In this episode of MSP1337, Chris Johnson is joined by Jeff Majka, founder of Security Bulldog, to unpack why MSP‑delivered SOC services are at a breaking point, and how AI and automation are forcing a reset. They explore why traditional tiered SOC models and white‑label thinking no longer scale, how ungoverned AI adoption collides with zero trust, and why speed and decision quality now matter more than raw data or CVE counts. From ticket overload and false positives to exploitability, continuous monitoring, and breach resilience, the conversation underscores a hard truth: MSPs must redesign security operations around automation-first workflows that reduce noise, protect high‑value assets, and preserve human judgment for what truly matters in an AI‑accelerated threat landscape.
[00:00:06] Welcome to MSP 1337. I'm your host, Chris Johnson, a show dedicated to cybersecurity challenges solutions, a journey together, not alone. Welcome everybody to another episode of MSP 1337. I'm joined this week by Jeff Micah of Security Bulldog. Jeff, welcome to the show.
[00:00:32] Chris, thank you for having me on. I know we've been talking about doing this for a while, so I'm very excited to finally be on the very famous podcast that I've been on. Wow, famous. Longtime lurker, first time guest on the show. That's awesome. So we've kind of skirted this in our several conversations that we've had around, in part, what Security Bulldog does.
[00:00:57] So I'm going to say what the, I'm going to make it clear what the title of the show is. And I would love for you to give us a little bit of backstory on Security Bulldogs. I think it will help context for the episode. You know, the full burden for an MSP to stand up SOC services is no small feat. And we're seeing a lot of elements to the approach that we see from MSPs today, where they've partnered with a third party vendor.
[00:01:25] And in some cases, it's working great for them. But in many cases, while it may be working great, they haven't really appreciated or recognized the full burden of what they've taken on. And I liken it to the old days when we white labeled everything. You know, today, people don't white label email services, right?
[00:01:46] They like it's either Microsoft or it's Google Workspace, or maybe you've got some obscure one, but you're not telling them like, oh, no, it's my, it's my, I built it myself, right? So, so I think that's probably, I think a help for those listening to this that can recognize some of the challenges that they've had if they are doing this. Or more importantly, if you haven't gone down this path, maybe avoid some of the pitfalls, which I think is where Security Bulldog comes in.
[00:02:14] Yeah, I think that's a good summary of it. I think it's further complicated by the fact that it's such, you know, 2026, as everybody knows, is kind of a transitional year in 20 in cybersecurity. You know, the impact of AI and automation is really hitting the ground now and sort of in a massive, impactful way in a way that it's been slowly kind of, you know, incrementally getting more and more worse, or better, depending on if you look at it as an opportunity or cost.
[00:02:44] And I think for MSPs, especially, because typically, they either outsource it or they're not at the tip of sphere in terms of like, like the best practices of what's happening. I think that, you know, for our, from our perspective, we started the Security Bulldog with the idea that it's that our species is terrible at cybersecurity, that we hate delayed gratification. It's hard to sell it, it's hard to manage it, it's hard to operate it, it's hard to do it productively, as well as cost effectively.
[00:03:11] Cybersecurity is just hard all around, and people don't want it. But they have to have it for regulatory reasons. And when MSPs, when that's outsourced to an MSP, it's further complicated by the MSPs' economics and the way that they structure themselves across multiple clients that they're servicing, that that SOC that they're outsourcing or other cybersecurity services they're outsourcing is even more complicated to manage.
[00:03:36] It's just this year with, with the AI and automation impact, how are, how are MSPs thinking about how they're going about it? And I don't think they, they really have thought a lot about it, but we have. And I think that, that, you know, having these conversations with, with you and others about, you know, there, I think I personally think that there's a huge opportunity for MSPs to offer these services better and more effectively and cheaper, more profitably than I have in the past.
[00:04:04] But it does take a little bit of, you know, of consulting and outside the box thinking about just exactly how, how do you organize and orchestrate, you know, security operation services for customers? Because it's going to be different this year going forward than it has been.
[00:04:23] Well, I go back in time to, you know, when we really didn't use a language like cybersecurity, we offered firewalls and, and certain products services that landed in that category, but we didn't really label it that way because we didn't have to, we didn't need a buzzword to talk about security. We just said security, if that made sense.
