At RSAC 2026, theCUBE Research interviews Gal Shafir, co-founder and chief executive officer of Fig Security, and Nir Loya Dahan, co-founder and chief product officer of Fig Security. Christophe Bertrand, principal analyst at SiliconANGLE and theCUBE Research, hosts the conversation. The discussion focuses on security operations resilience, security data lineage and drift detection as security operations teams modernize infrastructure and adopt artificial intelligence (AI).
Shafir and Dahan bring deep product and SecOps experience. Before Fig, Shafir led the global security architect teams at Google Cloud Security, and Dahan served as vice president of product at Simulate. Dahan notes the need to establish operational resilience before layering AI-powered automation. They explain Fig Security's approach to building resilient SecOps infrastructure and implementing security data lineage. Shafir highlights the prevalence of silent failures caused by upstream drift. They describe the role of security data lineage in detecting and remediating configuration and data-flow breakages before these issues undermine detection and response. Christophe Bertrand stresses that security operations centers (SOCs) and managed security service providers (MSSPs) must adopt security data lineage as a foundational practice.
This interview delivers practical insights for SecOps engineering, SOCs and MSSPs on drift detection, operational resilience and the careful integration of AI into security workflows.
Gal Shafir & Nir Loya Dahan, Fig
In this interview from RSAC 2026, Gal Shafir, co-founder and chief executive officer of Fig Security, joins Nir Loya Dahan, co-founder and chief product officer of Fig Security, to talk with theCUBE Research's Christophe Bertrand about building operational resilience as the true foundation of modern security operations. Shafir and Loya Dahan explain why SOC teams have quietly accepted that they can't fully trust their own infrastructure. Fig Security addresses this by mapping what it calls "security data lineage" — tracing data flow from source to detection r...
>> And we're back at RSAC 2026. My name is Christophe Bertrand, principal analyst at Cube Research. And we're going to be talking to two founders. Very pleased to have Gal Shafir and Nir Loya Dahan, both co-founders. Gal, you're the CEO. You're the CPO, so one of you is running the numbers, the other is actually building the product. And the company is called Fig. So I'd love to hear a little more about the company name and then a little bit about your background. So Gal, let's start with you. Why Fig?
Gal Shafir
>> Well, when we started ideating for the idea, the meeting name was so long, with all the names of the founders and we asked ChatGPT for giving us one syllable name of a fruit that we can start using, and it just caught and we stayed with Fig.
Christophe Bertrand
>> So tell me a little bit about your background and then Nir, we'll go with you. But go ahead, Gal.
Gal Shafir
>> So before Fig, I've led the global security architect teams at Google Cloud Security, mostly focusing on Google SecOps, which was the largest business at the time. That came after the acquisition of Simplify, where I did similar roles for a few years from the very beginning until the Google acquisition.
Christophe Bertrand
>> Got it. So what about you, Nir?
Nir Loya Dahan
>> Yeah. So before starting Fig, I was the VP of product for a company called Simulate, around adversarial attack simulation. So been there for four years. And before that, I used to work with Gal, back at Simplify before the acquisition, in different product roles, had an amazing time there.
Christophe Bertrand
>> Right. Sounds like the typical... We met somewhere, we had a set of great products, great experience, and decided to go solve a problem that ELs can solve, which is what I want to talk about. When you think about security operations, clearly there's a lot going on, especially with AI. But one thing you've introduced, this idea of security operations resilience, which I really like. There are other vendors who talk about resilience operations and things like that. So I think that changes the game a little bit. And simply because you're dealing with a big problem, in my opinion, which is change. Change happens in IT infrastructure all the time, security infrastructure. It's a constant, yet it's a constant that is either managed, which is change that you plan, to a large extent, and change that is not managed and that's drift. So I'd like to double click on that. Maybe we'll start with you, Nir. What is your definition of, essentially operational resilience, and why does it matter?
Nir Loya Dahan
>> So one thing we've noticed over the years working in SOCs with security operations teams is that they kind of accepted that hard fact of life of, we can't really trust our infrastructure. We're running all those amazing initiatives. Back then it was automation. Then it was like expanding to other technologies. By the way, now it's AI. A lot of security teams want to implement AI in their process and everything. But every engineer asked themselves that question, like, "Do I even know if it's working? Do I even know if it's configured properly? If I'm going to do this change in my environment, is it going to break or not?" And they kind of accepted it, living with workarounds they build on their own, having some kind of like services, sometimes, to look at specific issues. And not having trust in the reliability and resilience of their infrastructure. The way they spelled it out for us, we didn't invent the term resilience in the SOC. They told us. And this is kind of like how we've identified that this needs to be solved.
Christophe Bertrand
>> Right. So clearly this is a problem that you've identified talking to, I imagine a large number of customers, end users. People doing this day in and day out, having to deal with a lot of attacks, a lot of problems because of change, whether they wanted to change or didn't want the change, clearly. So Gal, tell me a little bit more about the type of customers that you are going after, the type of customers you have, early adopters. What are you hearing? How are they actually using your solution? And I'm very curious about how they're resonating with resilience, versus just management or operations, security operations management.
Gal Shafir
>> So, the type of customers that we're after and obviously are now customers in production, are customers who own their own SecOps infrastructure, and they have this function of SOC engineering and detection engineering that operate the infrastructure, or the MSSPs that operate those infrastructures for others. Either way, if you run a SOC, you're going to have this problem. And what we're seeing them and the way they use the product is, really the same way that any engineer in the organization that is running a complex and interdependent infrastructure has a tool to, first of all, understand what is going on, what's connected to what, how a change over here might break something over there, and are we really operational right now? They use this tool the same way any other engineering team, whether if it's network engineers or DevSecOps engineers or DevOps engineers, would run their infrastructure from a single place with confidence.
