Kevin Mandia On GenAI Threats, Joining Up With MDR Vendor Expel

In an interview with CRN, the Mandiant founder discusses joining the board at Expel and why he believes GenAI is ‘going to help the defender more.’

When it comes to generative AI, cybersecurity luminary Kevin Mandia believes the technology will end up as a bigger asset to cyber defense teams than hackers—even though the benefits for attackers are clearly massive.

Even apart from the well-known usefulness of GenAI tools such as ChatGPT for social engineering tactics—such as writing more-convincing phishing emails—attackers are also undoubtedly attempting to use the capabilities for finding previously unknown zero-day vulnerabilities, Mandia said in a recent interview with CRN.

“The number of zero days every year has gone up tremendously,” he said, indicating that AI advancements are possibly, but not conclusively, a factor there.

“Zero-day discovery may be aided by some AI engines. We just don’t know,” Mandia said. “But someone’s finding more.”

Mandia also discussed the spate of highly disruptive cyberattacks in 2024 and his recent move to join the board of directors at Expel, a major provider of managed detection and response (MDR).

The announcement comes after Mandia stepped down as CEO of Mandiant—the esteemed cyber incident response and threat intelligence firm that he founded in 2004—in May. Mandiant was acquired by Google for $5.4 billion in 2022.

Mandia said joining the board at Expel was a natural move due to his long-running connection with Expel CEO Dave “Merk” Merkel, who had served as vice president of products and then as CTO at Mandiant. Mandia also lauded Expel’s tech-agnostic MDR platform—which offers customers the ability to “subscribe to the outcome of getting aggressive, agile cyber defense in a time when you need it.”

Speaking with CRN, Merkel said Mandia’s expertise and network will provide a massive boost as Expel looks to scale to the next level, after recently surpassing $100 million in annual recurring revenue.

“[Mandia] understands the threat. He understands the direction it's going, and he knows all the people that are wrapped up in that, both in the civilian and government world,” Merkel said. “That’s just a tremendous asset in terms of being able to work with Kev.”

Here is more of CRN’s interview with Mandia.

Do you believe attackers are intentionally trying to increase the disruption at this point, for instance with attacks on health-care providers and software makers?

No question, you make more money as a criminal if you inflict more pain. Part of the pain infliction is public disclosure, public humiliation, threatening of executives. And those are new levers that have been pulled by attackers over the last few years. It’s not just break in and encrypt stuff. Now it’s, let’s break in and steal stuff and create more pain by divulging information to reporters, divulging things online and doing threats. So you have very brazen acts, little risk of repercussions to those acts, and we’re just playing defense. A lot of folks will say, ‘The attackers aren’t that good.’ Or that the attackers are fundamentally just breaking through vulnerabilities that everybody should be able to patch—that’s simply not the case. It’s really hard when you play defense every day to play perfect defense.

Do you see GenAI as a greater help to the attackers or to defenders?

I think GenAI is going to help the defender more. We can scale internally, and we have access to our own data. So I think it’ll help us train our people faster as well so that when you get the newbie that comes in, we ought to be able to solidify processes that just make them better at the job, far faster. It took me two years of just hitting log files and hitting ‘page down’ every day, when I worked at the Pentagon back in the ’90s. I had nowhere to go if I saw something interesting. AI is just going to present, ‘Here’s why we think this is interesting.’ So you shortcut the black hole—where you go down the rabbit hole, and you can’t find anything at all.

It is almost impossible to know when AI is being leveraged in an attack. But the number of zero days every year has gone up tremendously. We found 105 last year, and there used to be like 10 to 20 a year. So maybe AI can help the adversary [with that]. Zero-day discovery may be aided by some AI engines. We just don’t know. But someone’s finding more.

What prompted the decision to join the board at Expel?

I always wanted Merk to call and ask [me to get involved], but he didn’t for a long time. And that’s good because he was working through the hard parts of building the company from scratch to well over $100 million in ARR. So that’s damn impressive. When we worked together from 2006 to 2014 at Mandiant, Merk built our whole software engineering, our products, our go-to-market. I wouldn’t be where I was today without his efforts. I was impressed with his skills and his leadership the whole time. He had built something great at Mandiant, and I knew he was going to build something great at Expel. And it’s just really great to finally get that call. As soon as he called, unbeknownst to him, I was a fish ready to bite. I was like, ‘Hey, put me in. I'm ready.’ And I believe in the market—there’s so many companies that just want help in cybersecurity. So for me, this was a no-brainer. I’ve got the time and I’m excited to help.

