<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:media="http://search.yahoo.com/mrss/" xmlns:podcast="https://podcastindex.org/namespace/1.0">
  <channel>
    <atom:link href="https://feeds.simplecast.com/NKmLKfWM" rel="self" title="MP3 Audio" type="application/atom+xml"/>
    <atom:link href="https://simplecast.superfeedr.com" rel="hub" xmlns="http://www.w3.org/2005/Atom"/>
    <generator>https://simplecast.com</generator>
    <title>The Tabletop</title>
    <description>CISOs spend careers preparing for incidents they hope never happen. Here&apos;s what it looks like when one does.

Each episode of The Tabletop puts a security leader into a high-stakes, tabletop exercise—complete with evolving injects, tough tradeoffs, and no idea whether the incident they&apos;re navigating is ripped from the headlines or completely fictional. At the end, they have to guess.

Fast-paced and hosted by Vanta&apos;s Khush Kashyap, The Tabletop is a rare, front-row seat to how the best security minds in the world actually think, prioritize, and make critical decisions under pressure.

It’s part game, part masterclass—designed to entertain, educate, and showcase the real-world complexity of modern security leadership.</description>
    <copyright>2025 Vanta</copyright>
    <language>en</language>
    <pubDate>Wed, 1 Jul 2026 07:00:00 +0000</pubDate>
    <lastBuildDate>Wed, 1 Jul 2026 11:14:21 +0000</lastBuildDate>
    <image>
      <link>https://the-tabletop.simplecast.com</link>
      <title>The Tabletop</title>
      <url>https://image.simplecastcdn.com/images/9af9fba1-837c-4059-ab78-af95721786d7/6d1eb62a-0b05-4df6-8d87-d005b919bb52/3000x3000/vanta-thetabletop-cover.jpg?aid=rss_feed</url>
    </image>
    <link>https://the-tabletop.simplecast.com</link>
    <itunes:type>episodic</itunes:type>
    <itunes:summary>CISOs spend careers preparing for incidents they hope never happen. Here&apos;s what it looks like when one does.

Each episode of The Tabletop puts a security leader into a high-stakes, tabletop exercise—complete with evolving injects, tough tradeoffs, and no idea whether the incident they&apos;re navigating is ripped from the headlines or completely fictional. At the end, they have to guess.

Fast-paced and hosted by Vanta&apos;s Khush Kashyap, The Tabletop is a rare, front-row seat to how the best security minds in the world actually think, prioritize, and make critical decisions under pressure.

It’s part game, part masterclass—designed to entertain, educate, and showcase the real-world complexity of modern security leadership.</itunes:summary>
    <itunes:author>Vanta</itunes:author>
    <itunes:explicit>false</itunes:explicit>
    <itunes:image href="https://image.simplecastcdn.com/images/9af9fba1-837c-4059-ab78-af95721786d7/6d1eb62a-0b05-4df6-8d87-d005b919bb52/3000x3000/vanta-thetabletop-cover.jpg?aid=rss_feed"/>
    <itunes:new-feed-url>https://feeds.simplecast.com/NKmLKfWM</itunes:new-feed-url>
    <itunes:keywords>compliance,cybersecurity,risk management,saas,technology,trust</itunes:keywords>
    <itunes:owner>
      <itunes:name>Vanta</itunes:name>
      <itunes:email>meredith@caspianstudios.com</itunes:email>
    </itunes:owner>
    <itunes:category text="Business"/>
    <itunes:category text="Technology"/>
    <item>
      <guid isPermaLink="false">17f8f08d-ef3e-44ac-a5fe-f6e0f9fe0100</guid>
      <title>Alex Stamos has 23 minutes to stop an AI chatbot leaking data (Live Tabletop Exercise)</title>
      <description><![CDATA[<p>What does a security leader actually do when an AI chatbot starts confidently revealing customer data that was never supposed to see the light of day? In the debut episode of The Tabletop, Alex Stamos takes the hot seat and shows us in real time.</p>
<p>Alex has spent his career at the intersection of security and the hardest problems in tech—Chief Security Officer at Yahoo, Facebook, and SentinelOne, founder of the Stanford Internet Observatory, and now Chief Product Officer at Corridor, a startup focused on the security and safety of AI coding agents. If anyone knows what it looks like when AI ships faster than security can keep up, it’s him.</p>
