0:00
/
Generate transcript
A transcript unlocks clips, previews, and editing.

🎙️ Ground Level AI Podcast | Joshua Saxe on AI security, Meta, and the cyber threats that actually matter

Former Meta Llama security lead and Abundant Security cofounder Joshua Saxe explains why the biggest AI security risks may not be the ones making headlines—and why defenders need access to frontier AI

Welcome to the first episode of the Ground Level AI Podcast! I’m excited to offer up thoughtful conversations with AI leaders with a strong focus on what happens when AI meets the real world. From AI infrastructure and cybersecurity to enterprise adoption, policy, geopolitics and the workforce, we'll explore where the technology collides with reality.

My first guest is Joshua Saxe, cofounder and CTO of Abundant Security and the former engineering lead for Llama security at Meta. I've been writing about AI security for several years, and lately it's become one of the hottest topics in AI, driven by concerns about increasingly capable models like Anthropic’s Mythos; worries about autonomous cyber attacks; and growing fears over what AI could mean for critical infrastructure and national security.

NOTE: check out 19:01. The subtitle is pretty funny!

Here’s an edited transcript if you want to read instead:

Edited for length and clarity. Joshua Saxe is Cofounder & CTO of Abundant Security and formerly led AI security engineering for Llama at Meta.


On working in AI security from Wichita, Kansas

Sharon Goldman: Before we get into AI and security, AI and society, AI and capabilities — you live in Wichita, Kansas. That would surprise a lot of people. You’re not in Silicon Valley. Have you always worked from Kansas?

Joshua Saxe: No — I’m from California, grew up in LA. My wife is a humanities academic, and since I met her fifteen years ago I’ve been following her around because it’s hard to get a job as a humanities PhD. We ended up in Kansas because she got a job at the university art museum. We’ve got two kids here now — I’m definitely a Kansan at this point.

Sharon Goldman: What’s it like working at the forefront of AI while being so far from Silicon Valley? Does it feel strange, or is it actually an advantage?

Joshua Saxe: It’s basically really nice. My work has always been intense, but since ChatGPT launched, the whole AI world has gotten intense — I was at Meta in 2022 when that happened, and I was completely consumed working on large language models, probably 60 hours a week if you count all the reading and thinking. It’s nice to work from home so that every time I step out of my office, I can see my family, and to be around people who have no idea what I do — a community of friends who aren’t in tech. Kansas is much more “you work to pay the bills and then you have a life,” which is different from Silicon Valley. It’s a good balance.

When I go to SF and see all the billboards touting enterprise AI, it does feel like an alternate universe. I think working in AI security — which people often put under the umbrella of AI safety — it’s nice to be in contact with regular people who feel like they’re downstream of the societal effects of AI. Out here, people feel like AI is tech’s next experiment being run on them. Staying in touch with that perspective grounds me.

Sharon Goldman: Do you reassure them, or just let them have their feelings?

Joshua Saxe: I don’t reassure them. Sometimes I feel like a bit of a lightning rod at dinner parties, especially when I was at Meta — nobody likes Meta.


Leaving Meta to found Abundant Security

Sharon Goldman: You were at Meta for three or four years, since summer of 2022, and left a few months ago to start Abundant Security. What made you leave, and what were you looking to build?

Joshua Saxe: It was hard to leave my old job and hard to leave big tech — I thought about going to one of the other AI labs instead. But I wanted, once in my career, to try starting something totally from scratch, partly just to have that experience before I get too old and tired to do it. I’ve also worked in cybersecurity my whole professional life, and right now feels like the most opportune time to do a security startup, because the whole field is being turned upside down by AI. There are things you can’t do at a startup because you’re small, but there are things you can do because you can move fast — things I felt I would have been frustrated not being able to do inside a large company.


Why he thinks restricting Mythos and Fable was the wrong call

Sharon Goldman: I’ve been reading your Substack, and one recent post really stuck with me. You wrote about what happened with Anthropic’s Mythos and Fable models — the government stepping in to say “we need to shut this down,” after a jailbreak was found — and you argued that’s actually the wrong move for the U.S.: that the opposite is true. Can you explain that thesis?

Joshua Saxe: Mythos is one of many models out today that can find vulnerabilities in software and help exploit them — it may be the best model for that, though GPT‑5.6, which just came out, might be better; I’m not sure. But it’s top-tier. The government decided Mythos was especially dangerous and initially didn’t allow Anthropic to release it, and when they did, it was released in a heavily guardrailed way that makes it hard to use for cybersecurity defense. Mythos and Fable are the same underlying model, just guardrailed differently. Even now, if you ask Fable something as simple as “help me port-scan my own network to check what’s open” — a routine task for an IT security person — it’ll likely say no.

