JJ of Gecko Security and former Disney and Costco CISO Ryan Knisley on why AppSec needs an AI security engineer, not another scanner.
Description
AppSec has been stuck for years, drowning teams in noisy findings that never told them what was actually exploitable. JJ, co-founder and CEO of Gecko Security, and Ryan Knisley, former CISO at Disney and Costco, join Resilient Cyber to talk about what changes when an AI security engineer reasons across code, infrastructure, and design docs at once.
We get into why business logic breaks traditional SAST, why attackers think in graphs while defenders think in lists, why MTTR is a broken metric, how Cal.com went closed source in the AI era, and where AI-driven AppSec consolidation lands over the next two years.
Key takeaways
Gecko is an AI security engineer, not another scanner. It reasons across code, infrastructure, and documentation, so a finding arrives already mapped to whether it is reachable in production and what data it touches.
The context that tells you if a bug matters lives outside the code. Business logic, architecture, and runtime are where exploitability is decided, which is why scanning the code alone floods teams with noise.
Business logic is why traditional SAST fails, and why an LLM alone will not fix it. The same endpoint with no auth check is a critical bug in a document store and expected behavior in a social app, and only design docs and architecture tell the two apart.
Attackers think in graphs while defenders think in lists. A critical with a compensating control may not matter, while ten lows chained together can be the thing that actually reaches the asset you care about.
Exploit development is being commoditized. JJ describes a near future where the whole internet becomes one big bug bounty scope with agents running campaign-level attacks, so the old severity-ranking lens no longer holds.
Fix the class, not the ticket. Rather than patching bugs one by one, Gecko traces groups of findings back to the design decision that created them and eliminates every variant so the same issue never returns.
MTTR is a broken metric. A variant of last week's bug returns with a fresh clock, so teams close tickets to look healthy while risk stays flat, which is why Gecko measures recurrence rate instead.
Cal.com shows where open source is heading. After AI coding pushed its pull requests from about 30 a day to 100 with a one-person security team, being open source flipped from an advantage to a liability, so it went closed source and replaced four tools with one.
Tool consolidation is a risk decision, not a cost exercise. Ryan's shiny object problem leaves teams stacking scanners nobody can fully staff, and collapsing the stack lets you cross-train people and reduce real complexity.
The finding layer collapses, and human judgment moves up. When finding and fixing get cheap, the scarce work becomes deciding what is correct, whether to accept a risk on purpose, and owning the design decision for a whole class of bugs.
Chapters
00:00 Meet JJ and Ryan
02:46 Why Gecko is an AI security engineer, not another scanner
05:07 The trend of agentic and headless security tools
05:53 Why business logic breaks traditional SAST
06:27 The no-auth endpoint example and context outside the code
09:06 Attackers think in graphs, defenders think in lists
11:02 Commoditized exploit dev and the internet as one bug bounty
13:55 Shift left and why MTTR is a broken metric
15:07 Eliminating entire classes of vulnerabilities
15:51 Recurrence rate and avoiding risky refactors
18:22 The Cal.com case study and open source going closed
20:48 Consolidation and the shiny object problem in security
22:40 Where AI-driven AppSec lands in two years
27:12 What it takes to trust an AI security engineer
28:57 Where to find Gecko and the Black Hat talk