The ITSPmagazine Podcast

The Illusion of Transparency: What Most Organizations Don't Know About Their Software and AI Supply Chains | A Brand Spotlight at RSAC Conference 2026 with Daniel Bardenstein, CEO and Co-Founder of Manifest Cyber

Episode Summary

Five years after Log4Shell, most organizations are no more prepared for software supply chain incidents than they were in 2021 -- and a new wave of AI adoption is making the problem significantly harder. In this conversation from RSAC Conference 2026, Daniel Bardenstein of Manifest Cyber breaks down the illusion of transparency, who is actually responsible for securing the software supply chain, and what it takes to go from reactive to proactive.

Episode Notes

Daniel Bardenstein, CEO and co-founder of Manifest Cyber, opens with a candid assessment: the fundamental problem hasn't changed since Log4Shell. Organizations still don't understand what's inside the software and AI they build and buy. A recent Manifest Cyber study found a 40-50% gap between how well CISOs believed their security posture was managed and how their own AppSec teams rated the reality. Traditional SCA tools bury analysts in alerts without enabling response. Third-party tools hand out letter grades without reflecting actual empirical risk. The result is what Bardenstein calls the illusion of transparency -- confidence in visibility that doesn't actually exist.

The hidden sources of risk go deeper than most teams realize. C/C++ code underpins critical infrastructure across medical devices, automotive, defense, and financial services -- yet most scanning tools can't effectively analyze it. Third-party binaries carry serious risk that vendors rarely disclose. Open source libraries that haven't been updated in years represent quiet exposure. And AI adoption is adding a new layer of opacity: datasets of unknown provenance, open-weight models with untested risk profiles, and AI-embedded applications where organizations have no visibility into what models or agents are operating underneath.

Bardenstein frames the path forward in three dimensions: rapid response when a new issue emerges, proactive inventory and monitoring of critical dependencies, and supply chain risk stopped at the procurement gate before it enters the enterprise. When customers demand SBOMs as a condition of doing business, vendors improve -- and those improvements flow to all their other customers as well. Manifest Cyber sees this market dynamic as one of the most powerful forces for making the software ecosystem more secure.

The conversation also takes on accountability. Drawing on his time leading technology strategy at CISA, Bardenstein argues that the burden of transparency must fall on the people who write software, not those who buy and use it. The "transparency tax" -- the hidden cost of cheap or opaque technology -- only surfaces after something goes wrong, in the form of incident response, people-hours, and exposure. Compliance drivers like the EU Cyber Resilience Act are reinforcing this shift, but market pressure from major banks, pharmaceutical companies, and government is already moving faster than regulation.

Manifest Cyber automates the hard work: generating SBOMs, analyzing binaries, surfacing risk in C/C++ and third-party dependencies, and enabling fast, owner-assigned remediation. One customer went from zero to generating SBOMs across their entire fleet in 90 seconds -- without touching a command line. The platform is built to keep engineer velocity high, surface risk in plain language for procurement and risk teams, and make supply chain security accessible to the entire organization, not just the AppSec team.

This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight

GUEST

Daniel Bardenstein, CEO and Co-Founder, Manifest Cyber
LinkedIn: https://www.linkedin.com/in/bardenstein/

RESOURCES

Manifest Cyber: https://www.manifestcyber.com

Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Brand Spotlight Story: https://www.studioc60.com/content-creation#spotlight
▶︎ Brand Highlight Story: https://www.studioc60.com/content-creation#highlight

KEYWORDS

Daniel Bardenstein, Manifest Cyber, Sean Martin, Marco Ciappelli, brand spotlight, brand marketing, marketing podcast, software supply chain security, SBOM, Software Bill of Materials, AIBOM, AI supply chain, Log4Shell, software transparency, SCA tools, C/C++ security, open source risk, Secure by Design, EU Cyber Resilience Act, supply chain risk management, third-party risk, RSAC Conference 2026, cybersecurity

Episode Transcription

[00:00:10] Sean Martin: All right. It's yours, Marco. It's ours.

[00:00:13] Marco Ciappelli: Sean, what are we gonna do with it?

[00:00:15] Sean Martin: I don't know. I think we will ask our guest to do something really cool.

