Derek Manky, Chief Security Strategist and Global Vice President of Threat Intelligence at Fortinet FortiGuard Labs, joins theCUBE at RSAC 2025 in San Francisco. Hosted by theCUBE Research's John Furrier and Jackie McGuire, the discussion explores current cybersecurity threats and the evolving role of artificial intelligence (AI) in combating these challenges.
In this engaging conversation, Manky shares expertise in threat intelligence and cybersecurity strategy, emphasizing findings from FortiGuard Labs’ 2025 Global Threat Landscape Report. The discussion reveals trends in cyber threats, including the rise of AI weaponization and the shift toward targeted cyberattacks. It highlights the role of theCUBE Research in providing insights into cybersecurity challenges and solutions.
Key takeaways from the discussion include Manky's analysis of the evolving cyber threat landscape, particularly the increasing sophistication of cybercriminals adopting nation-state attack tactics. According to Manky, while ransomware volumes may be decreasing, the precision of such attacks increases. They also discuss how collaboration and advanced threat detection technologies are essential in staying ahead of cyber adversaries. These insights underscore the importance of an adaptive multi-faceted approach to cybersecurity.
Derek Manky, Fortinet FortiGuard Labs
Exploring Advanced Cybersecurity Measures at RSAC 2025
Chief Security Strategist and Global VP Threat Intelligence, Fortinet FortiGuard Labs
Derek Manky, chief security strategist and global VP of threat intelligence at Fortinet, joins theCUBE’s John Furrier and Jackie McGuire at the RSAC 2025 Conference. The discussion unpacks key insights from FortiGuard Labs’ 2025 Global Threat Landscape Report and explores how AI is changing the threat landscape.
Manky outlines the growing sophistication of cybercriminals, including nation-state-style tactics and precision ransomware attacks. He explains how collaborative strategies and real-time threat detection are critical for staying ahead of evol...
>> Welcome back everyone to theCUBE's live coverage in San Francisco for RSAC 2025. I'm John Furrier, host of theCUBE with Jackie McGuire. Breaking down all the action on our fourth day of coverage here. The last keynotes lining up. Of course, a lot of action, really an inflection point for the security industry as certainly AI has been a big part of the conversation. But the same game is still in play, that is to protect organizations from the adversaries. Derek Manky's here, Chief Security Strategist, Global VP Threat Intelligence at Fortinet FortiGuard Labs. Great to see you.
Derek Manky
>> Great to see you.
>> Always great to get the reports. And you always been the... Also, you're also on the CISO World Economic Forum Advisory. You're giving keynote talks here. Great to see you.
Derek Manky
>> Yeah, it's busy. It's great to see you as well too.
>> How are you feeling?
Derek Manky
>> I'm feeling good. We can talk through it. There's always a lot of doom and gloom and a fast dynamic through our landscape, but there's good news, of course, right?
Jackie McGuire
>> The conference has had a much more positive spirit, I felt like.
Derek Manky
>> Absolutely, yeah.
Jackie McGuire
>> I came here... I've been having a... I always call it my coffee cry, a couple days a week in the morning because we deal with a lot of stuff in security, and I was expecting it to be a little heavy coming here. It was the total opposite. I think it's everybody's chance to take a deep breath, and kind of step out of the day-to-day drudgery.
Derek Manky
>> Yeah. Obviously security practitioners here, so it's a strength in numbers thing as well. That's what makes you feel good. Yeah.
Jackie McGuire
>> It's like, "Oh, my people. I don't feel like a weirdo."
>> Well, there's a lot of great themes here. Many voices, one community. Couldn't be more compelling now. I think, Derek, last time you were on theCUBE, you were, I think, one of the first ones to really bring to the table cyber threats as a service, where the organizations around the threats were so organized and then they were selling as a service. I have to ask you, with AI now, I'm sure it's smarter, faster, more agile in terms of deploying some of the tactics in the cyber crime area. What does the Fortinet Global Report you guys just released talk about? Does this show up heavily?
Derek Manky
>> It absolutely does. Yeah. And it's going to continue to, I would say. So, yeah, we just launched our 2025 Global Threat Landscape Report, so it's a full-packed view across all of 2024, all the native telemetry intelligence we get that my team will then crunch and make sense of it. And there's a lot of trends in there. On the AI and on the crime services, that's something that we've continue to see to expand. So, it was things like ransom as a... we talked about this before, ransom as a service, DDoS as a service, phishing as a service. Those still exist. And by the way, it's a commodity. You're talking about $50 to $100 to engage one of those services, but now with the weaponization of artificial intelligence, large language models being used as a tool, we're seeing services being built. It's a business they're building, so we see reconnaissance services now. If you want to go and launch a-
>> Explain what that is for people to understand.
