Matthew Gladney
Matthew has worked in and around cloud security software engineering since 2017, building security enablement software at Capital One, HashiCorp, DivvyCloud, Stacklet, and Rapid7. He's the primary author on two patents, one for rapidly creating cloud-resource configuration graphs at query time, the other for efficiently producing cloud access-policy analysis. He has also consulted on products designed to help teams keep their cloud environments well-managed. He spends most of his free time changing diapers and thinking through the opportunities for agentic workflows to scale security research.
Session
Neoclouds are here whether we planned for them or not - and the security assumptions we carry over from the hyperscalers don't transfer cleanly. The IAM ergonomics and audit trails we'd taken for granted aren't a given. How are secrets stored? If you hand an AI agent an access key, can you scope it to read-only - and can you even tell afterward which actions were the agent's?
These are what Amy Edmondson calls "ambiguous threats": warning signals that don't fit our existing mental models and so get rationalized away by competent people, working in good faith, applying reasonable assumptions - not because teams are reckless, but because the mental model required to interpret the platform signals doesn't exist yet - and the mental bandwidth required to build that model from scratch doesn't exist either.
This talk isn't about which platforms are safe. It's about methodology for laying out the facts so a security team can form a clear, opinionated posture - one it can defend internally, and that we can start to standardize as an industry instead of re-deriving for every new provider.
To make that practical, I'll also share an open-source agent skill that runs the same evaluation against any platform's public surface, turning a week-long investigation into a 40-minute pass.
And it's an open invitation to the researchers who already probe AWS for a living: let's point that lens at the neoclouds.