<p>In this episode, host Khush Kashyap drops Alex into a fictional scenario: He’s roleplaying the CISO at Buzzmatrix, a fictional 400-person AI SaaS company with a lean security team and no in-house incident response. Late on a Friday, the VP of Marketing pushes a new AI chatbot live without security review. By Monday, customers are posting screenshots of the bot serving up order histories, account details, and support summaries—some real-looking, some hallucinated. Across a series of escalating injects, Alex has to decide what to take down, who to wake up, when to bring in legal, and what he owes customers.</p>
<p>Alex walks through engaging outside counsel, the GDPR clock, forensic vendor management, and the leverage a CISO actually holds over an uncooperative vendor. Along the way, he makes the case that the existential threat in most incidents isn’t the lawsuit, it’s the erosion of customer trust. At the end, he renders his verdict: real incident or constructed fiction?</p>
<p><strong>Quotes</strong></p>
<p>“CISOs are all L, no P in the P&L, right? We don’t make any money. We just lose it.”</p>
<p>“You can turn what was a small mistake into a huge scandal if you end up putting out a statement that you have to retract.”</p>
<p>“The litigation risk is almost never existential. What is existential is the trust of your customers.”</p>
<p>“If those models have access to all customer data, and then you tell them in a prompt—only give Sally Sally’s data—you’re toast, because they are not built to be able to do that access control.”</p>
<p><strong>Time Stamps</strong></p>
<p>[00:00]  “Our lawyers will destroy you guys in court”</p>
<p>[00:46]  Welcome to The Tabletop: Meet Alex Stamos and Today’s Scenario</p>
<p>[01:06]  Setup: CISO at BuzzMetrics, a 400-Person AI SaaS Company</p>
<p>[01:24]  The Friday Launch: Marketing Ships an AI Chatbot Without Review</p>
<p>[02:11]  Inject One: The Screenshots: Real and Hallucinated Customer Data</p>
<p>[03:57]  Pull It Down or Assess First? Triaging the Marketing Bot</p>
<p>[04:27]  Inject Two: The Conversation: Customers Claim the Data Is Theirs</p>
<p>[05:03]  Why You Don’t Post Before Legal Signs Off</p>
<p>[07:10]  Do You Owe a Response When the Data Is Fictional?</p>
<p>[07:48]  Inject Three: The Training Set: Real Tickets, No Scrub, No Consent</p>
<p>[08:14]  Now It’s a Real Breach: Outside Counsel, Regulators, and the GDPR Clock</p>
<p>[10:52]  When Does the Investigation Itself Become a Liability?</p>
<p>[11:47]  Forensics Inside the Vendor and the Hugging Face Nightmare</p>
<p>[12:51]  Vendor Leverage: “You guys are showing up in our write-up”</p>
<p>[14:55]  Over-Legalization: Why Lawyers Shouldn’t Drive Incident Decisions</p>
<p>[15:29]  Litigation Risk vs. the Existential Risk of Lost Trust</p>
<p>[16:43]  Root Cause: Launch Calendars, Data Controls, and a Culture Not Paranoid Enough</p>
<p>[20:03]  The Wake-Up Call: Staffing a Product Security Team After an Incident</p>
<p>[20:15]  The Moment of Truth: Real Incident or Fiction?</p>
<p>[21:16]  Off the Table: The One Question to Ask Before AI Touches Customer Data</p>
<p>[21:32]  The Privilege Differential and Why You Can’t Trust AI Access Control</p>
<p><strong>Links</strong></p>
<p>Connect with the guest and host on LinkedIn!</p>
<ul>
 <li><a href="https://www.linkedin.com/in/alexstamos/" rel="noopener noreferrer">Alex Stamos</a></li>
 <li><a href="https://www.linkedin.com/in/khushbookashyap/" rel="noopener noreferrer">Khush Kashyap</a></li>
</ul>
<p>Learn more about:</p>
<ul>
 <li><a href="https://www.corridor.dev/" rel="noopener noreferrer">Corridor</a></li>
 <li><a href="https://pit.stanford.edu/university-organizations/internet-observatory/" rel="noopener noreferrer">Stanford Internet Observatory</a></li>
 <li><a href="https://www.vanta.com/" rel="noopener noreferrer">Vanta</a></li>
</ul>