Derek Manky
>> So, reconnaissance services is using the GPT models, the LLMs that cyber crime like FraudGPT, WormGPT, the things that guardrails have been taken off. They're using that as a service. So, you can sign up, subscribe to them, use them to get information on potential victims through crafted information, through social media, all those things. And then put into spear phishing emails, that if you want to try to penetrate a CFO of an organization, there's services to do that essentially.
Jackie McGuire
>> Sharpen the spear?
Derek Manky
>> Yeah.
>> What's the biggest thing in the report this year that jumped out at you? What was some of the highlights that surprised you? What were some of the new things?
Derek Manky
>> Yeah, so shifting left, so cyber criminals are acting more and more like nation-state APT actors because they're heavily funded. So, we are seeing things like ransomware dropping, volumes dropping in ransomware, but that's not a good thing because they're becoming much more targeted. Manufacturing was the number one target that we saw for cyber crime. And why are they doing that? Because the playbooks got more aggressive. They're not just going after ransom data, they're going after services, because they know if they take a service offline, they're going to bleed revenue. They put that into their playbooks, and that's something that we're seeing.
>> And service as software, that's the big trend now, it flips to the other side. That makes a lot of sense. So, the drop in ransomware is because they're not spraying and praying?
Derek Manky
>> Yeah, exactly.
>> They're targeting, is that the approach?
Derek Manky
>> Spraying and praying, I haven't heard that for a while, but yeah, absolutely.
>> That's a seed investment strategy that used to be in the Valley in the old days.
Derek Manky
>> No, you're bang on.
>> Spray and pray, the Southern Valley days.
Derek Manky
>> No, it's exactly that. They're moving away from spray and pray into targeted tactical attacks. We're even seeing hacktivism, things like that, using large language models. It's a 17.9%, almost 18% increase in just reconnaissance activity. We saw all across 2024, 36,000 scans per second. So, think of it as per second happening for a full year, so they're very active right now, yeah.
>> You mentioned nation-states. I want to come back to this because, remember, I think go back maybe six, seven years ago, the nation-states were kind of camouflaging their attacks by giving their playbooks and services to other groups, but it was really kind of a nation-state. Is there now data that the nation-states are more aggressive? What are some of the tactics we're seeing around the nation-states threats?
Derek Manky
>> The nation-states, it's nothing too novel. So, with nation-states, we do see new zero-days weaponized, but in the report we talk about that. Out of 40,000 CVEs, that was a huge increase, 39% on the attack surface, there's only about 312 zero-days we saw weaponized. So, it's still a niche area, I would say, that we do see in nation-states, but the reality is a lot of their modus operandi is still very long cycles and they're still spending a lot of time on trying to get in, maintain persistence into networks. The cyber crime is the piece that's shifting fast, because again, they're not burning zero-days. They're using living off the land technique, so they're very focused on being tactical when they're in environments. And that's something that really stood out to me in the approach... in the report. It's this approach into that more sophisticated tactical approach.
>> Evolution's getting smarter.
Jackie McGuire
>> We've heard from more than one customer that the trend now is that hackers aren't hacking in, they're not breaking in, they're just buying logins and logging in.
Derek Manky
>> Yep, exactly.
Jackie McGuire
>> I saw one of the statistics you had in the report was a 42% increase in stolen credentials appearing on the dark net, and is that because there's more info stealer?
Derek Manky
>> Yep, yep.
Jackie McGuire
>> How are things like that collecting that information?
Derek Manky
>> A lot from info stealers. We see RedLine account... So, one info stealer, RedLine, was over 60% of all info stealer activity we saw. And those info stealers are a commodity. You can get them. Again, it's not a big investment for an aspiring cyber criminal or, like you say, hackers, but these are really still-
Jackie McGuire
>> No. Yeah, these are not people who are writing code, to be clear.
Derek Manky
>> Right, exactly. But that's the issue, it's a low barrier of entry. And AI of course, is acting as a catalyst to that, and it's going to continue to scrape those credentials, to put those into those packs that are sold. And credential stuffing, it's not going to go away.
