Emma Zaballos is an avid threat researcher who is passionate about understanding and combatting cybercrime threats. Emma enjoys monitoring dark web marketplaces, profiling ransomware gangs, and using intelligence for understanding cybercrime.
CyCognito, founded by veterans of national intelligence agencies, specializes in cybersecurity by identifying potential attack vectors from an external perspective. The company provides organizations with insights into how attackers may perceive their systems, highlighting vulnerabilities, potential entry points, and at-risk assets. Headquartered in Palo Alto, CyCognito serves large enterprises and Fortune 500 companies, including Colgate-Palmolive and Tesco.
You have a diverse background in cybersecurity research, threat analysis, and product marketing. What first sparked your interest in this field, and how did your career evolve into exposure management?
Right out of college, I worked as an analyst on an international trade lawsuit that involved tracking a network of actors across the US (and internationally). It was a super interesting case and when I started looking for the next thing, I found a job at a dark web monitoring startup (Terbium Labs, now part of Deloitte) where I essentially pitched myself as “hey, I don’t know anything about the dark web or cybersecurity, but I have experience tracing networks and behavior and I think I can learn the rest.” And that worked out! I kept working in cybersecurity as a subject matter expert with a focus on threat actors through 2022, when I joined CyCognito in my first product marketing role. It’s been great to still be working in cybersecurity, which is an industry I’m super passionate about, while trying out a new role. I love that I get to fulfill my love of data-driven storytelling through writing content like CyCognito’s annual State of External Exposure Management report.
You mention that you’ll never own an Alexa. What concerns you most about smart home devices, and what should the average person know about the risks?
If you spend any time looking into the dark web, you’ll see that cybercriminals have an immense appetite for data—including consumer data collected by companies. Your data is a valuable resource and it’s one that many companies either can’t or won’t protect appropriately. You as a consumer have limited options to control how your data is collected, stored, and managed, but it’s important to be as informed as possible and control what you can. That can mean getting very good at adjusting settings in your apps or devices or just forgoing some products altogether.
By necessity, if you have a smart assistant enabled on your phone or a smart home device that requires a voice cue, the microphone has to be listening constantly to catch you asking for something. Even if I trust that the company is protecting those recordings and deleting them, I just personally don’t like the idea of having a microphone always on in my home.
There are definitely services and products of convenience that collect my data and I use them anyway, because it’s somehow worth it for me. Smart home products, though, are something where I’ve personally drawn the line—I’m ok physically going over and adjusting the lights or making a grocery list or whatever, instead of telling Alexa to do it. The Internet of Things offers some incredible benefits to the consumer, but it’s also been a boon to cybercriminals.
You’ve worked in both the federal and private sectors. How do the cybersecurity challenges differ between these environments?
When I worked on contract for the Department of Health and Human Services in their Health Sector Cybersecurity Coordination Center, it was much more focused on digging into patterns and motivations behind cybercriminals’ actions—understanding why they targeted healthcare resources and what kind of recommendations we could make to harden those defenses. There’s more space to get really in-depth on a project in the public sector and there are some incredible public servants doing work on cybersecurity in the federal and state governments. In both my startup roles, I’ve also gotten to do really interesting research, but it’s faster paced and more targeted on tighter scoped questions. One thing I do like about startups is that you can bring a little more of your own voice to research—it would have been harder to present something like my “Make Me Your Dark Web Personal Shopper” talk (DerbyCon 2019) on behalf of HHS.
In your recent article, you highlighted the rapid growth of the dark web. What factors are driving this expansion, and what trends do you see for the next few years?
The dark web is always dead, always dying, and always surging back to life. Sadly, there’s a consistent market for stolen data, malware, cybercrime-as-a-service, and all the other types of goods associated with the dark web, which means that even though dark web standbys like Silk Road, AlphaBay, and Agora are gone, new markets can rise to take their place. Political and financial instability also drives people to cybercrime.
It’s become cliche, but AI is a concern here – it makes it easier for an unsophisticated criminal to level up skills, maybe by using AI-powered coding tools or through generative AI tools that can generate compelling phishing content.
Another factor driving the dark web renaissance is a strong crypto market. Cryptocurrency is the lifeblood of cybercrime—the modern ransomware market basically exists because of cryptocurrency—and a crypto-friendly government under the second Trump administration is likely to exacerbate dark web crime. The new administration’s cuts to federal cybersecurity and law enforcement programs, including CISA, are also a boon to cybercriminals, because the U.S. has historically led enforcement actions against major dark web marketplaces.
What are some of the biggest misconceptions about the dark web that businesses and individuals should be aware of?
The biggest misconception I see is that the dark web is this massive, mysterious entity that’s too complex to understand or defend against. In reality, it makes up less than 0.01% of the internet—but that small size masks its true impact on business security. Another common myth is that the dark web is impenetrable or completely anonymous. While it does require specialized tools like the Tor browser and .onion domains, we actively monitor these spaces every day. Because of the publicity behind the takedown of the Silk Road marketplace, organizations often think the dark web is just for selling illegal goods, like drugs or weapons, not realizing it’s also a massive and sophisticated marketplace for corporate assets and data. The reality is that the dark web is something it’s not just possible but essential for organizations to understand, because it has the potential to directly impact every business’s security posture.
You mentioned that organizations should “assume exposure.” What are some of the most overlooked ways companies unknowingly expose their data online?