[00:04:44] And, and most of our prospective clients would think about security in the context of locks on doors, you know, who permissions for whatever office or rooms it might be cameras perhaps got included in that. But, but, but by and large, we, we didn't really think about cybersecurity. And I think if you go back really far to like when the HIPAA compliance came out in the late nineties, where you had really heavy focus on privacy, right?
[00:05:12] And you fast forward to today. And while we have gravitated to talking about things from a security perspective, whether it's cyber or not, the premise behind all of this is to protect the privacy integrity of data. And I think we've lost sight of that in many cases. We're like, we'll just secure everything. Cause that's, that makes sense.
[00:05:34] Well, I mean, yeah, it's kind of, you know, I don't want to say it's a joke, but it's ironical that, you know, just at the point where we were trying to get everybody to understand the concept of zero trust and protecting that data. And then we're dropping got AIs without guardrails across the MSPs and customers and CEO, CEOs going all hands deck. Like everybody has to use AI in the next 24 hours, right? That's not zero trust. That's like the opposite of zero trust. Right.
[00:06:04] So we're creating lots of problems. I trust everything. I always walk in the park at night in the dark by myself with large wads of cash in both hands. So saying, come take my money. Exactly. Exactly. Right. So I think we went through, you know, and it's kind of like, you know, what we're going through this year is kind of like when cloud happened in 2008 and nine or mobile happened in the early two thousands or even the internet in the nineties. Yeah. Like, okay, it's here. It's everybody's going to do it. It's going to create lots of problems.
[00:06:34] Lots of opportunities. I think for MSPs to say, okay, how do we help? How do we help our customers manage this? And I think taking best practices of how you actually deploy and manage AIs and people working together, because I think we know that now it's not going to be one person with one AI. It's going to be a team of AIs with a team of people, especially in a sub security sense. Like, how does that actually work in practice? Right. It's the whole tier one, tier two, tier three manual stuff is out the door, obviously, just because of the speed of it. Right. Right.
[00:07:03] The, if mythos is half as powerful as we think it's going to be. And, and again, the joke is we already have things that are bad enough for cybersecurity teams that they can't keep up. Like you're going to have to move them at AI speed to defend, right? If the attackers are slightly ahead of the defenders right now, as they always are. So the defenders are going to have to get faster and faster, increase the tempo so they can respond to something like mythos, which the only way to do that is to automate as much as you possibly can.
[00:07:30] Automate all the easy things, automate a lot of the triage and get to, okay, what can't be automated kicks out to the human beings in your organization. And for an MSP, that's a great opportunity of saying, hey, we can aggregate a lot of best practice knowledge across all of our clients. So we are, our tier, you know, tier two, three guys, those tier one guys are going to be automated, are going to be able to see better and understand better about how to protect your data, your high value assets.
[00:07:56] What's interesting about that is I was thinking about how many, whether MSPs or the clients that MSPs are dealing with, you know, AI is here to stay to your point. And I was thinking about like how easy it is to pull up chat GPT or fill in the blank. There's a prompt, ask the question, you get an answer. So much time saved from what would have been a more, you know, leveraging of a search engine to get sourced information.
[00:08:22] You're asking it to just give you the answer without having to go and read for yourself. And then I thought about that in the context of like building widgets and applications that you can now do by just giving context at a prompt window. But the part that's being left out is, well, what happens to that when you're ready to use it? What happens to it when you go back to the prompt and you want to create a new iteration of it? And it's like, I have no recollection of building this at all.
[00:08:52] And so you now have, I was thinking about from Pocket OS and on, it's like, we still need all of the things that we had before. But now we need more of them because most of the audience, or not audience, but most of the people out there when they're using these tools, they don't think about it from the perspective of how do I back this up? How do I create versioning control? How do I ensure that it's secure? And the list goes on and on and on. Because the reality is, we're used to instant gratification to what you said at the beginning.
[00:09:20] We have to solve for that too, along with all of these other things. Yes. And so, and again, how do we do all those things at AI speed? And there's AI tools that do compliance. There's AI tools for all the things you just mentioned. They're not getting deployed, right, for bureaucratic reasons, right? So I think that the compliance side of the house is going to lag, as it always does. But, you know, okay, how do we do, okay, we need to do all those things.