<p>The Tabletop is by Vanta, the leading Agentic Trust Platform helping security leaders manage compliance, reduce risk, and prove their programs work—before the incident, not after. Learn more about Vanta: <a href="https://bit.ly/4y2XTQo" target="_blank" rel="noopener noreferrer">https://bit.ly/4y2XTQo</a>.</p><br/> <p>Hosted by Simplecast, an AdsWizz company. See <a href="https://pcm.adswizz.com">pcm.adswizz.com</a> for information about our collection and use of personal data for advertising.</p>]]></description>
      <pubDate>Wed, 1 Jul 2026 07:00:00 +0000</pubDate>
      <author>meredith@caspianstudios.com (Alex Stamos, Khush Kashyap)</author>
      <link>https://the-tabletop.simplecast.com/episodes/the-hallucinating-bot-with-alex-stamos-cpo-at-corridor-5RzGcxGg</link>
      <content:encoded><![CDATA[<p>What does a security leader actually do when an AI chatbot starts confidently revealing customer data that was never supposed to see the light of day? In the debut episode of The Tabletop, Alex Stamos takes the hot seat and shows us in real time.</p>
<p>Alex has spent his career at the intersection of security and the hardest problems in tech—Chief Security Officer at Yahoo, Facebook, and SentinelOne, founder of the Stanford Internet Observatory, and now Chief Product Officer at Corridor, a startup focused on the security and safety of AI coding agents. If anyone knows what it looks like when AI ships faster than security can keep up, it’s him.</p>
<p>In this episode, host Khush Kashyap drops Alex into a fictional scenario: He’s roleplaying the CISO at Buzzmatrix, a fictional 400-person AI SaaS company with a lean security team and no in-house incident response. Late on a Friday, the VP of Marketing pushes a new AI chatbot live without security review. By Monday, customers are posting screenshots of the bot serving up order histories, account details, and support summaries—some real-looking, some hallucinated. Across a series of escalating injects, Alex has to decide what to take down, who to wake up, when to bring in legal, and what he owes customers.</p>
<p>Alex walks through engaging outside counsel, the GDPR clock, forensic vendor management, and the leverage a CISO actually holds over an uncooperative vendor. Along the way, he makes the case that the existential threat in most incidents isn’t the lawsuit, it’s the erosion of customer trust. At the end, he renders his verdict: real incident or constructed fiction?</p>
<p><strong>Quotes</strong></p>
<p>“CISOs are all L, no P in the P&L, right? We don’t make any money. We just lose it.”</p>
<p>“You can turn what was a small mistake into a huge scandal if you end up putting out a statement that you have to retract.”</p>
<p>“The litigation risk is almost never existential. What is existential is the trust of your customers.”</p>
<p>“If those models have access to all customer data, and then you tell them in a prompt—only give Sally Sally’s data—you’re toast, because they are not built to be able to do that access control.”</p>
<p><strong>Time Stamps</strong></p>
<p>[00:00]  “Our lawyers will destroy you guys in court”</p>
<p>[00:46]  Welcome to The Tabletop: Meet Alex Stamos and Today’s Scenario</p>
<p>[01:06]  Setup: CISO at BuzzMetrics, a 400-Person AI SaaS Company</p>
<p>[01:24]  The Friday Launch: Marketing Ships an AI Chatbot Without Review</p>
<p>[02:11]  Inject One: The Screenshots: Real and Hallucinated Customer Data</p>
<p>[03:57]  Pull It Down or Assess First? Triaging the Marketing Bot</p>
<p>[04:27]  Inject Two: The Conversation: Customers Claim the Data Is Theirs</p>
<p>[05:03]  Why You Don’t Post Before Legal Signs Off</p>
<p>[07:10]  Do You Owe a Response When the Data Is Fictional?</p>
<p>[07:48]  Inject Three: The Training Set: Real Tickets, No Scrub, No Consent</p>
<p>[08:14]  Now It’s a Real Breach: Outside Counsel, Regulators, and the GDPR Clock</p>
<p>[10:52]  When Does the Investigation Itself Become a Liability?</p>
<p>[11:47]  Forensics Inside the Vendor and the Hugging Face Nightmare</p>
<p>[12:51]  Vendor Leverage: “You guys are showing up in our write-up”</p>