[00:00:20] Marco Ciappelli: Yeah, and you know what, it's going back to a familiar situation like we've done in the past years after a lot of filming, standing. I'm happy now to be sitting and have a really good guest. Which we have been lucky enough -- we've already spoken with him a couple of times. I mean, we go way

[00:00:42] Daniel Bardenstein: back, way, way back. It's been all of a couple of months now. It's like we've known each other since childhood.

[00:00:48] Sean Martin: Exactly. Well, we appreciate you joining us here in San Francisco for RSAC Conference. How are you, man?

[00:00:57] Daniel Bardenstein: Doing well, always. Excited to be here at RSAC Conference in San Francisco, but as you know, it's a lot. It's RSAC.

[00:01:05] Sean Martin: It's a grueling joy. Yes.

[00:01:09] Daniel Bardenstein: Really enjoy it. The yearly pilgrimage to San Francisco.

[00:01:12] Sean Martin: That's right. That's right. So Manifest Cyber -- you guys are doing some good things. We had a chat with you pre-event and shared some things. For folks who didn't watch that, maybe a few words about your role and an overview of Manifest Cyber, why it was founded, to kind of set the stage.

[00:01:31] Daniel Bardenstein: Happy to. So as you both well know, I'm Daniel Bardenstein, CEO and co-founder of Manifest Cyber. In a nutshell, we help organizations understand their software and AI supply chains. It's now 2026, five years after the Log4Shell incident, which is part of our origin story. But organizations still face the same problem they did back then, which is they fundamentally don't understand the software and the AI that they build and buy.

[00:02:05] Daniel Bardenstein: So that's our mission. We work with some of the world's most critical organizations to help them understand and secure the technology they bring into the environment -- whether it's open source dependencies, AI models, or third-party commercial tools. We help them understand holistic inventories of what they've built. Not little repositories or lists of software, but components that go into a vehicle, like a plane or a car or a medical device. And then we continually monitor what they have for risk so they can pinpoint in just a couple of seconds when there's a new issue to investigate, where it is in their devices, and everything they've built and bought.

[00:02:48] Daniel Bardenstein: And ultimately our goal is we want people to be able to buy technology with the same amount of trust that we as consumers buy houses or food or cars.

[00:02:58] Marco Ciappelli: Yeah. You know, I want to know if I'm allergic to software right away -- maybe there's an ingredient that I don't like.

[00:03:05] Daniel Bardenstein: Yeah. In that same vein -- you'd think it would be that easy, but software is so opaque that when people have blocklisted open source dependencies or components, they often don't know that it might be hiding in the things they're building and buying. So that's exactly the goal.

[00:03:14] Marco Ciappelli: Maybe there's been a recall and we don't know about it.

[00:03:18] Daniel Bardenstein: Exactly. We're not trying to be rocket scientists. If we can automate -- hey, I don't want to buy things I'm allergic to -- or like the automotive sector, how they can do recalls very effectively if there's a problem with your airbags. We're just trying to bring that to technology, and then society we hope will be much more secure.

[00:03:37] Marco Ciappelli: And maybe with that -- you can touch on the famous reason why you started creating this? Log4Shell was everywhere.

[00:03:50] Daniel Bardenstein: At this point it seems like everyone asks the same question. It seems like a trite example -- it's been five years, which is crazy. I was at the Pentagon when it hit. My unit was tasked to help with the response. To answer that deceptively simple question: what is everything that the DOD has built and bought, running an affected version of this library? It took them months and months to answer the question and may not have even found the entire scope of the answer. So that was that light-bulb moment -- we continue to build and buy without knowing what's inside the technology.

[00:04:30] Daniel Bardenstein: And even though Log4Shell is now five years old, there are still supply chain incidents happening seemingly every month. You have the Shyued worm, you have the npm attack, you have the tj-actions issue from this past week, XZ Utils, Polyfill -- the list goes on. Software supply chains are so opaque that adversaries are taking advantage of it, because it's much easier to compromise an upstream system and breach a thousand companies than it is to breach a thousand companies individually.

[00:05:05] Daniel Bardenstein: So as I alluded to earlier, the sad truth is -- here we are five years later -- most organizations aren't much more prepared for modern supply chain incidents than they were for Log4Shell five years ago.