[00:09:50] How do we do all those things in a, in a, as much as we can, nimble, innovative, decentralized kind of way, right? And I think that's, again, changing the way the companies do, you know, business, the way they operate, is part of that whole process. And I think everybody's still trying to figure it out. But I think that, you know, people are deploying the, you know, I heard, the story that I heard the other day that I think is sort of, and again, I'm pro AI.
[00:10:19] I own an AI company. We use AI tools all the time. Everything we do is pretty much AI or automated and AI enabled. And again, two separate but interrelated things that I sometimes get confused on. But yeah, a company deploys AI in their HR department. And they're, you know, they're getting ready to do some layoffs. And again, our theory is always that human beings are human beings and they're going to make decisions as human beings, not as rational actors or AIs.
[00:10:49] And we think differently the way that AI thinks, which is why AI is always like, you know, I think AI is impressive to people because it doesn't think like a human being. And I think we're impressive to AIs because we don't think like the way that they think. But they do what is AI. Yeah, yeah, go ahead. Well, yeah. Ironically, we're talking about, you know, AI is not able, is not its own intelligence, right? It's not conscious. It can do things because people have programmed it to do things.
[00:11:15] Programming it to learn, sure, we've seen that for decades of software that can fix its own code based on how it was built to do so. But I think today the part that really has piqued my interest in our conversations that you and I have had is that there's lots of vendors out there, to your point, that are leveraging AI to help distill and assimilate information so that with the limited time we have, we can make good decisions about what we do next.
[00:11:43] My question to you is like, why Security Bulldog? And I say this to a lot of vendors that come on the show, not necessarily why your product per se, but like you're competing in an ever, I would say the water level continues to rise. Like it continues to be a larger pool. But at the same time, you have more and more vendors coming into this water that want to also swim in the same water that you're in. How do you navigate that?
[00:12:09] Because I don't think there's a one size fits all and there's so many different ways that we approach this challenge in the security space, particularly. What are you seeing? I mean, how does, like, why? What made you like, I'm going to create Security Bulldog because we can solve for? Yeah. So I think that, again, like in cybersecurity, there's so much wasted time and jobs that traditionally a human being would do, like analyze a whole bunch of open source information to make decisions,
[00:12:37] slows the decision-making process down. And, right, and again, in cybersecurity, what's the main principle is, right? Reduce the probability of some catastrophically bad event happening within the next year or two, right? That's like a node, right? So, okay, how do you enable that to happen? Traditionally, you'd have human beings analyzing all this stuff. But long ago, it became way too much for an individual human to do.
[00:13:01] So our aspect of it is if we're going to move the needle in cybersecurity, we've got to build tools that work with human nature, not against human nature. And, A, human beings get burnt out on this, right? This is why people don't stay in cybersecurity for a long time because it's a somewhat thankless job. So how do we help them be better at their drill? We divided the things that humans are bad at. Let's have AI do it for them, right? So, okay, what do we do? We pre-collect and curate open source intelligence using, and I think this is really interesting.
[00:13:29] Okay, what's the – and again, the perfect cybersecurity tool would do what? And this is what we're trying to build is what is the least amount of information we can give you and your team for you guys to make a highly confident decision about what to do right now, knowing that this afternoon or next week, that answer might change. And for an MSP, I think that's exactly the kind of like, okay, we have all of these things and we have all of these endpoints, we have all these clients.
[00:13:52] How quickly can we make a decision that best affects the, hey, reducing the ability, the maximum amount to reduce the possibility of something bad happening? And the way we do that, and again, separating a little bit, we believe very strongly that LLMs, sort of general AI LLMs, are not the best tool for a lot of cybersecurity use cases. For report generation and blah, blah, blah, blah, reporting up to your different clients, yes, that's great for it.
[00:14:20] We built a product that's based on a natural language processing engine, which is a semantic scoring engine, which is the opposite. So like if you think of an LLM, it takes a small amount of thing and it generates a lot of crap out of it, right, which is where the hallucinations come in. And NLP is kind of like the opposite, right, where it takes a lot of structured and unstructured content, narrows it down, analyzes it by different semantics, what your different use cases are, and gives you the minimum amount of stuff for you to, again, make a high-quality decision on.