<p>[14:55]  Over-Legalization: Why Lawyers Shouldn’t Drive Incident Decisions</p>
<p>[15:29]  Litigation Risk vs. the Existential Risk of Lost Trust</p>
<p>[16:43]  Root Cause: Launch Calendars, Data Controls, and a Culture Not Paranoid Enough</p>
<p>[20:03]  The Wake-Up Call: Staffing a Product Security Team After an Incident</p>
<p>[20:15]  The Moment of Truth: Real Incident or Fiction?</p>
<p>[21:16]  Off the Table: The One Question to Ask Before AI Touches Customer Data</p>
<p>[21:32]  The Privilege Differential and Why You Can’t Trust AI Access Control</p>
<p><strong>Links</strong></p>
<p>Connect with the guest and host on LinkedIn!</p>
<ul>
 <li><a href="https://www.linkedin.com/in/alexstamos/" rel="noopener noreferrer">Alex Stamos</a></li>
 <li><a href="https://www.linkedin.com/in/khushbookashyap/" rel="noopener noreferrer">Khush Kashyap</a></li>
</ul>
<p>Learn more about:</p>
<ul>
 <li><a href="https://www.corridor.dev/" rel="noopener noreferrer">Corridor</a></li>
 <li><a href="https://pit.stanford.edu/university-organizations/internet-observatory/" rel="noopener noreferrer">Stanford Internet Observatory</a></li>
 <li><a href="https://www.vanta.com/" rel="noopener noreferrer">Vanta</a></li>
</ul>
<p>The Tabletop is by Vanta, the leading Agentic Trust Platform helping security leaders manage compliance, reduce risk, and prove their programs work—before the incident, not after. Learn more about Vanta: <a href="https://bit.ly/4y2XTQo" target="_blank" rel="noopener noreferrer">https://bit.ly/4y2XTQo</a>.</p><br/> <p>Hosted by Simplecast, an AdsWizz company. See <a href="https://pcm.adswizz.com">pcm.adswizz.com</a> for information about our collection and use of personal data for advertising.</p>]]></content:encoded>
      <enclosure length="22570309" type="audio/mpeg" url="https://afp-922686-injected.calisto.simplecastaudio.com/d84c0e76-9762-4026-a72b-28f5db7658a7/episodes/98069a63-74bd-46b1-8f86-6446be8e8039/audio/128/default.mp3?aid=rss_feed&amp;awCollectionId=d84c0e76-9762-4026-a72b-28f5db7658a7&amp;awEpisodeId=98069a63-74bd-46b1-8f86-6446be8e8039&amp;feed=NKmLKfWM"/>
      <itunes:title>Alex Stamos has 23 minutes to stop an AI chatbot leaking data (Live Tabletop Exercise)</itunes:title>
      <itunes:author>Alex Stamos, Khush Kashyap</itunes:author>
      <itunes:duration>00:23:30</itunes:duration>
      <itunes:summary>In this episode, host Khush Kashyap drops Alex Stamos, Chief Product Officer at Corridor, into a fictional scenario: He’s roleplaying the CISO at Buzzmatrix, a fictional 400-person AI SaaS company with a lean security team and no in-house incident response. Late on a Friday, the VP of Marketing pushes a new AI chatbot live without security review. By Monday, customers are posting screenshots of the bot serving up order histories, account details, and support summaries—some real-looking, some hallucinated. Across a series of escalating injects, Alex has to decide what to take down, who to wake up, when to bring in legal, and what he owes customers.</itunes:summary>
      <itunes:subtitle>In this episode, host Khush Kashyap drops Alex Stamos, Chief Product Officer at Corridor, into a fictional scenario: He’s roleplaying the CISO at Buzzmatrix, a fictional 400-person AI SaaS company with a lean security team and no in-house incident response. Late on a Friday, the VP of Marketing pushes a new AI chatbot live without security review. By Monday, customers are posting screenshots of the bot serving up order histories, account details, and support summaries—some real-looking, some hallucinated. Across a series of escalating injects, Alex has to decide what to take down, who to wake up, when to bring in legal, and what he owes customers.</itunes:subtitle>
      <itunes:keywords>tabletop, technology, b2b, saas, ciso, cybersecurity, security</itunes:keywords>
      <itunes:explicit>false</itunes:explicit>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:episode>1</itunes:episode>
    </item>
  </channel>
</rss>