[00:05:20] Sean Martin: Right. And so that's one scenario. I'm looking for this specific thing. That one thing is part of many, many things making up a system -- many systems in the organization. How many organizations feel they have visibility? How many feel they do but don't? How many don't care? What does that landscape look like at the moment?

[00:05:35] Daniel Bardenstein: That's a great question. We just released a report from research that we conducted, and one of those stats was a 40-50% difference between how well execs thought their security posture and awareness was versus how their own AppSec professionals rated their degree of transparency and security practices.

[00:06:00] Daniel Bardenstein: So depending on who you ask in the organization, the CISOs and execs might think they have things more under control than the people on the front line. On top of that, we continue to see organizations have a false sense of security -- pun intended. On the first-party side, there are traditional SCA tools that scan code and drown security analysts with vulnerabilities and alerts -- too many to actually deal with -- but they don't help with response, they don't help with inventory. And on the third-party side, there are tools that give commercial software a report card -- an A, B, C, D, F score -- without actually telling you the meaningful empirical risk of the things you're building and buying.

[00:06:41] Marco Ciappelli: Right. And when we were talking before this conversation, you used the phrase 'the illusion of transparency.' I remember that. Why don't we realize the importance of this? Infrastructure, hospitals -- is it because we just don't want to believe there is so much danger in the software itself?

[00:07:14] Daniel Bardenstein: I believe so, and I think it's a compliance checkbox mentality. Maybe there's an organization that writes in a more modern language -- Python or JavaScript -- they can scan their dependencies, they understand risk, and they think they're good. We recently released some new features that hit exactly on some of these hidden sources of risk that most people aren't thinking about, or know they have a gap on but haven't closed it.

[00:07:40] Daniel Bardenstein: C/C++ is a big one. Even though we're moving towards memory-safe languages and trying to modernize software stacks, most critical infrastructure is still written in C/C++. Medical devices, automotive, defense, healthcare, financial services -- it's a massive gap. It's a dirty secret of the SCA market: being able to find transparency and security in C/C++ code, which we can now do for our customers.

[00:08:10] Daniel Bardenstein: Binaries are a good example -- not just when you're putting them into your medical device, your car, your weapon system, but even in third-party commercial tools. We trust that NVIDIA writes good code. Therefore we all download NVIDIA's AI software frameworks. And we've analyzed those binaries and found really serious security risks that no one seems to know or care about because they trust NVIDIA.

[00:08:35] Daniel Bardenstein: Then you have things all the way down to end of life and level of support. We're using open source libraries that don't have active vulnerabilities, but they haven't been updated in five years -- that also poses significant risk to the business. And then, not surprisingly, we're at RSAC Conference, we have to talk about AI. Everyone is adopting AI at breakneck speeds.

[00:09:00] Daniel Bardenstein: We want AI as fast as possible -- AI all the things. No one's stopping to ask what's in it. Where did it come from? This dataset I got from the public internet. This open-weight model -- how do I trust it? How do I understand the provenance? People have this sense of illusion: 'Oh, I trust Anthropic, I trust OpenAI.' But there's so much more of the iceberg beneath the surface that organizations aren't yet thinking about.

[00:09:19] Sean Martin: Now, even with applications that you do trust -- you may have done some assessment during procurement and deployment and with your third-party risk management program -- now introduce AI all of a sudden. And you have no idea what models, what capabilities, what agents are sitting on the other side of that. How do organizations not just get the transparency and the knowledge, but turn that into decision-based action versus just a list of stuff we now know and have no idea what to do with?

[00:09:57] Daniel Bardenstein: Absolutely. I'd say maybe three key ways to think about that. First is action in terms of response. There's a new vulnerability, there's a new issue -- I want to understand exactly where I'm impacted, how important it is, what the fix is, and who is the owner. So I can create the ticket, send the email, and that incident can be closed in minutes rather than days, weeks, or months.

[00:10:25] Daniel Bardenstein: There's an element of proactive risk. Can a CIO or a security leader say -- here are the top ten open source libraries that underpin our critical software, we really need to keep an eye on these, make sure we trust the people and systems behind them. Same thing with suppliers. Just having an inventory and an awareness of what one has so you can be proactive rather than always being on the back foot.

