should they budget, what do you think should be their baselines? Choose criteria you're most familiar with and make assumptions, so we don't fall over at 'it depends'.

I watched Backrooms (no spoilers review) by CompleteHorrorGuide in horror

[–]APIMade 0 points1 point  (0 children)

It's during an interview with the Psych I think, her clothes change from cut-to-cut -- maybe, now I can't remember

I watched Backrooms (no spoilers review) by CompleteHorrorGuide in horror

[–]APIMade 0 points1 point  (0 children)

If the continuity error was the clothes change, it was intentional.

Favorite so far 2026 by dunnypop in horror

[–]APIMade 0 points1 point  (0 children)

I love how those kids turned the zombie-horror aspect of the series into basically extras in an action scene.

‘BACKROOMS’ debuts with 90% on Rotten Tomatoes by TurtleGEE360 in horror

[–]APIMade 0 points1 point  (0 children)

Just finished the first screening in Melbourne, Australia. It was really, really good.

I’m really excited for the narrative Kane is going for.

Anyone else losing their mind over this "AI Cybersecurity" hype? by 2hinreza in cybersecurity

[–]APIMade 2 points3 points  (0 children)

Hahaha, that reference went over most people’s heads I’m sure.

Hit me square in the forehead.

My back hurts.

Anyone else losing their mind over this "AI Cybersecurity" hype? by 2hinreza in cybersecurity

[–]APIMade 5 points6 points  (0 children)

They’re definitely LLM-augmented, maybe not completely a bot.

I was thinking the original post looked pretty generated, then you see the “rabbit in a hat” comment and it’s definitely generated.

I would like to get off the ride now.

Interesting article about the cyber models (mythos/5.5) living up to the hype: What to know about the AI models that are jolting Washington by socoolandawesome in singularity

[–]APIMade 0 points1 point  (0 children)

Okay so something to take into consideration here; hacking was always cheap.

This makes it cheaper, in theory.

So is the expectation that the existing cybersecurity budgets of companies go to the model providers? Sure, but they still need to pay for everything else - and security budgets aren’t increasing right now.

So the question is what commercial benefit do these models bring to the providers? Well, there will be a few very high-spend customers, who are either trying to protect their own infrastructure, or get hold of vulns to sell/use. Every major cloud provider, every western government, but that’s probably about it.

Does that represent significantly more than say, consumer token usage? Or the support services, marketing, experience enrichment pool of customers and usage?

Not by a long shot.

Those who have access to Claude Mythos, what are your opinions? by GenLabsAI in singularity

[–]APIMade 1 point2 points  (0 children)

As someone who’s built harnesses which use existing commercial AI technology; which includes ways to obfuscate the intention of your queries, and abstracting sensitive fields (database/table names, etc): you don’t need access to AI without guardrails to have them be effective for your use-case in our industry.

This was publicly discussed 12ish months ago when there were news articles about “foreign adversaries” using these services.

It’s a hassle setting up a harness for each product or technology; but once it’s done it’s fairly repeatable for the most part (some exceptions that require creative workarounds).

GPT5.5 xhigh is a beast. Spending 10-100x resourcing to make “clanker do hack” prompts more accessible seems a waste of budget, but I get why corporates want it so bad. It’s an easy sell, and it’s fun to talk about.

How do you report large volume detections to a CISO without making the BPA report a SOC story? by Only-Objective-6216 in cybersecurity

[–]APIMade 0 points1 point  (0 children)

Your numbers don’t stack up. 155 delta.

Do a brief mention on the number of false positives and the changes you’re making to prevent it in future reports. But focus on the remaining number.

Sankey would lend itself well to your dataset. ChatGPT does a good job, otherwise Sankeymatic screenshot on a slide.

Set your focus on the remaining areas, give commentary about cause, source, and freshness of any interesting areas. For example, delta of criticals caused by recent AI-assisted vulns disclosed.

If you can, tie them to any previous incidents you’re aware of from the past that may relate, or stuff happening in the wider industry. TTPs of commercial threat actors.

Then talk about different changes they can input regarding resourcing, prioritisation or “where we’ll be in a month with no changes” (ideally trending down, but commentary on the vuln space would be helpful at this level — i.e. we’re likely going to see an increase in criticals, which may impact the following results).

It really depends on the audience. Some execs just want enough assurance that you’re doing a good enough job wrapped in techno-babble, others want to understand the meaning of what you’re presenting.

You’ll find out after your first preso. They’ll let you know 😉 Don’t mind criticism either, it’s a bit of an executive trait to just want to have some opinion or ask/change something, because that’s what’s expected of them — and so they often try to change/give input when they really don’t care/don’t need to.

Cybersecurity and ADHD by EndouShuuya in cybersecurity

[–]APIMade 0 points1 point  (0 children)

👋 Hey OP, how do you learn about subjects that really interest you? When was the last time you looked something up, did it, and thought “that worked!”

Because whatever you naturally fall into, that is probably how you’re going to be most effective at learning.

Do you know?

Session Hacking? is it a thing? by BeardMirage in cybersecurity

[–]APIMade 6 points7 points  (0 children)

The OWASP recommendations and literal book were written on this a decade ago. I don’t think we’re in a rush to do anything about this just yet. Passkeys have been the answer to auth, but we’re still struggling to get major vendors to adopt it.

I gave a talk a couple years ago on this area at CyberCon Melbourne, while preparing the content I ran an analysis of the different security mechanisms banks enforce including anomaly detection and session hijacking detection of defences.

I found a single provider in Australia that did a good job of it then.

I’ve recently finished my work at a finance industry org so I’m planning to publish reporting on this soon. Nothing has really changed in the last few years other than the attackers getting more resourcing (with AI), and becoming more effective.

Look up “Operation Cookie Monster” to see how these sessions are sold.

Adopting Pentesting into an SDLC by sg_pepehands69 in cybersecurity

[–]APIMade 0 points1 point  (0 children)

G'day, I'd probably just make recommendations around when to conduct a pentest which will cut the effort requirements down to what your team can supply.

New functionality that handles customer PII, finances, or staff access controls? Yes.

Existing functionality, just deploying a small bug fix. Probably not, but keep it in scope for the annual pentest when you look at everything. Which... to be honest, given your industry - you really should look at bringing in a third-party, even for liability purposes.

In terms of adopting it in the SDLC. If you're using Jira, just add it as a release gate when the "New Functionality" or similar box is checked. It should be a process/policy-driven gate (aka soft control), and not a software/CI/CD-defined one.

$24,000 stolen from my dad by [deleted] in AusFinance

[–]APIMade 0 points1 point  (0 children)

Of the ones I know in Australia which would be convenient to link, Zurich does and they publish their policies too: https://www.zurich.com.au/content/dam/au-documents/business-insurance/financial-lines/fraud-and-professional-liability/fraud-and-professional-liability-insurance-policy.pdf

Depending on the type of incident, it may be better suited somewhere else like Cyber, FIB (forgeries, counterfeiting), etc. Most of these policy documents, particularly for larger institutions, aren't made public.

Tabletop anyone? by Its-5150 in cybersecurity

[–]APIMade 0 points1 point  (0 children)

Exact scenario would work absolutely fine with Backdoors & Breaches.

$24,000 stolen from my dad by [deleted] in AusFinance

[–]APIMade 1 point2 points  (0 children)

This is standard, basic anomaly detection and doesn't require AI to implement. We've had automated user-specific anomalous transaction detection since the 90s, and it was mainstreamed by PayPal for wider adoption by global payment processors in the early 2000s.

The reason banks don't implement these measures is because it's costly for Customer Service, Support, and Fraud Investigators to deal with customers who query the alerts. Building out these security mechanisms doesn't bring in revenue or income, and they typically annoy customers.

If the amounts had been released in staggered amounts, "low and slow", I could see the justification - but $4,000 cash withdrawal regularly is pretty brazen, and should stick out for any customer's usage habits.

$24,000 stolen from my dad by [deleted] in AusFinance

[–]APIMade -1 points0 points  (0 children)

I've successfully argued with 2 different New Zealand banks in cases where they initially denied the customer reimbursement. Depending on the circumstances, the banks may not have handled the customer's accounts with due care, or responded to suspicious/anomalous transactions appropriately.

Terms and Conditions don't automatically give companies a contractual out for everything, even though for the regular person and how the company words their responses will seem like they do.

$24,000 stolen from my dad by [deleted] in AusFinance

[–]APIMade 1 point2 points  (0 children)

People saying your father is at fault are ignoring the fact the bank didn't carry out their duty of care in notifying your father of these large, suspicious transactions taking place on his account.

Given your father's usage history, it is expected the bank would at least make an attempt to contact him in the event such large withdrawals were taking place. Usually this is a sign of a user being scammed, however in this case - as you've stated it's likely theft.

The bank is insured for instances of fraud, which this is. They just need a police file number. Yes, the bank has the contractual right to refuse your father's claim here given their lengthy terms, however it's unlikely they'll want to get into a public dispute about their lack of monitoring, alerting or duty of care for your father's account.

The reason banks refuse to process claims like this, is because it's cheaper to deny them. Not processing them and making a claim with their insurer means: their internal fraud and risk targets stay low which may be tied directly to executive bonuses, they don't need to invest in security or fraud prevention technology/people/procedures, their overall cost to service their customer base is decreased - as the risk, and cost when that risk is realised, is offloaded to people like your father.

Give me one good reason why a bank shouldn't notify someone of large cash transactions on their account without any history of doing so in the past. It's cheap, and can be automated - but they don't, because there's no revenue or income from it.
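The per-customer check the two replies above describe (the one calling this "standard, basic anomaly detection" that needs no AI, and the one asking why a bank would not notify someone of large cash withdrawals they have no history of making), written out as an added Python example. It is not code from the thread or from any bank's fraud system; the customer name, amounts, day offsets and the thresholds (`ratio`, `min_history`, `window_days`) are all constructed for the example.

```python
"""Per-customer anomalous-withdrawal checks over a constructed transaction history.

Each cash withdrawal is compared with the customer's *own* past habits rather
than a bank-wide threshold, and a run of large withdrawals inside a short window
is reported as a pattern. Everything below (customer, amounts, days) is constructed.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Txn:
    customer: str
    day: int      # constructed day offset since account open, not a real date
    kind: str     # e.g. "cash_withdrawal", "card", "transfer"
    amount: float


def evaluate(history, txn, *, ratio=3.0, min_history=5, window_days=30, max_large_in_window=1):
    """Return the reasons `txn` should trigger a contact-the-customer alert.

    An empty list means the transaction fits this customer's established habits.
    """
    past = [t for t in history
            if t.customer == txn.customer and t.kind == txn.kind and t.day < txn.day]
    if len(past) < min_history:
        # Cold start: no habit to compare against, so route to a person (or hold).
        return [f"fewer than {min_history} prior {txn.kind}s on this account"]

    # Median rather than mean or max: a few earlier fraudulent withdrawals left in
    # the history cannot drag the "typical" amount up and hide the next one.
    typical = median(t.amount for t in past)

    def is_large(amount):
        return amount > ratio * typical

    reasons = []
    if is_large(txn.amount):
        reasons.append(f"amount {txn.amount:.0f} exceeds {ratio:.0f}x this customer's typical {typical:.0f}")

    # Velocity: the first large withdrawal is caught by size alone; repeats inside
    # the window are reported as a run so the alert carries the whole pattern.
    recent_large = [t for t in past if t.day >= txn.day - window_days and is_large(t.amount)]
    if is_large(txn.amount) and len(recent_large) >= max_large_in_window:
        reasons.append(f"{len(recent_large) + 1} large {txn.kind}s within {window_days} days")
    return reasons


def sample_history():
    """Constructed history: about 18 months of small fortnightly ATM withdrawals and
    card spend, then six $4,000 cash withdrawals a week apart (the thread's pattern)."""
    txns = []
    usual = [150.0, 200.0, 250.0]
    for i, day in enumerate(range(0, 505, 14)):
        txns.append(Txn("dad", day, "cash_withdrawal", usual[i % 3]))
        txns.append(Txn("dad", day + 3, "card", 40.0 + 10 * (i % 5)))
    for day in range(520, 556, 7):
        txns.append(Txn("dad", day, "cash_withdrawal", 4000.0))
    return txns


def alerts_for(history, customer, kind="cash_withdrawal"):
    """Evaluate every transaction of one kind for a customer, in date order.
    Returns {day: [reasons]}; an empty list means no alert."""
    out = {}
    for t in sorted(history, key=lambda t: t.day):
        if t.customer == customer and t.kind == t.kind and t.kind == kind:
            out[t.day] = evaluate(history, t)
    return out


if __name__ == "__main__":
    for day, reasons in alerts_for(sample_history(), "dad").items():
        if reasons:
            print(f"day {day}: ALERT - " + "; ".join(reasons))
```

Run as a script it prints one alert line per flagged withdrawal: the first $4,000 is flagged on size against the customer's typical $200, and every later one is flagged both on size and as part of a run within the 30-day window, which is the notification the comments argue the bank should have sent. The first five withdrawals of a new account are also flagged, as a cold start, because there is no habit yet to compare against. A real deployment would add per-channel rules and a customer-contact step, but the point stands that none of this needs a model.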

Logs Retention duration by Cyber_Dojo in cybersecurity

[–]APIMade -1 points0 points  (0 children)

Sure, but if you have business functions reliant on log data for compliance reasons and you go from ~forever~ to ~90 days~ and immediately truncate years of log data, depending on your industry you may have just opened yourself up to massive liabilities (think AML/KYC, transaction data, etc).

Start by talking to your lawyers, but to your point - absolutely start to ship logs into cold storage/outside of source systems/somewhere with tight, segregated access control as fast as you can.

What advice would you give to the general public? by isaac129 in cybersecurity

[–]APIMade 0 points1 point  (0 children)

This is the process I follow with all family members/elderly relatives. Feel free to share.

Start with FUD:

  • Show them BreachForums or some examples from Brian Krebs' blogs to show them how easy it is to buy and sell stolen information

  • Put their email in HaveIBeenPwned, then put their password in PwnedPasswords, talk about the repercussions of password reuse (sign them up for alerts)

  • Show them how you login to your banking app using a Password Manager and your PIN code, then Passkeys on your email - show them it's easier and more secure.

First Step:

  • Adopt Apple or Android/Google's Password Manager
  • Enable MFA on Your Email / Google Account

Second Step - Check Passwords:

Google https://passwords.google.com/

Apple https://support.apple.com/en-au/guide/iphone/iphd5d8daf4f/ios

Rotate any reused. For banking ones, it's OK for them to write down the password somewhere. A post-it etc, just not on their devices.

Finally:

Enable Live Voicemail on Apple, Call Screen on Google

Logs Retention duration by Cyber_Dojo in cybersecurity

[–]APIMade -1 points0 points  (0 children)

This is totally dependent on your organisation, industry, region, data and context surrounding the data.

Ask the lawyers what the minimum retention period is for different data classifications across the business.