[00:14:49] So what we're doing is using AV of the old days, right? If you think about the heuristic antivirus back in the day, it was looking for patterns. It didn't require lots of people to look at it. It would analyze what was out there and narrow it down and go, okay, these three things we have to block. Everything else is okay. Yeah, and the great thing about a semantic scoring engine is that it doesn't care. Whatever use case or whatever role you have, and not only necessary in cybersecurity, but 100% cybersecurity, like, hey, let's narrow.
[00:15:19] And again, it works proactively 24 hours a day, seven days a week. Sure. So it becomes like, hey, there's a security bulldog next to all the different people in your security organization, giving them the individuality in your team collectively, little data points to help you make better, faster decisions. And again, in cybersecurity, it's all about how fast can you make decisions and remediate stuff, right? It's all about speed. It's all about time. It's funny.
[00:15:46] The first thing that popped in my head when you were explaining the process, I started thinking about going to a library and trying to find a book without checking in with the librarian first. Like, assuming you understand the indexing that they're using and assuming that you know what title you're looking for and maybe author, you might get into the vicinity of where you're trying to find it.
[00:16:10] But depending on how big the library is, you could still spend hours searching for a book just because you don't know the ins and outs of that particular library. Obviously, that would be catastrophic if we applied that model of like, I'm going to go ask so-and-so who's our go-to for knowing everything in our MSP to help us make a decision. I've got five minutes. Yeah. Well, and again, like in cybersecurity, it all gets turned into tickets, right?
[00:16:39] So, like when you think about the mundane, practical, okay, how does this really work in practice? Well, in cybersecurity, it's tickets. So a SOC or a SOC services thing. Basically, you're just creating a bunch of tickets and then you've got to remediate those tickets. But then as the real world changes and priorities change, like those tickets get moved around. And what's a critical ticket and what's a medium ticket? Well, those medium ones just sit there forever, right? So it's not just, hey, what do we have to do today?
[00:17:06] But it's what does our workflow look like over weeks and months and years? And for an MSP, obviously, across all those different clients. Like, and how many tickets are their proof of client? Are you clearing them out? Are you in charge of remediation? Are you not in charge of remediation? Like, where is your SLA stand up? I think makes a big difference for MSPs. Like, what actually are you doing? Is it just alerting or are you actually in there remediating?
[00:17:30] Well, and I think that if we weren't boiling the ocean and we just wanted to solve one thing that helps MSPs is to reduce the noise and identifying false positives, right? Like, if I look at the average deployment of some sort of SIM tools particularly, usually you go in and look and it's like, how come this hasn't been tuned? Oh, I haven't had time. So basically, you have a tool that's doing nothing that you're paying for because you can't keep up with the amount of information it's consuming.
[00:17:59] So that's a big one right in and of itself, right? We don't have the human bandwidth as limited to what they can do with tools like, you know, the Palo Altos and the CrowdStrikes and some of the other big SIM products. You know, that's a lot of information that, you know, this is bigger than the fire hose, right? This is an ocean. This is a tsunami of information. So you got that one. That's obviously a big one. And then I think right after that probably is like the ability to respond and remediate is a nightmare.
[00:18:29] And I think you and I might have talked about this before. With Mythos, you know, CVEs are going to become an obsolete KPI. Like, right? We're not going to be able to say, oh, look, I reduced all 85 CVEs down to four. Like, and? Like, what's likely coming is not going to ever make it to a CVE. Or if it does, it'll be long after you've been hit by it. So I think, you know, the problem was never, oh, let's clear out all the vulnerabilities, right?
[00:18:58] Because it is, it's always been, hey, do these, are these vulnerabilities applicable to my IT environment? Right? Sure. Right? I don't care, right? If I don't have Cisco in my environment, I could care less what happens to Cisco, right? Sure. Right? So, hey, how do I narrow it down to what's pertinent to me? What's my IT environment? What cybersecurity tools am I using? It can, if it's exploitable, okay, yes or no. Okay, it's a thing, it's pertinent to my thing. Has it been exploited? Right? There's different databases that can tell you what's been exploited and why not.
[00:19:28] Okay, if it is, are they threat actors? Right? You can miter attack. You can look at it that way. We can do threat hunting and there's different ways of looking at it. Okay. And then can it get access to my high value assets? Right? Because in the end, like you said in the beginning, like it's about the data. Right? So, if it has, oh, it's exploitable, but it's my web browser. Well, okay. Okay. Sure. Okay. That's a problem. And we'll give it the due retention it deserves. But as long as my high value assets, the core data that's pertinent, privacy data and otherwise, that's where I'm looking at.
