Why AI + DevSecOps Is the Future of Software Security With Patrick J. Quilter Jr

[00:00:00] Get ready to discover some of the most actionable DevOps techniques and tooling, including performance and reliability for some of the world's smartest engineers. Hey, I'm Joe Colantonio, host of the DevOps Toolchain Podcast and my goal is to help you create DevOps toolchain awesomeness.

[00:00:19] Hey, it's Joe. And today's episode is packed with insights you don't want to miss. I'm joined by Patrick Quilter, CEO of Deploy360. And a true pioneer at the intersection of automation, security, and AI. Patrick started out just like us as an automation engineer, but his journey took him from launching his own consulting company to selling it to acquiring another and now leading a cutting edge DevSecOps platform trusted by the Department of Defense. In this conversation, Patrick shares how testers can make the leap into security, what Agentic AI really means for DevSecops pipelines and why AI is more about speed and security than replacing coders. If you've ever wondered where AI and DevSecOps are heading or how you could prepare your career, what's coming next? Stick around because Patrick brings both the vision and the practical advice you need. You don't want to miss it? Check it out.

[00:01:15] Hey, before we get into this episode, I want to quickly talk about the silent killer of most DevOps efforts. That is poor user experience. If your app is slow, it's worse than your typical bug. It's frustrating. And in my experience and many others I talked to on this podcast, frustrated users don't last long. But since slow performance is a sudden, it's hard for standard error monitoring tools to catch. And that's why I really dig SmartBear's Insight Hub. It's an all in one observability solution that offers front end performance monitoring and distributed tracing. Your developers can easily detect, fix, and prevent performance bottlenecks before it affects your users. Sounds cool, right? Don't rely anymore on frustrated user feedback, but I always say try it for yourself. Go to SmartBear.com or use our special link down below and try it for free. No credit card required.

[00:02:12] Joe Colantonio Hey Patrick, welcome to The Guild.

[00:02:16] Patrick J. Quilter Jr Hey, thanks Joe, great to be here.

[00:02:17] Joe Colantonio Awesome. We've been talking for a while back and forth on email. I've been following you for a bit on LinkedIn. I wanted to join you on this podcast. I think you did a big announcement around security, which we're going to dive into the, but before we do, maybe a little background of how you got into DevOps, how did you get into security, what's your background story?

[00:02:36] Patrick J. Quilter Jr Sure, absolutely. Basically, I started out doing an independent consulting company around automated testing. Actually, if I could take a little divergence here, I want to plug you for a second because I've been following you since the early 2000s. I think you're going on now. And I was a big automated testing guy and I had like a lot of people back then I had my pet projects and frameworks and UFT was the big thing back then. It was quick test pro when I was following you. And there was a period when Mercury interactive sold to HP and Mercury interactive had probably one of the best knowledge bases with their products. I mean, you could get answers to WinRunner quick test pro and like the answers would be spot on. This is before all the generative AI stuff before that, right? So that was like everybody's go-to. And then during that period, they took that knowledge base away. I think when it got moved over to HP. So where was the only place to get information? If you Googled your stuff would come right to the top. Like you were a lifesaver for myself and a lot of people that like, when you get into those knots, where you, you just can't find any good support or good ways to, why is this breaking on me? How do I fix it? Your stuff was always there. I've always had you bookmarked just because of things back in the early 2000s. I can't believe we have to say it goes back that far, but that was the reality of it. But yeah, anyways, back to our history. Under that consulting company, developed that pet project, implemented a little bit more was fortunate enough to through some customers that we had. I met somebody that ended up buying my consulting company. That company was very much more blockchain focused, so we worked together in that configuration for a while. My legacy company basically continued to deliver the same type of services, but we started to slant more towards the blockchain and crypto side with the automation. Shortly after that, we took a little divergence and then ended up trying to expand a little bit more. We, at the time, this is around 2017, blockchain was still a complicated and sophisticated technology, but it was going in and out of style, very volatile. So we wanted to put a more firm step forward in going into continuing application development. We ended up expanding my legacy product into more of a DevSecOps platform. We expanded more out. We wanted to get more into the development space and provide a full life cycle experience that obviously incorporates all the automated testing. But that was the big step forward then. And then, you, we had some success over the last two years and expanding our company. We did an acquisition of a DOD company and then their name was actually Deploy360. We just took that name and made it our entire operation now. To summarize, it's been a journey of going from different complicated technologies, but there's always been a big push for us and where our heart really exists is in the application development space. We're providing software these days that gives us a secure way to develop and the work that we've been doing out for the last four years, not that we did this on purpose. We kind of got lucky here. It actually can be transformed very easily into the new agentic approach. We're well set up to continue doing what we're doing right now.

