Coffee, Chaos and ProdSec
Cameron Walters & Kurt Hendle
19 episodes
4 hours ago
Coffee, Chaos & ProdSec is where cybersecurity meets caffeine-fueled chaos. Hosts Kurt (security architect and chaos tamer) and Cameron (ProdSec wrangler and DevSecOps junkie) dive into hacking, AppSec, supply chain failures, AI surprises, and the everyday madness of defending modern systems. With humor, sharp insight, real breach breakdowns, bad password confessions, and a few questionable impressions, they explore the messy reality of security and how teams survive it. New episodes every Wednesday at 5 AM Eastern.
Technology
All content for Coffee, Chaos and ProdSec is the property of Cameron Walters & Kurt Hendle and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Episodes (19/19)
Coffee, Chaos and ProdSec
Ep 18 - Brace Yourself for 2026: AI-Powered Mayhem and Coffee-Fueled Product Security Predictions

🎙️ Coffee, Chaos and ProdSec, Ep 18

2026 is getting closer, and security is already acting weird.

So this week, Kurt and Cameron grab their mugs and talk through what they see coming next for Product Security and the teams trying to keep up.

From AI agents showing up in the SOC, AppSec, DevSecOps, and GRC, to supply chain risks getting deeper and harder to see, this episode walks through the trends that are starting to take shape right now. The kind that change how work actually gets done, not just how tools are marketed.

They unpack how AI is speeding up code, reviews, and attacks at the same time, why remediation speed is becoming the real bottleneck, and how identity, cloud, and infrastructure are turning into the main battlegrounds. There are strong opinions, a few laughs, and plenty of moments where the future feels exciting and a little uncomfortable.

If you work in Cybersecurity, Application Security, Product Security, DevSecOps, or Software Supply Chain Security, this episode is a look at 2026 through the lens of people who live this stuff every day. All powered by coffee and curiosity.

☕ New episodes every Wednesday.

Coffee, Chaos and ProdSec -> strong coffee, stronger opinio

1 day ago
1 hour 7 minutes 11 seconds

Coffee, Chaos and ProdSec
Ep 17 - Breaking Into Product Security, AppSec, DevSecOps, and Cloud Security Without a Degree

🎙️ Coffee, Chaos and ProdSec, Ep 17

Breaking into cybersecurity without a degree feels impossible, yet people do it every single day. So this week, Cameron and Kurt grab their mugs and get real about how career changers actually break into Product Security, Application Security, DevSecOps, and Cloud Security when their background looks nothing like tech.

Your hosts dive into the honest truth behind this path, the rejection, the gatekeeping, and the internal drive it takes to push through. They explore how personal brand becomes your signal in a noisy market, how a strong pivot story makes people want to invest in you, why networking still matters more than any certification, and which technical skills help you stand out early. They even dig into how AI has become a learning accelerator for anyone who knows how to use it with intention.

If you are trying to make the jump into security or you want to help someone who is, this episode gives you a roadmap instead of a motivational slogan.

☕ New episodes every Wednesday.

Coffee, Chaos and ProdSec, strong coffee, stronger opinions.

1 week ago
1 hour 11 minutes 35 seconds

Coffee, Chaos and ProdSec
Ep 16 - Part 2 - Get Comfortable Being Vulnerable: When AI, Risk, and Reality Collide in AppSec

🎙️ Coffee, Chaos and ProdSec - Ep 16

Last week we mapped the problem — now we break the system. Kurt and Cameron return with part two of our vulnerability deep dive, tackling CVSS chaos, broken tooling, exploding CVE volume, and how AI is about to overwhelm traditional prioritization models.

From exposure validation turning 15,000 findings into 300 actionable items, to ASPM finally giving Product Security teams real visibility, to PCI-DSS forcing companies to patch issues that don’t matter, this episode explores where vulnerability management is heading and what “good” will need to look like next.

If you care about Cybersecurity, DevSecOps, Software Supply Chain Security, or how AI will reshape the VM landscape, this one is your next caffeine boost.

☕ New episodes every Wednesday.

Coffee, Chaos & ProdSec — strong coffee, stronger opinions.

