Transcript
of threats that get blocked, they never ever get to people's inboxes, it's gone up, even though the volume has surged significantly.

Sumit Dhawan is the CEO of Proofpoint, joining us for a second year in a row here on the ground in San Francisco. Nice to see you again. Thanks for joining us.

Well, thanks for having me, J.D.

You've recently acquired Acuvity. You've also launched Proofpoint AI Security. What problem are you solving as enterprises rush into both generative as well as agentic AI?

Well, you know, agentic AI creates a huge productivity for people. We know that. We're all somehow using it today in our, what I call, agentic workspace. And in that, there is a significant increase in the surface area for risk for the enterprise. AI is supposed to mimic humans, artificial intelligence. So, just like humans, it can be socially engineered. We call it prompt engineering. Just like humans, it can lose data. So, what we are doing with AI security, which is built on top of the company we acquired called Acuvity, is creating an intent-based protection and guardrails for AI. Just like humans, you need to assess what is the intent for AI and does it align with the purpose they were designed for. And AI, unlike other systems, works in a non-deterministic way. You ask it a question, it won't always follow the same pattern to get an answer. So, you really need to assess the intent using AI to make sure that it's not drifting from the purpose that the AI agents were built for. And that's what AI security from Proofpoint does.

Do more AI agents mean more risk? And where do you see the biggest vulnerabilities continue to emerge?

More AI agents, or I should say AI in general, definitely means more risk. Every new agent doesn't need to create new AI risk if you have the right guardrails in place. You can't add the guardrails per AI agent. It's nearly impossible. You want to democratize the creation of AI agents. More and more business workflows need to have AI agents for every enterprise. So, as a result, you need a platform to ensure that you have the right guardrails. Now, that's what Proofpoint provides. That's what AI security platform and the solution that we announced last week is supposed to give our customers. It's supposed to give customers for the threats that are coming in to target these AI. People who are issuing attacks on AI that are supposed to prompt engineering them, you know, by exploiting AI, by issuing communication with AI that builds a context and makes AI do things that it's not supposed to do. Or AI not knowing how and who to share data with and making sure that AI have these guardrails, otherwise data can be exfiltrated. Those are the attacks that we are starting to see come on AI. And AI security provides the guardrails that ensures AI is protecting the enterprise information and is not vulnerable to these attacks.

There's much more of a conversation now happening about the ways that AI is somewhat lowering the barrier to cybercrime. Are we seeing attacks themselves become increasingly more democratized?

Definitely. We are now seeing in certain countries and regions almost two to three x more attacks year over year. And they are sophisticated. So you can tell that language is no longer a barrier for threat actors. You know, in Japan, in the Middle East, in Korea, all of a sudden we're seeing a surge in the volume of highly sophisticated attacks. Secondly, we're seeing even in countries where we've always had pretty sophisticated attacks, like in the U.S. or western part of Europe, we're seeing 30-40 percent increase. We know for sure this is sophisticated threats. We know for sure that there aren't 30-40 percent more threat actors. And so all of these now used to be if I have to get a social engineering attack on you, JD, I would have to put someone has to study you, what your patterns are and who you're communicating with, collaborating with. That's no longer the case. AI agents can study all that and to some extent even go two steps further, create an attack and issue an attack and have a conversation with you.

Now that the threat actors themselves are using and scaling AI, to your point, in much more effective ways, how does Proofpoint now on the other side of this equation use AI to defend against those increasing threats?

We saw the pattern, I would say about two to three years ago, where we started seeing these threats evade our system. We were starting to see customers saying, you know what, our models, which have always been ML-based models, but they are semantic models. They sort of look at patterns. We saw that these more and more threats were coming in. We had to adopt in our own solutions language models. It's been about 18 months now we have adopted language models as part of protection, which are again detecting the intent of the communication, comes back to the intent-based protection that Proofpoint has always offered. And these models can actually, you can rewrite a threat in any ways, you can write it in any language. Our language models are defending and our efficacy of protection, which is the percentage of threats that get blocked, they never ever get to people's inboxes. It's gone up, even though the volume has surged significantly higher.

This is the most important question with regards to the careful balance, the equation, is AI ultimately a bigger threat multiplier or a defensive advantage in the ecosystem of cybersecurity?

Well, I think, unfortunately, I have to say it's going to be a cat and mouse game with AI. There is no other way out because AI agents are going to continue to, we haven't yet seen the pace and the speed at which these AI agents would issue attacks. And we haven't seen the exploitation of the risk of AI that enterprise ends up creating. It's just a different technology. So I feel that we are still in the early stages of making sure that you're getting the best possible defenses against AI-based threats, as well as AI acting as insider risk. The good news is that we kind of know that these are languages and behaviors that you have to protect against. We've done that for humans. And now AI acts as a savior and defender against all of this potential increased risk that has been created. And that's kind of the mission for Proofpoint. We're extending what we have done using language models to protect humans, to now extend it to protect human and AI, even though the threat surface area increases.

Finally, the arms race itself sounds as if it is rapidly accelerating. Give me some sense about what comes next for Proofpoint in that ongoing battle.

Well, I have to say, this AI has created something exciting for me and for Proofpoint because Proofpoint has always been this incumbent and a leader in terms of protecting against bad guys and continuing to extend our solutions. And we have extended our platform gradually as the threat landscape has evolved. I think with this whole emergence of AI, especially as enterprises adopt AI and that risk surface area grows, the technology and the sophistication of our solution is growing. I'm really excited about this AI security solution. It's an extension of our platform, bringing intent-based models to both humans and AI. And I think this is going to keep us busy in the next 18 months or so, so that we can provide our customers one solution for collaboration, data, and AI security. And they all have to work together anyways. People have to work with data and AI. And so this needs to be protected as a singular solution that works on protecting the intent of human and AI. And to me, that's an exciting journey, which is changing and evolving at a really rapid pace. So I'm having a ton of fun with it, and I think that's going to keep us busy.

Sumit, it's great to see you again. Thanks for sitting down with us once again here at RSA in San Francisco. Nice to see you.

Well, thanks for having me.