ASPM’verse marked Cycode’s third virtual summit, and it was the most future-facing yet. Ten sessions brought together security leaders, developer-first product teams, and executives driving real change in the way organizations think about application and product security.
While the topics ranged from AI-generated code to unified vulnerability management, several common threads ran throughout:
- AI is reshaping security workflows, but human judgment is more critical than ever.
- Context is the key to meaningful remediation.
- The future of AppSec is product security (and vice versa).
That’s why it was the perfect moment for us to debut our new AI-Native Application Security Platform. It’s purpose-built for the AI era, helping teams solve today’s most pressing software security challenges with speed and clarity.
ASPM’verse itself is evolving too. In six months, we’re leveling up with the first-ever Product Security Summit—an even bigger, bolder stage for innovation and collaboration.
In the meantime, check out 10 standout sessions that captured the biggest ideas and insights from across the summit.
1. Agentic AI Is More Than Hype
In our opening keynote, Chris Hughes, Founder of Resilient Cyber, broke down how agentic AI – LLMs “with arms and legs” – is already solving some of AppSec’s biggest pain points. From cognitive overload in SecOps to artifact generation in GRC, agentic AI isn’t theoretical.
As he put it: “The biggest risk of GenAI is that we don’t use it.”
That means teams will be onboarding tools with GenAI baked in. The key? Evaluate vendors on evidence, not hype.
Watch the session to hear which GenAI evaluation frameworks and agentic AI implementation models are worth following in 2025.
2. Threat Modeling Is More Important Than Ever in the Age of AI
A panel featuring Linda Fay, Jacob Combs, and Brad Tenenholtz tackled the new risks AI introduces—both in how software is developed and attacked.
Jacob pointed to model poisoning (hallucinations, unsafe code, etc.) as a growing concern, while Brad offered a necessary calibration: if devs are scaling 10x with AI, security leaders need to scale 100x. Linda emphasized the gap in trust and verification, especially among junior staff relying on GenAI.
The consensus? Threat modeling remains one of the most essential, human-driven practices in product security.
Don’t miss the full panel discussion.
3. ASPM Can Bridge the Gap Between Findings and Fixes
Adam Dudley, VP of Strategy & Alliances at Nucleus Security, made a compelling case for Application Security Posture Management (ASPM) as a connector between AppSec and vulnerability management. He stressed that data fragmentation and tool sprawl are manageable problems—but only if security teams are equipped with context: asset criticality, ownership, exploitability. ASPM solutions that provide this enable faster, more confident decision-making.
Done right, they don’t just detect issues—they drive remediation.
Learn how ASPM platforms are turning prioritization into action in the full interview.
4. Security Culture Starts With the “Why”
Nikola Dalcekovic, Product Security Officer at Schneider Electric, and Brian Levine, Director of Product Security at Elastic, explored how to build resilient, business-aligned product security programs.
They both agreed: tools matter, but culture is what sustains security at scale. Likewise, if security doesn’t embed into workflows, it creates friction. That’s why both encouraged listeners to start with “why” to align teams across disciplines.
Nikola warned that compliance-driven initiatives often backfire, framing security as a gatekeeper rather than an enabler. Brian added that in open-source, multi-platform environments, people and process matter more than checklists.
See how two global orgs are building security programs that scale with trust.
5. Developers Respect Context
During this Q&A, Nick Waringa, Product Security Director at Flock Security, focused on the high cost of contextless security. In his extensive experience, when findings are noisy or lack clarity, developer trust erodes—and so does security effectiveness.
He noted that IDE integration, not just shift-left rhetoric, is what really drives early action. He also maintains that it doesn’t matter how far left you scan…it’s how well you understand risk. Context is the new credibility, and some tools (including ASPM) are delivering it and raising the bar.
Watch the session to see what real developer enablement looks like.
6. AI Coding Tools Still Need Guardrails
Secure Code Warrior’s John Cranney and Patrick Collins shared that 99% of their customers are using GenAI in development—but human review remains essential. Why? Because some languages and workflows lend themselves to GenAI support, while others leave too much room for error.
The bottom line: these tools introduce new complexities that require expertise to navigate. Developers need to understand not just how to use AI tools, but how to question their outputs—because no matter how advanced the model, judgment still matters.
Explore where AI excels, where it fails, and how to mitigate its blind spots in the full session.
7. AI Won’t Replace AppSec, But It Will Redefine It
In a wide-ranging session, Anshuman Bhartiya, AppSec Tech Lead at Lyft, and Marc Hornbeek, CEO at Engineering DevOps Consulting, discussed whether AI could solve AppSec’s long-standing resourcing gap. The answer? Not entirely, but it can help.
Echoing what John and Patrick said, GenAI won’t replace security engineers, but it will reward those who know how to leverage it. Their prediction: prompt engineering will become an essential skill for engineers at every level.
They also challenged the “just buy another tool” mindset: scaling responsibly means using fewer, smarter tools that streamline workflows instead of adding more noise.
See why expertise still beats automation, and how to future-proof your team.
8. Cycode Is Building the Future of AI-Native AppSec
Guillaume Montard, Head of Product at Cycode, and Amir Kazemi, Director of Product Marketing at Cycode, previewed the company’s latest innovations, from pipeline security to intelligent risk dashboards. They also introduced Cycode’s AI Teammate: an agentic capability that helps teams go from identification to resolution faster.
By combining AST, supply chain security, and ASPM in one platform, Cycode is eliminating security debt and enabling security by design.
If you want a glimpse at what’s next in our AI-Native Application Security Platform, book a demo.
9. Unifying Risk Is the Only Way Forward
If you’re tired of “YAST” (Yet Another Security Tool), you’re not alone.
Matthew Rose, Global Application Security Architect at World Wide Technology, emphasized the fatigue created by siloed tools and overlapping solutions that complicate rather than clarify risk.
He broke down the various flavors of ASPM solutions—from those that simply aggregate findings to those that layer in correlation and prioritization. What makes the best ASPM platforms stand out, he argued, is their use of native scanning to surface high-fidelity risks and eliminate the noise.
Learn how to break down silos and build a unified risk strategy in the full session.
10. Product Security Owns the Full Lifecycle
Brian Rust, Deputy CISO at WorldPay, closed the event by redefining what it means to do application security well.
He explained that AppSec used to be about whack-a-mole testing. Product Security, in contrast, has always taken a broader and more proactive approach. Rather than focusing narrowly on testing and remediation, it’s about embedding secure design principles across the entire software lifecycle—from ideation to deployment.
Like others, Brian argued that AppSec must evolve into Product Security because the risks and responsibilities span across teams, workflows, and decision points. And this shift isn’t just semantic. If security is to truly support innovation and protect the business, it must be involved from the very beginning and throughout every stage of product development.
Get a CISO’s perspective on building holistic security from the ground up.
Ready to Go Deeper?
Whether you’re a security engineer trying to reduce noise, a product leader focused on velocity, or a CISO prioritizing risk across the org, these sessions offer actionable insights for you. Watch the full event on-demand now.
Curious how Cycode can help you bring these ideas to life? Book a demo and see the #1 AI-Native Application Security Platform in action.
Also, special thanks to our ASPM’verse event partners – Nucleus Security, Secure Code Warrior, Sysdig, Traceable by Harness, and World Wide Technology.