[00:06:37] Joe Colantonio Patrick, you start off as an automation agent. Thank you so much for I wish my site still came up as the first thing. I have companies now, a billion dollar budgets that just slam out the automation sector. Anyway, it is what it is. But how do you make the pivot to security? I've always been trying to push that testers should learn more about security. I think it's only going to help them, but it's always been a hard push. I try to do a secure guild and didn't get enough people to attend. How did you get into security. Did you think of someone who is into automation as well? That security is a good thing to add to the tool toolbox, basically.

[00:07:12] Patrick J. Quilter Jr Yes, I absolutely do. Because if you're an engineer that's doing just automated testing, you're used to working with UIs or mobile applications or something, writing test cases. I think all the security stuff and the tools are a natural fit for you. Cause you're already in that mindset of building automated workflows, making sure everything goes from beginning to end and it completed the task that you were supposed to do. That was kind of where I was alluding to before, where we expanded into the DevSecOps world, because that's just a lot of automation. I mean, 80% of that world is working with tools and working with automation. And the step towards security might be a little bit easier than you think, because you can get your hands on a bunch of open source tools that do, that as long as you give it, tell it where to find code repositories or whatever the mechanism is that you're submitting code to these tools, if you can figure all that out and you can script it, which you should be able to do if you're in that automated mindset, you can get your hands on these things and then you can build pipelines. And yes, you'll have to learn, it's not like VB script. If you're going back to the UFT days, you're gonna have to pick up some, maybe some shell scripting, learn to work with J-but I think people are doing that anyways. It's really more of that. It's really concentrating on your workflows, managing the tools, calling those tools in order. And they do a lot of the security work. You don't necessarily have to be an expert on dissecting or doing the analysis on what those tools are producing. You just want to be able to make sure the automation runs reliably and then get some reports at the end that you can share with your development team and let them do the analysis.

[00:09:09] Joe Colantonio Love it. I also, what I'm impressed by you is you start off as an automation engineer, sounds like you started your own company, you then sold your own company, started another one, and then you got so successful, you're able to acquire another company. Like I think that might be a model for people that are afraid about their job to give them a little hope. Like, how did that all happen? Was it just like me, I just stumbled into it, just dumb luck. Or like, were you always into business? Like, how did that happen?

[00:09:33] Patrick J. Quilter Jr There's always that luck factor. And it sounds good when you give a one minute explanation, it went from A to Z, but there's certainly a lot of challenges, a lot bumps in the road. It's not necessarily for everybody, but if you're somebody out there and you are interested in that type of challenge and add into your career there, for me, it was more like, I started off with a regular 9 to 5 job and that's where I learned the automated testing. And then I just asked myself, what else can I do with this? And with each job, I would meet new and interesting people that would have a little piece of the puzzle. As you start putting it together, and you're like, okay, maybe I can take this leap and do some type of independent consulting and carry around my tool as a value add. That was step number two for me, and then you see a little bit more and you talk to more interesting people and they give you some ideas and how you can turn that into maybe more of a product with a license or a SaaS setup or something like that. And it just keeps iterating. If you keep asking yourself that question, where can I take it next? Where can I make it next. And then yes, you gotta hope you get lucky along the way and definitely expect things to go wrong and be ready to handle those.

[00:10:51] Joe Colantonio Yeah, for sure. So speaking of where can I take it next year, you're on time, you're like right in on trend with what's happening out with AI. I think you describe yourself as AI-driven DevOps. Is that correct?

[00:11:03] Patrick J. Quilter Jr Correct.

[00:11:05] Joe Colantonio What are your thoughts on AI? A lot of people are afraid of AI. Once again, you seem like not, you embrace things. Why does it seem like you're embracing AI rather than being afraid of AI or saying it's nothing?

