Security Science

Kenna Security

Cybersecurity shouldn’t be a black box. Security Science aims to demystify cybersecurity with education combined with a dose of entertainment. We will tap a mix of experts to tackle the gamut of security topics - from the (mis)use of AI to deep analysis of specific vulnerabilities - grounding out each episode with measurable outcomes or joking around when there is a lack thereof. New episodes every other Wednesday.

All Episodes

We tackle a hotly contested debate as old as cybersecurity itself: does releasing exploit code do more harm than good?

Jun 2

1 hr 10 min

We interview Collin Boyce, Chief Information Officer for the City of Tucson, Arizona and discuss his process of turning impossible ideas into real projects that achieve meaningful results.

May 26

34 min 51 sec

Dive into a quick history of the CVE List as we kick off a quarterly update that tracks the progress of new CVEs issued.

Apr 7

22 min 45 sec

We discuss and add some quantifiable data to a hot-button issue in the cybersecurity industry: responsible disclosure of vulnerabilities and exploits.

Mar 31

34 min 29 sec

Continuing our miniseries into Risk, Measured: we go back to statistics class and discuss some of the characteristics of good metrics to help people understand what you should be looking for when you want to meaningfully quantify cybersecurity phenomena, program performance, or anything really.

Mar 17

45 min 28 sec

Sometimes a number is just a number. Context - the information and environment around the number - is what really matters. We discuss how this concept holds especially true in vulnerability management and risk scoring.

Mar 10

22 min 42 sec

We discuss the general lack of defensive perspectives in cybersecurity media and culture, how that impacts perceptions and decision making, and what we can do about it.

Mar 3

30 min 57 sec

We discuss the application of power law distributions in cybersecurity.

Jan 27

33 min 52 sec

We look at the phenomena of exploit code moving from traditional and cybersecurity-centric databases like Exploit-DB and Metasploit and instead being published on Github. Is Github becoming a de facto database for exploit code?

Jan 20

38 min 34 sec

Kenna Security recently celebrated its 10-year anniversary on Dec. 10th, 2020; so we decided to do what we do best and take a data-based (and rare) review of the top vulnerabilities from the past decade, year-by-year.

Dec 2020

52 min 41 sec

We discuss the security and privacy of connected gifts this holiday shopping season.

Dec 2020

42 min 15 sec

We welcome a special guest from VMware Carbon Black to discuss the state of cloud infrastructure and security, primarily through the lens of vulnerability management today, tomorrow, and far into the future.

Dec 2020

46 min 27 sec

Jerry Gamblin gives us a pre-thanksgiving primer for Amazon AWS re:Invent 2020, which will be held from Nov. 30 - Dec 18th on a computer monitor near you.

Nov 2020

25 min 6 sec

We discuss the sixth and latest report in our ongoing dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 6: The Attacker-Defender Divide looks at exploitation events from 2019 to analyze the momentum shifts between cybersecurity hackers and the teams defending organizations from attack.

Nov 2020

54 min 28 sec

Will Docker’s download rate limits kill containers as we know them today?

Nov 2020

26 min 5 sec

We discuss the fifth report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 5: In Search of Assets at Risk.

Nov 2020

55 min 51 sec

We discuss the challenges managing risk in 3rd party code from things like Open Source Software libraries.

Oct 2020

26 min 47 sec

We discuss the fourth report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 4: Measuring What Matters In Remediation.

Oct 2020

1 hr 7 min

We discuss the evolution of cybersecurity metrics and reporting to Boards of Directors.

Oct 2020

33 min 7 sec

We discuss the third report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 3: Winning the Remediation Race looks at (1) how quickly and (2) how many vulnerabilities a given organization can handle. Answering two key questions: Can organizations remediate all of the new vulnerabilities in their environments? If not, can organizations remediate all of the new High-Risk vulnerabilities in their environments?