[00:19:57] That's what I'm really looking to protect. And if I got limited time and resources, that's where I'm going to spend the most of my energy is protecting inward from those high value assets in that database. You know, I think about back in the day, I worked on a project and it kind of goes hand in hand with this because I think about what we're capable of doing for a place in time. Right? So, we did a security vulnerability assessment against our organization.
[00:20:22] And as we were identifying the assets that were either edge or near edge devices, we started having these conversations internally like, this seems to have a public facing interface. Maybe not a big deal. But like, what else does this asset have access to because it's in the chain of connected assets?
[00:20:45] And over the course of like a two-week period of time, we identified that something that should not have ever been given public facing access, let alone what's exploitable on it, factored in.
[00:20:57] And the logic behind it is why I think it's relevant is they didn't think that the security concerns we had identified until we proved exploitability were relevant because they saw them as they were too far away from the likelihood and reachability based on the outside to the inside. Right? But that was a spot in time. Right?
[00:21:19] So, like, today, and with continuous vulnerability improvement and the ability for the threat actors to continuously find new ways to attack, you can't wait until the next time we do the annual security assessment to figure out what holes have been poked into the fabric to be exploitable again. Yeah.
[00:21:41] I mean, it's, you know, it's, in having, you know, and this is where continuous monitoring comes in and having an accurate map and shadow IT and, you know, the more gaps between, you know, what you're looking to defend in terms of, you know, if you're doing it once a year, that's no, that wasn't, that wasn't enough five years ago. Right? Let alone. Right, but if you, right? Well, let's, let's just go down that path for a second.
[00:22:07] You've got regulatory frameworks and, and frameworks just in general that are established best practices of when you should do certain things. Pen testing is a great example. There's not, I don't know of a framework. I could be wrong here because I haven't checked in a while, but most of them point to pen testing happening once a year. They look at vulnerability or continuous vulnerability management as something that you do on an ongoing basis, but it doesn't say do it, you know,
[00:22:35] continuously it says to, you know, at least do it like on a quarterly basis or a monthly basis. Like those are still spot in time checking in between. It's still quite open for, you know, Hey, wait till the, wait till the security guard goes by. They come by every three and a half minutes and then you can go in without even trying, right? Like no one's going to detect you because you may just to go through when the security guard wasn't looking. Well, and again, five, 10 years ago when time to exploit was like a couple of years, maybe you had a little bit of time, but time to exploits.
[00:23:04] It's now down to what it was like a week last year and it's like a matter of days now. Right. So depending on the type, yeah, it's, it's within days for sure inside of 30 days. In some cases they're talking about things that if it were to hit your system is, is potentially minutes. Correct. Um, so yeah. So, I mean, so, so again, like mythos or whatever it's going to be and like the anti mythos, right? There's a gap between the deployment of the bad actors and like the defense.
[00:23:33] And again, same cybersecurity has been the same sort of thing. Like the cat mouse game between the attackers and defenders have like, if there's a mythos can find these institutions, there should be an anti mythos. They could do the exact same thing. Just finding the patches. Right. But it's always going to be slightly delayed because cybersecurity defenders are generally speaking not as empowered as they should be to like do these things. And the government, you know, the role of organizations is not to be a hundred percent secure. It's to be mostly secure and prevent the, you know, the outcome of bad things happening.
[00:24:01] So, um, you know, how, how bad the gap is between, you know, mythos or whatever it is, you know, and it's already bad, like already existing AIs can already do most of this stuff already. Right. So any scary story you read in the newspaper, it's, you know, what guy was doing a event, a panelist was talking about this. He still was talking about this at an event. It was like, it's all right. It's already there. Right. We don't need some magical mythos.
[00:24:28] Like the AI tools that are already there can already do these things functionally faster than the human, a traditionally human setup or traditionally human compliance standards. Right. So it's already well past the ability to do that, which means you're going to get breached. So, you know, people thinking about it, this is where MS Keys can help in terms of, hey, you're going to get breached.
[00:24:51] So you got to really think a hell of a lot more about what your, what your resilient strategy is, like what your backups are. Like you got to, okay, this break in, you know, what's the, what does that emergency plan really look like? Like. Sure. Yeah. I think, I think the, the kicker is emergency or not, do you have a plan?
