Key discussion points:
The evolution from Web2 to Web3 security
- Web3 operates on "hard mode" compared to traditional security because of four properties: open source (attackers can read every line of deployed contract code), open state (all on-chain state is public, so attackers can pick the optimal moment to strike), open entry (no KYC or account barriers to interacting with a contract), and open exit (transactions are immutable, so stolen funds cannot be reversed or clawed back)
- Traditional Web2 security practices like instrumentation and metrics are still catching up in the Web3 space
- The composability of Web3 creates unprecedented attack surfaces—five different teams can build on your code without you knowing
Why smart contract security audits aren't enough
- Audits provide point-in-time security validation but can't address real-world composability risks
- Safe components can be combined unsafely, creating vulnerabilities that emerge after deployment
- The rapid pace of language and compiler updates (Solidity, Vyper) means audit findings can go stale quickly
- Real-world integrations and usage patterns often differ significantly from audit assumptions
The case for 'Real-Time' Monitoring
- Provides continuous "green light" indicators that systems aren't compromised
- Enables detection of threats as they emerge, not hours or days later
- Supports automated response actions for predefined risk scenarios
- Creates circuit breakers for asset health, regulatory compliance, and operational security
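The monitoring loop the talk describes, as an added example that is not Guardrail's code or anything shown in the episode: a stateful checker consumes a stream of decoded on-chain events, evaluates a few "green light" invariants on each one, and emits a "pause" verdict (the automated response) the moment a predefined risk scenario fires, rather than hours later. The event shape, the three invariants (allow-listed admin keys, withdrawal never exceeding the tracked balance, and a windowed outflow limit), the thresholds, and the addresses such as `0xadmin` are all constructed assumptions for illustration; a real deployment would wire the "pause" verdict to a guardian role on the protocol.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    """One decoded on-chain event (shape is an assumption for this example)."""
    block: int
    kind: str           # "deposit", "withdraw" or "admin"
    amount: int = 0     # token base units; 0 for admin events
    actor: str = ""     # address that initiated the event


@dataclass
class Monitor:
    """Stateful invariant checker with a circuit breaker.

    process() returns "green" while every invariant holds, "pause" on the
    event that trips the breaker, and "paused" for everything after that.
    """
    tvl: int                           # tracked pool balance
    admins: frozenset                  # keys allowed to take admin actions
    window_blocks: int = 10            # lookback for the drain check
    max_outflow_bps: int = 2000        # more than 20% leaving in the window trips
    outflows: deque = field(default_factory=deque)   # (block, amount) pairs
    paused: bool = False
    alerts: list = field(default_factory=list)       # (block, reason) pairs

    def _trip(self, ev, reason):
        self.paused = True
        self.alerts.append((ev.block, reason))

    def process(self, ev):
        if self.paused:
            return "paused"
        # Invariant 1: privileged calls only from the allow-listed keys.
        if ev.kind == "admin" and ev.actor not in self.admins:
            self._trip(ev, f"admin action from unknown key {ev.actor}")
            return "pause"
        # Invariant 2: accounting. A withdrawal larger than the tracked
        # balance means the contract's own bookkeeping no longer adds up.
        if ev.kind == "withdraw":
            if ev.amount > self.tvl:
                self._trip(ev, "withdrawal exceeds tracked balance")
                return "pause"
            self.tvl -= ev.amount
            self.outflows.append((ev.block, ev.amount))
        elif ev.kind == "deposit":
            self.tvl += ev.amount
        # Invariant 3: rate limit on drains. Forget outflows older than the
        # window, then compare what left against the balance at window start.
        while self.outflows and self.outflows[0][0] <= ev.block - self.window_blocks:
            self.outflows.popleft()
        drained = sum(amount for _, amount in self.outflows)
        tvl_at_start = self.tvl + drained
        if tvl_at_start and drained * 10_000 > tvl_at_start * self.max_outflow_bps:
            self._trip(ev, f"{drained} left the pool within {self.window_blocks} blocks")
            return "pause"
        return "green"


def run(monitor, events):
    """Feed an event stream through the monitor; one verdict per event."""
    return [monitor.process(ev) for ev in events]


def demo_drain():
    """Constructed stream: normal activity, then a drain that trips the breaker."""
    m = Monitor(tvl=1_000_000, admins=frozenset({"0xadmin"}))
    events = [
        Event(100, "deposit", 50_000, "0xalice"),
        Event(101, "withdraw", 30_000, "0xbob"),
        Event(102, "withdraw", 200_000, "0xmallory"),  # 230k of 1.05M in 2 blocks
        Event(103, "withdraw", 1_000, "0xcarol"),      # arrives after the pause
    ]
    return run(m, events), m


def demo_rogue_admin():
    """Constructed stream: an admin call from a key that is not allow-listed."""
    m = Monitor(tvl=500_000, admins=frozenset({"0xadmin"}))
    events = [Event(200, "admin", 0, "0xadmin"), Event(201, "admin", 0, "0xattacker")]
    return run(m, events), m


if __name__ == "__main__":
    verdicts, monitor = demo_drain()
    print(verdicts, monitor.alerts)
```

The windowed check is deliberately compared against the balance at the start of the window rather than the current balance, so a drain cannot hide behind the shrinking denominator it causes. Thresholds like 20% over 10 blocks are the kind of predefined risk scenario the talk refers to; what counts as normal outflow is protocol-specific and has to be tuned from the protocol's own history.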
Web3 infrastructure maturity
- Transaction costs have dropped from $60-80 to fractions of a cent across 20+ chains
- Use cases have expanded beyond NFTs to real-world applications like music licensing and parking
- Mainstream adoption is approaching, making security preparation critical
- Enterprise adoption is accelerating with institutional players entering the space
The security economics shift
- Hacks are consistently growing larger (typically over $1M each)
- Prevention technology costs are decreasing (under $500K)
- This divergence creates a compelling business case for proactive security investment
- Small teams (like Aave's <100 people managing $34B TVL) need simple, effective security solutions
Building security-first culture
- Keep security simple and documented for small, resource-constrained teams
- Make security decisions early in the development process, not as an afterthought
- Focus on one or two responsible team members rather than complex processes
- Remember that a few days of security investment can prevent millions in losses
Industry outlook
- Next 2-3 years will be a "stress test" period with minimal regulation
- Various technologies (formal verification, fuzzing, real-time monitoring) are competing for adoption
- AI integration across the security workflow is becoming a key differentiator
- The industry needs better communication to non-technical audiences for broader adoption
Guardrail's growth & vision
- Currently onboarding 1-2 new clients weekly with enterprise adoption accelerating
- Backed by Coinbase Ventures with strong advisor network
- Focus on research-heavy approach with AI integration across monitoring, detection, and response
- Building the "most 2025 version of security tooling" with learnings from the past decade
This episode was recorded as part of the Trident Talks series, focusing on go-to-market strategies for early and growth-stage cybersecurity companies.