🔴 Streaming live on March 25: runZero Day at RSAC 2026 Register Now
runZero CAASM

Why your firewall might be your biggest risk, HD Moore (ITSP Magazine)

During his keynote at SecTor 2025, HD Moore, founder and CEO of runZero and widely recognized for creating Metasploit, invites the cybersecurity community to rethink the foundational “rules” we continue to follow — often without question. In conversation with Sean Martin and Marco Ciappelli for ITSPmagazine’s on-location event coverage, Moore breaks down where our security doctrines came from, why some became obsolete, and which ones still hold water.

One standout example? The rule to “change your passwords every 30 days.” Moore explains how this outdated guidance — rooted in assumptions from the early 2000s when password sharing was rampant — led to predictable patterns and frustrated users. Today, the advice has flipped: focus on strong, unique passwords per service, stored securely via password managers.

But this keynote isn’t just about passwords. Moore uses this lens to explore how many security “truths” were formed in response to technical limitations or outdated behaviors — things like shared network trust, brittle segmentation, and fragile authentication models. As technology matures, so too should the rules. Enter passkeys, hardware tokens, and enclave-based authentication. These aren’t just new tools—they’re a fundamental shift in where and how we anchor trust.

Moore also calls out an uncomfortable truth: the very products we rely on to protect our systems — firewalls, endpoint managers, and security appliances—are now among the top vectors for breach, per Mandiant’s latest report. That revelation struck a chord with conference attendees, who appreciated Moore’s willingness to speak plainly about systemic security debt.

He also discusses the inescapable vulnerabilities in AI agent flows, likening prompt injection attacks to the early days of cross-site scripting. The tech itself invites risk, he warns, and we’ll need new frameworks — not just tweaks to old ones — to manage what comes next.

This conversation is a must-listen for anyone questioning whether our security playbooks are still fit for purpose — or simply carried forward by habit.

Meet Our Speakers

HD Moore

Founder & CEO, runZero

Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Resources

Podcasts
We need to talk about KEV with Tod Beardsley (Decipher podcast)
Tod Beardsley joins Dennis Fisher to talk about the evolution of the KEV catalog, how much value you should place on the KEV, and his new KEVology...
Watch Now
Podcasts
Only a third of KEV vulnerabilities are truly critical; are you prioritizing the wrong ones?
Discover how KEVology and the KEV Collider help defenders cut through the noise by enriching KEV data with exploit scores, timelines, & real-world...
Read More
Podcasts
Filtering the KEV was really hard … until now! (Risky Biz Interview)
Casey Ellis chats with Todd Beardsley about KEVology — an analysis of the CISA KEV. KEVology helps you identify the vulnerabilities most relevant...
Listen Now
Podcasts
The dangers of white label devices (Error Code Podcast)
Rob King, Director of Applied Security Research, explores white-labeled surveillance and IoT hardware, why some vendors are banned by governments,...
Listen Now

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.

Try runZero for Free
runZero CAASM
© Copyright 2026 runZero, Inc. All Rights Reserved