I think denying Anthropic the ability to release this model for real defensive use is bad, even though it’s true that doing so denies attackers access to it. There are a few problems with that framing:

First, attackers already have access to good open-weight models they can run on their own infrastructure that can find vulnerabilities in software. Fable is better, but attackers have real reasons not to rely on it heavily — using it means handing their data to Anthropic, which has a close relationship with the FBI and NSA. Even if they get away with it initially, they risk showing up in logs and being tracked down, or, if it’s nation-state activity, giving away intelligence about how they operate. So I think attackers will lean on open-weight models rather than the frontier Anthropic and OpenAI models.

Second — even setting monitoring aside — if attackers and defenders had equal access, defenders still have the advantage of being able to find and fix bugs before shipping. In an ideal world, every software organization would use these models to catch bugs before release, and we’d be much more secure. There are also simply more defenders than attackers, and they have more money to spend on tokens.

Sharon Goldman: So to sum up: attackers would likely just use an open or Chinese model that’s good enough for their purposes anyway, while denying defenders access to the top models like Mythos and Fable stops defenders — who are already behind on finding and patching vulnerabilities — from catching up.

Joshua Saxe: Right. And the counterargument people raise is: sure, in an ideal world defenders would move first, but in reality defenders move more slowly than attackers, so it’s not good that these powerful models are broadly available. I think the way to build confidence in an answer is to actually look at how attackers and defenders have behaved so far. Capabilities that are potentially useful to attackers have been available since 2022–2023 — since GPT‑3.5 and definitely since Llama 3, we’ve had Turing-test-passing chatbots available to attackers — and we haven’t seen a “sky is falling” moment. In the apocalyptic scenario, attackers would adopt these models en masse and there’d be a near-vertical jump in scams and fraud. But scam and fraud losses have just climbed steadily over the last six years since the pandemic, with no visible inflection point tied to any LLM release.


Why AI hasn’t produced a headline-grabbing hack — yet

Sharon Goldman: Why do you think that is? Every release, there’s real anxiety that attackers are about to take over and fraud is going to spike. Why hasn’t there been a single headline-making hack?

Joshua Saxe: This isn’t my deepest area of expertise, but I’ll share what I know. For scams and fraud specifically — take pig-butchering scams, which are long cons run by organized criminal enterprises, often operating call centers in parts of the developing world, targeting elderly or isolated people: they draw the victim in, build a relationship, and slowly empty their bank account. LLMs are useful there — smoothing out language for non-native speakers running the con, and AI image generators help fake a convincing persona. But there are other bottlenecks to scaling those operations that have nothing to do with language quality or photos: payment rails (laundering money in ways that are hard to trace is still hard), and people — many of the workers running these scams are trafficked and forced into it, which is itself a bottleneck LLMs don’t remove.

On the cyberattack side specifically — a headline hack, not fraud — I don’t find the absence that surprising. People sometimes assume that because Mythos can find bugs, that leads directly to a catastrophic hack, but that’s not how the causality works. Say there’s a zero-click bug in WhatsApp or Signal — I message you and suddenly have access to your laptop. That alone doesn’t get an attacker to a catastrophic goal. Now I have user-level access, but I still need to find the sensitive documents, move laterally to an administrator machine, get past additional security guardrails and monitoring, possibly find more exploits, possibly use social engineering. There’s a public misconception that finding the bug is basically the same as bringing down an organization or the government. That’s just not how cybersecurity actually works.


What actually worries him

Sharon Goldman: What does keep you up at night?

Joshua Saxe: On the security side, I do think attacker adoption of AI is going to be a big deal, with dangers that are hard to predict right now. Very few people in 2005 predicted ransomware would be a multibillion-dollar industry by 2020 — that emerged less from security innovation and more from the combinatorial effect of cryptocurrency making it viable. I think AI could similarly enable new attack business models we haven’t seen yet, and it’s reasonable to be concerned about that. Existing actors — nation-states, ransomware gangs, pig-butchering operations — will all adopt AI, but I wouldn’t expect them to adopt it faster than Deloitte or Accenture or the New York Times, who are all slowly walking their own adoption curves. So I think it’ll be slower than the catastrophic headlines assume — but five years from now, they’ll all be using it, so defenders have to as well.

Sharon Goldman: I wrote about the JadePuffer attack recently, and one expert I spoke to said he found it more concerning than Mythos-style bug-finding, because it used known, almost old-school vulnerabilities — but the AI was able to chain them together on its own, cheaply. Is that the kind of thing that worries you?