[00:10:55] Daniel Bardenstein: And the last one is on the procurement side. When you know what's inside something -- going back to the purchasing analogy, I don't want to buy something I'm allergic to -- the best way to reduce risk is to not let it into your enterprise in the first place. By surfacing that visibility, even for somebody on the procurement team or the third-party risk team, helping them understand: here are the key risks you shouldn't accept from this vendor. The supplier who wants to sell you software -- here's what you need to go tell them to fix.

[00:11:20] Daniel Bardenstein: And we've seen real stories of this happen. The vendor, eager to close the contract, turns around a patch very quickly, provides more secure software to the customer -- and now they've fixed issues for all their other customers too. So we're slowly but steadily making the ecosystem more secure all around.

[00:11:41] Marco Ciappelli: Let's talk about that. I like the societal angle. Healthcare is a good example. Going from reactive -- going to the doctor when you get sick -- to proactive: try not to get sick, do the right things, get the right ingredients. If you have this list of ingredients in software and components, you're definitely moving towards a more proactive society -- and business, and infrastructure, and government, and security.

[00:12:29] Daniel Bardenstein: Absolutely. This is a personal passion of mine. It's not just about building and selling a great product -- it's how do we actually make society more secure. Medical devices are a great example, or even zooming out to OT/ICS. These are devices that, unlike SaaS or traditional software, live in the wild for 20 or 30 years.

[00:13:00] Daniel Bardenstein: Part of the inspiration for why I started the company was in the medical device and healthcare space. There are MRI machines and other medical devices running literally Windows 7 or Windows 8. If you're going to buy something with this outdated, vulnerable software -- maybe it's already end of life -- you're going to have to live with it for the next 10, 20, or 30 years. And you don't simply patch an MRI machine without negatively affecting patients.

[00:13:20] Daniel Bardenstein: So we frame this as the transparency tax. You think you might be getting a cheap deal -- I'm just going to go for the lowest-cost vendor -- but you're ending up paying additional cost in terms of time, complexity, and people-hours to maintain and secure those technologies. That might change your calculus. And if you raise the bar on your suppliers to do better, now all their other customers benefit from more secure technology -- and in the healthcare space, all those other patients from all those other hospitals benefit from using more secure insulin pumps and pacemakers and other internet- or Bluetooth-connected devices.

[00:14:08] Sean Martin: Let's stick with the medical analogy for a minute. If one is to be healthy individually, you don't just go to the doctor when you're not well. Hopefully you're eating well, you're exercising, you know what you're consuming. As an individual you take accountability for your own health -- you don't just transfer that to the doctor or the MRI provider or whatever. So in the world of secure software and running a business with safe systems -- where does accountability land? Do organizations try to push it off to the third-party system providers? Is there a sense that we have to live and breathe healthily, not just do an assessment and then forget about it?

[00:15:08] Daniel Bardenstein: To me, this is what Secure by Design is all about. Secure by Design became a big movement at CISA when I was there, leading technology strategy. The idea is we need to, as a society, move the burden of writing more secure software onto those who are actually writing the software. In the same way -- let's go back to the food metaphor -- I can choose what I buy and eat, but in order to make those decisions I need an ingredients list. What's in the Cheetos, what's in the Twinkies? And I can decide: do I want to eat healthier? Do I want the processed foods? But at least it's my decision.

[00:15:57] Daniel Bardenstein: The burden of being transparent should always be on the people writing the software for the people buying it. When I'm buying technology, it's on my supplier -- it's their responsibility to tell me what's in their tech so I can make a good decision. But if I'm writing software and selling it to my customers, I need to implement good security design practices as well. I need to inventory my open source, I need to write code securely, especially with AI, so I can practice what I preach and provide that same degree of transparency to my customers.

[00:16:31] Sean Martin: And how about reporting -- auditing and reporting -- whether or not I'm selling software to others, do I have a responsibility to executive leadership and to the board?

[00:16:56] Daniel Bardenstein: Absolutely. Everything from the board, audits, compliance -- it all drives this need. Supply chain security is becoming a board-level issue. There are now compliance elements -- in the EU, for example, the Cyber Resilience Act will make organizations pay the greater of 15 million euros per year or two to three percent of global revenue if you don't comply. Part of that is doing SBOMs, understanding your dependencies, practicing good hygiene and good security. That's a lot of revenue loss, that's a lot of penalties and fines. So it's now incumbent upon board and executive leadership to see those reports, to have that data and transparency -- but organizations need to do it at scale and with automation that doesn't slow them down as they're trying to innovate.