>> What is the answer? Because the trend here is agents is hot, but also automation has been around, but that's cool, but non-deterministic, generative AI, is it more for password protections? We're hearing some use cases. Where's the action to stop the info stealing? The phishing is at an all-time high because... Hey, I got an email. It looks like it's really good. It's not misspelled. It's in perfect English, targeted. What are some of the preventions? How do people solve all this?
Derek Manky
>> Multifaceted. So, I think it's clear, we have to be clear when we talk about AI, there's generative AI, it's a large language model, human interaction based languages, and then discriminative AI, which is the real heavy-lift engine.
Jackie McGuire
>> Progression models, savers.
Derek Manky
>> Data analysis, looking for the new zero-days, looking for malware. You need both. So, generative AI will help to offload the workload for an analyst. It's that up-leveling, upscaling an analyst, that's a huge good solution for that. Analyst burnout is a real thing today. We have a huge skills gap in the industry. So, in the SOC, being able to filter out, pull that signal from the noise, use that in SIEM/SOAR solutions. That's where generative AI sits. Now, you need meat, you need something under the hood, and that's where you have to have the machine learning to be able to spot that anomaly and that threat. That's not generative AI.
>> It's interesting, as you're talking, I'm kind of having a flashback to the many interviews you've done on theCUBE with me. I remember we talked about these reports going back years. I remember you talking about the SOC and the SIEM. It's hotter than ever. The SOC area is where the innovation... We even hear things like red-teaming models, so there's a lot of that security practice coming in. What's changing in these growth areas? Because obviously human intelligence, the human in the loop, human first augmentation, the first applications of some of the AI we're seeing in security. Security's very practical. They like to break things, but they're not going to just let anything in, but they'll use a little bit here, if it's convenient. What's happening in the SOC? That seems to be a hot area. What's your view on what's changing in the role of the SOC?
Derek Manky
>> It's a very hot area. So again, a lot of those... So, this is where the agentic piece is really coming in. So, it's not just about the SIEM, but the SOAR is actually one of the big orchestrators, an intelligent SOAR now that's acting as that agent. It's offloading a lot of those mundane tasks. What's happening in the SOC is the mean time to respond is now shrinking into the minutes. Because, by the way, the attackers, they're in the days range right now, so it's actually good. It's a way to actually be able to break that kill chain faster than the attacker's moving. So, it's EDR, XDR, SIEM, SOAR, all those agentically interface together. The other thing is the generative AI piece, it's human in the loop. So, it's like, "I found something, do you want to do this action?" With the agentic AI, now some of those guardrails are being put in place to actually autonomously do those actions as well.
Jackie McGuire
>> Yeah, I think agentic AI is really promising because LLMs are arguably the worst and least efficient thing to throw at almost any security problem where you have very finite binary information. LLMs are when you have kind of murky and it needs to be interpreted in the language, but with security, most of the time we're dealing with logs, we're dealing with known variables. And so I'm encouraged that we'll have LLM as the interface and then all of these agents doing the more deterministic stuff, without these massive matrixes that they have to traverse and use a ton of compute.
Derek Manky
>> Yeah, exactly. And that's why, like I said, it's not this silver bullet of agentic doing everything. It really is that combination of that role-based approach and then using the generative AI, the LLMs, to really stitch that together. The other big benefit of that is NOC and SOC convergence. That's another thing happening right now.
Jackie McGuire
>> Yes.
Derek Manky
>> Because those have been-
>> Explain. That's a good thread.
Derek Manky
>> Yeah. Yeah, so NOC and SOC convergence. NOCs and SOCs, they've been built in silos. Different reporting streams, you got the CISO, you have the CIO or CTO. And those don't always gel well together or talk together, but they're very inherently important to have converged. So, that convergence, this is where LLMs are stitching together. For an example, you can see that you might on the NOC side have a WiFi routing issue. Maybe something's chewing up the bandwidth. With convergence, you can pull that in, drill into that and see what's causing that. Oh, it could be a botnet or a piece of malware on an endpoint connecting to the .
>> I think that's a huge point. It's great insight because this is where value's starting to move faster because these are all inertia issues. Just because they were built that way doesn't mean they have to continue to act that way. We were talking about that on the intro today, and so I want to ask you about something that I heard earlier around this, and I want to get your reaction to this. So, the coolest thing... Well, for me it was cool, but remember the old honeypot days?