Sep 2020

43 min 19 sec

Today on Security Science, we have a special around the virtual table with some of the biggest names in cybersecurity discussing a wide range of topics like securing remote workers, whether companies are really moving to the cloud, and the impact of the 2020 presidential election.

Sep 2020

52 min 15 sec

We discuss the Exploit Prediction Scoring System (EPSS), the first open, data-driven framework for assessing vulnerability threat: that is, the probability that a vulnerability will be exploited in the wild within the first twelve months after public disclosure.

Sep 2020

54 min 29 sec

We discuss the second report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction, Volume 2: Getting Real About Remediation picks up on the overall vulnerability landscape analysis from Volume 1 and dives deep into the vulnerability landscape from within actual enterprise networks (a little over 500 of them to be exact).

Sep 2020

58 min 27 sec

How does the spread, detection, and response to viruses like COVID-19 compare with cybersecurity practices today? In the second episode of our Risk, Measured series we talk to special guest, Northeastern University Assistant Professor, Sam Scarpino about how Epidemiology relates to cybersecurity.

Aug 2020

49 min 10 sec

We chat about the state of everyone’s favorite buzz technology: Threat Intelligence with our favorite internet fingerprinter, Kenna’s head of research, Jcran. Joining us is a special guest, longtime pentester, infamous internet listener, and founder of GreyNoise Intelligence, Andrew Morris.

Aug 2020

36 min 31 sec

We discuss the infamous cybersecurity gathering that gets canceled year-after-year, DEF CON. Guiding us along this journey to nowhere is everyone’s favorite security guru and serial DEF CON non-presenter, Jerry Gamblin.

Aug 2020

19 min 16 sec

Both the bane and salvation of security teams, and the start of a month-long fix cycle for IT teams, Microsoft's Patch Tuesday is a consistent reminder that nothing keeps us more secure than good old fashioned cyber-hygiene. Kenna Security's Head of Research, Jcran walks us through his Patch Tuesday ritual and gives us some tools, tips, and tricks along the way.

Aug 2020

25 min 25 sec

Picking up where we left off on the history of vulnerability management, Ed Bellis walks us through the history of risk-based vulnerability management (RBVM) to current times and the near future.

Jul 2020

53 min 48 sec

Year after year we read about millions of unfilled cybersecurity jobs as incidents increase and Twitter experiences one of the most public cyber meltdowns in history. We talk with data scientist extraordinaire, Michael Roytman about whether Machine Learning can fill the cybersecurity skills gap.

Jul 2020

36 min 54 sec

The first in a multi-part dive into the Prioritization to Prediction (P2P) research series by Kenna Security and The Cyentia Institute - guests Ed Bellis and Wade Baker discuss P2P Volume 1 which quantifies the performance of vulnerability prioritization and remediation strategies for the very first time.

Jul 2020

49 min 27 sec

Want more detail than Shodan queries? Need to figure out which devices have that new critical vuln and are exposed to the internet? Creator of, Jcran discusses his creation and touches on the topics of digital fingerprinting and discovery tools.

Jul 2020

16 min 35 sec

The first episode in a Security Science mini-series called Risk, Measured - Kenna's Chief Data Scientist, Michael Roytman discusses the theory and components used to measure risk. Touching on the definitions, current and future data sources, responsibilities of security teams, characteristics of bad models, and much more, this is a definite must listen for anyone interested in measuring cyber risk.

Jun 2020

28 min 51 sec

2020's global Covid-19 pandemic has yet again thrust the concept of Zero Trust architectures into the security mainstream. Researcher, Builder, Hacker, Traveler, and Kenna's head of Security and Compliance, Jerry Gamblin discusses Zero Trust and the realities of the work required to truly adopt the architecture, probably bursting a few bubbles along the way.

Jun 2020

26 min 25 sec

In the very first episode of Security Science the Father of Risk-Based Vulnerability Management, Ed Bellis walks us through the history of Vulnerability Management. From the dark times before the CVE list and open-source scanners to the capabilities of today's best performing vulnerability management programs.

Jun 2020

42 min 23 sec