[00:17:49] Marco Ciappelli: It's not up to the consumer of the medical device to know -- it doesn't know, it's too technical. But if you're wearing one, I gotta trust the company that makes that. Is the market not incentivizing this because the consumer isn't pushing for it? Is it because there's a benefit for the producer of the devices to keep it unknown?

[00:18:53] Daniel Bardenstein: The dark secret we're illuminating here is that software is still terribly insecure. I'll give you an example that happened earlier today. Somebody who works at one of the world's largest EDR endpoint detection companies -- very present at this conference -- was asked by a major customer for their SBOM, their ingredients list. The security leadership at this company said, 'I don't want to provide that level of transparency.' When asked why, the answer was: 'I'm ashamed of how poor quality our software is.'

[00:19:37] Daniel Bardenstein: From the government perspective, there's been a lot of pushback to prevent regulation. We've had this self-regulatory scheme for the last 20 years that I don't think has really moved the needle in terms of how secure software is. Where there is compliance, compliance is moving the needle. But there are also more and more companies -- the big Wall Street banks, pharmaceutical companies, government -- that are now demanding: if you want our business, you must provide this transparency. And that's what's moving the market.

[00:20:08] Daniel Bardenstein: If the compliance incentive isn't there, the bottom-line incentive is there. It takes the likes of a big bank, major critical infrastructure, and government to swing a big enough bat to get this transparency. People are now finally being held accountable for the quality -- or lack thereof -- in the software they provide.

[00:20:28] Daniel Bardenstein: We encourage that this should be a best practice. This shouldn't be something you have to wait for your government, regulator, or auditor to mandate. Organizations should be differentiating on who can be more transparent, who can quickly convince and gain trust and maintain trust with their customers that they write secure software. That allows them to beat their competition. So we're seeing market incentives driving people to do this even without the threat of compliance.

[00:21:06] Marco Ciappelli: To wrap this up -- what can Manifest Cyber do right away for a company that realizes this is needed and needs help?

[00:21:16] Daniel Bardenstein: In short, we can automate all this and get it up and running in a very short amount of time. Done -- set it and forget it. Our personal record: one of our customers went from zero to generating SBOMs across their entire fleet in 90 seconds without touching a command line. So we try to make things easy and automated. We want to abstract all the technical weeds away from the user unless they really need to know.

[00:21:50] Daniel Bardenstein: We can keep engineer velocity really high. We can make sure the software they're using to write it is secure. We can help them answer the mail and demonstrate what they're building with -- demonstrate it to their customers, their regulators. And we can help them illuminate the darkness of their third-party risk management process. How do you actually understand what's in all the tech you're buying and putting your sensitive data under? These are big, hard, lofty problems, and we've built tooling to help organizations do this in an easy and intuitive way.

[00:22:20] Sean Martin: Perfect. Hard problem to solve. You're helping to solve it. Don't need to stick your head in the sand anymore.

[00:22:26] Daniel Bardenstein: Exactly. And we want to make it accessible. If things are too technical, if you have to stare at JSON or other code all day, you're not going to get your job done. Especially as companies are using AI and things are moving at AI speed -- you need automation. You need to understand what the risk is, where it is, how to fix it at AI speed. And that's what we're able to do with our customers.

[00:22:48] Sean Martin: I love it, Daniel. Good to chat with you.

[00:22:51] Daniel Bardenstein: Thanks for having me on. We very much appreciate it.

[00:22:54] Sean Martin: Thanks, everybody. Connect with Manifest Cyber, connect with Daniel, and we'll see you all here at RSAC Conference. Stay tuned.

[00:23:10] Marco Ciappelli: Want to do that close one more time, please?

[00:23:12] Sean Martin: No.

[00:23:15] Daniel Bardenstein: One more time. One more time.

[00:23:20] Sean Martin: All right. Thanks everybody for joining us here. Be sure to connect with Daniel and the Manifest Cyber team, and stay tuned for more from RSAC Conference.