Emma Zaballos is an avid threat researcher who’s enthusiastic about understanding and combatting cybercrime threats. Emma enjoys monitoring dark web marketplaces, profiling ransomware gangs, and using intelligence for understanding cybercrime.
CyCognito, founded by veterans of national intelligence agencies, specializes in cybersecurity by identifying potential attack vectors from an external perspective. The company provides organizations with insights into how attackers may perceive their systems, highlighting vulnerabilities, potential entry points, and at-risk assets. Headquartered in Palo Alto, CyCognito serves large enterprises and Fortune 500 firms, including Colgate-Palmolive and Tesco.
You have a diverse background in cybersecurity research, threat analysis, and product marketing. What first sparked your interest in this field, and how did your career evolve into exposure management?
Right out of school, I worked as an analyst on a global trade lawsuit that involved tracking a network of actors across the US (and internationally). It was a super interesting case, and when I began looking for the next thing, I found a job at a dark web monitoring startup (Terbium Labs, now part of Deloitte) where I essentially pitched myself as “hey, I don’t know anything about the dark web or cybersecurity, but I have experience tracing networks and behavior and I think I can learn the rest.” And that worked out! I kept working in cybersecurity as a subject matter expert with a focus on threat actors through 2022, when I joined CyCognito in my first product marketing role. It’s been great to still be working in cybersecurity, which is an industry I’m super enthusiastic about, while trying out a new role. I like that I get to satisfy my love of data-driven storytelling through writing content like CyCognito’s annual State of External Exposure Management report.
You mention that you’ll never own an Alexa. What concerns you most about smart home devices, and what should the average person know about the risks?
If you spend any time looking into the dark web, you’ll see that cybercriminals have an immense appetite for data—including consumer data collected by companies. Your data is a valuable resource, and it’s one that many companies either can’t or won’t protect appropriately. You as a consumer have limited options to control how your data is collected, stored, and managed, but it’s important to be as informed as possible and control what you can. That may mean getting very good at adjusting settings in your apps or devices, or just forgoing some products altogether.
By necessity, if you have a smart assistant enabled on your phone or a smart home device that requires a voice cue, the microphone needs to be listening continually to catch you asking for something. Even if I trust that the company is protecting those recordings and deleting them, I just personally don’t like the idea of having a microphone always on in my home.
There are definitely products and services of convenience that collect my data and I use them anyway, because it’s somehow worth it for me. Smart home products, though, are something where I’ve personally drawn the line—I’m okay physically going over and adjusting the lights or making a grocery list or whatever, instead of telling Alexa to do it. The Internet of Things offers some incredible benefits to the consumer, but it’s also been a boon to cybercriminals.
You’ve worked in both the federal and private sectors. How do the cybersecurity challenges differ between these environments?
When I worked on contract for the Department of Health and Human Services in their Health Sector Cybersecurity Coordination Center, it was far more focused on digging into patterns and motivations behind cybercriminals’ actions—understanding why they targeted healthcare resources and what sort of recommendations we could make to harden those defenses. There’s more room to get really in-depth on a project in the public sector, and there are some incredible public servants doing work on cybersecurity in the federal and state governments. In both my startup roles, I’ve also gotten to do really interesting research, but it’s faster paced and more focused on tighter-scoped questions. One thing I do like about startups is that you can bring a little more of your own voice to research—it would have been harder to present something like my “Make Me Your Dark Web Personal Shopper” talk (DerbyCon 2019) on behalf of HHS.
In your recent article, you highlighted the rapid growth of the dark web. What factors are driving this expansion, and what trends do you see for the next few years?
The dark web is always dead, always dying, and always surging back to life. Sadly, there’s a consistent market for stolen data, malware, cybercrime-as-a-service, and all the other kinds of goods associated with the dark web, which means that even though dark web standbys like Silk Road, AlphaBay, and Agora are gone, new markets can rise to take their place. Political and financial instability also drives people to cybercrime.
It’s become cliché, but AI is a concern here – it makes it easier for an unsophisticated criminal to level up skills, maybe by using AI-powered coding tools or generative AI tools that can generate compelling phishing content.
Another factor driving the dark web renaissance is a strong crypto market. Cryptocurrency is the lifeblood of cybercrime—the modern ransomware market basically exists because of cryptocurrency—and a crypto-friendly government under the second Trump administration is likely to exacerbate dark web crime. The new administration’s cuts to federal cybersecurity and law enforcement programs, including CISA, are also a boon to cybercriminals, because the U.S. has historically led enforcement actions against major dark web marketplaces.
What are some of the biggest misconceptions about the dark web that businesses and individuals should be aware of?
The biggest misconception I see is that the dark web is this massive, mysterious entity that is too complex to understand or defend against. In reality, it makes up less than 0.01% of the internet—but that small size masks its true impact on business security. Another common myth is that the dark web is impenetrable or completely anonymous. While it does require specialized tools like the Tor browser and .onion domains, we actively monitor these spaces every day. Because of the publicity around the takedown of the Silk Road marketplace, organizations often think the dark web is only for selling illegal goods, like drugs or weapons, not realizing it is also a huge and complex marketplace for corporate assets and data. The truth is that the dark web is something it’s not only possible but essential for organizations to understand, because it has the potential to directly impact every business’s security posture.
You mentioned that organizations should “assume exposure.” What are some of the most overlooked ways companies unknowingly expose their data online?
What I find fascinating is how many companies still don’t understand the breadth of their exposure and the ways they could be exposed through the dark web. We often see leaked credentials circulating on dark web marketplaces—not just basic login details, but admin accounts and VPN credentials that could provide complete access to critical infrastructure. One particularly overlooked area is IoT devices. These seemingly innocent connected devices can be compromised and sold to create botnets or launch attacks. Modern IT environments have become incredibly complex, creating what we call an “extended attack surface” that goes far beyond what most organizations believe they have. We’re talking about cloud services, network access points, and integrated systems that many companies don’t even realize are exposed. The hard truth is that most organizations have far more potential entry points than they think, so it’s better to assume there’s an exposure out there than to trust your existing defenses to be perfect.
How are cybercriminals leveraging AI to enhance their operations on the dark web, and how can businesses defend against AI-driven cyber threats?
Cybercrime isn’t really creating new kinds of attacks—it’s accelerating those we already know. We’re seeing criminals use AI to generate hundreds of incredibly convincing phishing emails in minutes, something that used to take days or even weeks to do manually. They’re developing adaptive malware that can actually change its behavior to avoid detection, and they’re using specialized tools like WormGPT and FraudGPT that are specifically designed for criminal activities. Perhaps most concerning is how they’re managing to compromise legitimate AI platforms – we have seen stolen credentials from major AI providers being sold, and there is a growing effort to “jailbreak” mainstream AI tools by removing their safety limitations.
But the good news is that we’re not defenseless. Forward-looking organizations are deploying AI systems that work around the clock to monitor dark web forums and marketplaces. These tools can analyze tens of millions of posts in minutes, understand criminal coded language, and spot patterns that human analysts might miss. We’re using AI to scan for stolen credentials, monitor system access points, and provide early warning of potential breaches. The key is that our defensive AI can work at the same speed and scale as the criminal tools—it’s really the only way to keep up with modern threats.
CyCognito takes an “attacker’s perspective” to identify vulnerabilities. Can you walk us through how this approach differs from traditional security testing methods?
Our approach starts with understanding that modern IT environments are far more complex than traditional security models assume. We also don’t rely on what organizations know to inform our work – when attackers target an organization, they’re not getting lists of assets or context from their target, so we also go in with zero seed data from our customers. Based on that, we build a map of the organization and its attack surface and place all their assets in context in that map.
We map the entire extended attack surface, going beyond just known assets to understand what attackers actually see and can exploit. When we monitor dark web marketplaces, we’re not just collecting data—we’re understanding how leaked credentials, privileged access, and exposed information create pathways into an organization. By overlaying these dark web risks onto the existing attack surface, we give security teams a true attacker’s view of their vulnerabilities. This perspective helps them understand not just what might be vulnerable, but what’s actually exploitable.
How does CyCognito’s AI-driven discovery process work, and what makes it more effective than conventional external attack surface management (EASM) solutions?
We start with a fundamental understanding that every organization’s attack surface is significantly larger than traditional tools assume. Our AI-driven discovery process begins by mapping what we call the “extended attack surface”—a concept that goes far beyond conventional EASM solutions that only look at known assets.
Our process is comprehensive and proactive. We constantly scan for four critical types of exposure: leaked credentials, including hashed passwords that attackers might decrypt; accounts and privileged access being sold on dark web marketplaces; IP-based information leaks that could reveal network vulnerabilities; and sensitive data exposed through past breaches. But finding these exposures is just the first step.
We then map everything back to what we call the attack surface graph. This is where context becomes everything. Instead of just handing you a list of vulnerabilities like conventional EASM solutions do, we show you exactly how dark web exposures intersect with your existing infrastructure. This allows security teams to see not just where their data has ended up, but precisely where they need to focus their security efforts next.
Think of it as building a strategic map rather than just running a security scan. By overlaying dark web risks onto your actual attack surface, we provide security teams with a clear, actionable view of their most critical security gaps. This contextual understanding is crucial for prioritizing remediation efforts effectively and ensuring a swift, targeted response to emerging threats.
Prioritization of risks is a major challenge for security teams. How does CyCognito differentiate between critical and non-critical vulnerabilities?
We prioritize vulnerabilities by understanding their context within an organization’s entire security ecosystem. It’s not enough to know that a credential has been exposed or an access point is vulnerable—we need to understand what that exposure means in terms of potential impact, and that impact can vary depending on the business context of the asset. We look particularly closely at privileged access credentials, administrative accounts, and VPN access points, as these often represent the highest risk for lateral movement within systems. By mapping these exposures back to our attack surface graph, we can show security teams exactly which vulnerabilities pose the greatest risk to their most critical assets. This helps them focus their limited resources where they’ll have the biggest impact.
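The idea running through the last three answers, that a leaked credential is only as serious as what it can reach once it is mapped onto an attack surface graph, can be sketched in a few dozen lines. The following is an added illustrative model written for this page, not CyCognito's code, product or scoring algorithm. The asset inventory, the reachability edges, the three dark web findings and the scoring weights are all constructed for the example; a real deployment would derive the graph from discovery data and tune the weights to its own environment.

```python
from collections import deque

# Constructed inventory for the example (not real infrastructure).
# "criticality" is an assumed 1-10 business-importance rating per asset.
ASSETS = {
    "marketing-site": {"kind": "web", "criticality": 2},
    "vpn-gw":         {"kind": "vpn", "criticality": 3},
    "jump-host":      {"kind": "host", "criticality": 4},
    "crm-db":         {"kind": "database", "criticality": 9},
}

# Attack surface graph: controlling the key asset lets an attacker pivot to
# the listed assets (constructed for the example).
EDGES = {
    "marketing-site": [],
    "vpn-gw": ["jump-host"],
    "jump-host": ["crm-db"],
    "crm-db": [],
}

# Constructed dark web findings. "hashed" means the leaked secret is a
# password hash that still has to be cracked; "privileged" means an
# admin-level account.
EXPOSURES = [
    {"id": "e1", "asset": "vpn-gw", "privileged": False, "hashed": True},
    {"id": "e2", "asset": "jump-host", "privileged": True, "hashed": False},
    {"id": "e3", "asset": "marketing-site", "privileged": False, "hashed": False},
]


def blast_radius(start, edges):
    """Assets reachable from `start`, including `start` itself (BFS over EDGES)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def score_exposure(exp, assets, edges):
    """Score = worst reachable asset's criticality x usability x privilege.

    The weights (4/10 for hashed vs. plaintext, 3/2 for privileged vs. not)
    are illustrative assumptions, not a published scale.
    """
    if exp["asset"] not in assets:
        raise KeyError(f"exposure {exp['id']} refers to unknown asset {exp['asset']}")
    reach = blast_radius(exp["asset"], edges)
    impact = max(assets[a]["criticality"] for a in reach)
    usability = 4 if exp["hashed"] else 10   # a hash still needs cracking
    privilege = 3 if exp["privileged"] else 2
    return impact * usability * privilege, reach


def prioritize(exposures, assets, edges):
    """Return the exposures ordered from most to least urgent."""
    ranked = []
    for exp in exposures:
        score, reach = score_exposure(exp, assets, edges)
        ranked.append({"id": exp["id"], "asset": exp["asset"],
                       "score": score, "reach": sorted(reach)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in prioritize(EXPOSURES, ASSETS, EDGES):
        print(f'{row["id"]:>3} {row["asset"]:<15} score={row["score"]:<4} reaches={row["reach"]}')
```

Run as a script, the ranking comes out e2, e1, e3: the plaintext admin credential on the jump host is first, as expected, but the hashed, unprivileged VPN credential (e1) still outranks the plaintext marketing-site credential (e3) because the VPN gateway is two hops from the CRM database. That ordering is the "context" the answer above describes; a flat list of leaked credentials sorted by type alone would put e1 last.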
How do you see cybersecurity evolving in the next five years, and what role will AI play in both offense and defense?
We’re in the middle of a fundamental shift in the cybersecurity landscape, largely driven by AI. On the offensive side, we’re already seeing AI accelerate the scale and sophistication of attacks in ways that would have been unimaginable just a few years ago. New AI tools designed specifically for cybercrime, like WormGPT and FraudGPT, are emerging rapidly, and we’re seeing even legitimate AI platforms being compromised or “jailbroken” for malicious purposes.
On the defensive side, AI isn’t just an advantage anymore – it’s becoming a necessity. The speed and scale of modern attacks mean that traditional, human-only analysis simply can’t keep up. AI is crucial for monitoring threats at scale, analyzing dark web activity, and providing the rapid response capabilities that modern security requires. But I want to emphasize that technology alone isn’t the answer. The organizations that will be most successful in navigating this new landscape are those that combine advanced AI capabilities with proactive security strategies and a deep understanding of their extended attack surface. The next five years will be about finding that balance between powerful AI tools and smart, strategic security planning.