What I find fascinating is how many companies still don’t realize the breadth of their exposure and the ways they could be exposed through the dark web. We regularly see leaked credentials circulating on dark web marketplaces—not just basic login details, but admin accounts and VPN credentials that could provide complete access to critical infrastructure. One particularly overlooked area is IoT devices. These seemingly innocent connected devices can be compromised and sold to create botnets or launch attacks. Modern IT environments have become incredibly complex, creating what we call an “extended attack surface” that goes far beyond what most organizations imagine they have. We’re talking about cloud services, network access points, and integrated systems that many companies don’t even realize are exposed. The hard truth is that most organizations have far more potential entry points than they think, so it’s better to assume there’s an exposure out there than to trust your existing defenses to be perfect.
How are cybercriminals leveraging AI to enhance their operations on the dark web, and how can businesses defend against AI-driven cyber threats?
Cybercrime is not really creating new types of attacks—it’s accelerating the ones we already know. We’re seeing criminals use AI to generate hundreds of incredibly convincing phishing emails in minutes, something that used to take days or weeks to do manually. They’re developing adaptive malware that can actually change its behavior to avoid detection, and they’re using specialized tools like WormGPT and FraudGPT that are specifically designed for criminal activities. Perhaps most concerning is how they’re managing to compromise legitimate AI platforms – we’ve seen stolen credentials from major AI providers being sold, and there’s a growing effort to “jailbreak” mainstream AI tools by removing their safety limitations.
But the good news is that we’re not defenseless. Forward-looking organizations are deploying AI systems that work around the clock to monitor dark web forums and marketplaces. These tools can analyze millions of posts in minutes, understand criminal coded language, and spot patterns that human analysts might miss. We’re using AI to scan for stolen credentials, monitor system access points, and provide early warning of potential breaches. The key is that our defensive AI can work at the same speed and scale as the criminal tools—it’s really the only way to keep up with modern threats.
CyCognito takes an “attacker’s perspective” to identify vulnerabilities. Can you walk us through how this approach differs from traditional security testing methods?
Our approach starts with understanding that modern IT environments are far more complex than traditional security models assume. We also don’t rely on what organizations know to inform our work – when attackers target an organization, they’re not getting lists of assets or context from their target, so we also go in with zero seed data from our customers. Based on that, we assemble a map of the organization and its attack surface and place all their assets in context in that map.
We map the entire extended attack surface, going beyond just known assets to understand what attackers actually see and can exploit. When we monitor dark web marketplaces, we’re not just collecting data—we’re understanding how leaked credentials, privileged access, and exposed information create pathways into an organization. By overlaying these dark web risks onto the existing attack surface, we give security teams a true attacker’s view of their vulnerabilities. This perspective helps them understand not just what might be vulnerable, but what’s actually exploitable.
How does CyCognito’s AI-driven discovery process work, and what makes it more effective than conventional external attack surface management (EASM) solutions?
We start with a fundamental understanding that every organization’s attack surface is significantly larger than traditional tools assume. Our AI-driven discovery process begins by mapping what we call the “extended attack surface”—a concept that goes far beyond conventional EASM solutions that only look at known assets.
Our process is comprehensive and proactive. We continuously scan for four critical types of exposure: leaked credentials, including hashed passwords that attackers might decrypt; accounts and privileged access being sold on dark web marketplaces; IP-based information leaks that could reveal network vulnerabilities; and sensitive data exposed through past breaches. But finding these exposures is just the first step.
We then map everything back to what we call the attack surface graph. This is where context becomes everything. Instead of just handing you a list of vulnerabilities like conventional EASM solutions do, we show you exactly how dark web exposures intersect with your existing infrastructure. This allows security teams to see not just where their data has ended up, but precisely where they need to focus their security efforts next.
Think of it as building a strategic map rather than just running a security scan. By overlaying dark web risks onto your actual attack surface, we provide security teams with a clear, actionable view of their most critical security gaps. This contextual understanding is essential for prioritizing remediation efforts effectively and ensuring a swift, targeted response to emerging threats.
Prioritization of risks is a major challenge for security teams. How does CyCognito differentiate between critical and non-critical vulnerabilities?
We prioritize vulnerabilities by understanding their context within an organization’s entire security ecosystem. It’s not enough to know that a credential has been exposed or an access point is vulnerable—we need to understand what that exposure means in terms of potential impact, and that impact can vary depending on the business context of the asset. We look particularly closely at privileged access credentials, administrative accounts, and VPN access points, as these often represent the greatest risk for lateral movement within systems. By mapping these exposures back to our attack surface graph, we can show security teams exactly which vulnerabilities pose the greatest risk to their most critical assets. This helps them focus their limited resources where they’ll have the biggest impact.
How do you see cybersecurity evolving in the next five years, and what role will AI play in both offense and defense?
We’re in the middle of a fundamental shift in the cybersecurity landscape, largely driven by AI. On the offensive side, we’re already seeing AI accelerate the scale and sophistication of attacks in ways that would have been impossible just a few years ago. New AI tools designed specifically for cybercrime, like WormGPT and FraudGPT, are emerging rapidly, and we’re seeing even legitimate AI platforms being compromised or “jailbroken” for malicious purposes.
On the defensive side, AI isn’t just an advantage anymore – it’s becoming a necessity. The speed and scale of modern attacks mean that traditional, human-only analysis simply can’t keep up. AI is essential for monitoring threats at scale, analyzing dark web activity, and providing the rapid response capabilities that modern security requires. But I want to emphasize that technology alone isn’t the answer. The organizations that will be most successful in navigating this new landscape are those that combine advanced AI capabilities with proactive security strategies and a deep understanding of their extended attack surface. The next five years will be about finding that balance between powerful AI tools and smart, strategic security planning.
Thank you for the great interview. Readers who wish to learn more should visit CyCognito.
The post Emma Zaballos, Product Marketing Manager at CyCognito – Interview Series appeared first on Unite.AI.