The Human Aspect of Red Teams - Brian Fox, Tom Tovar, T. Gwyddon 'Data' Owen - ASW #379

In this episode of Application Security Weekly, host Mike Shima welcomes back Brian Fox, Tom Tovar, and T. Gwyddon 'Data' Owen to explore the human-centric aspects of red teaming and the evolving role of AI in cybersecurity. Data Owen shares his extensive experience from the Air Force cyber warfare domain, emphasizing that red teams are not just about finding vulnerabilities but about simulating real-world adversaries to test organizational resilience. He highlights the importance of psychological manipulation in social engineering attacks, using real-world examples from his time on Guam, and stresses that successful red teaming requires top-down buy-in, clear objectives, and post-engagement education. The conversation shifts to how AI and LLMs are transforming red team operations—accelerating threat modeling and phishing campaign creation—while also introducing ethical risks if used without guardrails. The episode concludes with insights from Brian Fox and Tom Tovar on agentic AI in cybersecurity, where autonomous agents can perform repetitive security tasks like mobile app hardening, enabling organizations to scale defenses without increasing headcount. The overarching theme is that security is not just technical but deeply human, requiring communication, trust, and a shift in mindset from 'us vs. them' to 'we're all on the same team'. Key takeaways include: 1) Red teaming is most effective when it’s psychologically grounded and aligned with organizational goals; 2) Top leadership must authorize and support red team activities to ensure credibility and impact; 3) The most valuable red team outcome is not just finding flaws but driving behavioral and process change; 4) AI and agentic workflows can level the playing field for smaller organizations by automating complex security tasks; 5) Human communication and awareness are the strongest defenses against social engineering; 6) Organizations should treat AI as a force multiplier, not a replacement, and integrate it with real-time data to prevent hallucinations and false confidence; 7) The future of security lies in combining human judgment with machine scalability; 8) Trust and transparency in AI use are critical to avoid unintended consequences and maintain organizational integrity.