[00:11:16] Patrick J. Quilter Jr Yeah, I mean, it's hype. There's a lot of hype out there these days and there's, you're going to see a lot of over-excitement and over-emphasizing the impact that AI could have, especially in the software development space and where we've seen that the most is encoding the coders are we're not going to need coding anymore. These AI tools are going to take care of everything. And it's not been our experience. This landscape is changing by the week. So. I think we're monitoring what's out there very closely, and I don't see anything out there that we've gotten our hands on and experimented with to say, ah, this is going to replace thousands of workers. We haven't come across that. The impact that we do see is that for those that are serious about the coding career, like they're good, experienced coders, they can move a lot faster with these tools, the things that they would have to initially set up your initial routines that you might have to write. This thing can get you started. It can get down that path and then experienced and well skilled developers can keep adding to that. That's what I think addresses the fear. People think, we're not even going to need experience developers anymore, but that's totally not the truth. And I'll even give you an example. I've seen, and I've run into this myself. I mean, I would consider myself like a V plus coder. And with this, I'm trending more towards the A side. But there have definitely been some situations where I've gotten myself into a loop where the AI's telling me to write the code a certain way, so I do it. And then it doesn't work, and then I tell it, and then like almost goes into a loop where it gives me the old code all over again. And if you're not looking at that and paying attention to that, you're just copy and pasting copy paste and running and hoping that it works, you're gonna get yourself into a big problem. That's kind of how to put it all together. You can see just right then and there it still needs a human to interpret it and move it and got and almost guide it so it can guide you.

[00:13:25] Joe Colantonio 100%. I've been messing around with Cursor and I just pretended I didn't know anything about automation. I said, here's the Playwright MCP, log into this and give me the stat from this table. And it's been like three days and it's still not working. Like you said, I keep accept, accept, except, except. I'm pretending like I don't know what it's doing and it still can't get it right. But what I did notice is even when I do get serious with it, it has a lot of security issues. Like I said it leaks things to the console. And if I didn't know, I had to ask, hey, make sure you make this secure. I said, oh, I found all this stuff that's not secure. Well, you created the code. Well, the AI created the codes, so why would it create it secure? So is that something people need to be aware of as well?

[00:14:06] Patrick J. Quilter Jr Yeah, and it's like it's got a bit of a personality about it. Like it's almost blaming you for, well, this is your code and yeah, there's something wrong with it. How did you do that? I got this for you buddy. That's why we're focused on DevSecOps. We want to have AI involved in the entire life cycle. Would there all the emphasis right now or? Maybe 95% of the emphasis is on code generation. If you focus on the life cycle, exactly what you're talking about is gonna catch that. The way our product is set up right now, you do your vibe coding, you can do it in your favorite UI. We have one that's part of our platform. But once that gets generated, we have within our product, the workflow, that send that code to our security scanning agent. We have a number of agents interacting together. The agents themselves are the kind of the smaller unit that you can almost think of that as your team. It's broken up into DevSecOps phases and each of those phases basically represents another agent. In our scenario here, we have the development agent that lets you do the vibe coding. That vibe coding gets passed over to the security agent. The security agent will do its scan on the static code analysis, for example. And then sends the results back to the development agent and the development agents should fix it. And then there's always a human in the loop to make sure that that conversation and that flow continues to run smoothly. But those agents, those two agents just right there do all the work together.

[00:15:48] Joe Colantonio How does that work? Is someone using their ID or your ID, the coding, or they're using it to code like, code me this, and then they press a button, say, now go talk to the security agent. Are these agents just working on their own almost independently of that?