2 weeks ago
1 hour 6 minutes 54 seconds

Coffee, Chaos and ProdSec
Ep 15 - Part 1 - Get Comfortable Being Vulnerable: The Chaos Behind Every CVE and Every Risk

🎙️ Coffee, Chaos and ProdSec - Ep 15

Vulnerabilities are piling up faster than teams can read the reports, and vulnerability management is buckling under the weight. So this week, Kurt and Cameron grab their mugs and dig into why modern VM feels impossible, why severity scores mislead everyone, and how reachability and exploitability matter far more than giant spreadsheets of “critical” issues.

From CVSS confusion to EPSS and CISA KEV reshaping prioritization, to AI accelerating discovery and noise, this episode unpacks how we got here and why most organizations are fixing the wrong things.

If you work in Cybersecurity, Application Security, Product Security, DevSecOps, or you simply enjoy hearing two leaders question the entire VM ecosystem, this one is for you.

☕ New episodes every Wednesday.

Coffee, Chaos & ProdSec — strong coffee, stronger opinions.

3 weeks ago
1 hour 11 minutes 58 seconds

Coffee, Chaos and ProdSec
Ep 14 - DevSecOps Without the Buzzwords - What It Really Takes to Build Secure Software

🎙️ Coffee, Chaos and ProdSec - Ep 14

DevSecOps gets thrown around in cybersecurity more than any other term, but almost no one agrees on what it actually means.

So this week, Kurt and Cameron pour fresh mugs and unpack the real practices behind modern Application Security, Product Security, DevSecOps, and Software Supply Chain Security without the marketing fluff.

From threat modeling and architecture reviews, to CI/CD guardrails, identity patterns, SBOMs, pipeline automation, and why DAST still refuses to fit anywhere, this episode digs into how security can integrate into the entire software lifecycle without slowing teams down.

Cameron and Kurt break down why DevSecOps is more culture than tooling, how design flaws start long before code, what AI is about to break next, and why “shift everywhere” beats “shift left” every time. 

If you work in cybersecurity or just enjoy hearing two security leaders question reality over caffeine, this one is your new weekly ritual.

☕ New episodes every Wednesday.

Coffee, Chaos & ProdSec — strong coffee, stronger opinions.

4 weeks ago
1 hour 9 minutes 57 seconds

Coffee, Chaos and ProdSec
Ep 13 - Untangling Cloud Security - Foundations, Failures, and What Teams Miss

🎙️ Coffee, Chaos & ProdSec – Ep 13

This week, Cameron and Kurt tackle the questions everyone claims to understand but absolutely argues about in every cloud meeting. What is the cloud really? Why is identity suddenly the perimeter? And how did Kubernetes quietly become everyone’s new production environment?

We break down the real concerns behind cloud sprawl, misconfigurations, and identity chaos, plus why CSPM, CWPP, CASB, DSPM, and a dozen other acronyms all matter more than people want to admit.

We get into:

  • Why cloud security shifted to identity first
  • The real risk of skipping CSPM
  • Protecting Kubernetes without tears
  • API chaos and data exposure
  • The tech stack modern teams actually need

☕ New episodes every Wednesday.

Coffee, Chaos & ProdSec — strong coffee, stronger opinions.

1 month ago
1 hour 4 minutes 13 seconds

Coffee, Chaos and ProdSec
Ep 12 - OWASP Top 10:2025 RC1 Breakdown - The Vulnerabilities That Refuse To Die

🎙️ Coffee, Chaos & ProdSec - Ep 12

The OWASP Top 10:2025 RC1 is here, and it is already causing chaos. So this week, Kurt and Cameron grab their mugs and break down every category with real world stories, honest takes, and a few spicy opinions on why some vulnerabilities just will not go away.

From Broken Access Control dominating the charts again, to Misconfigurations that keep haunting cloud teams, to classic Injection failures refusing to stay in the past, this episode digs into the patterns behind the list and what they reveal about the state of modern security.

Your hosts explore how design flaws emerge long before code is written, why authentication failures keep showing up in new forms, and how logging gaps continue to blind even mature orgs. It is a guided tour through the list with humor, insight, and the occasional “I cannot believe this still happens” moment.

