Hack or get hacked: banking on continuous proactive security
Recorded on June 12, 2025
SPEAKERS
SUMMARY
Jorge Monteiro emphasizes the urgent need for continuous, proactive cybersecurity. He argues that compliance alone is not enough: financial organizations must actively identify and fix vulnerabilities before attackers exploit them. With rapidly evolving threats and expanding attack surfaces, speed, visibility, and testing are critical. Security should be seen as a strategic advantage.
Key topics
Organizations should adopt proactive security, actively hunting for vulnerabilities before attackers find them. This includes continuous testing and ethical hacking.

Bots can exploit newly discovered vulnerabilities within minutes of publication. Organizations must match this speed with real-time detection and response.
Security is a competitive advantage. Demonstrating robust, continuous security practices signals reliability and can build trust with customers and partners.
Transcript
00:00:00 - Introduction
Jorge Monteiro begins by introducing himself and his company, Ethiak, which focuses on autonomous ethical hacking.
He emphasizes that cybersecurity is often wrongly left until the end of discussions and argues that continuous, proactive security is crucial. His main thesis is stark: "You either hack yourself or get hacked." The goal of his talk is to convince the audience that investing in continuous proactive security is essential for 2025.
He outlines three key reasons to prioritize cybersecurity: compliance, resilience, and differentiation. He begins with compliance, noting it's driven by necessity due to strict and growing regulations globally.
00:05:00 - Regulations and certifications
Jorge delves deeper into compliance, citing regulations like NIS 2, DORA, and the Cyber Resilience Act in Europe. He explains the distinction between regulations (mandatory) and certifications (optional but beneficial).
However, he cautions that compliance alone doesn’t equal security. A company could pass audits with minimal effort and still be highly vulnerable. He shifts focus to resilience, which acknowledges that breaches are inevitable.
Statistics show that 1 in 8 businesses suffer six-figure cyber losses annually. Jorge simplifies cyber risk into three variables: assets, vulnerabilities, and threats, comparing them to a city with buildings, open windows, and intruders.
Jorge explains that attackers only need one “open window” to break in, and this is made easier by growing digital complexity. Businesses now have more assets: applications, APIs, cloud services, AI tools, expanding their attack surface.
A big challenge is shadow IT: systems unknown to security teams, often created ad hoc by departments like marketing or engineering. Statistics show that 30% of attack surfaces are unknown to organizations. He notes that vulnerabilities are exploding, with 40,000 new CVEs (Common Vulnerabilities and Exposures) in just the last year, equating to over 100 new vulnerabilities per day. These aren't hypothetical; they're in real, widely used software.
00:10:00 - Hack yourself to protect from attackers
He discusses how threats are now faster, more automated, and more scalable than ever. Attackers don’t need to know who they’re targeting; bots scan the internet indiscriminately.
Increasingly, technical vulnerabilities are the root cause of breaches, surpassing human errors like phishing. For example, Cloudflare experienced over 1,000 attacks within 22 minutes of a new vulnerability being published. He stresses that traditional, once-a-year pentesting is grossly inadequate.
The only variable organizations can control in the cyber risk equation is vulnerabilities—by identifying and fixing them quickly. But most cybersecurity today is reactive, focused on defense (walls, alarms) instead of prevention (finding and fixing flaws before attackers do).
Jorge asserts that the only way to stay ahead of attackers is to "hack yourself first." Hacking, in its original sense, is about creativity and problem-solving. Organizations must test everything continuously: software, infrastructure, and people.
This requires regular vulnerability scanning and penetration testing—not just once per year, but on an ongoing basis. He explains how vulnerabilities typically emerge: they’re found, exploited, and then published.
00:15:00 - The importance of prioritization
If a vulnerability is exploited before it’s public, it’s called a zero-day. The key metrics executives should care about are MTTD (Mean Time to Detect) and MTTR (Mean Time to Remediate). Reducing both is only possible through regular, proactive testing.
Jorge acknowledges it’s not realistic to fix every vulnerability, but stresses the importance of prioritization: fix the most impactful and exploitable ones first.
00:20:00 - Proactive cybersecurity
He highlights the limitations of scanners, which often return false positives, creating noise and mistrust among teams. Instead, organizations need accurate tools that alert only on real, critical vulnerabilities. He draws a metaphor: scanning is like snorkeling; pentesting is deep-sea diving. Both are necessary.
Ethiak’s platform blends automation (machine-based continuous scanning) with human expertise (manual pentesting), creating a collaborative security environment. Vulnerabilities discovered in one client can be used to strengthen defenses across others in real time.
00:25:00 - Final thoughts
He outlines how Ethiak works: given a domain and authorization, the platform identifies all subdomains, IPs, technologies, and vulnerabilities. This provides both attack surface management and pentesting. Clients use Ethiak to discover assets (especially useful for large groups with many subsidiaries), manage vulnerabilities, retest fixes, and monitor third-party suppliers. This last use case is especially important under NIS 2 regulations, which emphasize supply chain security.
Finally, Jorge revisits his core message: organizations must shift from defensive to proactive cybersecurity. Speed is now more important than intelligence. To thrive in a digital ecosystem, businesses must adopt continuous testing and make security a strategic differentiator, not just a compliance checkbox.