[00:16:07] Patrick J. Quilter Jr In their final implementation, they're going to be working on their own. And maybe it's fair to give where we are in our development cycle. And I'll even take a step back and how we got to this particular setup that we're going after. Like we said, we do a lot of work with the department of defense and they're the ones that have, from my perspective, have really coined the phrase DevSecOps, that term is very important for them. What, if I didn't run into the people that were working in now, I would just consider it all DevOps. But to them, security, it was forefront, it needed to be in this acronym. And then the way that they break out their phases explains all of that. They have security involved in every phase. It's much more elaborate. If you think about that DevSecOps infinite loop, their loop has several more steps in it. Than your typical commercial loops or the way that they view the world of that life cycle. So there's even a lot more that defines the details into what they consider the DevSecOps life cycle, but in the end, it ends up being a 10 step disciplined approach. We took that concept and there's a lot of documentation that a particular group in the DOD, they're called DOD-CIO. And they publish this information publicly. Anybody can go out there and look, you wanna see like a robust implementation of DevSecOps. They do all the thinking and documenting and publishing for how you might wanna think about implementing it. There's a ton of guidance out there. We took that guidance and we essentially fine tune our models to meet those standards. Then we built our UI to incorporate those 10 phases. And then again, those ten phases end up being the specialized agents that work with each of those. As I mentioned in the beginning, we've been working on this platform that we've had for like four years, a lot of what we're able to reuse is the backend that we developed, it's very virtualized, dockerized, we can port it around to a number of different clouds and actually physical hardware. And that's what I was saying turned out to be somewhat of a God send for us that we didn't know agentic was coming when we were working on this, but it turns out that's like 80% of the legwork. It's not all that hard to get a hook, a UI front end up to an LLM and get a response back, even though that's where it looks like all the hard work is happening, but it's actually bolting that stuff onto a robust backend that has all the information that you need. That's what we are in our development cycle. We're taking the agentic piece and hooking it into our backend one agent at a time. We are about to roll out the third one, third out of ten, and to answer where you were, I think you were going with your very initial question is how do these things communicate to each other? There's RAG architecture and there's vector databases that hold memory, so all those things from the agentic layer are at play so that these tools, these different agents can communicate with each other and they know exactly where assets are in the pipelines because they all have access to central memory.

[00:19:45] Joe Colantonio I guess what I'm really surprised by, just to set me as the DOD, I would think that we would not be very friendly towards Agentic AI. So is that a miss like a lot of people like, oh, it's not it'll never work in industries like finance and banking. But if you're using it for DOD I would think that crushes all those thresholds.

[00:20:06] Patrick J. Quilter Jr It does. If you look at the RFPs that have, this is all public information, any of the RFP's that are out there and the last maybe three months, there's been an explosion. The new administration is very bullish on AI and utilizing that within all different agencies. So I think a lot of it came from that push. I know last year and in the year prior, it was, something that the DOD wanted to be on top of in case it became extremely relevant. And I think this year there is even more of a financial push to start figuring out how they can get commercial off the shelf products into the DoD and utilizing that that seems to be the directive, at least today.

[00:20:56] Joe Colantonio Nice. So you talked a little bit about Vibe, maybe a little more info around that. Is it your own developer environment or is it like some sort of Vscode type of implementation?

[00:21:09] Patrick J. Quilter Jr Yeah, we send out, we wrap VS Code into our overall architecture. So you might've remembered me saying just a minute ago, there's a backend that we have. That backend is locked down, secure, and it's in a State where you can take any of these assets and move them around to different environments. We were able to take a VScode backend. And include it in our overall structure. It's now portable. It ships with everything that we provide. And then on top of that, there are some, you can add in any of your favorite open source LLMs through continues the interface that basically allows you to switch between LLMS and do your vibe coding. So from that standpoint, for us, there's several very good, and you brought up Cursor, already one of them that does the vibe coding itself. We did not necessarily want to compete with that, but with some open source utilization and packaging it all in with our platform, we're able to give a secure, what a hardened experience with VScode and some of these other AI agents. We take care of a lot of security a big thing for us is what's called the DevSecOps supply chain. We want all the tools to be configured right and with the right security checks already in place, already scanned before we push those out to customers.

[00:22:49] Joe Colantonio Love it. You did mention Claude, not Claude. I think you mentioned OpenAI. Do you find for security using local LLMs are more secure? Is that also not a true statement?