If you work in AppSec, Product Security, DevSecOps, or you simply enjoy hearing two security leaders question reality over a cup of coffee, this episode is your new weekly ritual.

☕ New episodes every Wednesday.

Tune in, patch your brain, and embrace the beautiful mess of the OWASP Top 10:2025 RC1.

1 month ago
1 hour 5 minutes 25 seconds

Coffee, Chaos and ProdSec
Ep 11 – Google vs FFmpeg - The Open Source Meltdown

🎙️ Coffee, Chaos & ProdSec – Episode 11

This week, Kurt and Cameron break down the showdown between Google’s Big Sleep AI and the FFmpeg maintainers keeping the internet’s media backbone running for free.

A tiny bug in a 1995 video codec sparked a big debate about responsibility, AI-driven vulnerability hunting, and the growing strain on open source volunteers.

We get into:

  • Why FFmpeg pushed back with “just submit a patch”
  • How AI is flooding OSS projects with vulnerabilities
  • The reality of trillion-dollar companies relying on unpaid labor
  • What needs to change before more maintainers walk away

Grab your coffee and settle in as we unpack one of the biggest open source stories of the year.

☕ New episodes every Wednesday.

Coffee, Chaos & ProdSec — strong coffee, stronger opinions.

1 month ago
58 minutes 45 seconds

Coffee, Chaos and ProdSec
Ep 10 - From Chaos to Controls - The Story Behind OWASP SPVS

🎙️ Coffee, Chaos & ProdSec – Ep 10

This week, Cameron and Kurt sit down with the co-founders of the OWASP Secure Pipeline Verification Standard to unpack the real story behind SPVS and why the industry desperately needed a pipeline-focused security standard.

From the early days of chaotic DevSecOps practices and scattered controls, to the moment the community rallied behind a structured, prescriptive approach, this episode dives into how SPVS came to life and the problems it set out to fix. Your hosts explore the gaps between policy and practice, why pipelines became the new enterprise battleground, and how SPVS is changing the way teams think about CI and CD security.

You will hear candid insights on the earliest design debates, the tradeoffs that shaped the framework, and the push to create something both practical and auditable. It is a conversation that connects the dots between pipeline pain, cultural friction, and the growing need for predictable, verifiable controls in modern software delivery.

If you work in AppSec, Product Security, DevSecOps, platform engineering, or you are simply curious about how community standards evolve, this episode offers a rare look inside the origin, intent, and future of SPVS.

☕ New episodes every Wednesday.

Grab your coffee, settle in, and follow along as we explore how pipeline chaos turned into pipeline clarity.

1 month ago
50 minutes 5 seconds

Coffee, Chaos and ProdSec
Ep 09 - Secrets in the Code - How Leaked Keys Can Sink a Ship

🎙️ Coffee, Chaos and ProdSec, Ep 9

Ever pushed an API key at 2 a.m. and hoped nobody noticed? In this episode, we dig into one of the most preventable but devastating security failures: secrets in code. From leaked AWS keys and OAuth tokens to misconfigured GitHub Actions, we explore how small oversights can open the door to massive breaches, and why this problem keeps growing every year.

We break down real-world incidents like hardcoded admin credentials and recent supply-chain compromises, showing how each one spiraled from simple mistake to global impact. Then we look at the systemic reasons it keeps happening, velocity over hygiene, CI/CD complexity, and the myth that “encrypted” equals “secure.”

Grab your mug and join us as we share practical fixes that actually work, from automated scanning and vault integration to culture-level change. Because in the end, secrets management isn’t a feature, it’s survival.

☕ New episodes every Wednesday.

Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

1 month ago
54 minutes 45 seconds

Coffee, Chaos and ProdSec
Ep 08 - Hack the Stack - Inside the Chaos of Pen Testing

🎙️ Coffee, Chaos and ProdSec, Ep 8

What really happens when you “hack the stack”? In this episode, we pull back the curtain on the messy, brilliant world of penetration testing, from corporate networks and VPNs to APIs, CI/CD pipelines, and live production systems. We explain what pen testing actually is, why it’s often misunderstood, and how the best testers balance creativity, curiosity, and chaos.