What are some of the areas you’re looking to get involved with at the company?

What I want to do is help differentiate—get really close to the tech, see how they do it, get close to the people—so I can go out and be an evangelist. I meet most CISOs when they’re under duress; something bad’s happened. But it’s also an interesting time to meet them because you’re very credible at those moments. And I would like to help them. And when Expel’s the answer, I want to be able to have the megaphone out saying, ‘Here’s what can help you.’ And I've always been very genuine. In security, you have to be. You can’t show up and go, ‘I have a solution that somewhat works.’ That doesn’t do very well in security. And then something bad happens and there’s huge impact. This is not a place where you can be a car salesperson. You’ve got to sell the solutions that work. And I’m convinced Expel works.

Could you speak a bit more about how you might assist with differentiation at Expel?

Everybody’s going to say, ‘We have the best people.’ And we were up against that at Mandiant, and everybody’s beating their chest saying, ‘We’re the best, no, we’re the best.’ I want to come in and say, ‘We’re the best, and here’s why.’ And be exact, be honest, be genuine and say, ‘This is why it matters.’ And that’s what excites me about this.

We’ve been doing security for over 30 years. This is all we know. This is the mission we chose, or it chose us. Cybersecurity is not a problem you solve because you went to Wharton Business School and you felt like being an entrepreneur. This is something you live and you breathe. And when something happens to your customers, you don’t even differentiate between yourself and the customer. It’s happening to us, and now we have to do something. And that’s the kind of mentality Merk has, and the team at Expel has. So I’m excited to be able to represent them. I’ve got to do the homework to represent them the right way. And that’s the stage we’re at now.

In particular, what is the importance of having someone like yourself on a company board?

There’s nothing wrong with having a bunch of PE [private equity] people and financial people on your board. And actually, they give the right guidance 99 percent of the time. But they say it in a way where you can get it done by tomorrow. Because everything’s easy when you’re not the person that has to do it. I’ve had boards. I did 26 quarters as a public CEO. They were always right, but they’d be like, ‘Hey, you’ve got to do this and do that, and can you get it done in three days?’ And I’d just burst out laughing—‘No, I’ll need a little more than three days.’ They’re not the ones that need to have the 17 critical conversations that make that plan become a reality. And those are the things that wear down CEOs. I got exhausted planning the changes that were always happening because you had to talk to people. Those things exhaust operators. So I hope to help in that regard. I hope that I can help Merk in some of those conversations and help them recognize it’s not easy. There’s nothing easy about it.

When it comes to MDR, what is the biggest value you see for customers at this point?

I think people want to feel safe and secure at their enterprise. That’s what you want to bring to the table with MDR—the ability to get people to feel self-assured that they have an aggressive, agile defense, and they can run their business and not have to worry about it. And you’re never done. I think that’s one thing we learned in security. We’re not going to wake up and go, ‘Oh, Expel’s done innovating now, we’re good to go.’ You’re always going to need to have that mindset of constant pursuit of what’s going to happen next. But ultimately, that is in my opinion the desired end state for every CISO—they want to be able to go to sleep at night going, ‘Expel’s got our back.’

Given that there are so many players in MDR right now, what do you see as the reason that Expel has the right approach to MDR?

Getting something better for less is a great thing. And in cybersecurity, it's an excellent thing. And that’s exactly what you get when you look at Expel. You can subscribe to the outcome of getting aggressive, agile cyber defense in a time when you need it. Cybersecurity has never been more important. I get to say this every day because every day it goes up and to the right. Geopolitical conditions drive it. Until you have world peace and everybody feels economically taken care of, you’re going to still have crime. So there’s no risk or repercussions to the attackers. There’s unlimited shots on goal for the offense because of the safe harbors for the criminal element and cyber espionage. So you don’t have much deterrence, unlimited shots on goal. Greater dependence on technology and impact of the breach has never been higher than today. Now cars are online. You have wearable devices. Both in our own lives, private lives, and at our enterprises and organizations, dependence on technology has never been [greater]. Hence, with cybersecurity, you’ve got to do it right. And there’s not even enough cybersecurity experts. What you want to do is be able to subscribe to the outcome and get the outcome of scaling the best experts. Cybersecurity is fascinating to me because if you have 50 average people, well then, you’re average at cybersecurity. It’s just that simple. You do need people that are exceptional, and there’s just not a lot of them. And Expel’s got a way of taking the experts and the knowledge and providing that value to all their customers. I think that’s critical.