[00:23:01] Patrick J. Quilter Jr Yeah, well, if you want something that if you had to put everything side by side and you wanted to say if I could pick one configuration that was more bulletproof than the other, which one would I pick? Now, I don't know of any major issues or major breaches or any crazy stories out there with security around any of the whether it's Claude, OpenAI, ChatGPT, all those things, but it's a risk. Anytime you're going from your local laptop or if you're at work, you're out of your network and into somebody else's network, there's a risks there. What if we could get all the same benefits that OpenAI provides and you never had to leave your network? So this has actually been a focus of ours. We have what's called an edge installation where we take some NVIDIA hardware, and as I mentioned, our solution, our platform is virtualized, all Docker, whatever we run in the cloud, we can pack the same stuff up and run it on local hardware. And when we push this on the NVIDIA hardware, which you kind of need because the LLMs chew up a lot of memory, a lot GPU. When you push it onto there, you could essentially package up our entire solution and be able to send that hardware to an organization who could, with the proper security protocols and procedures in place, plug that into their network and they can get the experience of whether it's developing software or just asking questions like you would a regular ChatGPT and that traffic never has to leave your network. So you kind of get the best of all worlds there. Are there any study? All this stuff is new. Are there are any studies out there or anything that makes it clear? No, but intuitively, again, I pose it to you and your audience. If you could lock everything down and get the same experience or data and your traffic never has to leave your network, then doesn't that intuitively seem like it's more secure?

[00:25:15] Joe Colantonio Right, right. Yeah, for sure. I would also think with developers and testers that they have a certain workflow that they enjoy certain environment that they're used to. If they needed or wanted to use your solution, how much of that would change? I don't know if that make sense?

[00:25:34] Patrick J. Quilter Jr From the developer's perspective, it doesn't have to change. I guess there's two audiences to look at it. We would obviously want to push, so the developer working with the development agent, we would want to encourage them to utilize our hardened VScode and AI experience because we've baked in all the security and organization around that. If they didn't wanna do that, they could continue to work on probably their same VScode. It seems like a ton of people are using that. Maybe more than anything else, I don't know, my only other experience is really with Eclipse. I'm sure there's still that out there, but I think people really gravitate to VS code, so let's just take that for example. They could take their VS code that they already have installed with all their files on their local system, however they're managing and organizing whatever they're used to. And connect that in to our environment. They have the ability to use either or, and then they can, anything that they develop, if they wanted to push that code to our security agent to do the scanings, and we do all types of scans. We do, that security agent does dynamic scanning. It does container scanning and something around networking. They can utilize all of that. And that just becomes part of their workflow. I'm sure they're probably already used to working in VScode and then sending things to GitHub or GitLab, but there's some advantages that we're providing that they can still do all of that stuff and maybe stay in a more secure environment.

[00:27:12] Joe Colantonio Absolutely. I know a lot of people hate this question, but I like it. We're almost, I mean, only 4 months away from 2026. I'm just curious to know if you were, had a crystal ball. Where do you see AI and DevSecOps going maybe in the next year to 3 years? I know it's hard to do that, but any pulse that you have speak with the like DOD and people like that, where you see the industry going?

[00:27:36] Patrick J. Quilter Jr I see it seems like this, starting this summer, there was a big interest in AI from venture capital perspective. I mean, everybody's been talking about it. Everybody's been weighing in on it. It was a huge topic starting from this summer. I'm starting to see over the past two weeks. I'm on LinkedIn all the time monitoring the conversations and even right now it feels like the hype is cooling off a bit. What I think happens next is that over the next couple of months, these pilot ideas or these less thought out or less developed AI ideas start to fade away and then it becomes a little bit more serious if we're going to invest capital, is there like real substance with these AI solutions out there, there's something out there that's working. I think from that perspective that a lot of energy is going to go in that. And I really think in, and why we've gone, made sure that we've maintained a very portable virtualized solution and pushing it onto edge devices. I really think, there's going to be a migration away from cloud, not massive and not for everybody, I think, your fortune 500 companies are going to continue to use cloud. They have big budgets. These GPU costs I guess are not a huge deal for them or it's worth it still for them just to be able to utilize that. But for your smaller and medium sized businesses, I think if somebody comes in with a solution that drives down the GPU costs and gives them the AI experience, there's going to be a significant movement in that direction.

[00:29:29] Joe Colantonio All right, Patrick, I know a lot of people hearing this, a lot of people need to get their hands dirty. They probably want to try this. Do you have any like early access of beta where people can actually try for themselves to see if it actually lives up to the hype that we talked about today?