Then we get real about motivations and mishaps: compliance checkboxes, reports that gather dust, and the occasional “oops, we broke prod” moment. We trade war stories, debate bug bounties vs. red teams, and unpack how AI, automation, and continuous testing are changing the game, without replacing the human hacker’s instinct.

Grab your mug and join us for unfiltered stories, hot takes, and hard-won lessons from the field. Whether you’re a tester, a builder, or just pen-test-curious, this episode proves that breaking things (ethically) is still one of the best ways to learn.

☕ New episodes every Wednesday.

Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

1 month ago
1 hour 11 minutes 36 seconds

Coffee, Chaos and ProdSec
Ep 07 - Access (Out of) Control - Tales of Permissions Gone Wild

🎙️ Coffee, Chaos and ProdSec, Ep 7

Who left the keys under the mat? In this episode, we unlock the chaos behind broken access control, from S3 buckets of doom to interns with production privileges. We share real-world stories of “everyone’s an admin,” zombie accounts, and permission creep that turned harmless systems into ticking time bombs.

Then we dig into why this keeps happening: messy RBAC models, cultural blind spots, and the endless tug-of-war between convenience and control. We explore how organizations can move from reactive fixes to proactive design with automation, ephemeral access, and meaningful reviews that actually improve security instead of blocking work.

Grab your mug and join us as we expose the comedy (and tragedy) of bad permissions, share practical ways to lock things down without locking people out, and remind you, with great access comes great responsibility.

☕ New episodes every Wednesday.

Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

1 month ago
57 minutes 57 seconds

Coffee, Chaos and ProdSec
Ep 06 - The Break Down - So You Wanna Be a ProdSec Pro?

🎙️ Coffee, Chaos and ProdSec, Ep 6

Thinking about breaking into Product Security? In this episode, we lay out the roadmap, how to start, what to learn, and how to thrive once you land the role. We share our own origin stories, the detours we took to get here, and the lessons we learned the hard way along the way.

Then we dig into the skills that matter, from threat modeling and secure design to communication, empathy, and influence. We discuss favorite tools, common misconceptions, and how to build credibility through side projects, open source, or community involvement, even before you’ve got “ProdSec” in your title.

Grab your mug and take notes as we spill the (coffee) beans on how to stand out, get hired, and survive your first ProdSec gig, chaos, caffeine, and all.

☕ New episodes every Wednesday.

Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

1 month ago
1 hour 3 minutes 22 seconds

Coffee, Chaos and ProdSec
Ep 05 - War Stories - The Most Interesting Attacks We’ve Witnessed

🎙️ Coffee, Chaos and ProdSec, Ep 5

Where were you when Log4j hit? In this episode, we revisit some of the wildest moments in modern AppSec and ProdSec history, from dependency chaos and credential leaks to the late-night incidents that taught us the most. We talk through real (and an0nym1z3d) stories that shaped how we think about risk, response, and resilience.

We break down what actually happened during infamous security meltdowns, how teams reacted under pressure, and the surprising lessons that came out of the panic. Expect everything from supply-chain shenanigans to “secrets in code” horror stories, plus a few industry rants in our “What Grinds My Gears” segment.

Grab your coffee and settle in for the ultimate mix of humor, humility, and hard-won wisdom, because every breach comes with a story worth telling.

☕ New episodes every Wednesday.

Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

1 month ago
55 minutes 28 seconds

Coffee, Chaos and ProdSec
Ep 04 - Peering into the Crystal Ball - Trends Shaping the Future of ProdSec

🎙️ Coffee, Chaos and ProdSec, Ep 4

What’s next for Product Security? In this episode, we dust off the crystal ball and predict how the next wave of technology will reshape the field. From zero-downtime patching and ephemeral secrets to “observability as security,” we explore what’s real progress and what’s pure hype. We dive into DevSecOps trends like AI-driven automation, ASPM, minimal container images, and policy as code, asking the hard question: are we shifting left, right, or just in circles?