Joshua Saxe: I saw the JadePuffer reporting but haven’t dug into the details yet. My understanding is a large language model was used agentically to carry out multiple steps along the attack kill chain. That’s a much bigger concern to me, honestly, than bug-finding alone. If you’ve used something like Claude Code or OpenAI Codex, you’ve seen an agent execute shell commands, open websites, test code, and work for hours autonomously toward a long-range software engineering task. About 80% of those skills overlap directly with what’s needed to break into a network and accomplish something once inside. Today’s LLMs can already automate much of that. We haven’t seen attackers adopt this at scale yet — Anthropic published an example of a Chinese threat group doing some of this — but I expect large-scale adoption of this kind of behavior within the next year or two. It will make attacks easier and more frequent.


Why cybersecurity people are less panicked than you’d expect

Sharon Goldman: Whenever I talk to security people about AI, I’m struck that you all seem pretty calm about it, compared to some of the rhetoric out there.

Joshua Saxe: I think there’s a dynamic where AI experts who aren’t experts in other domains assume those domains are trivial — “cybersecurity is just finding bugs and exploiting them” — so it must be easy to automate. The classic example is Geoffrey Hinton predicting in 2016 that radiologists would all be replaced within a couple of years. He’s brilliant and a real AI expert, but I doubt he’d spent time doing an ethnography of a hospital to understand what radiologists actually do. I think there’s a similar dynamic among AI-safety researchers at the labs — an assumption that cybersecurity reduces to a few tasks AI happens to be good at, and therefore a “cyber apocalypse” is imminent.

Sharon Goldman: When I started covering AI and cybersecurity a couple of years ago, there weren’t many people with real expertise in both fields — it was a small group. Is that changing?

Joshua Saxe: It’s starting to, though we could still use a lot more people with deep expertise in both. In roughly the last six to nine months — since Claude Opus 4.5 came out and Claude Code became popular around last Thanksgiving — there’s been an enormous shift in the security community. Security people heard “AI is a big deal” all through the 2010s and mostly rolled their eyes. I spent that decade working in machine learning and security, so I lived through plenty of that eye-rolling. Now, suddenly, nobody’s rolling their eyes anymore.

Sharon Goldman: What do you think security organizations still need to get right?

Joshua Saxe: We need to be more aggressive about reinventing how security work actually gets done inside organizations — companies, banks, federal, state, and local governments all have security teams with set structures and processes, and a lot of inertia that’s becoming a liability. Take alert triage: a product flags a possible compromise, and a human follows up to check if it’s real. We have very set ways of handling that today, and we need to radically rethink those processes as AI capabilities change — and keep rethinking them, because capabilities shift every six months. There’s a lot of conservatism in security, and a lot of people comfortable with the old way of doing things. Things need to move faster and at greater scale.

Sharon Goldman: I’ll be at Black Hat and DEF CON back to back in Vegas next month — my third time. It’s a fascinating alternate universe of security people. Given the last nine months, with Mythos and Fable making global headlines, what do you expect the hallway chatter to be about?

Joshua Saxe: I’ve gone every year for a long time. A few years ago — 2023 — I gave a talk at DEF CON’s AI Village, which back then was a small side track next to the main conference. The line to get in was so long that people stood for two hours waiting for a turn, cycling in and out. That was the transition point for me. Now I just expect every talk at these conferences to be about AI — that’s basically all people in security talk about now.


On Meta’s comeback and the state of the model race

Sharon Goldman: You led AI security engineering for Llama at Meta — is that right?

Joshua Saxe: Yes. The way it’s structured, there’s typically an engineering lead and a product lead for something like that. I was the engineering lead for Llama security; Spencer Whitman was the product lead.

Sharon Goldman: What do you make of Meta’s latest release, which isn’t open-weight the way Llama was? Have you tried it, and what do you think about how things have shifted there?

Joshua Saxe: I tried an earlier version but haven’t tried yesterday’s update yet. On a personal level, I’m happy for my old friends there — the Llama 4 launch was, I think it’s fair to say publicly, disappointing. Everyone I worked with was pulling 60–70-hour weeks leading up to it, and the outcome didn’t match the effort. So this feels like a real comeback story on a personal level.

As an outside observer now, I’d say this latest launch put Meta back on the map — they could have done better, but I think it’s put them roughly on par with Google, maybe passed them; I’m waiting to see the full evaluation results. Probably sixth or seventh among frontier labs overall right now. What matters is whether the next release keeps advancing. If they can close the gap with OpenAI and Anthropic, I think that snowballs — it helps with retention, which has been a real problem. A lot of my old colleagues have left for other labs. As soon as a lab is perceived as losing the race, it loses talented people, because everyone in AI wants to be close to the frontier.