Derek Manky
>> Yep.
>> So, there's a modern honeypotting strategy going on with agents. We're starting to see techniques. What's coming out of the agent... I've heard some cool things, like, "Yeah, I got a bunch of agents out there," pretending there's something. Now, this is a tactic. Are you seeing this kind of trend coming? We're seeing a lot more creativity around the craft of getting the bad guys out because they're already in. That's the assumption. What are some of the cool little things that are merging with agents that take that honeypot concept and modernize it to multiple points of-
Derek Manky
>> So, my reaction is I think is really cool as well. So, the modern honeypot is really deception environments. So, they're sort of integrated honeypots that before agentic AI or engines were put into place with them, it would be... it's very manual. You'd have to manually replicate these environments. Look for... If it's an operational technology environment, know your PLCs, replicating shadow environments, all of those things. Very manual. With agents, again, it takes all of that. It's the same thing. It takes all of that basically, I wouldn't say offline, but it makes it much more stitched together, much more realistic. You have high interactive environments with agents in there. That's the cool thing. It becomes much more harder to detect from an attacker's perspective.
Jackie McGuire
>> So, just so to take a step back, for anybody who hasn't heard of honeypots before, they're not just the people waiting by the elevators in Vegas. So, this is where you set up basically a clone of your environment to deceive attackers to believe they've actually gotten into your environment, so that they basically end up wasting all their time digging in your sandbox rather than actually coming inside, right?
Derek Manky
>> Yeah, yeah, yeah. So, a traditional honeypot was just pure detection. It's to lure an attacker in, see what they're up to, so you get some intelligence based off of it and you get some lead time. The modern honeypot though is interactive, so it's actually intentionally luring and trapping an attacker in because nobody... it deals with insider threat, nobody should be probing and looking around for those because they're not real environments.
>> The interactive is a signal that really kind of gets extra threat intelligence.
Derek Manky
>> Yeah, we're talking, it's a complete replication. You have web interfaces, you have shells into PLCs and HMIs, human machine interfaces and OT environments. You name it. You can replicate retail, all these different verticals.
>> It's fascinating. I'm intrigued by the cat and mouse game. Again, back to the asymmetry that's been leveling up, what's your take on the data coming out of the report? Is the good guys getting better faster than the bad guys, or is it still kind of... What's the gap? Can you scope the playing field and the landscape?
Derek Manky
>> So, this is the vibe we're talking about again. It's the good news scenario, because-
Jackie McGuire
>> Wait, I have a vibe counter. I'm going to do a plus one.
Derek Manky
>> As I said, the technology is there. Look how many people come to this conference. Cyber criminals aren't having conferences like this. We have the technology. We, the industry, have invested into this. It works. It really does. With all that coming together in the SOC, it can actually move much faster right now to detect things than an attacker is moving. They're going to try to get ahead, so that's coming, but I really do think that, for once, the defenders have the edge here.
Jackie McGuire
>> I love that they're pushing us to collaborate more, because I think to your point, they don't have conferences like this, but they do have Discord channels where they very openly share. There's no protected IP in the attack world, and for three years, I've been saying, "If we want to beat our enemies, Art of War, we need to think like our enemies. We need to open source. We need to share information. We need to stop building software walls around our tools where they don't integrate with other tools nicely." And I think we're really going there. We've seen now that even the largest companies, if you can't ingest information from another SIEM or a DLP platform, platformization is going to cause your customers to find somebody who can. And I feel like... I always say that venture capital and private equity for the early 2000s, 2010s fueled silos because nobody wanted to invest in anything that wasn't a silo, because that was the IP. And so now we had this silo, trillion dollar silo farm, and now our practitioners are like, "What the hell? It shouldn't be this way. I shouldn't need to know six query languages to respond to a critical incident." So, it's encouraging to me that because our attackers are really effective, they're forcing us to rethink how we work together.
>> Does that come out in the survey, her comment about the sharing and the community? Because that's the theme of the conference, many voices, one community, what comes out of the data on the solidarity of the community on the good side? Does that show up?
Derek Manky
>> It does. So, you know the initiatives. We're a part of, I'm a part of Cyber Threat Alliance. It's one of those where we're absolutely using machine learning automation in that. It helps to, again, make those more efficient. It also helps to solve issues, like data privacy and tagging. Tagging is a big issue. All those sorts of things that can be done by those engines. So, it definitely helps. The other thing quickly on what you're talking about on the SOC is the playbooks. So, going back to the SOAR, that's something that would take a lot of time to write and constantly refactor. That can be autonomous now today.