Then we zoom out to the big architectural shifts, Zero Trust becoming an operational standard, cloud-native sprawl colliding with consolidation, machine identity management taking center stage, and AI-powered defenses blurring the line between adaptive protection and full-blown Skynet vibes. We close with a lightning round of bold 2025 predictions covering everything from passwordless authentication and decentralized identity to platform consolidation and Security-as-a-Service.

Grab your mug and join us as we separate what’s hot from what’s hype, decode what’s coming next for ProdSec, and share what every security team should be doing today to prepare for tomorrow.

☕ New episodes every Wednesday.

Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

1 month ago
1 hour 5 minutes 32 seconds

Coffee, Chaos and ProdSec
Ep 03 - The Gauntlet - Top Challenges in Production Security Today

🎙️ Coffee, Chaos and ProdSec, Ep 3

Why is ProdSec so challenging? In this episode, we run through the real-world gauntlet of modern production security, scaling secrets management, securing ephemeral infrastructure, and keeping pace with relentless deployment cycles. We dig into why these problems persist and what’s finally starting to work.

From cloud misconfigurations and pipeline sprawl to developer enablement and culture clashes, we dissect the everyday battles ProdSec teams fight to keep systems safe without slowing innovation. Expect a few war stories, plenty of laughs, and a handful of practical takeaways you can apply right away.

Grab your mug, take a breath, and join us as we explore what makes ProdSec so tough, and how to turn those challenges into opportunities for stronger, smarter security.

☕ New episodes every Wednesday.

Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

1 month ago
56 minutes 55 seconds

Coffee, Chaos and ProdSec
Ep 02 - Passion Projects - What Gets Us Fired Up About ProdSec

🎙️ Coffee, Chaos and ProdSec, Ep 2

What keeps security folks up at night, and what gets us out of bed in the morning? In this episode, we get personal about the parts of ProdSec that inspire, frustrate, and challenge us most. From building secure-by-default pipelines to chasing the thrill of catching bugs before they bite, we share what fuels our obsession with protecting products at scale.

We compare the moments that hooked us, late-night incidents, breakthrough fixes, and the weird satisfaction of turning chaos into clarity. Along the way, we talk burnout, purpose, and why passion projects often teach the best lessons about resilience and leadership in security.

Pour another cup and join us for an unfiltered chat about why we love ProdSec, even when it drives us a little mad.

☕ New episodes every Wednesday.

Coffee, Chaos and ProdSec, strong coffee, stronger opinions.

1 month ago
48 minutes 24 seconds

Coffee, Chaos and ProdSec
Ep 01 - What the Heck is ProdSec Anyway?

What even is Product Security?

In this kickoff episode, we break down what makes ProdSec the connective tissue between AppSec, DevSecOps, and engineering. We unpack why it exists, how it differs from other security domains, and why every modern product team needs it, even if they don’t realize it yet.

Then we explore what real-world ProdSec looks like: from securing build pipelines and reviewing code to influencing design decisions without being the “Department of No.” We talk culture, collaboration, and the art of balancing developer velocity with risk reduction, all with a few caffeine-fueled laughs along the way.

Grab your coffee and settle in as we define ProdSec once and for all, laying the foundation for every chaotic, insightful, and occasionally ridiculous episode to come.

1 month ago
56 minutes 59 seconds

Coffee, Chaos and ProdSec
Ep 00 - Coffee, Chaos & ProdSec: A Caffeinated Dive into Cybersecurity Mayhem

🎙️ Coffee, Chaos & ProdSec - Trailer

Ever wish cybersecurity came with caffeine, chaos, and a few laughs?

Welcome to Coffee, Chaos & ProdSec, where your hosts Kurt (security architect and chaos tamer) and Cameron (ProdSec wrangler and reformed script kiddie) brew up weekly conversations on the wild world of modern security.

From real-world breaches to bad password confessions, the duo dives into Product Security, AppSec, DevSecOps, and the occasional hacker impression that probably shouldn’t make it past QA. Expect sharp takes, caffeinated debates, and stories from the trenches of digital defense.

Whether you’re a white hat, black hat, or just wondering how hackers “surf the net,” this is your new weekly ritual. Grab your coffee, patch your brain, and embrace the beautiful mess of cybersecurity.

☕ New episodes every Wednesday.

Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.

1 month ago
1 minute 50 seconds