[00:25:11] And I think that most MSPs who are planning the things that you're, you're talking about addressing through the use of AI and, you know, giving me sort of the TLDR is that, you know, I have limited time to execute plan when the time arises. Right. Like we can always be planning, but executing plans is a lot more difficult.
[00:25:34] You know, like we don't know when, when it's going to get triggered to, to say, oh, we got to use this plan and then to find out, I mean, obviously tabletop exercises and, and planning again, go hand in hand, but we can't predict all things. Right. So you got to have some sort of, and again, like MS, MSPs, MSPs are targets themselves. Right. Right.
[00:25:56] So you have access, you have access to the crown jewels, some sort of real way for, for, for a customer, you know, they're going to, they know that, right. They're going to, and maybe the MSPs, the weak link in the chain because they aren't doing their internal security as well as they possibly should. Right. And that's, that's some, you know, and that's something you want to think about as well is, you know, the self, if there's software supply chain vulnerabilities of people copying and passing code, or there certainly is, you know, service provider vulnerabilities to, to look into.
[00:26:25] Oh, if I want to get into XYZ huge company, maybe going in the back door or through the MSP is the way to do it. But copy and paste has been a problem forever, right? Like you think about PowerShell scripts, like I Googled it, it told me what to copy and paste. I didn't bother reading the code. It also added a couple other things that included sending stuff to another destination. Yeah. We can do better. We got a couple minutes left.
[00:26:50] I want to give time for letting our audience know where they can learn more about Security Bulldog if they're interested. I believe it's securitybulldog.com slash about. Oh, securitybulldog.com is the main website. I'm Jeff Mike. I'm the founder. If you want to get in touch with me, so it's Jeff at securitybulldog.com. We're all over the social media. We're not hard to find. Again, we're a SaaS platform that pre-collects open source intelligence.
[00:27:19] We're there to lower costs and speed remediation for enterprise cybersecurity teams and or MSP as well. So if you want to learn more, please reach out to me. It's available, not hard to find. Last question. Is there a book that you are currently reading or have recently read that you think our audience should consider reading? Oh, God. You know, I've not been... I knew you were going to ambush me with a question I didn't know the answer to.
[00:27:48] You know, I've been really bad at reading books. The one I've been meaning to read is The Phoenix Project, which is the famous cybersecurity book from the 80s and the 90s about the guy who found the spying hacking operation. I don't know the name of the offer off the top of my head. But that one's a question.
[00:28:12] I don't know that particular one, but I remember around the same time was The Cuckoo's Egg by Chuck Stoll. He wrote about the first what would have been considered cyberterrorism, quite honestly,
[00:28:28] because they were able to determine it was a Chinese threat actor that had circumvented and bypassed many of the ways in which one should have been vetted for being able to connect to a modem in any environment, let alone Berkeley. Yeah. Yeah. Well, that's great. I will make a note of The Phoenix Project. I love reading the ones that remind us of we still haven't made the changes to improve our cyber hygiene since the 70s. At least that long.
[00:28:59] Well, the... Yeah, yeah. No, go ahead. No, no. The origin story, the story I always like to tell people is... So the baby internet was what, ARPANET, right? Yep. They had a meeting in 1971 or 72 where a guy came in and he was like, hey, we need to build security into the internet, right? Into the basic protocols.
[00:29:25] And they were in Berkeley somewhere at a classroom talking about it. And it all got voted down because everybody was like, well, we know everybody. Like, there's only like six nodes, right? There's University of Chicago, Berkeley, New York, like Harvard. Like, there's only like eight different, you know, computer labs that are actually, research labs that are actually using ARPANET. So like, why would we need security? Like, I already trust everybody on this network. And so they voted it down again because it was probably a pain in the ass and people are lazy.
[00:29:55] Even really, really smart computer science nerds are lazy, right? So... By the mid-90s, there were so many nodes that you really couldn't know. So... And by the time, it was too late, right? By the time they do anything about it, it was too late. Yep. So we all use this communication system, which is designed to be not secure by its original designers. It was designed flawlessly, right? Well, there you have it.
[00:30:22] For those of you that have been listening, this has been an episode of MSP 1337. Thanks and have a great week.