>> So, a lot of CISOs are coming, talk to theCUBE. We've been tapping them. Jackie's putting a practice together around specifically CISOs with the team. A lot of folks share with me privately, they don't say their jobs are on the line directly, but it's a stressful environment. You said burnout. People want the playbooks. They want to know what the best practices are. Are there... From your perspective, you're on a lot of advisory on a global basis with CISOs, you're in the network. What's going on? What is the conversations? What are some of the best practices that people are doing now, state of the art, in your mind?
Derek Manky
>> Yeah, there's a paradigm shift, so the old playbook is not sufficient. So, what do I mean by that? Static defense, just doing compliance and following regulation and checking the boxes, and thinking you're secure because you have a SOC. That doesn't work. You need something that's dynamic, adaptable. So, what's happening right now is we're seeing CTEM, continuous threat exposure management. That's a real thing. It's automating that, so the CISO doesn't have to. It's not a once a year pen test. These are dynamic continuous pen tests that are happening, purple teaming. So, taking the breach and attack simulation, firing that through your defenses, seeing what the gaps are, doing detection engineering to fix those gaps. That's the new modern approach. And it doesn't have to be a burnout approach either, like maintenance. Yeah, it's like, "Okay, check, make sure everything's good."
Jackie McGuire
>> Acknowledging that it's a process, not a destination. I think we want security to be this objective you're going to attain, but it's not. It's just a continual evolution, and we need to look at it more like... You used to be like, "Oh, if I get my firewall in place and I'm done," but now this is a continual hygiene process.
Derek Manky
>> Continual hygiene, and it solves a lot of issues. The burnouts, the OpEx as well too, because it's something operationalized. You don't have to go and find 10 more analysts in your SOC.
Jackie McGuire
>> Yeah.
>> All right. So, share an observation from this event here. What's the coolest thing you heard or conversations? Share a story or anecdote around what's going on here in San Francisco at RSA 2025.
Derek Manky
>> Yeah, I don't have a particular story. I think it's just... As we said earlier, there's a lot of... This is my 15th RSA I've been to, so it's always a veteran.
Jackie McGuire
>> Do you get a robe or something?
Derek Manky
>> The loyalty one.
Jackie McGuire
>> Oh, nice.
>> Fantastic.
Derek Manky
>> So, there's always something new coming out. AI, of course, was a couple of years ago, but I think it's definitely more on this implementation of the agentic piece. It's not just a buzzword. It is a buzzword, it's a lot of hype, but there's practical-
>> Agents are happening....
Derek Manky
>> but yeah, there's practical implementations, and I think that is really cool. I did a talk here in 2019 on swarm technology. Agents are the precursor to that, so seeing it here, I'm like, "Wow, okay, that was six years ago, but now this is happening."
>> Okay, so I'm going to tap your expertise on theCUBE alumni expert that you are. If I'm going to write a headline tomorrow on my blog about this, what's the headline for RSA this year? What's the-
Derek Manky
>> Defenders have the Edge.
>> Good guys are catching up fast.
Jackie McGuire
>> That's a good way to... Good punctuation. Keeps me in a good mood.
>> Yeah. Well, I'm a blogger, someone's got to get killed. Someone's dead. Zero Trust is dead. Long live Zero Trust. Derek, thanks so much. Put a plug in for Fortinet and your report. You guys do great work. We appreciate what you do. Thanks for being here.
Derek Manky
>> So, the report, this is a complete view of 2024. You can find it on Fortinet.com, but we also have our security blogs, so from FortiGuard Labs, so we have continuous new, interesting security research articles on that, Fortinet.com/blog. And there's always something new we're finding every day.
>> And by the way, not to just quickly change gears, but because we've got to wrap, is that if you look at all the best AI work coming out of all the cloud shows and all the kind of industries, that the people who have deep research are winning on the native AI product side, not as a product for the customer. They're making their products better so that their AI can be consumed. And so you guys do a lot of research, and the industry appreciates it. Thank you.
Derek Manky
>> Yeah. A lot of R&D as well.
>> Okay, I'm John Furrier here in theCUBE. Jackie McGuire, Dave Vellante, John Olson, our whole entire security team is here. Of course, reporters are out there getting the top stories. We'll be right back on day four after this short break.