Rob Allen, Chief Product Officer at ThreatLocker, shares how organizations can move from theory to action with Zero Trust by starting with visibility and enforcing practical controls that actually work. This episode cuts through the noise to show how deny-by-default strategies can simplify defenses and make attackers’ jobs much harder—without making yours more complex.
In this on-location episode recorded at the RSAC Conference, Sean Martin and Marco Ciappelli sit down once again with Rob Allen, Chief Product Officer at ThreatLocker, to unpack what Zero Trust really looks like in practice—and how organizations can actually get started without feeling buried by complexity.
Rather than focusing on theory or buzzwords, Rob lays out a clear path that begins with visibility. “You can’t control what you can’t see,” he explains. The first step toward Zero Trust is deploying lightweight agents that automatically build a view of the software running across your environment. From there, policies can be crafted to default-deny unknown applications, while still enabling legitimate business needs through controlled exceptions.
The Zero Trust Mindset: Assume Breach, Limit Access
Rob echoes the federal mandate definition of Zero Trust: assume a breach has already occurred and limit access to only what is needed. This assumption flips the defensive posture from reactive to proactive. It’s not about waiting to detect bad behavior—it’s about blocking the behavior before it starts.
The ThreatLocker approach stands out because it focuses on removing the traditional “heavy lift” often associated with Zero Trust implementations. Rob highlights how some organizations have spent years trying (and failing) to activate overly complex systems, only to end up stuck with unused tools and endless false positives. ThreatLocker’s automation is designed to lower that barrier and get organizations to meaningful control faster.
Modern Threats, Simplified Defenses
As AI accelerates the creation of polymorphic malware and low-code attack scripts, Zero Trust offers a counterweight. Deny-by-default policies don’t require knowing every new threat—just clear guardrails that prevent unauthorized activity, no matter how it’s created. Whether it’s PowerShell scripts exfiltrating data or AI-generated exploits, proactive controls make it harder for attackers to operate undetected.
This episode reframes Zero Trust from an overwhelming project into a series of achievable, common-sense steps. If you’re ready to hear what it takes to stop chasing false positives and start building a safer, more controlled environment, this conversation is for you.
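The visibility-first, deny-by-default flow summarized above (watch what runs, build a baseline, then block anything unknown while permitting business needs by explicit exception), as an added Python model. This is illustrative code written for this page, not ThreatLocker's product or any real agent's API; the hosts, users, file paths and file bytes are constructed sample data, and the policy keys on the file hash rather than the file name so a different binary dropped under a trusted name does not inherit that name's permission.

```python
"""
Toy model of a Zero Trust application-control flow:
1. visibility / learning: an agent observes what actually runs and records it,
2. default deny: once learning ends, anything not in the baseline is blocked,
3. permit by exception: business-required software is allowed explicitly,
4. every block is a high-signal event for the SOC rather than a false positive.
All hosts, users, paths and file contents below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ExecEvent:
    """One 'process is about to start' observation reported by an endpoint agent."""
    host: str
    user: str
    path: str
    image: bytes  # constructed stand-in for the executable's file contents

    @property
    def sha256(self) -> str:
        # Policy keys on the hash of the file, not its name, so a renamed tool or
        # a tampered copy under a trusted name does not inherit the trusted permission.
        return hashlib.sha256(self.image).hexdigest()


@dataclass
class AppControlPolicy:
    learning: bool = True
    baseline: set[str] = field(default_factory=set)                 # learned hashes
    exceptions: dict[str, set[str]] = field(default_factory=dict)   # path -> users
    denials: list[ExecEvent] = field(default_factory=list)          # what the SOC sees

    def permit_exception(self, path: str, user: str) -> None:
        """Permit by exception: a specific user may run a specific path."""
        self.exceptions.setdefault(path, set()).add(user)

    def decide(self, ev: ExecEvent) -> str:
        if self.learning:
            # Visibility phase: record what runs, block nothing yet.
            self.baseline.add(ev.sha256)
            return "learned"
        if ev.sha256 in self.baseline:
            return "allow"
        if ev.user in self.exceptions.get(ev.path, set()):
            return "allow-exception"
        # Default deny: unknown software never runs, whoever or whatever produced it.
        self.denials.append(ev)
        return "deny"


def run_demo() -> dict[str, str]:
    policy = AppControlPolicy()
    putty = b"constructed putty.exe bytes"          # constructed file contents
    pwsh = b"constructed powershell.exe bytes"      # constructed file contents
    # --- learning window: the agent just watches ---
    for ev in (
        ExecEvent("marco-laptop", "marco", r"C:\Tools\putty.exe", putty),
        ExecEvent("sean-laptop", "sean", r"C:\Windows\System32\powershell.exe", pwsh),
    ):
        policy.decide(ev)
    policy.learning = False  # switch to enforcement: deny by default from here on

    # --- enforcement ---
    results: dict[str, str] = {}
    results["known_tool"] = policy.decide(
        ExecEvent("marco-laptop", "marco", r"C:\Tools\putty.exe", putty))
    # Same trusted name, different bytes: hash mismatch, so it is blocked.
    results["tampered_copy"] = policy.decide(
        ExecEvent("sean-laptop", "sean", r"C:\Tools\putty.exe", b"different bytes"))
    # Never-seen binary: no signature or prior knowledge of it is needed to block it.
    results["unknown_binary"] = policy.decide(
        ExecEvent("sean-laptop", "sean", r"C:\Users\sean\Downloads\a1b2.exe", b"novel file"))
    # Business need handled as an explicit, narrowly scoped exception.
    policy.permit_exception(r"C:\Users\sean\Downloads\zoom-installer.exe", "sean")
    results["exception_allowed"] = policy.decide(
        ExecEvent("sean-laptop", "sean", r"C:\Users\sean\Downloads\zoom-installer.exe", b"installer"))
    # The exception is per user and path; it does not carry over to someone else.
    results["exception_not_transferable"] = policy.decide(
        ExecEvent("marco-laptop", "marco", r"C:\Users\sean\Downloads\zoom-installer.exe", b"installer"))
    results["denials_logged"] = str(len(policy.denials))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:28s} {outcome}")
```

The point to notice is the last entry: the only things that reach the denial log are the tampered copy, the unknown binary and the out-of-scope exception attempt, which is the "indicators of someone banging against the wall" effect the episode describes, rather than the constant false positives of detection-only tooling.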
Learn more about ThreatLocker: https://itspm.ag/threatlocker-r974
Note: This story contains promotional content.
Guest:
Rob Allen, Chief Product Officer, ThreatLocker | https://www.linkedin.com/in/threatlockerrob/
Resources
Learn more and catch more stories from ThreatLocker: https://www.itspmagazine.com/directory/threatlocker
Learn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsac25
______________________
Keywords:
sean martin, marco ciappelli, rob allen, zero trust, cybersecurity, visibility, access control, proactive defense, ai threats, policy automation, brand story, brand marketing, marketing podcast, brand story podcast
______________________
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Want to tell your Brand Story Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf
Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us
From Reactive to Proactive: Building Guardrails That Actually Protect | A Brand Story with Rob Allen from ThreatLocker | An On Location RSAC Conference 2025 Brand Story
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] Marco.
Marco Ciappelli: Sean,
Sean Martin: you know where I wanna be today.
Marco Ciappelli: What?
Sean Martin: Well, I'm kinda happy I'm here 'cause Rob's here. Yeah.
Marco Ciappelli: I'm happy I'm here too and I know why you wanted me to be on this one. Know because you don't
Sean Martin: trust me. I don't trust you. And we're zero. Trust. Talking about zero trust. I have zero trust. Zero trust.
Absolutely.
Marco Ciappelli: See, I
Sean Martin: how I had the script on this one. No, the reason I'm joking is there's, there's a car being given away somewhere else. Not right here. There is definitely a car. I, I wanna be a, a cyber hero for ThreatLocker.
Marco Ciappelli: I wanna be a cyber villain so I
Sean Martin: can get a nice car cyber villain. No, but you, I mean the, the program you have, the Cyber Hero program is pretty dang cool.
It's very cool. It's very cool. Very cool. Maybe we'll touch on that a bit, but uh, before we get into all the fun stuff that ThreatLocker's up to, the pizza you're gonna have, the cars you're giving away. Um, let's remind everybody who Rob Allen is.
Rob Allen: Uh, so Rob Allen is the Chief Product Officer. [00:01:00] Uh, is he a
Sean Martin: good guy?
Rob Allen: Sometimes. Sometimes if you get him on a good day, good day. Uh, occasional chief podcast officer. Okay. Sometimes Chief Pineapple Officer as well. Don't ask about that one, please. All right. Does have any connection to the pizza?
Sean Martin: No, not that kind of pineapple. Alright.
Rob Allen: Alright, very good. This is more the hacking, ah, hacking device kind of pineapple.
Um, but I've actually, on the uptake, I've passed on the, the, the title of, well, actually I've nominated somebody else to be Chief Pineapple Officer. Okay. Um, thankfully because I, and we'll send them to DEF CON. Yeah, I've had bad experiences with pineapples. Um, but yeah, as I said, occasional chief podcast officer, but mostly chief product officer.
Sean Martin: Very good. And he, and he builds some good products. We, we heard, heard the feedback from the customers at the, at uh, Zero Trust World. It's good stuff. Yes. Good stuff.
Marco Ciappelli: But we are at RSA conference. We are, we are. Just in case people didn't notice. Yeah. Or
Rob Allen: people listening, they're wondering here what's going on.
Another good conference. I mean, other conferences are available. No, I know this is one of them. This is one of them. No, not as good as Zero Trust. It's one of them. [00:02:00] And you know we,
Marco Ciappelli: yeah, you are the chief podcast officer 'cause we're already chat with you a few times. Yes, we have. Yes. And it's exciting that we are actually gonna do here on the floor.
Mm-hmm. So, um, anything in interesting that you have seen around maybe, what did you expected?
Rob Allen: Um, well actually I was here last year, so I kind of knew what to expect. I mean, obviously it's
Sean Martin: huge.
Rob Allen: Um, there are a great many people, but both of those things are good because a great many people is a great, many opportunities to speak to people, uh, which is basically why we're here.
Um, a lot of customers, um, one great thing about events like these is year on year. There's more and more customers. So where, you know, two, three years ago we might have had a handful of customers here. Now we might have 20, 30, 40, 50 customers, all of whom wanna come up, say hello, have a conversation. Um, so yeah, it's, it's, it's a great opportunity to, and I
Marco Ciappelli: know 'cause again, we spoke before and how important this [00:03:00] conversation with the customers are.
Mm,
Rob Allen: absolutely. And
Marco Ciappelli: we have been able to hear both sides. Mm-hmm. So everybody benefit from this conversation. So anything interesting in her. Um, I, as I
Rob Allen: said, like I've had a, um, quite a large customer of ours actually come up yesterday and they had some really good ideas around our privilege, access management, or elevation control, um, solution.
Um, I mean it's where, quite frankly a lot of our good, good ideas come from is when somebody says, it would be really cool if you could do X. Um, and very often, if somebody's. Wish for it to do something. Is that important for them to suggest it to us? It's probably something that will benefit other customers as well.
Right? Um, so very often it's something that we'll try and try and make happen.
Marco Ciappelli: Yeah. That's really good.
Sean Martin: What, um, what, what's your sense of, obviously with your customer base, they probably [00:04:00] recognize what Zero Trust is, what it means to them, how you help them with achieving whatever that is to them. Um, when you, when you branch out beyond a large group like this, how does that conversation sound in terms of solidifying or, or nailing down what Zero Trust is?
We've had, we've, we've talked about it being a mindset mm-hmm. In many cases. Um, do you find that a large group like this has a common, real understanding of what's going on with respect to Zero Trust, or, or is it still a lot of education required?
Rob Allen: It's, it's. A little bit of column A, a little bit of column B.
Okay. I mean, obviously there would be a fairly, well, I don't wanna say well educated attendees here, but I mean in, in terms of cybersecurity. So a lot of people here would be quite well versed, shall we say. Um, from a cybersecurity perspective. Most of 'em would know, broadly speaking what Zero Trust is.
Most of 'em would probably have an idea that Zero Trust would be a good idea, would be something they should look at implementing. [00:05:00] A lot of them realistically don't know where to start. Right. Which I suppose is largely where we come in and we say, well hook. These are the things that we can do for you.
These are the steps that we can help you take to achieve what you're trying
Sean Martin: to achieve. Right? And let's, let's quickly run through maybe what a, a, an accelerated brief view of what some of those steps might be. Um, so folks, so they have that in mind. Um,
Rob Allen: I suppose to some extent, I mean, it, it, the first step is the first step.
So it's about starting somewhere. It's about saying, look, this is something we want to do. Okay, how are we gonna do it now? Unfortunately, there's no silver bullet for this problem. It's not a product you could buy. Mm-hmm. It is a series of steps you can take. I mean, as, as you mentioned, it's a mindset fundamentally.
Now how you start with policy,
Sean Martin: does it start with scoping? Does it start with business? Does it start with risk? All of those things. Any, anywhere. I was gonna say all of those things.
Rob Allen: I mean, realistically it starts from our perspective, it starts with visibility. Okay. Um, because in [00:06:00] order to apply controls, in order to get to a point where you can fundamentally default deny, you need to have visibility over what's there.
You need to know what's running in your machines. You need to know what software is present before you can then make decisions as to whether well, actually is this thing needed or not? Or should I be blocking that? Or just getting to the point where you can lock everything down and say, right, nothing new is gonna be allowed to run unless I explicitly allow it.
So visibility very much is the first step in terms of, and that's just deploying agent and. Let it do its thing, right? Um, there's no heavy lift involved in that. You don't have to, it used to be a heavy lift. It used to be a very heavy lift. But realistically, that's one of the things that we pride ourself in.
We, we take away a lot of that hard work. Um, as I said, we deployed agent, we let it learn. It's gonna build policies automatically. So you don't have to sit there and figure out, well, Marco needs this software and this software and this software and this machine, and Sean needs all of these different pieces of software, right?
We're gonna see all those things. We're gonna create policies automatically, and that takes a lot of the hard work, a lot of the heavy lifting out of this. But again, what it provides you fundamentally is visibility. [00:07:00] So I can see, hang on a second. Marco's running PuTTY. Say that for me, Marco. PuTTY. What is that?
PuTTY. PuTTY. PuTTY. Sorry. I mean, Marco. So Marco's running PuTTY on his machine. Um, does he need that? I mean, it's been used for data. I do need it, but equally, you could use that for data exfiltration. I mean, we have seen it being used for data exfiltration. Um, so then you can make a decision, well, maybe he does need it, maybe he doesn't. I mean, purely for entertainment purposes, I think we should allow him to run it and say it regularly.
Yes. Repeatedly on many podcasts every day. But yeah, as I said, you can then make decisions. You can then start getting to the point where you can lock down your environments.
Sean Martin: Let me, let me follow up with this. 'cause maybe the, A view into the current state for many still where it's difficult to get that visibility and, and.
Maybe even some semblance of control. Um, I've heard many times GPA [00:08:00] GPOs there mm-hmm. Group policy orchestrator. Right. Is there not every cus company uses it. It is a way to kind of get to a point, but that's a pain in, in the neck and which is probably why many don't use it. Mm-hmm. What obviously the alternative is to learn, but I guess kind of paint a picture of what you see.
If, if organizations attempt to get to Zero Trust using tools that aren't ThreatLocker,
Rob Allen: uh, with tools that aren't ThreatLocker is, um, it's a lot of work. It's fundamentally, it's a heavy lift. I mean, I've spoken to organizations who have spent years trying to implement other solutions, other tools that are out there, um, and fundamentally failing, not even getting to the point where they can turn it on.
It's just so much work. It's so much hassle. They're afraid to turn it on because it's really hard to configure and it's a lot of. It's a lot of manual intervention, fundamentally, right? Um, so as I said that, that is one thing that we pride ourself on is we take away a lot of the hard work. I mean, fundamentally, our [00:09:00] mission was to make this possible, right?
Because in most environments, in most cases, it wasn't possible. I mean, for example, you might be able to deploy something like AppLocker on a server. And because that's a relatively static environment, there's not a lot of software going on. You might be able to maintain that and be able to run it. But if you introduce something like that into a dynamic environment where people are running lots of different software and things are updating all the time, it just becomes completely unmanageable.
So as I said, that's kind of the secret sauce. We make it possible. Attainable. Achievable. I did, I know Michael
Sean Martin: wants to jump in with some No, no, I'm just, I'm listen with some P, but um.
Do you, do you change the operating environment? You don't, you don't change the way the infrastructure looks to achieve? No, we don't have to. Yeah.
Rob Allen: I mean, fundamentally what we do is we set guardrails around what people are doing. I mean, there's two parts to default deny. I mean, the first part is obviously the default, deny or denied by default.
The [00:10:00] second part is the permit by exception, right? Now the Permit by exception, the default deny is what's gonna keep you safe. The permit by exception, is what's gonna allow organizations to run, because you need to be able to run things. You need to be able to do what you need to do. And fundamentally, all we do, broadly speaking, is we set guardrails around that and say, look, operate between these guardrails and you're not even gonna know we're here.
Right? Okay. You know, but try and download a coupon clipper from China or run a remote access tool that you're not, that hasn't been allowed. Absolutely, we're gonna step in and block that. But again, most users don't do that that often. Most users do the same thing in the same way with the same software pretty much every day.
Right? I don't, I don't wanna monopolize
Marco Ciappelli: No, I enjoy, I mean, I'm learning a lot and, and you guys get very, you know, a little bit more on the, we, we get passionate, the operat operation of this, but I wanna bring it a little bit outside again, in term of the concept of zero trust. Mm-hmm. Scares a lot of people.
I know you guys are trying to do it and you're doing it, it in a way that it's [00:11:00] not overwhelming.
Sean Martin: Mm-hmm.
Marco Ciappelli: Uh, but it's also a mindset. And so I wanna talk a little bit of the mindset of working with the Zero trust Yeah. Model.
Rob Allen: Well, I mean the, look, there's lots of different ways to describe it. There's lots of different ways to, uh, to explain to people.
I mean, fundamentally, one of my favorite descriptions of it is to assume breach. Um, it was actually the, uh, executive order from a couple of years ago, mandating zero trust for the federal government or anything to do with the federal government actually. Explain what it is, and one of the definitions and one of the parts of the definition was to assume a breach is inevitable, right?
Or has already occurred. And constantly limit access to only what is needed. And I love that definition because when you apply that or when you consider that, then fundamentally everything we do make sense, which is assume they're already in so bad, guys are on my server right now. They've got full domain admin privileges.
What can they do? And the sad fact is in most [00:12:00] environments, the answer is quite a lot. I mean, data exfiltration is trivial, as I said. Whether it's using tools like PuTTY or PowerShell or curl or whatever mechanism they choose, I mean, a lot of it's sitting in an environment already and a lot of it is really hard to detect.
I mean, fundamentally, if you are strategy, if your approach is to wait for something bad to try and run
Marco Ciappelli: right
Rob Allen: then it's probably already too late. I mean, your data's already out there. It's for sale in the dark web and. Cleanup operation at that stage. So that's why what we try to encourage people is to take a more proactive approach.
So rather than, as I said, waiting for something bad to run, we're gonna control the environment in such a way that they can't get to the stage where they're going to be deploying ransomware. I mean, obviously, they're not gonna be able to deploy ransomware, but in most breaches there is, you know, potentially months worth of activity prior to that.
Where they borrow, they, they, you know, evaluate the environment. They try and figure out what's there, what they can steal, what's valuable, how much money they can ask you [00:13:00] for, what your cyber insurance is gonna pay out, what your bank accounts show, so how much money you have in your account. These are all valuable pieces of information for an attacker.
Um, I mean, the sweet spot seems to be somewhere around 30% of your money in the bank is what they will ask for now, plus what your cyber insurance will pay out. Because they're not gonna ask for a hundred percent of what you have in the bank because that's gonna shut any business down, and they're just not gonna pay it.
Marco Ciappelli: Right.
Rob Allen: So they try and make it uncomfortable enough to be uncomfortable for everyone. There's a
Marco Ciappelli: tipping point where it's, it's easy to pay. Exactly. But again,
Rob Allen: finding that information, evaluating where that information is stored, getting access to it, that fundamentally takes them time. Um, but as I said, rather than waiting for the, okay, now ransomware is running.
Our approach is to control the environment in such a way that it makes their lives really difficult and also more likely that they will be discovered as they try and get around or to, to circumvent the control center there.
Marco Ciappelli: I, I like to say that it's common sense, but it's not [00:14:00] that common.
Rob Allen: Mm-hmm. Common sense is unfortunately not as common as you, you might like,
Marco Ciappelli: but when you think about it, it's the same approach.
You have to be healthy. Mm. It's, you know, if you. If you work on prevention Yeah, then you don't have to deal. Well, it may happen 'cause it could be inevitable, but you, you kind of manage it.
Rob Allen: Absolutely. But I mean, from a cybersecurity perspective, both approaches are valid. Both approaches have value, but both approaches work best when combined.
Right. So when you talk about proactive, preventative and also reactive, effectively detection is reactive. Yeah. You need both. You need both, absolutely. But what we. I have seen for many years is that a lot of them, a lot of customers, a lot of prospects rather have basically stacked up on the detection end.
Mm-hmm. So they have lots of different tools fundamentally doing the same thing in different ways. So they might have antivirus, they might have EDR, they might have MDR, they might have, you know, three or four different levels of detection tools, fundamentally, all looking for the same threats. Mm-hmm. [00:15:00] And very often falling over each other when they actually find them.
So what we try to encourage people to do is well look. A proper layered defense involves different types of protection, involves different types of solutions. So yes, absolutely have detection and we have our own detection product, but combine that or layer that along with controls. Yeah, and again, the controls are what are gonna keep you safe.
The detection, ideally, is what's gonna tell you something is going on, but when it's not allowed to happen, if that makes sense. So rather than responding to an active ongoing attack, you're effectively responding to indicators of compromise for somebody basically banging their heads against the wall that is ThreatLocker, as I said, trying to get around or trying to do what they're being, you know, realistically not allowed to do or not able to do.
And that gives you time to respond.
Marco Ciappelli: And it's easier to detect when it's less than you have to detect instead of a crowd of
Rob Allen: Absolutely. Of
Marco Ciappelli: all
Rob Allen: of them. Absolutely. And again, it's one of the biggest problems with a lot of detection tools is [00:16:00] false positive.
Marco Ciappelli: Yep.
Rob Allen: I mean, you spend lot of noise. It's like the boy who cried wolf.
I mean, these things are, are, are shouting. Go look over here. Look over here. There's something going on. And when you actually look, I mean, I, I've literally spoken to customers who, who've told us to me about various products that they use. Say, look, well, how, how, you know, how is it, is it good? Is it valuable?
And they go, yeah, it's fantastic. Wolfs are there. Really. Absolutely.
Sean Martin: But
Rob Allen: the false positives drive me insane because I'm always looking for this thing or that thing and there's nothing actually going on. I mean, I had a really good example of a guy. We, an example we use is just exfiltration via PowerShell.
Mm-hmm. So it's just one line PowerShell script that copies data from here to our blog. And I spoke to a customer about a competitor product he was using, and he mentioned the false positive thing and that it broke his heart that he was constantly responding to these, nothing going on. So I mentioned the, um, exfiltration and he said, do you mind if I try that on my machine now?
And I said, no, absolutely, go right ahead. So we ran the exfiltration script, it stole the data from his machine, not a. Out of his other tool. [00:17:00] So when there was something malicious actually happening, it did nothing. Right. But as I said, he's been chasing false
Sean Martin: positives. Yeah. All day, every day. Yep.
Interesting. I know we're coming up on the end here, so I'm gonna throw you a zinger. I was, uh, just to make it fun, I was at a, uh, a legal conference a few weeks back. A bunch of lawyers, law practices, inside counsel, talking about AI. Yeah. Driven code, vibe coding. Mm-hmm. Agentic AI and of course hidden in there is all the API-driven stuff and microservices, and I'm thinking here are people that are not technologists.
Mm-hmm. Here talking about AI and coding and building apps and building services and using a bunch of stuff. How, how does that world impact. What you see and how you, how, how does Zero Trust deal with that, I guess is really the question I'm trying to figure out? Um, [00:18:00]
Rob Allen: well, short answer is beautifully. Okay.
Um, but I'll actually, I'll I'll, 'cause it's all new and then it's denied by the default because then you're not enabling
Sean Martin: the business.
Rob Allen: I'll give you an example. Um, so I mean, you're talking about things like polymorphic malware, for example, or, or, you know, obfuscated using LLMs, that kind of stuff. I mean, I, I, I've done my fair share of that and it's, it's really cool.
I mean, fundamentally it's lowering the barrier of entry to malicious actors. So once upon a time you needed a specific set of skills to be able to code, to be able to make malware. Now realistically, all you need is bad intentions because you can go to an LLM and say, well look, I need code to do this, and then I need code to do that.
And we put these two pieces of code together and all of a sudden you've got malware. Um, so the dangers are there, but I'll give you one other very quick example, which was, there was a story in the news last week about a, it was the CEO of a cyber. A security company who was arrested for putting malware on a hospital's devices.
Now [00:19:00] it turns out it was actually a piece of PowerShell, so it was literally just a PowerShell script or piece of PowerShell that was taking a screenshot and uploading it to a location. Now, I managed to get my hands on that PowerShell, and I gave it to ChatGPT, and I said, look, I wanna do this and I wanna put it here instead of there, and I wanna do it into a folder, and I wanna do it every, you know, one minute rather than every 10.
It did everything that I needed. And I didn't need any skills to do that. So the, the, the, the fact is it is being misused as much as it is, as it is being used. And realistically in a lot of cases, the, the bad guys have no limits on what they can do. There's no restrictions. They don't operate in boxes.
They work very much outside the boxes where unfortunately, a lot of cases defenders do.
Sean Martin: Yeah.
Rob Allen: But the beauty of that, it is when you deny by default, you don't need to respond to each individual threat. You don't need to know what's going on particularly. You just need to apply controls and then the things that they might otherwise misused can't be misused.
Go. I love it.
Marco Ciappelli: Well, you know, I, I think with conversations like [00:20:00] this, it, it makes people think about the way they view the problem. Mm-hmm. And really change the perspective that they can think about it. So with one minute to go, or less, I'm gonna say PuTTY another time. Ah, so make you happy. Say PuTTY, right?
PuTTY. Put PuTTY. Yeah. No, I'd say PuTTY. PuTTY. I say PuTTY. Okay. And that makes me happy and I wanna thank you for this conversation and uh, I hope we're gonna have many more.
Rob Allen: Yeah, absolutely. It's been a pleasure.
Marco Ciappelli: Yeah. Yeah. And, uh, I invite everybody to check out what ThreatLocker is doing because it's a concept that, as you said, it's gonna, help's, not gonna resolve completely the problem.
It takes more things, more tools, but definitely big. There's no silver bullet. A big, a big, big door and wall too. It gives you
Sean Martin: a chance to do some of the other stuff. Exactly. Exactly.
Marco Ciappelli: Fighting, fighting, and,
Sean Martin: uh, Sean. More conversation coming up, more conversations with ThreatLocker. More conversations from RSAC Conference.
itspmagazine.com/rsac25 for more. [00:21:00] Stay tuned. Please subscribe, share with the friends and enemies. We'll catch you on the next one.
Marco Ciappelli: Stay tuned,