[00:29:41] Patrick J. Quilter Jr Yes, absolutely. As I mentioned, we're rolling out this product little by little and adding the agents on top of the existing product that we already have. So we would absolutely love to have some early access customers. The value there is that they get the solution at a significantly reduced price and we obviously get the feedback that we're looking for right now. As technology is changing all the time and there's things that we want to get in our platform and get immediate feedback so hopefully it's a win-win for everybody if any folks are interested.

[00:30:16] Joe Colantonio Patrick, so like I know, don't answer everyone. Who's the perfect customer? If someone's listened to this, who would be the perfect ideal person that would get the biggest bang from actually trying the beta and seeing if it really would help them for what they're doing?

[00:30:30] Patrick J. Quilter Jr Yeah, I think, the small to medium sized customers, if you're a company of that size, and you're realizing that you need to scale, you're hearing the time savings that DevSecOps can provide. Keep in mind, it's not just about coding, it's about the full life cycle. We can provide everything and you don't have to spend a fortune to get to that point. You would be perfect for this early access program.

[00:31:02] Joe Colantonio Love it. Okay, Patrick, before we go, is there one piece of actual advice you can give to someone to help them with the DevSecOps efforts? And what's the best way people could find to learn more about you or more about your company, Deploy360?

[00:31:14] Patrick J. Quilter Jr Sure. With DevSecOps, I think it's just, I'm going to plug it. Once again, that you got to stay up on the latest information. DoD, CIO, if you Google that, it should pull up their homepage and they've just published so much information. It could take you probably a good three months before you exhausted it all, but you start getting that background there and I'm not OpenAI ChatGPT fan, so I'm on there constantly. If there's a concept that I don't understand, I'll peel off an hour and make sure that I do understand it. I would encourage people to do that. I'm also a hands-on person. I like to get into the coding and configuring. That's how I start to understand it, so if you're a person like that, those are three steps, just get a source that you really like for your information. Make sure you understand it and you have the tools out there like never before. I shouldn't say like never, before Joe Colantonio, way back when used to give us that experience, but since we don't have that anymore, use your ChatGPT to really understand it, and then spend some time implementing it and it doesn't have to be a full implementation, but just make sure you know how all the dots connect and then you'll be able to go into conversations and understand things better and contribute better. As far as where to find things for us, I mean, certainly, our company puts out a lot of information about this evolution and DevSecOps and mirroring it with AI. Definitely follow us, our websites out there. I'm sure Joe have that as some follow up information. I post on LinkedIn constantly. So like I said, I'm constantly monitoring the news and I'll give some opinions there. And we keep our LinkedIn page very up-to-date. We love some community interaction.

[00:33:14] And we'll have links to all this awesomeness down below.

[00:33:17] All right, before we wrap it up, remember, frustrated users quit apps. Don't rely on bad app store reviews. Use SmartBear's Insight Hub to catch, fix, and prevent performance bottlenecks and crashes from affecting your users. Go to SmartBear.com or use the link down below, and try for free for 14 days, no credit card required.

[00:33:38] And for links of everything in value we've covered in this DevOps ToolChain show, head on over to testguild.com/p201. So that's it for this episode of the DevOps ToolChain Show. I'm Joe, my mission is to help you succeed in creating end-to-end full-stack DevOps ToolChain awesomeness. As always, test everything and keep the good. Cheers.

[00:34:01] Hey, thank you for tuning in. It's incredible to connect with close to 400,000 followers across all our platforms and over 40,000 email subscribers who are at the forefront of automation, testing, and DevOps. If you haven't yet, join our vibrant community at TestGuild.com where you become part of our elite circle driving innovation, software testing, and automation. And if you're a tool provider or have a service looking to empower our guild with solutions that elevate skills and tackle real world challenges, we're excited to collaborate. Visit TestGuild.info to explore how we can create transformative experiences together. Let's push the boundaries of what we can achieve.

[00:34:44] Oh, the Test Guild Automation Testing podcast. With lutes and lyres, the bards began their song. A tune of knowledge, a melody of code. Through the air it spread, like wildfire through the land. Guiding testers, showing them the secrets to behold.