Christophe Bertrand
>> So let's double click on that for a second. The biggest issue that I think you've brought up in your early days as an organization is the fact that there's drift happening that is not controlled. I mean, we can talk about plan change. That's going to be my next question, but let's start with drift. It surprises me always, "Oh, well, we have this great infrastructure. We spent all these millions of dollars building things and we have great engineers, great people." And somehow something changes and nobody really knows why and why something changed. Now I can see how it could happen in a highly hybrid environment. Maybe some provider changes something, they don't let you know. Okay, that could happen, but drift happens. So why does drift happen in the first place? Let's talk about that. And once we understand that, what do you do with your solution, or the Fig platform, to actually alert and fix?
Nir Loya Dahan
>> Yeah. So drift happens because of various different reasons, but the thing is that the business changes, the environment changes, data changes, that's the nature of data. It constantly evolves to the needs of the organization. The same goes for security data, whether it's IT, whether it's internal tools and logging, whether it's third party vendors, data is changing, data is growing, and detection needs to adapt, in a way. And this is exactly what we're looking at. What we are doing is we abstract the client's security infrastructure into what we call security data lineage. Basically meaning we can, and you can basically, identify the entire data flow from the data source all the way to the detection itself and everything that it goes through in between, to identify what are the configurations that the data is going to go through, what are the changes that the data is going to go through, and what are the different structures of the data, to the point of what is the exact pattern of the exact value within the exact field to that point? Because sometimes, and most times, the silent failures happen at this very, very specific point. And this is how we're able to make our clients constantly sync with business change that happens around them.
Christophe Bertrand
>> Gal, I'd like to double click on silent failures. Actually, that's a great term because it says it all without saying anything. And I like this idea of lineage. I think it's essentially what you're doing is trying to really identify everything, understand everything, document everything. So should something come up, you can go figure it out quickly, automatically, ideally, and then fix it. So tell me about silent failures and what are the typical silent failures that your customers have identified and why should they care about them? What is the domino effect that it creates?
Gal Shafir
>> So the fact of life, which we've learned through our Google SecOps days and Simplify days and Simulate days, is that no engineer or no CISO knows if a detection rule hasn't triggered in three months because they were secure, or because something got broken in the plumbing a couple of months ago. And that's really the silent failures, which means that when the rule and the logic is looking for something that doesn't exist in the data any more because of an upstream drift or an initiated change, there's no alert on it. Nobody knows that that's the case. And that really gets down to the level of, maybe my rule is looking for an email address in the data, but right now because of an upstream change from my identity team, my identity logs are coming in with the domain/username. The data still flows in. It's not that it's not flowing, but the alert will never trigger, or even worse, partially trigger.
Christophe Bertrand
>> Oh, that makes perfect sense. And yeah, I can imagine that's absolutely impossible to catch unless you're really looking for those changes. So let me ask you about this event, and I'd love your take on AI. Because obviously this is a cybersecurity event, has been for many years, yet this year, for sure, it looks like we're in another AI event. So, well, Nir, let's talk about that. What's your take on what's going on with cybersecurity and AI tools? Are we making things better or worse?
Nir Loya Dahan
>> So I'll split my answer into two. So first of all, how do you secure AI in the organization? I think this is bigger than the internet. Let's be honest. It completely changes everything, and every method of work we know, and introduces a tremendous challenge for security leaders these days. What's going to be the right approach to secure AI? Is it like a user? Is it not like a user? And I'm excited to see so many interesting approaches to tackle this challenge. On the other end, there's using AI for security and this is what we see a lot where security organizations want to harness the AI power, because the attacker is going to do the same thing.
Christophe Bertrand
>> Exactly.
Nir Loya Dahan
>> And what we really see is that while organizations want to utilize and harness AI power, they need to do it on a reliable and working data infrastructure. Because if it's not, we had a saying back at Simplify. When you're automating on a broken process, you're only going to break things faster. So this kind of like making sure the foundation works before putting AI on top of it, is key for harnessing AI successfully.
Christophe Bertrand
>> Right. So Gal, I know you have to run, you're a busy, busy guy. What would be your closing thoughts, recommendations you would have for our viewers? What should they do next? What should they think about?
Gal Shafir
>> I think that if you really boil it down, at the end of the day, everybody talks about cyber resilience. And everyone invests in attack resilience, but you can't really have cyber resilience if you don't have the operational resilience. And now more than ever, when change is rapidly changing even more, because the organization is rapidly evolving even more, that breaks more things downstream. And when the SecOps infrastructure is becoming cheaper and better and faster, and everybody understands that, it also becomes more fragmented and complex and distributed to engineer, with more people doing less analysis on alerts and doing more operational work on the actual foundation. And if you don't trust your foundation today, you'll have a really hard time to embrace tomorrow and to go through this SOC modernization that you're hoping to go for.
Christophe Bertrand
>> Well, I think you said it all. You cannot build on a bad foundation. So I think that's definitely words of wisdom here. Well, I look forward to seeing how you guys do, and maybe talk to you next year. And very curious to hear more about your customers and how the platform is doing moving forward. So Nir and Gal, thank you so much for joining us.
Gal Shafir
>> Thanks for having us, Christophe.
Christophe Bertrand
>> Great to have you here today. And to our viewers, thank you very much. Stay tuned. We have a lot more coming up, RSAC 2026 in San Francisco.