Inside Abundant Security

Sharon Goldman: Tell me about Abundant Security — you’ve said you’re coming out of stealth. What’s the actual product?

Joshua Saxe: The core problem we’re going after is that any sufficiently large organization is sitting on an enormous amount of unpaid security debt. By security debt, I mean things like web servers still running unpatched software from 2012, login portals without two-factor authentication, firewall admin panels that anyone could brute-force. There are a million things like that. We’ve worked with early customers, and honestly it’s appalling how many obvious gaps even sophisticated organizations have. Take a large research university that’s existed since the early internet — literally hundreds of thousands of internet-exposed machines, many of them ancient, any one of which could be a foothold for lateral movement across the network.

We’re not chasing novel bugs or the sexy, hard-to-find vulnerabilities. We’re automating the process of burning down that mountain of accumulated security tech debt — which we think is exactly the inflammable material that agentic AI-driven attacks will target first, because attacker automation is going to go after the low-hanging fruit before the harder targets.

Sharon Goldman: How does AI actually do that?

Joshua Saxe: The platform maps an organization’s infrastructure and codebases, but importantly, also its people — building a network representation of the whole socio-technical structure: who works on what, who’s responsible for which servers, codebases, and products, which individual engineer controls the configuration file that’s exposing a security risk. Once we have that map, AI agents identify the most important issues — both by severity and by likelihood of being exploited — and then reach out to the people who can fix them, largely automating the fix itself while getting a human’s confirmation and approval along the way. That’s a fundamentally different workflow than how this is typically done. In my experience as a security person at large companies, this whole process is slow, manual, and not AI-driven today.

Sharon Goldman: I’d guess it’s not just slow — it’s work people don’t actually want to do.

Joshua Saxe: Exactly — it’s one of the more thankless parts of working in a security organization. At most companies, security might be 3% of headcount, product 40%, and IT bigger still. Your job as a security person is often to find problems you’re not actually allowed to fix yourself. You find the issue, then go tell a product manager, “I know you need to ship Tuesday, but can this wait two days?” — and they may or may not listen. Maybe they ship anyway, and you spend the next two quarters nagging them weekly. You’re accountable for getting it fixed, but you’re not the one who can actually fix it. A lot of security work is just juggling twenty open chat threads nagging people. It’s a big part of why so many security gaps stay open. We want to automate that nagging process — and also make people less “naggable” in the first place by making fixes genuinely easy.

Sharon Goldman: There are a lot of AI security startups right now. It feels like there’s just an enormous surface area of problems, with everyone attacking it from a different angle.

Joshua Saxe: It really does feel like the best time to start an AI security company — except that everyone else sees that too, so there are a huge number of us. Not all of us will succeed; that’s just the nature of doing a startup.

Sharon Goldman: How’s founder life treating you so far?

Joshua Saxe: The best part is building exactly what we want, quickly, with none of the bureaucracy or stakeholder alignment you’d deal with at a big company. It also helps that my co-founders and I have been in this industry a while — we know CISOs who want to work with us, so we’re not starting from zero; we already have companies we’re working with. The downside is the obvious startup risk — will it work out — but there’s also a different kind of risk if you care about impact: if it doesn’t work out, counterfactually I’d have been better off staying at a big AI lab, shipping and securing software for billions of people.

Sharon Goldman: You mentioned a lot of your friends did go to the other labs. What’s the vibe among them?

Joshua Saxe: Everybody is working incredibly hard right now — this is an all-consuming moment to be in AI. There’s almost an eschatological feeling around it all the time: this is the most important invention since fire, but it might also be the thing that kills everybody. And professionally, it’s also the most important moment in a lot of our cybersecurity careers. I think everyone who’s passionate about this field feels that right now.

Sharon Goldman: That’s almost reassuring — if people elsewhere in tech worry AI is going to take their jobs, it sounds like the opposite is true in cybersecurity.

Joshua Saxe: Pretty much. There are very few people in security — the artisanal bug-hunters who used to find things manually — who genuinely believe they’re going to lose their jobs to this. There’s some gallows humor about it, but I don’t think anyone really believes it. They might miss manual bug-hunting specifically, but there’s plenty else to do. We’re all going to have jobs.

Sharon Goldman: Joshua Saxe, thank you so much. This was great — I could talk for another hour.

Joshua Saxe: Thanks so much, Sharon. I was honored to be the first guest, and I’m looking forward to watching where you take the podcast.

Discussion about this video

User's avatar

Ready for more?